VMware Network Event Broker: Bridging Visibility Gaps in the Distributed Enterprise
The modern enterprise is rarely confined to a single data center. Hybrid and multicloud adoption are the norm, driven by cost optimization, business agility, and disaster recovery needs. This distributed reality introduces significant challenges for network security and observability. Traditional network monitoring tools struggle to provide consistent visibility across these disparate environments, leaving security teams blind to potential threats and operations teams hampered in troubleshooting performance issues. Zero-trust architectures, increasingly vital for security, demand granular event data for continuous verification. VMware Network Event Broker (NEB) addresses these challenges by providing a centralized, scalable, and secure platform for collecting, processing, and distributing network events across the entire infrastructure – regardless of where workloads reside. VMware’s strategic investment in NEB reflects its commitment to providing a unified security and observability fabric for the modern, distributed enterprise, particularly for organizations heavily invested in VMware’s virtualization and cloud management platforms.
What is Network Event Broker?
Network Event Broker isn’t simply a log aggregator; it’s a purpose-built event streaming platform designed for the unique demands of modern networks. Its origins lie in the need to efficiently handle the massive volume of network telemetry generated by VMware NSX, but it has evolved to ingest events from a wide range of sources, including physical firewalls, cloud security groups, and endpoint detection and response (EDR) systems.
At its core, NEB consists of three key components:
- Collectors: Lightweight agents deployed strategically throughout the infrastructure to gather network events. These collectors support various protocols like NetFlow, sFlow, IPFIX, and syslog.
- Broker: The central processing engine responsible for normalizing, enriching, and routing events based on defined policies. It leverages a distributed architecture for scalability and resilience.
- Subscribers: Systems that consume the processed events. These can include Security Information and Event Management (SIEM) platforms, analytics tools, orchestration engines, and custom applications.
Typical use cases center around security monitoring, threat hunting, network performance analysis, and compliance reporting. Industries adopting NEB include financial services (for fraud detection and regulatory compliance), healthcare (for protecting patient data and ensuring HIPAA compliance), and manufacturing (for securing operational technology (OT) networks).
Why Use Network Event Broker?
Infrastructure and security teams face a growing burden of complexity. Without a centralized event management solution, they struggle with:
- Visibility Silos: Events are scattered across multiple systems, making it difficult to correlate data and identify patterns.
- Scalability Challenges: Traditional SIEMs often struggle to ingest and process the high volume of network telemetry generated by modern environments.
- Data Enrichment Gaps: Raw event data lacks context, hindering effective analysis and response.
- Slow Incident Response: Manual correlation and investigation processes lead to delayed detection and remediation of security incidents.
Consider a financial institution implementing a zero-trust network. It needs to continuously monitor network traffic for anomalous behavior, such as unauthorized access attempts or data exfiltration. Without NEB, correlating events from the NSX distributed firewall, physical firewalls, and endpoint security solutions would be a manual, time-consuming process: each source has its own log format, its own notion of severity, and its own address naming. NEB normalizes and correlates these feeds, giving security analysts a single view of network activity and enabling faster, more effective incident response.
Key Features and Capabilities
- Universal Event Collection: Supports a wide range of event sources and protocols (NetFlow, sFlow, IPFIX, syslog, NSX distributed firewall logs, etc.). Use Case: Ingesting logs from both on-premises NSX-T and AWS Network Firewall.
- Event Normalization: Converts events from different sources into a standardized format, simplifying analysis. Use Case: Standardizing syslog messages from Cisco firewalls and Palo Alto Networks firewalls.
- Event Enrichment: Adds contextual information to events, such as geolocation data, asset information, and threat intelligence feeds. Use Case: Enriching IP addresses with geolocation data to identify potential threats originating from suspicious locations.
- Scalable Architecture: Distributed broker architecture handles high event volumes without performance degradation. Use Case: Supporting a large-scale financial trading platform generating millions of network events per second.
- Policy-Based Routing: Routes events to specific subscribers based on defined criteria. Use Case: Sending security-related events to the SIEM and performance-related events to an analytics platform.
- Real-time Event Processing: Processes events as they arrive, so subscribers can act on them immediately. Use Case: Flagging connections that match a threat intelligence feed and handing the block action to a firewall or SOAR subscriber. Note that the broker routes events; it does not sit inline in the traffic path, so enforcement always happens at a subscriber.
- Data Filtering: Filters out irrelevant events, reducing noise and improving analysis efficiency. Use Case: Filtering out internal traffic to focus on external threats.
- Event Aggregation: Aggregates events over time, providing insights into long-term trends. Use Case: Identifying peak network usage times to optimize resource allocation.
- Secure Event Transport: Encrypts events in transit and at rest, protecting sensitive data. Use Case: Protecting sensitive financial data transmitted over the network.
- API-Driven Automation: Provides APIs for automating event collection, processing, and routing. Use Case: Integrating NEB with an SOAR platform to automate incident response workflows.
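The zero-trust scenario above and the normalization, filtering, enrichment and policy-routing features in this list are the same pipeline seen from different angles. The following is an added example of that pipeline, written for this article; it is not NEB code and not a vendor API. The Cisco ASA lines follow the public `%ASA-106100` and `%ASA-106023` message formats, the `PAN,...` lines use a constructed, simplified CSV layout (not the real PAN-OS traffic-log field order), and the asset inventory, geo map, threat feed and routing policy are all constructed for illustration.

```python
"""Normalize, filter, enrich and route firewall syslog into subscriber queues.

Added example: illustrative pipeline logic, not NEB code. ASA lines follow the
public %ASA-106100 / %ASA-106023 formats; 'PAN,...' lines are a constructed,
simplified CSV layout. Inventories, feeds and policy are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input (addresses from the RFC 5737 documentation ranges).
SAMPLE_SYSLOG = [
    "%ASA-6-106100: access-list OUTSIDE_IN permitted tcp outside/203.0.113.10(443) -> inside/10.0.0.5(51234) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN"',
    "%ASA-6-106100: access-list INSIDE_IN permitted tcp inside/10.0.0.7(40000) -> inside/10.0.0.9(445) hit-cnt 1 first hit [0x0, 0x0]",
    "PAN,allow,tcp,10.0.0.5,52000,203.0.113.55,443",   # constructed fields: vendor,action,proto,src,sport,dst,dport
    "PAN,deny,udp,192.0.2.99,53,10.0.0.9,53",
    "this line is not a firewall event",                 # exercises the unparsed path
]

# Constructed enrichment sources: CMDB-style asset tags, a geo lookup and a threat feed.
ASSETS = {"10.0.0.5": {"name": "bastion-01", "tier": "crown_jewel"},
          "10.0.0.9": {"name": "file-srv-02", "tier": "standard"}}
GEO = {"203.0.113.10": "US", "203.0.113.55": "DE", "198.51.100.7": "XX", "192.0.2.99": "YY"}
THREAT_INTEL = {"198.51.100.7", "192.0.2.99"}

# Internal ranges for the noise filter. Explicit RFC 1918 nets are used on purpose:
# ipaddress.is_private also treats the documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ASA_106100 = re.compile(r"%ASA-(\d)-106100: access-list (\S+) (permitted|denied|est-allowed) (\w+) "
                        r"\S+/([\d.]+)\((\d+)\) -> \S+/([\d.]+)\((\d+)\)")
ASA_106023 = re.compile(r"%ASA-(\d)-106023: Deny (\w+) src \S+:([\d.]+)/(\d+) dst \S+:([\d.]+)/(\d+)")


def _event(vendor, action, proto, sip, sport, dip, dport, severity):
    """Common schema every subscriber sees, regardless of which firewall produced it."""
    return {"vendor": vendor, "action": action, "proto": proto.lower(), "severity": severity,
            "src_ip": sip, "src_port": int(sport), "dst_ip": dip, "dst_port": int(dport)}


def normalize(line):
    """Map one raw line to the common schema; return None for unknown formats."""
    m = ASA_106100.match(line)
    if m:
        sev, _acl, verdict, proto, sip, sport, dip, dport = m.groups()
        return _event("cisco_asa", "deny" if verdict == "denied" else "allow",
                      proto, sip, sport, dip, dport, int(sev))
    m = ASA_106023.match(line)
    if m:
        sev, proto, sip, sport, dip, dport = m.groups()
        return _event("cisco_asa", "deny", proto, sip, sport, dip, dport, int(sev))
    parts = line.split(",")
    if parts[0] == "PAN" and len(parts) == 7:          # constructed CSV layout, see header
        _, action, proto, sip, sport, dip, dport = parts
        return _event("pan_csv", action, proto, sip, sport, dip, dport, 4 if action == "deny" else 6)
    return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich(ev):
    """Attach asset, geo and threat-feed context so subscribers need no further lookups."""
    ev["src_asset"] = ASSETS.get(ev["src_ip"])
    ev["dst_asset"] = ASSETS.get(ev["dst_ip"])
    ev["src_geo"] = GEO.get(ev["src_ip"])
    ev["dst_geo"] = GEO.get(ev["dst_ip"])
    ev["ti_hit"] = ev["src_ip"] in THREAT_INTEL or ev["dst_ip"] in THREAT_INTEL
    return ev


def route(ev):
    """Policy-based routing: the set of subscribers that should receive this event."""
    targets = set()
    if ev["action"] == "deny" or ev["ti_hit"]:
        targets.add("siem")
    if ev["action"] == "allow":
        targets.add("analytics")
    # A threat-feed match touching a crown-jewel asset is worth an automated response.
    assets = [a for a in (ev["src_asset"], ev["dst_asset"]) if a]
    if ev["ti_hit"] and any(a["tier"] == "crown_jewel" for a in assets):
        targets.add("soar")
    return targets


def process(lines, drop_allowed_east_west=True):
    """Run the pipeline; returns (events per subscriber, stats)."""
    routed = defaultdict(list)
    stats = {"normalized": 0, "dropped": 0, "unparsed": 0}
    for line in lines:
        ev = normalize(line)
        if ev is None:
            stats["unparsed"] += 1      # count rather than discard: unparsed volume is itself a signal
            continue
        stats["normalized"] += 1
        # Noise filter from the use case above. Denies between internal hosts are kept on
        # purpose: dropping them would blind you to lateral movement.
        if (drop_allowed_east_west and ev["action"] == "allow"
                and is_internal(ev["src_ip"]) and is_internal(ev["dst_ip"])):
            stats["dropped"] += 1
            continue
        enrich(ev)
        for target in route(ev):
            routed[target].append(ev)
    return dict(routed), stats
```

Running `process(SAMPLE_SYSLOG)` sends the two denies to the SIEM, the allowed external sessions to analytics, the allowed internal-to-internal session nowhere, and the threat-feed hit against the crown-jewel host additionally to the SOAR queue. The filter deliberately keeps internal denies; in a zero-trust design the east-west drops from the distributed firewall are usually the most interesting events you have.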
Enterprise Use Cases
- Financial Services – Fraud Detection: A global bank uses NEB to collect and analyze network events from its trading platforms, data centers, and cloud environments. By enriching events with threat intelligence feeds and applying machine learning algorithms, the bank can detect and prevent fraudulent transactions in real-time, minimizing financial losses and protecting its reputation. Setup: Collectors deployed on NSX-T, AWS VPCs, and physical firewalls. Policies configured to route suspicious traffic to a fraud detection system. Outcome: Reduced fraudulent transactions by 20% and improved compliance with regulatory requirements.
- Healthcare – HIPAA Compliance: A large hospital network leverages NEB to monitor network access to patient data, ensuring compliance with HIPAA regulations. NEB collects events from firewalls, intrusion detection systems, and endpoint security solutions, providing a comprehensive audit trail of all network activity. Setup: Collectors deployed on network perimeter and within the hospital’s internal network. Policies configured to alert security teams to unauthorized access attempts. Outcome: Improved HIPAA compliance and reduced risk of data breaches.
- Manufacturing – OT Security: A manufacturing company uses NEB to secure its operational technology (OT) network, protecting critical infrastructure from cyberattacks. NEB collects events from industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, providing visibility into potential threats. Setup: Collectors deployed on OT network segments. Policies configured to flag traffic targeting ICS/SCADA systems and route it to the OT security team or to the firewall that enforces the block. Outcome: Enhanced OT security and reduced risk of production disruptions.
- SaaS Provider – DDoS Mitigation: A SaaS provider utilizes NEB to detect and mitigate Distributed Denial of Service (DDoS) attacks. NEB analyzes network traffic patterns in real time, identifying anomalous activity indicative of a DDoS attack. Setup: Collectors deployed at the network edge. Policies configured to forward DDoS indicators to a mitigation service, which redirects the offending traffic. Outcome: Reduced downtime and improved service availability during DDoS attacks.
- Government – Threat Hunting: A government agency uses NEB to proactively hunt for advanced persistent threats (APTs) targeting its critical infrastructure. NEB collects and analyzes network events from various sources, providing security analysts with the data they need to identify and investigate suspicious activity. Setup: Collectors deployed across the agency’s network infrastructure. Policies configured to prioritize events based on threat intelligence feeds. Outcome: Improved threat detection capabilities and reduced risk of successful cyberattacks.
- Retail – PCI DSS Compliance: A large retailer uses NEB to monitor network traffic associated with credit card transactions, ensuring compliance with PCI DSS standards. NEB collects events from firewalls, intrusion detection systems, and web application firewalls, providing a comprehensive audit trail of all cardholder data access. Setup: Collectors deployed in the cardholder data environment (CDE). Policies configured to alert security teams to unauthorized access attempts. Outcome: Maintained PCI DSS compliance and reduced risk of credit card fraud.
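The DDoS case above and the earlier aggregation feature both come down to counting over time windows: fixed buckets for trend reporting, a sliding window for real-time detection. The following is an added example of both, written for this article and not taken from NEB or any vendor. The flow record shape, the constructed traffic (two internal clients and a 200-source burst against `web-01`), and the thresholds (50 distinct sources and 1,000 packets inside a 10 s window) are assumptions; in production the thresholds would come from a measured baseline per service.

```python
"""Windowed aggregation and burst detection over flow records.

Added example, not NEB code. Flow records, thresholds and all traffic are
constructed; real deployments derive thresholds from a measured baseline.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since an arbitrary epoch
    src: str
    dst: str       # destination asset name (already enriched upstream)
    packets: int


def build_sample_flows():
    """Constructed traffic: 120 s of steady traffic to two services, plus an
    8 s burst from 200 distinct sources against web-01 starting at t=60."""
    flows = []
    for t in range(120):
        flows.append(Flow(float(t), "10.0.0.5", "web-01", 1))
        flows.append(Flow(float(t), "10.0.0.6", "web-01", 1))
        flows.append(Flow(float(t), "10.0.0.5", "db-01", 2))
    for i in range(200):
        flows.append(Flow(60.0 + 0.04 * i, f"203.0.113.{i + 1}", "web-01", 50))
    return sorted(flows, key=lambda f: f.ts)


def bucket_totals(flows, bucket_s=60):
    """Trend view: packets per destination per fixed time bucket."""
    totals = defaultdict(Counter)
    for f in flows:
        totals[f.dst][int(f.ts // bucket_s) * bucket_s] += f.packets
    return {dst: dict(c) for dst, c in totals.items()}


def peak_bucket(flows, dst, bucket_s=60):
    """(bucket_start, packets) of the busiest bucket for one destination."""
    buckets = bucket_totals(flows, bucket_s)[dst]
    start = max(buckets, key=buckets.get)
    return start, buckets[start]


class BurstDetector:
    """Edge-triggered alert when, inside a sliding window, one destination sees
    at least min_sources distinct sources and at least min_packets packets.
    Flows must be fed in timestamp order; state is kept per destination."""

    def __init__(self, window_s=10.0, min_sources=50, min_packets=1000):
        self.window_s, self.min_sources, self.min_packets = window_s, min_sources, min_packets
        self._win = defaultdict(deque)      # dst -> flows currently inside the window
        self._srcs = defaultdict(Counter)   # dst -> src -> flows in window
        self._pkts = Counter()              # dst -> packets in window
        self._active = set()                # dsts above threshold; suppresses repeat alerts

    def observe(self, f):
        win, srcs = self._win[f.dst], self._srcs[f.dst]
        win.append(f)
        srcs[f.src] += 1
        self._pkts[f.dst] += f.packets
        while win and f.ts - win[0].ts > self.window_s:   # expire old flows incrementally
            old = win.popleft()
            srcs[old.src] -= 1
            if srcs[old.src] == 0:
                del srcs[old.src]
            self._pkts[f.dst] -= old.packets
        above = len(srcs) >= self.min_sources and self._pkts[f.dst] >= self.min_packets
        if above and f.dst not in self._active:
            self._active.add(f.dst)        # one alert per burst, not one per flow
            return {"dst": f.dst, "ts": f.ts, "distinct_sources": len(srcs),
                    "packets": self._pkts[f.dst], "window_s": self.window_s}
        if not above:
            self._active.discard(f.dst)    # re-arm once the burst has drained out of the window
        return None


def detect(flows, **thresholds):
    """Stream the flows through a detector and return the alerts raised."""
    det = BurstDetector(**thresholds)
    return [a for a in (det.observe(f) for f in flows) if a]
```

`peak_bucket(build_sample_flows(), "web-01")` reports the 60 s bucket holding the burst, while `detect(build_sample_flows())` raises exactly one alert, at the moment the 48th attack source arrives, and stays quiet for `db-01`. The edge-triggered `_active` set is the part worth copying: without it a sustained attack produces an alert per flow and the SOAR subscriber drowns.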
Architecture and System Integration
```mermaid
graph LR
    A["Network Sources (Firewalls, NSX, Cloud)"] --> B(NEB Collectors)
    B --> C{NEB Broker}
    G[Threat Intelligence Feeds] --> C
    C --> D["SIEM (Splunk, QRadar)"]
    C --> E["Analytics Platform (VMware Aria Operations)"]
    C --> F[SOAR Platform]
    subgraph Security and Observability Stack
        D
        E
        F
        G
    end
    style A fill:#f9f,stroke:#333,stroke-width:2px
    style B fill:#ccf,stroke:#333,stroke-width:2px
    style C fill:#ccf,stroke:#333,stroke-width:2px
    style D fill:#f9f,stroke:#333,stroke-width:2px
    style E fill:#f9f,stroke:#333,stroke-width:2px
    style F fill:#f9f,stroke:#333,stroke-width:2px
    style G fill:#f9f,stroke:#333,stroke-width:2px
```
Threat intelligence feeds are an input to the broker's enrichment stage rather than a subscriber, which is why the arrow points into the broker; the SIEM, analytics and SOAR platforms consume the enriched stream.
NEB integrates with other VMware solutions, such as NSX for network security, Tanzu for application workloads, and Aria Suite for observability and automation. It also integrates with third-party systems like Splunk, QRadar, and various cloud security platforms. IAM is handled through integration with existing identity providers (e.g., Active Directory, Okta). Logging and monitoring of NEB itself are typically handled by VMware Aria Operations or a third-party SIEM. Event transport between collectors, broker and subscribers is protected with TLS; collectors should verify the broker's certificate rather than accept any presented certificate, since a collector that trusts an arbitrary endpoint can be redirected to leak the full event stream. Policy controls are enforced through role-based access control (RBAC) and granular event filtering rules.
Hands-On Tutorial
This example demonstrates deploying a NEB collector to an ESXi host using OVF Tool (ovftool) and the ESXi host shell (vim-cmd).
Prerequisites:
- vSphere environment with vCenter Server access.
- ovftool installed on your workstation, and SSH (host shell) access to the ESXi host for vim-cmd.
Steps:
- Download the NEB Collector OVA: Obtain the NEB Collector OVA file from the VMware Marketplace.
- Deploy the OVA (ovftool syntax; replace the placeholders with your datastore, port group and host):
```shell
ovftool --acceptAllEulas --name=neb-collector --datastore="Datastore Name" \
  --network="VM Network" --diskMode=thin \
  /path/to/neb-collector.ova vi://root@<ESXi Host IP>/
```
- Power on the VM from the ESXi host shell (vim-cmd takes the numeric VM ID, not the VM name):
```shell
vim-cmd vmsvc/getallvms | grep neb-collector   # the first column is the Vmid
vim-cmd vmsvc/power.on <vmid>
```
- Configure the Collector: Access the collector’s web interface (typically via its IP address), change any default credentials, and configure it to connect to your NEB Broker, verifying the broker’s TLS certificate before trusting it. Specify the event sources (e.g., NetFlow-enabled interfaces).
- Test Event Flow: Generate network traffic you can recognise later (for example a connection that a firewall rule is known to deny) and verify that the event is received by the NEB Broker and forwarded to your SIEM.
- Tear Down: Power off and delete the NEB Collector VM.
Pricing and Licensing
NEB is licensed based on CPU cores. Pricing tiers vary depending on the features and support level. As of late 2023, a typical 8-core license can range from $5,000 to $10,000 per year. For a small environment with 2 servers each with 16 cores, the annual cost could be around $20,000 - $40,000. Cost-saving tips include optimizing event filtering to reduce data volume and leveraging VMware’s subscription services for bundled pricing.
Security and Compliance
Securing NEB involves several key steps:
- Network Segmentation: Isolate the NEB infrastructure from other networks.
- Access Control: Implement RBAC to restrict access to sensitive data and configuration settings.
- Data Encryption: Encrypt events in transit and at rest.
- Regular Audits: Conduct regular security audits to identify and address vulnerabilities.
NEB supports compliance with various industry standards, including ISO 27001, SOC 2, PCI DSS, and HIPAA. Example configurations include enabling TLS encryption for event transport and implementing strict access control policies based on the principle of least privilege.
Integrations
- NSX: Direct integration with NSX Data Plane Firewall Logs provides granular visibility into network security events.
- Tanzu: Integrates with Tanzu Service Mesh to collect and analyze microservice traffic data.
- Aria Suite: Leverages Aria Operations for monitoring and troubleshooting NEB performance.
- vSAN: Collects events related to vSAN storage performance and security.
- vCenter: Integrates with vCenter Server to enrich events with virtual machine and host information.
Alternatives and Comparisons
| Feature | VMware Network Event Broker | AWS Network Firewall | Splunk Enterprise Security |
|---|---|---|---|
| Focus | Network Event Streaming & Processing | Network Firewall | SIEM |
| Event Sources | Broad (NetFlow, sFlow, Syslog, NSX) | AWS VPC Flow Logs | Diverse (Logs, Events) |
| Scalability | Highly Scalable, Distributed | Scalable, Managed Service | Scalable, Requires Infrastructure |
| Cost | Core-based licensing | Pay-as-you-go | Subscription-based |
| Integration | VMware Ecosystem | AWS Ecosystem | Broad, Requires Configuration |
- When to choose NEB: Ideal for organizations heavily invested in VMware infrastructure seeking a centralized, scalable, and secure event management solution.
- When to choose AWS Network Firewall: Suitable for organizations primarily using AWS cloud services and needing a managed network firewall.
- When to choose Splunk Enterprise Security: Best for organizations needing a comprehensive SIEM solution with advanced analytics capabilities.
Common Pitfalls
- Insufficient Collector Deployment: Deploying too few collectors leads to event loss, and because NetFlow, sFlow, IPFIX and syslog are usually carried over UDP the loss is silent. Fix: Size collector coverage to peak traffic volume, not the average, and monitor collector drop counters so that loss is visible.
- Overly Broad Event Collection: Collecting all events can overwhelm the system and increase costs. Fix: Implement granular event filtering to focus on relevant data.
- Lack of Event Enrichment: Raw event data lacks context, hindering analysis. Fix: Configure event enrichment to add contextual information.
- Ignoring Security Best Practices: Failing to secure the NEB infrastructure can expose sensitive data. Fix: Implement network segmentation, access control, and data encryption.
- Poor Policy Configuration: Incorrectly configured policies can lead to inaccurate event routing and missed alerts. Fix: Thoroughly test and validate all policies before deploying them to production.
Pros and Cons
Pros:
- Centralized event management
- Scalable architecture
- Seamless integration with VMware ecosystem
- Enhanced security visibility
- Improved incident response
Cons:
- Licensing costs can be significant
- Requires dedicated infrastructure (unless using a cloud deployment)
- Initial configuration can be complex
- Dependent on VMware ecosystem for optimal value
Best Practices
- Security: Implement network segmentation, access control, and data encryption.
- Backup: Regularly back up NEB configuration and data.
- DR: Implement a disaster recovery plan to ensure business continuity.
- Automation: Automate event collection, processing, and routing using APIs.
- Logging: Enable comprehensive logging for auditing and troubleshooting.
- Monitoring: Monitor NEB performance using VMware Aria Operations or a third-party monitoring tool.
Conclusion
VMware Network Event Broker is a powerful solution for organizations seeking to improve network security and observability in the distributed enterprise. For infrastructure leads, it provides a unified platform for managing network events across hybrid and multicloud environments. For architects, it enables the implementation of zero-trust architectures and advanced threat detection capabilities. For DevOps teams, it streamlines incident response and improves application performance. To fully realize the benefits of NEB, consider starting with a proof-of-concept (PoC) to validate its capabilities in your environment. Explore the detailed documentation available on the VMware website and reach out to the VMware team for expert guidance.