Virtual Firewall

The virtual firewall is just like the trusty old physical firewall but only now it’s delivered as a virtual machine instead of a physical appliance. This might appeal to you if it was determined that automation and multi-tenancy are important. The rationale being that each App instance (or tenant) can deploy their own virtual firewalls in their own enclaves, and if the firewall is a virtual machine it can be deployed automatically like any other virtual machine. And performance of a virtual appliance is just as good as a physical.

The virtual firewall is, again, this choke point hanging off the network somewhere catching packets (this time on a vswitch somewhere). We still need to steer traffic through it, and it’s still an object that needs to be managed and cared for instance by instance. And the rule structure still revolves around the basic context of IP addresses – no real improvement there.

Deploying an App in a virtualized multi-tenant cloud? No problem! Just tell the App owner that security is now their problem, and point them to the URL where they can download the firewall virtual machine and user manuals. When one virtual firewall becomes too much of a traffic bottleneck, the App owner can just throw more virtual firewalls at the problem and figure out how to design, manage, and automate around that. If the App is decommissioned later on the virtual firewalls and their rules just go away.

Did you say the auditor is here to validate compliance? OK, that might be a problem. There are hundreds of Apps in this cloud, which means potentially hundreds of virtual firewalls floating around. Let’s hope the App owners deployed them correctly – if at all. And it might take some time to find that one virtual firewall we need to look at and grab its configuration – cross your fingers!

Maybe virtualized apps in a distributed infrastructure need a distributed firewall?