What is a virtual firewall?
A virtual firewall is a firewall device or service that provides network traffic filtering and monitoring for virtual machines (VMs) in a virtualized environment. Like a traditional network firewall, a virtual firewall inspects packets and uses security policy rules to block unapproved communication between VMs. A virtual firewall is often deployed as software.
Virtual firewalls are commonly used to protect virtualized environments because they are the least expensive and most portable option: a virtual firewall can be moved from one cloud to another with relative ease. A virtual firewall is also simple to upgrade and maintain.
How a virtual firewall works
A virtual firewall is an application or a network firewall service that provides packet filtering within a virtualized environment. A virtual firewall manages and controls incoming and outgoing traffic, working in conjunction with switches and servers in much the same way as a physical firewall does.
A virtual firewall prevents unauthorized users from accessing or transmitting data and files, and prevents an organization's own employees from transferring sensitive data or documents outside the policy it enforces.
A virtual firewall works in one of two modes: bridge mode or hypervisor mode. In bridge mode, the firewall sits inline on the virtual network like a traditional firewall system, inspecting and monitoring all of a VM's incoming and outgoing traffic. In hypervisor mode, the virtual firewall operates in isolation from the physical network: it resides in the core hypervisor kernel and manages the VM's incoming and outgoing traffic from there.
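To make the policy-rule evaluation described above concrete, here is an added example (not code from the original article or from any firewall product) of a minimal stateless rule evaluator of the kind a virtual firewall applies to packets passing between VMs. The VM tiers (web, database, management), the subnets, the rules and the sample packets are all constructed for illustration. It uses first-match semantics with a default-deny fall-through, and it also includes a check for shadowed rules, i.e. rules that can never fire because an earlier rule already covers everything they would match, which is a common defect in firewall policies.

```python
"""Added example: a toy first-match, default-deny packet filter for
VM-to-VM traffic, plus a shadowed-rule check. All addresses, rules and
packets are constructed sample data, not from any real deployment."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as the firewall sees it (constructed sample data)."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp, None for icmp


@dataclass(frozen=True)
class Rule:
    """A single policy rule; its action applies when every field matches."""
    action: str                    # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"             # "any", "tcp", "udp" or "icmp"
    dports: Tuple[int, ...] = ()   # empty tuple means any destination port

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        if not other.src.subnet_of(self.src) or not other.dst.subnet_of(self.dst):
            return False
        if self.proto != "any" and self.proto != other.proto:
            return False
        if not self.dports:                  # self matches any port
            return True
        if not other.dports:                 # other matches any port, self does not
            return False
        return set(other.dports) <= set(self.dports)


def evaluate(rules: Sequence[Rule], p: Packet,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, index of that rule).
    Packets matching no rule get the default action, which is deny: the
    safe posture between VM tiers is to permit only what is listed."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return default, None


def shadowed_rules(rules: Sequence[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule
    already covers every packet they would match."""
    return [i for i, r in enumerate(rules)
            if any(rules[j].covers(r) for j in range(i))]


# Constructed VM tiers for the example.
WEB = IPv4Network("10.0.1.0/24")
DB = IPv4Network("10.0.2.0/24")
MGMT = IPv4Network("10.0.0.0/24")
ANY = IPv4Network("0.0.0.0/0")

# Constructed policy. The last rule is deliberately shadowed by the one
# before it, to show what the shadowed_rules() check reports.
POLICY = [
    Rule("allow", WEB, DB, "tcp", (5432,)),   # web tier may reach the database port
    Rule("allow", MGMT, ANY, "tcp", (22,)),   # management hosts may SSH anywhere
    Rule("deny", DB, ANY, "any"),             # database tier initiates nothing
    Rule("allow", DB, WEB, "tcp", (8080,)),   # never fires: covered by the deny above
]


if __name__ == "__main__":
    samples = [
        Packet("10.0.1.10", "10.0.2.5", "tcp", 5432),   # allowed by rule 0
        Packet("10.0.1.10", "10.0.2.5", "tcp", 22),     # no rule: default deny
        Packet("10.0.0.2", "10.0.2.5", "tcp", 22),      # allowed by rule 1
        Packet("10.0.2.5", "10.0.1.10", "tcp", 8080),   # denied by rule 2
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(POLICY, pkt))
    print("shadowed rule indices:", shadowed_rules(POLICY))
```

The default-deny fall-through is what turns a rule list into a segmentation policy: only the listed web-to-database and management-to-anything flows are permitted, and everything else between tiers is dropped. Running `shadowed_rules(POLICY)` reports index 3, the rule that a reviewer would otherwise expect to permit database-to-web traffic on port 8080 but which is silently dead because of the ordering.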
Virtual firewalls vs. physical firewalls
A physical firewall -- sometimes known as a hardware firewall -- is a network firewall implemented in a real-world security appliance or as part of a routing device that is situated at the edge of the network or between environments.
A physical firewall connects to the protected internal network and the public internet -- or some other unprotected or external network -- over dedicated network interfaces. It is a standalone device that runs independently of any host operating system rather than being built into one. Servers connect to designated switches, and traffic is then routed through the firewall.
One of the benefits of using a hardware or physical firewall is that it sits between the servers and the internet and is the only path for network traffic to pass to and from the protected network. Unless traffic passes through the firewall's network interfaces, the hosts, servers and other devices on the internal protected network cannot communicate or exchange data with any hosts, servers or other devices on the public internet. Because every data exchange goes through the firewall before it can be completed, threats are reduced.
Another advantage of using physical firewalls is that hardware security appliances are designed to handle heavier traffic loads and have faster response times. Network perimeters can also be strengthened using a physical firewall, improving network security.
Additionally, a physical firewall is easier to manage because it is an isolated network component and doesn't affect the performance of other applications, as it might in a virtualized environment. A hardware firewall can also be shut down, moved or reconfigured with little effect on network connectivity or performance.
In contrast, virtual firewalls are deployed as software appliances running within virtualized environments. A virtual firewall monitors and protects the network traffic that transits virtual switches and passes between virtual machines. Virtual switches link systems and applications across logical partitions, and a hypervisor manages the virtualized environment. When virtual firewalls are installed on individual servers, they can be configured and set up more easily.
Virtual firewalls also may be less expensive than physical firewalls, but the cost of purchasing and deploying a large number of virtual firewalls may still be significant. Managing a large number of firewalls -- whether virtual or physical -- can pose other challenges.
Virtual firewalls also deliver a fraction of the network throughput dedicated physical firewalls can provide, which can create bottlenecks throughout the network and reduce business agility and performance.
One advantage of virtual firewalls over hardware-based firewalls is that they can be centrally administered, while hardware firewalls often need IT and network support staff to install, administer and support them on site.
Virtual firewall uses
Using a virtual firewall in the cloud can help protect an organization's cloud infrastructure and services by running in a virtual data center on an organization's servers under an infrastructure as a service (IaaS) or platform as a service (PaaS) model. This type of firewall application runs on a virtual server and protects traffic going to, from and between applications in the cloud.
A cloud-based virtual firewall can meet a number of network security requirements in the cloud, including:
- Securing the virtual data center by filtering and managing traffic flowing to or from the internet, between virtual networks, or between tenants.
- Securing the physical data center by extending a physical data center to the cloud. This is especially applicable to organizations migrating applications to the cloud that need secure connectivity between the cloud and their local infrastructures.
- Securing remote access by offering the advanced access policy, filtering and connection management needed to provide clients with access to the cloud.
- Ensuring all data is subject to the same protective measures as with an on-premises, hardware-based firewall.
- Maintaining the integrity and confidentiality of applications and data by integrating with access control providers and offering a wide variety of granular, policy-based filtering tools.
- Protecting applications and assets in their virtualized environments, as well as responding rapidly when network security requirements change in remote or branch offices or to accommodate temporary staff deployments.