VMware Launches Service-Defined Firewall for Intrinsic Security

There are a number of different ways to think about security and how it should be implemented. For Tom Gillis, senior vice president and general manager for Networking and Security at VMware, security should be an intrinsic capability.

An intrinsic security capability is not one that is bolted on, but rather is deeply integrated into the operational workflow of a given deployment. As part of VMware's intrinsic security approach, the company recently announced its Service-Defined Firewall, which is an intent-based system to help automatically determine firewall policies for workloads. In a video interview with eWEEK, Gillis outlines what the intrinsic security model is all about.

"The approach that most infrastructure companies take is, 'Hey, let's take security and integrate it.' That makes it more convenient to deploy and consume, but you're not changing the way the firewall behaves," Gillis said. "When I talk about intrinsic security, I'm talking about the things that we can do uniquely, the things that are intrinsic to the virtualization platform."

Gillis added that the virtualization platform provides the ability to inspect every packet, since it's already part of the data path. Virtualization also provides insight into the topology and components of an application, which makes it easier for a security control to fully understand what is going on.

Gillis joined VMware in May 2018 by way of the acquisition of his company Bracket Computing, which was developing cloud workload protection and isolation technology. The former Bracket Computing technology has now largely been integrated with VMware's networking and security stack, providing additional capabilities for organizations to protect workloads. Both VMware and Bracket Computing have been pursuing an approach of tag-based policy enforcement. He explained that with a tag-based approach, simple human understandable policies for security can be easily defined. For example, a policy can be set up that states a web server can talk to an application server and a database server, but nothing else.

"By understanding what the application is and then apply tags that allow you to apply policy at the software layer, it dramatically simplifies the network infrastructure and allows the network to focus on what it needs to do, which is move electrons from point A to B," Gillis explained. 

The Service-Defined Firewall

VMware's new Service-Defined Firewall is a productization of the effort to use tags to automatically generate firewall rules. The Service-Defined Firewall complements VMware's AppDefense technology that was announced in August 2017.

AppDefense is a technology that VMware uses in the virtualization hypervisor to understand application topology, Gillis said. With AppDefense, known good behavior can be identified and classified with a machine learning model. The application behavior classification can now be extended with the Service-Defined Firewall, running in VMware's NSX network virtualization software, to automatically define firewall rules. The Service-Defined Firewall provides auditing as well as templates for different compliance requirements.

There is a fundamental difference between what a traditional firewall is able to see and block, as opposed to VMware's Service-Defined Firewall. Gillis said that a traditional firewall needs to filter traffic from an unlimited number of unknown hosts, with little or no context. With the Service-Defined Firewall, which runs on a virtualized network, Gillis said the use case is somewhat different, where the organization is dealing with well-known hosts on an internal network.

Watch the full video interview with Tom Gillis above.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.