With its promise of scalable capacity, flexible architecture and simple operations, firewall virtualization is an attractive alternative to physical network firewalls. Historically, if you needed more inspection capacity at the network edge or as part of your managed network firewall service, you had to deploy more physical firewalls. That was very resource and budget intensive. With virtual firewalls, you could have more capacity at the touch of a button.
There’s just one problem. Can you imagine using Google Cloud if you had to specify which server you were going to use and what kind of SR-IOV optimization you wanted? No way, it defeats the purpose. Virtual network firewalls need to be available as a readily consumable service to be successful. All the great cloud platforms that exist today have accomplished this and so can firewall virtualization with a turnkey platform to make this possible.
However, building a virtualization platform which automatically converts physical firewalls to virtual ones and then lets you manage these virtual assets is a lot to develop up front and then maintain going forward. Developing it in-house might sound like the most cost-effective way of doing it – you’re not engaging an outside service provider or buying new technology – but does a DIY approach really save you money?
In this two-part series we’ll break down the true cost of a DIY virtualization project. In today’s post, we’ll discuss the steps and expertise you need to create a truly turnkey platform, which provides fully automated firewall virtualization. In part two, we’ll look at the costs of physical versus virtual firewalls and what you might spend on a DIY virtualization project versus a turnkey platform.
The Key Elements of Automated Firewall Virtualization
There are a number of crucial elements to a turnkey solution that automates the migration to virtual firewalls and their operations going forward. Up front, network firewall virtualization has considerations that differ from virtualizing web applications. Unlike VMware vRealize and other virtual machine (VM) automation tools, automation of firewall virtualization needs to deal with network configuration and port assignment, for example, so that each interface is mapped from the physical world to the virtual world without any intervention on your part. It also involves these elements:
- Use the right commodity server and architecture to deliver the required performance for the virtual firewalls. With virtualization you will want to run your virtual firewall instances on general-purpose x86 CPUs – great on the budget but typically not optimized for network security. So, to get optimal, predictable and on-par performance from your compute, you need a good understanding of the server architecture to avoid bottlenecks of network I/O between the NICs, the CPUs and the RAM inside the server.
- Install the right hypervisor software on the server that is optimized for network firewalling. Again, most current hypervisors and related software are not designed for firewall functions that process through-traffic. So, you need one that is suitable while considering all the relevant networking acceleration technologies, such as SR-IOV, DPDK, and others.
- Automate the bootstrapping, software upgrades, and configuration of the virtual firewall. Booting a firewall VM on top of your hypervisor consumes a large amount of DevOps effort: the license, the settings and the policy configuration all have to be applied. In order to be truly cloud‑like, all this needs to happen automatically. So, it is not just the integration of third-party vendors' firewall VMs with the hypervisor and server that must be taken care of, but also the integration with the centralized policy manager.
- Scale your service across multiple firewalls and customers. This allows you to create as many virtual firewalls as you need. It supports multi-tenancy as well as multi-vendor on a single platform.
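The first element above, keeping a firewall VM's vCPUs, memory and NIC on the same NUMA node so through-traffic never crosses the inter-socket link, is the part of the platform a DIY team usually ends up scripting by hand. The following is an added example, not code from the original post or from any vendor's platform. It assumes a hypothetical inventory shaped like the values Linux exposes in sysfs (a NIC's `numa_node`, a node's `cpulist`, a NIC's `sriov_totalvfs`) and builds a placement plan that pins each firewall's vCPUs next to the NIC whose SR-IOV VF carries its traffic, refusing to place a VM rather than silently spilling it onto a remote node or over-committing VFs:

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical inventory types, modelled on what Linux exposes in
# /sys/class/net/<nic>/device/numa_node, /sys/class/net/<nic>/device/sriov_totalvfs
# and /sys/devices/system/node/node<N>/cpulist. Values below are constructed.

@dataclass(frozen=True)
class Nic:
    name: str
    numa_node: int
    vfs_total: int          # sriov_totalvfs: VFs this NIC can hand to VMs

@dataclass
class Host:
    cpus_by_node: Dict[int, List[int]]
    nics: List[Nic]
    reserved_cpus: Set[int] = field(default_factory=set)   # hypervisor housekeeping cores

@dataclass(frozen=True)
class FirewallVm:
    name: str
    vcpus: int
    nic: str                # NIC whose SR-IOV VF carries this firewall's through-traffic

class PlacementError(Exception):
    """Raised instead of producing a plan that would cross NUMA nodes or over-commit VFs."""

def _nic(host: Host, name: str) -> Nic:
    for n in host.nics:
        if n.name == name:
            return n
    raise PlacementError(f"unknown NIC {name!r}")

def cross_node_cpus(host: Host, nic_name: str, cpus: List[int]) -> List[int]:
    """Audit an existing pinning: return the vCPUs that are NOT on the NUMA node
    owning the NIC. Packets for those vCPUs traverse the inter-socket link."""
    local = set(host.cpus_by_node[_nic(host, nic_name).numa_node])
    return [c for c in cpus if c not in local]

def plan_placement(host: Host, vms: List[FirewallVm]) -> Dict[str, dict]:
    """Pin each firewall VM's vCPUs on the NUMA node of its NIC and assign it a VF index
    (the N in `ip link set <nic> vf N ...`). Raises PlacementError when the local node
    lacks free cores or the NIC has no VF left, rather than placing the VM remotely."""
    free: Dict[int, List[int]] = {
        node: [c for c in cpus if c not in host.reserved_cpus]
        for node, cpus in host.cpus_by_node.items()
    }
    vfs_used: Dict[str, int] = {n.name: 0 for n in host.nics}
    plan: Dict[str, dict] = {}
    for vm in vms:
        nic = _nic(host, vm.nic)
        if vfs_used[nic.name] >= nic.vfs_total:
            raise PlacementError(f"{vm.name}: {nic.name} has no free VF")
        pool = free[nic.numa_node]
        if len(pool) < vm.vcpus:
            raise PlacementError(
                f"{vm.name}: needs {vm.vcpus} CPUs on node {nic.numa_node}, {len(pool)} free")
        cpus, free[nic.numa_node] = pool[:vm.vcpus], pool[vm.vcpus:]
        plan[vm.name] = {"node": nic.numa_node, "cpus": cpus, "vf": vfs_used[nic.name]}
        vfs_used[nic.name] += 1
    return plan

# Constructed sample host: two NUMA nodes, one NIC per node, core 0 and core 8
# reserved for the hypervisor. eth1 is deliberately short on VFs.
SAMPLE_HOST = Host(
    cpus_by_node={0: list(range(0, 8)), 1: list(range(8, 16))},
    nics=[Nic("eth0", 0, 4), Nic("eth1", 1, 2)],
    reserved_cpus={0, 8},
)

if __name__ == "__main__":
    vms = [FirewallVm("fw-a", 4, "eth0"), FirewallVm("fw-b", 4, "eth1")]
    for name, p in plan_placement(SAMPLE_HOST, vms).items():
        print(name, p)
    # A pinning that mixes node-0 and node-1 cores for a NIC on node 0:
    print("cross-node cores:", cross_node_cpus(SAMPLE_HOST, "eth0", [1, 2, 9]))
    try:
        plan_placement(SAMPLE_HOST, vms + [FirewallVm("fw-c", 4, "eth0")])
    except PlacementError as e:
        print("refused:", e)
```

On a real host the same two checks map onto `numactl --hardware`, the sysfs files named above and the `<cputune>`/`<numatune>` stanzas of the VM definition; the point of the example is that the planner fails closed. A pinning that "mostly" lands on the right node still pays the cross-socket penalty for the stray cores, which is exactly the I/O bottleneck the first element warns about.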
A turnkey virtualization platform covers all of these elements and more. It also incorporates orchestration, so it all works together and is controlled from a single dashboard. This orchestration must provide full management and configuration of the whole platform and be tightly integrated with the firewall vendors' licensing APIs and policy managers. You also want to make sure it offers full zero-touch auto-provisioning and built-in health check mechanisms that monitor VM health, so you can minimize the DevOps resources needed to manage the virtual firewalls.
The technical investment to automate virtualization of your firewalls is hefty and it probably won’t surprise you that the time and money it takes is substantial.
The Turnkey Virtualization Checklist
On top of these key elements we’ve outlined, we’ve put together a checklist below for you to assess whether a platform is actually delivering the turnkey capability you need. Remember, you’re not just looking at the DevOps required for each element. You also need to consider how each item is integrated into a whole platform. Integration of all the pieces is far from trivial, and rapidly gains more complexity as you scale your needs.
Now that we've outlined the steps involved in a DIY virtualization project, you can start to calculate how much a turnkey platform saves in time and money by reducing DevOps: no team of engineers who have to specify and source the appropriate servers, no experts to code up an integration of the servers with management of the virtual licenses. And no need to blend those scarce skills with an understanding of networking so that traffic is properly handled and inspected while being managed by the security policy manager.
Next time we'll do a sample calculation that outlines the financial investment involved in a DIY virtualization project versus a turnkey platform for automating firewall virtualization. In the meantime, you can read our white paper, Automating Firewall Virtualization is Easy, to learn about a turnkey approach that helps you replace your physical firewalls with virtual ones.