First – the most common security architectures seen today revolve around building a strong perimeter defense with a primary goal to keep threats from penetrating the data center. When a threat does inevitably breach the inner sanctum, however, this design allows it to move freely through even the most sensitive of information.
Second – there is a need for manual intervention when it comes to deploying and managing an expanding data center. This can result in costly mistakes and noticeable slowdown of growth and expansion.
A software-defined data center (SDDC) approach enables fundamentally better data center security. Fortinet leverages VMware NSX, the network virtualization pillar of the SDDC, to fully automate FortiGate-VMX 2.0 for advanced protection of server-to-server traffic inside the data center.
In turn, NSX enables FortiGate-VMX security nodes to be automatically deployed and allow effective, automated configuration of security policies per workload – providing maximum consistency and visibility into threats while reducing error-prone manual intervention.
FortiGate-VMX 2.0 further integrates with NSX to implement a new model for consuming network and security services. It allows IT administrators to provision and assign firewall policies and security applications to application workloads in real time.
In VMware NSX-enabled data centers, FortiGate-VMX deployments are fully automated to address elastic workloads and constantly changing ESXi clusters. Policy is dynamically synchronized with all FortiGate-VMX instances in the complete security cluster. This solution supports re-balancing of workloads in an ever-changing environment.
The NSX distributed firewall is a stateful firewall that runs in the hypervisor kernel and performs L2-L4 traffic filtering. NSX applies policy at the virtual layer and intercepts traffic at the hypervisor level, so no workload can bypass inspection; where policy requires it, traffic is selectively steered to FortiGate-VMX for advanced inspection.
VMware NSX provides inherent network isolation and trust zones to make micro-segmentation easier than ever before. IT administrators can describe the service functions and workload characteristics to designate proper security policies for app, web or data tiers by asking questions like, “What will this workload be used for?” and “Who can access the workload?”
Micro-segmentation merges these characteristics to define policy attributes that workloads inherit as they are added to the security cluster, without the need to configure firewall rules and complex access control policies per workload.
The layered approach to security policy filtering, and mapping workload characteristics, allows administrators to segment a single policy into sub-policies and create a network segment to apply those rules. It also provides the server-to-server inter-VM traffic visibility in the SDDC.
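To make the micro-segmentation model above concrete, here is an added, simplified Python model (not Fortinet's or VMware's code, and not the NSX API) of what the preceding paragraphs describe: workloads carry characteristic tags, security groups are defined by tag criteria rather than by IP address, and rules reference groups and produce one of three outcomes, allow or deny in the L2-L4 distributed firewall, or redirect to the FortiGate-VMX security node for advanced inspection. Group membership is evaluated at flow time, so a newly added workload with the right tags inherits the policy with no rule edits. All group, tag, port and workload names are constructed for the example.

```python
"""Toy model of tag-driven micro-segmentation with service insertion.

Added illustration only; the real NSX membership criteria, rule sections and
service-insertion semantics are richer than this model.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Union

ANY = "any"  # wildcard for a source/destination group or a port

@dataclass(frozen=True)
class Workload:
    name: str
    tags: FrozenSet[str]  # characteristics such as "tier:web" or "app:crm"

@dataclass(frozen=True)
class SecurityGroup:
    name: str
    criteria: FrozenSet[str]  # a workload belongs if it carries all of these tags

    def contains(self, wl: Workload) -> bool:
        return self.criteria <= wl.tags

@dataclass(frozen=True)
class Rule:
    src: str               # security group name or ANY
    dst: str               # security group name or ANY
    port: Union[int, str]  # destination port or ANY
    action: str            # "allow" | "deny" | "redirect" (redirect = steer to the security node)

class MicroSegPolicy:
    """First matching rule wins; anything unmatched falls to the default action."""

    def __init__(self, groups: Iterable[SecurityGroup], rules: Iterable[Rule], default: str = "deny"):
        self.groups: Dict[str, SecurityGroup] = {g.name: g for g in groups}
        self.rules: List[Rule] = list(rules)
        self.default = default

    def groups_of(self, wl: Workload) -> Set[str]:
        # Membership is computed dynamically from tags, never stored per VM.
        return {name for name, g in self.groups.items() if g.contains(wl)}

    def _matches(self, selector: str, wl: Workload) -> bool:
        return selector == ANY or selector in self.groups_of(wl)

    def evaluate(self, src: Workload, dst: Workload, port: int) -> str:
        for r in self.rules:
            if self._matches(r.src, src) and self._matches(r.dst, dst) and r.port in (ANY, port):
                return r.action
        return self.default

# Constructed three-tier policy: edge -> web is plain L2-L4 filtering, web -> app
# is steered to the security node for deep inspection, and only the app tier may
# reach the data tier.
GROUPS = [
    SecurityGroup("web-tier", frozenset({"tier:web"})),
    SecurityGroup("app-tier", frozenset({"tier:app"})),
    SecurityGroup("db-tier", frozenset({"tier:db"})),
]
RULES = [
    Rule(ANY, "web-tier", 443, "allow"),
    Rule("web-tier", "app-tier", 8080, "redirect"),
    Rule("app-tier", "db-tier", 3306, "allow"),
    Rule(ANY, "db-tier", ANY, "deny"),
]
POLICY = MicroSegPolicy(GROUPS, RULES)

def demo() -> Dict[str, str]:
    """Evaluate a few constructed flows, including one from a workload added later."""
    client = Workload("branch-client", frozenset({"zone:external"}))
    web1 = Workload("web-01", frozenset({"tier:web", "app:crm"}))
    app1 = Workload("app-01", frozenset({"tier:app", "app:crm"}))
    db1 = Workload("db-01", frozenset({"tier:db", "app:crm"}))
    # web-02 joins the cluster after the policy was written; no rule is touched.
    web2 = Workload("web-02", frozenset({"tier:web", "app:crm"}))
    return {
        "client->web-01:443": POLICY.evaluate(client, web1, 443),
        "web-01->app-01:8080": POLICY.evaluate(web1, app1, 8080),
        "web-02->app-01:8080": POLICY.evaluate(web2, app1, 8080),
        "app-01->db-01:3306": POLICY.evaluate(app1, db1, 3306),
        "web-01->db-01:3306": POLICY.evaluate(web1, db1, 3306),
        "client->app-01:8080": POLICY.evaluate(client, app1, 8080),
    }

if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:24s} -> {verdict}")
```

The point the model makes is the one in the text: the rule set is written once against tiers, and the verdict for web-02 is identical to web-01's because its tags place it in the same group; tightening or loosening a tier's policy is a single rule change rather than a per-VM edit, and the only flows handed to the security node are the ones policy explicitly steers there.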
There are two main components in the solution:
FortiGate-VMX Service Manager communicates directly with the NSX environment. It registers the FortiGate-VMX security service to allow for enablement and auto-deployment of the required FortiGate-VMX security nodes. The management plane flow is two-way: the FortiGate-VMX Service Manager supplies service definitions to the NSX Manager, while the NSX Manager sends updates to the FortiGate-VMX Service Manager about new or updated dynamic security groups and objects, upon which policy is based in real time.
FortiGate-VMX Service Manager obtains proactive security threat updates from FortiGuard and synchronizes those updates to all FortiGate-VMX security nodes.
Next Steps: One use case where Fortinet and VMware NSX are helping our customers is with managing network security at branch locations and remote offices. Find out how you can transform security at your branch locations by reading our white paper, "Three Use Cases for Transforming Branches with Fortinet Secure SD-WAN".