VMware’s New Service Defined Firewall
Last week at the RSA Conference, Pat Gelsinger, VMware's CEO, announced the arrival of a new and exciting security solution that strengthens VMware's security presence: a new firewall offering named the Service-Defined Firewall. The new offering combines capabilities of the existing NSX platform and AppDefense. The goal is to identify what a normal, known-good state of an application looks like and then either alert on or block anything that falls outside that norm. This ties back to the least-privilege access model, which grants access only to the entities that need it and blocks or alerts on everything else.
The solution works with VMs, container-based environments and bare-metal deployments, and also supports hybrid cloud deployments such as VMware Cloud on AWS, so you can rest assured your applications will be covered across many different deployment models.
Behind the scenes, this is more than just a traditional layer 4 firewall: it can perform true layer 7 inspection. It can also learn and automatically generate firewall policy from an understanding of how an application is intended to behave, almost eliminating the need for a security engineer to continuously update policy by hand.
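To make the "learn a known-good baseline, then default-deny" model concrete, here is a small added illustration (example code written for this post, not VMware's code and not how NSX or AppDefense implement it). It assumes a constructed set of observed flows labelled with the workload and the owning process, collapses them into an allowlist, renders that allowlist as ordered rules ending in a default deny, and then evaluates new flows in either alert or block mode. The process attribute stands in for the kind of application-level context that goes beyond a plain layer 4 tuple.

```python
"""Added illustration of learned, least-privilege firewall policy.
Not VMware's code: the flow records, workload labels, process names and the
rule format are all constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_app: str   # label of the workload that opened the connection
    dst_app: str   # label of the workload that received it
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    process: str   # process that owns the socket on the source (app-level context)


# Constructed baseline: flows observed while the application behaved normally.
BASELINE = [
    Flow("web", "app", "tcp", 8080, "nginx"),
    Flow("web", "app", "tcp", 8080, "nginx"),
    Flow("app", "db", "tcp", 5432, "java"),
    Flow("app", "cache", "tcp", 6379, "java"),
    Flow("web", "app", "tcp", 8080, "nginx"),
]


def learn_allowlist(flows):
    """Collapse repeated observations into the set of known-good flows."""
    return frozenset(flows)


def generate_rules(allowlist):
    """Render the learned allowlist as ordered allow rules followed by a
    final default deny: only learned paths are permitted (least privilege)."""
    ordered = sorted(allowlist, key=lambda f: (f.src_app, f.dst_app, f.dport, f.process))
    rules = []
    for i, f in enumerate(ordered, 1):
        rules.append({"id": i, "action": "allow", "src": f.src_app, "dst": f.dst_app,
                      "proto": f.proto, "dport": f.dport, "process": f.process})
    rules.append({"id": len(rules) + 1, "action": "deny", "src": "any", "dst": "any",
                  "proto": "any", "dport": "any", "process": "any"})
    return rules


def evaluate(flow, allowlist, mode="alert"):
    """Classify a new flow against the baseline.
    mode="alert" reports deviations but lets them pass; mode="block" drops them.
    Returns (verdict, reason)."""
    if flow in allowlist:
        return ("allow", "matches learned baseline")
    verdict = "block" if mode == "block" else "alert"
    return (verdict, "not in learned baseline")


if __name__ == "__main__":
    allowlist = learn_allowlist(BASELINE)
    for rule in generate_rules(allowlist):
        print(rule)
    # Same layer 4 tuple as a baseline flow, but a different owning process:
    # a layer 4 firewall would allow this, the learned policy flags it.
    print(evaluate(Flow("app", "db", "tcp", 5432, "bash"), allowlist, mode="block"))
```

The interesting case is the last evaluation: the connection from `app` to `db` on port 5432 matches a learned path at layer 4, yet it is flagged because a different process opened it. That is the difference between a port-based rule and a policy derived from how the application is intended to behave.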
There are some really awesome features on offer here. One in particular is the ability to inspect the guest OS without being installed in the guest OS. The benefit is a smaller blast radius if an attacker gains root access to the OS: even with root, they would have no access to the Service-Defined Firewall and no ability to bypass it.
This solution also builds on "intrinsic security", which takes advantage of attributes built into the virtualization platform itself, and it is a solution we look forward to working on with our customers.
Here is a video from VMware demoing the new Service-Defined Firewall.
Keep an eye out for an in-depth technical review of the solution in the near future!