VMware today announced what it is positioning as the first service-defined firewall at the RSA Conference 2019.
Tom Gillis, senior vice president and general manager for the networking and security business unit at VMware, said rather approaching cybersecurity in terms of just physical and virtual machines or even applications, organizations increasingly will need to think in terms of securing services that span multiple data centers.
A service-defined firewall builds on the microsegmentation and machine learning analytics that VMware already provides via its VMware NSX network virtualization overlay and VMware AppDefense offerings to establish a known good profile of any application, said Gillis. The VMware Service-Defined Firewall leverages those capabilities to make it possible to deploy a firewall wherever any application needs to run, including applications based on microservices that need to have the same security policies applied consistently across a distributed computing environment, he said.
That approach doesn’t eliminate the need for traditional network firewalls to block network ports, he noted. However, it does provide a programmatic approach to DevSecOps based on the microsegmentation inherently provided by a network virtualization overlay, which eliminates much of the need to artificially move traffic around a network based on the location of the firewall.
To validate this service-centric approach to cybersecurity, VMware enlisted the aid of Verodin to conduct tests, which showed that a VMware Service-Defined Firewall can effectively identify and stop threats both known and unknown. While testing the VMware Service-Defined Firewall in both Detect and Prevent mode, the test showed 100 percent of the malicious attacks used in the Verodin test sequence were either detected or prevented.
VMware has been making a case of a new Layer-7-based approach to cybersecurity based on the known good attributes of applications for several years now. The challenge many organizations face when considering that approach is that while VMware hypervisors are widely deployed, the number of organizations running both NSX and AppDefense is relatively small. VMware is arguing that being able to provide a much more secure IT environment will help justify the cost of acquiring NSX and AppDefense.
The more the management of cybersecurity converges across networking, application and cybersecurity functions, the easier it becomes for VMware to make its case. But in many organizations, the decisions made regarding the various levels of security in the application stack remain fragmented. Cybersecurity professionals, for example, are familiar with firewalls, but not so much network virtualization. Not many cybersecurity professionals think in terms of securing services, either.
Regardless of the approach taken, however, it’s clear that increased convergence thanks to the rise of best DevSecOps processes is inevitable. VMware is clearly hoping that, as it makes its case for adopting network virtualization, it will be only a matter of time before everyone across the IT environment starts to appreciate the merits of allowing only applications that are known to be good to run rather than constantly spending time hunting for malware that shouldn’t be allowed to execute in the first place.