It’s not unnecessary, but a perimeter firewall is not enough. Picture this: innocent end-user at a mid-size commercial firm clicks on an email link originating in a phishing email attack. Sigh. The bad actor is now already behind the firewall. Without lateral controls, the exploit can quickly propagate throughout the network. In fact, according to our recent Threat Landscape Report, email is still the number one vector to deliver malware, and 4% of all emails are malicious. So if you have 701 emails in your inbox right now (no? just me?) 28 of them may be malicious. Yikes.
Most data center traffic happens within the data center and behind perimeter firewalls—a.k.a. east-west traffic, internal traffic, or lateral traffic—as opposed to north-south traffic, which is inbound/outbound. Likewise, most of the high-profile attacks in recent times have involved malware sitting inside the network, moving laterally from server to server and remaining undetected for months. This is what causes real damage. You simply need more visibility and control in east-west traffic to prevent attackers’ lateral movement.
Perimeter Firewalls Weren’t Made to Secure East-West Traffic
It’s true, traditional appliance-based firewalls are certainly necessary to secure the network perimeter. But they weren’t made to secure traffic inside the network—the growing east-west flows that move laterally inside the data center.
According to a Forrester study, seven out of 10 enterprises reported being handicapped by an overreliance on perimeter firewalls and believed that they were overprovisioning these firewalls, which can be expensive. Fifty-seven percent agreed this meant a tradeoff between coverage and operational flexibility and agility.
The two traffic flows have different volumes and characteristics, and most firewalls today weren’t built to be used interchangeably. Yet appliance-based perimeter firewalls are still being provisioned for east-west traffic monitoring. Problem is, the work around involves tactics such as hairpinning traffic, which ultimately creates traffic jams during volume spikes, thus increasing costs and decreasing control and performance. Here’s a real-life example of why this matters:
A global telecommunications company with hundreds of millions of users in more than a dozen countries needed to protect business-critical, consumer-facing mobile application infrastructure. To do so, it needed to segment and secure large amounts of network traffic on in-house infrastructure using an internal firewall approach. The telecom decided to deploy a hardware-based firewall as its internal firewall solution.
It didn’t take long for the company to begin experiencing performance issues. The appliance-based solution could not scale to protect all the workloads and traffic across the telecom’s dev/test, production, and DMZ zones. Because the traffic was hair–pinned to and from the firewall appliances, the company experienced performance problems during traffic spikes when new versions of the application were released.
The Solution: Internal Firewalling
It’s time to rethink data center firewalling. Securing the internal network is complex. And IT security professionals can no longer shoehorn traditional application-based firewalls for this use case.
Internal firewalls, such as VMware’s NSX Service-defined Firewall, are data center firewalls that protect east-west (internal) traffic across private and public cloud environments at the granularity of workloads. Network security professionals use these firewalls to mitigate risk, prevent lateral movement of attackers, and ensure compliance with the stated security policies of their organizations.
Take a deep dive into the concept of internal firewalling in this easy-to-read eBook: Internal Firewalls for dummies. (We promise, no one will call you a dummy if you download this guide!)
VMware Named Market Leader in Firewall
Announced at this year’s RSA Conference by CyberDefense Magazine, VMware was named a winner of the Global InfoSec Award as Market Leader in Firewall. One of VMware’s core beliefs is that we need structural and architectural changes to how organizations approach security. This means taking a fresh look at how we approach issues such as internal data center security—and it’s exactly what prompted us to deliver the VMware NSX Service-defined Firewall.
One of the foundations of VMware Security, the NSX Service-defined Firewall is a unique, distributed, scale-out internal firewall that protects all east-west traffic across all workloads without network changes. This radically simplifies the security deployment model. It includes a distributed firewall, advanced threat protection, and network traffic analytics. With the VMware NSX Service-defined Firewall, security teams can protect their organizations from cyberattacks that make it past the traditional network perimeter and attempt to move laterally.
What Sets the Service-defined Firewall Apart
- Distributed, granular enforcement: The NSX Service-defined Firewall provides distributed and granular enforcement of security policies to deliver protection down to the workload level, eliminating the need for network changes.
- Scalability and throughput: Because it’s distributed, the Service-defined Firewall is elastic, with the ability to auto scale as workloads spin up or down.
- Intra-application visibility: The Service-defined Firewall automatically determines communication patterns across all types of workloads, makes security policy recommendations based on those patterns, and checks that traffic flows conform to deployed policies.
- Declarative API: With the NSX Service-defined Firewall, security teams can move at the speed of development to deliver a true public cloud experience on premises.
- Advanced Threat Prevention: With the NSX Service-defined Firewall, security teams can easily deploy advanced threat prevention capabilities such as distributed IDS/IPS, network sandboxing, and network traffic analysis / network detection and response (NTA/NDR) to protect against known and zero-day threats.
With these capabilities, customers can deploy network segments rapidly to get the speed and flexibility they need to quickly create and reconfigure network segments or virtual security zones by defining them entirely in software. The NSX Service-defined Firewall also allows users to prevent the lateral movement of attacks by extending east-west security with stateful Layer 7 firewalling, including AppID- and UserID-based policies, as well as advanced threat protection. VMware’s solution enables customers to meet regulatory requirements via its inspection of all traffic, which provides complete coverage to eliminate blind spots with a distributed IDS/IPS delivered in software. Finally, customers can easily create, enforce, and automatically manage granular micro-segmentation policies between applications, services, and workloads across multi-cloud environments to achieve zero trust.
A Customer Success Story: U.S. Senate Federal Credit Union
A great example of an organization that leveraged VMware’s NSX Service-defined Firewall is the United States Senate Federal Credit Union (USSFCU). They turned to VMware for a unified solution that stretches from the perimeter to the data center and across both network and virtual desktop infrastructure (VDI) with granular policy controls to protect applications, services, and workloads. With VMware’s Service-defined Firewall, USSFCU fortified their environment with streamlined east-west monitoring, remediation, and blocking capabilities that deliver impressive visibility and granular control. USSFCU protects Horizon virtual desktops by using NSX to segment the digital workspaces and inspect their traffic flows for any threats trying to move laterally. Firewall policies are applied to VDI workloads to mitigate threats from otherwise vulnerable users and desktops.