What Exactly Are Virtual Firewalls?

Kaage added a great comment to my Virtual Firewall Taxonomy post:

And many of physical firewalls can be virtualized. One physical firewall can have multiple virtual firewalls inside. They all have their own routing table, rule base and management interface.

He’s absolutely right, but there’s a huge difference between security contexts (to use the ASA terminology) and firewalls running in VMs.

Transport network independence: firewalls running in VMs rely on the underlying hypervisor to provide network connectivity – you connect the firewall’s virtual NICs to VLANs, VXLAN segments or whatever other virtual networking technology you prefer through hypervisor management tools (example: vCenter, vCNS, vCloud Director ...). You can thus use VM-based firewalls with any virtual networking technology the hypervisor supports.

Security contexts in a physical firewall can only use the virtual networking technologies supported by the firewall operating system itself. Today we’re limited to VLANs; no physical firewall I’m aware of supports VXLAN or NVGRE.

Is there a firewall supporting MPLS/VPN PE-router functionality? Please write a comment.

Configuration management: Configuration of a security context is stored in the physical firewall. If you want to move the firewalling functionality (example: data center migration), you have to copy the configuration to another physical firewall.

Please don’t even mention the incredibly creative idea of running a stretched active/active firewall cluster across two data centers. Been there, moved on.

Configuration of a VM-based firewall is usually stored on its virtual disk. Moving the firewall and its configuration to a different physical location is thus a simple point-and-click exercise (well, maybe not if you want to move a running firewall, but you know what I mean).
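As an added illustration of the last two points (this fragment is not from the original post and is not a reference configuration from any vendor), here is what a Cisco ASA multiple-context setup looks like at the system level: the VLAN subinterfaces a context is allowed to use are created in the system execution space of the physical appliance, and each context’s configuration is stored at a config-url on the appliance’s own flash. The interface names, VLAN IDs, context names and file names are assumptions for the example.

```cisco
! System execution space of the physical ASA (assumed interface names, VLAN IDs, context names)
! The transport options available to a context are exactly the ones the firewall OS
! can create here: 802.1Q subinterfaces. There is no equivalent for VXLAN or NVGRE segments.
mode multiple
!
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.110
 vlan 110
!
interface GigabitEthernet0/1.120
 vlan 120
!
! The admin context and its configuration file live on the appliance flash (disk0:)
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! A tenant context: its own routing table, rule base and management access,
! but its interfaces are borrowed from the system space and its config file
! is a file on this chassis, not something that moves with a workload.
context tenant-a
 description Example tenant context (assumed name)
 allocate-interface GigabitEthernet0/1.110 outside
 allocate-interface GigabitEthernet0/1.120 inside
 config-url disk0:/tenant-a.cfg
```

Because `config-url` points at the local flash, relocating the context to another chassis means copying `tenant-a.cfg` over and re-creating the `context` definition and interface allocations on the target; `changeto context tenant-a` switches the CLI into the context to manage its routing table and rule base. A VM-based firewall carries all of that on its virtual disk and gets its uplinks from whatever port group or segment the hypervisor hands it.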

Workload mobility: It’s extremely easy to move a VM-based firewall with the workload it’s protecting, significantly simplifying disaster recovery procedures (example: VMware’s SRM). Moving the configuration of a physical firewall during the disaster recovery process is an intriguing task, more so if you have to merge it with an existing configuration of the target firewall.

What next? It’s obvious we need better terminology ... or an agreement that there are security contexts and VM/hypervisor-based virtual firewalls. Comments?

More information

Virtual firewalls are described in the Introduction to Virtual Networking webinar, you’ll find more details in the VMware Networking Deep Dive webinar and some use cases in Cloud Computing Networking webinar. All three webinars are available with the yearly subscription ... and don’t forget to check out the ExpertExpress service if you need a quick design review or second opinion.

20 comments:

  1. Ivan.

    If you are a "BIG" customer FortiNET can provide you with MPLS/PE.

    A certain BIG BIG US provider has this. It was made for this customer.

    All the small Juniper SRXs support MPLS.

    Replies
    1. I knew there was something out there ;) Thank you!

    2. Be aware that the Juniper SRX only supports a single VLAN tag on an interface.

    3. And using SRX in production is DISASTER anyways!

  2. Even the smaller Huawei USG firewall can do MPLS VPN, you don't need to be a big big customer: http://enterprise.huawei.com/en/products/security/network-security/firewall-utm/hw-195471.htm

    Replies
    1. Huawei is a whole different story, not (only) because of potential backdoors but because of the really poor software design they're using.
      I don't know how good or bad their firewalls are, at least their routing gear (Quidway NetEngine) had some design issues in terms of convergence (e.g.).
      But hey, the stuff is cheap and if you're willing to swallow that pill (including a contribution in developing their products)...

    2. Design, what design at Huawei?

  3. Juniper SRX can of course support multiple VLAN Tags on an interface @ Anonymous 09:47

  4. This comment has been removed by the author.

  5. Although virtualization firewalls are covered in a previous post I thought they should be mentioned here as well. IMHO virtualization firewalls like Cisco's VSG and Juniper's vGW, covered in your previous post about firewall taxonomy, will play an important role in "cloud security". The SPI function is not much different than on traditional firewalls, although the management model and rule syntax is much richer because of the awareness of the VM context, e.g. VM name, port groups, host affinity, etc.

    As for the MPLS-firewall combo: although not a firewall per se, an ASA service module in a 650x does support MPLS, VRF, GRE, etc. plus some interesting features like VSS. Also stability is relatively good on that platform.

    Replies
    1. @Alexander - I support your thinking in your first para.

  6. Juniper's SRX series supports MPLS. But only one VLAN tag per interface? Maybe the small models, but certainly not the bigger ones.

    Also, there's a big difference between different vendors as far as virtualisation on their appliances goes. Some do it fluently, others lose functionality in the process (VPN termination on those virtual contexts, layer 2 functionality, failover). One vendor I've seen recently even had trouble routing overlapping IP ranges in their separate virtual firewalls. It's not a mature technology everywhere yet.

  7. reggle.. I agree with you.

    FortiNET = VDOMs: everything, and I mean everything, is split and 100% working.
    Palo Alto = Vsys: everything is working, it's just not 100% separate like FortiNET.
    Cisco = Context: works very well, and now with 9.0 VPN, dynamic routing and IPS have been added. It's just not a real NGFW.

    SRX = Vsys just broken.

  8. Workload mobility though... it's VM-based. People talk about the tremendous overhead of sync'ing firewall state at distances, but they don't sweat moving an entire VM. How about a socket-compress IF-MAP arbitrarily sharing state between firewalls subscribing to it? Virtualizing would be relatively simple. The relationship between any two security zones can be uniquely ID'd. Any state between these zones will be tagged with that ID. Any firewall interested in this state can subscribe to it.

  9. I always wonder: what is the performance of a software firewall?

    Every company blasts their performance figures out on PowerPoints: 500MB/s, 2.5Gb/s VPN and so on.

    I believe that when using dedicated hardware (e.g. chips) you'll receive a way better throughput. Has anyone measured what you can expect from a VM-Firewall?

    Replies
    1. Juniper did a while ago. Link somewhere in this post: http://blog.ioshints.info/2011/11/junipers-virtual-gateway-virtual.html

    2. Questions, for an understanding of all the terminology in the above article and comments.
      1. Are Cisco ASA 'contexts', which run on 'microengines', in fact hypervisors, or do they run on the CPU, not memory?
      2. Do any of the VM-based virtual firewalls that run on hypervisors have the capability of running as 'external hypervisors', i.e., run on another physical machine?

  10. ASA1000V running as a Default GW can run on a Nexus1110, if you choose to in your topology.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.