VMware firewall takes aim at defending apps in data center, cloud

VMware has taken the wraps off a firewall it says protects enterprise applications and data inside data centers or clouds.

Unlike perimeter firewalls that filter traffic from an unlimited number of unknown hosts, VMware says its new Service-defined Firewall gains deep visibility into the hosts and services that generate network traffic by tapping into into its NSX network management software, vSphere hypervisors and AppDefense threat-detection system.

“VMware’s service defined firewall is significant because it leverages host and network context via AppDefense and NSX, respectively, to apply contextual, adaptive access control policies, hence the positioning of the offering as an internal versus external firewall” said Doug Cahill, Group Director and Senior Analyst with the Enterprise Strategy Group.

The product doesn’t require added software agents to do its job as many security packages do, VMware said. It also lets organizations more easily enforce security policies without forcing traffic to go through a security appliance for scanning, VMware stated.

The firewall works in bare metal, virtual-machine and container-based application environments, and will support hybrid cloud settings such as VMware Cloud on AWS and, down the road, AWS Outposts.

Using network-generated information to determine and verify the expected – or “known good” – behavior of applications, the firewall’s Application Verification Cloud builds an accurate map of the good or normal state of the application. Any transactions outside that behavior are then blocked.

Once a verified understanding of known good application behavior is established, the system can generate security policies for the Service-defined Firewall that are layer 7 capable and can perform full stateful inspection, wrote Alex Berger product marketing manager with the Networking & Security business unit at VMware in a blog about the announcement.

The idea is to consistently allow an application’s known good behavior across heterogenous workloads and private and public clouds, Burger stated. 

“In today’s modern data center, change is constant. A dynamic approach to segmentation allows customers to keep pace with change,” Cahill said.

  “Applications are more distributed, deployed across multiple private and public clouds, using many different types of infrastructure and accessed from many different devices,” said Rajiv Ramaswami, chief operating officer, products and services, VMware in a statement. “Security sprawl – too many products, agents, and interfaces deployed across an organization – creates complexity for security management.”

VMware’s strategy is to remove the complexity inherent with security today and deliver security that is intrinsic from endpoint to cloud, Ramaswami  stated.