“Dude! Where’s my Server?” – Firewall Edition
Remember when server virtualization was still new and untested and we (endearingly) referred to the skeptics as “server huggers”? You know the type. They’d walk into the server room and say “which server is mine?” You could always answer in confidence and tell them that their server is “somewhere in one of these first 3 rows of server racks”. Maybe they just wanted to know where to put the asset tag? Or perhaps give it one last hug and feel the warmth emanating from the air vents. And when it came to P2V, remember the look on their faces right before they said “you want to do what to my server?!?”
We humans don’t naturally accept change very well, but eventually most server huggers came to accept server virtualization as being safe. Not only has virtualization become socially normalized, but the economic drivers of CAPEX, OPEX, agility – and even performance – have led many former server huggers to embrace it. After all, it is the abstraction of physical resources that is perhaps the biggest enabler of this new paradigm of benefits – and to take advantage of those benefits we had to think differently about servers.
WHAT ABOUT FIREWALLS?
Firewalls can be abstracted too. When we go over our Visio diagrams of networks and think about VLANs, routes and security, oftentimes we think in terms of physical hardware. “I need to have two firewalls here – load balancers there, and another firewall for this remote web farm”. But what if we could abstract firewalls and virtualize them, such that for some elements we didn’t need to purchase and deploy a physical firewall at all?
VMware vSphere customers who are at the Enterprise Plus level essentially just got a free upgrade to vCloud Suite Standard which includes virtual application firewall capabilities in both vShield App and vShield Edge. And those who upgrade to vCloud Suite Advanced also gain a virtualized load balancer. Cisco also makes a virtual edition of their Adaptive Security Appliance (ASA) – the Cisco ASA 1000V – which can be integrated into VMware vSphere environments as well.
With solutions like these – abstracting firewalls and network security – it is now possible in many cases to build your security policy into your virtualized environment. Need a web server policy to open 443 and 80 for a specific group of servers while only allowing a custom high-level SQL port back inside? We can do that. Firewalls between servers which might even be running on the same physical host? No problem. By abstracting network security to logical boundaries we might be able to provision applications more quickly and more securely — and perhaps not need to purchase as much physical network hardware as we are accustomed to. And with VMware’s acquisition of Nicira, this movement to abstract the network layer has only just begun.
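To make the “logical boundary” idea concrete, here is an added example (not code from the original post, and not the policy model of vShield App, vShield Edge or the ASA 1000V) that expresses the web-farm policy described above as rules between security groups rather than between physical devices, then evaluates sample flows against it. Host names, group names and the “custom high-level SQL port” value are constructed assumptions; the important behaviours are the default deny and the fact that two web servers on the same physical host are still separated.

```python
"""Toy security-group firewall policy evaluator (added example, constructed data).

Policy intent from the post: web servers accept 80/443 from anywhere; only the
web group may reach the database on a custom high-numbered SQL port; everything
else, including traffic between VMs that share a physical host, is denied.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: VM name -> the logical group(s) it belongs to.
GROUPS = {
    "web": {"web01", "web02"},   # web01 and web02 may sit on the same ESXi host
    "db": {"sql01"},
    "mgmt": {"jump01"},
}

SQL_PORT = 14330  # constructed stand-in for the "custom high-level SQL port"


@dataclass(frozen=True)
class Rule:
    src: str            # group name, or "any"
    dst: str            # group name, or "any"
    proto: str          # "tcp", "udp", or "any"
    port: Optional[int] # destination port, or None for any port
    action: str         # "allow" or "deny"


# First-match policy; anything that matches no rule is denied by default.
POLICY = [
    Rule("any", "web", "tcp", 80, "allow"),
    Rule("any", "web", "tcp", 443, "allow"),
    Rule("web", "db", "tcp", SQL_PORT, "allow"),
    Rule("mgmt", "db", "tcp", 22, "allow"),
]


def groups_of(host: str) -> set:
    """Return every group a host belongs to (empty for unknown/external hosts)."""
    return {name for name, members in GROUPS.items() if host in members}


def _matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    if rule.src != "any" and rule.src not in groups_of(src):
        return False
    if rule.dst != "any" and rule.dst not in groups_of(dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.port is not None and rule.port != port:
        return False
    return True


def evaluate(policy, src: str, dst: str, proto: str, port: int) -> str:
    """Return the verdict for one flow: the first matching rule's action, else deny."""
    for rule in policy:
        if _matches(rule, src, dst, proto, port):
            return rule.action
    return "deny"  # default deny: no rule, no traffic


def simulate(policy, flows):
    """Evaluate a list of (src, dst, proto, port) flows; returns list of (flow, verdict)."""
    return [(flow, evaluate(policy, *flow)) for flow in flows]


if __name__ == "__main__":
    sample_flows = [  # constructed traffic to exercise the policy
        ("internet", "web01", "tcp", 443),   # public HTTPS to the web farm
        ("web01", "sql01", "tcp", SQL_PORT), # web tier talks to the DB on the custom port
        ("web01", "sql01", "tcp", 1433),     # default SQL port is not opened
        ("internet", "sql01", "tcp", SQL_PORT),  # DB is never exposed externally
        ("web01", "web02", "tcp", 22),       # same host, still a firewall in between
        ("jump01", "sql01", "tcp", 22),      # management access only from mgmt group
    ]
    for flow, verdict in simulate(POLICY, sample_flows):
        print(f"{flow[0]:>9} -> {flow[1]:<6} {flow[2]}/{flow[3]:<5} {verdict}")
```

The evaluator is deliberately stateless and port-based, which is all the post’s example needs; a real distributed firewall also tracks connection state, so the “back inside” SQL replies are permitted by the same rule that allowed the request rather than by a separate reverse rule.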
Physical network hardware isn’t going away, but as we review our designs we might want to start thinking about virtualizing certain components of our network security and consider it as an option. Over the longer run, I suspect we will see even more abstraction at the networking level over the years.