

The end of the monolithic firewall?

Here’s a new thought on a known aspect of appliances. Appliances, being purpose-built for a single task, are usually simpler to configure and maintain than a generic compute server. Virtual appliances (1) are easier to deploy but (2) in some cases may have a reduced performance profile because, well, they aren’t running on dedicated network hardware. Making lemonade out of any performance hit may simplify your network and reduce its interdependencies: instead of one complicated config file on your firewall with all application traffic flowing through it, fire up one virtual firewall per app and configure your network accordingly. There are both commercial and open source firewalls in the Virtual Appliance Marketplace, most with a very small footprint.

Link: Replicate Technologies » Network appliances go virtual.

None of these will run as fast in a VM as they will in an engineered hardware appliance, where they could conceivably achieve wire speed of 100 Mbps or even 1 Gbps, instead of a VM’s more typical 25-50 Mbps. But then again, it’s rare that most applications ever see that much demand for their services; under 20 Mbps is more typical. In fact, there are cases where the traffic from many applications is forced through a single hardware appliance “because it’s there,” when a more logical network topology would separate the traffic and give each application its own appliance. For example, firewalls sometimes have extremely complex configurations because they manage security for many different applications in a single box, when they could be more easily managed with one firewall per application. Disaggregate the traffic and you may reduce complexity and configuration errors, while lowering the traffic rates to levels more suitable for a virtual appliance. As cores become more numerous in servers, it may become more appealing to use them for network functions, replacing hardware and cabling with software.
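To make the "fewer configuration errors" argument concrete, here is an added illustration (my own code, not from the post or from Replicate Technologies): a toy first-match rule model in which two teams' rules share one box, so a rule written for one application silently shadows a rule written for another. The rules, subnets and application names are constructed for the example.

```python
"""Toy first-match firewall model: one shared ruleset versus one ruleset per app."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: str               # source CIDR the rule matches
    dport: Optional[int]   # destination port, None means any port
    app: str               # the application (team) that wrote the rule

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and (self.dport is None or self.dport == other.dport))


def shadowed(rules):
    """(earlier, later) pairs where an earlier rule with the opposite action fully
    covers a later one; under first-match evaluation the later rule never fires."""
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != later.action and earlier.covers(later):
                hits.append((earlier, later))
                break
    return hits


def split_per_app(rules):
    """Disaggregate a shared ruleset into one ruleset per application."""
    per_app = {}
    for r in rules:
        per_app.setdefault(r.app, []).append(r)
    return per_app


# Constructed monolithic ruleset: the web and db teams' rules interleaved in one box.
MONOLITHIC = [
    Rule("drop",   "10.0.0.0/8",  None, "web"),  # web team blocks a noisy internal range
    Rule("accept", "10.0.5.0/24", 5432, "db"),   # db team allows its client subnet (dead: shadowed above)
    Rule("accept", "0.0.0.0/0",   443,  "web"),
    Rule("drop",   "0.0.0.0/0",   None, "db"),
]

if __name__ == "__main__":
    for earlier, later in shadowed(MONOLITHIC):
        print(f"{later.app} rule {later} is shadowed by {earlier.app} rule {earlier}")
    for app, rules in split_per_app(MONOLITHIC).items():
        print(f"per-app firewall for {app}: {len(shadowed(rules))} shadowed rule(s)")
```

The same two-team change set yields one cross-application shadowing defect in the shared ruleset and none once each application has its own firewall.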

2 thoughts on “The end of the monolithic firewall?”

  1. .:Computer Defense:.

    Virtual Firewalls (and other network devices)?

    There’s a very interesting article over at Replicate Technologies (which I found via the VMTN Blog) on using Virtual Machines to replace your network devices (Firewalls, VPN Concentrators, Load Balancers, Email Filters, etc.) and I think it …

  2. Ernie Oporto

    I love VMWare, but from a network security standpoint, unless you have the hardware running VMWare for edge firewall duty separated from the hardware running VMWare for general application duty, this is just not a good idea. Still, having a VMWare system dedicated at the edge gives you tons of possibilities for edge applications.
