安全分割评估是安全服务平台（SSP）5.0中的一项新功能，旨在通过提供组织当前安全态势的全面、数据驱动的视图来增强安全情报。它不仅能突出分割差距，还能提供可操作的建议，以抵御现代威胁。该功能适用于VMware vDefend防火墙和VMware vDefend高级威胁防护许可。传统边界防火墙已不足以应对勒索软件等威胁，攻击者常利用内部开放端口进行横向移动。安全分割评估通过识别分割缺失和风险区域，加速vDefend分布式防火墙（DFW）的部署，提供分割分数、高风险工作负载报告以及实施DFW的定制化指导，帮助组织快速实现有效的微分割和零信任安全模型。

🛡️ **增强安全态势与情报：** 安全分割评估作为SSP 5.0的新功能，为组织提供了一个全面的、基于数据的安全态势视图。它通过识别网络中的分割差距，并提供具体的、可操作的建议，来增强整体安全情报能力，帮助组织更有效地抵御勒索软件等日益复杂的威胁。

🚀 **加速微分割与零信任架构：** 面对现代分布式、动态的应用架构，传统的安全方法已显不足。安全分割评估通过加速vDefend分布式防火墙（DFW）的部署，识别出关键的分割缺失和风险点，从而帮助组织快速实现有效的微分割，并朝着零信任安全模型迈进。

📊 **量化评估与风险洞察：** 该评估通过“分割分数”和“分割报告”提供量化指标。分割分数基于流量和防火墙配置，直观展示了基础设施和应用的保护程度。分割报告则深入揭示高风险工作负载、通信链和潜在的攻击范围，并针对性地指出因风险协议、过时操作系统或公网暴露等造成的漏洞。

⚙️ **灵活的评估模式与多维度指标：** 为了适应不同成熟度的环境，安全分割评估提供“严格模式”和“宽松模式”。评估分数由多个维度构成，包括DFW运行状态、基础设施保护、环境保护以及应用保护，尤其重视对未识别流量的阻断，并考虑了工作负载的操作系统及协议的安全性。

🤝 **与现有安全策略协同：** 该功能与现有的安全情报建议以及自动发布功能无缝集成，能够快速迭代和持续改进安全态势。它不仅提供了洞察，还提供了实际的指导，帮助组织优化防火墙规则，实施最小权限原则，最终实现更强的 lateral security（横向安全）。

Security Segmentation Assessment is a new feature in Security Services Platform (SSP) 5.0 that enhances Security Intelligence by delivering a comprehensive, data-driven view of the organization’s current security posture. It not only highlights segmentation gaps but also provides actionable recommendations to harden your environment against modern threats.

This capability is available with both VMware vDefend Firewall and VMware vDefend Advanced Threat Prevention license SKUs.

USE CASE

Traditional perimeter firewalls are no longer sufficient to defend against sophisticated threats, such as ransomware. Once inside the network, attackers often exploit open ports and insecure protocols to move laterally—unchecked by perimeter controls that lack visibility into East-West traffic, which now constitutes over 90% of datacenter communication.

Modern applications are distributed, dynamic, and multi-tiered—making them difficult to protect using legacy approaches. Security Segmentation Assessment accelerates the deployment of the vDefend Distributed Firewall (DFW) by identifying where segmentation is missing and where risks remain.

It delivers:

A Segmentation Score based on observed flows and firewall configurations, offering a clear snapshot of how well your infrastructure and applications are protected.A Segmentation Report that surfaces high-risk workloads, communication chains, and potential blast radii.Tailored guidance for implementing DFW to close gaps, enforce least privilege, and move toward a zero-trust security model.

When used in conjunction with Security Intelligence recommendations and auto-publishing, organizations can fast-track their journey to effective micro-segmentation.

SOLUTION

Micro-segmentation is a phased journey—culminating in a security model where all unidentified traffic is dropped by default. Reaching this goal typically involves:

Identifying and grouping workloads by applicationDefining inter-application isolationMapping the required ports and protocols

Security Segmentation Assessment adapts to your current stage in this journey by offering two scoring modes:

Strict Mode – For environments where segmentation is complete and all essential firewall rules are in place.Relaxed Mode – For environments still in transition, where applications and rules are being actively defined.

The Segmentation Score is determined by various factors:

Distributed Firewall In Operation – Reflects the operational state of DFW and Malicious IP blocking in the environment under consideration.Infrastructure Protection – Quantifies the percentage of Infrastructure Traffic (DHCP, DNS, LDAP/Secure LDAP, NTP) that is protected by a non-default DFW rule. (A default rule is defined as a rule with Src=Any, Dst=Any, Service=Any and Action=Allow).Environment Protection – Quantifies the percentage of workloads in the environment that are covered by at least one rule configured under the Environment Category in DFW.
Zone segmentation rules are typically configured under this category. This section of the score is to ensure that all workloads are assigned to an appropriate zone, and zone protection rules are in place to isolate or allow communication between them.Application Protection – Quantifies the percentage of application workloads that are covered by at least one rule configured under the Application Category in DFW and percentage of Application Traffic that is protected by a non-default DFW rule. More importantly, it rewards the DFW consumer for dropping all unidentified traffic both at the application level and datacenter level. The distribution of weightage within the Application Protection section is determined by the mode selected during score computation.
Workloads without Obsolete OS & Risky Protocols – Quantifies the percentage of workloads in the environment that are neither running Obsolete OS nor Risky Protocols. 

The Segmentation Report delivers:

A detailed breakdown of the Segmentation Score, analyzing up to 30 days of flow data and firewall policies to assess protection levels across all workloads. It is recommended to at least run the report over an interval of 7 days to derive accurate analysis and recommendations. Visibility into vulnerabilities caused by risky protocols, outdated operating systems, or exposure to public IP addresses.

Actionable insights that complement existing Security Intelligence recommendations, allowing for rapid iteration and continuous posture improvement.