We have a debate going on in our office about whether it's necessary to get a hardware firewall or to set up a virtual one on our VMware cluster.

Our environment consists of 3 server nodes (16 cores w/ 64 GB RAM each) over 2x 1 GB switches w/ an iSCSI shared storage array.

Assuming that we would be dedicating resources to the VMware appliances, would we have any benefit from choosing a hardware firewall over a virtual one?

If we choose to use a hardware firewall, how would a dedicated server firewall w/ something like ClearOS compare to a Cisco firewall?

Luke
  • Almost a duplicate of [Hardware Firewall Vs. Software Firewall (IP Tables, RHEL)](http://serverfault.com/q/268542). This is also likely to solicit debate, arguments without merit, and group-think. Be extremely careful that you don't fall victim to [Confirmation Bias](http://en.wikipedia.org/wiki/Confirmation_bias), where you find an answer that simply agrees with what you think, but where there is no logical argument, fact, or other basis. – Chris S Sep 16 '12 at 13:59

4 Answers

I've always been reluctant to host a firewall in a virtual machine, for a couple of reasons:

  • Security.

With a hypervisor, the attack surface is wider. Hardware firewalls usually have a hardened OS (read-only fs, no build tools) which will reduce the impact of a potential system compromise. Firewalls should protect the hosts, not the other way around.

  • Network performance and availability.

We've seen in detail what bad NICs can do (or can't), and that's something you want to avoid. While the same bugs can affect appliances, the hardware has been selected and is known to work with the installed software. It goes without saying that the software vendor's support may not help you if you have issues with drivers, or with any hardware configuration that they don't recommend.

Edit:

I wanted to add, like @Luke said, that plenty of hardware firewall vendors have high availability solutions, with stateful connection state passed from the active unit to the standby. I've been personally satisfied w/ Checkpoint (on old Nokia IP710 platforms). Cisco has ASA and PIX failover/redundancy, pfSense has CARP and IPCop has a plugin. Vyatta can do more (pdf), but it's more than a firewall.

petrus
  • +1 to "Firewalls should protect the hosts, not the other way around." – ewwhite Sep 15 '12 at 19:55
  • If you put your hypervisor in front of your firewall, sure you're exposing yourself. But this is a network security problem (admin error), not a flaw of virtualization. Vendor choice is definitely a concern when it comes to security. Keep in mind Cisco also provides virtual appliances. Choosing the right hardware is very important. But hopefully you're already doing this for your servers. Also keep in mind a "host" is just hardware. Virtual servers are still behind the firewall (virtually). It isn't somehow backwards. – Luke Sep 15 '12 at 20:43
  • @Luke your firewall is at the mercy of the hypervisor; that's the difference. – gravyface Sep 15 '12 at 20:47
  • @Luke: I don't get what you are trying to explain. A virtualized firewall has twice the attack surface a hw firewall has. FW OS _and_ hypervisor OS/code. And you have to protect the hypervisor underneath anyway, so what's the point? – petrus Sep 15 '12 at 21:05
  • @petrus For something to be attackable it has to be accessible, doesn't it? If a hypervisor console is behind the firewall on a private subnet, how is that different than a hw firewall? You still have to penetrate the firewall to get to the hypervisor. – Luke Sep 15 '12 at 21:19
  • @Luke: No. To get to the virtualized fw, the packets have to flow through the host physical nic. Even if the IP address of the hypervisor/host is not reachable from outside the firewall, bad packets will still be processed by drivers and hypervisor code (hence increasing the number of attack vectors). – petrus Sep 15 '12 at 21:30
  • It's interesting to note that these Cisco machines also use Broadcom nics (http://www.cisco.com/en/US/prod/collateral/ps10265/ps10493/data_sheet_c78-624706.html). I think we all know that 'hardware' firewalls are nothing more than off-the-shelf chips with customized *nix operating systems. Both have drivers; both are subject to the same possible vulnerabilities. I would be glad to examine any security flaws that are unique to virtualization. I don't think you can make sweeping judgements about which is better. Rather, your solution has to be analyzed on a case by case basis. – Luke Sep 17 '12 at 18:06
Assuming the software is the same (it usually isn't), virtual firewalls can be better than a physical firewall because you have better redundancy. A firewall is just a server with CPU, RAM, and uplink adapters. It's the same argument as a physical web server versus a virtual one. If the hardware fails, a virtual server can be migrated to another host automatically. The only downtime is the amount of time it takes for the virtual firewall to be migrated to another host, and perhaps the time it takes for the OS to boot.

A physical firewall is bound to the resources it has. A virtual firewall is limited to the resources inside a host. Typically x86 hardware is far cheaper than that of a physical enterprise firewall. What you have to consider is the cost of the hardware, plus the cost of the software (if not using open source), plus the cost of your time (which will depend on the software vendor you go with). After you compare the cost, what features are you getting on either side?

When comparing firewalls, virtual or physical, it really depends on the feature set. Cisco firewalls have a feature called HSRP which allows you to run two firewalls as one (master and slave) for failover. Non-Cisco firewalls have a similar technology called VRRP. There's also CARP.

When comparing a physical firewall to a virtual one make sure you're doing an apples to apples comparison. What features are important to you? What is the configuration like? Is this software used by other enterprises?

If you need powerful routing, Vyatta is a good bet. It has firewall capabilities. It has a very Cisco-like configuration console. They have a free community edition at vyatta.org and a supported version (with some extra features) at vyatta.com. The documentation is very clean and straightforward.

If you need a powerful firewall, take a look at pfSense. It can also do routing.

We decided to run two Vyatta instances with VRRP on our ESXi hosts. To get the redundancy we needed with Cisco (two power supplies per firewall, two firewalls) it would have cost $15-30k. For us Vyatta community edition was a good option. It has a command line only interface, but with the documentation it was easy to configure.

Luke
  • Good answer. We've used a myriad of hardware and software appliances - and given the fact you can push line-rate 1Gbps @ 64Bytes on a low-end x86 machine on pfSense, it's a no-brainer. Dedicated hardware firewall appliances are typically around the £10k mark to do those kinds of numbers. – Ben Lessani Sep 15 '12 at 18:02
  • It depends on whether the firewall is an endpoint device. I've seen many a VMware cluster die because of storage issues or networking problems. Typically, HA takes care of things, but I could see a particular issue with having the firewalls set up in that environment. Is this a full HA/vMotion/DRS setup? – ewwhite Sep 15 '12 at 20:08
  • @ewwhite Yes, full HA/vMotion/DRS. Two instances of Vyatta with VRRP and hot failover. – Luke Sep 15 '12 at 20:20
  • If possible, my preference is to have one virtualised but one on a dedicated box. – Robin Gill Sep 16 '12 at 01:37
I go with dedicated hardware because it's purpose-built. Having an appliance is handy in that respect, especially if it's a VPN endpoint or some other gateway. It frees your VMware cluster up from that responsibility. In terms of hardware/RAM/CPU resources, running a software solution is definitely fine. But that's not really a concern.

ewwhite
Of course it's not necessary, and for most people, it will get the job done. Just take into consideration that your traffic may trombone across your virtual switch uplinks unless you dedicate NICs to the firewall VM. (You'll have to do this on each box you want to be able to vMotion to.)

Personally? I prefer dedicated hardware because it's really not that expensive. You can get performance numbers on the dedicated hardware from the manufacturer, but your VM firewall performance is completely subject to how busy your hosts are.

I say try out the software one, see how it goes. If down the road you need to install a hardware one, then do so.

SpacemanSpiff
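Two points in this thread combine into one concrete hardening step: petrus's objection that untrusted packets reach hypervisor drivers before the virtual firewall sees them, and SpacemanSpiff's advice to dedicate NICs to the firewall VM on every host it can vMotion to. The PowerCLI script below is an added example written for this page, not code from any answerer or from VMware; it puts the firewall's untrusted uplink on its own standard vSwitch per host, applies a reject-all security policy to that port group, and then checks that no vmkernel adapter (management, iSCSI, vMotion) and no non-firewall VM is attached to it. The names `vmnic2`, `vSwitchWAN`, `WAN-Untrusted`, the `fw-01`/`fw-02` VM names and the vCenter address are assumptions.

```powershell
# Added example (not from the thread): isolate a virtual firewall's untrusted uplink
# on its own standard vSwitch on every host, then audit what is attached to it.
# vmnic2, vSwitchWAN, WAN-Untrusted, fw-01/fw-02 and the vCenter name are assumptions.
$wanNic  = 'vmnic2'          # physical NIC reserved for the untrusted side on each host
$wanSw   = 'vSwitchWAN'      # vSwitch carrying only that NIC
$wanPg   = 'WAN-Untrusted'   # the only port group on that vSwitch
$fwNames = @('fw-01', 'fw-02')   # the VRRP/CARP firewall pair allowed on it

# Connect-VIServer -Server vcenter.example.internal   # placeholder; run interactively

foreach ($esx in Get-VMHost) {
    # Same layout on every host so the firewall VMs keep valid vMotion/HA targets.
    $vs = Get-VirtualSwitch -VMHost $esx -Name $wanSw -ErrorAction SilentlyContinue
    if (-not $vs) { $vs = New-VirtualSwitch -VMHost $esx -Name $wanSw -Nic $wanNic }

    $pg = Get-VirtualPortGroup -VirtualSwitch $vs -Name $wanPg -ErrorAction SilentlyContinue
    if (-not $pg) { $pg = New-VirtualPortGroup -VirtualSwitch $vs -Name $wanPg }

    # Default-deny on the untrusted side: no sniffing and no MAC spoofing by guests.
    Get-SecurityPolicy -VirtualPortGroup $pg |
        Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
        Out-Null

    # Check 1: no vmkernel adapter may live on any port group of the WAN vSwitch,
    # otherwise management, iSCSI or vMotion traffic shares the untrusted uplink.
    $wanPgNames = (Get-VirtualPortGroup -VirtualSwitch $vs).Name
    $vmk = Get-VMHostNetworkAdapter -VMHost $esx -VMKernel |
        Where-Object { $wanPgNames -contains $_.PortGroupName }
    if ($vmk) {
        Write-Warning "$($esx.Name): vmkernel adapter(s) on $wanSw : $($vmk.Name -join ', ')"
    }
}

# Check 2: only the firewall pair is attached to the untrusted port group.
Get-VM | Get-NetworkAdapter |
    Where-Object { $_.NetworkName -eq $wanPg -and $_.Parent.Name -notin $fwNames } |
    ForEach-Object {
        Write-Warning "$($_.Parent.Name) is attached to $wanPg but is not a firewall VM"
    }
```

The reject-all policy is the default-deny starting point. If the firewall pair answers for the VRRP virtual MAC (00:00:5e:00:01:xx) instead of each vNIC's own MAC, the port group has to accept MAC changes and forged transmits for those two adapters, so run the pair with the real interface MAC where the firewall software allows it and only relax the policy on the firewall port group itself. Re-running the two checks after every host addition catches the common drift case where a new host gets the WAN vSwitch but a management vmkernel port lands on it.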