UPDATED 10:37 EST / NOVEMBER 16 2020

SECURITY

VMware targets firewalls in first rollouts of its Modern Network framework

Building on the Project Monterey enterprise virtualization strategy it outlined at its VMworld conference last month, VMware Inc. today announced a framework for network, security and physical infrastructure services along with a new subscription service for home-based workers and virtual access control services.

The virtualization giant is particularly focused on eliminating the need for the hardware firewall, a mainstay of information technology security that executives said is wholly inadequate for the needs of today’s services-based applications.

Project Monterey is a new approach to deploying and securing data center resources that uses “SmartNICs.” Those are network interface cards that have the intelligence to run the full VMware virtualization stack and ancillary services, thereby enabling such functions as load-balancing, network optimization and security to be managed within the network itself.

In one of the first tangible outcomes of Project Monterey, VMware said its NSX Services-Defined Firewall will be available on a SmartNIC, enabling IT organizations to run stateful layer 4 firewall services at line speed. A stateful firewall tracks traffic in the context of each connection, rather than filtering individual packets in isolation, to detect patterns that might betray malicious activity. Layer 4 is the transport layer, which provides flow control, segmentation and error control.

VMware’s services-defined firewall strategy targets inter-server communication and can customize settings to the needs of individual applications. “Traditional applications were monolithic, with three tiers that at one point present three physical boxes,” said Tom Gillis, VMware’s general manager of networking and security. “It was relatively easy to think about managing those devices, but now we’re dealing with thousands of microservices. How do we firewall services that may only exist for a moment in time?”

Thousands of firewalls

The top-down approach VMware is taking distributes many mini-firewalls around the network, each tuned to the needs of the application. The company’s vRealize Log Insight log analyzer “can look at the application and feed back into the control plane to push rules down to the firewall that only apply to that application,” Gillis said. “When you tune the firewall and the associated [intrusion detection and prevention rules] to the service you can make a much smaller rule set.” The system can even identify unpatched vulnerabilities and route around them, he said.

By offloading firewall functions to a network of SmartNICs, “we can get 20 terabit-per-second firewall throughput, more than the largest hardware firewall can do, and we can deliver it at one-third the cost,” said Rajiv Ramaswami, chief operating officer for products and cloud services.

VMware also announced a preview of an attribute-based access control policy model that grants security clearances based upon profiles and behavior rather than passwords. “Deciding whether to let individual users in isn’t practical anymore,” Gillis said. “We are replacing that with status-based mode: who, what, where, when, how. If I’m coming in on an unmanaged laptop from Asia in the middle of the night, that may not be the kind of access we want to allow.”

Cloudlike network management

VMware’s Modern Network framework is based on its Virtual Cloud Network, a set of services built atop its NSX network virtualization platform that help ensure optimal performance and security similar to that of a public cloud. The company said that rather than being built up from a physical foundation, the Modern Network framework works down from the application layer and programmatically manages infrastructure to meet the needs of each application.

The framework has three pillars, the company said. The Modern Application Connectivity Services pillar enables developers to use self-service tools to connect the microservices of an application securely to reduce latency, strengthen security and ensure availability. The Multi-cloud Network Virtualization pillar provides essential network services like security and load-balancing defined in software. The Physical Network Infrastructure pillar manages hardware to maximize capacity and minimize latency.

VMware is building upon what it said is NSX’s unique ability to cover layers 2 through 7 of a virtual networking stack: switching, routing, firewall, security analytics, advanced load balancing and container networking. It’s layering in services from the Tanzu Service Mesh and Project Antrea, an open-source project that covers networking and security services specific to the Kubernetes container orchestrator.

Tanzu, formerly Cloud Foundry, which VMware picked up with its 2019 acquisition of Pivotal Software Inc., continues to be an intense focus of the company’s application modernization strategy. The NSX Advanced Load Balancer will be integrated with Tanzu Service Mesh to enable application developers using Kubernetes to launch an application with all required load balancing capabilities without touching infrastructure, VMware said. The application program interface-driven toolkit is built to deliver both load balancing and a web application firewall when it rolls out during the vendor’s second fiscal quarter, which ends in July.

“Developers should focus on developing, not configuring load balancers,” Gillis said. “Now they can call up all the services they need to make their applications secure and scalable.”

In a move to accommodate the millions of office employees who will be working from home for the near future, the company also announced SD-WAN Work from Home Subscriptions. It gives individual business users optimized connectivity, better application performance and improved security at an unspecified starting price that the vendor said is lower than the cost of a mobile phone subscription.
