With the ever-increasing cases of data breaches resulting in information leaks and data loss, now is the time for every business to re-evaluate their security strategy to avoid undesired consequences, including lawsuits, damage to the firm’s reputation, and lost revenue or even bankruptcy. Business-critical applications and their corresponding data are the main IT assets of every organization. They are the assets your company can’t afford to lose.
Sadly, they become the main target in the eyes of a hacker today. Sophisticated attacks can be originated from several vectors, most-commonly starting with a company employee who happened to open an unsafe attachment that was sent in an email, thus allowing the “bad guys” to install their software and exploit vulnerabilities your business may not even be aware of. Or an in-house network engineer could unintentionally open access to the application from the outside world.
Upgrading Firewalls Is Not Enough
Most C-level officers and upper management try to improve their security posture by allocating more of their budget toward major software and hardware upgrades, including replacing their outdated firewalls, antivirus applications, and spam filters with more robust and secure versions. Unfortunately, this approach tends to neglect the holistic design, which then translates to a greater disappointment, unnecessary spending, and waste.
Today, many businesses still rely on the old security model of using firewalls and antivirus programs for business-critical application protection, which is not effective enough to keep the bad guys out—especially knowing how educated and sophisticated hackers have become.
How Can You Keep the “Bad Guys” Away?
In general, your firm will first need to run a security assessment to evaluate the current security posture and develop a plan to bridge the identified gaps. To initialize the process, you may want to start with a list of questions:
- Is the workstation network the same as the server network and what is the best practice?
- If a workstation or server gets compromised, how would I quickly and intelligently isolate it before it infects others without having to un-plug its network cable, and, more importantly, how do I prevent this from happening in the first place?
- Is every computer on the network protected against viruses with antivirus agent running that is also up-to-date?
- Are my firewalls functioning correctly and how effective are they? Is every critical application port locked down? When was the last time we validated our security solution?
Secondly, a solution qualification process needs to occur to identify products or techniques that will meet your requirements and rectify the uncovered problems. Start with these questions:
- Can the solution feasibly isolate (micro-segment) each device/asset from each other through firewall rules even though they are on the same network?
- Can the solution provide antivirus protection or is a separate product required?
- Some of the workloads are in the cloud—can this solution protect them as well? Is a “single pane of glass” solution available?
- We run virtual machines, physical servers, and containers. Will the solution be able to support them all?
Interestingly enough, there are many solutions on the market that will meet one or two of the requirements, but not many solutions that can meet them all in a single product.
Our Solution Recommendation
VMware NSX-T is a solution that provides a whole breadth of services, including virus protection, micro-segmentation, and support for on-premises and multi-cloud-based workloads and even containers.
With the release of VMware NSX-T 2.5, a number of remarkable enhancements geared toward improving a security posture have been introduced:
- FIPS 140-2 Compliance—Customers can now generate a FIPS compliance report, which enables you to configure/manage their NSX deployments in FIPS compliant mode.
- Service-Defined Firewalling—Service-defined firewalling was introduced earlier this year and is a combination of AppDefense and NSX specifically designed to mitigate threats in the on-prem or multi-cloud environments. It is a new proven approach that embraces the zero-trust network security model and allows you to create firewall rules and polices based on identity and attributes of workloads.
- East-West Traffic Inspection through Packet Mirroring—Customers are now able to monitor and inspect traffic by using a duplicate copy of packets, thus eliminating network latency and making the process non-intrusive.
- Layer 7 Support to NSX Edge Firewall and KVM Environments—It is possible now to apply Layer 7 application ID-based or context-aware rules to NSX edge (gateway) firewall for north-south traffic.
VMware NSX-T is the leader in the software-defined networking (SDN) market and truly shines when it comes to reducing the attack surface. The platform also enables consistent networking and intrinsic security for workloads of any type (virtual, physical, or bare-metal), as well as any location (edge, data center, or cloud). With this solution, you can ensure your business assets are intelligently secured.