October 13, 2017

How to Overcome VMware NSX Security Deployment Challenges

This article is a follow-up from my first blog from September 6. In that article, I reviewed NSX and all of the announcements related to it from VMworld 2017. It really is being set up to become VMware’s hallmark product over the next few years, and overall, VMware has done a very good job with it.

However, I made note that some NSX deployments are not without challenges. One critical customer impediment is the high cost to deploy all the NSX features, especially the security features on existing server production environments.

For example, in situations when a full set of security features is desired to protect critical data – such as firewalling and encrypting data at rest or when sent from VM to VM – the required processes can quickly use up all available server CPU cores. Additionally, this can create situations where the applications themselves become unstable and/or not perform as consistently as required (if at all during times of high stress).

Let’s take a closer look at some numbers to illustrate the situations that cause these types of issues:

  • First, we asked VMware what the typical production environment its customers currently use today. This would help set a baseline to understand the number of environments customers might want to deploy NSX into. In this case, the answer was typically eight core servers but sometimes as high as 16.
  • Without running any additional services, NSX or the hypervisor uses at least 1 CPU core. (Data straight from VMware.)
  • If we assume three virtual machines as well as their respective operating systems and applications, this scenario uses all of the cores when these applications are running under load.
  • Now the critical question: What capacity is required to also run security processes such as IPSec encryption, server encryption, key encryption or any other type of encryption software? Well, if we run it as IPSec encryption-in-motion, machine to machine at 10Gig line rate, it can chew up 40% of a 16 core server environment. That’s over six cores … and that doesn’t include encrypting data from virtual machine to virtual machine on the same host or data at rest when storing the data. We also have not factored in firewalling, microsegmentation or any other value-added security service.
  • Finally, it’s not out of the realm of possibility that NSX can require full-scale server upgrades to run these advanced security services, even on 16 core servers.

Fortunately there are better options than the massive disruption of ripping out and replacing servers that may not yet be fully depreciated – especially with very expensive 32-core systems that are now quietly recommended.

At ARIA Cybersecurity, we have always been the industry leader at offloading critical applications from server cores to run on processors on the NIC with our Myricom line of SmartNIC network adapters.

We can provide the same capabilities to offload these security and other functions to the NIC card. This preserves the investment in existing servers, supports the decision to add NSX and all the security features mentioned above while ensuring determinist high-performance for all critical applications running on the server cores.

We do this at a fraction of the cost of other solutions and approaches and can provide a path to 25Gig network interface speeds. Contact us to learn more, or download our SDS overview and SIA and Orchestrator datasheet using the below link.


Tags: data breach, cybersecurity, data protection