VMware NSX Advanced Firewall for VMware Cloud on AWS – VMware Cloud Community

We are pleased to announce a major expansion of VMware Cloud on AWS Network Security portfolio with the introduction of VMware NSX Advanced Firewall add-on.

As you migrate and modernize your applications on the cloud, NSX Advanced Firewall capabilities help you secure your applications against a never-expanding set of threats on the internet. Now you can:

• Detect attempts at exploiting vulnerabilities in your workloads.
• Gain protection against vulnerabilities inside your SDDC with granular application-level security policies.
• Reduce the attack surface of your workloads by allowing only the intended application traffic to run in your SDDC
• Seamlessly provide inspection for all traffic without a single inspection bottleneck
• Achieve your compliance goals

NSX Advanced Firewall in VMware Cloud on AWS includes

1. Distributed IDS/ IPS
2. Distributed Firewall with Layer 7 Application ID
3. Distributed Firewall with Active Directory based User ID – IDFW
4. Distributed Firewall with FQDN Filtering

Networking and Security in VMware Cloud on AWS

 VMware Cloud on AWS provides VMware’s enterprise class SDDC software on AWS cloud. It includes a robust set of networking and security capabilities that enable customers to run production applications in the cloud. Every SDDC is provisioned with the Gateway Firewall to protect the perimeter of the SDDC, and the Distributed Firewall to secure lateral communication across workloads inside the SDDC. Powered by the proven security capabilities of VMware NSX-T, Gateway and Distributed Firewall provide enterprise class Layer 4 security for applications in VMware Cloud on AWS:

• Gateway Firewall enables customers to selectively allow and deny traffic from and to applications deployed in the SDDC. It also controls access to management infrastructure, such as vCenter and NSX manager
• Distributed Firewall is built into the hypervisor and automatically scales across every host in the SDDC. Enabling micro-segmentation at the workload level, Distributed Firewall policies migrate with the VM when they move from host to host in the SDDC.

NSX Advanced Firewall features take the network security capabilities of VMware Cloud on AWS SDDC to the next level, allowing customers to define security policies at Layer 7 and enabling deep packet inspection across all vNICs within the SDDC.

What are the key use cases for NSX Advanced Firewall?

• Detect and prevent threats to your workloads using Distributed IDS/ IPS

Enterprises are constantly reminded of threats to their applications by a never-ending stream of news about exploits on the internet. With NSX Distributed IDS/ IPS, customers gain protection against attempts to exploit vulnerabilities in workloads on VMware Cloud on AWS. Distributed IDS/ IPS is an application-aware deep packet inspection engine that can examine and protect traffic inside the SDDC. Customers can detect and prevent lateral threat movement within the SDDC using the intrinsic security capabilities of Distributed IDS/IPS.

• Get curated threat signatures via the NSX Threat Intelligence Cloud Service

NSX Distributed IDS/IPS utilizes the latest threat signature sets and anomaly detection algorithms to identify attempts at exploiting vulnerabilities in applications. It is integrated with the NSX Threat Intelligence Cloud Service to always remain up to date on the latest threats identified on the Internet.

• Leverage context-aware threat detection

 Traditional IDS/IPS appliances have little contextual understanding of the applications running inside VMs. This lack of context makes it hard for security teams to filter noise from critical events that warrant immediate action which results in a broad application of signatures that has a significant impact on performance. NSX Distributed IDS/IPS, using VM tools, has access to rich context about each Guest VM. This assists the cloud admin to quickly respond to new threats and enable only the signatures that are relevant for each workload.

Traditional IDS/IPS implementation requires steering traffic through an appliance for inspection. This becomes especially challenging when inspection is required between workloads deployed on the same network segment. Like DFW, Distributed IDS/IPS is built into the hypervisor and inspection can be performed for all traffic coming into or leaving the VM. Since the inspection is performed on all the hypervisor hosts in a distributed manner, there is no single inspection bottleneck that chokes the traffic flow.

• Secure your applications with layer 7 Distributed Firewall

Go beyond simple IP/ port level layer 4 security to complete stateful layer 7 controls and filtering. Deep packet inspection (DPI) built into the Distributed Firewall enables you to allow only the intended application / protocols to run, while denying all other traffic at the source. This enables you to isolate sensitive applications by creating virtual zones within the SDDC. Distributed Firewall (DFW) layer 7 policies are enforced at the hypervisor (vNIC) level and can migrate with the VM when they move from host to host in the SDDC, ensuring there are no gaps in enforcement.

• Application profiles pre-built for enterprise applications

The Distributed Firewall is built with application profiles (Application IDs) for common enterprise applications. This makes it easy for customers to define layer 7 firewall rules that apply to specific workloads. The Context Profile for Application IDs can be customized over time as new applications are introduced to the SDDC. Granular micro-segmentation policies enable lateral threat protection on East-West traffic inside the SDDC.

• NSX Distributed Firewall with FQDN Filtering

Applications that communicate outside the SDDC also gain layer 7 protection using Distributed Firewall FQDN filtering capability. Customers can define specific FQDNs that are allowed and apply them to DFW policies. Conversely, customers can define specific FQDNs that are denied access to applications in the SDDC. The DFW maintains the context of VMs when they migrate. Customers increasingly rely on application profiling and FQDN filtering to reduce the attack surface of their applications to designated protocols and destinations.

• Control Access to virtual desktop applications with NSX Identity Firewall

Virtual Desktop Infrastructure (VDI) solutions such as VMware Horizon are popular among enterprises in the cloud. Enterprises with a shift-based or contractor-based workforce require a way to limit access to specific applications for defined periods of time. With Active Directory-based User ID profiles, NSX Distributed Firewall in VMware Cloud on AWS provides customers the capability to create identity-based user rules.

Customers can create groups based on User ID and define DFW rules to control access to virtual desktops and applications in the SDDC. Per user/ user session access control limits the amount of time and exposure users have to desktops or applications. Integration with Active Directory / LDAP enables the DFW to continuously curate user access to applications. User ID based rules are enforced by the DFW at the source, delivering pervasive, intrinsic security throughout the SDDC.

Many enterprises host sensitive applications that are required to meet PCI-DSS. Using the NSX Distributed IDS/ IPS and Layer 7 Distributed Firewall, you can achieve compliance requirements for your workloads on VMware Cloud on AWS.

Pricing information

VMware Cloud on AWS provides simple, flexible and cost-effective options to consume these powerful security capabilities. Offered as an add-on package in VMware Cloud on AWS, the VMware NSX can be purchased on-demand, or via 1-year or 3-year subscriptions, with the option to pay monthly or upfront. Prepaid longer-term subscription of hosts gives you up to 50% cost savings compared to on-demand hosts consumed over the equivalent period. This pricing is MSRP.

Activating the NSX Advanced Firewall add-on

Customers can purchase the NSX Advanced Firewall as an add-on in VMware Cloud on AWS.

To activate the Advanced Firewall capabilities in the SDDC, customers must first navigate to the Add-on tab in the SDDC UI and locate the NSX Advanced Firewall tile. Within the tile, select the appropriate option to activate the NSX Advanced Firewall. Once activation is complete, the SDDC is metered for usage of the NSX Advanced Firewall at the chosen rate.

To operate individual features, customers must proceed to the Networking and Security tab in the SDDC UI. Each of the features can be consumed separately.

De-activating the NSX Advanced Firewall to stop billing action

With on-demand consumption, customers can deactivate the NSX Advanced Firewall at any time. To stop billing for usage of the NSX Advanced Firewall, customers must remove all Distributed Firewall L7/ AppID/ UserID/ FQDN and Distributed IDS/IPS rules and deactivate the add-on. Customers can deactivate the Advanced Firewall in the add-on tab in the SDDC UI under the NSX Advanced Firewall tile. All Distributed Firewall L7/ AppID/ UserID/ FQDN and Distributed IDS/IPS rules must be removed prior to deactivation. Any DFW L7/ AppID/ UserID/ FQDN/ IDS/IPS rules that exist after deactivation will continue to incur charges for all hosts in the SDDC. Returning customers can pick up where they left off when they re-activate the add-on.

Learn More About VMware NSX Advanced Firewall add-on:

https://www.vmware.com/products/nsx-advanced-firewall-for-vmc.html

Additional Resources