VMware has had a front-row seat to the digital transformation that has touched virtually every organization. We’ve been there for (and helped drive!) the journey from monolithic applications hosted on a single server, to distributed apps running in VMs, to further decentralization in the form of cloud-native apps composed of microservices. Now we’re watching the proliferation of public clouds, the up-and-coming space of serverless, and the adoption of functions as a service as ways to build and deploy applications faster than ever.
It’s this vantage point that also gives us a clear line of sight to one of the biggest cyber security challenges that modern enterprises face: as applications become more distributed, an organization’s attack surface grows significantly. Despite all of the advancements and innovation in the way applications are built, we have not seen the same rate of progress in the way applications are secured. Adopting a zero-trust network security model in an enterprise environment remains incredibly hard. How do you know what security policies to create? How do you enforce those policies consistently across on-premises physical and virtual environments, let alone in the public cloud? How do you enforce them across different types of workloads (bare metal servers, VMs, containers)? How do you maintain security policies as developers continually change their apps?
For the better part of a decade, VMware has helped customers reduce the attack surface of their environments. In 2013, when VMware NSX Data Center was launched, micro-segmentation immediately became one of the most valuable and deployed use cases for the product. Customers were able to define network security policies from a single location and enforce those policies in a distributed manner, entirely in software and without the need for specialized hardware or agents.
Since then, we’ve learned that the more flexibility we can give customers in the definition and enforcement of security policies, the better they can reach the level of segmentation they desire in their environment. As a result, we’ve introduced features like identity-based firewalling, and the ability to create policies based on workload-level attributes. We’ve also moved up the stack from basic Layer 4 port blocking to do stateful Layer 7 enforcement. And we’ve introduced the ability to automatically deploy and dynamically adapt policies based on continual changes to applications.
All of this brings us to our announcement
Today, we are launching the VMware Service-defined Firewall. It is a new approach to firewalling because it solves a different problem than traditional perimeter firewalls do: it reduces the attack surface inside the network perimeter. A perimeter firewall must filter traffic from an unlimited number of unknown hosts. The VMware Service-defined Firewall, by contrast, has deep visibility into the hosts and services that generate network traffic. It uses this visibility to determine the expected, or “known good”, behavior of each application, and it verifies that this behavior is in fact known good by analyzing it with the Application Verification Cloud. Finally, it automatically generates the security policies needed to enforce the application’s known good behavior consistently across heterogeneous workloads and across both private and public clouds.
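As an added illustration (example code written for this post, not VMware’s code, and not a description of how NSX or the Application Verification Cloud is implemented), the following Python sketch shows the shape of the workflow described above: flows observed between tagged workloads are learned into candidate rules keyed on workload attributes rather than individual hosts, the candidates are checked against an expected application topology before they are trusted, and whatever survives becomes an allowlist enforced with a default deny. The workload names, tags, flows and the expected topology are all constructed for the example; the `tier` attribute and the `EXPECTED_TOPOLOGY` set are assumptions standing in for whatever a real system uses to decide that observed behavior is genuinely known good.

```python
# Constructed inventory: workload name -> attributes (the kind of workload-level
# tags a policy can be keyed on). Purely illustrative; not an NSX data model.
WORKLOADS = {
    "web-01": {"app": "shop", "tier": "web"},
    "web-02": {"app": "shop", "tier": "web"},
    "api-01": {"app": "shop", "tier": "api"},
    "db-01":  {"app": "shop", "tier": "db"},
}

# Constructed flows seen during a learning window: (src, dst, proto, dport).
# The last one is deliberately anomalous: a web server talking straight to the DB.
OBSERVED_FLOWS = [
    ("web-01", "api-01", "tcp", 8443),
    ("web-02", "api-01", "tcp", 8443),
    ("api-01", "db-01", "tcp", 5432),
    ("web-02", "db-01", "tcp", 5432),
]

# Assumed application design: which tiers are supposed to talk to which.
# This stands in for the external "is this really known good?" check. The
# judgement has to come from somewhere other than the traffic itself.
EXPECTED_TOPOLOGY = {("web", "api"), ("api", "db")}


def group_of(workload, inventory=WORKLOADS):
    """Map a workload to its policy group (here: its tier tag), or None if unknown."""
    attrs = inventory.get(workload)
    return attrs["tier"] if attrs else None


def learn_rules(flows, inventory=WORKLOADS):
    """Collapse observed flows into candidate rules keyed on groups, not hosts.

    Returns a set of (src_group, dst_group, proto, dport). Flows involving an
    unknown workload are ignored rather than learned, so a stray host cannot
    widen the policy just by sending traffic.
    """
    rules = set()
    for src, dst, proto, dport in flows:
        sg, dg = group_of(src, inventory), group_of(dst, inventory)
        if sg is None or dg is None:
            continue
        rules.add((sg, dg, proto, dport))
    return rules


def verify_rules(candidates, topology=EXPECTED_TOPOLOGY):
    """Split candidates into accepted and rejected using the expected topology.

    "Observed" is not the same as "known good": a flow generated by an already
    compromised host would otherwise be baked into the allowlist.
    """
    accepted = {r for r in candidates if (r[0], r[1]) in topology}
    rejected = candidates - accepted
    return accepted, rejected


def evaluate(rules, flow, inventory=WORKLOADS):
    """Default-deny evaluation of one flow against the accepted rule set."""
    src, dst, proto, dport = flow
    sg, dg = group_of(src, inventory), group_of(dst, inventory)
    if sg is None or dg is None:
        return "DENY"
    return "ALLOW" if (sg, dg, proto, dport) in rules else "DENY"


def build_policy(flows=OBSERVED_FLOWS):
    """End to end: learn, verify, and return (enforceable rules, rejected candidates)."""
    return verify_rules(learn_rules(flows))


if __name__ == "__main__":
    accepted, rejected = build_policy()
    for r in sorted(accepted):
        print("ALLOW", r)
    for r in sorted(rejected):
        print("REJECTED (observed but not expected)", r)
    print(evaluate(accepted, ("web-01", "api-01", "tcp", 8443)))  # ALLOW
    print(evaluate(accepted, ("web-02", "db-01", "tcp", 5432)))   # DENY
```

The point of the separate `verify_rules` step is the caveat a practitioner should keep in mind with any learned allowlist: a baseline captured while an attacker is already inside will faithfully learn the attacker’s traffic. Grouping on attributes instead of addresses is also what lets the same rule follow a workload when a new `web-03` is deployed, without anyone editing the policy.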
VMware has been working on solving the problem of reducing attack surface inside the network perimeter for the better part of a decade.
This launch marks a turning point in the way that internal network security will be viewed by the industry moving forward. Ultimately, the Service-defined Firewall will provide the answer for securing environments comprised of applications that span the timeline of technology, from mainframes to microservices to whatever comes next.
To learn more about the capabilities of the VMware Service-defined Firewall, watch a demo of the solution in action, and read the Service-defined Firewall Effectiveness Validation report by Verodin, visit the Service-defined Firewall Solution page.