Nutanix Flow Security Best Practices Part 1 – What is Flow Network Security?



In this multi-part series, the goal is to first familiarize you with the solution and then provide guidance on preparing to deploy Flow Network Security and help you learn the constructs that form your policy framework.

So, what is Flow Network Security?  By now, you may have heard the name, read about it or had a conversation about it with a Nutanix employee.  First off, and in most basic terms, Flow Network Security is built-in security for workloads that run on Nutanix AHV, our native hypervisor.  Think of it more as a feature or solution rather than a separate “product”.

While AHV has been available for many years, one thing became obvious as customers looked for more security options in their Nutanix environment: we did not have a Nutanix-developed solution for network security.

Enter microsegmentation.  Network virtualization began as a Stanford University research project that ultimately became a startup and commercial solution from Nicira, circa 2007.  VMware acquired Nicira in 2012 and the solution became, as you may know, NSX, which offered software-defined networking and microsegmentation functionality.  Since then, other software companies have brought their own solutions to market.

Before Flow Network Security was GA, Nutanix customers using AHV either had no microsegmentation solution, used a third-party one, or used a combination of network segmentation and, in some cases, complex firewall policies and security zones.  The challenge with using third-party microsegmentation solutions on AHV is the complexity and cost of both deployment and Day 2 operations.

So, what does microsegmentation do or solve for?  Whereas network segmentation separates workloads with VLANs and subnets and controls traffic with access control lists, microsegmentation allows finer-grained control of traffic using a stateful Layer 4 firewall.  Imagine building custom policies for application traffic without the need for additional physical or virtual Next-Gen Firewalls.  As an administrator, you define policies and rules that permit only the communication a given application or service requires. Flow Network Security is managed by our multi-cluster management tool, Prism Central, and policies are distributed to each node in the clusters under its control. Unlike most competitive solutions in the market, we do not require any in-guest agents to function, as Flow Network Security is native to the AHV hypervisor.

As traffic traverses the AHV network, a rapid evaluation is made as to whether each connection is part of a policy and ruleset.  We evaluate attributes such as source IP, destination IP, protocol and port, among others, to determine whether traffic is allowed or blocked.  The evaluation order is as follows:

Flow Network Security traffic evaluation order (diagram)

What are the benefits of microsegmentation with Flow Network Security?

Although there can be many benefits depending on the environment or use case, here are some key advantages gained from use of it:

  • Gain visibility:  You may have heard the phrase “I don’t know what I don’t know”.  This comes into play when working to understand how your applications work and all of their dependencies on VMs, services, or traffic outside the application.  Flow Network Security allows you as an administrator to monitor or discover the traffic associated with a policy, making it easier to understand what an application needs in order to function while still being secured.  Longer-term traffic history and security planning can also be provided by Flow Security Central, our SaaS-based, integrated platform.  For more information on Flow Security Central, see the Nutanix Bible page for Flow Security Central.

Example of a Flow Network Security policy in Monitor mode:

Flow Network Security policy in Monitor mode (screenshot)

  • Secure east-west (E-W) traffic:  The goal of microsegmentation, especially as it applies to your strategy for defense-in-depth or Zero Trust, is to enforce policies when you are ready.  Once you fully understand what is required to secure the app, having limited the ports open for communication and refined your ruleset, you can feel confident in policy enforcement and know you have added controls to your workloads.
  • Limit the ransomware attack surface:  One of the primary concerns of any organization is the threat and damage that ransomware can cause.  With effective use of microsegmentation solutions such as Flow Network Security, your goal is to limit the number of open ports available for communication, thereby limiting the damage that lateral movement of malicious code could cause.  Securing critical services and workloads first will reduce the chance of an attacker taking control of and encrypting these data assets, and gain you time to respond to the attack and take action.
  • Less reliance on Next-Gen Firewalls:  As stated earlier, many organizations have relied on traditional firewalls with often complex policies and security zones to secure workloads in the data center.  However, these policies lack the app-centric methods used by microsegmentation solutions such as Flow Network Security.  Flow Network Security is native to the AHV hypervisor and much simpler to deploy, with faster time to value than traditional methods.  Additionally, in most environments deep-packet inspection is not necessary for E-W traffic inside the data center.  This frees firewall resources for Internet security and lets Flow Network Security do its job of securing workloads running on your Nutanix infrastructure.
  • Maintain Regulatory Compliance:  In the past, organizations were required to physically isolate in-scope and out-of-scope workloads to maintain various compliance controls and pass audits.  With the advent of virtualization, network controls and other security solutions, this is no longer necessary.

The Nutanix platform offers the advantage of sizing your clusters based on the compute, memory and storage resources required to manage your workloads efficiently.  So, whether you have PCI, HIPAA, NIST or other regulatory requirements, you can isolate in-scope workloads from out-of-scope ones and avoid wasting the costly resources that physical separation and duplication of infrastructure often require.
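The allow-list model described above (a policy that permits only the required source, destination, protocol and port combinations, run in Monitor mode first to discover dependencies and then enforced) can be illustrated with a small evaluator. The following Python is an added example written for this post; it is not Nutanix code and does not use Flow Network Security's policy syntax or API. The tiers, addresses, rules and flow records are constructed, and the evaluator classifies only the initiating direction of a connection, so the stateful return-traffic handling of a real Layer 4 firewall is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed record, not a real capture)."""
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    """An allow rule: source network -> destination network, protocol, ports."""
    src_net: str
    dst_net: str
    proto: str
    dports: frozenset  # allowed destination ports; empty set means any port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src_net)
                and ip_address(flow.dst) in ip_network(self.dst_net)
                and flow.proto == self.proto
                and (not self.dports or flow.dport in self.dports))


class Policy:
    """Allow-list policy with a default deny.

    mode="monitor" reports what enforcement would block but lets it pass;
    mode="enforce" actually blocks anything no rule permits.
    """

    def __init__(self, name: str, rules, mode: str = "monitor"):
        if mode not in ("monitor", "enforce"):
            raise ValueError("mode must be 'monitor' or 'enforce'")
        self.name, self.rules, self.mode = name, list(rules), mode

    def evaluate(self, flow: Flow) -> str:
        for rule in self.rules:          # first matching allow rule wins
            if rule.matches(flow):
                return "allow"
        return "would_block" if self.mode == "monitor" else "block"

    def discover(self, flows):
        """Monitor-mode visibility: group every unmatched flow by
        (dst, proto, dport) with the set of sources seen, so an administrator
        can decide whether each is a real dependency to add as a rule or
        traffic that should stay blocked once the policy is enforced."""
        unknown = {}
        for f in flows:
            if self.evaluate(f) != "allow":
                unknown.setdefault((f.dst, f.proto, f.dport), set()).add(f.src)
        return unknown


# Constructed three-tier application; all addresses are invented.
USERS = "192.168.0.0/16"
WEB = "10.0.1.0/24"
APP = "10.0.2.0/24"
DB = "10.0.3.0/24"

THREE_TIER_RULES = [
    Rule(USERS, WEB, "tcp", frozenset({443})),    # users reach the web tier
    Rule(WEB, APP, "tcp", frozenset({8443})),     # web tier calls the app tier
    Rule(APP, DB, "tcp", frozenset({5432})),      # app tier queries the database
]

# Constructed flow sample, in the shape a monitor-mode capture might take.
SAMPLE_FLOWS = [
    Flow("192.168.5.20", "10.0.1.10", "tcp", 443),   # expected user -> web
    Flow("10.0.1.10", "10.0.2.10", "tcp", 8443),     # expected web -> app
    Flow("10.0.2.10", "10.0.3.10", "tcp", 5432),     # expected app -> db
    Flow("10.0.2.10", "10.0.3.10", "tcp", 22),       # app -> db SSH: not a declared dependency
    Flow("10.0.1.10", "10.0.3.10", "tcp", 5432),     # web -> db directly, bypassing the app tier
    Flow("10.0.2.11", "10.0.2.10", "tcp", 445),      # SMB between app-tier VMs: not declared
]


def run(mode: str):
    """Evaluate the sample flows under one mode and return the verdicts in order."""
    policy = Policy("three-tier", THREE_TIER_RULES, mode)
    return [policy.evaluate(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        print(mode, run(mode))
    unknown = Policy("three-tier", THREE_TIER_RULES).discover(SAMPLE_FLOWS)
    for (dst, proto, port), srcs in sorted(unknown.items()):
        print(f"unmatched: {proto}/{port} to {dst} from {sorted(srcs)}")
```

Running it in monitor mode shows the three undeclared flows as `would_block` while still passing them, which is the visibility step; switching the same policy to enforce mode turns those verdicts into `block` without touching the three declared dependencies. The `discover` output is the list an administrator would review before enforcing: each entry is either a missing rule or a path (such as the web tier reaching the database directly) that the policy is meant to close.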

Now that you understand the advantages of microsegmentation and Flow Network Security, look for our upcoming series on Flow Network Security how-to’s.


© 2024 Nutanix, Inc. All rights reserved.