You can use NSX Distributed Firewall (DFW) for Macro-Segmentation (Security Zones) and Micro-Segmentation. Distributed Firewall provides complete L2-L7 East-West visibility and enforcement, with automated policy formulation. It works on both Physical Servers and VMs on ESXi and Physical Network changes are not required. By using DFW, it is possible to segment in any matter desired. There are four basic types of segmentation, many of which can coexist – each applied in different sections of the environment.

  • Zone Segmentation: Zone Segmentation can be as general as segmenting production from non-production, or it may be a far more detailed segmentation by business unit, function, or product offering. The point is that each zone is defined independently of segments, VLANs, data centers, or other constructs. Zones are entirely logical definitions which can be used to define security policy.
  • VLAN Segmentation: VLAN segmentation is most commonly used by replacing the legacy firewall infrastructure. In this model, an IP segment is the defining element for a source or destination of the security policy.
  • Application Segmentation: Application segmentation is used to define a logical security ring around an application. Because applications are not frequently understood in detail, it can be convenient to simply define a tag for a given application and apply this tag to all its components and allow full communication between said elements. This brings greater security than a large zone definition which can have multiple applications, without requiring detailed understanding for micro-segmentation.
  • Micro-Segmentation: Micro-segmentation is a security model where communication between elements is defined as explicitly as possible. At its extreme, micro-segmentation can be the explicit definition of communication between pairwise elements. Clearly this is operationally complex, thus NSX offers micro-segmentation based on tags which allows explicit definition by groups. For example, you can define a rule which allows SSL but only TLS version 1.3 to the tagged secure web servers. Based on needs of your organization, you can segment each of those manners in different areas.

With NSX, all of these segmentation approaches are not exclusive but can coexist. You can decide to segment a lab in a zone model by just setting up a boundary around it and a DMZ environment in a micro-segmentation. You can segment non-production environments just by applications whereas you can further segment the production applications containing sensitive customer data using VLAN. The change of one security model to another is accomplished through a simple policy push, without the need to re-architect any networking infrastructure.