Maximize Data Center Security With Fortinet and VMware

Written by Greg LaBrie | May 14, 2019 12:45:00 PM

As enterprises continue to invest in virtualization, keeping a data center – and the data and applications they store – secure is the cornerstone of success. There are two security concerns that are quickly becoming the most prominent, and Fortinet has answers to them both.

First – the most common security architectures seen today revolve around building a strong perimeter defense with a primary goal to keep threats from penetrating the data center. When a threat does inevitably breach the inner sanctum, however, this design allows it to move freely through even the most sensitive of information.

Second – there is a need for manual intervention when it comes to deploying and managing an expanding data center. This can result in costly mistakes and noticeable slowdown of growth and expansion.

Fortinet Offers Software Defined Data Center Security Solutions

A software defined data center (SDDC) approach enables fundamentally better data center security. Fortinet leverages VMware NSX, the network virtualization pillar of the SDDC, to fully automate FortiGate-VMX 2.0 for advanced protection of server-to-server traffic inside the data center.

In turn, NSX enables FortiGate-VMX security nodes to be deployed automatically, with automated configuration of security policies per workload – providing maximum consistency and visibility into threats while reducing error-prone manual intervention.

FortiGate-VMX 2.0 further integrates with NSX to implement a new model for consuming network and security services. It allows IT administrators to provision and assign firewall policies and security applications to application workloads in real time.

Automated Provisioning And Orchestration Via Fortinet VMware NSX

In VMware NSX-enabled data centers, FortiGate-VMX deployments are fully automated to address elastic workloads and constantly changing ESXi clusters. Policy is dynamically synchronized with all FortiGate-VMX instances in the complete security cluster. This solution supports re-balancing of workloads in an ever-changing environment.

The NSX distributed firewall is a stateful firewall that runs in the kernel and performs L2-L4 traffic filtering. NSX enables policy to be applied at the virtual layer and intercepts traffic at the hypervisor level, so no workload can bypass inspection, and, where policy requires it, selectively steers traffic to FortiGate-VMX for advanced inspection.

Persistent Data Center Security Utilizing VMware NSX Micro-Segmentation

VMware NSX provides inherent network isolation and trust zones to make micro-segmentation easier than ever before. IT administrators can describe the service functions and workload characteristics to designate proper security policies for app, web or data tiers by asking questions like, “What will this workload be used for?” and “Who can access the workload?”

Micro-segmentation merges these characteristics to define inherited policy attributes as they are added to the security cluster, without the need to configure firewall rules and complex access control policies.

The layered approach to security policy filtering, and mapping workload characteristics, allows administrators to segment a single policy into sub-policies and create a network segment to apply those rules. It also provides the server-to-server inter-VM traffic visibility in the SDDC.
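As an added illustration (not Fortinet's or VMware's code, and not the NSX API), the following Python model shows the idea behind tag-driven micro-segmentation: policy is written against workload characteristics rather than individual VMs, so a workload added later inherits the rules for its tier, east-west flows that no rule permits are denied by default, and selected flows are marked for steering to the advanced-inspection node. All workload names, tags and ports are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model constructed for this example; names and tags are made up.

@dataclass(frozen=True)
class Workload:
    name: str
    tags: frozenset          # characteristics such as "tier=web", "app=shop"

@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    port: Optional[int]      # None matches any port
    action: str              # "allow", "inspect" (steer to the security node) or "deny"

# Constructed policy for a three-tier application, expressed only in tags.
POLICY = (
    Rule("tier=web", "tier=app", 8080, "inspect"),   # east-west flow sent for advanced inspection
    Rule("tier=app", "tier=db", 5432, "allow"),      # app tier may reach the database
)

def evaluate(policy, src, dst, port):
    """Resolve the action for one flow; any flow no rule permits is denied."""
    for rule in policy:
        if rule.src_tag in src.tags and rule.dst_tag in dst.tags and rule.port in (None, port):
            return rule.action
    return "deny"

def group_members(workloads, tag):
    """Dynamic security group: membership follows tags, not a static VM list."""
    return sorted(w.name for w in workloads if tag in w.tags)

def demo():
    web1 = Workload("web-01", frozenset({"tier=web", "app=shop"}))
    app1 = Workload("app-01", frozenset({"tier=app", "app=shop"}))
    db1 = Workload("db-01", frozenset({"tier=db", "app=shop"}))
    inventory = [web1, app1, db1]
    results = {
        "web->app:8080": evaluate(POLICY, web1, app1, 8080),  # inspect
        "web->db:5432": evaluate(POLICY, web1, db1, 5432),    # deny: no lateral path from web to db
        "app->db:5432": evaluate(POLICY, app1, db1, 5432),    # allow
        "app->db:22": evaluate(POLICY, app1, db1, 22),        # deny: port not covered by policy
    }
    # An elastically added web node inherits the web-tier policy without any new rule.
    web2 = Workload("web-02", frozenset({"tier=web", "app=shop"}))
    inventory.append(web2)
    results["web-02->app:8080"] = evaluate(POLICY, web2, app1, 8080)  # inspect
    results["web_group"] = group_members(inventory, "tier=web")       # ['web-01', 'web-02']
    return results

if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{flow}: {action}")
```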

VMware NSX Enables Full Automation Of FortiGate VMX In The Data Center

There are two main components in the solution:

  • FortiGate-VMX Service Manager not only registers the security service definitions with NSX, but also centralizes license management and configuration synchronization with all FortiGate-VMX Security Node instances
  • FortiGate-VMX Security Node instances process run-time traffic and enforce policy

FortiGate-VMX Service Manager communicates directly with the NSX environment. It registers the FortiGate-VMX security service to allow for enablement and auto-deployment of required FortiGate-VMX security nodes. The management plane flow is two-way in that the FG-VMX service manager supplies service definitions to the NSX manager, while the NSX manager sends updates to the FortiGate-VMX service manager about new or updated dynamic security groups and objects, upon which policy is based in real time.

FortiGate-VMX Service Manager obtains proactive security threat updates from FortiGuard and synchronizes those updates to all FortiGate-VMX security nodes.

Next Steps: One use case where Fortinet and VMware NSX are helping our customers is with managing network security at branch locations and remote offices. Find out how you can transform security at your branch locations by reading our white paper, "Three Use Cases for Transforming Branches with Fortinet Secure SD-WAN".