
Virtual Firewalls Webinar – Longer Than Expected

When I started developing the virtual firewalls webinar, it looked like a simple project: define what a virtual firewall is and explain the architectural options (see the diagram).

Then I got a crazy idea: it would be nice to add a few sample products ... and the webinar material started to swell.

The virtual appliances section was easy: it describes a sample VM appliance (vShield Edge) and an interesting scale-out architecture (Embrane Helios). There are numerous other VM-based firewall appliances out there, but I didn’t want to turn the webinar into a Virtual Appliance Marketplace buyer’s guide.

The VM NIC firewalls section was the hardest one: it started as a description of vShield App and Juniper’s Virtual Gateway, and then I decided to include products offering packet filters and added Nexus 1000V.

However, VMware is not the only hypervisor worth considering any more – the virtual switch in Hyper-V 3.0 is fully extensible, and Cisco, NEC and 5nine already have security-related extensions.

Finally, there’s Linux and Open vSwitch – XenServer includes a simple OpenFlow controller, and VMware/Nicira NVP and Midokura MidoNet have numerous security features including statefulish firewalls.

The service insertion section is still slim: there’s Cisco’s VSG and HP’s Tipping Point, and Cisco is the only company I’m aware of that does service chaining in a shipping product.

Interested? Register for the webinar; it’s also included in the yearly subscription.

Have I missed something? Please write a comment.

11 comments:

  2. I did not know that Nicira got some stateful features.
    Gonna check this out!

  3. What about LSYS on the Juniper SRX? Or contexts on the ASA? Or were you thinking more about things that live in or around the hypervisor?

    Replies
    1. Thank you! I'm definitely mentioning the virtual contexts (not individual products) and how they differ from truly virtualized firewalls.

  4. Hi,

    Perhaps not the best fit for this webinar, but maybe something about load balancers as well? Load balancers are often the public-facing endpoint of an application these days instead of firewalls. Moving from expensive, inflexible appliances to scalable virtual machines is an interesting subject.

    Replies
    1. Load balancers are mostly implemented as either physical boxes or virtual appliances (VMs running on a hypervisor), so they are (from the networking perspective) not much different from VM-format firewalls.

      OTOH, I am planning to refresh the DC webinar and will definitely include more on load balancers.

      Thank you!
      Ivan

  5. Definitely not a simple project. I've been gradually working on this too.

    A point worth mentioning is how each solution is managed and orchestrated. Does the vendor use their own GUI? Are there programmatic interfaces? How would it integrate into higher level orchestration tools? :)

    -Jason

    Replies
    1. Amazingly, most of these products have some API-ish interface. OK, maybe it's just XML-wrapped CLI (aka NETCONF), but I rarely find something that could be configured solely through the vendor-specific GUI.

    2. Yes, API-ish. I'm trying to go through that. Hard deciphering some of all that ish.

  6. Thanks Ivan! Definitely want to cover the virtual context systems on the physical firewalls, as those offer a lot of flexibility when dealing with hybrid cloud models that you might not be able to get with VM-based FWs. VPN support directly into the tenant context is key for SP public cloud services, and Fortigate does the best job there. Last I heard, Cisco still did not have VPN support within the virtual contexts. Juniper has solutions, but I would stay away from the SRX line... too many issues. Look at the Juniper ISGs if you go Juniper, and even then there are issues around VPN support. They were also trying to EOL the ISG line at one point, so they may have done that by now.

    Replies
    1. Good one ... maybe not for this webinar, but definitely something worth considering.

      Thank you! Ivan
