VMware improves internal firewalling
VMware has debuted NSX Distributed intrusion detection and prevention (IDS/IPS) for its Service-defined Firewall.
This, the company says, take its NSX platform’s Layer 7-capable internal firewalling to a new level, allowing enterprises to fortify applications across private and public clouds.
NSX Distributed IDS/IPS will take advantage of VMware’s understanding of the services that make up an application and match IDS/IPS signatures to specific parts of an application.
In this way, an Apache or Tomcat server will only get signatures relevant to it, for example. This will result in customers seeing fewer false positives and significantly higher throughput.
Speraking at VMworld 2019 in Barcelona yesterday (5 November), Sanjay Poonen, COO of VMware, said VMware Service-defined Firewall with NSX Distributed IDS/IPS will allow customers to both micro-segment their networks and block internal traffic from stolen credentials and compromised machines.
In August this year, VMware introduced NSX Intelligence, an advanced system to analyse workload traffic and automatically generate security policies. NSX Federation is an added capability that will enable customers to deploy and consistently enforce security policies generated by NSX Intelligence across multiple data centres.
In addition, NSX Federation will help organisations simplify disaster avoidance and recovery and share application resources across data centres. Converged operations will simplify the overall security architecture and make it easier for customers to manage security policies, demonstrate compliance, and provide holistic context for security troubleshooting, he explained.
“This type of efficiency and flexibility cannot be matched by traditional 'bump in the wire' appliances and is a major difference between legacy and proprietary hardware-defined systems and an open, scale-out software solution such as VMware NSX,” said Poonen.
According to him, traditional firewall and IDS/IPS appliances are costly, difficult to manage, have limited capacity, and usually lack the critical functions to address modern data centre designs and application patterns.
That’s why VMware focused on making its solutions easy to deploy, consume, and build on. “We start by treating both VMs and containers as VIPs,” he adds.
Next, VMware’s firewall and IDS/IPS deployment model scales linearly as each workload consumes or releases capacity, uniting the power of all CPUs across servers in a data centre, and removing any need for proprietary appliances that hairpin traffic and add to east-west network congestion.
With NSX Distributed IDS/IPS, network, firewall, and IDS/IPS rules are applied in a single pass. These rulesets are also attached to workloads so that when enterprises bring up a workload, the correct rules are applied automatically. When a workload is decommissioned, rules are automatically expired, and when a workload moves, the rules go with it and the state is maintained.
These new capabilities and converged operations make it easier for organisations to manage their security policies, demonstrate compliance, provide context for security troubleshooting, and vastly simplify the overall security architecture, he concluded.