VMware, Inc., detailed the company’s strategy to help organizations turn the advantage from attackers to defenders with a new security approach that focuses on applications more than infrastructure, and shrinks the attack surface rather than chasing threats.
With a broadening portfolio of software-based solutions that span the cloud to the end user, VMware launched the new VMware Service-defined Firewall, an innovative approach to internal firewalling that reduces the attack surface for on-premises and cloud environments with security that is an intrinsic part of the infrastructure. Through the proven capabilities of VMware NSX and VMware AppDefense, the VMware Service-defined Firewall combines unprecedented application visibility and understanding of known good application behavior with intelligent, automated and adaptive firewalling capabilities to help better protect apps, data and users.
“Security, for the most part, is not working,” said Rajiv Ramaswami, chief operating officer, products and services, VMware. “Applications are more distributed, deployed across multiple private and public clouds, using many different types of infrastructure and accessed from many different devices. Security sprawl – too many products, agents, and interfaces deployed across an organization – creates complexity for security management. VMware’s strategy is to remove the complexity inherent with security today and deliver a security approach that is intrinsic from endpoint to cloud.”
As organizations race to implement digital transformation initiatives, they are faced with a complex environment that favors attackers. According to Ponemon Institute, “data breaches continue to be costlier and result in more consumer records being lost or stolen, year after year” and with the average total cost of a data breach in ASEAN being $2.53M(1). At the same time, Asia Pacific’s spending on security-related hardware, software, and services is forecast to reach $28.76 billion in 2022, an increase of more than 20 percent over the forecast period 2017-22, according to IDC(2).
VMware believes the industry needs to shift from a model centered on chasing bad to one focused on ensuring good, and to focus on applications rather than infrastructure. VMware’s approach simplifies security, making it intrinsic rather than bolted on, and aligns security to apps and data. This provides unprecedented visibility into applications that extend beyond the datacenter to deliver a more secure digital workspace, helping secure any device for any employee who accesses apps and data from anywhere.
“Intrinsic security takes advantage of the unique attributes that are built in to the virtualization platform, allowing businesses to create very new and unique security services,” said Tom Gillis, senior vice president and general manager, networking and security business unit, VMware. “The new VMware Service-defined Firewall is focused on internal network firewalling and changes the game by validating known good application behavior, rather than chasing threats.”
The VMware Service-defined Firewall solution takes a completely different approach to firewalling that focuses on assets that enterprises know well—applications they themselves have deployed—rather than scrutinizing the unknown. This solution works on bare metal, VM and container-based application environments, and will support hybrid cloud environments such as VMware Cloud on AWS and AWS Outposts in the future. Enterprises can use this solution as their sole firewall solution for their internal needs. The VMware Service-defined Firewall is unique in the following ways:
• Application Verification Cloud: Using machine intelligence from millions of VMs globally, the solution’s Application Verification Cloud builds an accurate map of the intended “known good” state of the application. Once a verified understanding of known good application behavior is established, the solution can generate adaptive security policies for the Service-defined Firewall solution that is layer 7 capable and can perform full stateful inspection.
• Protected from the Guest: The Service-defined Firewall solution leverages VMware’s intrinsic ability to inspect the guest OS and application without being resident in the guest. This means that even if an attacker gains root access, they cannot bypass the Service-defined Firewall solution. The Service-defined Firewall solution can also detect and block malicious traffic on the network. Beyond that, this system can introspect the guest itself and identify and stop any malicious behavior within the OS or application at run time. This unique capability is equivalent to a new approach to network firewalling and host IPS.
• Distributed in Software: the traditional approach to hardware firewalling requires “hairpinning” traffic out of the virtual environment and into a hardware appliance for scanning. This is inefficient and difficult to scale, particularly for modern applications that have many components or services that run across many servers and can often span different clouds. Based entirely in software, the VMware Service-defined Firewall is highly distributed which means it runs wherever the application runs, across clouds. This means policies can be consistently enforced without complex hairpinning of traffic across cloud environments.