Jan 22, 2015 By Jean-Paul Bergeaux In Blog

Why Virtualize NGFWs?

After the blog I wrote about the dirty little secret of virtual appliances, a few people asked why it’s such a big deal to virtualize a Next-Generation Firewall (NGFW) anyway.  “Why not just use appliances?  You don’t need that many of them,” they said. I knew right away where the disconnect was.

Traditional security environments only use firewalls at the perimeter.  That’s always been the standard.  But today’s war against the bad guy has changed that paradigm.  As I’ve written before, it’s no longer about preventing intrusion.  Ultimately, a bad actor will get in, and so you’ve also got to monitor user activity and traffic inside the firewall. You can read some of my thoughts about how the game has changed here and here.

When an agency starts looking inward at the data and activity on the internal network, “checkpoints” can serve as a great asset, even inside the network.  Those checkpoints can be both collection points of activity and barriers of activity.  An NGFW is perfect for this.  It serves as an intrusion prevention system (IPS) and a firewall.  Sometimes this can be referred to as compartmentalization of data and applications.  Users that need and deserve access are given permission in the identity management infrastructure.  Then firewalls (NGFWs) are placed at the barrier to the rest of the intranet to prevent unauthorized access if someone compromises the data and network in another application.  Essentially, it becomes like ship compartments that stop a boat from sinking if there is a leak in one of the compartments. Just as the water is contained within the compartment where the leak occurs, the unauthorized user is contained within the compromised application.

I’m sure everyone is doing the math on how many disparate applications and compartments that might spawn in their environment.  It can add up quickly!  This type of effort can create a myriad of problems for many of the NGFW options on the market today. Keep counting.

The first problem is cost.  If you attempt to roll out NGFW hardware appliances for every compartment you want to secure, you will need redundant pairs at the very least, and possibly even more if the application has high peaks and low dips in traffic and usage.  Keep counting.

Secondly, most firewalls, even NGFWs, are assumed to be limited in count due to the perimeter nature in traditional architectures.  When you scale out to these types of numbers of firewalls, the management and configuration design matters.  Many do not have a propagating policy-based configuration.  Each NGFW needs to be configured separately.  In addition, many do not have TRUE centralized console management in the core design of the product. Yep, keep counting!

Finally, applications today are virtualized on VMs and SDN, which allows them to be moved or changed significantly with a few simple clicks.  This does not work if you have hardware appliances in front of them as a firewall!  The only solution is virtualized NGFWs that can be created and managed as a part of the entire application stack.  This allows for the flexibility and the cost savings of dedicating the appropriate CPU, memory and network resources to the firewall as needed.

So we’re back to the proposition that virtual firewalls, specifically NGFWs, are important.  If the vendor for an NGFW relies on ASICs to perform the complex functions that normal x86 code would, you get a crippled NGFW.  Astonishingly, this happens OFTEN.  SwishData has run into this scenario often enough to have investigated solutions and found one we like, as I noted in my last blog.

There’s one more thing I like about McAfee’s NGFW that you don’t find in most solutions.  It can act as a load balancer too.  Most NGFWs run active-passive or have a limit to how many active-active appliances you can run.  If you roll out three or more McAfee NGFWs, each is active and can be used at the same time.  If any one of them fails, the others just assume that traffic.  So instead of rolling out three load balancing virtual appliances and three NGFWs, you can just roll out three McAfee NGFWs.  It’s actually a good consolidation for cost savings.  You can read more about this solution here and here.