New internal firewall solution locks down known good behavior at both the network and host level to massively reduce the attack surface
SAN FRANCISCO / RSA CONFERENCE, March 05, 2019 (GLOBE NEWSWIRE) -- VMware, Inc. (NYSE: VMW) today launched the new VMware Service-defined Firewall, an approach to internal firewalling that reduces the attack surface of on-premises and cloud environments by making security an intrinsic part of the infrastructure. Built on the proven capabilities of VMware NSX and VMware AppDefense, the VMware Service-defined Firewall combines application visibility and an understanding of known good application behavior with intelligent, automated and adaptive firewalling to help better protect apps, data and users.
“Intrinsic security is different than integrated security,” said Tom Gillis, senior vice president and general manager, networking and security business unit, VMware. “Integrated security repackages existing solutions, such as taking a traditional firewall and making it a blade in a data center switch. It doesn’t fundamentally change the firewall. Intrinsic security takes advantage of the unique attributes that are built in to the virtualization platform, allowing us to create very new and unique security services. The new VMware Service-defined Firewall is focused on internal network firewalling and changes the game by validating known good application behavior, rather than chasing threats.”
The idea of focusing on the known good behavior of an application has been tried before, but the challenge has always been getting a complete understanding of the application. Some solutions install agents in the guest to accomplish this, but agent-based solutions add complexity and have limited appeal: the agent runs inside the trust boundary it is meant to protect, so an attacker who gets root, and with it complete control of the host, can disable, tamper with or simply bypass the agent. In addition, as applications have become more distributed, security needs to be distributed too. It is impractical to hairpin east-west traffic to a hardware device, or a virtual instantiation of one, for inspection.
The VMware Service-defined Firewall takes a different approach to firewalling: it focuses on the assets enterprises know well, the applications they themselves have deployed, rather than scrutinizing the unknown. It works on bare metal, VM and container-based application environments, and will in the future support hybrid cloud environments such as VMware Cloud on AWS and AWS Outposts. Enterprises can use it as their sole firewall for internal traffic. The VMware Service-defined Firewall is unique in the following ways:
“Protecting our applications and patient data is critical, and anything we do to improve security ultimately impacts patient safety. One of the biggest security challenges we face is staying ahead of threats due to the proliferation of applications and the rapid pace at which our applications are now changing,” said Christopher Frenz, Assistant Vice President of Information Security at Interfaith Medical Center. “We trust VMware to provide us with effective solutions for securing our applications and we are really pleased to see the approach VMware is taking in pushing the envelope on internal firewalling with the Service-defined Firewall.”
VMware Service-Defined Firewall Stands Up to Real-World Attack Scenarios
To validate the effectiveness of the VMware Service-defined Firewall, VMware teamed with Verodin, a leader in enabling organizations to measure, manage, and improve their cybersecurity effectiveness. VMware used Verodin’s Security Instrumentation Platform (SIP) to test whether the VMware Service-defined Firewall can identify and stop threats whether they are known or unknown. Run in both Detect and Prevent mode, the VMware Service-defined Firewall detected or prevented 100 percent of the malicious attacks used in the Verodin test sequence, a result scoped to the attacks that sequence contains.
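The approach the release describes, a firewall that learns an application's known good communications and then either alerts on or drops anything outside them, can be modelled as a small allowlist enforcer. The following is an added example written for this page; it is not VMware's code and not an NSX or AppDefense API. The workload names, tier tags, baseline and test flows are constructed, and the learn, detect and prevent modes are a hypothetical interface chosen to mirror the Detect and Prevent modes mentioned above.

```python
"""
Toy model of "known good" (allowlist) internal firewalling with learn,
detect and prevent modes. Added illustration for this page, not VMware's
code; workload names, tiers and flow records are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

Rule = Tuple[str, str, int, str]   # (src_tier, dst_tier, dst_port, proto)


@dataclass(frozen=True)
class Flow:
    src: str        # workload name
    dst: str        # workload name or "internet"
    port: int
    proto: str = "tcp"


class KnownGoodPolicy:
    """Allowlist keyed on application tiers rather than addresses, so a rule
    such as web -> app:8080 still applies when instances are added or
    re-addressed. The tier tagging is a hypothetical stand-in for the
    application context a platform would supply."""

    def __init__(self, tier_of: Dict[str, str]):
        self.tier_of = tier_of          # workload -> tier
        self.allowed: Set[Rule] = set()

    def rule_for(self, f: Flow) -> Rule:
        # Untagged endpoints are their own tier; "internet" stays literal.
        return (self.tier_of.get(f.src, f.src),
                self.tier_of.get(f.dst, f.dst), f.port, f.proto)

    def learn(self, baseline: Iterable[Flow]) -> None:
        """Learn mode: every observed flow becomes a rule. Caveat: a baseline
        captured from an already compromised workload bakes the attacker's
        traffic into the allowlist, so review learned rules before enforcing."""
        for f in baseline:
            self.allowed.add(self.rule_for(f))

    def evaluate(self, f: Flow, mode: str) -> str:
        if mode not in ("detect", "prevent"):
            raise ValueError(f"unknown mode {mode!r}")
        if self.rule_for(f) in self.allowed:
            return "allow"
        # No signature is consulted: a flow outside the baseline is handled
        # the same way whether or not the attack behind it has been seen before.
        return "alert" if mode == "detect" else "drop"

    def enforce(self, traffic: Iterable[Flow], mode: str) -> Dict[str, int]:
        """Return a count of verdicts over a batch of flows."""
        return dict(Counter(self.evaluate(f, mode) for f in traffic))


# Constructed three-tier application and its tier tags.
TIERS = {"web-1": "web", "web-2": "web", "app-1": "app", "db-1": "db"}

# Constructed baseline: the flows the application legitimately makes.
BASELINE = [
    Flow("web-1", "app-1", 8080), Flow("web-2", "app-1", 8080),
    Flow("app-1", "db-1", 5432),
]

# Constructed traffic after baselining: two normal flows plus two deviations
# (a web instance talking straight to the database, and the app tier
# opening an outbound connection to an unknown external host).
TRAFFIC = [
    Flow("web-2", "app-1", 8080),
    Flow("app-1", "db-1", 5432),
    Flow("web-1", "db-1", 5432),          # lateral movement
    Flow("app-1", "internet", 443),       # unexpected egress
]


def run(mode: str) -> Dict[str, int]:
    """Learn the baseline, then enforce TRAFFIC in the given mode."""
    policy = KnownGoodPolicy(TIERS)
    policy.learn(BASELINE)
    return policy.enforce(TRAFFIC, mode)


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        print(mode, run(mode))
```

Both deviations are caught without any signature for them, which is the point of enforcing known good behavior rather than chasing threats; the same policy also allows a newly added web instance to reach the app tier as soon as it carries the web tag. The practical caveat is in `learn`: the allowlist is only as trustworthy as the baseline it was learned from.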
“Defenders are tasked with securing business-critical applications they don’t operationally own or control. Rapid application development and the rising complexity of distributed and hybrid environments further increase the difficulty of securing these applications exponentially,” said Christopher Key, CEO at Verodin. “Verodin SIP provides organizations with the evidence required to prove that their controls are delivering the desired protection in real-world production environments. These tests performed using Verodin SIP demonstrate the VMware Service-Defined Firewall’s ability to reduce the attack surface with minimal effort. Common attacker tactics and techniques become increasingly difficult to execute when the infrastructure itself is enforcing known-good application behavior and communications.”
Read the full report here: https://go.verodin.com/vmware-service-defined-firewall/
VMware software powers the world’s complex digital infrastructure. The company’s cloud, networking and security, and digital workspace offerings provide a dynamic and efficient digital foundation to over 500,000 customers globally, aided by an ecosystem of 75,000 partners. Headquartered in Palo Alto, California, VMware is committed to being a force for good, from its breakthrough innovations to its global impact. For more information, please visit https://www.vmware.com/company.html.
VMware, NSX, AppDefense, Service-defined Firewall, and VMware Cloud are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and other jurisdictions. This article may contain hyperlinks to non-VMware websites that are created and maintained by third parties who are solely responsible for the content on such websites.
Roger T. Fortier
VMware Global Communications