14 Replies Latest reply on May 19, 2013 11:48 PM by wanine39

    Virtual Fires

    pandom_

      Firewalls. Love them or loathe them, they are a mainstay of networks. They provide protection for critical applications, offer access control services, secure vital assets, and much, much more. Whether it be a hardware appliance or a virtual deployment, we are putting more firewalls in places we never thought we would.


      These devices litter the Internet edge, customer DMZ, and connection points from partners. In a multi-tenant environment you may have firewalls for each customer. Each has their own set of rules, their own policies that need to be defined. The days where a single portion of the network hosts firewalls have long left us.


      As hardware firewalls sound their death croak, hypervisor based virtual firewalls spring up. Guest virtual machines forwarding across Intel processors can push packets at rates faster than hardware. Inflexible physical topologies collapse and give way to fast provisioned, agility driven secure segments. Virtualisation hypervisors now support software firewalls from leading vendors with products such as Juniper's Firefly, Cisco's vGW, and VMware's vShield Edge. With this sudden explosion of security device deployment and the ability to put them at any conceivable point, the topic of control and management comes to the forefront.


      As we transition from physical to virtual, most of us find growth (and possibly bloat) in the number of firewall devices. I am curious how others see this and how it has affected you thus far?





      Reply to this post to get 50 thwack points and an entry in the March Ambassador Engagement contest. An iPod Nano sits in the balance!

        • Re: Virtual Fires
          byrona

          We are a Cloud Service provider and our tactic has been to use our corporate Fortinet as the "shared" firewall service. For customers that need a dedicated solution we actually use dedicated Fortinet firewall devices. All of these are tracked and managed in our SolarWinds Orion NMS. One of the benefits of the dedicated devices is that it isolates those customers from any potential failures on the shared environment and is often one of the reasons that solution is chosen. Also, many of our customers have compliance requirements for dedicated environments, which is a lot of our private cloud business.

            • Re: Virtual Fires
              pandom_

              An interesting thought Byrona. Isolation is a great use case for both virtual and physical. I feel over time the ability to provision a new customer (with end to end isolation) in a virtual environment will win out. That, though, will require adjustment to current information acts (HIPAA and the like). I think as time goes on, regulations and guidelines will need to realign to changing trends in the industry.


              Great post.

                • Re: Virtual Fires
                  byrona

                  While I completely agree, we are often in a situation where we are dealing with perceived reality versus actual reality. Funny thing, I was just having this conversation with our compliance officer no less than 10 minutes ago. Often we have customers that have chosen to perceive a requirement as more strict than it actually is (and the unfortunate fact that the different compliance requirements are not well designed with IT in mind, as you noted) and therefore we design and implement based on those perceived realities. I think it will take even longer for these perceptions to come up to speed with current and emerging technologies.

              • Re: Virtual Fires
                matt.matheus

                Working in a large healthcare environment with quite a few remote sites, hardware firewalls are our go-to device. Due to routed links with no servers to host a virtual device, hardware is the only real option. We currently monitor our firewall clusters as well as standalone firewalls with NPM, and it does an adequate job of keeping us informed of any failures or pending issues.


                Moving forward, firewall bloat is definitely something we have to contend with. As compliance requirements become more and more strict, and more devices are needed, virtual devices become more attractive. I've not used them before, but it seems an interesting way to overcome the problem of having racks and racks of individual firewalls. Though, if the vendors are anything like Cisco, the price difference is very little.

                  • Re: Virtual Fires
                    pandom_

                    Firewall bloat is something I see in the interim, but it can pose a long term headache for administrators. The headache I see is in "temporary". For some, temporary is just that: a period of time that is short and not long lasting. For some enterprises, temporary is permanent. I am sure we can all attest to a little bit of that around.


                    The application of virtual firewalls, licences notwithstanding, is dynamic, flexible, and provides agility. The notion of dropping 6 firewalls in for half a dozen customers into a hypervisor is extremely attractive. As you quite rightly mention though, licences could pose an issue, though looking at some of my vendors' list prices, my capex budget looks healthier!

                  • Re: Virtual Fires
                    freid.42

                    Maybe I am just being naive, but does anyone else remember (lol) the built in "windows firewall"? This is all I am going to have to say on this topic, I prefer my physical firewall.

                    • Re: Virtual Fires
                      Aforsythe

                      Virtual or physical, bloating even happens in smaller networks. We've only got 4 separate public facing networks in our organization, and we're at 6 firewalls. And as we look to adding more hosted services, we're speculating at further segregation and a few more firewalls.

                      • Re: Virtual Fires
                        bsciencefiction.tv

                        Firewalls, like almost all technology, are only as good as the people who input data into them. We have a great firewall team who manage the DMZ quite well. Our firewall empire is quite vast, taking up an NPM poller almost all unto itself.


                        What is fun though is, like most companies, we have cowboys. The only problem is when the firewall team starts cowboy-ing, the whole organization feels it.

                        • Re: Virtual Fires
                          Bahlkris

                          I wish I could bloat the use of firewalls. We have what I would call a... strange... internal development cycle, probably the most PC term I could use, that makes virtual fire-walling difficult for us. So most of our fire-walling is on the perimeter. I am a security minded network engineer, so I would build a castle around the critical services if I could.

                          • Re: Virtual Fires
                            chipsch

                            We take the same stance as Byrona mentioned above. We have shared firewall services and dedicated firewalls for customers. While I like to think I am very security minded, finding a balance between security and availability, from my perspective to the systems engineers' perspective, can be difficult. I would like to think that since we are 80% virtualized as a hosted services company we will eventually jump on the bandwagon with virtual firewalls; I don't feel that it will be soon enough. On that note though, if anyone is deploying virtualized firewalls on XenServer I'd love to hear recommendations. I think with the right solution it can be pitched so that we get ahead of the power curve instead of falling behind it.


                            My biggest concern with shared services firewalls in an ASA world is that you have two options: multiple contexts, or very strict rules on each customer interface in a shared context. Multiple contexts can be very expensive, which drives the cost up even more for clients who are typically looking to spend the least amount possible. Not to mention, if you are running active/active with contexts you have to be very careful that the load isn't too much in case of a failure of one of the firewalls.


                            With a physical device per customer, rack space and power consumption become more of an issue; hey, we are all trying to be more green, right?


                            Virtuals just seem to be the way to go... when we get there.

                            • Re: Virtual Fires
                              planglois

                              I definitely have a preference for a firewall-in-a-box. I have a better view of all the rules and I believe it is easier to manage. I would probably change my mind if everything was virtual. Until then, since we have a mix of virtual and physical devices, I prefer using hardware, mixed with basic rules pushed by GPO on endpoint devices & servers.

                                • Re: Virtual Fires
                                  wanine39

                                  We use both pizza boxes and virtual FWs.

                                  Each has its pros and cons. Our security people don't like change and prefer the pizza boxes. Our admins prefer the virtual ones due to their flexibility and speed of deployment.