African man in glasses gesturing while playing in virtual reality game

Virtual Firewalls

 

 

Virtual Firewalls

In cybersecurity, firewalls protect networks from unauthorized access and potential threats. Traditional firewalls have long been employed to safeguard organizations’ digital assets. However, with the rise of virtualization technology, virtual firewalls have emerged as a powerful solution to meet the evolving security needs of the modern era. This blog post will delve into virtual firewalls, exploring their advantages and why they should be considered an integral part of any comprehensive cybersecurity strategy.

Virtual firewalls, or software firewalls, are software-based security solutions operating within a virtualized environment. Unlike traditional hardware firewalls, which are physical devices, virtual firewalls are implemented and managed at the software level. They are designed to protect virtual machines (VMs) and virtual networks by monitoring and controlling incoming and outgoing network traffic.

Highlights: Virtual Firewalls

  • Network Security Components

This post discusses the network security components of virtual firewalls and the virtual firewall appliance that enable a zero trust network design. In the Secure Access Service Edge (SASE ) world, virtual firewalling or any virtual device brings many advantages by having a stateful inspection firewall closer to the user sessions. The inspection and filtering are closer to the user’s sessions or workloads, depending on the firewalling design. Firstly, Let us start with the basics of IP networks and their operations.

  • Virtual SDN Data Centers

In a virtual data center design, IP networks deliver various services to consumers and businesses. As a result, they heavily rely on network availability for business continuity and productivity. As the reliance on IP networks grows, so does the threat and exposure to network-based attacks. New technologies and mechanisms address new requirements but also come with the risk of new threats. It’s a constant cat-and-mouse game. It’s your job as network admins to ensure the IP network and related services remain available.

 

For additional pre-information, you may find the following post helpful:

  1. Virtual Switch
  2. Cisco Secure Firewall
  3. SD WAN Security
  4. IPS IDS Azure
  5. IPv6 Attacks
  6. Merchant Silicon

 



Virtual Firewall Appliance.

Key Virtual Firewalls Discussion points:


  • Introduction to the virtual firewall and where it can be used.

  • The role of firewall types with the different traffic types.

  • The effects of workload mobility on firewall inspection.

  • Session state discussion.

  • The firewall transitions - packet filters to next-generation firewalling.

 

  • A key point: Video on Cloud Pyramid

In the following video, we will address the cloud pyramid. The cloud comes in many shapes and forms. Thus requiring new types of virtual firewalls along with distributed firewalls that operate at the hypervisor layers. Now we can have a bunch of virtual firewalls on one physical appliance; the hypervisor is used to secure both public and private clouds.

 

Technology Brief : Cloud Security - Cloud Pyramid
Prev 1 of 1 Next
Prev 1 of 1 Next

 

Back to Basics With the Virtual Firewall

The Firewall

The term “firewall” refers to a device or service that allows some traffic but denies other traffic. Positioning a firewall at a network gateway point in the network infrastructure is an aspect of secure design. A firewall so set at strategic points in the network intercepts and verifies all traffic crossing that gateway point. Some other places that firewalls are often deployed include in front of (i.e., on the public Internet side), behind (inside the data center), or in load-balancing systems.

 

Advantages of Virtual Firewalls:

1. Enhanced Flexibility: Virtual firewalls offer greater flexibility than their hardware counterparts. They are software-based and can be easily deployed, scaled, and managed in virtualized environments without additional hardware. This flexibility enables organizations to adapt to changing business requirements more effectively.

2. Cost-Effectiveness: Virtual firewalls eliminate the need for purchasing and maintaining physical hardware devices. Organizations can significantly reduce their capital and operational expenses by leveraging existing virtualization infrastructure. This cost-effectiveness makes virtual firewalls an attractive option for businesses of all sizes.

3. Centralized Management: Virtual firewalls can be centrally managed through a unified interface, providing administrators with a consolidated view of the entire virtualized network. This centralized management simplifies the configuration, monitoring, and enforcement of security policies across multiple virtual machines and networks, saving time and effort.

4. Segmentation and Isolation: Virtual firewalls enable organizations to segment their virtual networks into different security zones, isolating sensitive data and applications from potential threats. This segmentation ensures that the rest of the network remains protected even if one segment is compromised. By enforcing granular access control policies, virtual firewalls add a layer of security to prevent lateral movement within the virtualized environment.

5. Scalability: Virtual firewalls are software-based and can be easily scaled up or down to accommodate changing network demands. This scalability allows organizations to expand their virtual infrastructure without investing in additional physical hardware. With virtual firewalls, businesses can ensure that their security solutions grow with their evolving needs.

 

Traffic Types and Virtual Firewalls

Firstly, a thorough understanding of the traffic types that enter and leave the network is critical. Network devices process some packets differently from others, resulting in different security implications. Transit IP packets, receive-adjacency IP packets, exception, and non-IP packets are all handled differently.

You also need to keep track of the plethora of security attacks, such as resource exhaustion attacks (direct attacks, transit attacks, reflection attacks), spoofing attacks, transport protocol attacks (UDP & TCP), and routing protocol/control plane attacks.

There are a variety of attacks against Layer 2, including MAC spoofing attacks, STP attacks, and CAM table overflow attacks. Overlay virtual networking introduces two control planes, both requiring protection.

The cloud and workload mobility introduction is changing the network landscape and security paradigm. Workload fluidity and the movement of network states are putting pressure on traditional physical security devices. It isn’t easy to move physical appliances around the network. Physical devices cannot follow workloads, which drives the world of virtual firewalls with distributed firewalls, NIC-based Firewalls, Microsegmentation, and Firewall VM-based appliances. 

 

Session state

Simple packet filters match on Layer 2 to 4 headers – MAC, IP, TCP, and UDP port numbers. If they don’t match the TCP SYN flags, it’s impossible to identify established sessions. Tracking the state of the TCP SYN tells you if this is the first packet of a session or a subsequent packet of an existing session. Matching on TCP flags allows you to differentiate between TCP SYN, SYN-ACK, and ACK.

Matching established TCP sessions would match on packets with the ACK/RST/FIN bit set. All packets without an SYN flag will not start a new session, and all packets with ACK/RST/FIN can appear anywhere in the established session.

Checking these three flags indicates if the session is established or not. In any adequately implemented TCP stack, the packet filtering engine will not open a new session unless it receives a TCP packet with the SYN flag. In the past, we used a trick. If a packet arrives with a destination port over 1024, it must be a packet from an established session, as no services were running on a high number of ports.

The term firewall originally referred to a wall to confine a potential fire. Regarding networking, a firewalling device is a barrier between a trusted and untrusted network. It can be classed into several generations. First-generation firewalls are simple packet filters, the second-generation refers to stateful devices, and the third-generation refers to application-based firewalls. A stateful firewall doesn’t mean it can examine the application layer and determine users’ actions.

 

The starting points of packet filters

Firewalls initially started with packet filters at each end and an application proxy in the middle. The application proxy would inspect the application level, and the packet filters would perform essential scrubbing. All sessions terminate on the application proxy where new sessions are initiated. Second-generation devices came into play, and we started tracking the sessions’ state.

Now, we have a single device that can do the same job as the packet filter combined with the application proxy. But it didn’t inspect at an application level. The devices were stateful and could track the session’s state but could not go deeper into the application. For example, examine the HTTP content and inspect what users are doing. Generation 2 was a step back in terms of security.

We then moved into generation 3, which marketing people call next-generation firewalls. They offer Layer 7 inspection with packet filtering. Finally, niche devices called Application-Level Firewalls are usually only concerned with HTTP traffic, also known as Web Application Firewalls (WAF). They have similar functionality to reverse web proxy, terminating the HTTP session.

 

The rise of virtual firewalls and virtual firewall appliances

Almost all physical firewalls offer virtual contexts. Virtual contexts divide the firewall and solve many multi-tenancy issues. They provide separate management plans, but all the contexts share the same code. They also run over the same interfaces competing for the same bandwidth, so if one tenant gets DoS attacked, the others might be affected. However, virtual contexts constitute a significant drawback because they are tied to the physical device, so you lose all the benefits of virtualization, unlike VM-based firewalls. 

A firewall in a VM can run on any transport provided by the hypervisor. The VM thinks it has an ethernet interface. This enables you to put a VM-based firewall on top of any virtualization technology. The physical firewall must be integrated with the network virtualization solution, and many vendors have limited support for overlay networking solutions.

The physical interface supports VXLAN doesn’t mean it can support the control plane that the overlay network solution is running. For example, the network overlay solution might use IP multicast, OVSDB, or EVPN over VXLAN. Deploying Virtual firewalling offers underlay transport independence. They are flexible and easy to deploy and manage.

 

Virtual firewall appliance: VM and NIC-based firewalls

Traditionally, we used VLANs and IP subnets as security zones. This introduced problems with stretched VLANs, so they came with VXLAN and NVGRE. But we are still using IP as the isolation mechanism. Generally, firewalls are implemented between subnets so all the traffic goes through the firewall, which can result in traffic trombones and network chokepoints.

The new world is all about VM and NIC-based firewalls. NIC-based firewalls are mostly packet filters or, at the very most, reflective ACLs. Vmware NSX distributed firewall does slightly more with some application-level functionality for SIP and FTP traffic.

 

virtual firewalls

 

NIC-based firewalls force you to redesign your security policy. Now, all the firewall rules are directly in front of the virtual NIC, offering optimal any to any traffic between VMs, as traffic does not need to go through a central firewall device. The session state is kept local, only specific to that VM. This makes them very scalable. It allows you to eliminate IP subnets as security zones and provides isolation between VMs in the same subnet.

This protects individual VMs by design, so even if an attacker breaks into one VM, all others are protected. VMware calls this micro-segmentation in NSX. You can never fully replace physical firewalls with virtual firewalls. Performance and security audits come to mind. However, they can be used to augment each other. NIC is based on the east-to-west traffic and physical firewalls at the perimeter to filter north-to-south traffic.

Conclusion:

Virtual firewalls have revolutionized the way organizations approach network security in virtualized environments. Their flexibility, cost-effectiveness, centralized management, segmentation capabilities, and scalability make them a compelling choice for safeguarding virtual machines and networks. As technology advances, virtual firewalls will be increasingly important in protecting organizations against emerging cyber threats. By adopting virtual firewalls, businesses can proactively protect their digital assets and ensure a robust security posture in today’s interconnected world.

 

Matt Conran
Latest posts by Matt Conran (see all)

Comments are closed.