VMware Launches Service Defined Firewall for Intrinsic Security


There are different ways to think about security and how to implement it. For Tom Gillis, senior vice president and general manager of networks and security at VMware, security should be an intrinsic capability.

An intrinsic security capability is not a bolted-on feature, but something deeply integrated into the operational workflow of a given deployment. As part of VMware's intrinsic security approach, the company recently announced its service-defined firewall, an intent-based system that automatically determines firewall policies for workloads. In a video interview with eWEEK, Gillis explains what the intrinsic security model is.

"Most infrastructure companies take the following approach: 'Hey, let's take security and integrate it.' It makes deployment and consumption easier, but you do not change the behavior of the firewall," said Gillis. "When I talk about intrinsic security, I'm talking about things we can do only, which are intrinsic to the virtualization platform."

Gillis added that the virtualization platform can inspect every packet because it is already part of the data path. Virtualization also provides information about the topology and components of an application, allowing a security control to fully understand what is happening.

Gillis joined VMware in May 2018 following the acquisition of Bracket Computing, a company that developed cloud workload protection and isolation technology. The former Bracket Computing technology is now largely integrated into VMware's network and security stack, giving organizations additional features for protecting workloads. Both VMware and Bracket Computing adopted a tag-based policy enforcement approach. He explained that with a tag-based approach, it is easy to define simple security policies that humans can understand. For example, you can configure a policy stating that a Web server can communicate with an application server and a database server, but nothing else.
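To make the tag-based model concrete, here is an added example (not VMware's or Bracket's code) that expands an intent written in tags into concrete host-to-host allow rules under a default-deny stance, and flags observed flows the intent does not cover. The inventory, tags, ports and flow records are constructed assumptions.

```python
# Constructed inventory: each workload carries tags, not just an address.
WORKLOADS = {
    "web-01": {"web"},
    "web-02": {"web"},
    "app-01": {"app"},
    "db-01": {"db"},
    "jump-01": {"admin"},  # assumption: extra host to show default deny
}

# Intent expressed in tags: (source tag, destination tag, destination port).
# Assumed ports; the intent is "web talks to app, app talks to db, nothing else".
POLICY = [
    ("web", "app", 8080),
    ("app", "db", 5432),
]


def expand_rules(workloads, policy):
    """Turn tag-level intent into concrete (src, dst, port) allow rules.

    Any new workload that receives a tag is covered automatically on the next
    expansion, which is the operational win of tag-based policy.
    """
    rules = set()
    for src_tag, dst_tag, port in policy:
        for src, s_tags in workloads.items():
            for dst, d_tags in workloads.items():
                if src_tag in s_tags and dst_tag in d_tags and src != dst:
                    rules.add((src, dst, port))
    return rules


def is_allowed(rules, src, dst, port):
    """Default deny: a flow passes only if an expanded rule matches exactly."""
    return (src, dst, port) in rules


def find_violations(rules, flows):
    """Detection view: return observed flows that the intent does not permit."""
    return [f for f in flows if not is_allowed(rules, *f)]


# Constructed flow records (src, dst, port) as a monitoring feed might emit.
OBSERVED = [
    ("web-01", "app-01", 8080),   # expected tier-to-tier traffic
    ("web-02", "db-01", 5432),    # web skipping the app tier: not in intent
    ("jump-01", "db-01", 5432),   # untagged-for-this-policy host: denied
]

if __name__ == "__main__":
    rules = expand_rules(WORKLOADS, POLICY)
    for violation in find_violations(rules, OBSERVED):
        print("denied:", violation)
```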

"By understanding what the application is, then applying tags that allow you to apply a strategy at the software layer, the network infrastructure is greatly simplified and the network can focus on what it needs to do, namely to move the electrons from point A to B," explained Gillis.

The service-defined firewall

VMware's new service-defined firewall is the product of the effort to use tags to automatically generate firewall rules. The service-defined firewall complements VMware's AppDefense technology, announced in August 2017.

AppDefense is a technology VMware runs in the virtualization hypervisor to understand the topology of applications, Gillis said. With AppDefense, known-good behaviors can be identified and categorized with the help of a machine learning model. That classification of application behavior can now be extended with the service-defined firewall, running in VMware's NSX network virtualization software, to set firewall rules automatically. The service-defined firewall also provides auditing and templates for different compliance requirements.

There is a fundamental difference between what a traditional firewall can see and block and what the VMware service-defined firewall can. Gillis said that a traditional firewall must filter traffic from an unlimited number of unknown hosts, with little or no context. With the service-defined firewall running on a virtualized network, Gillis said the use case is somewhat different: the organization is dealing with known hosts on an internal network.


Sean Michael Kerner is editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.