A year and a half ago, I wrote about the VMware SASE platform, which is built on SD-WAN software-defined networking technology. SD-WAN virtualizes WANs to separate software-based network services from hardware and endpoints for flexibility, ease of management, performance, security, and the ability to quickly scale to clouds.
VMware Explore 2023 featured an interesting talk, “Fortify Your Branches with Enhanced Firewall Service for VMware,” which provided an in-depth look at the security features of VMware SD-WAN Edges. This session, led by experts from VMware and CBTS, covered the evolving network security landscape, VMware SD-WAN and VMware SASE security features, and solutions to today’s security challenges.
VMware also has an excellent overview of the VMware SD-WAN Enhanced Firewall Services features in the VMware SASE Orchestrator console, which I’ll cover below:
To address the security challenges of a modern distributed corporate network, including the growth of network services at the network edge, VMware offers the VMware SD-WAN Enhanced Firewall Services. This service is designed to provide advanced security features directly at the edge of the network, meeting the needs of distributed workforces and branch offices.
VMware SD-WAN Enhanced Firewall Services are an essential element of the VMware SASE layered security solution. Built on VMware’s long-established NSX security technology, this service is integrated into both physical and virtual VMware SD-WAN Edge appliances.
The product itself can improve and stabilize network performance and eliminate the need for legacy firewalls in branch offices while providing a comprehensive approach to security. Like all VMware SASE components, Enhanced Firewall Service management is integrated into VMware SASE Orchestrator, simplifying operations for network administrators and eliminating the need to manage security at multiple locations.
Problems to be solved
Let’s look at the problems found in the modern distributed network infrastructures of large enterprises that the Enhanced Firewall Service addresses:
- Traditional office and remote workspaces use inefficient WAN architectures originally designed for applications in corporate data centers. Backhauling all internet traffic through these data centers for routing and security checks adds latency and makes management more complex, since sites end up with differing security policies. Legacy WAN architectures also often lack modern security checks, leaving gaps that attackers can exploit.
- Traditional firewalls require installation and management along with other equipment, costing IT departments resources to monitor and update security.
- Traditional networks often lack the controls needed to detect and defend against sophisticated DDoS attacks, which can result in network service downtime, data loss, or legal issues.
- The growing need to support remote work and the increasing number of IoT devices connected to corporate networks creates new security challenges. Unsecured devices in different geographic locations increase the risk of data leaks and cyber-attacks.
- Heterogeneous network architectures and the lack of a unified management system make it difficult to assess security comprehensively and respond to threats in a timely manner.
VMware SD-WAN Enhanced Firewall Service Features
The main features of the Enhanced Firewall Service are:
1. Intrusion Detection and Prevention System (IDS/IPS)
The intrusion detection and prevention (IDS/IPS) feature of the enhanced firewall service improves the overall security of the branch network. IDS and IPS monitor network traffic, analyze it for malicious or suspicious activity, and take measures to prevent possible attacks. They work together to detect and block potentially dangerous traffic before it reaches the network. Overall, the IDS/IPS feature integrated into Edge is key to protecting enterprise branch networks from cyber threats.
2. Preventing DDoS attacks
Denial-of-service (DoS) is one of the most common attacks that businesses face on a daily basis. The enhanced firewall takes various measures to protect all VMware SD-WAN components. The firewall’s built-in “network and flood protection” feature on the Edge side can detect and drop connections that exceed the configured level (“flooding”). It can also automatically block TCP-based, ICMP-based and other known attacks.
3. Centralized firewall logging that collects logs from all VMware SASE services
The centralized firewall logging service is a secure and scalable solution designed for organizations of any size. This centralizes logs in one cloud location, making it easier to track and analyze security events across multiple sites and applications. Cloud-based firewall logging provides real-time visibility into network traffic and security events, allowing administrators to quickly detect and respond to threats. Hosted firewall logging can also provide historical audit records required to comply with regulatory standards such as PCI, HIPAA and GDPR.
VMware SD-WAN Edge Firewall is certified by ICSA Labs, and the Edge components themselves meet FIPS 140-2 compliance requirements.
4. Stateful inspection (or so-called dynamic packet filtering) for applications at layers L4-L7
The firewall’s stateful inspection of active connections at layers L4-L7 is built into the data plane on the Edge side. It checks incoming and outgoing packets in the context of their sessions. By maintaining a table of connections and their states, the firewall accepts only permitted connections and the return traffic belonging to them, blocking all other traffic from external sources. The firewall is also application-aware, which allows it to detect and block malicious traffic.
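To make the connection-table behaviour described above concrete, here is an added illustration (not VMware’s code or configuration) of a default-deny stateful filter that also applies the per-source “flood” threshold from section 2. The packet list, addresses, ports and the threshold value are all constructed for the example; the Edge data plane’s real implementation and tuple format are not assumed.

```python
from collections import defaultdict

# Constructed sample packets, not captured traffic. Each entry is
# (direction, src, sport, dst, dport, proto); "out" leaves the branch LAN
# toward the WAN, "in" arrives from the WAN at the Edge.
PACKETS = [
    ("out", "10.1.0.5", 40001, "203.0.113.10", 443, "tcp"),   # LAN opens HTTPS
    ("in",  "203.0.113.10", 443, "10.1.0.5", 40001, "tcp"),   # reply to tracked flow
    ("in",  "198.51.100.7", 5555, "10.1.0.5", 22, "tcp"),     # unsolicited SSH attempt
    ("out", "10.1.0.5", 40002, "203.0.113.10", 23, "tcp"),    # telnet, not in policy
] + [("in", "198.51.100.9", 50000 + i, "10.1.0.20", 8443, "tcp") for i in range(5)]


class StatefulFirewall:
    """Connection-table filter: outbound by policy, inbound only as a reply
    to a tracked flow or to a published service, with a per-source cap on
    new inbound connections (the configured 'flood' level)."""

    def __init__(self, allowed_outbound_ports, published_ports, flood_limit):
        self.allowed_outbound = set(allowed_outbound_ports)
        self.published = set(published_ports)
        self.flood_limit = flood_limit
        self.table = set()                    # established 5-tuples
        self.new_inbound = defaultdict(int)   # src -> new inbound connections opened

    def process(self, pkt):
        direction, src, sport, dst, dport, proto = pkt
        flow = (src, sport, dst, dport, proto)
        if flow in self.table or (dst, dport, src, sport, proto) in self.table:
            return "ALLOW"                    # either side of an established flow
        if direction == "out":
            if dport not in self.allowed_outbound:
                return "DROP"                 # outbound policy says no
            self.table.add(flow)              # remember it so replies are accepted
            return "ALLOW"
        # inbound and not a reply: only published services, rate-limited per source
        if dport not in self.published:
            return "DROP"
        self.new_inbound[src] += 1
        if self.new_inbound[src] > self.flood_limit:
            return "DROP"                     # exceeds the configured flood level
        self.table.add(flow)
        return "ALLOW"


def run(packets):
    fw = StatefulFirewall(allowed_outbound_ports={80, 443},
                          published_ports={8443}, flood_limit=3)
    return [fw.process(p) for p in packets]
```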
5. Traffic segmentation, which separates different types of traffic
VMware SD-WAN technology allows users to partition the network using segments and VRF (virtual routing and forwarding) features. Users can not only separate different types of traffic (enterprise, voice, guest, etc.), but also apply different firewall policies unique to each segment. For example, you can isolate guest traffic in a separate segment and disable corporate VPN features for it, thereby reducing the risk of lateral movement across the network.
6. Templateable firewall policy to quickly create security rules based on various criteria and easily apply them
Edge firewall offers ready-made templates for conveniently creating and managing policies. This allows administrators to quickly create security rules based on various criteria and easily apply them to multiple Edges across multiple sites, providing consistency across the entire corporate network and granular control.
7. Unified management and security monitoring in one console with VMware Edge Cloud Orchestrator
Firewall policies, like all components of the SASE infrastructure, are centrally managed from a single console using VMware SASE Orchestrator.
Centralized configuration, monitoring, and management enable administrators to maintain consistent security policies across sites. It also helps them to quickly respond to potential security events, and effectively diagnose and resolve problems, thereby reducing the risk of data leaks and other security incidents.
Additional network security and control options
In addition to the above, the Enhanced VMware SD-WAN Firewall Service includes:
- Advanced protection against viruses and malware, providing an additional layer of security to prevent threats.
- Deep packet analysis to provide more granular control and monitoring of network traffic.
- Automatic updates of signatures and detection algorithms to keep protection current against the latest threats.
- Support for cloud services and integration with cloud providers, making it easy to extend protection to cloud resources.
- Easy-to-use user interface for more intuitive security policy management and network monitoring.
- Integration with other VMware products and services, creating a comprehensive security system for the company’s entire IT infrastructure.
Conclusion
VMware SD-WAN Enhanced Firewall Service is an innovative network security solution. It is designed for midsize and enterprise customers looking to protect their distributed enterprise networks, including regional offices and remote branch offices. This solution is especially relevant for enterprises with distributed branch networks and cloud environments that face the challenges of legacy WAN architectures and the need to adapt to modern security threats.