One of the main selling points of VMware’s NSX virtualization platform is the ability to implement a zero-trust security policy at scale. (VMware’s marketing term micro-segmentation is the same as what’s commonly referred to as zero trust.) In theory, a zero-trust security policy prevents unauthorized access from servers within the same network. But is VMware’s solution enough for the typical enterprise, or are additional products or solutions needed for a complete approach?

The scalability challenge

Zero-trust network security isn’t a new concept — vendors such as Palo Alto Networks have been providing Layer 2 firewall capability for years. A Layer 2 firewall filters traffic at the MAC address layer, unlike a traditional firewall, which blocks traffic at the IP addressing layer (also known as Layer 3).

Typically, network traffic can’t be filtered between two hosts on the same Layer 2 network, allowing intruders to directly attack or access servers via a compromised node on the same network. Zero trust removes the inherent trust between two nodes on the same Layer 2 network; this is achieved by passing all traffic destined for a server with sensitive data through a Layer 2 firewall such as Palo Alto’s firewall. Only filtered traffic reaches secure nodes.

Scalability has been the challenge for traditional solutions. Even the most robust solution can’t scale for the largest networks (Palo Alto’s largest solution scales to 120Gbps in throughput). Most organizations may find the robust solutions’ costs prohibitive or the solutions not large enough, or the challenge of having stretched VLANs across data centers may add inefficiency or cost to the design.

Zero-trust security via the hypervisor

VMware’s NSX leverages the power of the hypervisor along with the virtualized network topology. NSX comes with a virtual firewall capable of performing L2 filtering; VMware claims that NSX L2 filtering performance throughput scales out with each added node.

NSX is fully integrated with vCenter, so firewall rules are created or destroyed as virtual machines (VMs) or vApps are created or destroyed. As compute power grows, so does L2 filtering capability.

NSX is capable of filtering any traffic that is destined for or leaving a VM; therefore, traffic between a physical host and a VM can be filtered. NSX can’t filter traffic between two physical hosts; it also can’t filter traffic between two VMs on a non-NSX-compatible hypervisor such as Hyper-V. This limitation means there’s a potential gap in zero-trust coverage. A second solution such as Palo Alto would need to be introduced. The result may be one management domain for physical workloads and a separate management domain for virtual workloads.
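
The coverage rule above can be turned into a quick gap check over a workload inventory. The following is an added example, not VMware tooling or code from the original article; the inventory, platform labels and function names are constructed, and it assumes a flow is covered only when at least one endpoint is an NSX-managed VM (so physical-to-Hyper-V traffic is treated as uncovered).

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample inventory: (name, L2 segment, platform, holds sensitive data)
INVENTORY = [
    ("web-01", "vlan10", "nsx-vm", False),
    ("db-01", "vlan10", "nsx-vm", True),
    ("backup-01", "vlan10", "physical", False),
    ("pos-01", "vlan20", "physical", False),
    ("cards-db", "vlan20", "physical", True),
    ("hv-app-01", "vlan20", "hyperv-vm", False),
    ("hv-app-02", "vlan30", "hyperv-vm", False),
    ("hv-sql-01", "vlan30", "hyperv-vm", True),
]

def nsx_can_filter(platform_a, platform_b):
    """NSX filters traffic entering or leaving a VM it manages, so a flow is
    covered when at least one endpoint is an NSX-managed VM (assumption)."""
    return "nsx-vm" in (platform_a, platform_b)

def uncovered_pairs(inventory):
    """Return {segment: [(a, b), ...]} for same-segment pairs NSX cannot filter."""
    by_segment = defaultdict(list)
    for name, segment, platform, _sensitive in inventory:
        by_segment[segment].append((name, platform))
    gaps = {}
    for segment, nodes in by_segment.items():
        pairs = [(a[0], b[0]) for a, b in combinations(nodes, 2)
                 if not nsx_can_filter(a[1], b[1])]
        if pairs:
            gaps[segment] = pairs
    return gaps

def exposed_sensitive(inventory):
    """Sensitive nodes reachable, unfiltered, from a peer on the same segment."""
    sensitive = {name for name, _, _, flag in inventory if flag}
    exposed = set()
    for pairs in uncovered_pairs(inventory).values():
        for a, b in pairs:
            exposed |= {a, b} & sensitive
    return sorted(exposed)

if __name__ == "__main__":
    for segment, pairs in sorted(uncovered_pairs(INVENTORY).items()):
        print(segment, pairs)
    print("sensitive nodes outside NSX coverage:", exposed_sensitive(INVENTORY))
```

Segments that appear in the output are the ones where a second Layer 2 filtering solution would be needed; segments whose nodes all sit behind NSX do not appear.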


If your organization is looking to implement a software-defined data center based on VMware vSphere, then NSX is a strong option for implementing zero-trust security. However, if you still heavily rely on physical workloads or Hyper-V in addition to VMware vSphere, then a careful analysis of your network topology and data location will need to be performed to ensure NSX meets the security profile of your environment.

Recent retail breaches have had an element of exposure from compromised nodes on the same network as secured nodes. Have these events prompted your organization to look into zero-trust network security? Share your experiences in the comment section.

Note: TechRepublic, Tech Pro Research, and ZDNet are CBS Interactive properties.