Recipe #2: How Device42 Helps Microsegment Your SDN

This is the second in a series of recipes for things you can do with Device42 that you may not have thought of.

VMware NSX and Cisco ACI are two popular platforms for building a secure software-defined network (SDN). There's a heated rivalry between the two vendors as they battle for market share, but each product has advantages on paper that can turn into headaches in practice. Specifically, our customers have found that microsegmentation, a standout security feature in both products, can cause significant communication problems between applications during implementation. Here's how Device42 can smooth that out.

What do ACI and NSX bring to the table?

Both ACI and NSX are designed to transform enterprise networks by adding more security, attaching them to the cloud, and giving administrators more control.

In our experience, VMware NSX is typically favored by infrastructure and cloud teams. Its particular selling point is microsegmentation: the ability to break an internal network into virtualized segments, with policy enforced all the way down to the individual VM or workload. This enhances security by limiting an attacker's ability to move laterally between segments once a single workload has been compromised.

Over 60 percent of organizations say that their main security challenge is securing enterprise applications in highly distributed environments. Microsegmentation is a direct answer to that problem.

Meanwhile, Cisco ACI is often promoted by network administrators. ACI stands for "application centric infrastructure," and it was released as a way for administrators to configure networks through centrally defined policy and automation rather than by manually setting up each router and switch.

ACI is also an adept security tool when it comes to implementing microsegmentation. With over 50 percent of companies estimated to have adopted microsegmentation by the end of 2019, it's important that both NSX and ACI support the technique. Unfortunately, the security advantages of microsegmentation come with a less obvious drawback.

Microsegmentation: great for security, less so for implementation

Let’s start by saying that there’s nothing wrong with microsegmentation. Microsegmentation is great, it lives up to its promise as a security technique, and anyone who hasn’t already implemented microsegmentation should think seriously about doing it.

The problem isn't with microsegmentation per se. It's with the applications being segmented. A microsegmented environment denies traffic by default, so every flow an application needs has to be explicitly allowed, and there's rarely documentation complete enough to tell you what those flows are.

Here's a fairly common user story. It's 2:00 am, you're deploying an application into a microsegmented environment and it doesn't work. It should work: you've configured everything according to the developer's specifications, but core functions are still failing to respond.

After checking the firewall logs you discover that the application is trying to reach ports that are blocked. You open those ports and the application starts working, partially. Traffic is now flowing through the newly opened ports, but it soon runs into the next port that is blocked. You keep opening ports this way until the application works properly, but by then it's 4:00 am, you're behind schedule, other people have been rousted out of bed, and nobody is having fun. Worse, every port opened in a hurry at 4:00 am is a rule someone will have to justify, or quietly forget about, later.
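The loop in that story (find one blocked port, open it, rerun, find the next) can be collapsed into a single pass over the deny logs. The script below is an added example and is not Device42 code, nor any real NSX or ACI log format: the log lines and the "documented" flow list are constructed for illustration, in a hypothetical syslog-like format, and the regex would need adapting to your firewall's actual deny records. It collects every distinct flow the application was denied, compares that set against what the vendor documentation promised, and renders the gap as generic allow rules. Note that it only keeps denials whose source is the application itself; the inbound drop from 10.9.9.9 to port 22 is exactly the kind of line you do not want turning into an allow rule at 4:00 am.

```python
"""Derive an application's missing allow rules from firewall deny logs in one pass.

Added example, not Device42 code and not a real NSX/ACI log format. Log lines
and the documented-flow list are constructed; adapt LINE_RE to your firewall.
"""
import re

# Constructed sample: what a firewall might log while an app at 10.1.2.10 tries
# to reach its database, cache, message broker and DNS behind default-deny
# segments. The last line is an inbound SSH probe from an unrelated host.
SAMPLE_DENY_LOG = """\
2024-05-03T02:01:11Z fw1 action=DROP proto=TCP src=10.1.2.10 dst=10.1.3.20 dport=5432
2024-05-03T02:01:12Z fw1 action=DROP proto=TCP src=10.1.2.10 dst=10.1.3.20 dport=5432
2024-05-03T02:01:15Z fw1 action=ALLOW proto=TCP src=10.1.2.10 dst=10.1.3.30 dport=443
2024-05-03T02:01:20Z fw1 action=DROP proto=TCP src=10.1.2.10 dst=10.1.3.40 dport=6379
2024-05-03T02:01:25Z fw1 action=DROP proto=TCP src=10.1.2.10 dst=10.1.3.50 dport=5672
2024-05-03T02:01:30Z fw1 action=DROP proto=UDP src=10.1.2.10 dst=10.1.3.60 dport=53
2024-05-03T02:01:33Z fw1 action=DROP proto=TCP src=10.9.9.9 dst=10.1.2.10 dport=22
"""

# Constructed stand-in for the vendor's (incomplete) connectivity documentation:
# the spec only mentioned the database and an HTTPS endpoint.
DOCUMENTED_FLOWS = [
    ("TCP", "10.1.2.10", "10.1.3.20", 5432),
    ("TCP", "10.1.2.10", "10.1.3.30", 443),
]

# Hypothetical key=value deny-log format; real firewalls differ.
LINE_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def denied_flows(log_text, app_ip):
    """Return the set of distinct (proto, src, dst, dport) flows denied FROM app_ip.

    Only outbound denials whose source is the application are kept, so inbound
    scans against the app never become candidate allow rules. Collecting every
    denied flow up front replaces the open-one-port-and-rerun loop.
    """
    flows = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "DROP" or m["src"] != app_ip:
            continue
        flows.add((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows


def undocumented_flows(observed, documented):
    """Flows the application actually needs that its documentation never listed."""
    return observed - set(documented)


def allow_rules(flows):
    """Render flows as deterministic, generic allow rules (not NSX or ACI syntax)."""
    return [f"allow {proto} {src} -> {dst}:{port}"
            for proto, src, dst, port in sorted(flows)]


if __name__ == "__main__":
    observed = denied_flows(SAMPLE_DENY_LOG, "10.1.2.10")
    missing = undocumented_flows(observed, DOCUMENTED_FLOWS)
    print("Denied flows from the app:", len(observed))
    print("Flows the documentation never mentioned:")
    for rule in allow_rules(missing):
        print("  " + rule)
```

Run it once against the deny log gathered during a staging deployment and you get the whole allow-list, plus a list of flows to push back to the application owner as documentation gaps, instead of discovering them one port at a time in production.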

Applications aren’t being designed with microsegmentation in mind

The problem here is that your application shipped with incomplete documentation. It's not necessarily the developer's fault: they built the application on the assumption that nearly any connection would be permitted as long as it stayed behind the organization's perimeter firewall. With many of those connections now blocked by default, the application doesn't function as it should.

East-west traffic between applications now accounts for up to 77 percent of all data center traffic. Microsegmentation puts policy enforcement in the path of exactly that traffic, so administrators should be prepared for friction. Although NSX and ACI are both good data center management tools that make microsegmentation easy to implement, both need an additional capability to overcome the friction caused by their applications' opaque connectivity requirements. That capability is provided by Device42.

Device42 augments microsegmentation tools with clear visibility

Application dependency mapping in Device42 lets administrators see, at a glance, exactly which ports must be open for applications to communicate, before those applications are deployed. Device42 connects natively with both NSX and ACI, allowing you to get the communication right up front and take advantage of the security inherent in microsegmentation.

For more information on Device42 and how you can use it to improve your security and network administration, download a free demo today!
