Introduction to VMware Service Defined Firewall

In a recent announcement at RSA Conference, VMware moved further into the security sector with the announcement of Service – Defined Firewall. Along with evolution of digital transformation where organizations are looking for solutions to increase employees  productivity, organizations are looking for solutions to provide business productivity applications on the employee devices along with security. With the approach, Business applications are changing rapidly from a traditional framework to a distributed architecture. These business applications now might consist of many distinct services running on heterogeneous workloads that are networked might be networked together. This networking between the heterogeneous workloads results in the increase of complexity and size of the application attack surface.

Key issues in Application Security

As new applications architectures are distributed across both private and public clouds, network teams are struggling to find ways to ensure security and automation for an application driven network. The key issues they see are

  • Increased Attack Surface – New Applications are now comprised network between set of distributed services running across private and public clouds as well as in VMs, containers, and on bare-metal hosts. They are no longer a simple monolithic stack on a single server that can be easily secured. This explosion of services on the network has significantly increased the attack surface of an organization.
  • Rapid Application Change – Application developers are continually making changes to applications and deploying new services, which in turn require changes to security policies on a regular basis.

How VMware Solution Defined Firewall works?

The VMware Service-defined Firewall solution takes a new approach and is designed specifically to mitigate threats inside a Data Center or a Cloud Network. Instead of focusing on the ways to scrutinize an unknown organizations, using Service-Defined firewall organizations can now focus on securing ways to secure the assets that organizations know well and the applications they developed. VMware Service – Defined firewall combines the capabilities of VMware  NSX network virtualization platform and VMware Security product App Defense. VMware NSX provides network and application visibility and VMware App Defense protects the workloads by monitoring their intended state.

Perimeter firewall solutions generally filters traffic coming from the unknown host but won’t be able to help much to filter East-West traffic within perimeter where deep contextual understanding of traffic is required. Perimeter firewalls lack deep understanding of application topology, host insights and know good behavior of application. Secondly, perimeter firewalls primarily rely on port block to control the traffic which can cause serious performance challenges while controlling East – West traffic.

The VMware Service-Defined Firewall helps accomplishing this with the following capabilities:

  1. Provides a deep application visibility and control by having a deep visibility into application services and their behavior along with application topology. As VMware Service – Defined Firewall is built directly into the vSphere Hypervisor, it alleviates the need for additional agent to be installed.
  2. Leveraging App Verification Cloud VMware Service Defined Firewall analyses known good application behavior across VMware footprint. It helps customers to quickly profile their own applications behaviors and create the best policies for enforcement. It intelligently configure and adapt security policies in case of any changes in application services.
  3. To deliver ubiquitous protection, you can deploy VMware Service Defined Firewall wherever application may be running. It works with bare metal, virtual machine (VM), and container-based application environments, and will support hybrid cloud environments such as VMware Cloud on AWS (Amazon Web Services) and AWS Outposts in the future.

To validate the effectiveness of the VMware Service-defined Firewall, VMware teamed with Verodin, a leader in enabling organizations to measure, manage, and improve their cybersecurity effectiveness. VMware leveraged Verodin’s Security Instrumentation Platform (SIP) to validate that the VMware Service-Defined Firewall can effectively identify and stop threats whether they are known or unknown. While running the solution in both Detect and Prevent mode, the VMware Service-Defined Firewall detected or prevented 100 percent of the malicious attacks used in the Verodin test sequence.