SECURITY

Do You Need A Virtual Firewall?

2/7/2013 11:32:13 AM

Weighing Physical vs. Virtual Options

If your company is running a virtualized environment, the question is bound to come up (if it hasn’t already): Does it make sense to implement a virtual firewall? The answer, however, can depend on numerous company-specific factors. There are also questions as to where to locate the firewall and what type of implementation is most appropriate for your company.

We will explain how virtual firewalls differ from traditional, on-premises firewalls, and then explore issues related to determining whether your company needs a virtual firewall and how to implement it.

Physical vs. Virtual

As Jon Oltsik, Enterprise Strategy Group (www.esg-global.com) senior principal analyst, aptly puts it, the biggest difference between a virtual firewall and a physical firewall is fairly obvious: A physical firewall is essentially a piece of standalone hardware, while a virtual firewall is a virtual appliance installed on top of virtualization management software. "This difference should not impact functionality, but it may impact performance," Oltsik says. "Virtual firewalls also require some security oversight to lock down the physical server and hypervisor."

Mike Fratto, senior analyst with Current Analysis (www.currentanalysis.com), says aside from certain performance characteristics, in many cases a virtual and physical firewall from the same vendor are functionally equivalent. "Virtual appliances typically support less performance than hardware because virtual appliances are software-based, are on shared hardware, etc.," he says. A physical firewall, meanwhile, sits at a fixed position in the network and creates a hard exterior at the perimeter "but does nothing for traffic running over the virtual network," he says.

Overall, Fratto says physical firewalls make sense when trying to establish a hardened perimeter, including one that protects the virtual infrastructure, services, etc., from unauthorized use. Here, he says, "an existing data center firewall may suffice." Virtual firewalls, meanwhile, are often targeted at a subset of services running within the virtual environment rather than the entire environment. Thus, he says, "you end up with a bunch of little perimeters based on applications or departments," for example, rather than one large perimeter. That means applications can be better protected from attack than if using VLANs and other isolation techniques, he says.

Another distinction between physical and virtual firewalls is that a virtual firewall and the servers it protects can reside anywhere in the virtual environment, something that allows the movement of virtual machines while maintaining the virtual perimeter, Fratto says.

Common firewall implementations

Currently, most organizations still use firewall appliances vs. virtual firewalls, Oltsik says. "Sometimes, they use multifunction security devices, but it is still a security device," he says. Oltsik anticipates virtual firewall implementations will increase as users grow more comfortable with using virtualization technology and as companies seek to increase their support of cloud computing and server virtualization efforts.

Among the types of firewalls available, Fratto says stateful packet filtering is the most commonly used among businesses, as are application proxies that are specialized to a particular protocol, such as HTTP, or a particular application, such as one enabling access to company email via Web access.

In terms of where to locate a virtual firewall compared to a physical firewall, Fratto says physical firewalls are generally positioned at network choke points whereas virtual firewalls are positioned closer to applications. "It doesn't make sense to try to deploy a virtual firewall like a physical one because each hypervisor is its own connection to the physical network," he says. This may change in the future, Fratto says, but currently if you have 10 hypervisors you have to have individual connections to the physical network.

Oltsik says that while companies should place primary network firewalls in the same locations regardless of whether they are physical or virtual in nature, "virtual firewalls are handy because you can deploy them anywhere instantly. This gives a lot of new options for network segmentation and access control," he says.

Is a virtual firewall practical?

When determining whether a virtual firewall makes sense, performance is a significant factor, Fratto says. In this context, performance means "more than bits per second." Depending on the type of firewall, he says, "factors like connections per second, number of concurrent connections, and any Layer 4-7 checking can be significantly reduced on a virtual firewall." Performance is one reason why virtual firewalls are best-suited for targeted applications vs. being used as a general physical firewall replacement, he says. "If the virtual firewall can't support the traffic demands, then companies need to look to either load balancing across more than one firewall or using a hardware firewall."

Other factors can include a given company's virtual environment and its future plans, Fratto says. Elsewhere, for companies that already have a physical firewall in place, he says, implementing a virtual firewall from the same company will ease deployment and manageability, as "the learning curve is much shorter, if there is any at all." He adds, though, that the virtual firewall and physical firewall "should be manageable via the same management station so it simply appears to be a firewall regardless." Companies can mix and match firewalls as needed, such as by using a virtual firewall in the virtualization environment and a physical firewall elsewhere, but "that means more management overhead."

Another issue to keep in mind, Fratto says, is licensing. "Virtual firewalls can be pretty pricey compared to the capabilities they provide." Usually, he says, virtual firewalls are licensed per unit, "which can add up." Companies should also consider the cloud platforms they're looking to support if planning to move to a private cloud platform or a public cloud provider, he says. "While many of the public cloud providers offer basic firewalls as part of their services, using a known firewall is often easier operationally."

Where SMBs are specifically concerned, Oltsik says a virtual firewall is preferable to a physical firewall only if the company is comfortable with using virtualization technology and the company is able to select a virtual firewall that's designed especially for SMBs. That means it should provide good ease of use, standard configuration templates, simple rule configuration, and other benefits. Fratto says the question isn't whether an SMB should or shouldn't buy a virtual firewall. The question is "whether a virtual firewall will be suitable or not. If an SMB is running a virtual environment and it needs firewalling closer to their applications, then it makes sense. Otherwise not."

Other considerations

When deciding whether to use a virtual or physical firewall or a hybrid approach combining the two, companies need to mull over several primary considerations, including how comfortable the company is with using virtualization technology. If the company is comfortable with provisioning, maintaining, and securing a virtual firewall, Oltsik says, "then it shouldn't be a problem." Oltsik notes that he sees virtual firewalls often in remote offices of larger companies, as well as in hosting and cloud data centers to segment resources for multi-tenancy. Though he doesn't see virtual firewalls as much in SMBs, he says, "that may change."

One consideration companies should keep in mind regarding virtual firewalls is how regulated the company is. Highly regulated companies, Oltsik says, should check with their auditors to determine whether a virtual configuration constitutes a compliance violation. Location is another consideration, he says, as "it may take weeks to get a firewall appliance through customs in some countries, while a virtual machine can be downloaded instantly."

If the company has numerous remote offices, Oltsik says, "it may be best to deploy virtual firewalls in standard configurations and then centrally manage them." Further, he says, "I would also think long and hard about whether you want to dedicate a physical server to the firewall or run multiple virtual machines on a server that hosts virtual firewalls. From a security perspective, running multiple virtual machines could be a bad idea, and I can't imagine it would meet regulatory compliance requirements."

Where hybrid configurations are concerned, Fratto says, locating a physical firewall in front of a virtual environment can make sense "just to restrict access to the underlying virtual environment, which is separate from restricting access to servers in the virtual environment." The primary consideration of which firewall setup to use, however, is whether the company's security policies or external requirements (such as regulations) dictate that a more targeted firewall strategy is necessary, he says. "A related consideration is whether the company has to document and prove out their security architecture," Fratto adds.

A physical firewall sitting at the perimeter of the virtual network can provide adequate protection for applications running in the virtual environment, Fratto says. "IT can create traffic separation within the virtual environment using VLANs, for example. If a server on one VLAN wants to talk to another server on a different VLAN, the traffic has to pass through a router that can reside at the perimeter or at the edge, or the server has to have multiple interfaces on multiple VLANs," Fratto says. "Either way, you probably only want to allow access to a subset of services on the server, so a virtual firewall can limit connections to exactly what is needed to allow the application to work."

The additional burden comes when it's time to prove that an application was only accessed by authorized systems, as there might be issues demonstrating that VLAN separation is good enough, he says. "The best thing to do is work with whoever manages your company's security policy and regulatory compliance to determine how your company will meet the requirements," he says.
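Fratto's two points above, that a virtual firewall next to an application should admit only the connections the application needs and that proving authorized-only access is the hard part, as an added Python example that is not from the article or either analyst: it checks constructed east-west flow records against a hypothetical per-application policy and reports the flows that VLAN separation alone would have let through. The application names, addresses, policy entries and log format are all assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

# A flow record: source IP, destination IP, destination port, protocol.
Conn = namedtuple("Conn", "src dst port proto")

# Hypothetical micro-perimeter policy: for each protected application, the only
# (source network, destination port, protocol) tuples it needs to function.
POLICY = {
    "payroll-web": [("10.10.20.0/24", 443, "tcp")],   # office VLAN -> HTTPS only
    "payroll-db": [("10.10.30.5/32", 5432, "tcp")],   # web tier only -> PostgreSQL
}
# Hypothetical VM addresses in the virtual environment and the app each belongs to.
APP_OF = {"10.10.30.5": "payroll-web", "10.10.30.9": "payroll-db"}


def is_authorized(conn):
    """True only if the destination app's policy explicitly permits this flow."""
    app = APP_OF.get(conn.dst)
    if app is None:
        return False
    src = ipaddress.ip_address(conn.src)
    return any(src in ipaddress.ip_network(net) and conn.port == port and conn.proto == proto
               for net, port, proto in POLICY[app])


def parse_flow_log(lines):
    """Parse constructed lines of the form '<timestamp> <src> <dst> <port> <proto>'."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines rather than guessing fields
        _, src, dst, port, proto = parts
        yield Conn(src, dst, int(port), proto.lower())


def audit(lines):
    """Split flows aimed at protected hosts into (authorized, unauthorized) lists."""
    ok, bad = [], []
    for conn in parse_flow_log(lines):
        if conn.dst not in APP_OF:
            continue  # host is not behind a virtual firewall; out of scope
        (ok if is_authorized(conn) else bad).append(conn)
    return ok, bad


# Constructed flow records; line 3 is the office VLAN reaching the database
# directly, which a VLAN boundary alone does not stop, and line 4 is SSH to the web tier.
SAMPLE_LOG = """\
2013-02-07T11:30:01 10.10.20.15 10.10.30.5 443 tcp
2013-02-07T11:30:02 10.10.30.5 10.10.30.9 5432 tcp
2013-02-07T11:30:03 10.10.20.15 10.10.30.9 5432 tcp
2013-02-07T11:30:04 10.10.20.15 10.10.30.5 22 tcp
2013-02-07T11:30:05 10.10.20.15 10.10.40.7 80 tcp
"""
```

The unauthorized list from `audit(SAMPLE_LOG.splitlines())` is the evidence an auditor would ask for: every flow to a protected application that fell outside the documented policy.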

Key points

Performance is a key factor in determining whether using a virtual firewall makes practical sense.

A virtual firewall can be preferable to a physical firewall for an SMB if the company is comfortable with virtualization technology and the virtual firewall is designed for SMBs.

Beyond some performance traits, a virtual and physical firewall from the same vendor often can be functionally equivalent.

When considering the use of a virtual firewall, keep in mind how highly regulated the company is.
