VMware has launched its new VMware Service-defined Firewall, an “innovative” approach to internal firewalling that is intended to reduce the attack surface of on-premises and cloud environments by making security an intrinsic part of the infrastructure.
Built on the capabilities of VMware NSX and VMware AppDefense, the VMware Service-defined Firewall combines application visibility and an understanding of known-good application behavior with intelligent, automated and adaptive firewalling, with the aim of better protecting apps, data and users.
“Intrinsic security is different than integrated security,” said Tom Gillis, senior vice president and general manager, networking and security business unit, VMware. “Integrated security repackages existing solutions, such as taking a traditional firewall and making it a blade in a data center switch. It doesn’t fundamentally change the firewall. Intrinsic security takes advantage of the unique attributes that are built in to the virtualization platform, allowing us to create very new and unique security services. The new VMware Service-defined Firewall is focused on internal network firewalling and changes the game by validating known good application behavior, rather than chasing threats.”
The VMware Service-defined Firewall takes a different approach to firewalling: it focuses on assets that enterprises know well – the applications they themselves have deployed – rather than scrutinizing the unknown.
The solution is designed to work on bare-metal dedicated servers and on VM- and container-based application environments, and will support hybrid cloud environments such as VMware Cloud on AWS and AWS Outposts in the future.
The VMware Service-defined Firewall features the following:
- Application Verification Cloud – VMware’s position in the host allows the Service-defined Firewall to gain a deep understanding of an application and its hundreds or even thousands of micro-services through all their variations over time. Using machine intelligence drawn from millions of VMs globally, the solution’s Application Verification Cloud builds an accurate map of the intended ‘known good’ state of the application. Once a verified understanding of known-good application behavior is established, the solution can generate adaptive security policies for the Service-defined Firewall, which is Layer 7 capable and can perform full stateful inspection.
- Protected from the Guest – The Service-defined Firewall leverages VMware’s intrinsic ability to inspect the guest OS and application without being resident in the guest. This means that even if an attacker gains root access in the guest, they cannot bypass the Service-defined Firewall. The Service-defined Firewall can also detect and block malicious traffic on the network. Beyond that, the system can introspect the guest itself and identify and stop malicious behavior within the OS or application at run time. This capability amounts to a new approach to both network firewalling and host IPS.
- Distributed in Software – The traditional approach to hardware firewalling requires ‘hair-pinning’ traffic out of the virtual environment and into a hardware appliance for scanning. This is inefficient and difficult to scale, particularly for modern applications that have many components or services running across many servers and often spanning different clouds. Based entirely in software, the VMware Service-defined Firewall is highly distributed, which means it runs wherever the application runs, across clouds. As a result, policies can be enforced consistently without complex hair-pinning of traffic across cloud environments.
“Protecting our applications and patient data is critical, and anything we do to improve security ultimately impacts patient safety,” said Christopher Frenz, Assistant Vice President of Information Security at Interfaith Medical Center. “One of the biggest security challenges we face is staying ahead of threats due to the proliferation of applications and the rapid pace at which our applications are now changing. We trust VMware to provide us with effective solutions for securing our applications and we are really pleased to see the approach VMware is taking in pushing the envelope on internal firewalling with the Service-defined Firewall.”
To validate the effectiveness of the VMware Service-defined Firewall, VMware teamed with Verodin, a provider of services for measuring, managing and improving cybersecurity effectiveness. VMware used Verodin’s Security Instrumentation Platform (SIP) to validate that the VMware Service-defined Firewall can effectively identify and stop threats, whether known or unknown.
“Defenders are tasked with securing business-critical applications they don’t operationally own or control. Rapid application development and the rising complexity of distributed and hybrid environments further increase the difficulty of securing these applications exponentially,” said Christopher Key, CEO of Verodin. “Verodin SIP provides organizations with the evidence required to prove that their controls are delivering the desired protection in real-world production environments. These tests performed using Verodin SIP demonstrate the VMware Service-Defined Firewall’s ability to reduce the attack surface with minimal effort. Common attacker tactics and techniques become increasingly difficult to execute when the infrastructure itself is enforcing known-good application behavior and communications.”