The challenge with most security products is that they run inside the guest OS as agents, which consumes host resources and degrades OS and application performance, and with it the overall user experience. VMware's security products sidestep those issues by running outside the guest OS, in the hypervisor.
Too often, security breaches occur as a result of improperly patched systems or poor security practices. Security is a full-time job, one that requires a small army of IT staff to test and update software around the clock. Unfortunately, some businesses aren't willing to make that level of commitment or deal with the service interruptions it requires.
To resolve this issue, businesses typically look for security products that bridge the gap between doing regular software updates and causing minimal interruptions. VMware security products aim to find that balance between user experience, performance and security.
NSX brings security to the single server level
One thing that sets VMware NSX apart from other network virtualization products is its built-in security. Microsegmentation lets the network administrator attach a firewall policy to each VM at deployment time, enforced by the distributed firewall at the VM's virtual NIC. NSX's distributed routing likewise lets you steer and filter traffic between segments in real time, which makes NSX the gatekeeper for all communication to and from your VM.
Although organizations have always been able to filter traffic in this way with physical equipment, NSX makes it more cost-effective, and it takes these perimeter concepts and brings them to the single server level.
What makes NSX a viable security offering is that it sits inline with your VMs and requires no agent in, or modification to, the guest OS. Because enforcement happens in the hypervisor, in the packet path between the vNIC and the virtual switch, it adds no load to the guest and the configuration is invisible to users inside the VM. Most security admins prefer security to be out of sight and out of mind, and NSX provides that. The caveat is that an over-permissive rule is just as invisible from inside the guest, so the policy needs to be validated against the flows you actually observe rather than the ones you assume.
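To make the microsegmentation idea concrete, here is an added example that is not VMware or NSX code: a toy distributed-firewall evaluator in Python. Each VM carries tags, rules are written in terms of tags, and every flow is judged at the destination VM's virtual NIC with a default-deny policy. A perimeter-only verdict is included for contrast, and a helper enumerates what a compromised VM can still reach. All VM names, tags, and ports are constructed for illustration.

```python
# Added example, not VMware or NSX code: a toy distributed-firewall evaluator
# that models microsegmentation. Each VM carries tags, rules are written in
# terms of tags, and every rule is enforced at the destination VM's virtual NIC
# with a default-deny policy. VM names, tags, and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_tags: frozenset   # tags the source VM must carry
    dst_tags: frozenset   # tags the destination VM must carry
    dst_port: int
    proto: str = "tcp"


# Constructed inventory: the tags applied to each VM at deployment.
VM_TAGS = {
    "web-01": {"tier:web", "app:shop"},
    "web-02": {"tier:web", "app:shop"},
    "app-01": {"tier:app", "app:shop"},
    "db-01": {"tier:db", "app:shop"},
    "jump-01": {"role:jumphost"},
}

# Constructed allow-list. Any flow that matches no rule is dropped at the vNIC.
POLICY = [
    Rule(frozenset({"tier:web"}), frozenset({"tier:app"}), 8080),
    Rule(frozenset({"tier:app"}), frozenset({"tier:db"}), 5432),
    Rule(frozenset({"role:jumphost"}), frozenset({"app:shop"}), 22),
]


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when both endpoints carry the required tags and port/proto agree."""
    src = VM_TAGS.get(flow.src_vm, set())
    dst = VM_TAGS.get(flow.dst_vm, set())
    return (rule.src_tags <= src and rule.dst_tags <= dst
            and rule.dst_port == flow.dst_port and rule.proto == flow.proto)


def microseg_verdict(flow: Flow) -> str:
    """Per-VM enforcement: the first matching allow rule wins, otherwise DROP."""
    return "ALLOW" if any(matches(r, flow) for r in POLICY) else "DROP"


def perimeter_verdict(flow: Flow) -> str:
    """Perimeter-only model for contrast: east-west traffic inside the DC is unfiltered."""
    inside = flow.src_vm in VM_TAGS and flow.dst_vm in VM_TAGS
    return "ALLOW" if inside else "DROP"


def lateral_exposure(compromised_vm: str, probe_ports=(22, 445, 5432, 8080)) -> set:
    """(vm, port) pairs a compromised VM can still reach under microsegmentation."""
    reachable = set()
    for target in VM_TAGS:
        if target == compromised_vm:
            continue
        for port in probe_ports:
            if microseg_verdict(Flow(compromised_vm, target, port)) == "ALLOW":
                reachable.add((target, port))
    return reachable


if __name__ == "__main__":
    probe = Flow("web-01", "db-01", 5432)
    print("perimeter only:", perimeter_verdict(probe))   # ALLOW
    print("microsegmented:", microseg_verdict(probe))    # DROP
    print("reachable from a compromised web-01:", lateral_exposure("web-01"))
```

The point of `lateral_exposure` is the check a practitioner actually wants after writing policy: for each VM, what is the blast radius if it is compromised? With the constructed policy, a compromised web server can reach only the app tier on its service port, while a compromised database server can reach nothing at all. Note that the jump host's broad `22` rule is the kind of convenience entry that deserves a second look.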
AppDefense monitors behavior at the hypervisor level
The most recent addition to VMware's security product portfolio, AppDefense, complements NSX: where NSX enforces network microsegmentation per VM, AppDefense applies the same per-VM thinking at the application layer. Rather than scanning for malicious code or incoming threats, AppDefense learns what an application is supposed to do, flags behavior that deviates from that intended state, and takes action to correct it. It operates on a single node (one VM) at a time rather than on the application as a whole.
Reacting to a deviation after it appears, rather than blocking known-bad code up front, is a different model from signature-based prevention, but for applications deployed across many horizontally scaled nodes it is far less disruptive to isolate or rebuild one misbehaving node than to take down the entire application. That horizontal architecture is also what lets AppDefense observe behavior from the hypervisor rather than through an in-guest agent.
AppDefense works with NSX to defend against lateral movement. One major weakness of the modern data center is the east-west attack surface: once an attacker has a foothold, the interior of the data center is often wide open. Intrusion detection systems identify such activity but do not remediate it. Putting defensive measures below the application and OS stack, in the hypervisor, makes security both more effective and less disruptive.
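The intended-state idea is easier to reason about with a worked example. The Python below is an added example and not AppDefense code: learn mode records which processes each VM runs and which outbound connections each process makes; protect mode treats anything outside that baseline as a deviation and maps it to a response, where an unknown process isolates the single node and a known process reaching an unexpected destination only gets that flow blocked. The event records and the response policy are constructed for illustration.

```python
# Added example, not AppDefense code: a minimal "intended state" monitor in the
# spirit of what the text describes. Learn mode records which processes each VM
# runs and which outbound connections each process makes; protect mode treats
# anything outside that baseline as a deviation and maps it to a response. The
# event records and the response policy are constructed for illustration.

# Constructed learn-mode observations: (vm, process, dst_host, dst_port).
# A None host means the process was seen running with no outbound connection.
LEARN_EVENTS = [
    ("web-01", "nginx", "app-01", 8080),
    ("web-01", "nginx", "app-01", 8080),
    ("web-01", "sshd", None, None),
    ("app-01", "java", "db-01", 5432),
]

# Constructed runtime observations to check against the baseline.
RUNTIME_EVENTS = [
    ("web-01", "nginx", "app-01", 8080),      # expected
    ("web-01", "nginx", "db-01", 5432),       # known process, unexpected destination
    ("web-01", "sshd", "10.0.0.50", 22),      # process that never made outbound calls
    ("web-01", "nc", "203.0.113.9", 4444),    # process never seen on this VM
    ("app-01", "java", "db-01", 5432),        # expected
]


def build_baseline(events):
    """Map (vm, process) -> set of (host, port) pairs seen during learning."""
    baseline = {}
    for vm, proc, host, port in events:
        allowed = baseline.setdefault((vm, proc), set())
        if host is not None:
            allowed.add((host, port))
    return baseline


def check(baseline, event):
    """Return a finding tuple for a deviation, or None if the event is within baseline."""
    vm, proc, host, port = event
    allowed = baseline.get((vm, proc))
    if allowed is None:
        return ("unknown_process", vm, proc)
    if host is not None and (host, port) not in allowed:
        return ("unexpected_connection", vm, proc, host, port)
    return None


def detect(baseline, events):
    """Run every runtime event through check() and keep only the deviations."""
    return [f for f in (check(baseline, e) for e in events) if f is not None]


def respond(finding):
    """Constructed response policy: an unknown process is treated as a compromised
    node and isolated (the single node is removed, not the application); a known
    process reaching an unexpected destination only gets that flow blocked."""
    kind, vm = finding[0], finding[1]
    if kind == "unknown_process":
        return ("quarantine_vm", vm)
    return ("block_flow", vm, finding[3], finding[4])


if __name__ == "__main__":
    base = build_baseline(LEARN_EVENTS)
    for finding in detect(base, RUNTIME_EVENTS):
        print(finding, "->", respond(finding))
```

Two things the example makes visible that the prose does not: the baseline is only as good as the learning window (a process that never made an outbound call during learning, like `sshd` here, will alert on its first legitimate connection), and the response has to be proportionate, because a false positive that quarantines a node is itself a service interruption.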
Although the approach VMware takes to security sounds ideal, the downside is the cost. Licensing an environment of VMware security products can be expensive, and the level of integration they provide requires experience with multiple products, which might entail additional staff training or hiring a consultant.