And many physical firewalls can be virtualized. One physical firewall can have multiple virtual firewalls inside. They all have their own routing table, rule base and management interface.
He’s absolutely right, but there’s a huge difference between security contexts (to use the ASA terminology) and firewalls running in VMs.
Transport network independence: firewalls running in VMs rely on the underlying hypervisor to provide network connectivity – you connect the firewall’s virtual NICs to VLANs, VXLAN segments or whatever other virtual networking technology you prefer through the hypervisor management tools (example: vCenter, vCNS, vCloud Director ...). You can thus use VM-based firewalls with any virtual networking technology.
Security contexts in a physical firewall can use those virtual networking technologies that are provided by the firewall operating system. Today we’re limited to VLANs; no physical firewall I’m aware of supports VXLAN or NVGRE.
Is there a firewall supporting MPLS/VPN PE-router functionality? Please write a comment.
Configuration management: Configuration of a security context is stored in the physical firewall. If you want to move the firewalling functionality (example: data center migration), you have to copy the configuration to another physical firewall.
Please don’t even mention the incredibly creative idea of running a stretched active/active firewall cluster across two data centers. Been there, moved on.
Configuration of a VM-based firewall is usually stored on its virtual disk. Moving the firewall and its configuration to a different physical location is thus a simple point-and-click exercise (well, maybe not if you want to move a running firewall, but you know what I mean).
Workload mobility: It’s extremely easy to move a VM-based firewall with the workload it’s protecting, significantly simplifying disaster recovery procedures (example: VMware’s SRM). Moving the configuration of a physical firewall during the disaster recovery process is an intriguing task, more so if you have to merge it with an existing configuration of the target firewall.
What next? It’s obvious we need better terminology ... or an agreement that there are security contexts and VM/hypervisor-based virtual firewalls. Comments?
Virtual firewalls are described in the Introduction to Virtual Networking webinar, you’ll find more details in the VMware Networking Deep Dive webinar and some use cases in Cloud Computing Networking webinar. All three webinars are available with the yearly subscription ... and don’t forget to check out the ExpertExpress service if you need a quick design review or second opinion.