
Does Your Perimeter Firewall Provide Enough Security?

A traditional appliance-based firewall can secure the network perimeter. But it wasn't made to secure traffic inside the network.


A perimeter firewall is necessary, but it is not enough. Picture this: an end user at a mid-size commercial firm clicks a link in a phishing email. The attacker now has a foothold behind the firewall. Without controls on lateral (east-west) traffic, the compromise can spread quickly from that first host across the network.

In fact, according to VMware's recent Threat Landscape Report, email is still the No. 1 vector to deliver malware, and four percent of all emails are malicious. So if you have 701 emails in your inbox right now, 28 of them may be malicious. Yikes.

Most data centre traffic stays within the data centre, behind the perimeter firewalls (east-west, internal or lateral traffic), as opposed to north-south traffic, which crosses the perimeter inbound or outbound. And most of the high-profile attacks in recent times have involved malware sitting inside the network, moving laterally from server to server and remaining undetected for months. This is what causes real damage. You simply need more visibility and control of your east-west traffic to prevent attackers' lateral movement.

Perimeter Firewalls Weren't Made to Secure East-West Traffic

Traditional appliance-based firewalls are certainly necessary to secure the network perimeter. But they weren't made to secure traffic inside the network: the growing east-west flows that move laterally inside the data centre.

According to a Forrester study, seven out of 10 enterprises reported being handicapped by an overreliance on perimeter firewalls and believed that they were overprovisioning these firewalls, which can be expensive. Fifty-seven percent agreed this meant a trade-off between coverage and operational flexibility and agility.

The two traffic flows have different volumes and characteristics, and a firewall built for one was not designed to be used for the other. Yet appliance-based perimeter firewalls are still being provisioned for east-west traffic monitoring. The problem is that the workaround involves tactics such as hairpinning: routing traffic between two internal workloads out to a central firewall appliance and back again so that it can be inspected. Every east-west flow then consumes appliance capacity, which creates bottlenecks during volume spikes, increases costs and decreases both control and performance. Here's a real-life example of why this matters:

The Problem with Hairpinning Network Traffic

A global telecommunications company with hundreds of millions of users in more than a dozen countries needed to protect business-critical, consumer-facing mobile application infrastructure. To do so, it needed to segment and secure large amounts of network traffic on in-house infrastructure using an internal firewall approach. The telecom decided to deploy a hardware-based firewall as its internal firewall solution.

It didn't take long for the company to begin experiencing performance issues. The appliance-based solution could not scale to protect all the workloads and traffic across the telecom's dev/test, production and DMZ zones. Because the traffic was hairpinned to and from the firewall appliances, the company experienced performance problems during traffic spikes when new versions of the application were released.

The Solution: Internal Firewalling

It's time to rethink data centre firewalling. Securing the internal network is complex, and IT security professionals can no longer shoehorn traditional appliance-based firewalls into this use case.

Internal firewalls, such as VMware's NSX Service-defined Firewall, are data centre firewalls that protect east-west (internal) traffic across private and public cloud environments at the granularity of workloads. Network security professionals use these firewalls to mitigate risk, prevent lateral movement of attackers and ensure compliance with the stated security policies of their organizations.

Take a deep dive into the concept of internal firewalling in this easy-to-read e-book: Internal Firewalls for Dummies.

VMware Named Market Leader in Firewall

Announced at this year's RSA Conference by CyberDefense Magazine, VMware was named a winner of the Global InfoSec Award as Market Leader in Firewall. One of VMware's core beliefs is that structural and architectural changes are needed in how organizations approach security. This means taking a fresh look at how to approach issues such as internal data centre security, and it's exactly what prompted VMware to deliver the NSX Service-defined Firewall.

One of the foundations of VMware security, the NSX Service-defined Firewall is a unique, distributed, scale-out internal firewall that protects all east-west traffic across all workloads without network changes. This radically simplifies the security deployment model. It includes a distributed firewall, advanced threat protection and network traffic analytics. With the VMware NSX Service-defined Firewall, security teams can protect their organizations from cyberattacks that make it past the traditional network perimeter and attempt to move laterally.

What Sets the Service-defined Firewall Apart

  • Distributed, granular enforcement: The NSX Service-defined Firewall provides distributed and granular enforcement of security policies to deliver protection down to the workload level, eliminating the need for network changes.
  • Scalability and throughput: Because it's distributed, the Service-defined Firewall is elastic, with the ability to auto scale as workloads spin up or down.
  • Intra-application visibility: The Service-defined Firewall automatically determines communication patterns across all types of workloads, makes security policy recommendations based on those patterns and checks that traffic flows conform to deployed policies.
  • Declarative API: With the NSX Service-defined Firewall, security teams can move at the speed of development to deliver a true public cloud experience on premises.
  • Advanced Threat Prevention: With the NSX Service-defined Firewall, security teams can easily deploy advanced threat prevention capabilities such as distributed IDS/IPS, network sandboxing and network traffic analysis/network detection and response (NTA/NDR) to protect against known and zero-day threats.

With these capabilities, customers can deploy network segments rapidly to get the speed and flexibility they need to quickly create and reconfigure network segments or virtual security zones by defining them entirely in software. The NSX Service-defined Firewall also allows users to prevent the lateral movement of attacks by extending east-west security with stateful Layer 7 firewalling, including AppID- and UserID-based policies, as well as advanced threat protection.

VMware's solution enables customers to meet regulatory requirements via its inspection of all traffic, which provides complete coverage to eliminate blind spots with a distributed IDS/IPS delivered in software. Finally, customers can easily create, enforce and automatically manage granular microsegmentation policies between applications, services and workloads across multicloud environments to achieve zero trust.
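The "intra-application visibility" bullet above and the microsegmentation paragraph describe the same workflow: observe which workloads talk to which, generalize those flows into tag-based allow rules, then check later traffic against the learned policy and push each workload only the rules it needs. The script below is an added example of that workflow written for this page; it is not NSX code and does not use any NSX API. The IP addresses, tier tags (`web`, `app`, `db`) and flow records are all constructed for illustration.

```python
"""Learn a workload-level allow-list from observed east-west flows, then check
new flows against it. Added illustration; not NSX or VMware code."""
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int, str]   # (src_ip, dst_ip, dst_port, proto)
Rule = Tuple[str, str, int, str]   # (src_tag, dst_tag, dst_port, proto)

# Constructed inventory: workload IP -> application-tier tag (hypothetical values).
INVENTORY: Dict[str, str] = {
    "10.0.1.11": "web", "10.0.1.12": "web",
    "10.0.2.21": "app", "10.0.2.22": "app",
    "10.0.3.31": "db",
}

# Constructed flows "captured" during a learning window (not real telemetry).
LEARNED_FLOWS: List[Flow] = [
    ("10.0.1.11", "10.0.2.21", 8443, "tcp"),
    ("10.0.1.12", "10.0.2.22", 8443, "tcp"),
    ("10.0.2.21", "10.0.3.31", 5432, "tcp"),
    ("10.0.2.22", "10.0.3.31", 5432, "tcp"),
    ("10.0.2.21", "10.0.2.22", 7946, "tcp"),   # app-tier gossip (constructed)
]


def recommend_rules(flows: Iterable[Flow], inventory: Dict[str, str]) -> Set[Rule]:
    """Generalize each observed workload-to-workload flow into a tag-to-tag rule.
    Flows touching a workload missing from the inventory are skipped: there is
    no tag to generalize to, and silently allowing them would widen the policy."""
    rules: Set[Rule] = set()
    for src, dst, port, proto in flows:
        if src in inventory and dst in inventory:
            rules.add((inventory[src], inventory[dst], port, proto))
    return rules


def evaluate(flow: Flow, rules: Set[Rule], inventory: Dict[str, str]) -> str:
    """Default-deny: a flow is allowed only if a learned rule covers it."""
    src, dst, port, proto = flow
    src_tag, dst_tag = inventory.get(src), inventory.get(dst)
    if src_tag is None or dst_tag is None:
        return "deny"
    return "allow" if (src_tag, dst_tag, port, proto) in rules else "deny"


def find_violations(flows: Iterable[Flow], rules: Set[Rule],
                    inventory: Dict[str, str]) -> List[Flow]:
    """Flows that do not conform to the deployed policy (candidate lateral movement)."""
    return [f for f in flows if evaluate(f, rules, inventory) == "deny"]


def inbound_rules_for(workload_ip: str, rules: Set[Rule],
                      inventory: Dict[str, str]) -> List[Rule]:
    """The slice of policy a per-workload enforcement point needs: only rules whose
    destination tag matches this workload. This is what distributed enforcement
    amounts to: each host filters its own inbound traffic, so nothing is hairpinned
    through a central appliance."""
    tag = inventory.get(workload_ip)
    return sorted(r for r in rules if r[1] == tag)


if __name__ == "__main__":
    policy = recommend_rules(LEARNED_FLOWS, INVENTORY)
    for rule in sorted(policy):
        print("allow", rule)
    # Constructed test traffic, including a compromised web host reaching for the database.
    candidate: List[Flow] = [
        ("10.0.1.11", "10.0.2.22", 8443, "tcp"),   # web -> app: covered by policy
        ("10.0.1.11", "10.0.3.31", 5432, "tcp"),   # web -> db directly: lateral movement
        ("10.0.2.21", "10.0.2.22", 22, "tcp"),     # app -> app ssh: never observed
        ("10.0.9.99", "10.0.3.31", 5432, "tcp"),   # unknown source workload
    ]
    for flow in find_violations(candidate, policy, INVENTORY):
        print("deny ", flow)
    print("rules pushed to db host:", inbound_rules_for("10.0.3.31", policy, INVENTORY))
```

One caveat a practitioner should keep in mind: a policy learned from traffic is only as trustworthy as the learning window. If an attacker was already moving laterally while flows were being recorded, their connections get baked into the recommended allow-list, so recommendations should be reviewed against the application's intended architecture before they are enforced.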
