One of the primary topics that finds its way to the top of most conversations today is security. Organizations are constantly trying to find better, more effective, and more efficient ways to secure their networks and data. VMware announced an exciting new addition to their security solutions with the announcement of a new Service-Defined Firewall that allows businesses to have an automated and adaptive solution to securing internal workloads. The Service-Defined Firewall is set to address the limitations of the traditional perimeter firewall and allow organizations to redefine the ability to secure workloads internally from all types of threats. In this overview we will take a look at the VMware Service-Defined Firewall Features to see what this new offering includes, how it works, and what problems it addresses for organizations today.
Traditional Perimeter Firewall Limitations
The traditional perimeter firewall has been a staple in the enterprise for decades now. The truth of the matter is it has served a valuable purpose in keeping hosts and end users shielded from connecting directly to the “dirty” Internet. However, to say that a perimeter firewall is well-suited to protect and secure all resources that are internal to your network, along with today’s applications, would be a gross overstatement.
The sheer complexity of today’s applications and the hybrid nature of today’s networks create challenges to securing resources that have not been seen in times past. Couple this with the fact that attackers today are more knowledgeable and have better tools and resources than ever before, and the traditional means of securing networks and applications is simply not enough.
Traditional perimeter firewalls are designed to filter traffic as it comes from the WAN into the DMZ or internal networks. They were never designed to be a point of security between internal resources once traffic is inside the internal network and moving laterally between hosts and other internal resources. This east/west movement inside the network is extremely dangerous, especially if an attacker is able to make it inside the internal network.
Additional key disadvantages of the traditional perimeter firewall as a total security solution for internal traffic protecting today’s modern applications include:
- Traditional perimeter firewalls only work off of filtering traffic from unknown hosts
- Traditional perimeter firewalls generally work off the premise of blocking or allowing ports
- Traditional perimeter firewalls are a bottleneck in network performance for applications
Unknown Hosts – Traditional firewalls work off the concept of communicating with unknown hosts that are attempting to gain access to internal resources and deciding, based on rules and other mechanisms, whether to allow that traffic or not. However, this is not an efficient means of intelligent network traffic decision making, as the perimeter firewall has no understanding of what “good” or “normal” traffic for a given application connection really looks like.
Port Blocking – Blocking or allowing ports is an age-old way of deciding whether network connectivity is allowed or blocked. The problem with this approach is that attackers can often utilize legitimate allowed ports to send or carry malicious traffic.
Performance Bottleneck – Using a perimeter firewall to filter traffic for internal resources, such as routing and scrutinizing traffic between zones/interfaces, creates a “hair-pinning” effect: all traffic is relegated to a single interface on the traditional perimeter firewall and has to flow through it, which creates a network “choke point”.
VMware’s Service-Defined Firewall is designed to address each of the problems above and create a much more efficient, modern, and effective way to secure internal resources. Let’s see how.
VMware Service-Defined Firewall Features
What is the new VMware Service-Defined Firewall exactly? Essentially, the Service-Defined Firewall is the evolution of VMware’s software-defined network and security solutions, brought together into one cohesive solution in which network and security technologies work together harmoniously. The Service-Defined Firewall brings together the functionality and capabilities of both VMware NSX Data Center and VMware AppDefense into a powerful combined solution that leverages both technologies intelligently. When looking at the timeline of VMware technologies, including both NSX software-defined networking and the other part of the solution, VMware AppDefense, we see the following:
- 2013 – NSX introduced allowing micro-segmentation
- 2017 – Context-aware micro-segmentation (Micro-segmentation 2.0)
- 2018 – VMware AppDefense released
- 2019 – Comprehensive application zero trust (Service-Defined Firewall)
The below infographic from VMware helps to add visual representation to the above timeline.
Unlike the traditional perimeter firewall that has been in place in the enterprise for decades, the Service-Defined Firewall establishes what “known good” application behavior looks like and then generates adaptive security policies to shrink the application attack surface across today’s hybrid environments.
This is done with the following:
Deep Application Visibility and Control – VMware’s ESXi hypervisor is positioned perfectly to be the conduit for learning known good behavior, since this is what workloads are running on top of. The Service-Defined Firewall is built directly into the vSphere hypervisor, which offers tremendous benefits on many levels: the Service-Defined Firewall is an integral part of the application infrastructure, no agents are required to gain the visibility needed, and performance is at line-speed since the firewall is part of the hypervisor’s OS kernel.
App Verification Cloud – VMware’s App Verification Cloud is a cutting-edge, AI-enabled intelligent cloud that builds a profile of known good application behavior. The Service-Defined Firewall ties into this profile to make the intelligent decisions from which it forms the adaptive security policies. This allows organizations to quickly profile application behavior and establish the “known good” fingerprint of “normal” application behavior.
Automated Adaptive Security Policies – The power of the Deep Application Visibility and Control along with the App Verification Cloud culminates in the ability of the Service-Defined Firewall to be able to provide “Automated & Adaptive Security Policies”. This means the Service-Defined Firewall can automatically create and provision security policies that define what applications can and can’t do based on the profile of normal application behavior that has been determined.
True Software-Defined Solution – The Service-Defined Firewall is a true software-defined solution that can run on-premises and across multi-cloud and heterogeneous environments comprising VMs, containers, and even bare-metal servers. The distributed architecture of the Service-Defined Firewall is accomplished completely in software, without reliance on any physical hardware security devices.
The Service-Defined Firewall is a true software-defined solution that enables micro-segmentation at Layer 7 and also allows controlling the services that generate the network traffic being controlled. The new and exciting functionality of the Service-Defined Firewall is that the solution is truly adaptive: security policies are automatically adapted to applications as they change over time.
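To make concrete the difference between the port-based rules criticized under Port Blocking above and the “known good” service-level profile the Service-Defined Firewall builds, here is a small illustrative model added for this overview. It is not VMware code and does not reflect any VMware API; the workloads, service names, ports and flows are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    service: str   # process/service that generated the traffic
    src: str       # source workload
    dst: str       # destination workload
    port: int      # destination port


# Constructed sample: flows observed while the application ran normally
# (the "learning" phase). Hostnames, services and ports are made up.
LEARNED_FLOWS = [
    Flow("nginx",  "web-01", "app-01", 8080),
    Flow("nginx",  "web-02", "app-01", 8080),
    Flow("tomcat", "app-01", "db-01", 5432),
    Flow("tomcat", "app-01", "api.payments.example", 443),
]


def port_policy(flows):
    """Perimeter-style rule set: allow purely by destination port."""
    return {f.port for f in flows}


def service_policy(flows):
    """Known-good profile: which service on which source may reach which destination/port."""
    profile = defaultdict(set)
    for f in flows:
        profile[(f.service, f.src)].add((f.dst, f.port))
    return profile


def evaluate(flow, learned=LEARNED_FLOWS):
    """Return (port_only_decision, service_aware_decision) for one new flow."""
    ports = port_policy(learned)
    profile = service_policy(learned)
    port_ok = flow.port in ports
    service_ok = (flow.dst, flow.port) in profile.get((flow.service, flow.src), set())
    return port_ok, service_ok


# Constructed test flows: expected behavior, an unexpected process using an
# allowed port, and a known service reaching a destination it never used before.
NORMAL = Flow("tomcat", "app-01", "db-01", 5432)
DEVIANT = Flow("bash", "web-01", "db-01", 5432)
LATERAL = Flow("nginx", "web-01", "app-02", 8080)

if __name__ == "__main__":
    for name, f in (("normal", NORMAL), ("deviant", DEVIANT), ("lateral", LATERAL)):
        port_ok, service_ok = evaluate(f)
        print(f"{name}: port-only={port_ok} service-aware={service_ok}")
```

Both non-normal flows pass the port-only check because 5432 and 8080 are legitimately open, but fail the service-aware profile, which is the gap between perimeter-style port filtering and behavior-based policy that the section above describes.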
Why Is This Needed Now?
Today’s applications are becoming increasingly more complex and span across various network and infrastructure landscapes including cloud, hybrid-cloud, and multi-cloud environments. This requires that organizations have a deeper level of application visibility and control of not only the network, but also the services that comprise the applications. Today’s security vulnerabilities and requirements necessitate that organizations implement a zero-trust model that assumes the attacker has already made it inside the network.
These security concerns, the complexity of applications, and the multi-faceted infrastructure and network environments today require that organizations bolster security and control at every level. This includes the internal network. By leveraging powerful AI intelligence, control of the services that comprise applications, and the automation of network security policies to enforce known good application communication, the Service-Defined Firewall gives organizations the tools needed to meet today’s application security challenges.
The Service-Defined Firewall is the culmination of years of evolution of VMware’s NSX Data Center product together with the newer AppDefense technology. By bringing the two together into one effective solution, the Service-Defined Firewall was born. The product overcomes the weaknesses of the traditional perimeter firewall and allows a modern approach to securing applications and data with a zero-trust, application-layer micro-segmentation stance. By controlling the services that comprise the applications and the network together, the Service-Defined Firewall brings the once disaggregated layers into one cohesive, controlled entity. This is done intelligently by using the App Verification Cloud to “learn” known good application behavior and enforce this good behavior by way of policy. This is a truly powerful solution from VMware that will no doubt take security and control for applications to the next level.