SD-WAN Technical

Secure the Perimeter with the VMware SD-WAN Enhanced Firewall Service

8/22/2023: VMware SASE Orchestrator is now VMware Edge Cloud Orchestrator™, and VMware SD-WAN Client is now VMware SD-Access™. The renaming was announced in the press release from VMware Explore Las Vegas 2023.

VMware continues to integrate advanced security into VMware SASE™ with Enhanced Firewall Service, based on VMware’s proven NSX security technology. The Enhanced Firewall Service is integrated into VMware SD-WAN Edges, allowing customers to leverage the power of NSX security with existing physical and virtual VMware SD-WAN™ appliances. Enterprises benefit from simplified management, streamlined operations, and VMware’s advanced threat intelligence capabilities.

As a part of VMware SASE, firewall management will be integrated into the VMware SASE Orchestrator. VMware SASE components are managed in an integrated way, no matter the service. This approach simplifies operations and avoids the need for separate security management.

The Enhanced Firewall Service improves performance and eliminates the need for legacy firewalls at branch locations—while still providing comprehensive security solutions. This feature is yet another reason why customers can confidently choose VMware’s single-vendor, cloud-native, cloud-delivered SASE offering.

Features of the VMware SD-WAN Enhanced Firewall Service

Organizations must modernize their network infrastructures to be more agile and competitive in this rapidly evolving era of distributed applications and workforces. As working from anywhere moves from a trend born of necessity to an accepted way to do business, IT teams are dealing with growing complexity and a growing number of network threats.

The session- and application-aware stateful firewall integrates new threat protection components and features that simplify management. Support for intrusion detection systems (IDS) and intrusion prevention systems (IPS), as well as hosted firewall logging as-a-service, is available through a VMware SD-WAN add-on subscription license.

Advanced branch protection with IPS/IDS

Enhanced Firewall Service integrated with VMware SD-WAN Edge is based on industry-proven VMware NSX security technology. It filters traffic between VLANs, between branches, and between a branch and a data center (on-premises or cloud data center). It prevents unauthorized access to branch office networks, detects threats, and prevents potential data exfiltration. As a result, it significantly strengthens SD-WAN branch security.

The IDS/IPS function of the Enhanced Firewall Service improves overall branch network security. The IDS monitors network traffic, analyzes it for malicious or suspicious activity, and raises alerts on what it finds; the IPS sits inline and additionally drops the matching traffic so the attack does not complete. Together they detect and stop potentially harmful traffic before it enters or leaves the branch network. Overall, the IDS/IPS function built into the Edge helps protect enterprise branch networks from cyber threats.

VMware SASE is committed to providing industry-leading solutions and embracing product compliance and certifications. VMware SD-WAN Edge Firewall is certified by ICSA Labs and the Edges are FIPS 140-2 compliant.

Hosted firewall logging

Firewall logging as-a-service provides a secure and scalable solution designed for organizations of all sizes. It centralizes all firewall logs in a single cloud location, making it easy to track and analyze security events across multiple sites and applications. The service will aggregate logs across VMware SASE services. This cloud-based firewall logging provides real-time visibility into network traffic and security events, allowing administrators to detect and respond to threats more quickly. The hosted firewall logging service can also provide the audit trails required for regulatory compliance such as PCI DSS, HIPAA, and GDPR.

L4-L7 application-aware stateful inspection

The firewall's L4-L7 stateful inspection function is built into the Edge's data plane. It inspects incoming and outgoing packets and is session-aware. By maintaining a stateful connection table, the firewall allows only connections permitted by policy and the return traffic belonging to those connections, while blocking unsolicited traffic from external sources. The stateful firewall is also application-aware: it classifies flows by application rather than by port and protocol alone, so it can identify and block traffic from malicious or unwanted applications.

Distributed denial-of-service attack prevention

Denial of service is one of the most common attacks that enterprises experience daily. Various measures are incorporated to protect all VMware SD-WAN components. The firewall's built-in network and flood protection function on the Edge can detect and drop new connection attempts that exceed the configured rate ("flooding"). It can also automatically block TCP-based, ICMP-based, and other known attacks.
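The following is an added illustration of the two mechanisms described in the stateful inspection and flood protection passages above. It is not VMware code and does not reflect how the Edge data plane is implemented; it is a self-contained model of a connection table that admits policy-permitted new connections and their return traffic, combined with a per-source limit on the rate of new connections. The packet layout, the branch LAN prefix `10.0.0.`, the verdict names, the thresholds, and the sample packets are all constructed for the example.

```python
"""Toy stateful firewall with new-connection flood protection (added example).

Models two behaviours from the text: (1) a stateful connection table, so only
policy-permitted outbound flows and their return traffic pass, and (2) a
per-source rate limit on new connections, dropping anything above the
configured rate. Packet format, prefixes and thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str       # "tcp" or "udp"
    flags: str = ""  # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    ts: float = 0.0  # arrival time in seconds


INSIDE_PREFIX = "10.0.0."  # assumed branch LAN; anything else is "outside"


class StatefulFirewall:
    def __init__(self, allowed_dports, max_new_per_window=50, window=1.0):
        self.allowed_dports = set(allowed_dports)  # outbound services policy permits
        self.table = set()                         # established 5-tuples
        self.max_new = max_new_per_window          # configured new-connection rate
        self.window = window                       # seconds over which the rate applies
        self.new_conn_times = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.log = []                              # (packet, verdict) for audit/logging

    @staticmethod
    def _is_inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    def _flooding(self, pkt):
        """Sliding-window count of new connections per source address.

        Every new-connection attempt is counted, including ones policy will
        reject, so an unsolicited inbound SYN flood trips the limit too."""
        q = self.new_conn_times[pkt.src]
        while q and pkt.ts - q[0] > self.window:
            q.popleft()
        q.append(pkt.ts)
        return len(q) > self.max_new

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.table or rev in self.table:
            # Packet belongs to a flow already in the table (either direction).
            verdict = "ALLOW-ESTABLISHED"
        elif pkt.proto == "tcp" and pkt.flags != "S":
            # TCP without state must be a SYN; a bare ACK/SYN-ACK is a scan or spoof.
            verdict = "DROP-NO-STATE"
        elif self._flooding(pkt):
            verdict = "DROP-FLOOD"
        elif self._is_inside(pkt.src) and pkt.dport in self.allowed_dports:
            # Policy-permitted outbound connection: record it so replies can return.
            self.table.add(fwd)
            verdict = "ALLOW-NEW"
        else:
            # Unsolicited inbound, or outbound to a service policy does not permit.
            verdict = "DROP-POLICY"
        self.log.append((pkt, verdict))
        return verdict


def run_demo():
    """Constructed packet sequence exercising each verdict; returns the verdicts."""
    fw = StatefulFirewall(allowed_dports={443, 53}, max_new_per_window=3)
    out = []
    # Outbound HTTPS from a branch host, then the server's SYN-ACK coming back.
    out.append(fw.process(Packet("10.0.0.5", "203.0.113.10", 40000, 443, "tcp", "S", 0.00)))
    out.append(fw.process(Packet("203.0.113.10", "10.0.0.5", 443, 40000, "tcp", "SA", 0.01)))
    # Unsolicited inbound SYN to SSH on a branch host: no state, not permitted.
    out.append(fw.process(Packet("198.51.100.7", "10.0.0.5", 5555, 22, "tcp", "S", 0.02)))
    # Inbound ACK with no matching connection (classic ACK scan).
    out.append(fw.process(Packet("198.51.100.7", "10.0.0.5", 5556, 80, "tcp", "A", 0.03)))
    # Burst of new connections from one host: three fit the window, the fourth does not.
    for i in range(4):
        out.append(fw.process(Packet("10.0.0.9", "203.0.113.10", 50000 + i, 443, "tcp", "S", 0.1 + i * 0.01)))
    return out


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The ordering of the checks is the point worth noticing: established-flow lookup comes first so legitimate return traffic is never rate-limited, the flood check runs before policy so a source that hammers the firewall with unsolicited SYNs is throttled whether or not any rule would have allowed it, and policy is consulted only for genuinely new connections. A real Edge also ages entries out of the table and tracks TCP state transitions; this model omits both to keep the mechanism visible.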

Traffic segmentation

VMware SD-WAN allows users to carve up the network using segments or VRFs. Users can not only separate the various types of traffic (corporate, voice, guest, PCI, etc.) but also apply different firewall policies unique to each segment. For example, you can isolate guest traffic on a dedicated segment and disable the corporate VPN capabilities, thereby reducing the risk of lateral movement of threats in the network.

Templatized firewall policy

The VMware SD-WAN Edge firewall provides out-of-the-box templates for easy policy creation and management. This template-based firewall policy allows administrators to quickly create security rules based on different criteria and easily apply them to multiple Edges at different sites, bringing consistency across the entire corporate network and gaining granular control.

Unified management and security monitoring

All VMware SASE components are centrally managed from the SASE Orchestrator. From a security standpoint, centralized monitoring and management enable administrators to quickly make decisions and respond to potential security events across the organization, reducing the risk of data breaches and other security incidents.

Enhanced Firewall Service improves overall branch network security by detecting unauthorized access to corporate network assets, mitigating threats, and defending against cyber attacks. Today’s distributed enterprises will benefit from user traffic protection, consolidated hardware, simple and unified management, reduced operational overhead, and overall cost savings. Enhanced Firewall Service built into VMware SD-WAN is crucial to enterprises’ digital transformation initiatives.
