Today we are happy to introduce the Service-defined Firewall Validation Benchmark report and Solution Architecture document. Firewalls and firewalling technology have come a very long way in thirty years. To understand how VMware is addressing the demands of modern application frameworks, while addressing top concerns for present-day CISOs, let’s take a brief look at the history of this technology.


A Brief Firewall History

Over time, the network firewall has grown up, from initially being very basic to more advanced with the inclusion of additional features and functionality. The network firewall incrementally incorporated increasingly complex functionality to address many threats in the modern security landscape.

While the network firewall initially progressed rapidly to keep pace with the development of network technology and the rapid evolution of network threat vectors, over the past decade there has been very little innovation in this space. The requirements of the next-generation firewall (NGFW) haven’t changed tremendously since its late-2000s introduction to the market, and with the uptick in adoption of modern micro-services-based architectures in the enterprise, applications are becoming more and more distributed in nature, with growing scale and security concerns around the ephemeral nature of the infrastructure.

Micro-services, which leverage a highly distributed architecture, have significantly increased the number of attack vectors or surface area of attack available for malicious actors to exploit. Moreover, many of these distributed architectures have made the network edge more porous. Additionally, the ephemeral nature of the modern application architecture has also decreased the visibility of threat intelligence for security teams tasked with maintaining their relative security posture.

Traditional Perimeter Firewall Architecture Problems

Here at VMware, we had a realization that the architectural nature (both from a feature/functions standpoint, as well as the actual placement in the overall architecture) of the traditional perimeter firewall is problematic to many of these modern trends happening in the data center. Some points to consider:

  • Potentially sub-optimal data forwarding that creates network choke points
  • Forces infrequent and manual policy changes
  • Inadequate and inflexible model for granular policy definition
  • Lacks any application context or service awareness
  • Fails to keep pace with modern development practices (Agile, DevOps, CI/CD), often leaving gaps in coverage relative to the continuous change


Modern Firewall Considerations

Simply put, there’s a massive increase in complexity with modern application architectures and the traditional perimeter firewalls do not solve the internal security problem. What is the internal security problem? Glad you asked—in speaking with many customers we believe we have defined what an internal firewall should do to address the growing security concerns and ever evolving attacks malicious actors are launching to compromise businesses.

Few would argue against the need to protect internal assets, particularly in light of a study released last year that concluded the cost of a data breach in 2018 averaged $3.86 million.

Additionally, consider how much the industry has spent on protecting the perimeter to date. Many modern breaches you hear about on the news start from well-known vulnerabilities, but after the initial exploit, spread laterally within the environment because the internal security problem hasn’t been addressed. It’s time to add security back into the application. The application needs to be self-protecting in a defense-in-depth model. In the past, it was always relying on external things that wrap the application and the data. The distributed nature of modern applications increases the importance of the application’s ability to inherently be much more resilient and resistant to attacks.

We believe this requires a fundamental shift in security mindset and can be addressed in a few high-level ways:


Enter VMware’s Service-defined Firewall

VMware launched the Service-defined Firewall earlier this year. This solution asks one simple question—instead of chasing threats by relying on a reactive approach to firewalling, what if a firewall could reduce the attack surface of applications inside the perimeter by understanding and enforcing known good application behavior? By gaining system and service level insight to an application’s topology (e.g., down to an originating process that generates network I/O), the Service-defined Firewall has the unique ability to control application behavior using a variety of techniques.

As an example, the Service-defined Firewall combines AI and human intelligence to establish a verified model of known good application behavior. This, combined with additional network-centric constructs like L7 packet inspection and AppID, strengthens the overall security posture within the network perimeter, even more so when supplemented with more traditional firewall strategies like identity-based firewalling and tiered segmentation. From an overall architecture standpoint, the intrinsic nature of the Service-defined Firewall dictates isolation between the controls and the attack surface itself, which becomes very important because even if a workload is compromised, the Service-defined Firewall cannot simply be disabled or bypassed.
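To make the "known good application behavior" idea concrete, here is an added illustration (example code written for this post, not VMware's code and not how the Service-defined Firewall is implemented). It models two of the layers described above: a coarse tiered-segmentation policy and a per-workload, per-process allowlist learned from observed flows, evaluated default-deny. The workload names, tiers, processes and flow records are all constructed assumptions; it also serves the later discussion of attack propagation, since the sample batch at the end is a set of simulated lateral-movement flows from one compromised workload.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection attempt, attributed to the process that generated it."""
    workload: str   # VM or container name (constructed)
    process: str    # originating executable that generated the network I/O
    proto: str
    dst: str        # destination workload
    dport: int


# Constructed topology: which tier each (assumed) workload belongs to.
TIER_OF = {
    "web-01": "web", "web-02": "web",
    "app-01": "app",
    "db-01": "db",
    "dns-01": "infra",
}

# Tiered segmentation: the only tier-to-tier edges the design permits.
ALLOWED_TIER_EDGES = {("web", "app"), ("app", "db"), ("app", "infra"), ("web", "infra")}

# Constructed "learning mode" observations of the application's legitimate behavior.
BASELINE_OBSERVATIONS = [
    Flow("web-01", "/usr/sbin/nginx", "tcp", "app-01", 8080),
    Flow("web-02", "/usr/sbin/nginx", "tcp", "app-01", 8080),
    Flow("app-01", "/usr/bin/java", "tcp", "db-01", 5432),
    Flow("app-01", "/usr/bin/java", "udp", "dns-01", 53),
]


def learn_baseline(observations):
    """Per workload, the set of (process, proto, dst, dport) seen during learning."""
    baseline = defaultdict(set)
    for f in observations:
        baseline[f.workload].add((f.process, f.proto, f.dst, f.dport))
    return dict(baseline)


def evaluate(flow, baseline):
    """Judge a flow: tier policy first, then the per-process known-good model.

    Returns (verdict, reason). The model is default-deny: anything not
    explicitly learned as good is blocked, so a compromised workload cannot
    reach peers that its legitimate processes never talked to.
    """
    src_tier = TIER_OF.get(flow.workload)
    dst_tier = TIER_OF.get(flow.dst)
    if src_tier is None or dst_tier is None:
        return "block", "unknown workload in tier map"
    if (src_tier, dst_tier) not in ALLOWED_TIER_EDGES:
        return "block", f"tier policy forbids {src_tier} -> {dst_tier}"

    allowed = baseline.get(flow.workload, set())
    key = (flow.process, flow.proto, flow.dst, flow.dport)
    if key in allowed:
        return "allow", "matches known good behaviour"
    if flow.process not in {p for p, _, _, _ in allowed}:
        return "block", f"unknown process generating network I/O: {flow.process}"
    return "block", "known process, but unexpected destination or port"


def summarise(flows, baseline):
    """Count verdicts over a batch of flows, e.g. a simulated propagation attempt."""
    counts = {"allow": 0, "block": 0}
    for f in flows:
        counts[evaluate(f, baseline)[0]] += 1
    return counts


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_OBSERVATIONS)
    # Constructed post-compromise activity on web-01: an unexpected binary and the
    # legitimate web server both trying to reach workloads outside the learned model.
    simulated_spread = [
        Flow("web-01", "/tmp/.x/payload", "tcp", "web-02", 445),
        Flow("web-01", "/tmp/.x/payload", "tcp", "app-01", 22),
        Flow("web-01", "/usr/sbin/nginx", "tcp", "db-01", 5432),
    ]
    for f in simulated_spread + BASELINE_OBSERVATIONS[:1]:
        print(f.workload, f.process, "->", f.dst, f.dport, evaluate(f, baseline))
    print(summarise(simulated_spread, baseline))
```

The ordering matters for the reasons reported: the tier check catches web-to-web and web-to-db attempts regardless of which process made them, while the process-level model is what distinguishes a dropped binary on web-01 from nginx itself reaching an unexpected port. A real enforcement point would also need to handle baseline drift (new legitimate flows after a deployment), which is where the "human intelligence" step of verifying the learned model comes in.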

This is how VMware is able to deliver consistent protection for your modern applications across the many places modern applications can live:


Putting the Service-defined Firewall to the Test

The VMware Service-defined Firewall Benchmark report has been released! VMware sponsored Coalfire, an independent cybersecurity advisory and assessment firm, to create this industry-first Service-defined Firewall benchmark report.

Coalfire conducted a micro-audit of the Service-defined Firewall capabilities to develop this benchmark report detailing the efficacy of VMware’s solution as a security platform. The micro-audit process included testing Service-defined Firewall features and functionality against simulated zero-day threats following common steps of the cyber kill chain model.

The results of this attack sequence are shown below:

Coalfire’s examination and testing of the Service-defined Firewall solution utilized simulated real-world exploits that depict likely hacker or attacker behavior in actual production network scenarios. The methodology used simulated real-world attacks that begin with the successful compromise of a vulnerable and exploitable machine within the network and then follow with attack propagation to other virtual or physical machines that share network access with the exploited VM.

Service-defined Firewall Resources

Please read the full report to learn all the in-depth technical details and testing methodologies.

Resources to Get Started:
Technical Resources: