
VMware firewall strategy to focus on 'known good' behavior

VMware is taking a different approach to firewalls by focusing on 'known good' behavior to better police east-west traffic within enterprise environments.

SAN FRANCISCO -- VMware wants to reduce enterprises' attack surface, and the vendor is taking a different approach with firewalls to accomplish the goal.

The virtualization software maker introduced VMware Service-defined Firewall during the RSA Conference 2019 to reduce attack surfaces within enterprise environments. The VMware firewall service focuses on "known good" behavior of the applications and cloud services that communicate across a distributed network.

Part of VMware's new security strategy is to rethink how firewalls work. VMware CEO Pat Gelsinger said everyone knows and understands firewalls, which sit at the edge of networks and monitor an organization's incoming/outgoing, or "north and south," traffic. "But in today's multi-cloud, microservices world, there ain't no edge," Gelsinger said during his keynote address Thursday.

VMware also wanted to move away from the industry's hyperfocus on threats, which Gelsinger believes is actually a massive detriment to enterprise security.

"We're rushing rapidly into a domain of diminishing returns," Gelsinger said, "and by comparison we believe we need to fundamentally be reducing the attack surface instead of chasing after the latest threat."

Rather than try to block all unknown activity or potential threats, Gelsinger said, the VMware firewall identifies and permits approved behavior for applications and services that run across both cloud and on-premises environments.

"What are the core things that are supposed to be happening rather than the 50 million that aren't supposed to be happening?" Gelsinger asked RSA attendees. "And when we understand those good behaviors, [we can] enforce known good and do it at the networking level -- how they're communicating with each other -- and at the application level."

At an RSA Conference media event, Tom Gillis, senior vice president and general manager of VMware's networking and security business unit, and Tom Corn, senior vice president and general manager of VMware security products, also shared their views on how the Service-defined Firewall can reduce the attack surface for enterprises.

Gillis likened conventional firewalls to Transportation Security Administration agents on Thanksgiving, the busiest travel day of the year, flooded with thousands of unknown passengers and looking for any and all signs of suspicious behavior. The VMware firewall, he said, doesn't try to identify and block unknown threats but instead only allows the known good of approved applications and services.

Monitoring east-west traffic within an enterprise network is crucial because it can help reduce threat actors' ability to move laterally, Gillis said. He used the example of the Equifax breach; after the initial intrusion, the threat actors were able to obtain credentials and move freely throughout the network for weeks. The VMware Service-defined Firewall, he said, would have been able to block the unauthorized east-west traffic within the Equifax network.

A product like the Service-defined Firewall can't work without understanding how applications and microservices work at a granular level, according to Corn. And because of VMware's wide installed base, the company has visibility into millions of workloads, Corn said, which gives VMware the ability to identify the known good behaviors.
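The mechanism Gelsinger, Gillis and Corn describe above (learn what an application is supposed to do, express that as allow rules, and default-deny every other east-west flow so lateral movement has nowhere to go) can be sketched in a few dozen lines. The following is an added illustration written for this article, not VMware's code and not the Service-defined Firewall's policy language; the workload inventory, the tier tags, the baseline flows and the candidate flows are all constructed, and a real product would draw its application context from the hypervisor or orchestrator rather than a hard-coded dictionary.

```python
"""Default-deny, tag-based east-west allow-list model (illustrative, not VMware's code)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed inventory: workload IP -> application tier tag (assumed, not real).
WORKLOADS = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.10": "app",
    "10.0.3.10": "db",
    "10.0.9.5": "jumphost",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """An allow rule expressed on tier tags rather than on addresses,
    so it survives workloads being rescheduled to new IPs."""
    src_tier: str
    dst_tier: str
    dport: int
    proto: str = "tcp"


def tier_of(ip: str) -> str:
    return WORKLOADS.get(ip, "unknown")


def learn_allow_rules(baseline: list[Flow]) -> frozenset[Rule]:
    """Derive tag-level allow rules from flows observed between known workloads.
    Flows touching an unknown endpoint are not learned: they cannot be tied
    to an application, so they never become 'known good'."""
    rules: set[Rule] = set()
    for f in baseline:
        s, d = tier_of(f.src), tier_of(f.dst)
        if "unknown" in (s, d):
            continue
        rules.add(Rule(s, d, f.dport, f.proto))
    return frozenset(rules)


def evaluate(flow: Flow, rules: frozenset[Rule]) -> str:
    """Default deny: a flow passes only if a learned rule matches its
    (source tier, destination tier, port, protocol) tuple exactly."""
    candidate = Rule(tier_of(flow.src), tier_of(flow.dst), flow.dport, flow.proto)
    return "ALLOW" if candidate in rules else "DENY"


def decisions(flows: list[Flow], rules: frozenset[Rule]) -> list[tuple[Flow, str]]:
    return [(f, evaluate(f, rules)) for f in flows]


# Constructed baseline: what the application was seen doing in a clean window.
BASELINE = [
    Flow("10.0.1.10", "10.0.2.10", 8443),   # web -> app API
    Flow("10.0.1.11", "10.0.2.10", 8443),
    Flow("10.0.2.10", "10.0.3.10", 5432),   # app -> db Postgres
    Flow("10.0.9.5", "10.0.3.10", 22),      # admin SSH from the jump host only
]
RULES = learn_allow_rules(BASELINE)

# Constructed candidates, including lateral-movement attempts the baseline never contained.
CANDIDATES = [
    Flow("10.0.1.11", "10.0.2.10", 8443),         # web -> app, learned
    Flow("10.0.1.10", "10.0.3.10", 5432),         # web -> db, skips the app tier
    Flow("10.0.1.10", "10.0.1.11", 445),          # web -> web SMB
    Flow("10.0.2.10", "10.0.3.10", 22),           # app -> db SSH, only the jump host was seen doing this
    Flow("10.0.2.10", "10.0.3.10", 5432, "udp"),  # right port, wrong protocol
]

if __name__ == "__main__":
    for f, verdict in decisions(CANDIDATES, RULES):
        print(f"{verdict:5} {tier_of(f.src)}->{tier_of(f.dst)} "
              f"{f.proto}/{f.dport} ({f.src} -> {f.dst})")
```

Two caveats a practitioner would add. First, the learned rule set is only as clean as the window it was learned from: if an intruder is already moving laterally during the baseline, that traffic is recorded as "known good" too, so a baseline needs review before it is enforced. Second, matching on tier, port and protocol is a coarse stand-in for the application-level context the article describes; it blocks the web-to-database hop shown here, but it would not distinguish a legitimate app-to-db query from credential abuse over the same allowed port.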


The VMware Service-defined Firewall isn't intended to replace traditional network firewalls, Gillis said, but those products aren't suited to police the east-west traffic within large enterprise environments.

"We're not predicting the death of the firewall. Firewalls are good," he said. "We just think people need the right solution for the right task."

Conversely, VMware competitor Microsoft said during its own RSA session that firewall technology is outmoded, and it touts zero-trust security as the path forward. Other software vendors also hold the view that firewalls aren't appropriate for today's dispersed, device-driven computing practices. VMware said in a blog post this week that adopting a zero-trust network security model in an enterprise environment remains incredibly hard to achieve, and it positions the Service-defined Firewall as the alternative.

The success of VMware's reimagined firewall will likely depend on how well the company can identify known good behaviors, according to Eric Hanselman, chief analyst at 451 Research.

"VMware's approach leverages expanded context to put more power behind a 'known good allow' approach," he said. "Allow lists aren't new, but the challenge has historically been that there were limits to the depth of information available to characterize the known good. The greater perspectives that are available to them make this approach a lot more powerful and scalable."
