What is VMware Service-Defined Firewall?

Introduction to VMware Service-Defined Firewall

In a recent announcement at the RSA Conference, VMware moved further into the security sector with the Service-Defined Firewall. As part of digital transformation, organizations are looking for ways to increase employee productivity by delivering business applications to employee devices without giving up security. With this approach, business applications are changing rapidly from a traditional framework to a distributed architecture: an application may now consist of many distinct services running on heterogeneous workloads that are networked together. This networking between heterogeneous workloads increases both the complexity and the size of the application attack surface.

Key issues in Application Security

As new application architectures are distributed across both private and public clouds, network teams are struggling to find ways to ensure security and automation for an application-driven network. The key issues they see are:

  • Increased Attack Surface – New applications are now composed of a set of distributed services, networked together and running across private and public clouds, in VMs, in containers and on bare-metal hosts. They are no longer a simple monolithic stack on a single server that can be easily secured. This explosion of services on the network has significantly increased the attack surface of an organization.
  • Rapid Application Change – Application developers are continually making changes to applications and deploying new services, which in turn require changes to security policies on a regular basis.

How does the VMware Service-Defined Firewall work?

The VMware Service-Defined Firewall takes a new approach and is designed specifically to mitigate threats inside a data center or cloud network. Instead of focusing on ways to scrutinize unknown traffic, organizations using the Service-Defined Firewall can focus on securing the assets they know well and the applications they developed. The VMware Service-Defined Firewall combines the capabilities of the VMware NSX network virtualization platform and VMware's security product AppDefense. VMware NSX provides network and application visibility, and VMware AppDefense protects the workloads by monitoring their intended state.

Perimeter firewalls generally filter traffic coming from unknown hosts, but they cannot help much with filtering East-West traffic inside the perimeter, where a deep contextual understanding of the traffic is required. Perimeter firewalls lack a deep understanding of application topology, host insights and the known-good behavior of an application. Secondly, perimeter firewalls rely primarily on port blocking to control traffic, which can cause serious performance challenges when controlling East-West traffic.

The VMware Service-Defined Firewall accomplishes this with the following capabilities:

  1. Provides deep application visibility and control through deep visibility into application services, their behavior and the application topology. Because the VMware Service-Defined Firewall is built directly into the vSphere hypervisor, no additional agent needs to be installed.
  2. Leveraging the App Verification Cloud, the VMware Service-Defined Firewall analyzes known-good application behavior across the VMware footprint. It helps customers quickly profile the behavior of their own applications and create the best policies for enforcement, and it intelligently configures and adapts security policies when application services change.
  3. To deliver ubiquitous protection, you can deploy the VMware Service-Defined Firewall wherever an application may be running. It works with bare-metal, virtual machine (VM) and container-based application environments, and will support hybrid cloud environments such as VMware Cloud on AWS (Amazon Web Services) and AWS Outposts in the future.
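The contrast drawn above, between a port-based perimeter rule and a policy derived from an application's intended state, can be made concrete with a small model. The following is an added example written for this article, not VMware code and not how NSX or AppDefense is implemented internally: flows are identified by workload name, an allow-list is learned from a constructed baseline of observed flows, and each new flow is judged in detect mode (alert only) or prevent mode (drop), side by side with what a port-only rule would decide. All workload names, ports and flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One East-West flow, identified by workload names rather than by IP and port alone."""
    src: str    # source workload, e.g. "web-01"
    dst: str    # destination workload, e.g. "app-01"
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


# Constructed baseline: the flows a three-tier application was observed making while
# it was being profiled. This stands in for the "intended state" described in the text.
BASELINE: List[Flow] = [
    Flow("web-01", "app-01", 8443, "tcp"),
    Flow("web-02", "app-01", 8443, "tcp"),
    Flow("app-01", "db-01", 5432, "tcp"),
]


def learn_allowlist(flows: Iterable[Flow]) -> Set[Flow]:
    """Profile the application: every flow seen during the baseline becomes an allow rule."""
    return set(flows)


def port_only_rule(flow: Flow, open_ports: Tuple[int, ...] = (8443, 5432)) -> bool:
    """A perimeter-style rule: it knows ports, not workloads, so it allows any source
    to reach any destination on an open port."""
    return flow.proto == "tcp" and flow.dport in open_ports


def evaluate(flow: Flow, allowlist: Set[Flow], mode: str) -> str:
    """Workload-aware rule. In 'detect' mode a deviation from the intended state is
    only alerted on; in 'prevent' mode it is dropped."""
    if mode not in ("detect", "prevent"):
        raise ValueError("mode must be 'detect' or 'prevent'")
    if flow in allowlist:
        return "allow"
    return "drop" if mode == "prevent" else "alert"


def compare(observed: Iterable[Flow], allowlist: Set[Flow], mode: str) -> List[Tuple[Flow, str, str]]:
    """Side by side: the workload-aware verdict and what a port-only rule would decide."""
    return [
        (f, evaluate(f, allowlist, mode), "allow" if port_only_rule(f) else "drop")
        for f in observed
    ]


if __name__ == "__main__":
    allow = learn_allowlist(BASELINE)
    # Constructed traffic: one expected flow and one a web tier should never make.
    observed = BASELINE[:1] + [Flow("web-01", "db-01", 5432, "tcp")]
    for flow, sdfw, perimeter in compare(observed, allow, "prevent"):
        print(f"{flow.src:>7} -> {flow.dst:<7} {flow.proto}/{flow.dport}: "
              f"workload-aware={sdfw:<5} port-only={perimeter}")
```

The web-to-database flow is the interesting case: the port-only rule allows it because 5432 is open somewhere in the application, while the intended-state policy flags it (detect) or drops it (prevent) because no web workload ever talked to the database during profiling.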

To validate the effectiveness of the VMware Service-defined Firewall, VMware teamed with Verodin, a leader in enabling organizations to measure, manage, and improve their cybersecurity effectiveness. VMware leveraged Verodin’s Security Instrumentation Platform (SIP) to validate that the VMware Service-Defined Firewall can effectively identify and stop threats whether they are known or unknown. While running the solution in both Detect and Prevent mode, the VMware Service-Defined Firewall detected or prevented 100 percent of the malicious attacks used in the Verodin test sequence.

Learning NSX Step by Step: Configuring SSL VPN-Plus on VMware NSX Edge Gateway

VMware NSX SSL VPN-Plus allows remote users to access private networks behind an NSX Edge Gateway, so they can reach applications and servers running in the private network. The diagram below, taken from the NSX Admin Guide, shows how clients connect to the private network and lists the supported operating systems for the SSL VPN client:


To configure network access with SSL VPN-Plus:

  1. Log in to the vCenter Web Client and go to “Network and Security”.
  2. Click on NSX Edges. Double-click on the Edge Gateway Services router.
  3. Click on the SSL VPN-Plus tab.
  4. Create an IP pool for the clients connecting via VPN.
  5. Add the private network that users connecting over VPN are allowed to reach.
  6. Select the authentication server type.
  7. Start the SSL VPN service.
  8. Open a browser and browse to the external IP address over HTTPS: https://<External_IP_Address_of_ESG>
  9. Verify the communication from the VPN client to the internal network.
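The IP pool and private network steps above are where most SSL VPN-Plus setups go wrong: a pool range that falls outside its own subnet, a gateway address inside the client range, or a private network that overlaps the pool leaves clients connected but unable to reach anything. The following added example (written for this article, not VMware's own tooling) validates those inputs before they are applied and renders them as the XML bodies the NSX Edge REST API accepts. The request paths are modelled on the NSX for vSphere API and are an assumption to verify against the API guide for your NSX version; all addresses and the Edge id "edge-1" are constructed placeholders.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

# Assumed request paths, modelled on the NSX for vSphere REST API; check them against
# the API guide for your NSX version before use.
IPPOOL_PATH = "/api/4.0/edges/{edge}/sslvpn/config/client/networkextension/ippools"
PRIVNET_PATH = "/api/4.0/edges/{edge}/sslvpn/config/client/networkextension/privatenetworks"
ENABLE_PATH = "/api/4.0/edges/{edge}/sslvpn/config?enableService=true"


@dataclass
class IpPool:
    """Addresses handed out to VPN clients."""
    first: str
    last: str
    netmask: str
    gateway: str

    def subnet(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.gateway}/{self.netmask}", strict=False)


def validate_pool(pool: IpPool) -> ipaddress.IPv4Network:
    """The range must be ordered, lie inside the gateway's subnet and not contain the gateway."""
    first, last = ipaddress.IPv4Address(pool.first), ipaddress.IPv4Address(pool.last)
    gw = ipaddress.IPv4Address(pool.gateway)
    if first > last:
        raise ValueError("pool start is after pool end")
    net = pool.subnet()
    if first not in net or last not in net:
        raise ValueError("pool range lies outside the subnet given by netmask and gateway")
    if first <= gw <= last:
        raise ValueError("gateway address must not be inside the client range")
    return net


def validate_private_networks(pool: IpPool, cidrs: List[str]) -> List[ipaddress.IPv4Network]:
    """Private networks must be well-formed prefixes and must not overlap the client pool;
    an overlap would leave clients unable to route to the very network they came for."""
    pool_net = validate_pool(pool)
    result = []
    for cidr in cidrs:
        net = ipaddress.IPv4Network(cidr, strict=True)  # rejects host bits, e.g. 10.0.0.5/24
        if net.overlaps(pool_net):
            raise ValueError(f"private network {cidr} overlaps the VPN client pool {pool_net}")
        result.append(net)
    return result


def pool_xml(pool: IpPool) -> str:
    root = ET.Element("ipAddressPool")
    ET.SubElement(root, "ipRange").text = f"{pool.first}-{pool.last}"
    ET.SubElement(root, "netmask").text = pool.netmask
    ET.SubElement(root, "gateway").text = pool.gateway
    return ET.tostring(root, encoding="unicode")


def private_network_xml(net: ipaddress.IPv4Network) -> str:
    root = ET.Element("privateNetwork")
    ET.SubElement(root, "network").text = str(net)
    tunnel = ET.SubElement(root, "sendOverTunnel")
    ET.SubElement(tunnel, "optimize").text = "true"  # send this prefix through the tunnel
    ET.SubElement(root, "enabled").text = "true"
    return ET.tostring(root, encoding="unicode")


def build_requests(edge_id: str, pool: IpPool, cidrs: List[str]) -> List[Tuple[str, str, str]]:
    """Validate everything first, then return (method, path, body) triples in the order
    the UI steps apply them: pool, private networks, then start the service."""
    nets = validate_private_networks(pool, cidrs)
    reqs = [("POST", IPPOOL_PATH.format(edge=edge_id), pool_xml(pool))]
    reqs += [("POST", PRIVNET_PATH.format(edge=edge_id), private_network_xml(n)) for n in nets]
    reqs.append(("POST", ENABLE_PATH.format(edge=edge_id), ""))
    return reqs


if __name__ == "__main__":
    # Constructed values; "edge-1" is a placeholder Edge id.
    pool = IpPool("172.16.100.10", "172.16.100.100", "255.255.255.0", "172.16.100.1")
    for method, path, body in build_requests("edge-1", pool, ["10.10.10.0/24"]):
        print(method, path, body)
```

Nothing is sent here; the triples are meant to be handed to whatever HTTP client you already use against the NSX Manager, after the validation has run. Authentication server configuration is left to the UI step because its payload depends on the server type chosen.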


This concludes the configuration of SSL VPN-Plus on a VMware NSX Edge Gateway Services router. I hope this was informative for you. Please share it if you find it worth sharing. Thanks for reading!

Learning NSX Step by Step – Configuring Dynamic Routing using OSPF in VMware NSX


Dynamic routing provides the necessary forwarding information between Layer 2 broadcast domains. VMware NSX supports three dynamic routing protocols: OSPF, BGP and IS-IS. NSX Edge supports OSPF, an interior gateway protocol that routes IP packets only within a single routing domain. It gathers link-state information from the available routers and constructs a topology map of the network. OSPF routing policies provide dynamic load balancing of traffic between routes of equal cost. An OSPF network is divided into routing areas to optimize traffic. An area is a logical collection of OSPF networks, routers and links that share the same area identification; areas are identified by an Area ID.
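The three ideas in that paragraph, a topology map built from link-state information, equal-cost load balancing and areas, fit in one short shortest-path-first computation. The following is an added example for this article, not NSX code: a constructed link-state database of (router, router, cost, area) entries, from which the function computes the cost and the set of next hops from a root router within one area. Router names such as "ESG" and "DLR-A", the costs and the area IDs are all made up for illustration.

```python
import heapq
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Link = Tuple[str, str, int, str]  # (router_a, router_b, cost, area_id)

# Constructed link-state database. Links are bidirectional with a symmetric cost.
# Everything except the R5-R6 link is in the backbone area 0.0.0.0.
LSDB: List[Link] = [
    ("ESG", "DLR-A", 1, "0.0.0.0"),
    ("ESG", "DLR-B", 1, "0.0.0.0"),
    ("DLR-A", "CORE", 1, "0.0.0.0"),
    ("DLR-B", "CORE", 1, "0.0.0.0"),
    ("CORE", "R5", 5, "0.0.0.0"),
    ("DLR-A", "R5", 9, "0.0.0.0"),
    ("R5", "R6", 1, "0.0.0.1"),
]


def build_topology(lsdb: List[Link], area: str) -> Dict[str, Dict[str, int]]:
    """Topology map for one area: only links carrying that area ID take part in SPF."""
    graph: Dict[str, Dict[str, int]] = defaultdict(dict)
    for a, b, cost, link_area in lsdb:
        if link_area == area:
            graph[a][b] = cost
            graph[b][a] = cost
    return graph


def spf(lsdb: List[Link], root: str, area: str = "0.0.0.0") -> Dict[str, Tuple[int, Set[str]]]:
    """Shortest-path-first (Dijkstra) from `root` inside `area`. Returns
    {router: (cost, next_hops)}; more than one next hop means equal-cost paths
    over which traffic can be load balanced."""
    graph = build_topology(lsdb, area)
    dist: Dict[str, int] = {root: 0}
    next_hops: Dict[str, Set[str]] = {root: set()}
    done: Set[str] = set()
    heap: List[Tuple[int, str]] = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        # With positive link costs every equal-cost predecessor of `node` was settled
        # before it, so next_hops[node] is complete when we expand it.
        done.add(node)
        for nbr, cost in graph[node].items():
            cand = d + cost
            hops = {nbr} if node == root else set(next_hops[node])
            if cand < dist.get(nbr, float("inf")):
                dist[nbr] = cand
                next_hops[nbr] = hops
                heapq.heappush(heap, (cand, nbr))
            elif cand == dist[nbr] and nbr not in done:
                next_hops[nbr] |= hops  # equal cost: keep both paths
    return {r: (dist[r], next_hops[r]) for r in dist}


if __name__ == "__main__":
    for router, (cost, hops) in sorted(spf(LSDB, "ESG").items()):
        print(f"{router:<6} cost={cost:<2} next-hops={sorted(hops)}")
```

From "ESG", CORE and R5 both end up with two next hops of equal cost (via DLR-A and via DLR-B), which is exactly the situation in which OSPF balances traffic across routes; the direct DLR-A to R5 link is never used because its cost is higher. R6 does not appear at all, because its only link belongs to area 0.0.0.1 and intra-area SPF ignores it.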