Advantages of the Virtual Firewall

Source: Internet
Author: User

As a leading network security product provider in China, NetEye has focused on user needs in the security field for the past 11 years and has made many gratifying achievements in network security. The virtual firewall function is one of them. So what is the virtual firewall function? It logically divides one firewall into multiple virtual firewalls. Each virtual firewall system can be regarded as a completely independent firewall device, with its own system resources, administrators, security policies, user authentication databases, and so on.

Because the virtual firewall function allocates resources independently to different virtual systems, and the virtual systems do not interfere with each other, when one virtual system consumes a lot of resources defending against hacker attacks, the resources of the other virtual systems are not affected. This effectively ensures the normal operation of other network applications. Next, we take the application of the NetEye firewall in a telecom IDC (Internet Data Center) as an example to look at the advantages of the virtual firewall in more detail.

As we all know, the IDC evolves along with the changing needs of the Internet. An IDC provides large-scale, high-quality, secure, and reliable professional server hosting, space leasing, wholesale network bandwidth, ASP, EC, and other services for ICPs, enterprises, media, and various websites. According to the layered network model, an IDC network is usually divided into a core layer, a distribution layer, and an access layer.

The core layer mainly provides sufficient bandwidth between two remote nodes. This layer is the foundation of the Internet and the convergence point of end-user traffic. In an IDC, the core layer is usually located at the entrance to the telecom backbone network and is the hub that connects the IDC to the backbone. The distribution layer mainly divides the network into areas. It is responsible for routing and traffic processing within each area, including routing protocols and route updates. The access layer connects end network users. Generally, IDC leasing customers connect directly to the routing and switching devices of the access layer. The typical structure of an IDC network is as follows:

  


Figure 1 Typical IDC Network Topology

In telecom IDCs, due to cost considerations, dedicated security protection cannot be provided for each hosted server. Therefore, in most cases, all hosted servers are protected by a single firewall and share its resources, as shown in Figure 2:

  
Figure 2 General firewall protection
For telecom IDCs, business stability is crucial, especially for server hosting services, because this business not only concerns the reputation of the IDC but also affects China Telecom's operating income. So how can we get the highest security return with the lowest security investment? The NetEye5200 firewall with the virtual firewall function is the best choice.

Not all servers in the IDC are attacked by hackers at the same time. Generally, only one of the servers is under attack, such as a web server or an email server. Once a user-hosted server is under attack, the firewall consumes a large amount of system resources to handle the attack traffic. Because the firewall sits at the egress node of the network, this heavy resource consumption seriously affects the normal operation of the other servers. As the saying goes, when the city gate catches fire, the fish in the moat suffer: the attack on one server inevitably leads to a significant reduction in the service quality of the telecom IDC.

How can the service level of the IDC be improved? The virtual firewall function of the NetEye 5200 firewall provides a good answer, as shown in Figure 3:

  
Figure 3 Functions of the NetEye virtual Firewall

First, by definition, one firewall can be logically divided into multiple firewalls. All system resources are allocated in proportion to each independent virtual firewall. When an attack occurs, each virtual firewall defends against its own attacks, so that even if the system resources of one virtual firewall are exhausted by network attacks, the other virtual firewall systems are not affected. In other words, the other servers can still run normally, which greatly improves the service quality of telecom IDCs.

Second, in terms of hardware cost, the telecom operator's investment is greatly reduced, because one physical firewall can do the work of multiple firewalls. Third, from the perspective of hosted users, each server is protected by an independent firewall, so user satisfaction improves greatly and more hosted users are attracted, which indirectly increases the turnover of the IDC. Fourth, from the perspective of management and maintenance, the network administrator manages multiple devices in a unified manner by managing a single firewall, which greatly reduces management difficulty and maintenance complexity.
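The isolation argument in the first point above can be checked with a small model. This is an added example, not NetEye code: it assumes the contended resource is a session table of fixed size, and the capacity, the server names, and the 2:1:1 weights are all constructed for illustration.

```python
"""Constructed model: one shared firewall session table versus the same
table split into per-virtual-firewall quotas. Not vendor code."""

TABLE_SIZE = 10_000  # assumed total session-table entries on the device


def proportional_quotas(weights, capacity=TABLE_SIZE):
    """Split the table among virtual firewalls in proportion to weights."""
    total = sum(weights.values())
    return {name: capacity * w // total for name, w in weights.items()}


def simulate(offered, quotas=None, capacity=TABLE_SIZE):
    """Admit sessions in arrival order.

    offered -- list of (server, session_count), earliest arrival first
    quotas  -- None for one shared table, else {server: max_entries}
    Returns {server: (admitted, dropped)}.
    """
    used, stats = {}, {}
    for name, count in offered:
        room = capacity - sum(used.values())          # free entries overall
        if quotas is not None:                        # cap at own partition
            room = min(room, quotas[name] - used.get(name, 0))
        admitted = min(count, max(room, 0))
        used[name] = used.get(name, 0) + admitted
        ok, dropped = stats.get(name, (0, 0))
        stats[name] = (ok + admitted, dropped + count - admitted)
    return stats


# Constructed traffic: a flood aimed at the web server arrives first,
# followed by ordinary sessions for the mail and database servers.
OFFERED = [("web", 50_000), ("mail", 800), ("db", 600)]
WEIGHTS = {"web": 2, "mail": 1, "db": 1}


def compare():
    """Return (shared-table result, virtual-firewall result)."""
    return simulate(OFFERED), simulate(OFFERED, proportional_quotas(WEIGHTS))


if __name__ == "__main__":
    shared, virtual = compare()
    for name in WEIGHTS:
        print(f"{name:5} shared={shared[name]} virtual={virtual[name]}")
```

With the shared table the flood fills every entry and the mail and database sessions are dropped; with quotas the flood is confined to the web partition and the other two servers admit all of their sessions.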

In addition, with limited funds for security investment, an enterprise may be able to purchase only one firewall while still needing to protect its internal financial network separately. The virtual firewall function of the NetEye firewall can be used to separate the financial network from the intranet and place it in its own virtual firewall system on the NetEye firewall for separate protection. This not only effectively avoids harm to the financial system from an outbreak of worms on the internal network, but also ensures the normal operation of the financial system. The deployment is shown in Figure 4:

  
Figure 4 NetEye virtual firewall deployment

From the above examples, it is not difficult to see that the virtual firewall function is a security function designed to meet user needs and to give users a high return on investment. Its most direct benefits are helping users improve IDC security protection, simplify firewall management, reduce investment costs, and earn higher returns.
