VMware has had a front-row seat to the digital transformation that has touched virtually every organization. We have been there for (and helped drive) the journey from monolithic applications hosted on a single server, to distributed apps running in VMs, to further decentralization in the form of cloud-native apps composed of microservices. Now we are watching the proliferation of public clouds, the emerging space of serverless computing, and the adoption of functions as a service as ways to build and deploy applications faster than ever.

Cyber Security Challenges of Today

It’s this vantage point that also gives us a clear line of sight to one of the biggest cyber security challenges modern enterprises face: as applications become more distributed, an organization’s attack surface grows significantly. Despite all of the advancement and innovation in the way applications are built, we have not seen the same rate of progress in the way applications are secured.

Adopting a zero-trust network security model in an enterprise environment remains incredibly hard to achieve.

  • How do you know what security policies to create?
  • How do you enforce those policies consistently across on-premises physical and virtual environments, let alone the public cloud?
  • How do you enforce them across different types of workloads (bare metal servers, VMs, containers)?
  • How do you maintain security policies as developers continually make changes to their apps?

What VMware has Done

For the better part of a decade, VMware has helped customers reduce the attack surface of their environments. In 2013, when VMware NSX Data Center was launched, micro-segmentation immediately became one of the most valuable and deployed use cases for the product. Customers were able to define network security policies from a single location and enforce those policies in a distributed manner, entirely in software and without the need for specialized hardware or

Since then, we have learned that the more flexibility customers have in defining and enforcing security policies, the closer they can get to the level of segmentation they want in their environment. As a result, we have introduced features such as:

  • Identity-based firewalling
  • Policies based on workload-level attributes rather than only IP addresses
  • Stateful Layer 7 enforcement, moving up the stack from basic Layer 4 port blocking
  • Automatic deployment and dynamic adaptation of policies as applications continually change

Announcing the VMware Service-defined Firewall

Today, we are launching the VMware Service-defined Firewall. It is a new approach to firewalling, distinct from traditional perimeter firewalls because it solves a different problem: controlling traffic between workloads inside the network perimeter rather than filtering what crosses the perimeter.

Advantages of Our New Approach to Firewalling

The VMware Service-defined Firewall reduces the attack surface inside the network perimeter. Unlike perimeter firewalls, which must filter traffic from an unlimited number of unknown hosts, the VMware Service-defined Firewall has deep visibility into the hosts and services that generate network traffic. The solution uses this visibility to determine the expected, or “known good,” behavior of applications, and verifies that this behavior is in fact known good by analyzing it with the Application Verification Cloud. Finally, the VMware Service-defined Firewall automatically generates the security policies needed to consistently enforce the application’s known good behavior across heterogeneous workloads and across both private and public clouds.
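To make the workflow described above concrete, here is a simplified, added illustration in Python of the general pattern: learn a known-good allowlist from observed flows, express it on workload attributes (so policy follows a new workload that carries the same tags), and enforce it with default deny. This is example code written for this page, not VMware code and not the NSX or Service-defined Firewall API. The workload names, the `app`/`tier` tags, and the flow records are constructed, and the `min_support` review threshold is a stand-in for the verification step the post assigns to the Application Verification Cloud.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed inventory: workload name -> attributes. The app/tier tagging
# scheme is an assumption for this example, not NSX's grouping schema.
INVENTORY = {
    "web-01": {"app": "shop", "tier": "web"},
    "web-02": {"app": "shop", "tier": "web"},
    "app-01": {"app": "shop", "tier": "app"},
    "db-01": {"app": "shop", "tier": "db"},
    "jump-01": {"app": "mgmt", "tier": "bastion"},
}

# Constructed flows captured during a learning window: (src, dst, proto, dport).
OBSERVED = [
    ("web-01", "app-01", "tcp", 8080),
    ("web-02", "app-01", "tcp", 8080),
    ("web-01", "app-01", "tcp", 8080),
    ("app-01", "db-01", "tcp", 5432),
    ("app-01", "db-01", "tcp", 5432),
    ("jump-01", "db-01", "tcp", 22),  # seen only once; must be reviewed
]


@dataclass(frozen=True)
class Rule:
    src: tuple      # sorted (key, value) attribute pairs naming the source group
    dst: tuple      # same for the destination group
    proto: str
    dport: int


def group_of(workload, inventory):
    """Attribute tuple identifying the security group a workload belongs to."""
    return tuple(sorted(inventory[workload].items()))


def learn_policy(observed, inventory, min_support=2):
    """Derive allow rules from observed flows, expressed on groups, not hosts.

    Returns (rules, needs_review). A group-level rule seen at least
    `min_support` times becomes policy; anything rarer is handed back for
    human verification instead of being enforced silently, because a learning
    window captures whatever traffic was present, legitimate or not.
    """
    counts = Counter(
        Rule(group_of(s, inventory), group_of(d, inventory), proto, dport)
        for s, d, proto, dport in observed
    )
    rules = {r for r, n in counts.items() if n >= min_support}
    needs_review = {r for r, n in counts.items() if n < min_support}
    return rules, needs_review


def evaluate(rules, inventory, flow):
    """Default deny: a flow is allowed only if a learned group rule matches."""
    s, d, proto, dport = flow
    if s not in inventory or d not in inventory:
        return "deny"  # unknown workload has no attributes, so no rule can match
    candidate = Rule(group_of(s, inventory), group_of(d, inventory), proto, dport)
    return "allow" if candidate in rules else "deny"


if __name__ == "__main__":
    rules, review = learn_policy(OBSERVED, INVENTORY)
    for r in sorted(rules, key=repr):
        print("ALLOW ", dict(r.src), "->", dict(r.dst), r.proto, r.dport)
    for r in sorted(review, key=repr):
        print("REVIEW", dict(r.src), "->", dict(r.dst), r.proto, r.dport)
    # A new web node with the same tags needs no new rule.
    inv = dict(INVENTORY, **{"web-03": {"app": "shop", "tier": "web"}})
    print(evaluate(rules, inv, ("web-03", "app-01", "tcp", 8080)))
    print(evaluate(rules, inv, ("web-03", "db-01", "tcp", 5432)))
```

Two points this demonstrates that the prose alone does not: rules are keyed on attributes, so a third web server added later is covered without any policy change, and a single bastion-to-database SSH flow seen during learning is not enforced until a person confirms it is legitimate. In a real deployment the learning window, the support threshold, and the review of the held-out rules all deserve attention before switching to enforcement.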

VMware has been working on solving the problem of reducing attack surface inside the network perimeter for the better part of a decade.


This launch marks a turning point in how the industry will view internal network security moving forward. Ultimately, the Service-defined Firewall will provide the answer for securing environments made up of applications that span the timeline of technology, from mainframes to microservices to whatever comes next.


Learn More about VMware Service-defined Firewall

Here are resources to learn more about the capabilities and features of the VMware Service-defined Firewall: