This summer at the Blackhat conference in Vegas there was an interesting talk on the merits of deploying virtual firewalls. The speaker although he did not mention any particular vendors was hinting at the fact that Check Point the market leading Firewall vendor now have a Virtual Firewall offering in the form of Secure Platform or SPLAT as it is more affectionately known.
His thoughts were that care should be taken when moving a firewall from a physical to a virtual environment and that things like resource consumption and vmotion should be carefully considered. It would after all be unreasonable to expect what was once a dedicated hardware appliance Firewall to perform in the same way when virtualised. Stating the obvious for sure but something that is often overlooked. The topic of vmotion was interesting as well and something that I hadn’t thought about but again obvious once pointed out. The scenario was if you had one ESX host with a Firewall VM that was protecting other VM’s on the same ESX host and for whatever reason a vmotion occured then it would become highly likely that the VM’s the Firewall VM was protecting would no longer be protected as a result of the vmotion occuring.
The above scenario will be fixed in future releases of VMware but at the moment unless you architect and design your VM environment correctly then you could be giving yourself a false sense of security.