Do you need virtual firewalls? What to consider first

John Burke, Contributor

The size of the virtual hole in enterprise security is daunting. Virtual firewalls may be a solution, but there are many factors to consider first.

What are virtual firewalls?

Virtual firewalls are virtual appliances that re-create the functions of a physical firewall. They run inside the same virtual environments as the workloads they protect. Because they sit inside the virtual environment, they apply policy to traffic that is invisible to the physical network, securing it without negating the agility that virtualization brings. They don't necessarily care whether the virtual machines (VMs) are in the data center or floating up to an Infrastructure as a Service (IaaS) environment.

Why the need for virtual firewalls?

Currently, more than 97% of companies virtualize servers, and more than 53% of the workloads running in the data center are on virtual servers. During the conversion from physical to virtual, the security structures that sat between servers on the physical network are either dropped or kept as physical systems.

When physical firewalls are used to address virtual traffic, this traffic must be routed out of the virtual environment, through the physical security infrastructure, and back into the virtual environment. This kind of hairpinning adds complexity, increases fragility and decreases the ability to move workloads around. What's more, things only get more difficult as enterprises extend their reach into IaaS environments. Currently, 17% of companies use IaaS, and an increasing number of IT shops are using it for customer-facing work.

Given this, it's clear that IT must secure both the internal virtual environment and the external network. Virtual firewalls can be used for both.


Planning a virtual firewall strategy

If you're considering virtual firewalls for IaaS or other public cloud use, it is important to be sure the virtual appliance you use internally can be provided on your cloud provider's platform. If the virtual appliance only runs under VMware, but you need it to work in a Xen- or KVM-based IaaS environment, you will be out of luck.

Why a single-policy environment for physical and virtual firewalls?

It's best to integrate virtual and physical firewalls into the same policy environment, and it's better to use a single tool set for both. A single environment means business users can be sure that the same access controls will follow their data wherever it flows. A single environment also means IT doesn't have to:

maintain and synchronize activity across parallel environments;

keep up multiple staff skill sets;

continually maintain cross-platform verifications of policy equivalence;

manage multiple vendor and support relationships.

In an ideal virtual firewall scenario, you would have a single firewall vendor that provides a virtual platform running under the hypervisors you need, and you would have tools that manage both virtual and physical appliances.

Products capable of managing a single vendor's virtual and physical appliances together include Cisco's Secure Policy Manager, McAfee's Firewall Enterprise Control Center and StoneSoft's StoneGate Management Center. 

While multivendor environments are not ideal, a few tools can manage multivendor firewall deployments; vendors in this space include FireMon and Tufin.
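The "cross-platform verifications of policy equivalence" listed above are the kind of task that a single policy environment eliminates. When you do have to run parallel physical and virtual rule bases, the check looks roughly like the following. This is an added illustration, not code from the article or from any of the vendors named; both rule-export formats and the sample rules are constructed for the example and do not correspond to a real product's syntax.

```python
"""Check that a physical and a virtual firewall enforce the same policy.

Added example (not from the article). Both export formats below are
constructed for illustration; real exports need a real parser.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Vendor-neutral form of one rule so the two rule bases can be compared."""
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str                       # destination port or "any"


def parse_physical(line: str) -> Rule:
    # Constructed format: "permit tcp 10.0.1.0/24 -> 10.0.2.10/32 port 443"
    action, proto, src, _arrow, dst, _kw, port = line.split()
    return Rule("allow" if action == "permit" else "deny", proto,
                ipaddress.ip_network(src), ipaddress.ip_network(dst), port)


def parse_virtual(line: str) -> Rule:
    # Constructed format: "action=allow proto=tcp src=10.0.1.0/24 dst=10.0.2.10 dport=443"
    # A host without a prefix length (dst=10.0.2.10) normalizes to a /32,
    # which is what makes it comparable to the physical side's 10.0.2.10/32.
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Rule(kv["action"], kv["proto"],
                ipaddress.ip_network(kv["src"]), ipaddress.ip_network(kv["dst"]),
                kv.get("dport", "any"))


def policy_diff(physical_lines, virtual_lines):
    """Report rules present on only one side and whether the order matches.

    Firewall rules are evaluated top-down, so two rule bases with the same
    set of rules in a different order are not equivalent either.
    """
    phys = [parse_physical(l) for l in physical_lines if l.strip()]
    virt = [parse_virtual(l) for l in virtual_lines if l.strip()]
    return {
        "only_physical": [r for r in phys if r not in virt],
        "only_virtual": [r for r in virt if r not in phys],
        "order_matches": phys == virt,
    }


def is_equivalent(physical_lines, virtual_lines) -> bool:
    d = policy_diff(physical_lines, virtual_lines)
    return not d["only_physical"] and not d["only_virtual"] and d["order_matches"]


# Constructed sample rule bases: the virtual side has drifted and is missing
# the database rule that the physical firewall still carries.
PHYSICAL_RULES = [
    "permit tcp 10.0.1.0/24 -> 10.0.2.10/32 port 443",
    "permit tcp 10.0.1.0/24 -> 10.0.2.11/32 port 3306",
    "deny any 0.0.0.0/0 -> 10.0.2.0/24 port any",
]
VIRTUAL_RULES_DRIFTED = [
    "action=allow proto=tcp src=10.0.1.0/24 dst=10.0.2.10 dport=443",
    "action=deny proto=any src=0.0.0.0/0 dst=10.0.2.0/24",
]
VIRTUAL_RULES_SYNCED = [
    "action=allow proto=tcp src=10.0.1.0/24 dst=10.0.2.10 dport=443",
    "action=allow proto=tcp src=10.0.1.0/24 dst=10.0.2.11 dport=3306",
    "action=deny proto=any src=0.0.0.0/0 dst=10.0.2.0/24",
]

if __name__ == "__main__":
    for r in policy_diff(PHYSICAL_RULES, VIRTUAL_RULES_DRIFTED)["only_physical"]:
        print("missing on virtual firewall:", r)
    print("synced copy equivalent:", is_equivalent(PHYSICAL_RULES, VIRTUAL_RULES_SYNCED))
```

Run against the drifted export, the check flags the missing port 3306 rule; against the synced export it reports equivalence. Even this toy version shows why the comparison is tedious to keep up: every vendor format needs its own normalizer, and ordering, address objects and service groups all have to be flattened before two rules can be compared at all.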

Virtual firewalls and IaaS: Potential challenges

Before you start jumping those hurdles for IaaS, consider whether a virtual appliance in IaaS will fit into your compliance or security framework. Using a virtual firewall in an IaaS environment, even if it is your own chosen virtual appliance, implies a level of trust in the cloud provider, since VM-to-VM traffic will be visible to whoever controls that environment.

If you can't assert this level of trust for the cloud platform, you must instead resort to host-based firewall or VPN solutions that filter traffic in and out of each VM. These consume more resources than virtual appliances because, for example, a packet that would be dropped once at an appliance might instead have to be dropped on every server that would have been sitting behind that appliance. Nevertheless, host-based firewalls and VPN solutions require no additional level of trust in the cloud provider.

Breaking down IT silos for virtual firewall implementation

Lastly, a very practical point: Systems, security and network folks should not undertake virtual firewall rollout in a vacuum. All three groups must be involved in developing guidelines for when, how and why virtual firewalls will be implemented. All three must have a voice in planning and management, as well as visibility into the virtual firewall infrastructure. Without cooperation, all three teams are bound to step on each other's toes.

About the author: John Burke is a principal research analyst with Nemertes Research, where he advises key enterprise and vendor clients, conducts and analyzes primary research, and writes thought-leadership pieces across a wide variety of topics.