While the benefits of virtualization for our organizations are becoming widely recognized, some network security professionals remain hesitant to deploy virtual firewalls in their private network. Is it because of some virtual firewall myths? Do they not believe it can deliver the functionality they need? Is it because they don’t think they need them? Or, is it because it’s simply too hard to manage on-premise virtual firewalls?
The short answer is that there are multiple reasons why this is not a top priority for many organizations. Some of these are valid but others are based on inaccurate information. Here, we debunk five virtual firewall myths which might be holding you back from enjoying their scale, simplicity and speed.
Myth 1: Virtual firewalls offer a subset of physical firewall functionality
Virtual firewalls are actually a virtualized version of a physical firewall, not a subset. Just as physical firewalls do, they allow or reject access to traffic flows between trusted and untrusted areas on the network. These days, virtual firewalls provide the same functionality, features, and capabilities as their hardware counterparts. They typically use the same software as that running on appliances, making them easy to integrate, configure, and manage.
Thanks to the fact that they’re software-based, virtual firewalls are ideally set to support a wide range of virtualization environments and cloud-native infrastructures. They can be deployed in private, public, and hybrid network environments.
Myth 2: Migrating to virtual firewalls is a simple matter of scripts
While using virtual firewalls is incredibly intuitive, migrating to them is another matter. DIY projects are complex, time consuming, and costly. They represent an intensive drain on scarce engineering resources since they require several steps: the identification and purchase of server hardware appropriate to the network topology and bandwidth needs; the configuration and optimization of the hypervisor; sizing of the virtual firewalls with orchestration and automation; integration of licensing; testing and validation; plus maintenance. The process is long, and each step demands work from a whole team of experts in network engineering, security, systems integration and DevOps.
With a DIY approach there is a higher chance of human error during deployment and configuration, further complicating the process. This is particularly true of large, complex, distributed networks with multiple vendors and architectures. There is no vendor support if you’re relying on your internal DevOps team to perform the migration; you are the support team at all hours of the day and night.
Aside from the complexity, it’s important to recognize that these engineering hours contribute to the total financial investment of migration. When debating a DIY approach, you need to factor in the costs of personnel and training, not just tools. And don’t forget the reality of technical debt. Also known as design debt or code debt, technical debt is the implied cost of additional rework caused by choosing an easy (limited) solution now instead of using a better approach in the first place.
Myth 3: Virtual firewalls are only in the datacenter
While virtual firewalls were initially deployed in the datacenter, they’re not limited to it. Increasingly, they are being used as on-premise network firewalls. They can help to provide a consistent network security posture across your entire IT environment, including private clouds, public clouds and branch locations.
Just as easily as they segment east-west traffic inside data centers and branches, they can be deployed as virtualized instances of next-generation firewalls to inspect and control north-south traffic, while providing advanced threat prevention measures.
This ability to deploy virtual firewalls in multiple environments and deployment scenarios has the advantage of reducing time, effort, error and expenses.
Myth 4: It can be expensive to convert physical to virtual firewalls
Actually, the Total Cost of Ownership (TCO) is very compelling for virtual firewalls. In our studies, we’ve found that the TCO is four to five times lower with automated firewall virtualization when compared to DIY virtualization. And you don’t just have to take our word for it. Our partner, Palo Alto Networks, has also concluded that automated firewall virtualization saves you money. In their studies they reported an ROI of 115% over a six-month payback period.
Here’s how it breaks down. Let’s say a firm needs 50 physical firewalls over three years. This will cost $3,000,000 CAPEX up-front and take over a year from conducting the RFP process to deploying the firewalls. In contrast, a turnkey platform for automated firewall virtualization would have a total cost of $810,000 OPEX over three years and you can be up and running in 30 days or less. That’s five times lower TCO and significantly faster time to deployment (as much as 24x).
There are also the “hidden” cost savings to consider:
- Reduction in engineering time
- Reduced costs from software licenses and hardware management
- Quicker purchasing process
- Right-sized capacity: you only pay for what you need
- Elimination of disruptions for upgrades and maintenance
- Reduced number of security incidents
Myth 5: There is no rush to use virtual firewalls
When you need to modernize your network, virtualization is a must, and that can include your network firewall. Virtual firewalls dramatically improve business agility, allowing your network security to keep step with all the other developments in the organization. Their flexibility, scalability and agility mean they can enhance your threat protection and provide a host of other benefits:
- Rapid time to deployment
- Cloud-like experience
- Simple, centralized management
- Zero-touch network security operations
- Ability to add additional capabilities and future services such as: application awareness and control, intrusion detection and prevention, advanced malware detection, and logging and reporting without impacting performance.
- Ability to cover different scenarios, including perimeter, small and midsize businesses (SMBs), data center, cloud, and distributed offices.
- Ability to offer bidirectional controls (both egress and ingress) for securing networks
Moving past the virtual firewall myths
Simply put, there is no need to let these virtual firewall myths delay deploying virtual firewalls as part of your network security architecture. Virtual firewalls are not a subset of physical firewalls, nor are they restricted to the datacenter. In fact, they offer feature parity with physical architecture and can be deployed in private networks as well as in private, public or hybrid cloud environments.
They don’t have to be complicated or expensive to deploy and manage, especially when you opt for a turnkey virtualization approach which takes care of deployment, ongoing scaling and optimization in an automated way. Thanks to their software-defined nature, virtual firewalls are actually well-suited to the constantly changing demands of rapid digitization, enabling security teams to enhance threat protection, even in the face of a growing array of cyberthreats and an expanding attack surface.