VMware, which has staked its reputation on micro-segmentation over the past few years, is building on that expertise with a firewall that helps protect applications and data from inside the perimeter.
Unlike other firewall solutions that focus on protection at the network perimeter, the VMware Service-Defined Firewall flips the model on its head, focusing on applications and data inside the perimeter. It’s designed to address the problems that arise when bad actors find a way around or through the perimeter and are given free rein once they're inside.
VMware's new solution is a deep integration between VMware’s NSX network virtualization and security software and AppDefense, a data center endpoint security product that protects applications running in virtualized environments. The VMware Service-Defined Firewall allows organizations to gain greater visibility and control over application behavior at the kernel layer, including visibility into guest VM processes and behaviors.
One of the solution’s key differentiators is the Application Verification Cloud, which verifies known good application behavior instead of trying to identify and block every threat it finds. With this information, it generates adaptive security policies, formed from verification cloud data combined with artificial intelligence and human intelligence.
“It’s more than whitelisting,” explained Matt De Vincentis, VMware’s director of networking and security product marketing. “It’s basically saying, ‘this is good, so if there is a deviation from that, I know that’s bad.’ But unlike whitelisting, our service uses machine learning and human intelligence: actual security people who can verify whether or not an application is good.”
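As an added illustration of the positive-security model De Vincentis describes (this is not VMware's code; the application names, process names, ports and events below are constructed), a minimal baseline of verified known-good behavior turned into a per-application policy, where anything not in that policy is reported as a deviation:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Behavior:
    app: str        # application tier the guest VM belongs to (constructed label)
    process: str    # process inside the guest that opened the connection
    dst_port: int   # destination port of the connection
    proto: str      # transport protocol, "tcp" or "udp"


def learn_baseline(verified_events):
    """Only events that have been verified as legitimate form the known-good set."""
    return frozenset(verified_events)


def build_policy(baseline):
    """Derive per-application allow rules from the baseline; everything else is denied."""
    policy = defaultdict(set)
    for b in baseline:
        policy[b.app].add((b.process, b.dst_port, b.proto))
    return dict(policy)


def evaluate(policy, observed):
    """Positive-security check: a behavior absent from the learned policy is a deviation."""
    verdicts = []
    for e in observed:
        allowed = (e.process, e.dst_port, e.proto) in policy.get(e.app, set())
        verdicts.append((e, "allow" if allowed else "deviation"))
    return verdicts


# Constructed sample telemetry, not real data.
VERIFIED = [
    Behavior("web-tier", "nginx", 8080, "tcp"),
    Behavior("web-tier", "nginx", 443, "tcp"),
    Behavior("app-tier", "java", 5432, "tcp"),
]
OBSERVED = [
    Behavior("web-tier", "nginx", 8080, "tcp"),  # matches baseline
    Behavior("web-tier", "curl", 80, "tcp"),     # unverified process for this tier
    Behavior("app-tier", "java", 22, "tcp"),     # known process, unverified port
]

if __name__ == "__main__":
    for event, verdict in evaluate(build_policy(learn_baseline(VERIFIED)), OBSERVED):
        print(f"{verdict:9} {event.app} {event.process} -> {event.dst_port}/{event.proto}")
```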
Because the Service-Defined Firewall is built into the hypervisor, information is distributed throughout the infrastructure. This addresses one of the major challenges with traditional firewalls—trying to place them throughout the network at the right points.
There are, of course, other ways to protect the inside of data center and cloud networks. Some organizations choose to repurpose standard next-generation firewalls for the job. But those are designed to work at the edge of the network to block traffic from unknown hosts, not to understand data center applications.
“Part of the secret sauce is the fact that it runs from within the hypervisor, so it has a lot more visibility and understanding of the actual applications running on top of it,” De Vincentis said. “So we can create a much better firewall and much stronger security policy because it understands the applications.”
Other organizations rely on micro-segmentation to protect the inside of the network. It’s a good approach and one that works for a lot of organizations. But today, VMware doesn’t believe that micro-segmentation alone is enough: keeping data and applications safe requires much more intelligence. By incorporating micro-segmentation into the Service-Defined Firewall, VMware believes it has the answer.
“At the core, this is about reducing the attack surface and in a way, this is about prevention, not the cure,” De Vincentis said. “It’s about significantly reducing the attack surface and focusing on validating known good application behavior—in effect, taking the approach of trying to prevent attacks and threats from getting into the network to begin with, rather than trying to identify threats.”