Six years ago, VMware pioneered the concept of micro-segmentation to stop the internal, lateral spread of malware. We then launched the NSX Service-defined Firewall, an internal firewall that’s built into the hypervisor, distributed, and application aware. Shortly thereafter we introduced NSX Intelligence to automate security rule recommendations, streamlining the deployment of micro-segmentation.

Now we are announcing that we will be taking internal security to the next level by introducing optional Intrusion Detection and Prevention (IDS/IPS) for our Service-defined Firewall. Built on the same philosophy, the new NSX Distributed IDS/IPS will allow enterprises to fortify applications across private and public clouds.

VMware’s Security Is Intrinsic. Here’s What That Means.

Intrinsic Security is security that’s built in, not bolted on. And that makes it better.

When security is bolted on, it’s never as good as built-in security. Imagine an apartment building where you add the alarm system, the security cameras, and the fire escape after the fact. It looks awkward and doesn’t work that well, either.

But when you design those things in upfront, the effect is completely different. Everything just works better, as parts of a whole system. The same thing is true for security.

More importantly, when you build in security, you can build it differently. Just to clarify, Intrinsic Security isn’t the same as integrated security. Integrated security would be taking a hardware-based firewall and repackaging it as a blade in a switch. It’s more convenient to deploy that way, but it doesn’t improve how the firewall works. By comparison, at VMware, we’ve used our virtualization capabilities to reimagine how much more effective security could be.

Security Done Differently and Done Better.

Instead of a hardware firewall that requires hair-pinning traffic to do all the filtering, we took the protection that firewall offers and distributed it directly to the servers in the hypervisor. That lets us put the security wherever the server needs to be, and at the same time eliminates blind spots by filtering every connection or hop. It’s dramatically more efficient.

But we didn’t stop there. Our firewall also gives us the advantage of being fine-grained and intelligent about how we apply the rulesets. If you have ever managed a firewall, you know that over time you can easily get to 5,000 rules, 10,000 rules, even 500,000 rules. In the traditional firewall model, you have to run all the firewall rules, against all the traffic, all the time. And to process all those rules, you need dedicated hardware.

We take a different approach. Thanks to our intrinsic understanding of the application and all its services, we know the difference between the web tier, the application tier, and the database tier. So we apply only those rules that are applicable to the workload. The web tier gets the web rules, the app tier gets the app rules, and the database tier gets the database rules. This massively reduces rules and delivers much higher throughput.

Intrusion Detection and Prevention Systems Reimagined.

We’re bringing the same innovative approach to our optional Intrusion Detection and Prevention (IDS/IPS) for our advanced Layer 7–capable internal firewall. Our Service-defined Firewall with IDS/IPS will allow our customers to block internal traffic from stolen credentials and compromised machines—traffic that a port-blocking-only solution would typically fail to detect and block.

Our IDS/IPS takes advantage of VMware’s intrinsic understanding of the services that make up the application to match IDS/IPS signatures to specific parts of the application. IDS/IPS signatures are application specific. Since we intrinsically know the difference between Apache and Tomcat, we apply the appropriate signatures only to their servers. Customers will see fewer false positives and significantly higher throughput.

This type of efficiency and flexibility simply cannot be matched by traditional “bump in the wire” appliances, and is a major difference between legacy and proprietary hardware-defined systems and an open, scale-out software solution such as VMware NSX.

Easy to Deploy, Easy to Consume.

Traditional firewall and IDS/IPS appliances are expensive, hard to manage, capacity constrained, and typically lack the critical functions to address modern data center designs and application patterns. That’s why we are focused on making our unique Intrinsic Security easy to deploy, consume, and build on. We start by treating both VMs and containers as first-class citizens.

Next, our firewall and IDS/IPS deployment model scales linearly as each workload consumes or releases capacity, combining the power of all CPUs across servers in a data center, and eliminating the need for proprietary appliances that hairpin traffic and exacerbate east-west network congestion. Further, network, firewall, and IDS/IPS rules are applied in a single pass.

These rulesets are also attached to workloads so that when enterprises bring up a workload, the correct rules are applied automatically. When a workload is decommissioned, rules are automatically expired, and when a workload moves, the rules go with it and state is maintained. At VMworld Barcelona we also announced new NSX Federation capabilities that will let customers deploy policies across multiple data centers and sites. These capabilities enforce policies consistently, simplifying disaster recovery and avoidance, as well as the sharing of application resources across data centers and cloud providers.

These converged operations make it easier to manage security policies, demonstrate compliance, provide holistic context for security troubleshooting, and vastly simplify the overall security architecture. Clearly, this solution has a huge operational advantage for common 3-tier applications, but just imagine their impact in the context of cloud-native applications that might have 10, 100, or even thousands of components that are constantly moving. It’s not feasible to secure these applications without a fully automated solution.

This type of efficiency and flexibility simply cannot be matched by security that’s bolted on, and this is why our open, scale-out software solution makes so much sense for the way the enterprise needs to run today and tomorrow.

Resources