Real Security from Virtual Firewalls in a Virtual Network

December 1, 2009

By Monique Lucey

A couple of weeks ago, I touched on the demand for network virtualization in a wrap-up of Educause sessions. My colleague Gary Kinghorn, product marketing manager at 3Com focused on H3C security solutions, recently posted this discussion about the advantages of virtual firewalls in a virtual network:

By Gary Kinghorn

Virtualization has certainly become a driving factor in networking, application deployment and data center design over the last few years. One of our marketing folks recently ran across an interesting deployment scenario where as part of a large network virtualization project, they were also making use of virtual firewalls to virtualize the security layer of their network, further reducing costs. While the first step of virtualization usually happens in the application server, customers should also be thinking about ways to reduce hardware costs and management complexity by taking advantage of the same concepts inherent in all of our H3C security appliances and blades.

The typical deployment scenario goes something like this: A large distributed enterprise has multiple campuses, or a large distributed campus, with divisions or groups spread throughout. You can think of these as subsidiaries of a conglomerate, departments in a university, or logically separated clean-room projects. The problem is that the membership of these groups is not aligned with the physical layout of the campuses or buildings. This is a challenge for network designs, which are usually aligned with the campus layout rather than with the virtual organizations. Virtual Local Area Networks (VLANs) work well locally, where they closely mirror the network topology, but they don't work well across the enterprise WAN: a VLAN is a layer 2 broadcast domain, and stretching one through the layer 3 routers of the core does not scale.

Serving a widely separated group therefore requires a technology called Virtual Routing and Forwarding (VRF). Each core router keeps a separate routing table per VRF, and the group's VLAN at every site is mapped into the same VRF, so the group's traffic crosses the router core efficiently while staying isolated from the traffic of every other group. This provides policy enforcement and network capacity appropriate for each division or group, no matter what its size. Other efficiencies come from what is essentially a private routed domain spanning the wide area network. These VRFs are reasonably straightforward to set up and manage, since the H3C networking infrastructure and management platform supports this capability for highly scalable deployments.

But things get even better when enterprises take advantage of virtual firewalls. Logically distinct organizations sharing a network would each need their own firewall to protect their LAN segment and to define their unique security policies, but a firewall no longer needs a one-to-one correspondence with the LAN segment it protects, any more than an enterprise application still needs its own server to provide adequate service. In essence, a single physical firewall can be divided into hundreds of virtual firewalls, each with its own distinct set of rules, aligned with a particular LAN segment, VLAN or VRF, and individually managed by a local group administrator (as needed).

The enterprise-class SecPath VPN Firewall F5000-A5, for example, supports up to 256 virtual firewalls in a single appliance. Suppose it is deployed at the gateway to the router core: every packet that flows through it can be classified by the VLAN or VRF it arrived on and handed to the matching virtual firewall, so each group's own policy is applied. A widely distributed VLAN doesn't need another firewall at each physical site. One virtual firewall on a single physical appliance anywhere on the WAN can serve as the only firewall required for the entire VLAN, wherever its members sit, as part of a larger virtual network, provided the VRF actually routes that VLAN's traffic through the appliance. The shared appliance then becomes a single point of trust for all of its contexts, so its capacity and the boundaries between context administrators need to be planned with that in mind. How far are you in virtualizing your IT services? Have you already implemented virtual firewalls? If so, what benefits have you seen?
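To make the VLAN-to-VRF-to-virtual-firewall mapping described above concrete, here is a small executable model of a partitioned firewall. It is an added illustration written for this page, not H3C or Comware code: the context limit of 256 is taken from the F5000-A5 figure above, while the VRF names ("finance", "research"), the addressing, the packet fields and the rule format are assumptions. The model shows the three behaviours a practitioner would want to verify on such an appliance: each context evaluates only its own ordered rule list with an implicit deny at the end, a VLAN with no bound context is never forwarded, and a rule change made by one context's administrator cannot alter another context's verdicts.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    vlan: int                 # 802.1Q tag the frame carried on ingress
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class VirtualFirewall:
    """One context: its own ordered rule list and its own administrator."""
    name: str
    admin: str
    rules: List[Rule] = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        for r in self.rules:              # first match wins
            if r.matches(p):
                return r.action
        return "deny"                     # implicit deny at the end of every context


class PartitionedFirewall:
    """Single appliance carved into per-VRF contexts, selected by ingress VLAN."""

    def __init__(self, max_contexts: int = 256):   # 256 is the F5000-A5 figure quoted above
        self.max_contexts = max_contexts
        self.contexts: Dict[str, VirtualFirewall] = {}
        self.vlan_to_vrf: Dict[int, str] = {}

    def add_context(self, vrf: str, admin: str) -> VirtualFirewall:
        if len(self.contexts) >= self.max_contexts:
            raise RuntimeError(f"appliance limit of {self.max_contexts} contexts reached")
        self.contexts[vrf] = VirtualFirewall(vrf, admin)
        return self.contexts[vrf]

    def bind_vlan(self, vlan: int, vrf: str) -> None:
        if vrf not in self.contexts:
            raise KeyError(f"no context for VRF {vrf!r}")
        self.vlan_to_vrf[vlan] = vrf

    def decide(self, p: Packet) -> str:
        vrf = self.vlan_to_vrf.get(p.vlan)
        if vrf is None:                   # VLAN bound to no VRF/context: never forwarded
            return "deny"
        return self.contexts[vrf].decide(p)


def build_demo() -> PartitionedFirewall:
    """Constructed topology (assumed addressing): two divisions sharing one appliance."""
    fw = PartitionedFirewall()
    shared = ip_network("10.200.0.0/24")          # assumed shared-services subnet
    fin = fw.add_context("finance", admin="fin-netops")
    fin.rules.append(Rule("permit", ip_network("10.10.0.0/16"), shared, "tcp", 443))
    res = fw.add_context("research", admin="lab-admin")
    res.rules.append(Rule("deny", ip_network("10.20.0.0/16"), shared, "tcp", 22))
    res.rules.append(Rule("permit", ip_network("10.20.0.0/16"), shared))
    fw.bind_vlan(10, "finance")                   # VLAN 10 at every campus -> finance VRF
    fw.bind_vlan(20, "research")                  # VLAN 20 at every campus -> research VRF
    return fw


def run_checks(fw: PartitionedFirewall) -> Dict[str, str]:
    """Verdicts for constructed packets; VLAN 30 is deliberately left unbound."""
    svc = "10.200.0.10"
    return {
        "finance_https": fw.decide(Packet(10, "10.10.3.4", svc, "tcp", 443)),
        "finance_ssh":   fw.decide(Packet(10, "10.10.3.4", svc, "tcp", 22)),
        "research_ssh":  fw.decide(Packet(20, "10.20.7.7", svc, "tcp", 22)),
        "research_http": fw.decide(Packet(20, "10.20.7.7", svc, "tcp", 80)),
        "unbound_vlan":  fw.decide(Packet(30, "10.30.1.1", svc, "tcp", 443)),
    }


def isolation_check(fw: PartitionedFirewall) -> bool:
    """The research admin opens everything in their context; finance must be unaffected."""
    fin_ssh = Packet(10, "10.10.3.4", "10.200.0.10", "tcp", 22)
    res_ssh = Packet(20, "10.20.7.7", "10.200.0.10", "tcp", 22)
    before = fw.decide(fin_ssh)
    anywhere = ip_network("0.0.0.0/0")
    fw.contexts["research"].rules.insert(0, Rule("permit", anywhere, anywhere))
    return before == fw.decide(fin_ssh) == "deny" and fw.decide(res_ssh) == "permit"


if __name__ == "__main__":
    demo = build_demo()
    for name, verdict in run_checks(demo).items():
        print(f"{name:14} {verdict}")
    print("contexts isolated:", isolation_check(demo))
```

The point of `isolation_check` is the property the post relies on when it hands each virtual firewall to a local group administrator: a permit-everything rule dropped into the research context changes research's own verdict (its SSH packet is now permitted) but leaves finance's implicit deny untouched, and traffic from a VLAN nobody has bound to a context is dropped rather than falling through to some default policy.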
