Wednesday, February 22, 2012

When to use virtual firewalls

I wrote about firewall vendor CheckPoint and their first launch of a virtual firewall for VMware environments back in 2009 and I also wrote an update about that posting here.

I had meant to write a followup to those postings some while back because later they did both ship a proper hypervizor integrated firewall and fixed their licensing model. According to their new licensing model it's in many cases cheaper to deploy a virtual firewall than a physical one.

I did also test their new firewall (in 2011) and verified that it did what it should, but I never completed everything I wanted to test and I never got around to writing that followup posting with everything fresh in mind.

The difference between a virtual firewall and a physical one is that the virtual firewall lives inside the hypervisor and is able to protect VMs from each other even if they're living on the same subnet while traditional firewalls are acting as gateways protect different networks from each other. A physical firewall may also have parts of it's functionality in silicon (special hardware) while a virtual one has to rely on doing everything in software.  You can also run the firewall in Network mode and it will then act as a traditional firewall between networks.

Having things done in hardware sounds good, but as technology has evolved the standard hardware has also become faster and is now sometimes faster or have similar performance as doing it in hardware. Hardware vs software iSCSI is a good example of this.

The advantages of virtual firewalls are clear, and even though many are skeptic to their performance I still have not seen any proper performance comparisons with physical ones. I hope to get around to such testing at some point, because I have a feeling that the performance will be good enough for many environments and it's easy to scale out in a virtual environment if needed.

The topic of the discussion on episode 77 of the Virtualization Security Roundtable is "When to use a Virtual Firewall". Several different firewall vendors are mentioned and it has a few good moments. Well worth a listen.