At VMware Explore 2022, VMware made several announcements related to new cloud networking technologies, intended to provide the tools and features organizations need to secure modern applications and workloads. Three project names were released: VMware Project Northstar, VMware Project Trinidad, and VMware Project Watch. Let’s take a look at the question: What are VMware Project Northstar, VMware Project Trinidad, and VMware Project Watch?
Fundamental shifts in networking and security
Customers today already embrace the cloud operating model and want the same agility and operational efficiency for their on-premises environments. Enterprise IT still faces challenges in duplicating this model on-premises. Even when the process is automated, there may still be hurdles regarding change control, ticketing, and other workflows.
Legacy tools and hardware are bottlenecks for on-premises systems
One of the primary challenges facing organizations that want the same software-defined capabilities on-premises as they have in the cloud is legacy hardware: appliances, firewalls, and other discrete networking gear. While these devices are high-performance, proprietary, and very well-designed, they present agility and cloud scalability bottlenecks.
These are scale-up architectures rather than the scale-out architectures available in cloud environments. To bring on-premises infrastructure to where cloud technologies are, we need to look to software. What if we could take firewalls, IDS, load balancers, analytics, etc., break them into literally 10,000 small pieces and parts, and define them in software?
Every server in your fleet now becomes either a web server, a database, a high-performance firewall, a load balancer, etc. Your data center no longer has rigid, expensive, proprietary appliances. It simply uses racks of x86 servers. This is how the public cloud does it. It creates more agility, operational efficiency, and better security.
The security stack is not just at the perimeter but everywhere! Any node could be running these services, such as firewall, IDS, and analytics.
Data processing units (DPUs) and SmartNICs with Processing Offload
A new type of chip, the SmartNIC, is becoming available. It allows processing to be taken off the host CPU and placed on the NIC. First announced as Project Monterey, VMware can now run these security processes on the data processing unit (DPU) or SmartNIC. The NIC becomes a “computer on a chip” architecture, offloading these processes from the host CPU.
What kind of processing savings does it allow? VMware noted the following:
- 15% of each core can be freed up from the processing overhead of security processes
- On a 128-core high-density server, 128 cores x 15% of freed capacity makes a very strong argument for offloading this work to a SmartNIC
Advantages of operational efficiency using SmartNICs
- You can run high levels of throughput from any given node
- Racks of x86
- No proprietary appliances, tickets, taps
- It provides a zero-trust operating model
VMware provides a complete set of networking and security services
VMware provides a full set of services, not just switching and routing. They also offer the whole stack of networking and security services, including:
- Load balancers
- Cloud connectivity
- Service Mesh/HCX
What is VMware Project Northstar?
VMware has now announced VMware Project Northstar. They have taken the management plane of the virtual networking infrastructure and delivered it as a service. It will be the hub that allows for creating seamless and secure connectivity across private and public cloud environments. It provides a true cross-cloud service delivered in a multi-cloud infrastructure.
Reinvented DMZ environment
VMware has taken the concept of the DMZ and broken it into many smaller services and components delivered across the Internet. For user-facing services, this is called Secure Access Service Edge (SASE). It includes firewalls, advanced security, web proxies, etc.
For server-facing capabilities, VMware’s security solution has an Elastic App Secure Edge (EASE). It replaces the services traditionally found in the DMZ that rely on legacy hardware firewalls and similar appliances.
New Security Features in the NSX Advanced Load Balancer
At VMware Explore 2022, VMware is announcing new capabilities for the NSX Advanced Load Balancer. These include the following:
- Advanced application security – Web app firewalling and advanced bot detection.
The release also enhances the security capabilities of the NSX ALB web application firewall, malware detection, security analytics, and DDoS protection. These enhancements at the edge help customers maintain a consistent security posture with operational simplicity, extending protection from traditional to cloud-native container-based applications deployed across multi-cloud environments. VMware NSX ALB’s ability to enforce API security policies in line with application delivery traffic helps customers protect their north-south APIs.
New Security Features in the Gateway Firewall
The Gateway Firewall can now scale across 8 nodes that appear as one logical firewall. You can provision different capacities and scale up or down to meet demand. It can run in a public cloud, private cloud, hosted service, or anywhere the workload needs to be. VMware now offers advanced threat prevention capabilities with IDPS, malware analysis, sandboxing, URL filtering, TLS proxy, stateful firewall, and stateful Network Address Translation (NAT) that extend centralized security controls to physical and virtual workloads at the data center and cloud edge.
What is VMware Project Watch?
This exciting new project provides secure connectivity from application to application and does it intelligently, deciding whether the applications should be able to communicate or not. It dramatically simplifies putting Layer 7 inspection in the traffic path across multi-cloud infrastructure.
VMware Project Watch provides an advanced app-to-app policy control solution to help with continuous risk and compliance assessment. In technology preview, Project Watch helps network security and compliance teams to continuously observe, assess, and dynamically mitigate risk and compliance problems in composite multi-cloud applications.
VMware is Strengthening its Lateral Security capabilities
For VM-based applications, we need an end-to-end view. With Carbon Black, VMware has a good idea of how the endpoint behaves. With NSX in the data center, we can see how the network is being traversed and how network traffic interacts with the application.
In container-based applications, there may be hundreds or thousands of microservices. The architecture is different. Each of the microservices is built with an internally facing API. In the container world, the API is the endpoint. You need to understand, observe, and protect those internal APIs.
Embedded network detection and visibility into Carbon Black’s Endpoint protection platform
One of the new announcements coming from VMware Explore for lateral security improvements is embedding network detection and visibility into Carbon Black Cloud’s endpoint protection platform. This is now available to select customers in early access. It provides extended detection and response (XDR) telemetry and adds network detection and visibility to endpoints with no changes to infrastructure or endpoints. These new features will give customers extended visibility into their environment across endpoints, workloads, and networks.
What is VMware Project Trinidad?
The new VMware Project Trinidad deploys sensors on Kubernetes clusters and uses machine learning combined with business logic to detect anomalous behavior in east-west traffic between microservices, extending VMware’s API security and analytics.
How VMware is bolstering security across the board
VMware provides one of the most robust and fully-featured networking and security solutions across the board with the SASE, EASE, and VMware Cloud DR solutions. With VMware Cloud DR, you get a purpose-built ransomware recovery-as-a-service solution that enables safe recovery that prevents the re-infection of IT and line-of-business production workloads. It does this by using an innovative on-demand isolated recovery environment on VMware Cloud on AWS. Guided recovery workflows allow customers to identify recovery point candidates quickly, validate restore points using embedded behavioral analysis, and recover data with minimal loss.
We have considered the question: What are VMware Project Northstar, VMware Project Trinidad, and VMware Project Watch? These are great new VMware solutions and projects that will take the capabilities of VMware’s networking and security portfolio to the next level. The new support for DPUs, specifically SmartNICs, will help drive innovation across the networking and security space and save precious compute resources in racks of x86 servers.
Learn more about this announcement and others at the VMware Explore 2022 site:
Read my other coverage of VMware Explore 2022 announcements here:
- VMware vSphere 8 vSAN 8 and VMware Cloud Foundation+ Released New Features – Virtualization Howto
- What is VMware Aria? – Virtualization Howto
- VMware vSAN 8 – What’s New? Technical Deep Dive – Virtualization Howto
- VMware Anywhere Workspace Announcements at VMware Explore 2022 – Virtualization Howto