Will the firewall and IPS fall short in the future?
The firewall and IPS have proven versatile, available not only as hardware appliances but as software too, sometimes designed specifically to push security into virtualized desktop and server environments based on VMware, Microsoft Hyper-V, Red Hat's Kernel-based Virtual Machine (KVM) or the open-source Xen hypervisor (which Citrix recently donated to the Linux Foundation). VMware -- to the dismay of some firewall vendors -- has itself jumped in over the past few years with software-based virtualized firewalling controls of its own.
Check Point's Kost acknowledges, "Virtualization is creating a new challenge. What we're seeing is they need a lot more firewalls," noting the Check Point 21000 and 61000 represent Check Point's push to support VMware-based networks. VMware itself has vCloud Networking and Security, which can be used to establish VM-based firewalls.
All of this raises the question of who's in charge of firewalls and IPS these days anyway, points out Jason Brvenik, vice president of security strategy in the technical research group at Sourcefire.
Virtual machine-based approaches to firewalling and IPS are growing
WatchGuard Technologies just last month introduced Hyper-V support to its XTMv unified threat management platform, for example. Karim Toubba, Juniper Networks vice president of products and strategy, is adamant in declaring "the firewall now has to be a virtual form factor, it can no longer be that box," noting Juniper's approach supports KVM and VMware. "The perimeter has become elastic, and in private cloud environments, we expect the firewall to be elastic."
Nielsen says Cisco has the ASA 1000V Cloud Firewall.
Sourcefire, which shipped its first next-generation firewall, FirePower, this spring, has also developed a way to filter hypervisor traffic in Xen, KVM and VMware workload environments, says Brvenik. But he acknowledges there can be performance challenges compared with more traditional IPS.
Chris King, of Palo Alto Networks, says it's increasingly common to see customers simultaneously using both its physical and virtualized next-generation firewalls.
But NSS Labs analyst John Pirc cautions that hypervisor-based firewalls and IPS are still fairly new overall, and one issue is that firewall/IPS vendors don't always support multiple virtualization platforms. NSS Labs will likely test virtual-machine-based security in its labs this year.
However, virtualized firewalls appear to constitute less than 5% of the overall firewall market today, according to Gartner. Young says virtualized firewalls tend to complicate matters if only because of "boundary" quarrels over whether they will be managed by the network operations group or the server operations group. "There's complexity of who owns what in this virtualized version," he pointed out.