Security Segmentation Assessment is a new feature in Security Services Platform (SSP) 5.0 that enhances Security Intelligence by delivering a comprehensive, data-driven view of the organization’s current security posture. It not only highlights segmentation gaps but also provides actionable recommendations to harden your environment against modern threats.
This capability is available with both VMware vDefend Firewall and VMware vDefend Advanced Threat Prevention license SKUs.
USE CASE
Traditional perimeter firewalls are no longer sufficient to defend against sophisticated threats, such as ransomware. Once inside the network, attackers often exploit open ports and insecure protocols to move laterally—unchecked by perimeter controls that lack visibility into East-West traffic, which now constitutes over 90% of datacenter communication.
Modern applications are distributed, dynamic, and multi-tiered—making them difficult to protect using legacy approaches. Security Segmentation Assessment accelerates the deployment of the vDefend Distributed Firewall (DFW) by identifying where segmentation is missing and where risks remain.
It delivers:
- A Segmentation Score based on observed flows and firewall configurations, offering a clear snapshot of how well your infrastructure and applications are protected.
- A Segmentation Report that surfaces high-risk workloads, communication chains, and potential blast radii.
- Tailored guidance for implementing DFW to close gaps, enforce least privilege, and move toward a zero-trust security model.
When used in conjunction with Security Intelligence recommendations and auto-publishing, organizations can fast-track their journey to effective micro-segmentation.
SOLUTION
Micro-segmentation is a phased journey—culminating in a security model where all unidentified traffic is dropped by default. Reaching this goal typically involves:
- Identifying and grouping workloads by application
- Defining inter-application isolation
- Mapping the required ports and protocols
Security Segmentation Assessment adapts to your current stage in this journey by offering two scoring modes:
- Strict Mode – For environments where segmentation is complete and all essential firewall rules are in place.
- Relaxed Mode – For environments still in transition, where applications and rules are being actively defined.
The Segmentation Score is determined by various factors:
- Distributed Firewall In Operation – Reflects the operational state of DFW and Malicious IP blocking in the environment under consideration.
- Infrastructure Protection – Quantifies the percentage of Infrastructure Traffic (DHCP, DNS, LDAP/Secure LDAP, NTP) that is protected by a non-default DFW rule. (A default rule is defined as a rule with Src=Any, Dst=Any, Service=Any and Action=Allow).
- Environment Protection – Quantifies the percentage of workloads in the environment that are covered by at least one rule configured under the Environment Category in DFW.
Zone segmentation rules are typically configured under this category. This part of the score checks that every workload is assigned to an appropriate zone and that zone protection rules are in place to isolate zones or allow communication between them.
- Application Protection – Quantifies the percentage of application workloads that are covered by at least one rule configured under the Application Category in DFW, and the percentage of Application Traffic that is protected by a non-default DFW rule. It also rewards dropping all unidentified traffic, both at the application level and at the datacenter level. How weight is distributed within the Application Protection section depends on the mode (Strict or Relaxed) selected when the score is computed.
- Workloads without Obsolete OS & Risky Protocols – Quantifies the percentage of workloads in the environment that are neither running Obsolete OS nor Risky Protocols.
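To make the scoring factors above concrete, here is an added example that is not the product's own scoring code: a small Python model that applies the page's definition of a default rule (Src=Any, Dst=Any, Service=Any, Action=Allow) to constructed flows and DFW rules and computes three of the factors as percentages. The workloads, groups, rules, flows, the risky-protocol and obsolete-OS sets, top-down first-match rule evaluation, and the notion that a rule "covers" a workload when one of the workload's groups appears as its source or destination are all assumptions made for this example; the real weighting and thresholds are not on the page.

```python
"""Toy model of three Segmentation Score factors over constructed DFW data."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Services the page lists as Infrastructure Traffic.
INFRA_SERVICES = {"DHCP", "DNS", "LDAP", "LDAPS", "NTP"}
# Constructed sample sets; the product's own lists are not on the page.
RISKY_PROTOCOLS = {"TELNET", "FTP", "SMBv1"}
OBSOLETE_OS = {"Windows Server 2008", "CentOS 6"}


@dataclass(frozen=True)
class Workload:
    name: str
    groups: frozenset   # DFW groups / zones the workload belongs to
    os: str
    listening: frozenset  # services the workload exposes


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # "ANY" or a group name
    dst: str      # "ANY" or a group name
    service: str  # "ANY" or a service name
    action: str   # "ALLOW" or "DROP"
    category: str  # INFRASTRUCTURE / ENVIRONMENT / APPLICATION / DEFAULT

    def is_default(self) -> bool:
        # The page's definition of a default rule.
        return (self.src, self.dst, self.service, self.action) == ("ANY", "ANY", "ANY", "ALLOW")


@dataclass(frozen=True)
class Flow:
    src: str      # workload name or external IP
    dst: str
    service: str


def _endpoint_in(selector: str, endpoint: str, inventory: Dict[str, Workload]) -> bool:
    """True if the selector is ANY or the endpoint is a workload in that group."""
    if selector == "ANY":
        return True
    wl = inventory.get(endpoint)
    return wl is not None and selector in wl.groups


def first_match(flow: Flow, rules: List[Rule], inventory: Dict[str, Workload]) -> Optional[Rule]:
    """Assumption: rules are evaluated top-down and the first match wins."""
    for r in rules:
        if (_endpoint_in(r.src, flow.src, inventory)
                and _endpoint_in(r.dst, flow.dst, inventory)
                and r.service in ("ANY", flow.service)):
            return r
    return None


def _pct(n: int, d: int) -> float:
    return round(100.0 * n / d, 1) if d else 0.0


def infrastructure_protection(flows, rules, inventory) -> float:
    """Share of infrastructure flows whose matching rule is not the default rule."""
    infra = [f for f in flows if f.service in INFRA_SERVICES]
    protected = [f for f in infra
                 if (m := first_match(f, rules, inventory)) is not None and not m.is_default()]
    return _pct(len(protected), len(infra))


def environment_protection(workloads, rules) -> float:
    """Share of workloads referenced by at least one Environment-category rule."""
    env_rules = [r for r in rules if r.category == "ENVIRONMENT"]
    covered = [w for w in workloads
               if any(r.src in w.groups or r.dst in w.groups for r in env_rules)]
    return _pct(len(covered), len(workloads))


def workloads_without_obsolete_os_or_risky_protocols(workloads) -> float:
    """Share of workloads neither on an obsolete OS nor exposing a risky protocol."""
    clean = [w for w in workloads
             if w.os not in OBSOLETE_OS and not (w.listening & RISKY_PROTOCOLS)]
    return _pct(len(clean), len(workloads))


# Constructed sample inventory, policy and observed flows.
WORKLOADS = [
    Workload("web1", frozenset({"app-web", "zone-prod"}), "Ubuntu 22.04", frozenset({"HTTPS"})),
    Workload("db1", frozenset({"app-db", "zone-prod"}), "Windows Server 2008", frozenset({"MSSQL"})),
    Workload("dns1", frozenset({"infra-dns"}), "Ubuntu 22.04", frozenset({"DNS"})),
    Workload("legacy1", frozenset({"zone-legacy"}), "Windows Server 2019", frozenset({"RDP"})),
]
INVENTORY = {w.name: w for w in WORKLOADS}
RULES = [
    Rule("allow-dns", "ANY", "infra-dns", "DNS", "ALLOW", "INFRASTRUCTURE"),
    Rule("prod-zone-internal", "zone-prod", "zone-prod", "ANY", "ALLOW", "ENVIRONMENT"),
    Rule("web-to-db", "app-web", "app-db", "MSSQL", "ALLOW", "APPLICATION"),
    Rule("default-allow", "ANY", "ANY", "ANY", "ALLOW", "DEFAULT"),  # the page's default rule
]
FLOWS = [
    Flow("web1", "dns1", "DNS"),           # hits allow-dns: protected infra flow
    Flow("db1", "203.0.113.10", "NTP"),    # falls through to default: unprotected
    Flow("legacy1", "dns1", "LDAP"),       # no LDAP rule: unprotected
    Flow("web1", "db1", "MSSQL"),          # application traffic, matched by the zone rule
]


def score_breakdown() -> Dict[str, float]:
    return {
        "infrastructure_protection": infrastructure_protection(FLOWS, RULES, INVENTORY),
        "environment_protection": environment_protection(WORKLOADS, RULES),
        "workloads_without_obsolete_os_or_risky_protocols":
            workloads_without_obsolete_os_or_risky_protocols(WORKLOADS),
    }


if __name__ == "__main__":
    for factor, value in score_breakdown().items():
        print(f"{factor}: {value}%")
```

Two of the three infrastructure flows end up on the default-allow rule, so the model reports 33.3% infrastructure protection; adding a non-default NTP and LDAP rule ahead of the default rule is exactly the kind of gap the report is meant to surface. The unclassified workloads (dns1, legacy1) drag environment protection down to 50%, and db1's obsolete OS leaves 75% of workloads clean.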
The Segmentation Report delivers:
- A detailed breakdown of the Segmentation Score, analyzing up to 30 days of flow data and firewall policies to assess protection levels across all workloads. Running the report over an interval of at least 7 days is recommended to derive accurate analysis and recommendations.
- Visibility into vulnerabilities caused by risky protocols, outdated operating systems, or exposure to public IP addresses.
- Actionable insights that complement existing Security Intelligence recommendations, allowing for rapid iteration and continuous posture improvement.
Summary
Security Segmentation Assessment empowers organizations to proactively strengthen their lateral security posture. By integrating seamlessly with vDefend Distributed Firewall and VMware Cloud Foundation, it provides the intelligence and automation needed to defend against ransomware and other advanced threats—while accelerating the path to a zero-trust architecture.