VMware’s NSX™ Distributed Firewall, Intrusion Prevention and Intrusion Detection System.

Security breaches usually occur when an organization does not sufficiently restrict communication inside the network perimeter or does not implement lateral security controls, which allows attackers to target high-priority systems or exfiltrate information. This article discusses VMware’s NSX™ Distributed Firewall and its intrusion prevention and intrusion detection capabilities.

Note: Article in progress. The following is only a basic skeleton for a more comprehensive overview.

VMware NSX™ Distributed Firewall

Recently I have observed that a number of organizations are converting some of their physical firewalls to the VMware NSX network virtualization platform, selecting the NSX security model over a physical firewall in the knowledge that micro-segmentation streamlines overall network security and provides an inherently more secure infrastructure.

“Unlike traditional firewalls, NSX has the ability to run a centrally managed firewall in the kernel of each host. This is incredibly scalable.” (O’Connor, 2016).

The NSX firewall allows each virtual machine to have its own security perimeter, with policies aligned to logical groups, which prevents threats from spreading laterally. Beyond its network virtualization capabilities, NSX also delivers security features such as a distributed, high-performance firewall.

“There are internal stateful Firewalls in the NSX that can provide distributed Firewall detection for each virtual router port.” (Chen et al., 2014).

Among other benefits, the NSX distributed firewall offers zero-trust micro-segmentation, an identity firewall, a programmable REST API and other options, as shown in Figure 1.

Figure 1 – Practical NSX Distributed Firewall – (O’Connor, 2016)

Is NSX sufficient?

Well, my suggestion for most organizations is not to migrate to NSX entirely and not to virtualize all of their firewall resources. While I personally feel quite positive about my experience using the NSX firewall, its application-aware policies (dynamic tagging, identity-based), its infrastructure, cluster, switch and group constructs, its network-based strategies and its overall zero-trust model, I would advise companies to fully verify NSX capabilities first. Perhaps the best strategy is to keep hardware firewalls (such as Check Point) in front of NSX to strengthen security and protect all corporate resources until the organization is completely confident in the capabilities the NSX firewall can offer.
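One concrete way to verify the zero-trust model and the REST API mentioned above is to audit the distributed firewall policy itself. The following is an added example, not code from the article or from VMware: it parses a DFW configuration of the kind returned by NSX-v's firewall config API and flags enabled allow rules whose source and destination are both "any", which defeat micro-segmentation. The XML element names and the sample document are assumptions.

```python
"""Added example (not from the article): audit an NSX-v Distributed
Firewall configuration for allow rules that defeat micro-segmentation.
The layout follows the XML returned by GET /api/4.0/firewall/globalroot-0/config;
the element names are an assumption and the sample document is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: one tightly scoped rule, one broad "temporary" rule,
# one disabled rule, and a permissive default rule at the end of the policy.
SAMPLE_DFW_XML = """<firewallConfiguration><layer3Sections>
  <section id="1001" name="Web-Tier">
    <rule id="1" disabled="false"><name>lb-to-web</name><action>allow</action>
      <sources><source><value>securitygroup-10</value></source></sources>
      <destinations><destination><value>securitygroup-11</value></destination></destinations>
      <services><service><value>application-8</value></service></services>
    </rule>
    <rule id="2" disabled="false"><name>temp-troubleshooting</name><action>allow</action>
      <services><service><value>application-8</value></service></services>
    </rule>
    <rule id="3" disabled="true"><name>old-any</name><action>allow</action></rule>
  </section>
  <section id="1002" name="Default Section Layer3">
    <rule id="1003" disabled="false"><name>Default Rule</name><action>allow</action></rule>
  </section>
</layer3Sections></firewallConfiguration>"""


def _is_any(rule, container):
    """An absent or empty sources/destinations/services element means 'any'."""
    node = rule.find(container)
    return node is None or len(node) == 0


def audit_dfw(xml_text):
    """Return (section, rule id, rule name, reason) for every enabled allow
    rule whose source and destination are both 'any'. A zero-trust policy
    should carry no such rule and should end in a block default."""
    findings = []
    for section in ET.fromstring(xml_text).iter("section"):
        for rule in section.findall("rule"):
            if rule.get("disabled") == "true":
                continue  # not enforced, but worth cleaning up separately
            if rule.findtext("action", "").lower() != "allow":
                continue
            if _is_any(rule, "sources") and _is_any(rule, "destinations"):
                reason = "allow any->any"
                if _is_any(rule, "services"):
                    reason += " on any service"
                findings.append((section.get("name"), rule.get("id"),
                                 rule.findtext("name"), reason))
    return findings
```

Run against a live export, the two findings on the sample correspond to the rules a reviewer would expect to see tightened or replaced with an explicit block default.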

IDS and Firewall Tools

One thing I am missing in NSX is full-fledged IDS functionality. However, NSX does provide IPS services, such as McAfee® Network Security Platform, which allows organizations “to dynamically protect, manage, remediate, and support compliance in your Software-Defined Data Center with next-generation intrusion prevention system services.” (Intelsecurity.com, 2017).

NSX also supports third-party integration with Palo Alto Networks and Intel Security, which offer NSX-compatible IDS, but as I mentioned earlier, it is not the out-of-the-box solution that most companies would truly appreciate (in my view).

“For IDS only NSX supports Netflow and IPFix for exporting flow data which allows the use of any Netflow or IPFix capable IDS like Lancope StealthWatch.” (VMWare.com, 2017).

VMware NSX™ vs. Competitors

VMware has recently lowered prices for the NSX solution and offers the product in several editions that are cheaper than the top edition.

Figure 2 illustrates a 2015 Gartner analysis showing that VMware NSX is the most evaluated and most used of all the solutions on the market.

Figure 2 – Robuck (2015)

Cisco ACI is second, even though it is the more economical solution. Some industry analyses point to Cisco ACI now overtaking VMware (Figure 3).

Figure 3 – Router-switch.com (2013)

References

Chen, Z., Dong, W., Li, H., Zhang, P., Chen, X., & Cao, J. (2014). Collaborative network security in the multi-tenant data center for cloud computing. Tsinghua Science and Technology, 19(1), 82-94.

Robuck, M. (2015). Enter the Octagon: Cisco ACI vs. VMware NSX. [online] SDxCentral. Available at: https://www.sdxcentral.com/articles/news/enter-the-octagon-cisco-aci-vs-vmware-nsx/2015/11/ [Accessed 1 Dec. 2017].

O’Connor, R. (2016). Practical NSX Distributed Firewall. [online] Available at: http://raoconnor.com/2016/11/10/vmworld-sessions-practical-nsx-distributed-firewall-policy-creation/ [Accessed 1 Dec. 2017].

Intelsecurity.com. (2017). [online] Available at: http://www.intelsecurity.com/resources/sb-ngips-vmware-nsx-sd-data-centers.pdf [Accessed 1 Dec. 2017].

VMWare.com. (2017). VMWare virtual IDS/IPS appliance on the network over… |VMware Communities. [online] Available at: https://communities.vmware.com/thread/509786 [Accessed 1 Dec. 2017].

Router-switch.com. (2013). Choose Cisco ACI or VMware NSX? – Router Switch Blog. [online] Blog.router-switch.com. Available at: http://blog.router-switch.com/2015/09/choose-cisco-aci-or-vmware-nsx/ [Accessed 1 Dec. 2017].