SAN FRANCISCO — VMware moved deeper into the security sector at the RSA Conference, unveiling an internal firewall it calls the Service-defined Firewall.
The product combines the capabilities of VMware’s NSX network virtualization platform, which provides network and application visibility, with those of its first security product, App Defense, which protects workloads by monitoring them against their intended state. On top of that it adds automated and adaptive firewall capabilities.
It works with bare metal, virtual machine (VM), and container-based application environments, and will support hybrid cloud environments such as VMware Cloud on AWS (Amazon Web Services) and AWS Outposts in the future.
It’s a “true firewall,” said Tom Gillis, senior vice president and general manager of VMware’s networking and security business unit. “It’s not port blocking. We have stateful, Layer 7 inspection of the network connection. We have the advanced inspection of the host itself. And it’s coupled with automatic generation of the firewall rules based on this knowledge and understanding of how the application behaves.”
Rather than chasing threats, the Service-defined Firewall validates the good behavior of an application, Gillis said. This isn’t a new idea, but earlier approaches relied on agents installed in the guest, and that brings its own problems: agents add operational complexity, and an attacker who gets root, which gives complete control of the host, can simply disable or bypass the agent.
How It Works
The Service-defined Firewall takes a different approach because VMware’s position in the hypervisor gives it a deep view of an application and all of its microservices, including how they change over time. Using machine intelligence drawn from millions of VMs globally, the product’s Application Verification Cloud builds a map of the application’s intended “known good” state. Once that verified understanding of known-good application behavior is established, the Service-defined Firewall can generate adaptive security policies from it.
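The mechanism described above, learn what the application normally does and then emit allow-list rules from that baseline, can be shown at the level of network flows. The following is an added illustration, not VMware code and not a description of how the Application Verification Cloud is implemented. It assumes a workload-to-tier inventory (hard-coded here), a constructed learning window of observed flows, and a minimum-observation threshold as one reasonable guard against baselining a single stray connection; the hypothetical names `learn_policy`, `evaluate` and `render` are mine.

```python
"""Illustrative allow-list policy learned from observed application flows.

Added example, not VMware code. It models the 'validate known-good
behaviour, then generate rules' idea at the level of flows between
workload tiers and enforces the result as default-deny.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # workload name
    dst: str      # workload name
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


# Constructed inventory: workload -> application tier (assumption: the
# platform supplies this grouping; here it is simply hard-coded).
INVENTORY = {
    "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app",
    "db-1": "db",
}

# Constructed learning-window flows (a handful of records, not real telemetry).
LEARNED_FLOWS = [
    Flow("web-1", "app-1", 8080, "tcp"), Flow("web-2", "app-2", 8080, "tcp"),
    Flow("web-1", "app-2", 8080, "tcp"),
    Flow("app-1", "db-1", 5432, "tcp"), Flow("app-2", "db-1", 5432, "tcp"),
    Flow("app-1", "db-1", 5432, "tcp"),
    Flow("web-1", "db-1", 5432, "tcp"),   # seen once; could be an attacker probe
]


def learn_policy(flows, inventory, min_count=2):
    """Collapse observed flows into tier-to-tier rules.

    A rule is (src_tier, dst_tier, dport, proto). Only rules seen at least
    `min_count` times in the learning window are kept, so one stray
    connection does not become permanent policy (assumption: a threshold is
    one reasonable guard; the learning window must still be clean, because
    any attacker traffic present while learning gets baked into the baseline).
    Flows involving workloads outside the inventory are ignored, not learned.
    """
    counts = Counter()
    for f in flows:
        if f.src not in inventory or f.dst not in inventory:
            continue
        counts[(inventory[f.src], inventory[f.dst], f.dport, f.proto)] += 1
    return {rule for rule, n in counts.items() if n >= min_count}


def evaluate(policy, flow, inventory):
    """Default-deny: allow only a flow that matches a learned tier rule."""
    if flow.src not in inventory or flow.dst not in inventory:
        return "deny"
    rule = (inventory[flow.src], inventory[flow.dst], flow.dport, flow.proto)
    return "allow" if rule in policy else "deny"


def render(policy):
    """Render the learned rules in a generic firewall-like syntax for review."""
    return [f"allow {p}/{port} from {s} to {d}"
            for (s, d, port, p) in sorted(policy)]


if __name__ == "__main__":
    policy = learn_policy(LEARNED_FLOWS, INVENTORY)
    for line in render(policy):
        print(line)
    # Lateral movement straight from the web tier to the database is denied,
    # even though one such flow appeared during learning.
    print(evaluate(policy, Flow("web-2", "db-1", 5432, "tcp"), INVENTORY))
```

The threshold is the point a practitioner should scrutinize: with `min_count=1` the single web-to-database flow would have been learned as legitimate, which is exactly the failure mode of baselining against a window that was not actually clean.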
It also uses VMware’s ability to inspect the guest operating system (OS) and application without being resident in the guest. Because the enforcement point sits in the hypervisor, outside the guest’s trust boundary, an attacker who gains root inside the guest cannot bypass the Service-defined Firewall; the guarantee rests on the hypervisor itself remaining uncompromised. Additionally, the product can detect and block malicious traffic on the network, and it can introspect the guest to identify and stop malicious behavior within the OS or application at runtime.
And because it is software based, the VMware Service-defined Firewall is highly distributed: it runs wherever the application runs, across clouds. This means policies can be enforced consistently across cloud environments without “hairpinning” traffic, that is, moving it out of the virtual environment and into a hardware appliance for scanning.
“We’re not replacing the perimeter firewall,” Gillis said. “Those play an important part of the solution. But everyone knows that you can’t rely entirely on a perimeter firewall because stuff still gets through. The combination of a traditional perimeter firewall, coupled with an internal firewall such as our Service-defined Firewall, makes for a stronger security solution.”
It also builds on the idea of “intrinsic security” that VMware CEO Pat Gelsinger discussed at last week’s MWC Barcelona event.
This is different from integrated security, which essentially repackages existing products, Gillis said. “Let’s take a firewall and make it a blade in a data center switch. You’re not fundamentally changing the firewall.”
Intrinsic security, on the other hand, takes advantage of the attributes that are built into the virtualization platform. “That allows us to do things that we think are quite unique in the industry,” Gillis said.