This is the firewall we've grown up with: the trusty old physical
firewall appliance. It has specialized hardware that does network
security well, within a rated envelope of packets per second, sessions
per second and raw throughput. 10Gbps would be considered high end (and
costly). There aren't enough ports on the firewall to connect every
server to it directly, so instead we hang it off the Core switch and
tell the network team to figure out how to steer the traffic through it.
For east-west traffic between servers it is a choke point. It can only
go so fast, but don't tell the network team that or they might start
blaming the firewall for every little performance problem. Meanwhile,
we'll just throw more firewalls at the problem, hang them off more ports
on the Core switch, and tell the network team to figure out the traffic
steering all over again.
The physical firewall is hanging off the network somewhere catching
packets; it is not directly connected to the servers. Consequently,
security policy is only as good as the information available in the
packets themselves: IP addresses, protocol and TCP/UDP port numbers. So
we build our firewall rules around that basic context, e.g. "this IP
address can talk to that IP address on TCP port X", and so on. The
firewall has no idea which application or tenant sits behind either
address; any host that shares a subnet with a permitted source inherits
that source's access.
Deploying a new App? No problem! Just submit a change ticket to the
InfoSec team describing the App you want to bring online, along with its
list of server IP addresses and TCP/UDP port numbers. A few weeks later
(once someone has decided which physical firewall your App will be
anchored to) the security rules for your App will be appended to the
existing 5000 lines of rules collecting dust. A few weeks after that,
the network team will (hopefully) engineer the traffic steering to the
right interfaces on the right firewall. And if the App is decommissioned
later on? Don't ask. The rules are never cleaned up, because that is too
much work and would require another change ticket anyway.
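The address-and-port policy model described above, and the rule rot that follows from never cleaning rules up, as an added example that is not part of the original post. It models a rule base of the "this IP can talk to that IP on port X" kind with first-match evaluation and an implicit deny, then cross-checks rule destinations against a server inventory to flag rules for hosts that no longer exist. The application names, addresses, rule base and inventory are all constructed for the example.

```python
"""Added example: a 5-tuple firewall policy and a stale-rule check.

Everything here (apps, addresses, rules, inventory) is constructed for
illustration; none of it comes from the original post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One 5-tuple rule: all the context a network-attached firewall has."""
    app: str      # change ticket / application the rule was added for
    src: str      # source CIDR as seen by the firewall
    dst: str      # destination CIDR as seen by the firewall
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    action: str   # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and proto == self.proto
                and dport == self.dport)


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.app
    return "deny", "implicit-deny"


def stale_rules(rules, live_hosts):
    """Rules whose destination network contains no host in the inventory."""
    live = [ip_address(h) for h in live_hosts]
    return [r for r in rules if not any(h in ip_network(r.dst) for h in live)]


# Constructed rule base (hypothetical apps, RFC 1918 addresses).
RULES = [
    Rule("CRM",        "10.1.10.0/24", "10.1.20.5/32", "tcp", 5432, "allow"),
    Rule("Billing",    "10.1.10.0/24", "10.1.30.7/32", "tcp", 8443, "allow"),
    Rule("Legacy-ERP", "10.1.40.0/24", "10.1.50.9/32", "tcp", 1521, "allow"),
]

# Constructed inventory snapshot: the Legacy-ERP database no longer exists.
LIVE_HOSTS = ["10.1.10.11", "10.1.10.12", "10.1.20.5", "10.1.30.7"]


def demo():
    # The flow the CRM ticket asked for: web tier -> CRM database.
    intended = evaluate(RULES, "10.1.10.11", "10.1.20.5", "tcp", 5432)
    # Any other host in the same /24 (say, a compromised build box) reaches
    # the same database; the 5-tuple cannot tell the two apart.
    lateral = evaluate(RULES, "10.1.10.200", "10.1.20.5", "tcp", 5432)
    # Traffic no ticket ever described falls through to the implicit deny.
    unknown = evaluate(RULES, "10.1.10.11", "10.1.30.7", "tcp", 22)
    orphaned = [r.app for r in stale_rules(RULES, LIVE_HOSTS)]
    return intended, lateral, unknown, orphaned


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The second flow is the one to notice: a different host in the same /24 as the permitted web tier gets the same database access, because the firewall has nothing but addresses and ports to go on. The stale-rule check catches the easy case (a /32 destination that has disappeared from the inventory); a rule written against a whole subnet keeps matching long after the App behind it is gone.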
Deploying a virtualized multi-tenant agile cloud with automated
provisioning? OK, that might be a problem. The physical firewall doesn't
do a very good job at automation or multi-tenancy.
Maybe virtualized Apps need a virtual firewall?