Virtualization Advisor

Expert analysis and advice on server virtualization technologies, deployments and management.


Our bloggers: Kevin Fogarty is a veteran technology journalist and analyst who has previously worked for Computerworld, Baseline, eWeek, and Illuminata. Virtualization expert Edward L. Haletky is the author of "VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers", Pearson Education (2008) and runs his own firm, AstroArch Consulting. Laurianne McLaughlin serves as technology editor for CIO, focusing on virtualization as a primary area of coverage.

Wed, July 23, 2008

Are Virtual Firewalls a Real Solution for VM Security?

By Edward L. Haletky

Keywords: Virtual server, virtual firewall, virtual environment security, virtual infrastructure

One of the hot topics on the VMware Forums lately has been the advisability of using virtual firewalls within the VMware Virtual Infrastructure. The main question is simply whether it is a good idea.

The general answer is yes; they work well enough for most experts to recommend them. However, the more specific answer depends solely on how you have set up your physical and virtual networks and the purpose of the virtual firewall.

Is your purpose to protect all VMs attached to a virtual switch from other VMs on the same virtual switch? You can achieve this with a virtual firewall only if you place the VMs in separate portgroups and firewall between those portgroups.

Is your purpose to protect all VMs attached to a virtual switch from other VMs on different virtual switches? You can achieve that by placing a virtual firewall between the protected virtual switch and up to three other virtual switches. Why three? A VM is limited in the number of virtual NICs it can have, and one of the firewall's NICs must face the protected switch.

Is your purpose to firewall a DMZ attached to the outside world from the inside world? This is also achievable with a virtual firewall, but it requires multiple physical NICs attached to different pSwitches or VLANs within your physical network. It applies the same principle as vSwitch-to-vSwitch protection.

The other big question is which virtual firewall to use. There are several contenders: Smoothwall, m0n0wall, and a host of others. There is also the possibility of running the software from a hardware firewall within a VM, but that depends on the vendor: whether the OS used inside the hardware firewall can be virtualized, whether the vendor supports doing so, and whether some form of instructions for doing so exists.

The Smoothwall folks for example sell a hardware appliance as well as provide an installable image for a Virtual Machine.

The main concern when using a virtual firewall is ensuring that the items to be protected are actually isolated, which comes down to a proper virtual and physical network layout.

The other concern is that, unless you make some low-level modifications, VMs attached to a vSwitch that is not itself attached to a physical NIC cannot participate in VMotion, the ability to move VMs from one virtualization server to another without powering them down.
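The three placement scenarios above, plus the isolation and VMotion concerns, reduce to a handful of layout rules that can be checked before a firewall VM is deployed. The following is an added example, not code from the post or from VMware: a small Python model of vSwitches, portgroups and a firewall VM, with one check per rule. The vNIC limit constant, the rule that a protected vSwitch must have no uplink of its own (otherwise traffic reaches it without crossing the firewall), and the requirement that firewalled portgroups carry distinct VLAN tags are assumptions drawn from the post's reasoning; the sample layouts are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumption: the per-VM virtual NIC limit of the ESX release the post refers to
# (the post only says the limit exists and that it leaves room for three other vSwitches).
MAX_VNICS_PER_VM = 4

@dataclass
class PortGroup:
    name: str
    vlan: Optional[int] = None  # 802.1Q tag on the portgroup; None means untagged

@dataclass
class VSwitch:
    name: str
    uplinks: Set[str] = field(default_factory=set)  # physical NICs; empty means internal-only
    portgroups: List[PortGroup] = field(default_factory=list)

@dataclass
class FirewallVM:
    name: str
    vnics: List[Tuple[str, str]] = field(default_factory=list)  # (vSwitch, portgroup) per vNIC

@dataclass
class Layout:
    vswitches: Dict[str, VSwitch]
    firewall: FirewallVM
    protected: Set[str] = field(default_factory=set)  # vSwitches reachable only via the firewall
    segmented: Set[str] = field(default_factory=set)  # vSwitches whose portgroups are firewalled apart
    dmz: Optional[str] = None                          # vSwitch facing the outside world
    inside: Optional[str] = None                       # vSwitch carrying the inside network

def check_layout(layout: Layout) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing to report."""
    findings = []
    fw = layout.firewall
    fw_switches = {vs for vs, _ in fw.vnics}
    fw_legs = set(fw.vnics)
    # The vNIC limit is what caps one virtual firewall at (limit - 1) other vSwitches.
    if len(fw.vnics) > MAX_VNICS_PER_VM:
        findings.append(("error", f"{fw.name} has {len(fw.vnics)} vNICs; limit is {MAX_VNICS_PER_VM}"))
    # vSwitch-to-vSwitch protection: the firewall needs a leg on the protected vSwitch, and
    # that vSwitch must not have its own uplink, or traffic reaches it without crossing the firewall.
    for name in layout.protected:
        vs = layout.vswitches[name]
        if name not in fw_switches:
            findings.append(("error", f"protected vSwitch {name} has no firewall interface"))
        if vs.uplinks:
            findings.append(("error", f"protected vSwitch {name} has uplinks {sorted(vs.uplinks)}; "
                                      "traffic can bypass the firewall"))
    # Portgroup-to-portgroup protection on one vSwitch: each portgroup needs its own VLAN tag
    # (otherwise they are one broadcast domain) and its own firewall leg.
    for name in layout.segmented:
        vs = layout.vswitches[name]
        vlans = [pg.vlan for pg in vs.portgroups]
        if len(set(vlans)) != len(vlans):
            findings.append(("error", f"{name}: portgroups share a VLAN tag, so they are not isolated"))
        for pg in vs.portgroups:
            if (name, pg.name) not in fw_legs:
                findings.append(("error", f"{name}/{pg.name} has no firewall interface"))
    # DMZ: outside and inside must ride separate physical NICs (different pSwitches or VLANs).
    if layout.dmz and layout.inside:
        shared = layout.vswitches[layout.dmz].uplinks & layout.vswitches[layout.inside].uplinks
        if shared:
            findings.append(("error", f"DMZ and inside vSwitches share physical NIC(s) {sorted(shared)}"))
    # The VMotion caveat: VMs on an internal-only vSwitch cannot move between hosts live.
    for vs in layout.vswitches.values():
        if not vs.uplinks:
            findings.append(("warning", f"{vs.name} has no physical uplink; attached VMs cannot VMotion"))
    return findings

def example_layout() -> Layout:
    """Constructed sample: an internal protected vSwitch fronted by a three-leg firewall VM."""
    switches = {
        "Protected": VSwitch("Protected", set(), [PortGroup("App")]),
        "Corp": VSwitch("Corp", {"vmnic1"}, [PortGroup("Corp")]),
        "DMZ": VSwitch("DMZ", {"vmnic2"}, [PortGroup("DMZ")]),
    }
    fw = FirewallVM("fw01", [("Protected", "App"), ("Corp", "Corp"), ("DMZ", "DMZ")])
    return Layout(switches, fw, protected={"Protected"}, dmz="DMZ", inside="Corp")

def misconfigured_layout() -> Layout:
    """Constructed sample that breaks every rule above (five errors, no warnings)."""
    switches = {
        "Protected": VSwitch("Protected", {"vmnic0"}, [PortGroup("App")]),
        "Corp": VSwitch("Corp", {"vmnic1"}, [PortGroup("Corp")]),
        "DMZ": VSwitch("DMZ", {"vmnic1"}, [PortGroup("DMZ")]),
        "Shared": VSwitch("Shared", {"vmnic2"}, [PortGroup("Web", 10), PortGroup("DB", 10)]),
        "Lab": VSwitch("Lab", {"vmnic3"}, [PortGroup("Lab")]),
    }
    fw = FirewallVM("fw01", [("Protected", "App"), ("Corp", "Corp"), ("DMZ", "DMZ"),
                             ("Shared", "Web"), ("Lab", "Lab")])
    return Layout(switches, fw, protected={"Protected"}, segmented={"Shared"}, dmz="DMZ", inside="Corp")
```

Running `check_layout(example_layout())` yields only the VMotion warning for the internal-only protected vSwitch, which is exactly the trade-off the post describes; `check_layout(misconfigured_layout())` reports the oversubscribed firewall VM, the protected vSwitch that can be reached around the firewall, the two portgroups that share a VLAN tag, the portgroup with no firewall leg, and the DMZ and inside networks that share a physical NIC.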

This last item may dissuade people from using virtual firewalls, but it will not stop me. I use them and recommend them as a solution to an often tricky problem that requires them. However, due diligence with your network layout is absolutely required.

Virtualization expert Edward L. Haletky is the author of "VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers," Pearson Education (2008). He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.
