Hydra 1303

All News Items

NSX-T Firewalling

from the Hydra High Council Dec 9th 2020
In this blog post we will be covering one of the most important aspects for customers… security.

NSX-T provides security for East-West and North-South traffic using services such as the Distributed Firewall and the Gateway Firewall. But before getting into details on how these security services work, let's talk about some of the challenges with traditional security.

Traditional Security Design

A traditional datacenter security implementation will have at a minimum a perimeter firewall to control of what leaves and enter the datacenter.

Datacenter with Perimeter Firewall

If this were a house, we've effectively locked the front door. But what if a malicious person is able to break this first line of defense? Once inside, there won't be any protection within the datacenter.

Malicious Person (or evil cat) Breaking Through the Perimeter Firewall

We could add a second line of defense inside the datacenter with a firewall in front of every server (microsegmentation), but traditionally, this has not been operationally feasible.

And there are additional complications to consider. What if the workload needs to be migrated to another host, cluster, or datacenter? We need to make sure that its security policies will be enforced at the destination.

Workload Live-Migrated to Different Datacenter

Another challenge with traditional security is the way rules are enforced. Traditional firewalls do not prevent lateral communication between workloads in the same L2 segment. This means that in order to have the firewall apply security policies between workloads, they have to be placed in different L2 segments to force traffic to traverse the firewall.

Firewall Enforcing Rules Between Workloads on Different L2 Segments

NSX-T security services are much more flexible compared to the traditional approach and can easily overcome these challenges.

NSX-T Firewalls

NSX-T has two main firewalls: Distributed Firewall and Gateway Firewall

The Distributed Firewall lives in the kernel of the hypervisor and it controls traffic entering and leaving the vNIC of each virtual machine. Every vNIC will have a connection table tracking the flows and a firewall table containing all of the rules.

Firewall at the vNIC Level

This level of granularity is what we call microsegmentation and it cannot be achieved with traditional security. If you think about it, it's like placing a physical firewall at the door (vNIC) of every VM, controlling the I/O path. This means that microsegmentation rules can be applied to workloads in the same L2 segment.

Workloads can also be migrated to another host, cluster or datacenter and their security policies will follow.

Security Policies Follow the VM

The Gateway Firewall is configured at the Tier-0 and Tier-1 northbound-facing interface. It

provides a Perimeter Firewall that can be used in conjunction with the physical Perimeter Firewall. It requires an Edge Cluster to host the SR component.

Gateway Firewall

Additional Security Services

In addition to the Distributed Firewall and Gateway Firewall, NSX-T also supports a Distributed IDS which connects to a repository called Trustwave to download intrusion detection signatures. Using these signatures, the Distributed IDS can identity attackers attempting to exploit a known OS or application vulnerability.

In NSX-T 3.1, a Distributed IPS was introduced which can block attacks based on signatures configured for inspection.

URL Analysis is another security service. It monitors users' access to external websites. It classifies websites into different categories and assigns a reputation score. For now, it only provides insight into which websites are being accessed. Currently, it isn't possible to allow or drop traffic based on the reputation score or category of a particular website.

Third-party vendors supported by NSX-T can also insert their security services. Examples include agentless antivirus, anti-malware, IDS, IPS, NGFW, etc… that can be leveraged to strengthen and expand your security capabilities.


The design and function of NSX-T security differs from traditional security in significant ways. Traditional security is built around a fixed physical infrastructure topology, requiring often suboptimal designs to work around physical limitations. In contrast, NSX-T builds its security around the application instead of the physical topology. Where the application is located is much less important because the security follows the workload itself.

Hopefully, this blog post brings some clarity to better understand NSX-T Firewalling!!