The word “wall” sounds physical, but if you’re not using, or at least investigating, virtual firewalls, you are in danger of missing this shift in security practices. In addition, virtual firewalls provide more service agility and increased revenue.
“Resellers don’t have to deal with installing, shipping, or replacing hardware boxes,” says Neil MacDonald, vice president, distinguished analyst, and Gartner fellow at Gartner Inc. “You have the ability to rapidly install, provision, and get customers up and running with a virtual firewall, so your service time should decrease.”
This is where the market is heading, but firewall vendors that relied on custom chips in hardware boxes are behind the curve. “Three vendors are on top of this [trend]: Barracuda, Check Point, and Stonesoft,” says MacDonald. “Others are a few months to a year and a half away from converting their full product lines.” Using custom chips for hardware acceleration helps performance, but slows vendors as they convert to software-based versions of their products.
Securing virtual servers with software smoothes the way to on-premises and cloud flexibility, says MacDonald. “If you have virtual firewalls securing virtual servers, you don’t really care if the physical servers are in your data center, or in a cloud provider like Amazon.”
John Peterson, vice president of worldwide technical services at Campbell, Calif.-based Barracuda Networks Inc., says the majority of the company’s product line has been virtualized, and that helps resellers. “You can get them in the hands of your customers faster with software, and reduce the costs of putting boxes in racks,” he says.
Yet virtual firewalls change your management load. Monitoring a few physical firewalls is one thing; monitoring hundreds of software firewalls is another. “The Barracuda Control Center manages both physical and virtual firewalls,” says Peterson. “In the past, moving a physical firewall with a physical server was a lot of trouble, but now you can make sure your security policy moves with that virtual server.”
In fact, as VMware’s VMotion software or Microsoft’s Hyper-V live migration feature in Windows Server 2008 R2 Hyper-V or Hyper-V Server 2008 R2 moves virtual servers from one physical host to another—whether for redundancy, failover, or to take advantage of higher performance for increased workloads—Barracuda’s virtual firewall moves as well.
Virtual firewalls are often the best way to separate virtual servers from other virtual servers, to avoid, say, PCI compliance issues. “Just insert a virtual firewall into the communication path between machines one and two,” says Peterson. Yet performance considerations exist. “Virtual firewalls do take CPU cycles,” notes Peterson, “and if you look deep into packets, that creates some toll on your traffic.”
Physical firewalls will continue to dominate in high-performance situations, according to MacDonald. “Software versions top out at 8 to 10 gigabits per second throughput, and maybe 800 megabits per second for packet inspection applications,” he says. “There will always be a role for hardware acceleration, but the future is a hybrid environment of physical and virtual firewalls.”