In Part A, I discussed the functional requirements for a virtual firewall. Now let's take a look at the technologies required to make this work.
Firewalls segment traffic. That's obvious, but think about this in the cloud. For this to work, there must be a method to assure that all traffic to/from a tenant is available for inspection and the application of access controls by the firewall. This means the virtualization host must support at least one of the following:
- Routing traffic to/from a tenant system through the virtual firewall at the network layer, this is how "bump-in-the-wire" devices work. This is a poor solution in virtual environments.
- Routing traffic to/from a tenant system through the virtual firewall at the hypervisor layer. This is a more efficient technique because it reduces latency and the number of CPU cycles needed to inspect packets.
- Other novel techniques enabled by virtualization -- Magic. I call this "Magic" because it is now possible to create intelligence around which packets need to be inspected or filtered by the firewall.
Virtual firewalls must include configuration management capabilities. Why? Because it is much easier to reconfigure ports and networks in the virtual environment, or even configure a virtual machine to bridge networks. This is a tricky situation in the cloud because this capability requires visibility and integration into the cloud provider’s management framework.
Dynamic policy enforcement
Virtual machines migrate. This requires policy enforcement capabilities that are independent of location and layer 2 and 3 connectivity. Segmentation and access controls must transparently follow virtual machines as they migrate or are copied between virtualization hosts, data centers, or cloud providers.
Unless cloud providers wish to assume all of the responsibility for correct configuration of their customer's virtual firewalls, the provider must give their customers control of the firewall policies while at the same time preventing one customer from inappropriately blocking traffic to another customer.
Can anyone name a cloud provider who makes this all possible?