Dr. Rajiv Ramaswami, Executive Vice President and General Manager, Networking and Security BU, VMware, shares insights with Jasmine Desai on how VMware is witnessing adoption across all customer segments for NSX capabilities, including micro-segmentation, and how it can totally change the way networking is done.
Could you elaborate on the micro-segmentation stack in NSX?
Presently, micro-segmentation is driving 40% of VMware NSX sales. When it comes to micro-segmentation, the analogy used here can be of a house with a lot of rooms. Once you get past the security guard, it is quite free as not every room is guarded. This is also exactly the case with most modern datacenters today.
The other analogy is that within a house a lot of people are moving around. Not many people come and go outside/inside, but the movement within is a lot. This problem gets multiplied 100/1000 times in a datacenter. Datacenters have a perimeter firewall, which provides a firewall at the entrance where traffic comes in and goes out. However, sometimes attacks happen on the inside. In this case, the perimeter firewall does not do anything. Secondly, if an attacker does manage to get through the firewall, the area inside is wide open. The amount of traffic inside the datacenter is 10 to 100 times more than what is going in and out. This is a classic problem: since there is too much traffic inside, you cannot protect it. The only way to protect this inside traffic is with micro-segmentation.
Micro-segmentation offers protection close to the source and destination of the traffic. It could be coming from a server, a VM, an application, etc. With our software-based distributed firewall, we put in an enforcement point or a gate. It cannot work if the traffic has to be sent to the firewall and then back again. A traditional firewall cannot handle that kind of volume of traffic. On the other hand, micro-segmentation allows one to do fine-grain policing as it is distributed.
Which are the most basic use-cases for micro-segmentation?
The most basic use-case is just protecting the east-west traffic. Thus, if one application or one server is compromised, it should not affect anything else. Other use-cases could be in many environments where organizations use VDI or there are a lot of mobile users. Organizations also want to protect and segregate those users. Based on who the user is, their access has to be controlled. The VDI has a one-on-one correspondence with a VM running on a server. One can provide the enforcement right at that VM.
When it comes to NSX, mostly everyone has made an investment in physical infrastructure. Most organizations do not want to solve a problem they do not have. The only way of solving it is by deploying NSX. Once they realize that they can solve this problem, they make room for it either from the security budget or the virtualization budget and use that to deploy NSX on top of brown-field. It is not about ripping and replacing anything. As long as they have a virtualized environment, they can install NSX.
A closed mind-set has often been seen as a reason for not wanting to adopt VMware NSX. How can this be changed?
Organizations have to think about where they are going as an enterprise. If they are going digital, running applications on public/private clouds, then they have to think about how they are going to organize IT teams to deliver services that are needed by the internal customer. The traditional way had separate networking, server and storage teams. All this has to be put together because at the end of the day the organization is delivering software-based infrastructure. There are more and more organizations building cloud teams. These cloud teams have all of these functions built into a single team. That is how they are overcoming the people and organizational barriers.
How is VMware NSX different than Cisco ACI?
It is not an either/or discussion for us. We have a lot of deployments on top of Cisco infrastructure. Cisco is used as a physical network of choice in many cases by many customers. The general notion is that Cisco does the physical network and VMware does the virtual network. There is some overlap between us and Cisco, but we do not do the physical network and they do not do the virtual network overlay as well as we can do. We are also very tightly integrated when it comes to virtual overlays. We are very tightly integrated into the VMware provisioning stack. If an organization wants to automate the provisioning, then we are really well equipped to do that as we are tightly integrated into vCenter admin. That allows customers to seamlessly deploy.
Where is the growth for VMware NSX coming from?
As a global business, we exceeded last year and more than doubled in the first and second quarter in terms of bookings. Fundamentally that is happening because the opportunity is huge. We have still only captured a small portion of the market, even though we are growing very quickly. NSX has 1,700 customers and vSphere has 500,000 customers. We still have a lot of opportunity ahead of us. What we find is that most of it is a matter of working with the customers, helping them understand what this technology can do for them, helping them build business cases and ROI models. We have done a lot of work building case-studies and showing how customers have used this to operationalize their environments. For example, Nike runs their whole Nike.com on VMware with NSX. Other examples are those of Johnson & Johnson, Citibank and GE, who have deployed VMware NSX.