Should I have a Firewall for my Virtual World?
September 29th, 2009

Traditional firewall vendors, as well as VMware themselves (vShield Zones), are starting to develop solutions for the virtualization space. Vendors like Altor Networks and Check Point either have, or are in the process of building, firewall technology to help you further secure your VMware infrastructure.
I’ve had a look under the hood of early Alpha code from these vendors and, whilst very impressive, it did start to make me wonder about a number of things:
1. What resources would this firewall need? After all, it would be contending for the same CPU, memory and network resources as the other VMs on the ESX host.
2. Who is going to manage the firewall? The vendors are either hooking it into the management components of their existing products or offering plugins for vCenter. Do you get your VMware admins to look after the firewall and cross-train them, or do you hand it off to the network security team, who may not understand virtualization?
3. Do we need the firewall at all? We don’t necessarily have internal firewalls today, so why do we need them in the virtual world?
4. Performance: can the firewall keep up? Does it require its own dedicated CPU?
A firewall’s main purpose, as we all know, is to block unauthorized access to the services and applications we wish to protect. In the physical world this is bread-and-butter stuff: we have clearly defined perimeters where we typically deploy these devices. In the virtual world those perimeters become blurred, and the demarcation points we are all used to are no longer there. Traffic between two VMs on the same vSwitch never leaves the host, so a physical firewall on the wire never sees it. If you are thinking of protecting your virtual infrastructure with a virtual firewall, you need to ask yourself what you are trying to achieve, and whether the virtual firewall can cope with the load your $100,000 physical firewall was capable of.
The firewall should not be your only line of defence in the virtual world. You need to think about locking down the configuration of all your ESX hosts and VMs as you would for physical servers. You then need to look at the design of the network and make sure it is as secure as possible. This may involve using VLANs, setting the port group security policy (promiscuous mode, MAC address changes and forged transmits) to reject rather than leaving the ESX defaults in place, and making sure that non-production machines are not sharing the same networks as production machines.
You should also look at entitlement in terms of the roles and permissions you have defined within vCenter and on your ESX hosts, working on the principle of least privilege: who holds the Administrator role, where it is defined, and whether it propagates further down the inventory than it needs to.
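The hardening steps in the last two paragraphs (port group security policy, keeping production and non-production off shared VLANs, and least-privilege roles in vCenter) can be turned into a repeatable check. The following is an added example, not code from the original post or from any vendor: a Python audit run over a constructed inventory snapshot. The PortGroup and Permission classes, the prod/nonprod tag, the approved-permission matrix and all sample names are assumptions standing in for what PowerCLI or the vSphere API would return; the three security policy settings and their ESX defaults are real.

```python
"""Offline audit of a vSphere inventory snapshot for the hardening points
above: port group security policy, prod/non-prod network separation, and
least-privilege vCenter permissions.

Added example, not code from the original post. The inventory below is a
constructed stand-in for what PowerCLI or the vSphere API would return.
"""
from dataclasses import dataclass


@dataclass
class PortGroup:
    name: str
    vlan_id: int
    # The three vSwitch security policy settings; True means "Accept".
    # ESX defaults: promiscuous Reject, MAC changes Accept, forged transmits Accept.
    allow_promiscuous: bool
    mac_changes: bool
    forged_transmits: bool
    environment: str  # "prod" / "nonprod": assumed tag, not a vSphere attribute


@dataclass
class Permission:
    principal: str
    role: str        # vCenter role name, e.g. "Admin" or "ReadOnly"
    entity: str      # inventory object the permission is defined on
    propagate: bool  # whether it flows down to child objects


ROOT = "Datacenters"  # vCenter root folder; Admin here with propagate = everything


def check_port_group_security(port_groups):
    """Flag any port group that lets a guest sniff or spoof on the vSwitch.
    A VM that can do either bypasses a firewall sitting elsewhere on the switch."""
    findings = []
    for pg in port_groups:
        if pg.allow_promiscuous:
            findings.append(f"{pg.name}: promiscuous mode Accept (guest can sniff the port group)")
        if pg.mac_changes:
            findings.append(f"{pg.name}: MAC address changes Accept (guest can change its effective MAC)")
        if pg.forged_transmits:
            findings.append(f"{pg.name}: forged transmits Accept (guest can spoof its source MAC)")
    return findings


def check_vlan_separation(port_groups):
    """Flag VLAN IDs carrying both production and non-production port groups:
    VMs on them share a broadcast domain regardless of the port group name."""
    envs_by_vlan = {}
    for pg in port_groups:
        envs_by_vlan.setdefault(pg.vlan_id, set()).add(pg.environment)
    return [f"VLAN {vlan}: shared by {', '.join(sorted(envs))}"
            for vlan, envs in sorted(envs_by_vlan.items()) if len(envs) > 1]


def check_least_privilege(permissions, approved):
    """Compare defined permissions against an approved principal -> {(role, entity)}
    matrix. Anything off the matrix is a finding; Admin propagated from the root
    is called out explicitly because it grants control of the whole inventory."""
    findings = []
    for p in permissions:
        if (p.role, p.entity) in approved.get(p.principal, set()):
            continue
        note = ""
        if p.role == "Admin" and p.entity == ROOT and p.propagate:
            note = " (full control over the whole inventory)"
        findings.append(f"{p.principal}: {p.role} on {p.entity}{note} not in approved matrix")
    return findings


# Constructed inventory snapshot (not real data).
PORT_GROUPS = [
    PortGroup("prod-web", 100, False, False, False, "prod"),
    PortGroup("prod-db", 110, False, False, False, "prod"),
    PortGroup("dev-web", 100, True, True, True, "nonprod"),    # same VLAN as prod-web
    PortGroup("test-lab", 200, False, True, True, "nonprod"),  # ESX defaults left in place
]

PERMISSIONS = [
    Permission("VSPHERE\\Administrator", "Admin", ROOT, True),
    Permission("CORP\\vmware-admins", "Admin", ROOT, True),
    Permission("CORP\\helpdesk", "Admin", ROOT, True),          # should only be ReadOnly
    Permission("CORP\\dev-team", "VirtualMachinePowerUser", "Dev", True),
    Permission("CORP\\dev-team", "Admin", "Dev", True),         # quietly escalated
]

APPROVED = {
    "VSPHERE\\Administrator": {("Admin", ROOT)},
    "CORP\\vmware-admins": {("Admin", ROOT)},
    "CORP\\helpdesk": {("ReadOnly", ROOT)},
    "CORP\\dev-team": {("VirtualMachinePowerUser", "Dev")},
}


def audit(port_groups=PORT_GROUPS, permissions=PERMISSIONS, approved=APPROVED):
    """Run all three checks and return findings grouped by check."""
    return {
        "port_group_security": check_port_group_security(port_groups),
        "vlan_separation": check_vlan_separation(port_groups),
        "least_privilege": check_least_privilege(permissions, approved),
    }


if __name__ == "__main__":
    for section, items in audit().items():
        print(f"[{section}] {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Against a live environment the snapshot would be filled from PowerCLI, for example `Get-VirtualPortGroup | Get-SecurityPolicy` for the three policy flags and `Get-VIPermission` for role assignments, and the approved matrix is the document you should already have agreed with the teams who get access. The value of the check is that it runs the same way every time; the firewall question is separate from whether these basics are in place.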
The firewall does have a role to play; you just need to step back and take perspective before you jump on the hype of “I must have a firewall for my virtual world.”