Recap of the Service-defined Firewall Launch

About a month ago, VMware launched the Service-defined Firewall to address the traditional perimeter firewall’s susceptibility to lateral movement. Because traditional perimeter firewalls are designed to safeguard the network against malicious north-south traffic, once the perimeter is breached they are poorly placed to detect and contain attacks that spread swiftly across east-west communication paths. In fact, 59% of attacks involve attempted lateral movement[1] and 67% of organizations lack full confidence that they can avoid a data breach[2], which suggests that merely piling on perimeter protection is no longer sufficient.


Attacks moving laterally across the network

Once an attack breaches the perimeter, it is capable of moving laterally unchecked across the environment.


The Service-defined Firewall shifts the advantage from attackers to defenders by reducing the attack surface of applications inside the network perimeter. Instead of “chasing threats” with a reactive approach to firewalling, it focuses on understanding and enforcing “known good” application behavior. By understanding an application’s topology down to the processes that originate network traffic, the Service-defined Firewall can control application behavior in a way that goes beyond L7 packet inspection and AppID alone: the same connection can be legitimate from one process and a violation from another. This level of control makes strategies like micro-segmentation and process whitelisting operational, strengthening the security posture inside the perimeter when combined with more traditional firewall strategies such as identity-based firewalling and application control.

Furthermore, the Service-defined Firewall employs the App Verification Cloud, which combines AI and human intelligence to establish a verified model of “known good” application behavior. These models give customers guidelines for enforcement and, more importantly, allow security policies to adapt to rapid changes in application services. Because the Service-defined Firewall is delivered by VMware NSX and enhanced with VMware AppDefense, both of which are embedded in the vSphere hypervisor, it is an intrinsic component of the application infrastructure. This places a layer of isolation between the controls and the attack surface they protect: even if a workload is compromised, the enforcement point sits outside the guest and cannot simply be turned off from inside it. Lastly, the firewall uses a distributed architecture, delivering consistent protection across on-premises, hybrid, and multi-cloud environments, and across heterogeneous workloads including VMs, containers, and bare-metal servers.
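The “known good” approach is easier to see on a concrete allow list. The following Python sketch is an added illustration for this post, not VMware’s code and not the NSX or AppDefense API; the workload names, process names, sample flows, policy format and the Detect/Prevent handling are all constructed for the example. It shows the point of process-level context: a conventional rule keyed on source, destination and port lets a shell on the app tier reach the database because the Java service is allowed to, while a model keyed on the originating process flags it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One east-west connection attempt with host context attached.

    `process` is the detail a network-only firewall does not have: the same
    source/destination/port can be legitimate from one binary and an attack
    from another.
    """
    src: str        # source workload name (constructed)
    process: str    # process on the source that opened the connection
    dst: str        # destination workload name (constructed)
    port: int
    proto: str = "tcp"


class Mode(Enum):
    DETECT = "detect"    # report violations, let traffic through
    PREVENT = "prevent"  # report and drop violations


class KnownGoodPolicy:
    """Allow list of intended behaviour; anything not learned is a violation."""

    def __init__(self) -> None:
        self._allowed: Set[Tuple[str, str, str, int, str]] = set()

    @staticmethod
    def _key(f: Flow) -> Tuple[str, str, str, int, str]:
        return (f.src, f.process, f.dst, f.port, f.proto)

    def learn(self, baseline: Iterable[Flow]) -> None:
        """Build the model from verified baseline flows (a stand-in for a curated known-good model)."""
        for f in baseline:
            self._allowed.add(self._key(f))

    def allows(self, f: Flow) -> bool:
        return self._key(f) in self._allowed

    def port_only_allows(self, f: Flow) -> bool:
        """What an L3/L4 rule derived from the same baseline would decide (ignores the process)."""
        return any(k[0] == f.src and k[2] == f.dst and k[3] == f.port and k[4] == f.proto
                   for k in self._allowed)


def enforce(policy: KnownGoodPolicy, flows: Iterable[Flow], mode: Mode):
    """Evaluate flows against the policy; returns (forwarded, violations)."""
    forwarded: List[Flow] = []
    violations: List[Flow] = []
    for f in flows:
        if policy.allows(f):
            forwarded.append(f)
            continue
        violations.append(f)
        if mode is Mode.DETECT:
            forwarded.append(f)  # visibility only; traffic still passes
    return forwarded, violations


# Constructed sample data for the example, not real telemetry.
BASELINE = [
    Flow("web-01", "nginx", "app-01", 8443),
    Flow("app-01", "java", "db-01", 5432),
]

LIVE = [
    Flow("web-01", "nginx", "app-01", 8443),  # intended tier-to-tier call
    Flow("app-01", "java", "db-01", 5432),    # intended DB access
    Flow("app-01", "sh", "db-01", 5432),      # same tuple, wrong process: lateral movement attempt
    Flow("web-01", "nginx", "db-01", 5432),   # web tier reaching past the app tier
]


def build_policy() -> KnownGoodPolicy:
    p = KnownGoodPolicy()
    p.learn(BASELINE)
    return p


def run(mode: Mode):
    return enforce(build_policy(), LIVE, mode)


if __name__ == "__main__":
    policy = build_policy()
    for f in LIVE:
        print(f"{f.src}/{f.process} -> {f.dst}:{f.port}  "
              f"port-rule={policy.port_only_allows(f)}  known-good={policy.allows(f)}")
    fwd, viol = run(Mode.PREVENT)
    print(f"prevent mode: forwarded {len(fwd)}, dropped {len(viol)}")
```

Detect mode forwards all four flows and reports two violations; Prevent mode forwards only the two baseline flows. The third flow is the one worth noticing: a port-based rule passes it, the process-aware model does not.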


The Service-defined Firewall offers protection at a granular level by locking down on the intended behavior of the workloads.


First Impressions

Feedback from analysts and thought leaders in the industry has been consistently supportive. According to Doug Cahill, Group Director and Senior Analyst with the Enterprise Strategy Group, the Service-defined Firewall is

“significant because it leverages host and network context via AppDefense and NSX, respectively, to apply contextual, adaptive access control policies, hence the positioning of the offering as an internal versus external firewall.”[3]

Eric Hanselman, chief analyst at 451 Research, voiced similar sentiments, stating,

“VMware’s approach leverages expanded context to put more power behind a ‘known good allow’ approach. Allow lists aren’t new, but the challenge has historically been that there were limits to the depth of information available to characterize the known good. The greater perspectives that are available to them make this approach a lot more powerful and scalable.”[4]

Taking a more hands-on approach, Chris Key, CEO of Verodin, used the company’s Security Instrumentation Platform (SIP) to validate the effectiveness of the Service-defined Firewall in identifying and stopping threats. After exercising it in both Detect and Prevent modes, the new firewalling solution detected or prevented 100% of the malicious attacks used in the test sequence. Key further elaborated,

“These tests, performed using Verodin SIP, demonstrate the VMware Service-defined Firewall’s ability to reduce the attack surface with minimal effort. Common attacker tactics and techniques become increasingly difficult to execute when the infrastructure itself is enforcing known-good application behavior and communications.”[5]

Closing Thoughts

As applications develop rapidly, they will continue to disperse throughout complex, distributed environments. Ensuring that these applications are adequately protected at the workload level will become exponentially more difficult, and without a solution that provides transparent visibility into the infrastructure, the goal will remain elusive. Gone are the days of relying solely on the perimeter protection that traditional firewalls provide. Yes, these are still necessary and should serve as the foundation of an effective overall security posture, but it is evident that we must also pay attention to the inside of the network perimeter. On average, 230,000 new malware samples are produced every day, and 84% of organizations claim that traditional security solutions do not work.[6] Chasing threats will always be an uphill battle, and it is imperative that we place just as much importance on mitigating lateral movement and reducing the attack surface.

To learn more about the key differentiators behind VMware Service-defined Firewall through live demos, solution overviews, and white papers, visit



[1] Source: “Quarterly Incident Response Threat Report,” July 2018, Carbon Black

[2] Source: “Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture,” February 2019, Balbix, Inc.

[3] Source:

[4] Source:

[5] Source:

[6] Source: