New Benchmark Audit Highlights VMware NSX Platform's Ability to Deliver a DMZ Anywhere
WESTMINSTER, Colo: Coalfire, a trusted provider of independent, comprehensive cybersecurity advisory services, today announced the publication of a new whitepaper that reviews the efficacy of the "DMZ Anywhere" architecture enabled by VMware NSX.
The whitepaper, VMware NSX DMZ Anywhere Cybersecurity Benchmark (A Micro-Audit of NSX DMZ Anywhere), evaluates VMware NSX capabilities to support security policy enforcement, network segmentation and network visibility requirements. This audit is a follow-on to the 2016 Micro-Segmentation Benchmark Report, which evaluated VMware NSX micro-segmentation capabilities to enable a Zero Trust network architecture.
The findings of the audit led Coalfire to render the opinion that when deployed with the services identified in the whitepapers, the capabilities of VMware NSX help to facilitate the security and visibility necessary for the protection of assets in a DMZ. Coalfire formed the following opinion based on the results of the testing efforts:
1. VMware NSX Distributed Firewall (DFW) can provide significant and real protections against intra-segment east-west threats and in inter-segment north-south DMZ transfers between tiers of the tested Windows and Linux three-tier workloads.
2. VMware NSX satisfies NIST SP 800-125B requirements through its ability to support network segmentation, policy-based controls, nested security group constructs, tight integration with VMware objects/metadata, and the completeness/utility of NSX tools (Application Rule Manager and Endpoint Monitoring).
3. VMware NSX Application Rule Manager and Endpoint Monitoring confirm a support path for the deployment of a Zero Trust network security implementation that can be realized with NSX software-defined networking for DMZs.
4. VMware NSX service insertion and traffic steering with technology partner Palo Alto Networks' next-generation firewall can support Layer 4 to Layer 7 threat mitigation in Layer 2 and Layer 3 DMZ designs.
5. VMware NSX service insertion and traffic steering with technology partner Check Point's next-generation firewall can support Layer 4 to Layer 7 threat mitigation in Layer 2 and Layer 3 DMZ designs.
These combined capabilities help facilitate the security and visibility necessary for the protection of assets in a DMZ. The granularity and scalability of security control, along with visibility to data flows in support of operational planning and responsiveness for the software-defined data center, make it possible for customers to deploy a "DMZ Anywhere" with VMware NSX.
"Organizations moving workloads to the cloud can leverage the concept of DMZ Anywhere to strengthen their logical borders to untrusted networks and reduce lateral movement within the network, leveraging the granular policy-based controls and network segmentation functionality," said Chris Krueger, managing principal, Cyber Engineering with Coalfire.
The whitepaper is available for download from the VMware website:
VMware NSX DMZ Anywhere Cybersecurity Benchmark (A Micro-Audit of NSX DMZ Anywhere)
Coalfire is recognized and respected as one of the country's leading independent compliance and cybersecurity testing facilities. The white paper on VMware NSX contains example use cases for deployments and a check-box guide to the performance of the IDN against the detailed requirements of the PCI DSS standard.