NSX-T vs. NSX-V – Key Differences and Pitfalls to Avoid

While working with many customers on segmentation projects, we often get questions about alternative products to Guardicore. This is expected, and, in fact, welcome, as we will take on any head-to-head comparison of Guardicore Centra to other products for microsegmentation.

One of the common comparisons we get is to VMware NSX. And specifically, we get a lot of questions from customers about the difference between VMware’s two offerings in this space, NSX-T vs NSX-V. Although many security and virtualization experts have written about the differences between the two offerings, including speculation on whether or not these two solutions will merge into a single offering, we think we offer a unique perspective on some of the differences, and what to pay attention to in order to ensure segmentation projects are successful. Also, regardless of which product variant an organization is considering, there are several potential pitfalls with NSX that are important to understand and consider before proceeding with deployment.

NSX-V (NSX for “vSphere”) was the first incarnation of NSX and has been around for several years now. As the name suggests, NSX-V is designed for on-premises vSphere deployments only and is architected so that a single NSX-V manager is tied to a single VMware vCenter Server instance. It is only applicable for VMware virtual machines, which leaves a coverage gap for organizations whose use a hybrid infrastructure model. The 2019 RightScale State of the Cloud Report in fact shows that 94% of organizations use the cloud — with 28% of those prioritizing hybrid cloud – with VMware vSphere at 50% of private cloud adoption, flat from last year. So, given the large number of organizations embracing the cloud, interest in NSX-V is waning.

NSX-T (NSX “Transformers”) was designed to address the use cases that NSX-V could not cover, such as multi-hypervisors, cloud, containers and bare metal servers. It is decoupled from VMware’s proprietary hypervisor platform and incorporates agents to perform microsegmentation on non-VMware platforms. As a result, NSX-T is a much more viable offering than NSX-V now that hybrid cloud and cloud-only deployment models are growing in popularity. However, NSX-T remains limited by feature gaps when compared to both NSX-V and other microsegmentation solutions, including Guardicore Centra.

While the evolution to NSX-T was a step in the right direction for VMware strategically, there are a number of limitations that continue to limit NSX’s value and effectiveness, particularly when compared to specialized microsegmentation solutions like Guardicore Centra .

The following are some of the key pitfalls to avoid when considering NSX.

• Solution Complexity
  VMware NSX requires multiple tools to cover the entire hybrid data center environment. This means NSX-V for ESXi hosts, NSX-T for bare-metal servers, and NSX-Cloud for VMware cloud hosting. In addition, it is a best practice in any microsegmentation project to first start with visibility to map flows and classify assets where policy will be applied. This requires a separate product, vRealize Network Insight (vRNI). So, a true hybrid infrastructure requires multiple products from VMware, and the need to synchronize policy across them. This leads to more complexity and significantly more time to achieve results. In addition, vRNI is not well-integrated into NSX, which makes the task of moving from visibility to policy a long and complex process. It requires manual downloading and uploading of files to share information between tools.But don’t just take our word for it. A recent Gartner report, Solution Comparison for Microsegmentation Products, April 2019, stated that VMware NSX “comes with massive complexity and many moving parts”. And, when considering NSX for organizations that have implemented the VMware SDN, there is additional complexity added. For example, the network virtualization service alone requires an architecture that consists of “logical switches, logical routers routers, NSX Edge Nodes, NSX Edge Clusters, Transport Nodes, Transport Zones, the logical firewall and logical load balancers,” according to Gartner. Not to mention all the manual configuration steps required to implement.
• Overspending on Licensing
  For many organizations, segmentation requirements develop in stages. They may not even consciously be beginning a microsegmentation project. It could start as a focused need to protect a critical set of “digital crown jewels” or subsets of the infrastructure that are subject to regulatory requirements. VMware’s licensing model for NSX does not align well with practical approaches to segmentation like these. When deploying NSX, an organization must license its entire infrastructure. If a segmentation project only applies to 20 percent of the total infrastructure, NSX licenses must be purchased for the remaining 80 percent regardless of whether they will ever be used.
• Management Console Sprawl
  As mentioned above, detailed infrastructure virtualization is a critical building block for effective microsegmentation. You can’t protect what you can’t see. While microsegmentation products integrate virtualization and microsegmentation into a single interface, NSX does not include native visualization capabilities. Instead, NSX requires the use of a separately licensed product, vRealize Network Insight, for infrastructure visibility. This adds both cost and complexity. It also makes it much more difficult and time-consuming to translate insights from visualization into corresponding microsegmentation policies. The impact is significant, as it puts additional resource strain on already over-taxed IT resources and results in less effective and less complete segmentation policies.
• Limited Visibility
  Even when NSX customers choose to deploy vRNI as part of an NSX deployment, the real-time visibility it provides is limited to Layer 4 granularity. This does not provide the level of visibility to set fine-grained, application-aware policies to protect against today’s data center and cloud infrastructure threats. As environments and security requirements become more sophisticated, it is often necessary to combine Layer 4 and Layer 7 views to gain a complete picture of how applications and workloads work and develop strategies for protecting them. Also, while real-time visibility is critical, historical visibility also plays an important role in segmentation. IT environments – and the threat landscape – are constantly changing, and the ability to review historical activity helps security teams continuously improve segmentation policies over time. However, NSX and vRNI lack any historical reporting or views.
• Enforcement Dependencies and Limitations
  As with visualization, it is important to be able to implement policy enforcement at both the network and process levels. Native NSX policy enforcement can only be performed at the network level.It is possible to achieve limited application-level policy control by using NSX in conjunction with a third VMware product, VMware Distributed Firewall. However, even using VMware Distributed Firewall and NSX together has significant limitations. For example, VMware Distributed Firewall can only be used with on-premises vSphere deployments or with VMware’s proprietary VMware Cloud for AWS cloud deployment model. This makes it non-applicable to modern hybrid cloud infrastructure.
• Insufficient Protection of Legacy Assets
  While most organizations strive to deploy key applications on modern operating systems, legacy assets remain a fact of life in many environments. While the introduction of agents with NSX-T broadens platform coverage beyond the VMware stack, operating system compatibility is highly constrained. NSX-T agent support is limited to Windows Server 2012 or newer and the latest Linux distributions. Many organizations continue to run high-value applications on older versions of Windows and Linux. The same is true for legacy operating systems like Solaris, AIX, and HP-UX. In many ways, these legacy systems are leading candidates for protection with microsegmentation, as they are less likely than more modern systems to have current security updates available and applied. But they cannot be protected with NSX.
• Inability to Detect Breaches
  While the intent of microsegmentation policies is to proactively block attacks and lateral movement attempts, it is important to complement policy controls with breach detection capabilities. Doing so acts as a safety net, allowing security teams to detect and respond to any malicious activities that microsegmentation policies do not block. Detecting infrastructure access from sources with questionable reputation and monitoring for network scans and unexpected file changes can both uncover in-progress security incidents and help inform ongoing microsegmentation policy improvements. NSX lacks any integrated breach detection capabilities.

With the introduction of NSX-T, VMware took an important step away from the proprietary microsegmentation model it originally created with NSX-V. But even NSX-T requires customers to lock themselves into a sprawling collection of VMware tools. And some key elements, such as VMware Distributed Firewall, remain highly aligned with VMware’s traditional on-premises model.

In contrast, Guardicore Centra is a software-defined, microsegmentation solution that was designed from day one to be platform-agnostic. This makes is much more effective than NSX at applying microsegmentation to any combination of VMware and non-VMware infrastructures.

Centra also avoids the key pitfalls that limit the usefulness of NSX.

For example, Centra offers:

• Flexible licensing that can be applied to a subset of the overall infrastructure if desired.
• Visualization capabilities that are fully integrated with the microsegmentation policy creation process.
• Visibility and integrated enforcement at both Layer 4 and Layer 7 for more granular microsegmentation control.
• Extensive support for legacy operating systems, including older Windows and Linux versions, Solaris, AIX, and HP-UX.
• Fully integrated breach detection and response capabilities, including reputation-based detection, dynamic deception, file integrity monitoring, and network scan detection.

Before considering NSX, see first-hand how Guardicore Centra can help you achieve a simpler and more effective microsegmentation approach.