As virtualized infrastructures have grown, many organizations have come to feel that in these environments they need to leverage and extend their existing physical network security tools to gain comparable visibility and functionality. The virtual firewall is one of the main virtual security products available today, and there are many options: Check Point has a virtual edition of its VPN-1 firewall (VPN-1 VE), Cisco offers a virtual gateway product modelled on its ASA firewall, Juniper has a more distinctive virtual gateway (the vGW line) that came from its acquisition of Altor Networks, and Catbird and Reflex Systems both offer virtual firewall products and features. So what should we consider when evaluating virtual firewall technology?
Virtual firewalls: Management and scalability
Before delving into the specifics of a virtual firewall, it is important to determine whether one is needed at all. Many small virtualized deployments are unlikely to need one. However, with a large number of virtual machines of varying sensitivity levels, and with highly complex virtual networks, virtual firewall technology is quite likely to earn its place in a multi-tier defense strategy. Note that in most cases a virtual firewall cannot replace all physical firewalls (although some organizations are looking at consolidating a large number of physical firewalls this way). Suppose you do need a virtual firewall; what do you do next?
There are some key considerations for any security or networking team assessing virtual firewalls. First, two of the aspects to evaluate resemble the assessment you would make of a physical firewall: scalability and management. From a management perspective, it is important to determine whether primary management is done through a standalone console (typically web-based) or is integrated into the virtualization management platform (such as VMware's vCenter). For a standalone console, the standard management criteria apply: ease of use, role-based access control, granularity of configuration options, and so on. Also consider the command-line management capabilities of the virtual device and how they are accessed. For example, most Cisco engineers prefer the IOS command line, and most firewalls can be accessed via SSH.
Scalability is critical for virtual firewalls, especially in large, complex environments. The scalability of a virtual firewall ultimately has two parts. First, you need to determine how many virtual machines and/or virtual switches a single virtual firewall can handle. In large environments, a single hypervisor may host many virtual switches and VMs, which can be a real problem. The second part of scalability concerns how many virtual firewalls can be managed from the vendor's console, and how well policy and configuration details are shared between the various virtual firewall instances.
Virtual firewalls: Integration
A critical assessment point for a virtual firewall is how the firewall actually integrates into the virtualization platform or environment. There are two common implementation methods. The first and simplest: the firewall is a virtual appliance, i.e. a dedicated virtual machine (VM). Like any other VM, it is loaded onto the hypervisor and then configured to work with new or existing virtual switches. The benefit of this model is that it is simple and easy to implement; the downsides are a higher performance impact on the hypervisor, less integration with the virtualized infrastructure, and fewer configuration choices.
The second implementation approach is full integration with the hypervisor kernel, also known as the virtual machine monitor (VMM). This provides access to the hypervisor's native APIs and to the management platform's APIs, with better performance and low-level visibility into VM traffic, but it may also require additional time and effort to install and configure the platform properly, and some highly customized virtualized environments may experience stability problems or conflicts.
Other factors to consider when evaluating virtual firewalls include integration with physical security tools and the depth and breadth of VM security policy. Virtual firewalls can "see" what is happening inside a virtual environment, but can they relay alerts and security information to their physical counterparts? Consider integration with any local or physical firewalls, IDS/IPS, or even simply with the management platform. In addition, virtual firewalls can and should be able to assess a VM's configuration and security posture before it receives traffic or joins the virtual environment. Some virtual firewalls also offer anti-malware, network access control (NAC), and configuration management and control functions, all of which add to their value.