What Exactly Are Virtual Firewalls?
Kaage added a great comment to my Virtual Firewall Taxonomy post:
And many physical firewalls can be virtualized. One physical firewall can have multiple virtual firewalls inside. They all have their own routing table, rule base and management interface.
He’s absolutely right, but there’s a huge difference between security contexts (to use the ASA terminology) and firewalls running in VMs.
Transport network independence: firewalls running in VMs rely on the underlying hypervisor for their network connectivity. You connect the firewall's virtual NICs to VLANs, VXLAN segments or whatever other virtual networking technology you prefer through the hypervisor management tools (example: vCenter, vCNS, vCloud Director ...), so a VM-based firewall works with any virtual networking technology the hypervisor supports, without knowing or caring which one it is.
Security contexts in a physical firewall can only use the virtual networking technologies implemented by the firewall operating system. Today that means VLANs (802.1Q subinterfaces); no physical firewall I'm aware of supports VXLAN or NVGRE.
Is there a firewall supporting MPLS/VPN PE-router functionality? Please write a comment.
Configuration management: the configuration of a security context is stored on the physical firewall (on the ASA, in the file named by the context's config-url command in the system configuration). If you want to move the firewalling functionality elsewhere (example: data center migration), you have to copy that configuration to another physical firewall and define the context there as well.
Please don’t even mention the incredibly creative idea of running a stretched active/active firewall cluster across two data centers. Been there, moved on.
The configuration of a VM-based firewall is usually stored on its virtual disk. Moving the firewall together with its configuration to a different physical location is thus a simple point-and-click exercise (well, maybe not if you want to move a running firewall, but you know what I mean).
Workload mobility: it's extremely easy to move a VM-based firewall together with the workload it's protecting, which significantly simplifies disaster recovery procedures (example: VMware SRM). Moving the configuration of a physical firewall during the disaster recovery process is an intriguing task, even more so if you have to merge it with the existing configuration of the target firewall.
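As an added illustration (this is not code from the original post or from any vendor), here is a small Python pre-flight check for the merge problem just described. It reads the system execution space of the source and target firewalls in ASA multiple-context syntax (the context, allocate-interface, config-url and subinterface vlan commands) and reports the context names, config-url files and VLAN subinterfaces that collide with, or are missing from, the target firewall. The two configuration excerpts are constructed for the example and the check covers only those commands; a VM-based firewall needs none of this, because its configuration moves with its virtual disk.

```python
from dataclasses import dataclass, field

# Constructed system-execution-space excerpts in ASA multiple-context syntax.
# Illustrative input for this example only, not taken from any real device.
SOURCE_SYSTEM_CONFIG = """\
mode multiple
interface GigabitEthernet0/1.100
 vlan 100
interface GigabitEthernet0/1.200
 vlan 200
context tenantA
  allocate-interface GigabitEthernet0/1.100 inside
  allocate-interface GigabitEthernet0/1.200 outside
  config-url disk0:/tenantA.cfg
context tenantB
  allocate-interface GigabitEthernet0/1.200 outside
  config-url disk0:/tenantB.cfg
"""

TARGET_SYSTEM_CONFIG = """\
mode multiple
interface GigabitEthernet0/1.100
 vlan 110
interface GigabitEthernet0/1.300
 vlan 300
context tenantB
  allocate-interface GigabitEthernet0/1.300 outside
  config-url disk0:/tenantB.cfg
"""


@dataclass
class Context:
    name: str
    allocations: list = field(default_factory=list)  # (physical interface, mapped name)
    config_url: str = ""                              # where the context's own config lives


@dataclass
class SystemConfig:
    subinterfaces: dict = field(default_factory=dict)  # subinterface name -> VLAN id
    contexts: dict = field(default_factory=dict)       # context name -> Context


def parse_system_config(text):
    """Extract VLAN subinterfaces and context definitions from a system config."""
    cfg = SystemConfig()
    current_if = None
    current_ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current_if, current_ctx = line.split()[1], None
        elif line.startswith("context "):
            current_ctx, current_if = Context(line.split()[1]), None
            cfg.contexts[current_ctx.name] = current_ctx
        elif line.startswith("vlan ") and current_if:
            cfg.subinterfaces[current_if] = int(line.split()[1])
        elif line.startswith("allocate-interface ") and current_ctx:
            parts = line.split()
            mapped = parts[2] if len(parts) > 2 else parts[1]
            current_ctx.allocations.append((parts[1], mapped))
        elif line.startswith("config-url ") and current_ctx:
            current_ctx.config_url = line.split()[1]
    return cfg


def migration_findings(source, target, names):
    """Return (context, issue) pairs that block a straight merge of the named
    source contexts into the target firewall's system configuration."""
    findings = []
    for name in names:
        ctx = source.contexts[name]
        if name in target.contexts:
            findings.append((name, f"context name {name} already exists on target"))
        for other in target.contexts.values():
            if other.config_url == ctx.config_url:
                findings.append((name, f"config-url {ctx.config_url} already used by context {other.name}"))
        for phys, _mapped in ctx.allocations:
            if phys not in source.subinterfaces:
                continue  # a physical port, not a VLAN subinterface; nothing to compare
            vlan = source.subinterfaces[phys]
            if phys not in target.subinterfaces:
                findings.append((name, f"target lacks subinterface {phys} (vlan {vlan})"))
            elif target.subinterfaces[phys] != vlan:
                findings.append((name, f"{phys} carries vlan {target.subinterfaces[phys]} on target, expected {vlan}"))
    return findings


if __name__ == "__main__":
    src = parse_system_config(SOURCE_SYSTEM_CONFIG)
    tgt = parse_system_config(TARGET_SYSTEM_CONFIG)
    for ctx_name, issue in migration_findings(src, tgt, ["tenantA", "tenantB"]):
        print(f"{ctx_name}: {issue}")
```

Shared subinterfaces are deliberately not reported, since the ASA allows the same subinterface to be allocated to several contexts; the check only cares that the target has the subinterface at all and that it carries the VLAN the context expects.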
What next? It’s obvious we need better terminology ... or an agreement that there are security contexts and VM/hypervisor-based virtual firewalls. Comments?
More information
Virtual firewalls are described in the Introduction to Virtual Networking webinar, you’ll find more details in the VMware Networking Deep Dive webinar and some use cases in Cloud Computing Networking webinar. All three webinars are available with the yearly subscription ... and don’t forget to check out the ExpertExpress service if you need a quick design review or second opinion.
If you are a "BIG" customer, FortiNET can provide you with MPLS/PE.
A certain BIG BIG US provider has this. It was made for this customer.
All the small Juniper SRXs support MPLS.
I don't know how good or bad their firewalls are; at least their routing gear (Quidway NetEngine) had some design issues in terms of convergence (for example).
But hey, the stuff is cheap and if you're willing to swallow that pill (including a contribution in developing their products)...
As for the MPLS-firewall combo: although not a firewall per se, an ASA service module in a 650x does support MPLS, VRF, GRE, etc., plus some interesting features like VSS. Also, stability is relatively good on that platform.
Also, there's a big difference between different vendors as far as virtualisation on their appliances goes. Some do it fluently, others lose functionality in the process (VPN termination on those virtual contexts, layer 2 functionality, failover). One vendor I've seen recently even had trouble routing overlapping IP ranges in their separate virtual firewalls. It's not a mature technology everywhere yet.
FortiNET = VDOMs. Everything, and I mean everything, is split and 100% working.
Palo Alto = Vsys. Everything is working, it's just not 100% separate like FortiNET.
Cisco = Context works very well... and now with 9.0 VPN, dynamic routing and IPS have been added. It's just not a real NGFW.
SRX = Vsys, just broken.
Every company blasts their performance figures out on PowerPoints: 500MB/s, 2.5Gb/s VPN and so on.
I believe that when using dedicated hardware (e.g. chips) you'll receive a way better throughput. Has anyone measured what you can expect from a VM-Firewall?
1. Are Cisco ASA 'contexts', which run on 'microengines', in fact hypervisors, or do they run on the CPU, not memory?
2. Do any of the VM-based virtual firewalls that run on hypervisors have the capability of running as 'external hypervisors', i.e., running on another physical machine?