Most application stacks built today rely on a decades-old security paradigm: individual components of the stack (web servers, app servers, database servers, authentication servers ...) are placed in different security zones implemented with separate physical devices, VLANs or some other virtual networking mechanism of your choice.
The security zones are then connected with one or more firewalls (when I was young we used routers with packet filters), resulting in a crunchy edge with squishy core architecture.
This age-old architecture has a major flaw: once an intruder owns one of the servers in a security zone, the game is usually over (at least for that security zone) ... but it’s the best we’ve been able to build for a long time.
The problem is exacerbated by the usual “best current practice” of placing servers hosting numerous applications in the same security zone to simplify the VLAN and firewall provisioning. Once an intruder breaks into the weakest application, he often has a free lunch trying to break into all other application servers in the same security zone.
Numerous firewall vendors offer an enticing alternative in the virtualized world: the VM NIC firewall. These firewalls are transparent (bump-in-the-wire) constructs implemented as loadable hypervisor modules, traffic interception VMs, or service insertion solutions.
Regardless of how the VM NIC firewalls are implemented (although the implementation details greatly affect their performance), they offer a totally different security paradigm: each VM is protected with a firewall and everything outside of the VM is the outside world that needs to be tightly controlled (think of them as iptables implemented outside of the VM). Even the traffic between two VMs in the same security zone (using the legacy terminology – there are no security zones in the brave new world) is inspected and filtered.
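To make the difference between the two paradigms concrete, here is a small reachability model (an added example, not from the original post or any vendor product): a zone firewall only sees traffic that crosses a zone boundary, while a per-VM firewall evaluates a default-deny allow-list for every destination VM, including same-zone peers. The host names, zones and port numbers are constructed for illustration.

```python
"""Lateral reachability from one compromised VM under a zone-based
firewall versus per-VM (VM NIC) firewalls. Constructed topology."""

# Constructed inventory: VMs grouped into legacy security zones.
HOSTS = {
    "web1": "dmz", "web2": "dmz",
    "app1": "app", "app2": "app",
    "db1": "data",
}

# Zone firewall: (source zone, destination zone, port) permits.
# Intra-zone traffic never reaches this firewall at all.
ZONE_RULES = {("dmz", "app", 8080), ("app", "data", 5432)}

# VM NIC firewall: one default-deny allow-list per destination VM,
# keyed by (source VM or "any", port). Applied even to same-zone peers.
VM_RULES = {
    "web1": {("any", 443)},
    "web2": {("any", 443)},
    "app1": {("web1", 8080), ("web2", 8080)},
    "app2": {("web1", 8080), ("web2", 8080)},
    "db1": {("app1", 5432), ("app2", 5432)},
}


def zone_allows(src: str, dst: str, port: int) -> bool:
    """Legacy model: same zone => unfiltered; else consult zone rules."""
    src_zone, dst_zone = HOSTS[src], HOSTS[dst]
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, port) in ZONE_RULES


def vmnic_allows(src: str, dst: str, port: int) -> bool:
    """Per-VM model: only the destination VM's explicit allow-list counts."""
    allowed = VM_RULES.get(dst, set())
    return (src, port) in allowed or ("any", port) in allowed


def reachable_from(compromised: str, policy, ports=(22, 443, 5432, 8080)):
    """Every (destination, port) a compromised VM can still reach."""
    return {
        (dst, port)
        for dst in HOSTS if dst != compromised
        for port in ports if policy(compromised, dst, port)
    }


if __name__ == "__main__":
    print("zone firewall:  ", sorted(reachable_from("web1", zone_allows)))
    print("VM NIC firewall:", sorted(reachable_from("web1", vmnic_allows)))
```

With web1 compromised, the zone model exposes every port on its same-zone neighbour web2, whereas the per-VM model leaves only the explicitly permitted flows.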
Obviously the VM NIC firewall idea needs a central management interface to be viable (you wouldn’t want to configure each one of the VM-level firewalls manually), and there are tons of implementation details and considerations, but even assuming these things work as promised, the fundamental questions remain:
- Would you trust this new architecture?
- Are you willing to jump into the brave new world and get rid of traditional firewalls?
- Would you prefer to combine the old with the new ... and face double complexity?
- What would your auditor say?
Please share your thoughts in the comments!
You’ll find a more detailed overview of virtual firewall solutions (including VM NIC firewalls) and description of individual products for VMware, Hyper-V and Linux environments in the Virtual Firewalls webinar.