Defense in Depth: Firewalls within the Virtual Environment

The 6/14 Virtualization Security Podcast we spoke about firewall placement within the virtual environment as well as storage based defense in depth. While we covered Encryption on the 5/31 podcast, in the 6/14 podcast we  covered other measures when dealing with storage (which will be part of a followup post). This conversation was slightly different than all other firewall discussions, as it was about migrating from a physical environment to a virtual environment, and keeping the same firewall placements. Spurred by a customer, we sought to come to a set of guidelines to follow for defense in depth within the virtual as well as physical and hybrid cloud environments.The customer question was

“where,how, or should we can we migrate firewalls from the physical to virtual environment?“

The easy answer would be, place a virtualized firewall at the same points in your virtual environment as you would in your physical environment. However, we can do better than this. In a physical environment firewalls are generally placed at two locations:

1. The Edge of Security or Trust Zones
2. Within the physical machines operating systems

Within the virtual environment there are three places to put firewalls:

1. The Edge of Security or Trust Zones
2. Before each virtual NIC using introspective firewalls
3. Within the virtual machines operating systems

The only major difference is the ability to use an introspective firewall which exists on all hypervisors, but is only utilized by the VMware ecosystem of firewall vendors. However, you cannot always extend a physical firewall into the virtual network as an edge between security zones UNLESS you use a virtual firewall and the choice of which virtual firewall to use depends on the comfort levels of the security team managing these devices. If for example they use Cisco ASA firewalls within the physical environment then they may wish to use Cisco virtualized ASAs. Not all vendors however have virtualized forms of their firewall, so choosing the proper one could take a bit of time.
In a virtual environment, Edge firewalls either sit between two virtual switch (or even portgroup if on vSphere) constructs, beside the virtual switch constructs such as Catbird vSecurity. Introspective firewalls on the other hand exist within the hypervisor after or just before each virtual NIC (depending on direction of traffic). Major firewall vendors also have introspective firewalls available to them. For example if you are using Juniper firewalls, then the Juniper vGW is an introspective firewall that could be used. As another example, Checkpoint  has both edge and introspective firewalls available.
In general, however virtualized Edge and introspective firewalls do not extend many firewall vendor capabilities but are new endeavors extending existing security functionality. Trend Micro Deep Security for example, extends their Anti-Virus/Anti-Malware solutions to the virtual environment by making use of introspective capabilities and also provides an introspective firewall, integrity monitoring, and quite a few other security tools for the virtualized workloads with these tools extending into the physical environment as of Deep Security 8.
There are as many firewall choices, as there are architectural choices when designing secure virtual environments. The first choice is how you will separate your trust zones, by virtual host cluster, or by defense in depth and preventative tagging solutions such as HyTrust, Catbird, Juniper vGW, or Reflex Systems vTrust. This choice has far reaching impact on the virtual environment and resources requirements. In many cases, this choice is made without thinking about the fact that there are by default 4 trust zones within any virtualized host.

1. Management Constructs
2. Storage Constructs
3. vMotion/Live Migration Networks
4. Workload Networks

Given these four default trust zones in every virtual environment, it will take extra resources to protect them, manage them, and control them when they are separate clusters. Not to mention the requirement to have even more hardware to run the virtual machines. It is possible to have say a DMZ safely running within the same cluster as an internal database workload if the proper defense in depth is employed, which includes proper firewall placement.
If the firewall in the physical environment was placed between two security zones, then it should be placed between those security zones once more and whether to use separate clusters as part of this architecture is based on comfort levels more than technological concerns when dealing with VMware Products. When dealing with the other hypervisor vendor products, the best we can achieve at this time are Edge firewalls between or beside virtual switch constructs and per guest OS firewalls, there are currently no known introspective firewalls for Xen, KVM, or Hyper-V, yet the hooks to create them do exist in each non-vSphere hypervisor.