VMware vDefend Security Services Platform – Part 1: Introduction

Traditional data centre security has long relied on a perimeter-based approach—imagine a castle with high walls and a single guarded entrance. This model worked well when applications lived in predictable locations and traffic patterns were relatively simple. However, today’s dynamic, cloud-native environments have fundamentally changed the game.

Modern applications span multiple clouds, containers spin up and down in seconds, and workloads migrate freely across infrastructure. The traditional perimeter has dissolved. Attackers who breach the perimeter can move laterally through the network with alarming ease, exploiting the lack of internal segmentation. This is where the VMware vDefend Security Services Platform (SSP) revolutionizes the approach to network security. vDefend SSP simplifies how organizations achieve zero-trust and private cloud security goals by cutting through complexity and providing a comprehensive lateral security implementation. 

vDefend Security Services Platform

VMware vDefend SSP is a software-defined, hypervisor-integrated security solution architected to protect VCF private cloud workloads—including both critical and non-critical workloads. The SSP is a highly scalable platform that hosts vDefend security features, including:

  • Security Intelligence
  • Network Detection and Response (NDR)
  • Malware Prevention Service (MPS)
  • Network Traffic Analysis (NTA)
  • Security Segmentation Reports

Note: SSP replaces the older NSX Application Platform (NAPP) and offers a more streamlined, simplified deployment model with enhanced workflows for security administrators. 

Some of the key features of SSP include:

  1. Rapid deployment of the Distributed Firewall via the Security Journey workflow.
  2. Distributed Firewall rule analysis, which helps identify duplicate and superseding rules.
  3. Importing metadata via CSV files for automated tag assignment and security group creation.
  4. Distributed Firewall agent deployment for bare-metal workloads.
  5. Detection of fileless malware.

SSP provides real-time assessments of security segmentation for zero-trust private cloud initiatives and policy suggestions to close potential security gaps. 

The image below, taken from Broadcom’s official documentation, shows a high-level architecture of the SSP.

Some of the key benefits of the SSP are:

  1. Simplifies Deployment: Offers an easier deployment process compared to its predecessor, NAPP.
  2. Enhanced Security: Provides enhanced firewall capabilities and advanced threat prevention (ATP) features.
  3. Centralized Monitoring: Collects metrics and status events from vDefend Firewall, ATP, and SSP itself for centralized monitoring and troubleshooting.
  4. Advanced Threat Prevention: Combines multiple detection technologies like Intrusion Detection/Prevention System (IDS/IPS) and network sandboxing with NDR for comprehensive threat analysis.
  5. Security Reporting: SSP helps track progress on security segmentation and provides a report to show the effectiveness of security policies.

Components of vDefend Security Services Platform

The two main components of the vDefend SSP are:

  1. SSP Installer (SSPI): The lifecycle management appliance (deployed as OVA) that automates deployment and management of the SSP cluster. The installer provides a web interface to manage the environment. 
  2. SSP Instance: The actual Kubernetes-based security platform with Controllers (control plane) and Workers (data plane for security services). The Kubernetes clusters run pods for the SSP security features (Intelligence/NDR, etc.).

In a typical VCF environment, the SSP installer is deployed in the VCF Management Domain, and SSP is deployed in the Workload Domain. The SSP instance currently has a one-to-one mapping with the NSX Manager. If your workload domains each have a dedicated NSX, you need to deploy SSP in each workload domain.

Note: A single SSP installer instance can be used to deploy SSP across multiple VCF domains. 

SSP Network Topology

The following image (from Broadcom documentation) shows the sample network placement for the SSP. The SSPI and SSP can be deployed on the same network where other infra components (NSX, vCenter, etc.) are deployed.

In a VCF environment, the SSPI is deployed on the infrastructure management network in the management domain. The SSP instance can sit on a dedicated network in the workload domain, and this network must be reachable from the infrastructure management network.

And that’s it for this post.

In the next post of this series, I will demonstrate the deployment/configuration of the SSPI appliance. Stay tuned!!!

I hope you enjoyed reading this post. Feel free to share this on social media if it’s worth sharing.
