Shrink the application attack surface with a new approach to firewalling

What is a Service-Defined Firewall?

In February 2019 at the RSA Security Conference in San Francisco, VMware® announced the launch of a new solution built on its NSX and AppDefense products, called "VMware Service-Defined Firewall".

So, you may be asking: what is a Service-Defined Firewall? In short, it is a solution designed to mitigate threats that are already inside a datacentre or cloud network, rather than threats arriving at the perimeter.

If you are thinking "I have a very good perimeter firewall and defences; nothing will get past those, so why bother?" then please do read on. According to the Carbon Black "Quarterly Incident Response Threat Report" of July 2018, 59% of attacks involved attempted lateral movement. Think about that for a moment: not only did the attacker get inside the datacentre or cloud network, they then tried to move from the workload they had compromised to others. A perimeter firewall never sees that east-west traffic.

VMware's Service-Defined Firewall establishes a verified understanding of known good application behaviour and, from that baseline, generates adaptive security policies that shrink the application's attack surface consistently across on-premises and multi-cloud environments.

VMware's road to the Service-Defined Firewall

How is the Service-Defined Firewall different from a traditional enterprise firewall?

Most firewalls are designed to block known threats at the network perimeter. The Service-Defined Firewall is a new breed of firewall that goes beyond Layer 7 inspection to protect applications inside a datacentre or cloud network. You can consider the Service-Defined Firewall to be an evolution of micro-segmentation.

VMware's Service-Defined Firewall is built directly into the vSphere hypervisor, without any additional agents or applications having to be deployed inside the guest. Because the enforcement point sits beneath the virtual machine rather than within it, the core components of the Service-Defined Firewall are outside the attack surface of the workloads they protect: an attacker who compromises a guest operating system does not gain the ability to disable or tamper with the firewall that is inspecting that guest's traffic.

The solution also benefits from a cloud-based service from VMware that combines AI/ML (artificial intelligence/machine learning) and human intelligence to build and verify a "known good" model of application behaviour.

The above image shows the make-up of VMware’s Service-Defined Firewall.

How is the Service-Defined Firewall different from Micro-segmentation? 

The Service-Defined Firewall makes use of NSX's micro-segmentation. However, it goes further: it correlates observed workload behaviour (which processes are running and which connections they open) with the expected network behaviour for that application, and adds OS integrity monitoring and verification on top. A connection that micro-segmentation alone would permit can therefore still be flagged if it is made by an unexpected process or from a workload whose integrity can no longer be verified. This is what enables the solution to protect against a broader range of attack vectors than network-only segmentation.
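To make the "known good behaviour becomes an allow-list policy" idea concrete, here is a small illustration I have added. It is not VMware code and does not use the NSX or AppDefense APIs; it is a toy model in which a learning window of healthy flows is turned into a default-deny policy keyed on workload tags, and new flows are then checked against it, including which process opened each connection. The workload names, tier tags, ports and sample flows are all constructed for the example.

```python
"""
Toy model of a behaviour-derived micro-segmentation policy.

Added illustration only, not VMware's implementation. Learns "known good"
flows observed while an application is healthy, turns them into a
default-deny allow-list keyed on workload tier tags, and checks new flows
against that policy, correlating the network flow with the process that
opened it.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str       # source workload name
    dst: str       # destination workload name
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    process: str   # process on src that opened the connection


# Hypothetical inventory: workload name -> application tier tag (constructed)
TAGS: Dict[str, str] = {
    "web-01": "web",
    "web-02": "web",
    "app-01": "app",
    "db-01": "db",
}

# Constructed sample of flows seen while the application was known to be healthy
KNOWN_GOOD: List[Flow] = [
    Flow("web-01", "app-01", "tcp", 8080, "nginx"),
    Flow("web-02", "app-01", "tcp", 8080, "nginx"),
    Flow("app-01", "db-01", "tcp", 5432, "java"),
]

# A learned rule: (src_tag, dst_tag, proto, dport, process)
Rule = Tuple[str, str, str, int, str]


def learn_policy(flows: List[Flow], tags: Dict[str, str]) -> FrozenSet[Rule]:
    """Collapse observed flows into tag-level rules. Two web servers talking
    to the app tier on the same port from the same process yield one rule."""
    rules = set()
    for f in flows:
        rules.add((tags[f.src], tags[f.dst], f.proto, f.dport, f.process))
    return frozenset(rules)


def evaluate(policy: FrozenSet[Rule], flow: Flow, tags: Dict[str, str]) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Anything not learned is denied:
    this is an allow-list, not a block-list of known-bad signatures."""
    src_tag = tags.get(flow.src)
    dst_tag = tags.get(flow.dst)
    if src_tag is None or dst_tag is None:
        return "deny", "unknown workload"
    key = (src_tag, dst_tag, flow.proto, flow.dport, flow.process)
    if key in policy:
        return "allow", "matches learned behaviour"
    # Same network flow, wrong process: a pure L3/L4 segmentation rule would
    # allow this; correlating with workload behaviour catches it.
    if any(r[:4] == key[:4] for r in policy):
        return "deny", f"flow is expected but not from process {flow.process!r}"
    return "deny", "flow never seen during learning"


def render_rules(policy: FrozenSet[Rule]) -> List[str]:
    """Render the policy as generic firewall-style rules (not NSX syntax)."""
    lines = [
        f"allow {proto} {src}->{dst}:{port} proc={proc}"
        for (src, dst, proto, port, proc) in sorted(policy)
    ]
    lines.append("deny any any")
    return lines


if __name__ == "__main__":
    policy = learn_policy(KNOWN_GOOD, TAGS)
    print("\n".join(render_rules(policy)))
    probes = [
        Flow("app-01", "db-01", "tcp", 5432, "java"),   # normal app->db traffic
        Flow("web-01", "db-01", "tcp", 5432, "psql"),   # web tier reaching past app tier
        Flow("app-01", "db-01", "tcp", 5432, "bash"),   # right flow, wrong process
        Flow("app-01", "db-01", "tcp", 22, "ssh"),      # never-seen admin access
    ]
    for f in probes:
        verdict, reason = evaluate(policy, f, TAGS)
        print(f"{f.src}->{f.dst}:{f.dport} ({f.process}): {verdict} - {reason}")
```

The point of the third probe is the one the paragraph above makes: a `bash` process on the app server opening the same port to the database that `java` legitimately uses is indistinguishable from normal traffic to a network-only micro-segmentation rule, but is denied once the policy also encodes which process is expected to make the connection.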

How is the Service-Defined Firewall different from traditional Next-Generation Firewalls?

The VMware Service-Defined Firewall is not competing with, and does not intend to replace, the perimeter firewall. It is intended to fill the gap that perimeter firewalls and other security solutions leave: they cannot fully protect against lateral movement within the datacentre or cloud network. It does so while remaining outside the attack surface, because it is integrated into the hypervisor and abstracted from the guest operating system of the virtual machine.

The solution is also entirely software-based. This allows VMware to enforce policies consistently across heterogeneous workloads, and it allows for a distributed architecture in which enforcement happens at each hypervisor rather than at a central choke point. Given the level of hybrid deployment customers are asking for today, that is a significant enabler.

VMware's Service-Defined Firewall is available now. If you want to find out more and understand how your organisation can benefit from the VMware Service-Defined Firewall and other VMware security solutions, contact us.

Xtravirt is a VMware Master Services Competency partner, certified to design and deploy VMware products and solutions. We can work with you to find a solution that is right for your organisation.

Useful links:

VMware Service-Defined Firewall  

VMware NSX Datacenter  

VMware AppDefense