News

VMware's Service-Defined Firewall Aims to 'Massively Reduce the Attack Surface'

• By Wendy A. Hernandez
• 03/12/2019

Last week at the RSA Conference in San Francisco, VMware Inc. announced it was launching a new VMware Service-Defined Firewall, a first of its kind in the industry, according to the company.

This "internal firewalling" approach aims to reduce the attack surface for both cloud and on-premises environments by combining the capabilities of VMware's NSX platform and its AppDefense security product.

"Intrinsic security is different than integrated security," said Tom Gillis, VMware's senior vice president and general manager, networking and security business unit, in a prepared statement. "Integrated security repackages existing solutions, such as taking a traditional firewall and making it a blade in a data center switch. It doesn't fundamentally change the firewall. Intrinsic security takes advantage of the unique attributes that are built in to the virtualization platform, allowing us to create very new and unique security services. The new VMware Service-defined Firewall is focused on internal network firewalling and changes the game by validating known good application behavior, rather than chasing threats."

According to the announcement, VMware Service-Defined Firewall uses an Application Verification Cloud to "build an accurate map of the intended 'known good' state of the application," which allows the solution to then perform full stateful inspection using the layer 7-capable adaptive security policies.

Additional unique capabilities, as described by the company, include: Protection from the guest OS, where the "Service-Defined Firewall solution leverages VMware's intrinsic ability to inspect the guest OS and application without being resident in the guest." So if an attacker gains root access, the Service-Defined Firewall solution cannot be bypassed. And with the Service-Defined Firewall being run anywhere an application is running, the solution is highly distributed, so "policies can be consistently enforced without complex hairpinning of traffic across cloud environments."

For more details about the VMware Service-Defined Firewall, go here.