Logical Network Perimeter (LNP) is a way to implement micro-segmentation policies between logical networks on vSphere, which makes it attractive to organizations already running NSX for their networking and security workloads.
LNP is a security feature of VMware NSX that provides micro-segmentation for logical networks. With it you can move specific workloads into isolated security zones without changing the underlying physical network or jeopardizing availability. The effect is comparable to moving all of the affected VMs onto a separate virtual switch, but without re-cabling or re-addressing anything.
Types of Network Segmentation
VMware NSX offers three types of network segmentation: External, Internal, and Cross-Pod. External and Internal networks are routing domains that can span different physical locations and differ in their default reachability; Cross-Pod networks confine traffic to a single pod.
External: workloads in an external network can communicate with workloads in other external networks through the existing routed gateway. Once LNP is enabled on an external logical switch, traffic can no longer flow to or from the physical data center through that switch.
Internal: workloads in an internal network have no access to workloads or services outside their own security zone. Traffic between internal zones is blocked by default and must be opened explicitly with firewall rules. Traffic can still be routed across logical switches within a physical location via a Gateway Interconnect device.
Cross-Pod: workloads in a cross-pod network cannot communicate with workloads in other pods at all. For example, with External-East and External-West logical switches, you could configure Cross-Pod logical networks to isolate the East and West pods from each other.
Features of Logical Network Perimeter
Use A Perimeter Firewall
The Logical Network Perimeter feature of VMware NSX lets you use a perimeter firewall as a security service at the edge of a logical network and apply that same security service across multiple regions, rather than only within a single location or data center.
An example is securing traffic between sets of VMs belonging to different departments of the same company, say Finance and Sales. The VMs can sit on either side of a firewall and in different locations; LNP ensures they cannot communicate except through that firewall, even when both port groups are on the same subnet. The policy is therefore enforced independently of the traditional Layer 2 and Layer 3 boundaries, which is the check to make when validating a design: a packet between two hosts on the same subnet must still hit the firewall policy.
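The following is an added illustration, not VMware code, of the zone semantics described in the segmentation-types section above (External reaches External via the gateway; Internal is default-deny and needs explicit rules; Cross-Pod is isolated from other pods) and of the Finance/Sales same-subnet case just described. The zone names, addresses, the one-directional rule format and the assumption that traffic staying inside a zone is permitted are all constructed for the example; the second function shows what a subnet-only design would decide for the same flows, which is the gap LNP is meant to close.

```python
"""Toy policy model of the zone semantics this article attributes to NSX LNP.

Added illustration, not VMware code. Zone types and their default behaviour
follow the article's descriptions; names, addresses and the assumption that
intra-zone traffic is allowed are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class ZoneType(Enum):
    EXTERNAL = "external"    # may reach other external zones through the routed gateway
    INTERNAL = "internal"    # isolated; leaving the zone needs an explicit rule
    CROSS_POD = "cross-pod"  # never reaches a different pod, rules or not


@dataclass(frozen=True)
class Zone:
    name: str
    kind: ZoneType
    pod: str                 # physical location ("east"/"west" in the article's example)


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    zone: Zone


@dataclass(frozen=True)
class Rule:
    """Explicit, one-directional allow between two zones on one port (assumed format)."""
    src_zone: str
    dst_zone: str
    port: int


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int


def lnp_decision(flow: Flow, rules: list[Rule]) -> tuple[str, str]:
    """Return (verdict, reason) for a flow under the article's zone model."""
    s, d = flow.src.zone, flow.dst.zone
    if s == d:
        return "allow", "intra-zone (assumed permitted)"
    if ZoneType.CROSS_POD in (s.kind, d.kind) and s.pod != d.pod:
        return "deny", "cross-pod isolation; no rule can open this"
    if s.kind == ZoneType.EXTERNAL and d.kind == ZoneType.EXTERNAL:
        return "allow", "external to external via the routed gateway"
    for r in rules:
        if (r.src_zone, r.dst_zone, r.port) == (s.name, d.name, flow.port):
            return "allow", f"explicit rule {r.src_zone}->{r.dst_zone}:{r.port}"
    return "deny", "default deny between zones"


def vlan_only_decision(flow: Flow, subnet: str) -> tuple[str, str]:
    """Traditional design for comparison: one subnet, firewall only at its edge."""
    net = ip_network(subnet)
    if ip_address(flow.src.ip) in net and ip_address(flow.dst.ip) in net:
        return "allow", "same subnet, perimeter firewall never sees it"
    return "inspect", "routed through the perimeter firewall"


# Constructed sample inventory: Finance and Sales deliberately share 10.10.0.0/24.
FINANCE = Zone("finance", ZoneType.INTERNAL, "east")
SALES = Zone("sales", ZoneType.INTERNAL, "east")
EXT_EAST = Zone("external-east", ZoneType.EXTERNAL, "east")
EXT_WEST = Zone("external-west", ZoneType.EXTERNAL, "west")
POD_EAST = Zone("cross-pod-east", ZoneType.CROSS_POD, "east")
POD_WEST = Zone("cross-pod-west", ZoneType.CROSS_POD, "west")

FIN_DB = Workload("fin-db", "10.10.0.10", FINANCE)
SALES_WEB = Workload("sales-web", "10.10.0.20", SALES)
EXT_E = Workload("ext-east-app", "10.20.0.5", EXT_EAST)
EXT_W = Workload("ext-west-app", "10.30.0.5", EXT_WEST)
XP_E = Workload("pod-east-app", "10.40.0.5", POD_EAST)
XP_W = Workload("pod-west-app", "10.50.0.5", POD_WEST)

RULES = [Rule("sales", "finance", 443)]  # the only hole opened between the two departments

SAMPLE_FLOWS = {
    "sales->finance:443": Flow(SALES_WEB, FIN_DB, 443),
    "sales->finance:22": Flow(SALES_WEB, FIN_DB, 22),
    "finance->sales:443": Flow(FIN_DB, SALES_WEB, 443),  # rule is one-directional
    "ext-east->ext-west:80": Flow(EXT_E, EXT_W, 80),
    "pod-east->pod-west:80": Flow(XP_E, XP_W, 80),
}


def evaluate_samples() -> dict[str, tuple[str, str]]:
    """Verdict per sample flow as (LNP model, subnet-only model)."""
    return {
        name: (lnp_decision(f, RULES)[0], vlan_only_decision(f, "10.10.0.0/24")[0])
        for name, f in SAMPLE_FLOWS.items()
    }


if __name__ == "__main__":
    for name, f in SAMPLE_FLOWS.items():
        verdict, why = lnp_decision(f, RULES)
        print(f"{name:24} LNP={verdict:5} ({why}); "
              f"subnet-only={vlan_only_decision(f, '10.10.0.0/24')[0]}")
```

The rows to look at are sales->finance:22 and finance->sales:443: the subnet-only model lets both through because the hosts are on one segment, while the zone model denies them because the only explicit rule is Sales to Finance on 443. That asymmetry is also why rule counts grow so quickly, since every direction and every port that is genuinely needed must be opened individually.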
Separate Set Of Endpoint Security Rules
Logical networks (LNs) are micro-segmented by LNP. This adds a separate set of endpoint security rules for logical networks that control access and apply to both VMs and containers. When LNP is enabled on a virtual network, a new firewall instance is generated with its own rule set and attached to an existing edge gateway.
Enable Micro-Segmentation Security Policies
With VMware NSX 6.3, the Logical Network Perimeter feature has been expanded so that it can enforce micro-segmentation security policies between container-based applications, even when they share the same host. This lets IT administrators define fine-grained security policies between individual virtual machines or groups of them running on the same host, and between virtual machines and container-based applications.
Advantages Of Logical Network Perimeter
- One of the key benefits of VMware NSX is that you can deploy it without requiring any changes to existing physical network hardware.
This makes it possible to secure remote and branch offices and cloud-based deployments with Logical Network Perimeter, and to provide a host-based security layer for applications running on bare-metal servers. NSX carries its own software licensing costs, which should be budgeted before LNP is enabled on a virtual network.
- Logical Network Perimeter is an integral part of VMware's NSX for vSphere product line. It provides a way to isolate workloads that would otherwise share a Layer 2 network with monolithic legacy applications, whether on premises or in public clouds. You can also use it with VMware Cloud Foundation and VMware Cloud on AWS to secure workloads running in either cloud service.
Disadvantages Of Logical Network Perimeter
- A significant disadvantage common to every micro-segmentation technology is that it does not scale without limit: rule count, and with it cost and operational effort, grows with the number of security rules multiplied across an ever larger number of logical networks.
Network and security architects therefore need to take care in how they design their security policies when configuring VMware NSX, applying fine-grained, application-specific rules even where this means subdividing existing logical networks before there is an immediate requirement to do so.
- Another issue with LNP is that it is a comparatively expensive way of achieving what a conventional perimeter firewall already provides. The security policies applied through the NSX LNP firewall are not as fine-grained as those of traditional firewalls, and there is no UTM or IDS/IPS included either.
This means that an older-style perimeter firewall may need to remain in place as a backup defense should an LNP policy fail to block unexpected traffic from reaching workloads inside a virtual network.
Note: NSX has been available since 2013 and supports vSphere 5.0, 5.1 and 5.5 and all subsequent releases, up to and including the NSX-v 6.3 release discussed here.
There are pros and cons to using NSX LNP. Although it is a powerful tool for securing logical networks, we must keep in mind that just because we can do something doesn’t mean we should – at least not without considering the implications carefully beforehand.
When it comes to micro-segmentation security policies especially, the devil is in the detail. Many of us need to think carefully about how finely grained our security rules should be before committing valuable resources to production deployments.
Even with this critical caveat, LNP remains an innovative approach to network micro-segmentation that is currently unavailable on most other platforms; Cisco's Application Centric Infrastructure (ACI) is the main exception and works along similar lines. NSX LNP may not be a complete replacement for a traditional perimeter firewall, but it is worth considering carefully before writing it off as an unnecessary expense.