The last 12 months have been incredibly exciting for the security business at VMware. Last year at RSA Conference 2019, VMware CEO Pat Gelsinger outlined our Intrinsic Security strategy in his keynote presentation, “3 Things the Security Industry Isn’t Talking About”. We also announced the VMware Service-defined Firewall, a stateful Layer 7 data center firewall. Building on our pioneering work in micro-segmentation, the Service-defined Firewall extended our leadership in protecting east-west traffic in the data center.

Later in the year, we announced two major acquisitions – Avi Networks and Carbon Black. The acquisition of Carbon Black brought to VMware an industry-leading endpoint security platform, and made the entire industry take notice of VMware’s intentions to transform security. With Avi Networks, we acquired a software-defined, elastic, and high-performance load balancer that comes equipped with a full-featured web application firewall (WAF). Maintaining the momentum in building out our security portfolio for the digital enterprise, we announced the VMware NSX Distributed Intrusion Detection and Prevention System, which will bring advanced threat controls to the Service-defined Firewall.

At RSA Conference 2020, we are introducing VMware Advanced Security for Cloud Foundation, a modern data center security solution for today’s private and public clouds. This solution will include VMware Carbon Black technology, NSX Distributed IDS/IPS, and VMware NSX Advanced Load Balancer with WAF capabilities. The solution will tightly integrate with VMware Cloud Foundation, the industry-leading solution for data centers, and enable our customers to replace multiple legacy security solutions in the data center with unified protection that’s easier to operationalize.

VMware Data Center Security Solutions

VMware Security is Intrinsic, and that makes it better.

At VMware, we are taking an intrinsic approach to delivering security – building it into the infrastructure everywhere workloads are deployed, with deep inspection of the workloads and the associated network traffic. When you design security upfront as part of the infrastructure, you can build it differently and it works better.

Take the example of firewalling – traditional appliance-centric firewalls require significant network redesign and hair-pinning of data center traffic. With the VMware Service-defined Firewall, we have distributed the firewall to every workload, reducing blind spots while radically simplifying the operational model. This is simply not practical with appliance-centric firewalls, whether based on hardware or virtual machines (VMs).

World-Class Data Center Security

VMware Cloud Foundation operates at the heart of an intrinsically secure, software-defined data center where organizations house their most sensitive data and business-critical applications. Cloud Foundation comes with VM-level encryption to protect against unauthorized data access both at rest and in motion, network micro-segmentation, and encryption for data at rest. The new VMware Advanced Security for Cloud Foundation will provide advanced security at strategic points in the data center, covering workloads, network, and web applications. The solution will enable security that’s simply turned on from the start, not deployed later, and will follow workloads wherever they go throughout their lifecycle. Let’s look at the capabilities of each of the components of the solution.

VMware Carbon Black Technology

According to the 2019 Data Breach Investigations Report from Verizon, the number one asset category involved in breaches is servers. With the workloads running on these servers, protecting them is the foundation for strong data center security. VMware Carbon Black technology protects workloads with Real-time Workload Audit/Remediation, Next-Generation Antivirus (NGAV), and Endpoint Detection & Response (EDR). It is being tightly integrated with vSphere to yield an “agentless” solution, reducing the need to insert antivirus or other agents. In a survey commissioned by VMware and conducted by Forrester Consulting, more than half of the enterprises surveyed reported managing 20 or more agents (1). Carbon Black technology offers customers much-desired operational simplification, plus it is harder to tamper with since it is in a separate trust domain.

NSX Distributed IDS/IPS for the Service-defined Firewall

The NSX Distributed IDS/IPS will augment the VMware Service-defined Firewall for securing east-west data center traffic. The Service-defined Firewall provides stateful Layer 7 security controls at each workload, with a control plane that can scale to the order of tens of thousands of individual firewalls. Leveraging the distributed architecture of the Service-defined Firewall, the NSX Distributed IDS/IPS will bring advanced threat detection capabilities to data center traffic at each hop. In contrast, traditional firewalls force operators to inspect traffic selectively due to cost and complexity. Using intrinsic knowledge of the running applications, NSX Distributed IDS/IPS will curate the signatures evaluated at each workload to reduce false positives. This can greatly reduce the operational overhead of manual signature tuning that operators struggle with today. This novel architecture changes the game for IDS/IPS, elevating it from a mere check-box item for meeting compliance needs to an actionable inspector of east-west network traffic that can detect and block the lateral movement of threats.

NSX Advanced Load Balancer with Web Application Firewall

Vulnerable web servers are often used as the entry point for modern attacks. The NSX Advanced Load Balancer with web application firewall provides application security to safeguard this frequent point of attack. Traditional hardware-based solutions are notoriously complex to manage. They are either massively over-provisioned for peak traffic or end up turning off security filtering under heavy loads. In contrast, the scale-out software architecture of the NSX Advanced Load Balancer enables capacity to scale elastically with traffic, while delivering our customers up to 60% in operational savings (2). The NSX Advanced Load Balancer with web application firewall uses its deep understanding of applications, automated learning, and app-specific policies to provide better security with fewer false positives.

Internal Data Center Protection

No More Trade-off between Security and Simplicity

Companies are bolting on dozens of security products in their data centers to protect themselves. This is creating massive operational complexity, with most organizations struggling with integration challenges and misaligned controls. The previously mentioned Forrester survey also found that 57% of IT security professionals agree they err on the side of fewer/broader security policies to allow for more flexibility and agility, despite leaving significant security vulnerabilities. The result: attacks are still getting through and moving laterally within the data center, going undetected, often for months, as they locate, harvest and exfiltrate sensitive data.

The new VMware Advanced Security for Cloud Foundation will bring together world-class workload protection, intrusion detection and prevention, and web application firewall for public and private clouds based on VMware Cloud Foundation. The data center has outgrown legacy security products. It’s time to modernize by adopting distributed, scale-out software solutions that reduce costs and complexity and enable the agility that the business needs!

Citations

  1. ‘To Enable Zero Trust, Rethink Your Firewall Strategy’ – a Forrester Consulting thought leadership paper commissioned by VMware, February 2020
  2. Internal VMware analysis over a two-year period (May 2017 to June 2019) conducted for top Avi Networks customers