Cisco Systems Application Centric Infrastructure (ACI) is the industry-leading SDN platform according to Gartner, outpacing NSX by a factor of 2:1. ACI continues to accelerate past NSX by enabling Micro Segmentation and End-Point Granularity. In real-world data centers, there are many simultaneous application delivery endpoints, including VMs from multiple hypervisors, bare-metal hosts, Linux containers, and layer 4 – 7 appliances that are both physical and virtual.

VMware recently published articles regarding this announcement and appears confused, inaccurately stating ACI capabilities. Juan Lage, a Principal Engineer at Cisco Systems, provides an accurate and detailed description of our capabilities and addresses VMware’s obvious misunderstanding in his article below my introduction.

After reading Juan’s article below, the only thing left to say to VMware NSX is: welcome to the “real world.”

When we announced last month the 1.2 release of ACI (http://newsroom.cisco.com/press-release-content?articleId=1732204) we knew that we were bringing a lot of value to our customers, but we also knew that as a consequence, we are making it more complicated for competing offerings, and that there would be reactions to our announcement.

This is why VMware’s blog “VMware NSX and Split and Smear Micro-Segmentation” (https://blogs.vmware.com/networkvirtualization/2016/01/vmware-nsx-and-split-and-smear-micro-segmentation.html) did not come as a surprise.

The author of the blog attempts to prove that only VMware NSX can provide micro segmentation. Also, it appears the author suggests that you are not protected from “the bad” guys if you don’t have VMware’s Micro Segmentation.

It is an interesting post, but it has several statements that are inaccurate and a few ideas and exaggerations that are recurring in NSX’s marketing and that we certainly disagree with.

The first idea we must disagree with is about the scope of the vision of a Data Center. To speak of data center security where every security perimeter has a diameter of one by defending a solution that only works for vSphere is not arrogant: it is naïve. As much as some vendors may dislike it, there are endpoints that are not Virtual Machines. And yes, even a server running ESXi is one of those. How can the NSX Micro Segmentation approach provide any lateral movement protection for the vmkernel itself? How can it do it for the management ports of the server on which ESX is running? Or for the physical filers that implement NFS shares?

And then, of course, there is a good percentage of Virtual Machines that do not run on VMware.

The second idea we need to disagree with is the very definition of Micro Segmentation.

What is Micro Segmentation?

In our understanding and that of the customers and partners that we work with on a daily basis, Micro Segmentation is about having the possibility of setting up policies with endpoint granularity. Notice we use the word “endpoint” rather than “Virtual Machine” because again, there are things other than VMs running in every data center.

Can we settle for that simple definition? This is what our customers are asking for.

And they are asking for it because Micro Segmentation has many great use cases. It helps minimize the attack perimeter, complicating or even impeding lateral movement. It can also help contain attacks by quarantining endpoints, and it facilitates remediation.

The author of the VMware blog makes the assumption that only NSX can implement security perimeters of one (one being a VM). This is not true. The Cisco ACI leaf switches can do per-Endpoint classification. We can definitely work with a perimeter of one for virtual and physical endpoints.

Cisco ACI has provided Micro Segmentation on vSphere since June 2015 by using the Cisco Application Virtual Switch (AVS). Since December 2015, with the ACI 1.2 release, we also provide Micro Segmentation for Microsoft Hyper-V and for bare metal workloads. We also plan to enable this functionality for Open vSwitch and to extend it to the native vSphere Distributed Switch (VDS) soon.


The author seems to be surprised or confused about how we can accomplish this using the VDS. We do agree that the VDS is a limited virtual switch compared to Open vSwitch or the Microsoft Virtual Switch. That is part of the reason why we developed and continue enhancing the Cisco AVS in the first place.

For instance, in Open vSwitch there’s the possibility of programming security rules using OpenFlow. The Microsoft Hyper-V vSwitch is also programmable using the Virtual Filtering Platform. Both these virtual switches offer this programmability in an open way, and both can use OpFlex (https://wiki.opendaylight.org/view/OpFlex:Opflex_Architecture) to be programmed.

But we can still work with the VDS to bring advantages to customers, simplifying software lifecycle management by saving them from having to manage kernel modules on vSphere.

About firewalls and traffic “inspection”

The second biggest misconception seems to be the assumption that to provide micro segmentation in ACI, all traffic needs to be sent to a centralized firewall for “inspection”. We have already clarified that the ACI policy model can block traffic that is not conforming to policy without a firewall.

We also think there’s some exaggeration in the way the author talks about traffic “inspection” as it relates to NSX. The author is comparing a set of physical firewalls with the NSX Distributed Firewall and assuming the inspection capabilities are similar. Here we have an issue, because this leads to the perception that the NSX DFW capabilities are similar to those of a Cisco ASA, or a Palo Alto, Fortinet or Checkpoint firewall.

The word “firewall” and the term “traffic inspection” are not used with rigor in the blog. A firewall that only looks at L4 headers and keeps L4 connection state does not really “inspect” traffic. Certainly not when it is being compared to a security device that may actually terminate connections to look at application-level threats, or that looks deep into the packet (i.e. beyond L4 packet headers) to detect, for instance, VoIP packets on HTTP, or to block at URL level. Next Generation Firewalls (NGFW) do that. NSX firewalls do not do that. Nor does the ACI fabric.

From what we know, the NSX Firewalls (both the ESG and DFW) implement something similar to Netfilter’s Connection Tracking (https://en.wikipedia.org/wiki/Netfilter). This basically keeps state of TCP flow sessions as you implement port-level filtering.

The ACI contract model also provides L4-port level security for east-west traffic. While the fabric does not keep TCP state, it also does not require the endpoints to dedicate any compute capacity to run a L4-port level packet filter.
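The difference between a port filter that keeps no TCP state and one that tracks connections can be seen in a small model. This is an added example, not code from Cisco, VMware or the original article, and it is a generic illustration rather than the ACI contract or NSX DFW implementation; the endpoint names, the port and the packet sequence are constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

# Constructed policy for a generic model (not ACI or NSX code):
# endpoint "app" may open TCP connections to endpoint "web" on port 80.
ALLOW = ("app", "web", 80)

def is_forward(p):
    return (p.src, p.dst, p.dport) == ALLOW

def stateless_permit(p):
    """Port filter without TCP state: forward rule plus a mirrored return rule."""
    is_return = (p.dst, p.src, p.sport) == ALLOW  # can only match on source port
    return is_forward(p) or is_return

class ConnTracker:
    """Minimal connection tracking: a flow exists only after a permitted SYN
    and is forgotten once either side sends a RST."""
    def __init__(self):
        self.flows = set()

    def permit(self, p):
        if is_forward(p):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":
                self.flows.add(key)
        else:
            key = (p.dst, p.dport, p.src, p.sport)
        allowed = key in self.flows
        if allowed and "R" in p.flags:
            self.flows.discard(key)
        return allowed

# Constructed packet sequence (flags: S=SYN, A=ACK, P=PSH, R=RST).
PACKETS = [
    Packet("app", 40000, "web", 80, "S"),    # client opens the connection
    Packet("web", 80, "app", 40000, "SA"),   # server answers
    Packet("app", 40000, "web", 80, "A"),    # handshake completes
    Packet("web", 80, "app", 51000, "A"),    # no SYN ever opened this flow
    Packet("web", 80, "app", 40000, "R"),    # server resets the connection
    Packet("web", 80, "app", 40000, "PA"),   # data after the reset
]

def compare(packets):
    """Return (stateless, stateful) verdicts for each packet, in order."""
    tracker = ConnTracker()
    return [(stateless_permit(p), tracker.permit(p)) for p in packets]
```

Both filters agree on the handshake and the reset; they differ only on the fourth and sixth packets, which match the port rule but belong to no open connection.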

Again, to compare a basic stateful packet filtering mechanism with the security provided by a Checkpoint, Cisco, Fortinet, or Palo Alto NextGen firewall only helps to confuse customers and create wrong perceptions of security. Security teams must seriously evaluate whether their requirements are adequately addressed by the NSX DFW compared to the advanced capabilities of available Next Generation Firewalls (NGFW).

And the truth is that a Next Gen Firewall may well be required between certain application tiers. After all, customers no longer use only L4-port level security at the perimeter. The security posture for East-West in certain application environments does not differ much from the North-South. Which leads to our final consideration.

Is Micro Segmentation all I need for Data Center Security?

Definitely not. And on this point, I am sure we are in agreement with other vendors including VMware.

Micro Segmentation helps in many ways. Increasing East-West security is one. But let’s say that you use NSX or ACI to allow only HTTP between a set of endpoints: neither solution can block URL-level attacks. Similarly, neither NSX nor ACI can natively block SQL injection attacks. And this is to name just two really basic examples.

To provide protection for modern attacks you need a NGFW that can really inspect traffic. To provide NGFW filtering for East-West traffic when using NSX, you are limited to using virtual editions of the supported vendors. This may be adequate for some scenarios, but it is expensive in compute resources and provides low per-host performance. What is the point of having 10GE capable servers when the NGFW will limit you to 1-2 Gbps while consuming a few vCPUs?

With ACI, NGFW and other advanced network service devices can be inserted for both Perimeter and East-West traffic flows. Customers can choose to use NGFW virtual editions, or physical editions, or a combination of both. This way, access to a high-performance DB can go through a hardware NGFW that can achieve multi-10Gbps, while a virtual NGFW is used for development environments, for instance.

This is an area where ACI delivers a great advantage because of its flexibility and true multi-tenancy. By contrast, NSX limits customers to using virtual editions only, without any multi-tenancy support.

ACI helps in these scenarios using the same model when a NGFW, or an ADC, or an IPS/IDS is required for East-West or for North-South, whether using virtual or physical form factors: Service Graphs (http://blogs.cisco.com/datacenter/new-innovations-for-l4-7-network-services-integration-with-ciscos-aci-approach).

Final comments and conclusion

We welcome blogs like this one (https://blogs.vmware.com/networkvirtualization/2016/01/vmware-nsx-and-split-and-smear-micro-segmentation.html). They reflect misconceptions that may be shared across a large number of customers and partners and give us the opportunity to clarify them.

The reality is that Cisco ACI does deliver Micro Segmentation for Microsoft, Bare Metal and vSphere Environments with endpoint granularity, and soon will do it for KVM as well. And the best part of it all is the fact that you can also run NSX Micro Segmentation on top of ACI. We are not putting limits to that.

The following table can help customers understand when NSX and ACI are valid solutions for implementing Micro Segmentation in their environments.

[Image: table of the environments in which NSX and ACI can implement Micro Segmentation]

The reality is also that Micro Segmentation is a great tool in the toolbox, but only one of many that are required in a Data Center Security strategy. ACI helps to insert and automate virtual and physical NGFWs from many vendors as well as IPS/IDS systems, and provides the foundation for automated security for the perimeter and for inside the perimeter, for single-tenant and for multi-tenant environments.

The reality is also that there is no one single product that can help customers be completely safe from “the bad” guys. But we are all here to work on getting better security, one step at a time.


Frank D'Agostino

No Longer with Cisco