VMware Introduces ‘Service-defined Firewall’ to Protect Apps and Data On-Premise and in Cloud

VMware has launched the new VMware Service-defined Firewall, an approach to internal firewalling that reduces the attack surface for on-premise and cloud environments with security that, the company says, is an intrinsic part of the infrastructure.

Through the capabilities of VMware NSX and VMware AppDefense, the VMware Service-defined Firewall combines application visibility and understanding of known good application behavior with intelligent, automated, and adaptive firewalling capabilities to help better protect apps, data, and users.

“Intrinsic security is different than integrated security,” explained Tom Gillis, senior vice president and general manager, networking and security business unit, VMware. “Integrated security repackages existing solutions, such as taking a traditional firewall and making it a blade in a data center switch. It doesn’t fundamentally change the firewall. Intrinsic security takes advantage of the unique attributes that are built into the virtualization platform, allowing us to create very new and unique security services. The new VMware Service-defined Firewall is focused on internal network firewalling and changes the game by validating known good application behavior, rather than chasing threats.”

According to VMware, the idea of focusing on the known good behavior of an application has been tried before, but the challenge has always been in getting a complete understanding of the application. Some solutions have installed agents in the guest to accomplish this, but agent-based solutions add complexity and have limited appeal: an attacker who gains root, and with it complete control of the host, can simply bypass the agent. In addition, as applications have become more distributed, security needs to be distributed too. It is impractical to hairpin east-west traffic to a hardware device, or to a virtual instantiation of one, for inspection.

The VMware Service-defined Firewall solution takes a different approach to firewalling that focuses on assets that enterprises know well—applications they themselves have deployed—rather than scrutinizing the unknown. It works on bare metal, VM, and container-based application environments, and will support hybrid cloud environments such as VMware Cloud on AWS and AWS Outposts in the future. Enterprises can use it as their sole firewall for internal traffic.

For more information, read the solution brief on the VMware Service-defined Firewall.