Physical or Virtual Firewall: What fits best for your environment?
- 03 August, 2018 06:00
Infrastructure, security and network experts say the rise of virtualisation has most affected the way they design, protect and operate the systems that businesses depend on. Today, both physical and virtualised systems can coexist or be part of a strategy allowing service providers and system integrators to develop solutions that meet customer needs.
However, some security practitioners argue security appliances should only run on their own hardware so that they are isolated from vulnerabilities potentially affecting hypervisors or business programs sharing the same hardware as a security application.
Why go virtual?
When you consider the functionality of a virtualised security appliance such as a firewall or intrusion detection system, it is easier – and often more cost effective – to deploy multiple instances of the security appliance.
If you need to run a disaster recovery or secondary business continuity environment, the software can be installed on a virtual machine that is only activated when needed. Then you only pay licensing costs on the number of active instances of the security software which means while secondary environments are ready for action they aren’t attracting licensing fees for software that is not active.
If you have already invested heavily in building a virtualised environment, you may prefer to leverage that infrastructure rather than adding bespoke equipment to the mix. Many security applications can operate at acceptable performance levels on commodity hardware although it's not always the best solution for production environments.
Virtualised environments also benefit from easier scalability as more appliances can be added quickly without more hardware. And the deployment of new security services can be automated for added efficiency.
Competitive advantage of Physical appliance over Virtual
Despite the attractions of virtualised infrastructure there are cases where bespoke hardware is preferable. For example, many security-related activities work best on optimised hardware. While commodity computers can perform some tasks well, it may not be the case with more complex operations such as content inspection, decryption and virtual private networks. This is because purpose-built security appliances use custom chips and architectures that are optimised for specific workloads.
As security appliances are designed to be hardened (reducing their attack surface), issues such as privilege escalation are less likely to present a risk. However, virtualised security software, such as a firewall, presents an attractive target to threat actors. If a hypervisor hosting security functions is attacked and breached, hackers have an entry point to the business.
However, when security appliances are run on their own hardware, they can be controlled so that inbound and outbound traffic is monitored and limited. If there is a breach elsewhere on the network, the likelihood of the security appliance also being compromised is reduced.
Why can't you have both?
There's a strong case for operating a hybrid security infrastructure that includes both physical and virtual systems.
For example, low intensity tasks can be executed on commodity hardware in a virtualised environment while other tasks that are best executed on bespoke hardware can be on specific appliances.
When putting together disaster recovery and business continuity solutions, it may be advisable to run the primary system on optimised security appliances with backup systems installed, configured and ready to run on virtualised environments operating either in the cloud or on premises at secondary sites.
For growing businesses, a virtualised solution can make sense as it provides an easy upgrade path to purpose-made hardware. Assuming the business already has hardware capable of running virtualised services, products such as Fortinet's Virtual Next generation Firewall can be installed on a virtual server.
When the business grows and requires an appliance to keep up with changing needs, there is an easy upgrade path that allows the business to migrate its firewall rules and configuration easily to the new appliance.
It also means skills and expertise built up within the business can still be leveraged.
Larger businesses, where a main office supports smaller satellite workplaces, often use dedicated security appliances at the core with virtualised systems in the smaller offices.
Service providers can also offer virtualised services to customers, providing an option to access security services within their hosted virtual environments.
For service providers and technology professionals, the rise of the virtual machine has delivered many benefits. But the security business has been more conservative in its adoption. There are many opportunities where virtualised security appliances can either complement physical appliances or offer a cost effective way to support the security needs of specific clients.