How to evaluate virtual firewalls

Dave Shackleford

As their virtualized infrastructure grows, many organizations feel the need to adapt and extend existing physical network security tools to provide greater visibility and functionality in these environments. Virtual firewalls are one of the leading virtual security products available today, and there are quite a few to choose from; Check Point has a Virtual Edition (VE) of its VPN-1 firewall, and Cisco is about to offer a virtual gateway product that emulates its ASA line of firewalls fairly closely. Juniper has a more purpose-built Virtual Gateway (the vGW line) that is derived from its Altor Networks acquisition, and Catbird and Reflex Systems also have virtual firewall products and capabilities. So what do you look for when evaluating virtual firewall technology?

Virtual firewalls: management and scalability

Before digging into the specifics of virtual firewalls, it's important to determine whether you really need one or not. Very small virtualization deployments won't likely need one. However, with a large number of virtual machines of varying sensitivity levels, and highly complex virtual networks, there's a fair chance that virtual firewall technology could play a role in your layered defense strategy.. Note that it's highly unlikely that virtual firewalls will replace all your physical firewalls in most cases (although some consolidation is expected for those with a large number of physical firewalls). Assuming you need one -- now what?

There are several key considerations any security or network team should include when reviewing virtual firewalls. The first two aspects you'll need to evaluate are similar to what you'd evaluate for physical firewalls: scale and management. In terms of management,  you'll first want to determine whether the firewall is largely managed through a standalone console (usually Web-based), or integrates into the virtualization management platform (such as VMware's vCenter). For those with a standalone console, the standard management considerations apply, such as ease of use, role-based access controls, granularity of configuration options, etc. Another consideration is the command-line management capabilities of the virtual device, and how they're accessed. For example, most Cisco engineers prefer command-line IOS operation, and most virtual firewalls can be accessed via SSH.

Scale is critical in virtual firewalls, especially for very large and complex environments. Virtual firewall scalability comes down to two aspects. First, you'll need to determine how many virtual machines and/or virtual switches a single virtual firewall can accommodate. For large environments with numerous virtual switches and VMs on a single hypervisor, this can be a big issue. The second major scalability concern is the number of virtual firewalls that can be managed from the vendor's console, and how well policies and configuration details can be shared between the various virtual firewall devices.

Virtual firewalls: integration

A crucial evaluation point for virtual firewall devices is how the firewall actually integrates into the virtualization platform or environment. There are two common implementation methods. The first is the simplest: a firewall that is a virtual appliance or specialized virtual machine (VM). This can be loaded on a hypervisor just like any other VM, and then configured to work with new or existing virtual switches. The advantage to this model is its simplicity and ease of implementation, while the disadvantages include higher performance impact on the hypervisor, less integration with the virtualization infrastructure, and possibly fewer configuration options.

The second implementation method is to integrate fully with the hypervisor kernel, also known as the Virtual Machine Monitor (VMM). This affords access to the native hypervisor and management platform APIs, as well as streamlined performance and  lower-level recognition of VM traffic, but may also necessitate additional time and effort to properly install and configure the platform, and some highly customized virtualization environments may encounter stability issues or conflicts.

Other factors to consider when evaluating virtual firewalls include physical security integration and VM security policy depth and breadth. Virtual firewalls can "see" what is happening in a virtual environment, but can they relay alerts and security information to their physical counterparts? Look for any native or simple integration capabilities with physical firewalls, IDS/IPS and event management platforms. In addition, virtual firewalls can and should evaluate VM configurations and security posture above and beyond the traffic coming and going into the virtual environment. Some virtual firewalls can perform antimalware, network access control (NAC) and configuration management and control functions, all of which add significant value.

About the author:

Dave Shackleford is the senior vice president of research and the chief technology officer at IANS. Dave is a SANS analyst, instructor and course author, as well as a GIAC technical director.
build-access-manage at