VMware and NSX: You Can't Have Your Cake and Eat It Too

Written by ARIA Cybersecurity Solutions | Sep 6, 2017 8:35:12 PM

This is the first in a series of blog posts in which we explore how to take advantage of the NSX open architecture in order to fully leverage the functionality it can provide for complete network flexibility and security. Having just returned from VMworld 2017, I have to say that it was an eye opener, both from a technology perspective and for the insights into how the market is moving.

One of the biggest shifts was VMware’s acknowledgement of the rising tide of containers as a better way to develop and run many applications rather than using VMs. Instead of fighting the trend, they have embraced both containers and K8s as the way to manage them.

It’s also clear that VMware NSX is being widely adopted by the largest ESX shops. In fact, if you listen to the vision, the next-generation NSX-T will be the central, if not dominant, platform sold by VMware because it will run with any VM hypervisor and not just ESX.

Even AWS has been brought into the fold. Bundling VMware (ESX and NSX) on top of dedicated EC2 infrastructure will allow enterprises to buy elastic compute and overflow onto the VMware-controlled EC2 instances.

VMware NSX’s strength comes from the breadth of vision VMware has for this product, and from the decision to put hooks into it that allow straightforward connection of third-party applications. Network data security is clearly an area of focus, but it is expanding to cover vulnerability management and even security compliance. Given all this functionality, VMware NSX has become an attractive way to connect, visualize, control, and protect compute assets. Even better, it comes from one vendor who is orchestrating an ecosystem of many others to offer a very compelling solution.

A closer look at the true costs

This sounds fantastic, right? And it is – but don’t think that you’ll be getting a free lunch. I took a look at the numbers, and it’s clear that, for most organizations, the price tag for the virtualization and flexibility is pretty steep.

Let’s start with compute overflow onto four VMware-/AWS-dedicated servers. This is the smallest four-pack bundle VMware sells, at a cost slightly over $8,700 per month. It includes the base VM and VMware NSX running on four EC2 dedicated servers, including an undisclosed amount of storage. It’s worth pointing out that adding S3 storage comes at an additional cost. The annual cost for those four servers, with just the hypervisor licenses, comes to $105,000 per year. Suddenly that “overflow” is looking pretty expensive.


To be fair, VMware is simply marking up the AWS price. Now some could say, “I only need a few months of extra compute for a limited project.” Yet VMware’s own examples show this as a way to offload hot spots from daily production on an ongoing basis. More likely, this model’s best use is to let you literally buy time until you can purchase more physical servers and get them in place, or rip and replace what you have (with its own high costs). The point is that you don’t want to keep using compute overflow capacity on a permanent basis; you’ll want to use it briefly until you get a cheaper physical alternative in place.

Let’s next look at virtualizing security functions, which is a big focus of VMware NSX. Today’s next-generation firewalls, IDS, and IDP solutions rely on dedicated hardware to get the job done at wire rate. If we were to move all of a next-generation firewall’s functions onto a standard 16-core production server running Linux, VMs, and the fully licensed NSX in the hypervisor, we would likely chew up at least 25% of the capacity before we even add the NG firewall application. It could take as many as four such servers when the application is under peak load, if we need to sustain a 20G bidirectional load.

If we want to protect all East-West traffic, in addition to North-South, a server per 10G link will likely be needed to provide enough next-generation firewall capability under full wire-rate load. This seems to indicate that the price will be a barrier to full-blown adoption, unless the operational value of having such security functions controlled by NSX Manager really can be shown to justify the expenditure.

So the economics prove that there is no free lunch. In other words, the value of abstracting or virtualizing, namely the added flexibility and the potential for greater productivity, comes at a cost that may be far more than what today’s budgets can bear.

Stay tuned for a follow-up article that describes how ARIA Cybersecurity can apply intelligent offload to help relieve many of these underlying server core costs.

Learn how you can improve your overall security approach for faster, more cost-effective incident response. Download our whitepaper, “Automated Investigative Response: Intelligent Cyber-Threat Identification for Meeting Compliance Deadlines.”