VMware's internal Service-defined Firewall reimagines firewalling

VMware's internal firewall uses a global view of known-good behavior at the network and host level to minimize the attack surface for on-premises and cloud environments.

VMware is ready to bring its intrinsic security approach to firewalls. Rather than solely tackling the threat of the moment, the age-old technology will focus on reducing the attack surface. The goal is to harden the infrastructure so there are fewer places attackers can break in.

"It's time for security to come up to speed and be designed for today's data centers and applications," said Ambika Kapur, vice president of product marketing for VMware's network security business unit.

VMware's Service-defined Firewall

The Service-defined Firewall runs in the hypervisor where, if the infrastructure gets compromised in any way, it's very difficult for attackers to turn it off. To achieve this, the firewall combines its NSX network virtualization platform and host-inspecting AppDefense capabilities. It uses application visibility and an understanding of known-good application behavior with intelligent, automated and adaptive firewalling capabilities to lock down apps, data and users.

This approach ensures security is highly distributed, which is critical for modern data centers.

"The old constructs of taking a single appliance -- virtual or physical -- and putting it in one place to grab traffic and backhaul it to this appliance for scanning is expensive and isn't an elegant security solution," Kapur said.

A traditional perimeter firewall essentially functions to filter traffic from a near-infinite collection of unknown hosts. In doing so, it attempts to figure out what's good versus bad and keep the bad stuff out in a world where attackers skillfully disguise bad as good.

An internal firewall is smarter. Its job is to protect well-known assets from any attacks that get past the perimeter. The Service-defined Firewall inspects the network in a complete context -- in a Layer 7 stateful way.

VMware's Application Verification Cloud

Along with its internal firewall, VMware created the Application Verification Cloud. It takes all of the intelligence and visibility at the host and network level -- along with more than 3 million behavior maps created for known-good behavior at the host level -- and applies machine learning and human oversight to build an accurate map of known-good behavior.

"We have the intelligence and visibility, and the Service-defined Firewall brings those together and uses all of it to provide the defense," Kapur explained. "Machine learning and human oversight builds a level of accuracy that's unprecedented, and then that logic gets pushed down to enforcement."

You can still deploy NSX firewalling capabilities even if you don't use it in any other capacity. ... NSX and our firewalling capabilities aren't just limited to the VMware environment; they run in bare metal, public cloud environments or with containers.
Ambika KapurVice president of product marketing for VMware's network security business unit

When it comes to enforcement, many alternative firewalls provide a binary action -- either allowed or blocked. The Service-defined Firewall can block, allow or quarantine, depending on the kind of information coming down and what you deem appropriate.

VMware also addresses modern traffic patterns.

"Most people apply north-south perimeter logic to defend the inside of a data center," Kapur said. "That doesn't make a lot of sense, because traffic patterns have shifted. Many are flowing east-west now. If you know the assets and the applications you're running, a better approach is to come up with a good map of what's running and the allowed behaviors of the infrastructure, and then lock it down. By doing this, you reduce the surface area of attack to anything that doesn't fit allowed behavior -- it's simply not allowed."

For organizations that run NSX, turning on internal firewall capabilities is a breeze, Kapur said.

"But you can still deploy NSX firewalling capabilities even if you don't use it in any other capacity," she said. "It runs everywhere. NSX and our firewalling capabilities aren't just limited to the VMware environment; they run in bare metal, public cloud environments or with containers."

Advantages of VMware's firewalling method

VMware's firewalling approach offers two broad benefits for enterprise security, according to Mike Fratto, analyst at 451 Research.

"One is technical, and the other is operational," he said. "VMware is using AppDefense's capabilities to inspect what's occurring in virtual machines (VMs) from outside and to interact with them. Since there's no agent running in the VM, there's no agent to be killed by an attacker -- making it extremely difficult, if not impossible, to bypass."

"Host code should not leak out, so being installed in the hypervisor and having privileged access to the virtual machine, customers can be assured that AppDefense and the monitoring and control it implements can't be disabled by an attacker," Fratto explained. "With the visibility that AppDefense has to see not only how VMs communicate with each other, but also which processes in the VMs are running and communicating, it can determine what's normal application behavior versus abnormal and block network access to just that process. That's important, because it allows authorized activities to continue, but denies unauthorized activities."

The operational benefit is in "discovering and analyzing application behavior and then building an access policy that only allows necessary communications paths down to the process level," Fratto said. "Once IT has confidence the application behavior has been modeled, a policy is generated that could take hours or days for IT to build by hand. That policy can be scaled as the application layer tiers scale. AppDefense also logs connections and errors, so it's easy to see what was attempted during an attack."

Setting the initial policy is only one step in an application's lifecycle.

"As applications are updated, how they communicate can also change with a blocking policy, which could mean an application policy breaks the application," Fratto added. "The Application Verification Cloud learns what is normal across VMware's customer base and can be used to verify if new or updated software is legitimate."

Is VMware's Service-defined Firewall taking off? Yes -- more than 10,000 customers already use it. Test sequences run by Verodin Inc., a company that validates cybersecurity effectiveness, on its Security Implementation Platform found VMware's Service-defined Firewall was able to detect and prevent 100% of the malicious attacks thrown at it.

"Common attacker tactics and techniques are increasingly difficult to execute when the infrastructure itself is enforcing known-good application behavior and communications," noted Christopher Key, CEO of Verodin.

Dig Deeper on Network security