Virtualization has received widespread adoption in enterprises when it comes to running applications. However, there is still one holdout: network security and, in particular, firewalls for North-South traffic flows. Why are we struggling with this area of network security virtualization when we have seen it happen everywhere else in IT infrastructure?
The reason is simple. Network security virtualization is difficult, especially if deployed at your Internet gateway, which has some unique requirements. The mere thought of virtualization is enough to send shivers down the spine of a network or security architect; too many forced virtualization projects have gone wrong and led to costly backtracking and sub-optimal results. Adding the complexity of network security on top is something most just want to avoid.
What it takes to achieve network security virtualization
For network security virtualization to succeed, it needs to guarantee scale while remaining simple to use. You must be able to leverage those virtual NGFW instances and create higher-capacity inspection so you can augment, or outright replace, a firewall of any size. In other words, it needs to let you easily spin up whatever inspection capacity you require, and it needs a dashboard so you can orchestrate and manage all those VMs within the context of your network.
That’s a lot to achieve. To begin to build it, you need to determine the right commodity server for the NGFW VMs to run on. Then you need to install hypervisor software on the server. Next, you bootstrap, upgrade the software on, and configure the NGFW VM. Finally, you want to be able to scale one NGFW virtual instance out to many instances, creating virtual NGFW arrays of any inspection capacity on a single server. Sound intimidating? That’s because it is. In fact, if you broke it down, there’d be over 10 steps to check off:
- Specification and purchase of server hardware optimized for network security
- Configuration and optimization of hypervisor software for network security
- Orchestration and automation to bootstrap and initially configure the NGFW VMs
- Integration of licensing from the security vendors into the orchestration and automation
- Provisioning of configuration and policy settings to the VMs in a zero-touch way
- Single-pane-of-glass VM orchestration and monitoring
- Stateful connection tracking for intelligent traffic steering to and from VMs
- Scale-out to unlimited inspection capacity with built-in load-balancing capability
- Health check mechanisms to monitor VM and system performance
- Automated software upgrades
- Maintenance of the underlying infrastructure so its upgrades are taken care of as well
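The "stateful connection tracking for intelligent traffic steering" and "scale-out" items above are the two that bite operators most: both directions of a connection must reach the same NGFW instance (otherwise the stateful firewall never sees the reply and drops it), and adding or losing an instance must not scramble connections that are already established. The following is an added illustration, not code from the original post or from any vendor's product; the instance names and the simplified 5-tuple flow key are assumptions.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class FlowSteerer:
    """Steers flows to NGFW VM instances with direction-independent, sticky pinning."""
    instances: dict = field(default_factory=dict)  # name -> healthy (bool)
    flows: dict = field(default_factory=dict)      # flow key -> pinned instance name

    def add_instance(self, name: str) -> None:
        # New capacity only receives new flows; existing pins are never moved.
        self.instances[name] = True

    def set_health(self, name: str, healthy: bool) -> None:
        # Fed by the health-check mechanism; an unhealthy instance gets no new flows.
        self.instances[name] = healthy

    @staticmethod
    def flow_key(src, sport, dst, dport, proto):
        # Order the two endpoints canonically so the forward packet and its reply
        # produce the same key; this is what keeps a stateful firewall symmetric.
        a, b = (src, sport), (dst, dport)
        if a > b:
            a, b = b, a
        return (proto, a, b)

    def _pick(self, key) -> str:
        healthy = sorted(n for n, ok in self.instances.items() if ok)
        if not healthy:
            raise RuntimeError("no healthy NGFW instance available")
        digest = hashlib.sha256(repr(key).encode()).hexdigest()
        return healthy[int(digest, 16) % len(healthy)]

    def steer(self, src, sport, dst, dport, proto) -> str:
        key = self.flow_key(src, sport, dst, dport, proto)
        inst = self.flows.get(key)
        if inst is None or not self.instances.get(inst, False):
            # Either a new flow, or the pinned instance failed its health check.
            # A re-steered flow lands on an instance with no state for it, so it
            # will typically be reset and re-established by the endpoints.
            inst = self._pick(key)
            self.flows[key] = inst
        return inst


def demo():
    # Constructed sample: two instances, one client connection to a web server.
    s = FlowSteerer()
    s.add_instance("ngfw-vm-1")
    s.add_instance("ngfw-vm-2")
    out = s.steer("10.0.0.5", 51000, "203.0.113.10", 443, "tcp")
    back = s.steer("203.0.113.10", 443, "10.0.0.5", 51000, "tcp")
    return out, back
```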
As you can see, integration is far from trivial and rapidly gains complexity as you scale your platform.
Turnkey virtualization is the answer
However, there’s a solution. For virtualization to be truly useful you ideally want all the benefits we’ve come to appreciate from the cloud. Can you imagine using Google Cloud if you had to specify which server you were going to use and what kind of SR-IOV optimization you wanted? Or if you had to upgrade the hardware at some point? No way, it defeats the purpose.
There are a number of crucial elements to a turnkey solution to ensure virtualization of your firewalls is simple, freeing up your time to focus on security policy instead of infrastructure. It needs to be:
- Push-button easy so it can be used in minutes and you never have to deal with the infrastructure.
- Really straightforward to add and remove inspection capacity so it clearly brings you operational and economic efficiencies.
- Tightly integrated with your existing firewall vendor and policy manager to scale your traffic inspection without requiring any big firewall and network changes from your end.
We’ve learned from witnessing the journey to virtualization in the IT world that the way to make virtualization consumable is to deliver it as a turnkey platform. Just like other cloud approaches that have been so successful – think Nutanix and HCI – turnkey network security virtualization dissociates you from hardware ownership and offers a quick and easy path to the outcome you want.
A turnkey approach to virtualizing your firewalls takes care of everything so you don’t have to. It’s a way of scaling traffic inspection so you get 100% SSL/TLS visibility, and the best part is it feels like you’re using the Google, Azure or AWS clouds. You move from a resource-intensive method of managing your firewall to an ‘easy button’. A monthly subscription fee covers your compute capacity for traffic inspection, and when you need additional inspection it’s just a matter of ordering it with a single click.
Moving to a turnkey platform dramatically reduces project risk and speeds time to deployment. Enterprises reap the benefits of the cloud model for network security, just like they have with all other applications. It’s possible with HCI and it’s possible with network security too.
You can learn more about how to stop your firewall from burning by solving the virtualization puzzle here.