Public cloud infrastructure introduces unique security challenges. Organizations need to ensure the confidentiality, integrity, and availability of their data and applications in the face of ever-evolving threats. Implementing robust security controls, managing access permissions, and complying with industry-specific regulations can be complex in an environment controlled by a provider.
Today, we are happy to announce that to address these challenges, we are providing some advanced security features out of the box as part of VMware Cloud on AWS core service. Now customers can strengthen the security posture of their hybrid cloud infrastructure with advanced security capabilities such as Layer 7 Application ID, FQDN Filtering, and User Identity-based Firewall (IDFW). Starting Feb 1, 2024, these features are available at no extra cost in all the SDDCs (new and existing SDDCs). These features are available via VMware Direct as well as AWS Resell routes to market.
Now, let’s look at the details of these advanced security capabilities:
Layer 7 Application ID– With this capability, customers can create micro-segmentation security policies at more granular level for specific application after determining which workloads comprise application and what network traffic is necessary for application and restrict any other traffic thus reducing the attack surface.
FQDN Filtering– With this capability, security administrators can define firewall rules that explicitly provide access to a set of FQDNs and can control or restrict access to remote services & sites.
User Identity-based Firewall (IDFW): With this capability, customers can create firewall rules based on Active Directory or LDAP user groups in order to provide granular access control to applications.
In addition to the features mentioned above, a free trial of the Distributed IDS/IPS functionality is available to all customers starting from February 1, 2024 until April 30, 2024. Following the trial period, customers will be presented with options to either subscribe to the IDS/IPS service or to continue using it on a pay-as-you-go basis.
Distributed IDS/IPS: With VMware NSX Distributed IDS/IPS, customers gain protection against attempts to exploit vulnerabilities in workloads on VMware Cloud on AWS. Distributed IDS/IPS is an application-aware deep packet inspection engine that can examine and protect traffic inside the SDDC. Customers can detect and prevent lateral threat movement within the SDDC using the intrinsic security capabilities of Distributed IDS/IPS
Why are these capabilities important from customers’ point of view? What are some of the key benefits for customer? Let’s check those out.
Key benefits of advanced security capabilities:
Granular resource isolation: VMware NSX with Layer 7 Application ID provides a higher level of security by isolating and protecting individual applications or application components. It allows organizations to define granular security policies specific to each application, which helps in minimizing the attack surface and prevent lateral movement within the network. In the event of a security breach, the impact can be contained within the affected application segment, limiting the potential damage.
Stronger policy enforcement: VMware FQDN filtering in firewall rules offers granular control, dynamic rule updates, improved user experience, enhanced security, scalability and flexibility, compliance and policy enforcement, and integration with DNS-based threat intelligence. These benefits help organizations strengthen their network security, protect against threats, and ensure appropriate access to resources while maintaining a high level of control and flexibility.
Reduced risk of unauthorized access: VMware User-Identity Firewall offers benefits such as user-centric access control, alignment with the zero-trust model, adaptive access policies, enhanced visibility and auditing, and integration with other NSX security capabilities. By focusing on user identities and their access privileges, identity firewalls strengthen network security, reduce the risk of unauthorized access, and provide a more flexible and dynamic approach to access control.
Simplified security management: In VMware NSX Layer 7 Application ID, security policies are tied directly to the application, making security management more streamlined. Instead of managing complex network rules, administrators can focus on defining and enforcing policies at the application layer. This simplifies security operations, reduces the risk of misconfigurations, and makes it easier to maintain a secure environment as applications evolve or new applications are deployed.
Higher flexibility and agility: VMware NSX Layer 7 Application ID allows for greater flexibility and agility in deploying and managing applications. As applications become more distributed and dynamic, traditional network-based segmentation can become restrictive. Layer 7 Application ID enables organizations to apply security controls regardless of the underlying network infrastructure, making it easier to migrate applications across different environments (e.g., on-premises, cloud, containers) without compromising security.
Enabled Zero-Trust architecture: VMware NSX Layer 7 Application ID aligns with the principles of Zero Trust architecture, where every communication and access request is verified and authenticated, regardless of the network location. By implementing fine-grained security policies at the application level, organizations can adopt a Zero Trust approach, ensuring that only authorized traffic is allowed and reducing the risk of lateral movement or privilege escalation by attackers.
Improved incident response and forensics: In the event of a security incident, VMware NSX Layer 7 Application ID provides better visibility and control over application traffic. Security teams can quickly identify affected applications, isolate compromised components, and conduct forensics at a granular level. This improves incident response capabilities and reduces the time to detect, investigate, and remediate security issues within specific application segments.
What’s Next:
All customers will be automatically entitled to the advanced security features on Feb 1, 2024. To avail these features, customers simply need to activate the ‘NSX Advanced Firewall’ service from the Integrated Services Tab under the NSX Advanced Firewall tile on VMware Cloud Console. If you would like to learn more technical details about these features, check out this TechZone article and a deep-dive blog. And if you have any further questions, please contact your VMware or AWS representative to learn more.
Resources:
For more information related to VMware Cloud on AWS, here are some more learning resources for you:
