NSX-T | Securing VM Network Traffic

Here are a few security features in VMware NSX-T, the Software-Defined Networking solution from VMware.

Distributed Network Encryption (DNE) – This is an optional security capability that can selectively encrypt east-west (E-W) traffic at the network layer when an application does not itself provide a secure channel. It is enforced in the hypervisor kernel to ensure data confidentiality, integrity, and authenticity between NSX-T nodes. In addition, DNE provides replay checking. Encryption rules are aligned to existing NSX-T DFW firewall rules, which simplifies aligning encryption policies to application boundaries. Encryption rules match on the same constructs used in DFW rules – source, destination, and services – with actions to encrypt and check integrity, check integrity only, or pass data with no encryption. NSX-T DNE supports granular, rule-based group key management. DNE uses symmetric-key cryptography with the AES-GCM MAC algorithm and a 128-bit key, with a configurable key rotation policy. DNE relies on a VMware-provided DNE key manager appliance for key management. DNE uses the ESP format to encrypt the network packet. DNE encapsulation is the last action in packet processing before the packet leaves the transport node, after overlay encapsulation, and the first action on the receiving side, followed by overlay decapsulation.

SpoofGuard – Provides protection against spoofing using MAC+IP+VLAN bindings, which can be enforced per logical port. SpoofGuard requires static or dynamic IP+MAC bindings (e.g., from DHCP/ARP snooping) for enforcement.

Switch Security – Provides stateless L2 and L3 security to protect logical switch integrity by filtering out malicious traffic (e.g., denial of service using broadcast/multicast storms) and unauthorized traffic entering a logical switch from VMs. This is accomplished by attaching a switch security profile to a logical switch for enforcement. The switch security profile has options to allow or block bridge protocol data units (BPDUs), DHCP server/client traffic, and non-IP traffic. It also allows rate limiting of broadcast and multicast traffic, both transmitted and received.

For more information, please read the following book:

Architecture and Design of VMware NSX-T for Workload Domains

For more NSX references, read “The Ultimate Guide to What’s New in VMware…” article.

