All posts by gigadmin

Navigating the vDefend Security Journey

Stage 1: The Security Segmentation Score

It happens every time I talk to a Security Team. Someone says something like “Zero Trust sounds great, but where do I even start without breaking the whole network?” It’s a valid fear. Most organizations are flying blind, guessing which firewall rules are actually doing work and which ones are just legacy clutter. If you want real results, you need trackable metrics. That’s why the first step of the vDefend Security Journey isn’t about writing rules—it’s about getting your Security Segmentation Score.

Not another score to track!

Stay with me here. The goal here isn’t to give your managers another metric to track how well you’re doing your job as a Security team.

Instead, think of this as a “credit score” for your data center’s health. Rather than you manually auditing thousands of rows of spreadsheet data, the vDefend Security Services Platform (SSP) uses Security Intelligence to analyze your actual traffic flows (up to 30 days’ worth) and compares them against your existing Distributed Firewall (DFW) policies.

The result? A single number from 0 to 95 that tells you exactly how much of your environment is actually protected versus how much is sitting in an exposed “blast radius.”

Why not 100? Because, simply put, the only way to get a score of 100 on anything related to security is either to turn off the VM or unplug it from the network.

Let’s walk through the process together.

  1. Calculate Score: In the Security Services Platform, on the “Monitor & Plan” tab’s overview section, click “Calculate Score”.

The UI notes the following about each mode.

Strict
“Customers looking for a score that accurately reflects their data center security posture should use Strict mode. This mode highlights achieved security while applying stricter penalties for any allowed unidentified traffic.”

Relaxed
“Customers creating security policies for their data center workloads may be cautious about denying traffic for fear of disrupting production applications. Relaxed mode emphasizes progress in rule creation rather than strict enforcement.”

I recommend running Strict mode; at this point there is no actual enforcement happening, so there is minimal risk of causing any harm.

Now I’m already starting to see a picture of what I need to do in my environment to reduce my attack surface.

A few details to point out in the image above.

Infrastructure Protection score is 0 because all infrastructure flows are currently unprotected.

Environment Protection score is 0 because no environment is defined yet.

Application Protection score is 0 because no applications are currently secured, and the datacenter is not locked down.

Security Segmentation Reports

Sample Report

Breaking Down the Report: A Reality Check

When you pull your first Security Segmentation Report, don’t expect a gold star. In my recent assessment—run in Strict Mode over a 30-day period—the environment pulled a score of 6.

Why so low? Because in Strict Mode, the system doesn’t give you credit for “trying”; it only counts explicitly identified and secured traffic. Anything matching a “Default Allow” rule is a direct hit to your score.

The report looks at five core domains to see where you’re vulnerable. Here’s how my lab measured up:

  • Infrastructure Protection (2.5/5): We have the Distributed Firewall and Stateful services activated, but we haven’t actually blocked the risky stuff yet.
  • Environment Protection (0/2.5): Zero credit here. We haven’t defined “Production” vs. “Development” environments, so cross-contamination risk is at an all-time high.
  • Application Workload Protection (0/25): This is the big one. We have 93 application workloads running, and 100% of that traffic is unprotected.
  • Malicious IP Protection (0/5): We haven’t turned on the Malicious IP feeds yet, which is basically an “easy win” for the next stage.

Stage 1 Complete

Congratulations, you’ve just completed the first step in the Security Journey. Now that we’ve assessed your environment, we can move toward taking real steps to secure it.

This report is your prescriptive plan for locking down your data center and preventing attacks.

-Britton Johnson | @vcixnv | VCIX-NV | VCP-VCF9

Written by me.

Secure Clientless Remote Desktop with vDefend, Avi Load Balancer, Apache Guacamole, and Entra ID

For a long time now, I’ve been hearing from customers that they want a secure, clientless remote access solution they can trust. It might shock you just how many times I’ve run across enterprise IT orgs still dependent on a now-deprecated SSL VPN solution from a hardware firewall vendor. The only use case for it is giving third parties access to maintain systems via RDP.

Here’s what I’ve come up with. I’ve actually built this and will continue testing it. Apache Guacamole is open source and really not that hard to deploy in Docker. I used Claude to generate an install script, so I spent all of 10 minutes installing it. Given how Guacamole works, it’s not something you want to leave openly accessible, so it needs to be well protected.

The Architecture

  1. User: Hits the Avi Virtual Service (HTTPS).
  2. Avi (SAML SP): Redirects the user to Entra ID for MFA/SSO.
  3. Entra ID (IdP): Validates the user and sends a SAML token back to Avi.
  4. Avi: Validates the token and grants access to the Guacamole Web Server (Tomcat).
  5. Guacamole: Uses its internal guacd proxy to connect to the backend RDP servers.
  6. vDefend: Enforces lateral security by allowing only the Avi SEs to talk to Guac, and allowing Guac to talk only to the internal VMs that vDefend permits.

Aside from the security that Avi provides with full SSL encryption (including Let’s Encrypt certificates) and SAML for MFA, Avi also gives you unmatched end-to-end analytics, so if there are any performance issues you can quickly find them.

Lastly, I configure a vDefend Distributed Firewall Policy set to ensure maximum security around the whole setup.

  • An Allow rule so only the Avi Service Engines can talk to Guac
  • An Allow rule so Guac is only able to RDP to the hosts it must have access to
  • Block anything else, and don’t let Guac RDP to anything else
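The three rules above, modelled as a small first-match-wins policy evaluator with an explicit default deny, so you can check sample flows before switching the DFW policy to enforce. This is an added illustration and not vDefend/NSX code or its API; the group names, addresses and the 443/8080 ports for the Avi-to-Guac rule are assumptions, and the flows are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory groups; the addresses are assumptions for this example.
GROUPS = {
    "avi-se": ["10.0.10.0/28"],                       # Avi Service Engines
    "guacamole": ["10.0.20.5/32"],                    # Guac web server + guacd
    "rdp-hosts": ["10.0.30.11/32", "10.0.30.12/32"],  # systems third parties maintain
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str | None            # group name; None matches any source
    dst: str | None            # group name; None matches any destination
    ports: frozenset | None    # TCP destination ports; None matches any
    action: str                # "ALLOW" or "DROP"

# The three rules from the post, evaluated top-down, first match wins.
POLICY = [
    Rule("avi-to-guac", "avi-se", "guacamole", frozenset({443, 8080}), "ALLOW"),
    Rule("guac-to-rdp", "guacamole", "rdp-hosts", frozenset({3389}), "ALLOW"),
    Rule("default-deny", None, None, None, "DROP"),
]

def in_group(ip: str, group: str | None) -> bool:
    return group is None or any(ip_address(ip) in ip_network(n) for n in GROUPS[group])

def evaluate(src_ip: str, dst_ip: str, dport: int) -> tuple[str, str]:
    """Return (action, rule_name) of the first rule that matches the flow."""
    for r in POLICY:
        if in_group(src_ip, r.src) and in_group(dst_ip, r.dst) \
                and (r.ports is None or dport in r.ports):
            return r.action, r.name
    return "DROP", "implicit-deny"  # only reached if the explicit deny is removed

def allowed_flows(flows: list[tuple[str, str, int]]) -> list[tuple[str, str, int]]:
    """Flows the policy would permit; everything else is dropped once enforced."""
    return [f for f in flows if evaluate(*f)[0] == "ALLOW"]

# Constructed flows worth checking before switching the policy to enforce.
SAMPLE_FLOWS = [
    ("10.0.10.2", "10.0.20.5", 443),    # Avi SE -> Guac web UI
    ("10.0.20.5", "10.0.30.11", 3389),  # Guac -> a host it is meant to reach
    ("10.0.20.5", "10.0.30.99", 3389),  # Guac -> a host NOT on the list
    ("10.0.20.5", "10.0.30.11", 22),    # allowed host, but not RDP
    ("10.0.40.7", "10.0.20.5", 443),    # a workload reaching Guac around Avi
]
if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(*flow))
```

Only the first two sample flows come back as ALLOW; the other three land on the explicit default-deny rule, which is the behaviour the policy is meant to enforce.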

The end result is clientless access to only what I want, where I want it. I can even have Avi pass the authentication header through to Guac, so when the user signs in via SSO the identity is mapped all the way through; otherwise you get the standard Guac UI login.

In the testing I’ve done with this setup so far, it works well. I need to do more fine-tuning. And if I ever get Openclaw running, maybe I’ll have it write a better-looking front-end interface for Guacamole.

-Britton

This was written by Me. Not an LLM.

Building a Secure Private Cloud Pt.1

For many years now, I’ve been hearing from customers of all shapes and sizes a similar refrain: “Zero Trust is not achievable”, “Segmenting my apps for security takes too long”, “We can’t reconstruct the entire network just to make apps more secure”, “I don’t have visibility of what my apps are talking to”, “I already have too many security tools”… If you’ve worked in an enterprise IT organization for any length of time, you’ve heard all of these and more.

Having seen how the data center security problem is viewed from multiple angles, I come back to where I started, which is VMware (now VMware by Broadcom) and what we now call the vDefend Security Services Platform. This powerful solution encompasses both best-in-class defense with the Distributed Firewall and Advanced Threat Prevention services for complete security in the data center.

Over the coming weeks I’m going to take on each one of these critical feedback points and show how customers are able to overcome them. Change is hard, and at some point everyone has to answer this question: what do you want more, to remain the same, or real results with trackable metrics? I believe it goes without saying that remaining the same only leaves you vulnerable, so change is your only option. The attackers adapt their strategies constantly, and so must you. Let’s get started.

Leave comments on my LinkedIn post for this thread: https://www.linkedin.com/posts/gigabrit_new-blog-series-incoming-lets-build-a-secure-activity-7393754339036758016-K5Xn?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAxjQwQBCCc84y2NN2WWIkIqW1s6EbbbmHQ

-Britton Johnson | @vcixnv

VCIX-NV | VCAP-NV