Post-NSX Service Insertion: Navigating the Future of VMware Security and Monitoring

Broadcom, which acquired VMware, recently announced the end of availability for NSX Network Introspection for Security after the NSX 4.2.x release or until October 11, 2024, whichever is earlier. Specifically, this means the Service Insertion "punt" feature is discontinued, with negative consequences for many customers.

This is a big deal. VMware workloads that are monitored and protected by tools that ingest packets, such as firewall, IDS/IPS, NDR, NPM, and APM, will suddenly go dark. These tools commonly rely on Service Insertion "punt" for traffic acquisition, particularly for lateral ("East-West") traffic which is where today's threat actors operate. Gigamon provides a different approach to tapping traffic which guarantees uninterrupted visibility for security and monitoring tools in your VMware environment.

In a nutshell, NSX-T deployments with service-inserted third-party tools such as firewalls that use "punt" are no longer possible. Thanks to Gigamon, security and monitoring of VM workloads is forever supported with both NSX-T service-inserted "copy" as well as GigaVUE® Universal Cloud Tap (UCT-V) without relying on the VMware's service insertion functionality.

What This Means

VMware's Network Introspection for Security can be closely associated with what is often referred to as the "Service Insertion" feature within the NSX platform. While Network Introspection is the process of analyzing and securing network traffic, Service Insertionis the mechanism that enables this process by integrating third-party security services into the NSX environment. Thus, service insertion is a broader feature that constitutes network introspection as one of its key capabilities.

Service Insertion uses two techniques to handle specific types of network traffic for deeper inspection or analysis: "punt" and "copy." Punt is typically used to redirect traffic to a third-party entity (e.g., a firewall) which can then take action before the data reaches the intended receiver. This technique can introduce latency. The copy technique is used for continuous monitoring of traffic for security analysis, compliance checks, or forensic purposes without compromising the flow of the original traffic.

See the Figure 1 scenario to see how "punt" is used by next-gen firewalls for deployments relying solely on firewall for securing virtual workloads.

[Link]Figure 1. Traffic punted to firewall for further inspection to be discontinued by Broadcom.

As a result of the end of availability, next-generation firewalls in the current state would not be able to protect the network traffic that poses a potential risk. Most of the ransomware attacks in the past year proliferated laterally in hybrid cloud environments.

The Gigamon Deep Observability Pipeline Helps You Maintain Security and Monitoring of VMware Environments

Gigamon offers the GigaVUE Cloud Suite™ for VMware to provide customers with deep observability into VMware workloads. GigaVUE-FM Fabric Manager works with VMware vCenter and NSX-T to automatically deploy the GigaVUE V Series to gain insight into lateral traffic flows between VMs to track lateral threats.

GigaVUE Cloud Suite is supported and widely deployed in all VMware environments, including NSX-T. Gigamon will continue to integrate and support these deployments with no impact.

See the Figure 2 scenario to see how the GigaVUE V Series uses Service Insertion "copy" technique to collect traffic directly from vSwitch and feed it to the tools stack.

[Link]Figure 2. Traffic is directly collected from vSwitch using "copy" technique.

In the future, if Broadcom discontinues availability for the NSX-T Service Insertion "Copy" feature, that will still have no impact to Gigamon customers. This is because GigaVUE Cloud Suite offers the option of GigaVUE Universal Cloud Tap (UCT) functionality for VM workloads (UCT-V) at no additional cost, which enables collecting traffic from each VM directly without relying on NSX-T Service Insertion functionality.

See the Figure 3 scenario to see how Gigamon enables NSX-T customers to continue getting access to telemetry inside NSX-T workloads using GigaVUE UCT-V.

[Link]Figure 3. GigaVUE UCT-V collects traffic directly from VMs with no reliability on NSX-T Service Insertion.

For customers who do not want to rely on NSX-T Service Insertion, we recommend using UCT-V as part of GigaVUE Cloud Suite instead. This also enables you to send data at faster rates and does not inherently limit traffic throughput, which may be a requirement for NSX-T deployments with higher volumes of traffic.

Summary

Gigamon can guarantee VM-to-VM monitoring and security with discontinued Service Insertion "punt" functionality and is future-proofed (with GigaVUE UCT-V) for any scenario that may arise because of discontinued support for Service Insertion "copy" functionality.

Gigamon further future-proofs organizations if they choose to move virtual workloads to VM alternatives like Nutanix, move VMs to the public cloud, or refactor to containers. You can "choose your own journey," and with Gigamon you'll never lose network-level visibility for security in a hybrid cloud environment. To learn more visit GigaVUE Cloud Suite.

To learn more about GigaVUE UCT, I invite you to attend Gigamon Visualyze Bootcamp, September 10-12, 2024, and join the session "To Tap or Not to Tap and When is an Agent Not an Agent"​.

Public link

Please use the above public link if you want to share this noodl on another website.