Introduction

VMware did a lot of work paving the way to the industry-first Service-Defined Firewall. Previously, they developed AppDefense, vRealize Network Insight, and NSX-T/NSX-V solutions, and the company decided to go beyond. With all these solutions as a groundwork, VMware introduced the first ever Service-defined Firewall in March 2019. In this article, I’m going to take a closer look at this solution.

VMware's road to the service-defined firewall

How everything started

Back in 2013, VMware released VMware NSX-T – the network virtualization solution for aggregating virtual networks in the complex hybrid hypervisor and container environments. I won’t discuss it here since I believe most of you is already familiar with this product.

Later, VMware presented vRealize Network Insight (vRNI, formely Arkin) – a solution that augments a VMware NSX installation. It provides single pane of glass for the VMware NSX environment and implements microsegmentation for application on a network level, also it includes tools for monitoring application traffic flows and troubleshooting, as well as other features for reporting and insight into the SDN traffic flows.

It is designed for building highly available and secure network infrastructures spanned across multiple clouds.

Of course, most of you already know of AppDefense (announced at VMworld 2017). This solution introduces a new model for application protection into virtualized and cloud environments. AppDefense examines the normal behavior of an operating system and applications, track their current state and notify a system administrator and automatically take action if something weird is going on.

Let’s look under the hood

Service-Defined Firewall implements microsegmentation for protecting virtual environments (c.f. service insertion and guest introspection). This mechanism involves monitoring applications’ network activity on the hypervisor level (i.e., data is taken from NSX or directly from ESXi servers). In this way, with microsegmentation in place, it is impossible to manipulate intrusion detection tools from inside of the guest OS.

Vmware-nsx-micro-segmentation

The most interesting thing about VMware Service-Defined Firewall is its ability to create application- and microservice-level policies. And, it is a great alternative to setting up policies on OS, server, or port levels, you know! All you need is just to set up the policies and rules for a new application, and they will be propagated to servers and ports. Being pretty intuitive, this feature makes it far easier to implement new services in terms of their protection and maintenance while moving virtual machines within and between datacenters.

VMware Service-Defined Firewall

VMware Service-Defined Firewall app Defefnse

Generally speaking, VMware Service-Defined Firewall leverages and expands AppDefese features: it determines policies for applications on a network level, than creates the baseline (i.e., datacenter normal behavior) and notifies administrators about any deviations from it. Here is an example of the Uncleared Alarms view in the AppDefense console:

VMware Service-Defined Firewall app Defefnse scope E-commerce

AppDefense also enables to create an app topology that allows users to limit interactions between applications to specific objects and ports. In addition, VMware Service-Defined Firewall can generate the templates for the specific policies to provide better protection for individual applications.

AppDefense Console

Pinpointing suspicious activity is performed by the Application Verification Cloud. It analyzes information from the millions of virtual machines all over the world and defines the “normal behavior” of microservices through machine learning algorithms. That system works great for any detecting deviations from normal performance.

Application Verification Cloud

Why there’s a buzz about Service-Defined Firewall

The traditional means of applications protection within an IT environment are mainly focused on ensuring security just on a network perimeter level so that everything inside could be considered secure.

Interestingly, the most dangerous attacks often come from the inside of infrastructures. Malware studies environment architecture and interactions, then, once it is done with analysis, it is spreading all over the datacenter using its vulnerabilities.

Malware studies environment architecture and interactions

There might also be the case when the attack comes through the open ports (e.g., web servers or application servers). Once intruders gain administrator rights, the malicious code disables antiviruses and “disarms” any other means of protection. Eventually, the malware gets access to any datacenter systems (e.g., databases).

The case when the attack comes through the open ports

VMware Service-Defined Firewall, in its turn, employs a whole other approach to IT environment protection. The Firewall applies the Zero Trust strategy, which means that not a single one network component is deemed trustworthy, implying that any network connection can be dangerous. It runs application analysis inside the network perimeter (internal network firewalling). Service monitoring is done on hypervisor level and on level-7 of OSI model (L7 packet inspection), without involving guest OS agents.

Internal firewalls can take a different approach

The Firewall almost eradicates the probability of attack via the public ports. Any suspicious activity, such as gaining shell access or disabling an antivirus, will be blocked and logged.

The Firewall almost eradicates the probability of attack via the public ports

It is also possible to retrieve security logs where all blocked queries will be listed.

Evidently, such model better on every level than multi-agent systems because in the latter cases malware can get control over these agents. Another score for VMware Service-defined Firewall is its full-software implementation. The thing is that the hardware firewalls are barely scalable. They are also difficult to manage. For instance, applications can move between servers and datacenters, bypassing the security checks while migrating from an infected server to a healthy one.

Some more materials on the Service-Defined Firewall

StarWind Virtual SAN eliminates any need for physical shared storage just by mirroring internal flash and storage resources between hypervisor servers. Furthermore, the solution can be run on the off-the-shelf hardware. Such design allows StarWind Virtual SAN to not only achieve high performance and efficient hardware utilization but also reduce operational and capital expenses.

Learn more about ➡ StarWind Virtual SAN

Conclusion

VMware Service-Defined Firewall is a game changer in the world of virtualized environment security. Designed with all VMware developments in that field, the solution provides robust functionality for preventing and fighting off both internal and external attacks.

Views All Time
6
Views Today
12
Appreciate how useful this article was to you?
1 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 5
5 out of 5, based on 1 review
Loading...
Back to blog
The following two tabs change content below.
Alex Samoylenko
Alex Samoylenko
Virtualization technology professional. 10 years ago he built #1 website on virtualization in Russia. Alex runs his own virtualization-focused company VMC. He is a CEO of a mobile game publisher Nova Games and a CEO of an international dating site