A virtual firewall is a firewall device or service that provides network traffic filtering and monitoring for virtual machines (VMs) in a virtualized environment. Like a traditional network firewall, a virtual firewall inspects packets and uses security policy rules to block unapproved communication between VMs. A virtual firewall is often deployed as a software appliance.
Virtual firewalls are commonly used to protect virtualized environments because they are typically the least expensive option and the most portable, since a virtual firewall can be moved from one cloud to another with relative ease. A virtual firewall may be a good fit for smaller organizations that work outside a corporate network because of this mobility. A virtual firewall is also simple to upgrade and maintain.
How a virtual firewall works
A virtual firewall is an application or a network firewall service that provides packet filtering within a virtualized environment. A virtual firewall manages and controls incoming and outgoing traffic. It works in conjunction with switches and servers similar to a physical firewall.
A virtual firewall prevents an unauthorized user from accessing and transmitting data and files and also prevents an organization's employees from transferring any sensitive data or documents.
A virtual firewall works in one of two modes: bridge mode or hypervisor mode. In bridge mode, like a traditional firewall, it sits in the traffic path and inspects and monitors all of a VM's incoming and outgoing traffic. In hypervisor mode, the virtual firewall operates in isolation from the physical network, residing in the core hypervisor kernel and managing the virtual machine's incoming and outgoing traffic from there.
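The following example, added here and not taken from the page or any vendor's product, shows the core of what the text describes: a virtual firewall evaluating inter-VM packets against an ordered list of security policy rules, dropping anything no rule approves (default deny) and keeping a decision log so blocked traffic can be monitored. The VM addresses, tenant subnets and rules are constructed for the example; the `Packet`, `Rule` and `VirtualFirewall` names are hypothetical.

```python
"""Minimal inter-VM policy filter.

Illustration only (not the page's or any vendor's code): applies first-match
security policy rules to traffic between VMs with a default-deny fallback.
All addresses, tenant labels and rules below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for protocols without one


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    proto: str                    # protocol name or "any"
    dport: Optional[int] = None   # None means any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        # Every field must match; a None rule port matches any packet port.
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class VirtualFirewall:
    """First-match rule evaluation with default deny, plus a decision log so
    blocked inter-VM traffic can be reviewed (the monitoring half of the job)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []   # (action, packet, reason) tuples

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                self.log.append((rule.action, pkt, rule.comment))
                return rule.action
        # No rule approved the flow: unapproved communication is blocked.
        self.log.append(("deny", pkt, "default deny"))
        return "deny"

    def blocked(self):
        return [entry for entry in self.log if entry[0] == "deny"]


# Constructed topology: two tenants on one hypervisor plus a shared backup subnet.
TENANT_A = "10.1.0.0/24"
TENANT_B = "10.2.0.0/24"
BACKUP = "10.9.0.0/24"

RULES = [
    # Tenant A's web VM may reach its own database VM on the database port only.
    Rule("allow", "10.1.0.10/32", "10.1.0.20/32", "tcp", 5432, "A web -> A db"),
    # Every VM may reach the backup service over TLS.
    Rule("allow", "10.0.0.0/8", BACKUP, "tcp", 443, "backup"),
    # Explicitly deny (and therefore log by reason) anything crossing tenants.
    Rule("deny", TENANT_A, TENANT_B, "any", None, "tenant isolation"),
    Rule("deny", TENANT_B, TENANT_A, "any", None, "tenant isolation"),
]


def demo():
    """Run a few constructed flows through the policy; returns the verdicts and
    the firewall so the decision log can be inspected."""
    fw = VirtualFirewall(RULES)
    results = {
        "a_web_to_a_db": fw.decide(Packet("10.1.0.10", "10.1.0.20", "tcp", 5432)),
        "a_web_to_a_db_ssh": fw.decide(Packet("10.1.0.10", "10.1.0.20", "tcp", 22)),
        "a_to_b": fw.decide(Packet("10.1.0.10", "10.2.0.5", "tcp", 80)),
        "b_to_backup": fw.decide(Packet("10.2.0.5", "10.9.0.1", "tcp", 443)),
    }
    return results, fw


if __name__ == "__main__":
    verdicts, firewall = demo()
    for name, verdict in verdicts.items():
        print(f"{name:20s} {verdict}")
    for action, pkt, reason in firewall.blocked():
        print(f"blocked {pkt.src_ip} -> {pkt.dst_ip}/{pkt.proto}:{pkt.dport} ({reason})")
```

Two points the page makes are visible in the output: the SSH attempt between two VMs of the same tenant is dropped by the default-deny fallback even though no rule names it, and the cross-tenant flow is dropped by an explicit rule whose comment shows up in the log, which is what makes the blocked traffic reviewable rather than silently discarded.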
Virtual firewalls vs. physical firewalls
A physical firewall -- sometimes known as a hardware firewall -- is a network firewall implemented in a real-world security appliance or as part of a routing device that is situated at the edge of the network or between environments.
A physical firewall connects to the protected internal network and to the public internet -- or some other unprotected or external network -- over dedicated network interfaces. It consists of its own servers and switches and operates outside the protected hosts' operating systems rather than being built into them. The protected servers are connected to designated switches, and their traffic is then routed to the firewall.
One benefit of a hardware or physical firewall is that it sits between the server and the internet and is the only path for network traffic to and from the protected network. Unless traffic passes through the firewall's network interfaces, the hosts, servers and other devices on the internal protected network cannot communicate or exchange data with hosts, servers or other devices on the public internet. Because every data exchange is mediated by the firewall before it can complete, threats are reduced.
Another advantage of using physical firewalls is that hardware security appliances are designed to handle heavier traffic loads and have faster response times. Network perimeters can also be strengthened using a physical firewall, improving network security.
Additionally, a physical firewall is easier to manage because it is an isolated network component and doesn't affect the performance of other applications as it might in a virtualized environment. A hardware firewall can also be shut down, moved or reconfigured with little effect on network connectivity or performance.
In contrast, virtual firewalls are deployed as software appliances running within virtualized environments. A virtual firewall monitors and protects network traffic transiting virtual switches and other virtual machines. Virtual switches link systems and applications across logical partitions, all of which is administered by a hypervisor that manages the virtualized environment. When virtual firewalls are installed on their own individual servers, they can be easier to configure and set up.
Virtual firewalls may also be less expensive than physical firewalls, but the cost of purchasing and deploying a large number of virtual firewalls may still be significant, and managing a large number of firewalls -- whether virtual or physical -- can pose other challenges.
Another disadvantage of using virtual firewalls is that they deliver a fraction of the network throughput that dedicated physical firewalls can provide, which can create bottlenecks throughout the network and reduce business agility and performance.
One advantage of virtual firewalls over hardware-based firewalls is that they can be centrally administered, while hardware firewalls often need IT and network support staff to install, administer and support them on site.
Uses of virtual firewalls
Using a virtual firewall in the cloud can help protect an organization's cloud infrastructure and services by running in a virtual data center on a company's own servers in an infrastructure as a service or platform as a service model. This type of firewall application runs on a virtual server and protects traffic going to, from and between applications in the cloud.
A cloud-based virtual firewall can meet a number of network security requirements in the cloud, including:
- Securing the virtual data center by filtering and managing traffic flowing to or from the internet, between virtual networks, or between tenants.
- Securing the physical data center by extending a physical data center to the cloud. This is especially applicable to organizations that are migrating applications to the cloud and need secure connectivity between the cloud and their local infrastructures.
- Securing remote access by offering the advanced access policy, filtering and connection management needed to provide clients with access to the cloud.
- Ensuring that all data is subject to the same protective measures one would use with an on-premises, hardware-based firewall.
- Maintaining the integrity and confidentiality of applications and data by integrating with access control providers and offering a wide variety of granular, policy-based filtering tools.
- Protecting applications and assets in their virtualized environments, as well as responding rapidly when network security requirements change in remote offices or branches or to accommodate temporary staff deployments.