Vmware Network Microsegmentation Solution Overview


SOLUTION OVERVIEW

VMware Network and Micro-Segmentation
Protect your east-west traffic with a purpose-built, distributed firewall

AT A GLANCE

The VMware Service-defined Firewall is a distributed, scale-out internal firewall that simplifies and automates both network segmentation and micro-segmentation with an intrinsic security approach and an agentless architecture.

Traditional perimeter firewall defenses aren’t enough

As the perimeter becomes more diffused and modern workloads become increasingly distributed, internal data center traffic (that is, east-west traffic) is left unprotected and vulnerable to lateral movements and data breaches. Traditional, appliance-based approaches to protecting the data center limit flexibility and scalability while driving additional complexity and cost.

To provide effective security, organizations need a distributed, scale-out internal firewall purpose-built for protecting east-west traffic—one that easily enables network segmentation and micro-segmentation across all applications. Alone or as part of a Zero Trust approach, segmentation divides data center infrastructure into small zones, allowing fine-grain control and inspection of traffic flows between workloads.

Simplified network segmentation and micro-segmentation


With the launch of software-defined networking and security in 2013, VMware
pioneered micro-segmentation. Today, the VMware Service-defined Firewall is the
only solution that provides a Layer 4 through 7 stateful firewall that delivers both
network segmentation and micro-segmentation. With the Service-defined Firewall,
security teams can deploy network segments easily, enable application isolation, and
achieve granular micro-segmentation with a single solution that provides consistent
policy enforcement across virtualized, containerized and bare-metal workloads
spanning private and public cloud environments (see Figure 1).
A distributed, scale-out internal firewall, the Service-defined Firewall is purpose-built
to protect east-west traffic from threats that get past the perimeter. The solution
includes firewalling, IDS/IPS and security analytics through VMware NSX® Intelligence™.


KEY BENEFITS

• Simplify architecture – Avoid network redesign complexity and the traffic hair-pinning associated with appliance firewall deployments. With a software-based, distributed firewall at every host, you can take advantage of stranded compute on generic hardware.
• Automate policy – Dramatically simplify operations with automated policy recommendations driven by unique visibility into network traffic and workload context. Provide developer agility and avoid stale rules with automated policy updates linked to the workload lifecycle.
• Improve security and coverage – Go beyond basic Layer 4 port-blocking policies to stateful Layer 7 firewall controls that include advanced threat protection with a distributed IDS/IPS, purpose-built to stop the lateral movement of attacks across multi-cloud environments.
• Eliminate agents and their vulnerabilities – Make your firewall immune to attackers with an agentless architecture that eliminates agent fatigue and minimizes operational overhead. Leverage security that’s built into the hypervisor via stateful Layer 7 inspection.
• Reduce costs – Compared to appliance-based firewalls, save up to 60 percent with a software-only solution that can run on any x86 hardware. Further reduce operational costs with policy automation.

[Figure 1, not reproduced: Test, Dev and Prod segments, each containing VMs, behind a Perimeter firewall.]
FIGURE 1: Network segmentation using the Service-defined Firewall.

[Figure 2, not reproduced: a Prod segment containing App 1 and App 2, each with its own VMs.]
FIGURE 2: Micro-segmentation using the Service-defined Firewall.


USE CASES

• Rapidly deploy network segments – Quickly create and reconfigure network segments, virtual security zones and partner domains by defining them entirely in software. Avoid the need to re-architect your network or deploy discrete appliances.
• Isolate and secure applications – Protect critical applications and shared services from compromise by auto-discovering application boundaries and applying application-level segmentation policies. Ensure policies stay up to date automatically as applications evolve or move.
• Achieve Zero Trust with micro-segmentation – Easily create, enforce and automatically manage granular micro-segmentation policies between applications, services and workloads across multi-cloud environments that span virtual machines, containers and bare-metal infrastructures.
• Secure virtual desktop environments – Block lateral movement between virtual desktops by enforcing security policies down to the RDSH session level based on user identity and context. Easily enforce desktop isolation with a single firewall policy for your entire virtual desktop infrastructure (VDI) environment.

Key capabilities

Automated application discovery
The Service-defined Firewall collects and analyzes information about applications and their communication flows to create a comprehensive map that helps administrators eliminate the guesswork involved in understanding application topologies.

Distributed IDS/IPS
VMware NSX Distributed IDS/IPS™ is an application-aware traffic inspection engine purpose-built for analyzing internal east-west traffic and detecting lateral threat movements. It combines industry-leading signature sets, protocol decoders and anomaly detection-based mechanisms to hunt for known and unknown attacks in traffic flows.

Automated policy recommendations
The Service-defined Firewall automatically generates recommendations—based on observed traffic flows—for micro-segmentation security policies.

Automated policy management
With the Service-defined Firewall, security teams can move at the speed of development to deliver a true public cloud experience on premises. An API-driven, object-based policy model ensures new workloads automatically inherit relevant security policies and automates policy mobility to workloads.

Agentless architecture
Built into the hypervisor, the Service-defined Firewall eliminates the need to install and configure separate software on each virtual machine. With data plane functions in kernel space, the firewall is immune to attackers attempting to neutralize it.

Security intrinsic to the infrastructure
Bolted-on security solutions can’t deliver the scalability, agility and cost-effectiveness needed by today’s security teams. As the only solution that makes security intrinsic to the infrastructure, the Service-defined Firewall is distributed, service-aware and operationally simple. With an internal firewall from VMware, CISOs and their teams can mitigate risk, enable compliance and move at the speed of development.

LEARN MORE

Check out the following resources to learn more about micro-segmentation and the VMware Service-defined Firewall, or reach out to your VMware Sales Representative for further details:
• Read about the VMware Service-defined Firewall: vmware.com/security/internal-firewall
• Visit the NSX Data Center page: vmware.com/products/nsx
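The two capabilities described above, recommending micro-segmentation rules from observed flows and keying those rules on workload objects so that new workloads inherit them, can be sketched as follows. This is an added Python example, not VMware or NSX code; the flows, workload tags and three-tier design intent are constructed for illustration.

```python
"""Added example: derive tag-based micro-segmentation rules from observed
east-west flows, review them, then enforce default-deny for any workload."""
from collections import Counter

# Constructed sample of observed flows: (src_workload, dst_workload, dst_port, proto)
OBSERVED_FLOWS = [
    ("web-01", "app-01", 8443, "tcp"),
    ("web-02", "app-01", 8443, "tcp"),
    ("app-01", "db-01", 5432, "tcp"),
    ("app-01", "db-01", 5432, "tcp"),   # repeated flow; must not produce a second rule
    ("web-01", "db-01", 5432, "tcp"),   # web tier reaching the db tier directly
]

# Constructed inventory: the policy object is an (application, tier) tag pair, not an IP
WORKLOAD_TAGS = {
    "web-01": ("shop", "web"), "web-02": ("shop", "web"),
    "app-01": ("shop", "app"), "db-01": ("shop", "db"),
}

# Constructed three-tier design intent, used to review what observation alone would allow
EXPECTED_TIER_PATHS = {("web", "app"), ("app", "db")}


def recommend_rules(flows, tags):
    """Collapse per-workload flows into tier-level allow rules:
    (src_app, src_tier, dst_app, dst_tier, dst_port, proto)."""
    seen = Counter(tags[src] + tags[dst] + (port, proto) for src, dst, port, proto in flows)
    return sorted(seen)


def review(rules):
    """Return recommended rules whose tier pair falls outside the design intent.
    Observation-based recommendation reproduces unwanted paths as faithfully as
    wanted ones, so these are checked before the rule set is enforced."""
    return [r for r in rules if (r[1], r[3]) not in EXPECTED_TIER_PATHS]


def is_allowed(rules, src_tag, dst_tag, port, proto):
    """Default-deny evaluation. Because rules key on tags, a workload added
    later with the same tags is covered without any rule being edited."""
    return (src_tag + dst_tag + (port, proto)) in set(rules)


if __name__ == "__main__":
    rules = recommend_rules(OBSERVED_FLOWS, WORKLOAD_TAGS)
    flagged = review(rules)
    approved = [r for r in rules if r not in flagged]
    print("flagged for review:", flagged)
    # A new app-tier workload inherits the approved app -> db rule automatically
    print(is_allowed(approved, ("shop", "app"), ("shop", "db"), 5432, "tcp"))   # True
    print(is_allowed(approved, ("shop", "web"), ("shop", "db"), 5432, "tcp"))   # False
```

The flagged web-to-db rule shows why recommendations derived from traffic are reviewed against design intent before enforcement: whatever was already flowing, wanted or not, is what observation will propose to allow.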

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 vmware.com Copyright © 2020 VMware, Inc.
All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents
listed at vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. and its subsidiaries in the United States and other jurisdictions.
All other marks and names mentioned herein may be trademarks of their respective companies. Item No: 601165aq-so-vmw-ntwk-micro-segmntn-uslet 7/20
