50 Replies Latest reply on Oct 31, 2013 3:30 PM by guian_fulgencio

    Are Our Firewalls Packing Up And Moving?

    Brandon Carroll

      Since the VMware NSX announcement I've really been thinking a lot about the state of our Firewalls today and where they might end up in the future.  I know Cisco has a virtual Firewall, but they are still selling a lot of ASA hardware.  Right now we might see an ASA 5585 right in front of the DC no problem.  Sure there have been advances in the functionality and we can cluster them and load-balance over them, but with NSX and the fact that it's has stateful firewall functionality I wonder when the hardware goes away and we just have routing and switching with orchestrated firewalls on the hypervisor. 



      I think about SDN and what Plexxi has announced with the Data Services Engine, and I think that at some point we can get away with a much simple physical architecture, and have the same or better performance in the hypervisor for firewall services.  To that end, Solarwinds could play a key role in that front end management capability with a view to the virtual network. 



      Let's add to that.  If that's the way the cookie crumbles, then where do things stand for the Network Security Engineer?  Is there a need for a NSE or would this just be another role of whoever handles the orchestration of the network?  Maybe I'm way off base here, but this is what's been rattling around in my head these days.  Does anyone else have thoughts on this?

        • Re: Are Our Firewalls Packing Up And Moving?
          Kurt H

          I believe the NSE would always be around, at the least to provide background information and help with firewall configurations. I do not believe the hardware will ever go away; it will just be of limited use, only in some situations and not as extensive as it is now.

          • Re: Are Our Firewalls Packing Up And Moving?

            I see the NSE becoming just another function of the Network Engineers. We had the roles separated here for years; however, the NSEs became cowboys and the Network Team had to wrangle them in. Now that we have a combined team, I have seen growth in both sides of the network infrastructure team and it removes a layer of finger pointing.

              • Re: Are Our Firewalls Packing Up And Moving?
                Brandon Carroll

                I think I'm in agreement here.  I had a discussion the other day and it was mentioned that for someone new, learning Routing and Switching is not enough.  It's almost like that's an expected category of knowledge, and there should be some other specialization like Wireless or Data Center.  That being said, that could be how Security is being rolled up into an expected skill with a specialization required in addition to it.

                • Re: Are Our Firewalls Packing Up And Moving?

                  I agree with kurtrh, I think that this skill set is an important part of the new "integrated" Network Engineer role. One who is responsible for not 'just' the entire stack, but the user experience (business deliverable). This combined team approach will always have those with specialized skillsets, but the discontinuation of knowledge siloing should lead to more responsive and effective information technology teams.

                • Re: Are Our Firewalls Packing Up And Moving?

                  Am I hopelessly atavistic to want firewalls to remain physical appliances?  VMs are awesome, but the thought of putting my firewall into software makes my spidey-senses tingle - I mean, have you seen developers..!   

                  • Re: Are Our Firewalls Packing Up And Moving?

                    NSX is going to be huge!  We had a private showing from vmware showing the tech last week and it's going to be very interesting to say the least.  The vSwitch as we know it today is going to gain a lot of new functionality.  I won't go into detail but suffice it to say some of us already abuse vSwitches for what they were originally designed for... the NSX switches are going to make it even better.


                    Note also there are some very nice open source routers already available directly as a VM in addition to things like the Cisco 1000v.


                    I wouldn't count your ASAs, FWSMs, and layer 7 f/w's out just yet though ;^}


                    Another great thing about NSX is it will allow server types to handle ESXi 5.x and network people handle the NSX. (Enhanced separation of duties) This will greatly improve on the fact that right now some server people using vmware are doing networking they really don't understand very well!

                      • Re: Are Our Firewalls Packing Up And Moving?
                        Brandon Carroll

                        See, now that part I like...


                        ecklerwr1 wrote:

                        Another great thing about NSX is it will allow server types to handle ESXi 5.x and network people handle the NSX. (Enhanced separation of duties) This will greatly improve on the fact that right now some server people using vmware are doing networking they really don't understand very well!


                        Being virtualized but still separating duties is a good idea and seems more feasible to me in the long run.

                      • Re: Are Our Firewalls Packing Up And Moving?

                        Am I the only one to wonder why it seems everyone not in IT is over specialised in their own realm, while we IT workers are expected to be able to do everything?


                        To answer the OP, I think all roles will eventually tend to blend into one another. You can wear the NSE hat, but amongst a few other hats...


                        I don't see NSX becoming popular fast enough to force NSEs out of the enterprise. Not yet anyways.

                          • Re: Are Our Firewalls Packing Up And Moving?
                            Brandon Carroll

                            yeah... not yet.  Maybe a merge of roles at some point.

                              • Re: Are Our Firewalls Packing Up And Moving?

                                Before: I need port x on network y opened for application z.

                                After: I need virtual port x on virtual network y opened for virtual application z.


                                It may just be a matter of perception that changes the rules, as management may see the network/virtual network differently because there are no more boxes connected with cables, but the underlying complexity remains the same, so the skills needed are not so different between "now" and "then".


                                Management: "NSE? We don't need an NSE, we don't even have a network, we're virtualized!" <- That could bring changes to the roles we know.

                              • Re: Are Our Firewalls Packing Up And Moving?

                                At my current organization we have some with more expertise at routing/switching and some with more expertise with security (firewall/IDS).  But we're all on the same team and have to think of all those technologies when troubleshooting.  This is not a bad thing - it just means that we take different views of an issue and work it from different starting angles.

                                It also means that when we re-point the fingers away from the network that we have plenty of data to back up our claims.

                              • Re: Are Our Firewalls Packing Up And Moving?
                                Aaron Denning

                                I agree with syldra, it's not going to happen fast enough to push everything out right away, but it will. I also agree with the non-IT people getting ahold of the stuff and thinking that we as IT people instantly know how to fix/install/maintain it even when we have never seen it before.

                                • Re: Are Our Firewalls Packing Up And Moving?

                                  I've seen some details on NSX and I really like where it is going. I think there will be a blend of HW / SW for quite some time but the ability to manage both as one is what is key. Besides Cisco, HP and Juniper just announced some really interesting hooks into NSX. And Juniper just delivered Contrail, which has us very interested.


                                  To answer the question of what happens to the NSE, well, I think they will still be around for the foreseeable future, as the role still needs to be filled, it will just be done slightly differently.


                                  I will also agree with syldra on the specialization.  I've always found that slightly amusing and annoying as well.

                                  • Re: Are Our Firewalls Packing Up And Moving?

                                    Security choke/checkpoints are always moving.  At one time they were at enterprise perimeters but now they're everywhere between, and on, the outside/not-so-trusted and the internal/trusted hosts.


                                    I thought it would be odd when I put my first FWSM into a Catalyst chassis.  Once I got used to thinking about VLANs instead of cables it was no big deal.  I don't see managing a virtual firewall as being any different.


                                    In the end I never really put eyes on a box anyway and interfaces are just names, so what's really going to be different?

                                    • Re: Are Our Firewalls Packing Up And Moving?

                                      In my company we have 2 network engineers that are in charge of the firewalls and IDS on site. So I feel that the NSE will either migrate to a Network Engineer position with a specialization in security. Also, I do not see the dedicated firewall hardware going anywhere anytime soon. I could be jaded.

                                      • Re: Are Our Firewalls Packing Up And Moving?

                                        There will always be a need for an NSE to configure the hardware or the software. The role may get wrapped up into a role where the NSE is doing more than just network as the lines between network/software/VM blur.


                                        I also don't think software is going to replace the hardware any time soon, and most likely more for some smaller implementations.

                                        • Re: Are Our Firewalls Packing Up And Moving?

                                          The NSE role is about focus and not specific technologies in my mind - I think the role will stay in some form. That security SME who is paranoid, controlling, a stickler, and a general PITA can really come in handy sometimes. It's kind of a mindset.

                                            • Re: Are Our Firewalls Packing Up And Moving?
                                              Brandon Carroll

                                              It is a mindset. My concern is that when the network is programmable, and you say flow x to server y should take this path and be allowed, you now have to modify firewall rules to allow that. If the network is driven by a single point of orchestration and the network guy says flow x to server y is allowed, then the firewall is modified by the network to allow it. The NSE is no longer involved in this type of work. No more waiting for the firewall guys to pop open a hole in the firewall.

                                            • Re: Are Our Firewalls Packing Up And Moving?

                                              WOW!! What a can of worms this conversation opens! We've all seen a ton of changes in the last several years, everything from our jobs being outsourced to less competent people for the sake of the business "believing" they can save a buck or 2; to our favorite vendors expanding into new product lines that no one ever thought would happen (Cisco into servers and storage, others into networking).


                                              This brings to mind one of my all time favorite quotes from Ghostbusters:


                                              Dr. Peter Venkman: This city is headed for a disaster of biblical proportions.

                                              Mayor: What do you mean, "biblical"?

                                              Dr Ray Stantz: What he means is Old Testament, Mr. Mayor, real wrath of God type stuff.

                                              Dr. Peter Venkman: Exactly.

                                              Dr Ray Stantz: Fire and brimstone coming down from the skies! Rivers and seas boiling!

                                              Dr. Egon Spengler: Forty years of darkness! Earthquakes, volcanoes...

                                              Winston Zeddemore: The dead rising from the grave!

                                              Dr. Peter Venkman: Human sacrifice, dogs and cats living together... mass hysteria!


                                              At the end of the day, it's all-out war on the IT business front, and we are the engineers and experts that have to decide what we like, what we will use, and what we won't. As with anything new, there are those that will accept it and those that won't. Just keep in mind, NSX is not a new concept, it is just new to those that are unfamiliar with Cisco's OTV and LISP that have been on the market since the Nexus platform hit the streets. It's the same concept with a new candy wrapper, it's just VMware's way of getting deeper into the world of networking.


                                              And don't get me started on what IPv6 is going to do to networking...in some ways we are going forward and in some, backwards.


                                              So, as we look forward, all of us need to bring everything into the picture. In IT everything impacts everything else.


                                              But to answer the original question around the NSE...I think the real question is much broader. Will the NSE role go away? I think as technologies evolve, so must the admins and engineers. Vendors are building technologies that blur the administrative boundaries, and I think we must evolve as well. I think we are all going to become IT Admins and IT Engineers, and the days of being specialized are limited.


                                              Personally, I'm not a fan of NSX, from what I've seen so far. It looks cool....but it's still VMWare, making it software-based; and it is not even on the market yet, making it brand new and untested. Being software-based comes with resource overhead, and will always require more resources to perform as well as any network device. Last time I checked, hypervisors require about 8 - 10% overhead...and unlike a server, all resources are accounted for on a network device.


                                              I've rambled enough, but have so much more I'd like to say on this, I'll just watch and respond as "necessary"... 


                                              • Re: Are Our Firewalls Packing Up And Moving?
                                                Mark Roberts

                                                Isn't it better, and always going to be better, to have the best first line of defence possible? In this situation, having the security layer back at the end host layer means a number of things:


                                                • More solutions to manage, cross vendor/cross application
                                                • Bigger attack surface area
                                                • Inherent subject complexity spread across users with little or no knowledge and experience of security

                                                Any organisation that currently has an NSE is going to continue needing one.

                                                • Re: Are Our Firewalls Packing Up And Moving?

                                                  Hey Brandon,


                                                  Read in your blog that you are Ambassador here this month.

                                                  I don't think that physical firewalls will disappear (at the very least, I don't believe completely virtual firewalls will be used at network edges) but still believe that this will evolve and that this will be a hot topic in the data center.

                                                  I agree that we will probably also see simpler physical architecture and SDN is a topic that we will soon hear more of, it will be interesting to see how this evolves and what Solarwinds will provide for management, insight and monitoring!


                                                  I am not sure I know exactly what has been rattling around your head, but maybe you can elaborate on your thoughts, I'd be interested.

                                                  Maybe I just didn't get what you were saying, but I do think there will always be a need for an NSE, but that sometimes there isn't a separate person for this. I do not see this changing much about the current evolvement though.


                                                  If you meant putting this in the hand of the VMWare admin...

                                                  Well, some managers make bad choices, but in general I don't believe so. I believe an NSE will need to get more into VMware, but duties should be separate(d) (as noted earlier).



                                                    • Re: Are Our Firewalls Packing Up And Moving?
                                                      Brandon Carroll

                                                      I think your thoughts are kinda where my thoughts are. Basically my thought was that virtualization may at some time move the physical firewall sitting in front of the DC to the hypervisor, and if that's the case, then the firewall admin either needs to transfer their skills to work in a virtualized environment along with the VMware admin, or the VMware admin is going to do it. If the firewalls pack up and move, then the NSE needs to do the same.

                                                        • Re: Are Our Firewalls Packing Up And Moving?

                                                          Kind of.

                                                          As not only servers are being virtualized but also the network components, it is not only the firewall admin but most network admins that will need to acquire additional skills with a virtualized environment.

                                                          So with that part our thoughts are kinda the same.

                                                          However, I still have trouble believing that a majority would actually use a VMware virtualized firewall as their only firewall or the firewall facing the outside world in the near future (takes a while to get used to that in my mind).

                                                          I am not saying that I am sure this will never happen, but I believe it would require some time and a deeper fusion of "server" and network worlds (not only technical but also in the minds of the admins).

                                                          For now and the near future I think there will be a physical part to it, e.g. a service module.


                                                          I cannot yet imagine it pushing away the actual hardware for firewalls, especially not for routing/switching (not on the same hardware as server virtualization anyhow, or at least not unless it becomes specifically designed for these tasks).



                                                          Do you have some more insight you can share with us? Why do you believe the physical firewall will be replaced, and at which point in time and in which manner (e.g. do you see a majority of top 500 companies switching within the next 5 years?)

                                                          What role do you think Solarwinds could play in this?


                                                          I find it difficult to define the border of physical and virtual nowadays.

                                                          Interesting topic, would appreciate anyone elaborating on their thoughts to gain more insight.

                                                      • Re: Are Our Firewalls Packing Up And Moving?
                                                        Alen Geopfarth

                                                        I always believed that you should have the Security team and internal network team working together as closely as possible. Security should be muscle memory for network teams, and regardless of the business decisions to go virtual or remain physical the security of the network should still be part of the blueprints that govern the architecture.

                                                        • Re: Are Our Firewalls Packing Up And Moving?

                                                          Just like the rest of the communications infrastructure, the NSE will be absorbed into the network and telecom teams.  He/She will still provide the security focus...

                                                          • Re: Are Our Firewalls Packing Up And Moving?

                                                            Honestly, I still think physical firewall devices will be around for a very long time. Virtualizing them may take out some of the security, as traffic would essentially go straight to the host device first, which may be compromised, and that bad traffic never actually reaches your firewall.


                                                            On top of that, I think NSEs and/or Network guys with security experience will always be needed; firewalls/network security are essentially your first line of defense against malicious traffic.

                                                            • Re: Are Our Firewalls Packing Up And Moving?

                                                              It feels like when we suggest that NSEs will significantly change or go away we are predicating that on the idea that all these folks do is make firewall rule changes. I am not sure how things work at other companies, but our network guys do a lot more than just make firewall rule changes; maybe I am just not clear on what a typical NSE typically does?


                                                              As far as networking moving to the virtual world, one of the things I like about this is that it lets the network solution vendors spend more time focusing on the software (better features, better usability, etc) versus the hardware side of things which would further drive innovation.  However, with that being said I really don't see the network hardware going away for a very long time.

                                                              • Re: Are Our Firewalls Packing Up And Moving?

                                                                I have an instant hesitation toward virtual firewalls. I can see moving towards a hybrid type environment for cost reasons, and we have even run some of that in the past. But for security purposes, and the scope moving forward, we are actually separating these services, adding in another layer router/firewall, and separating our layer 2 and 3 setups to allow more throughput control. Layering services adds to that single point of failure; though what we do may be overkill, it is nice to only have to fix a redundant link or service the box that drops off the cluster, etc., preventing the ultimate run, trip and fall when that ole bucket of stuff hits the fan.

                                                                The new wave seems to be the hybrid engineer; the overlapping skill set seems inevitable when the environments we create and the troubleshooting we are forced to do in some situations allow us to learn outside our normal performance area. Everyone needs a little security.

                                                                • Re: Are Our Firewalls Packing Up And Moving?

                                                                  I don't think that just because we're taking away a set of physical firewalls and implementing that security within a VM system that the role of NSE just goes away. There's still a need to research, design, implement and audit the security of whatever firewall system is in place, whether it's tied to a virtual infrastructure or not.


                                                                  If a company decided to do away with their standard firewall implementation and incorporate NSX into their VM infrastructure then merge the role of NSE into that of the Network Engineers and maybe the server team, they would end up with grumpy NEs and Server gurus!

                                                                  • Re: Are Our Firewalls Packing Up And Moving?
                                                                    Brandon Carroll


                                                                    I think everyone should just go down to the local wallyworld and pick up one of those fancy Linksys devices for $40. Then go back to their network and replace that $1mil network with that fancy new Linksys device.

                                                                    Problem solved.


                                                                    But... if I would ever feel wild and crazy and went the virtual path... I would probably only buy and use it if it were made by a quality brand, such as Microsoft... this way I know for sure it will always work!!



                                                                    • Re: Are Our Firewalls Packing Up And Moving?

                                                                      Wow, this is a great topic. Scanning all of the responses shows that we're all trying to read the tea leaves and adjust to what is coming at us both in hardware and in software.


                                                                      IRT the OP: like many of our answers to IT related questions, it depends. I think the NSE role depends on how each shop is managed. Some are large enough that they still hold on to the concept of 'separation of duties', while many other shops have reduced in size, causing the traditional route/switch person to learn security and compliance or the server admin to learn storage. The situation emphasizes that things are constantly changing and you get to make the choice of either trying to keep up with portions of all of it or aligning yourself with a specific pillar. In the context of resume strength and career opportunity, I think it serves us best to have a better than average understanding of everything in the data center and a specialization in a specific area to emphasize your value add.


                                                                      I view all of these changes as a great time to be associated with data center infrastructure. Whether you geek out on virtualization or are turned on by vendor battles...it seems to be providing an entertainment value that we've been missing for years. Personally I'm embracing all of it. I've passed the 40 year mark and have been in networking for 15 years now. Not since I first got in this industry have I been so energized by the opportunities that lie ahead.


                                                                      Great topic Brandon. Thanks for spurring this discussion.


                                                                      • Re: Are Our Firewalls Packing Up And Moving?
                                                                        Kevin Rak

                                                                        It is my opinion that virtualizing things like this works great in theory and even in practice at first. However, in the long run, there are always shortcomings which you'd never have on hardware. It all kind of goes back to the "who's watching the watchmen" idea. We want the most essential services (monitoring and protecting everything else) to keep running even when there is a problem. The last thing any of us want is our firewall going down because of a problem with the system it's running on. The more complex we make that system, the more spots we open which could fail. Of course, if one of these spots happens to fail, we should have some sort of redundancy which will take over, but for smaller companies with only a few hundred employees, we can't always afford that. Therefore, IMHO, I would never endorse a physical firewall completely replacing a good ol' hardware firewall.

                                                                        • Re: Are Our Firewalls Packing Up And Moving?

                                                                          Hi Brandon and everyone,


                                                                          I don't believe the firewalls are moving at all. There may be a need for virtual firewalls to isolate internal networks for security boundaries, but moving from purpose-built processors and accelerated ASICs to general purpose processors means you are taking a big hit in performance.


                                                                          Who wants their firewall performance to fall to half, or even a quarter, of its current throughput?


                                                                          If a slower performing system is acceptable, sure general purpose processors are fine for that business case. But when performance is the requirement, then your hardware and software should be designed for that.

                                                                          • Re: Are Our Firewalls Packing Up And Moving?

                                                                            Big thread! I think the roles will merge. For a long time IT has tried to break down silos of how we work and integrate together. With the ability to service chain and deliver application tiers automatically through solutions like NSX, I feel the NSE will become a more rounded role or merge back with NEs.