Virtual firewall
Encyclopedia
A virtual firewall is a network firewall service or appliance running entirely within a virtualized environment and which provides the usual packet filtering and monitoring provided via a physical network firewall. The VF can be realized as a traditional software firewall on a guest virtual machine
already running, or it can be a purpose-built virtual security appliance
designed with virtual network security in mind, or it can be a virtual switch with additional security capabilities, or it can be a managed kernel process running within the host hypervisor
.
Before the term "firewall" was applied to network technology a "fire wall" was used in building design and mechanical engineering to designate a wall or partition composed of flame-resistant materials put in place to protect more flammable structural components from catching fire or spreading flames, either accidentally in the case of an unexpected fire, or where flame is usually present and needs to be isolated. Many building codes require fire-rated materials in human-inhabited areas. Fire walls protect vulnerable assets (such as spaces that might contain people) and prevent destructive events from spreading too quickly.
Network Firewalls
Computer networks
are much like any other kind of inhabited space; networks have assets, they have participants and they have rules. Some computer networks are private and others public, some contain sensitive assets and others less so, and so on. Generally users and traffic residing on one network need to be protected from users and traffic on a different but connected network. Yet all these networks are inter-connected to a degree (this being the origin of the term "internetwork" ) — even if they are only connected via sneakernet
— and this interconnectedness is both a critical feature and an emergent vulnerability.
So it is not too surprising that the idea for "fire wall" functionality as applied to computer networks has been around since the early days of the Internet
, and saw serious development in the 1990s. It was eventually recognized that the very same problems applied in networks as existed in construction; containment and isolation. Network engineers began working with routers and packet filters as early containment technology, and from these efforts eventually emerged the sophisticated purpose-built network firewalls common in computer clouds
, data centers
and home computers.
The intent of fire walls and firewalls are much the same; minimize or eliminate damage to important assets by isolating or blocking destructive influences.
So long as a computer network runs entirely over physical hardware and cabling, it is a physical network. As such it can be protected by physical firewalls and fire walls alike; the first and most important protection for a physical computer network always was and remains a physical, locked, flame-resistant door. Since the inception of the Internet this was the case, and structural fire walls and network firewalls were for a long time both necessary and sufficient.
Since about 1998 there has been an explosive increase in the use of "virtual machine
s" (VM) in addition to — sometimes instead of — physical machines to offer many kinds of computer and communications services on local area networks
and over the broader Internet. The advantages of virtual machines are well explored elsewhere.
Virtual machines can operate in isolation (for example as a guest operating system on a personal computer) or under a unified virtualized environment overseen by a supervisory virtual machine monitor or "hypervisor
" process. In the case where many virtual machines operate under the same virtualized environment they might be connected together via a virtual network
consisting of virtualized network switches between machines and virtualized network interfaces
within machines. The resulting virtual network
could then implement traditional network protocols (for example TCP
) or virtual network provisioning such as VLAN or VPN, though the latter while useful for their own reasons are in no way required.
There is a continued perception that virtual machines are inherently secure because they are seen as "sandboxed"
within the host operating system. And the host in like manner is secured against exploitation from the virtual machine itself and the host is no threat to the virtual machine because it is a physical asset protected by traditional physical and network security. And even when this is not explicitly assumed early testing of virtual infrastructures often proceeds in isolated lab environments where security is not as a rule an immediate concern, and security may only come to the fore when the same solution is moving into production or onto a computer cloud
, where suddenly virtual machines of different trust levels may wind up on the same virtual network running across any number of physical hosts.
Because they are true networks, virtual networks may end up suffering the same kinds of vulnerabilities long associated with a physical network, some of which being:
The problems created by the near invisibility of between-virtual machine (VM-to-VM) traffic on a virtual network are exactly like those found in physical networks, complicated by the fact that the packets may be moving entirely inside the hardware of a single physical host:
And there are security issues known only in virtualized environments that wreak havoc with physical security measures and practices, and some of these are touted as actual advantages of virtual machine technology over physical machines :
In addition to the network traffic visibility issues and uncoordinated VM sprawl, a rogue VM using just the virtual network, switches and interfaces (all of which run in a process on the host physical hardware) can potentially break the network as could any physical machine on a physical network — and in the usual ways — though now by consuming host CPU cycles it can additionally bring down the entire virtualized environment and all the other VMs with it simply by overpowering the host physical resources the rest of the virtualized environment depend upon.
This was likely to become a problem, but it was perceived within the industry as a well understood problem and one potentially open to traditional measures and responses.
The solution
One method to secure, log and monitor VM-to-VM traffic involved routing the virtualized network traffic out of the virtual network and onto the physical network via VLANs, and hence into a physical firewall already present to provide security and compliance services for the physical network. The VLAN traffic could be monitored and filtered by the physical firewall and then passed back into the virtual network (if deemed legitimate for that purpose) and on to the target virtual machine.
Not surprisingly LAN managers, security experts and network security vendors began to wonder if it might be more efficient to keep the traffic entirely within the virtualized environment and secure it from there.
Enter the virtual firewall.
A virtual firewall (VF) then is a firewall service or appliance running entirely within a virtualized environment — even as another virtual machine, but just as readily within the hypervisor itself — providing the usual packet filtering and monitoring that a physical firewall provides. The VF can be installed as a traditional software firewall on a guest VM already running within the virtualized environment; or it can be a purpose-built virtual security appliance
designed with virtual network security in mind; or it can be a virtual switch with additional security capabilities; or it can be a managed kernel process running within the host hypervisor that sits atop all VM activity and so has deep access to the virtual network and its traffic and can even access VM active memory and virtualized storage.
The current direction in virtual firewall technology is a combination of security-capable virtual switches , and virtual security appliances integrating at the kernel level.
and may install a virtual machine for management purposes.
A virtual firewall operating in bridge-mode acts like its physical-world firewall analog; it sits in a strategic part of the network infrastructure — usually at an inter-network virtual switch or bridge — and intercepts network traffic destined for other network segments and needing to travel over the bridge. By examining the source origin, the destination, the type of packet it is and even the payload
the VF can decide if the packet is to be allowed passage, dropped, rejected, or forwarded or mirrored to some other device. Initial entrants into the virtual firewall field were largely bridge-mode, and many offers retain this feature.
By contrast, a virtual firewall operating in hypervisor-mode is not actually part of the virtual network at all, and as such has no physical-world device analog. A hypervisor-mode virtual firewall resides in the virtual machine monitor or hypervisor
where it is well positioned to capture VM activity including packet injections. The entire monitored VM and all its virtual hardware, software, services, memory and storage can be examined, as can changes in these. Further, since a hypervisor-based virtual firewall is not part of the network proper and is not a virtual machine its functionality cannot be monitored in turn or altered by users and software limited to running under a VM or having access only to the virtualized network.
Bridge-mode virtual firewalls can be installed just as any other virtual machine in the virtualized infrastructure. Since it is then a virtual machine itself, the relationship of the VF to all the other VM may become complicated over time due to VMs disappearing and appearing in random ways, migrating between different physical hosts, or other uncoordinated changes allowed by the virtualized infrastructure.
Hypervisor-mode virtual firewalls require a modification to the physical host hypervisor kernel in order to install process hooks or modules allowing the virtual firewall system access to VM information and direct access to the virtual network switches and virtualized network interfaces moving packet traffic between VMs or between VMs and the network gateway. The hypervisor-resident virtual firewall can use the same hooks to then perform all the customary firewall functions like packet inspection, dropping, and forwarding but without actually touching the virtual network at any point. Hypervisor-mode virtual firewalls can be very much faster than the same technology running in bridge-mode because they are not doing packet inspection in a virtual machine, but rather from within the kernel at native hardware speeds.
"40,000 Firewalls! Help Please!?" Texiwill. The Virtualization Practice. Sept 2009
"OPINION / Why do we need virtual security? " Ben-Efraim, Amir. Government Security News. Aug 2009
"Keep Your Virtual Networks Safe" Zillion Magazine. Jul 2009
"The virtual blind spot" Schultz, Beth. NetworkWorld. July 2010
"Cloud security in the real world: 4 examples" Brandel, Mary. CSO: Security & Risk. June 2010
"Securing mixed environments - not everybody will be virtualized" Ogren, Eric. ComputerWorld. June 2010
"New security tools protect virtual machines" Strom, David. Network World March 2011
Virtual machine
A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
already running, or it can be a purpose-built virtual security appliance
Virtual security appliance
A virtual security appliance is a computer appliance that runs inside virtual environments. It is called an appliance because it is pre-packaged with a hardened operating system and a security application and runs on a virtualized hardware. The hardware is virtualized using hypervisor technology...
designed with virtual network security in mind, or it can be a virtual switch with additional security capabilities, or it can be a managed kernel process running within the host hypervisor
Hypervisor
In computing, a hypervisor, also called virtual machine manager , is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. It is so named because it is conceptually one level higher than a supervisory program...
.
Background
Structural Fire WallsBefore the term "firewall" was applied to network technology a "fire wall" was used in building design and mechanical engineering to designate a wall or partition composed of flame-resistant materials put in place to protect more flammable structural components from catching fire or spreading flames, either accidentally in the case of an unexpected fire, or where flame is usually present and needs to be isolated. Many building codes require fire-rated materials in human-inhabited areas. Fire walls protect vulnerable assets (such as spaces that might contain people) and prevent destructive events from spreading too quickly.
Network Firewalls
Computer networks
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
are much like any other kind of inhabited space; networks have assets, they have participants and they have rules. Some computer networks are private and others public, some contain sensitive assets and others less so, and so on. Generally users and traffic residing on one network need to be protected from users and traffic on a different but connected network. Yet all these networks are inter-connected to a degree (this being the origin of the term "internetwork" ) — even if they are only connected via sneakernet
Sneakernet
Sneakernet is an informal term describing the transfer of electronic information, especially computer files, by physically couriering removable media such as magnetic tape, floppy disks, compact discs, USB flash drives, or external hard drives from one computer to another. This is usually in lieu...
— and this interconnectedness is both a critical feature and an emergent vulnerability.
So it is not too surprising that the idea for "fire wall" functionality as applied to computer networks has been around since the early days of the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
, and saw serious development in the 1990s. It was eventually recognized that the very same problems applied in networks as existed in construction; containment and isolation. Network engineers began working with routers and packet filters as early containment technology, and from these efforts eventually emerged the sophisticated purpose-built network firewalls common in computer clouds
Cloud computing
Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility over a network ....
, data centers
Data center
A data center is a facility used to house computer systems and associated components, such as telecommunications and storage systems...
and home computers.
The intent of fire walls and firewalls are much the same; minimize or eliminate damage to important assets by isolating or blocking destructive influences.
Virtual firewall
The problemSo long as a computer network runs entirely over physical hardware and cabling, it is a physical network. As such it can be protected by physical firewalls and fire walls alike; the first and most important protection for a physical computer network always was and remains a physical, locked, flame-resistant door. Since the inception of the Internet this was the case, and structural fire walls and network firewalls were for a long time both necessary and sufficient.
Since about 1998 there has been an explosive increase in the use of "virtual machine
Virtual machine
A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
s" (VM) in addition to — sometimes instead of — physical machines to offer many kinds of computer and communications services on local area networks
Län
Län and lääni refer to the administrative divisions used in Sweden and previously in Finland. The provinces of Finland were abolished on January 1, 2010....
and over the broader Internet. The advantages of virtual machines are well explored elsewhere.
Virtual machines can operate in isolation (for example as a guest operating system on a personal computer) or under a unified virtualized environment overseen by a supervisory virtual machine monitor or "hypervisor
Hypervisor
In computing, a hypervisor, also called virtual machine manager , is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. It is so named because it is conceptually one level higher than a supervisory program...
" process. In the case where many virtual machines operate under the same virtualized environment they might be connected together via a virtual network
Virtual network
A virtual network is a computer network that consists, at least in part, of virtual network links. A virtual network link is a link that does not consist of a physical connection between two computing devices but is implemented using methods of network virtualization.The two most common forms of...
consisting of virtualized network switches between machines and virtualized network interfaces
Virtual Interface
A Virtual Interface or Virtual Network Interface is an abstract virtualized representation of a computer network interface that may or may not correspond directly to a physical network interface....
within machines. The resulting virtual network
Virtual network
A virtual network is a computer network that consists, at least in part, of virtual network links. A virtual network link is a link that does not consist of a physical connection between two computing devices but is implemented using methods of network virtualization.The two most common forms of...
could then implement traditional network protocols (for example TCP
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
) or virtual network provisioning such as VLAN or VPN, though the latter while useful for their own reasons are in no way required.
There is a continued perception that virtual machines are inherently secure because they are seen as "sandboxed"
Sandbox (computer security)
In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites....
within the host operating system. And the host in like manner is secured against exploitation from the virtual machine itself and the host is no threat to the virtual machine because it is a physical asset protected by traditional physical and network security. And even when this is not explicitly assumed early testing of virtual infrastructures often proceeds in isolated lab environments where security is not as a rule an immediate concern, and security may only come to the fore when the same solution is moving into production or onto a computer cloud
Cloud computing
Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility over a network ....
, where suddenly virtual machines of different trust levels may wind up on the same virtual network running across any number of physical hosts.
Because they are true networks, virtual networks may end up suffering the same kinds of vulnerabilities long associated with a physical network, some of which being:
- Users on machines within the virtual network have access to all other machines on the same virtual network.
- Compromising or misappropriating one virtual machine on a virtual network is sufficient to provide a platform for additional attacks against other machines on the same network segment.
- If a virtual network is internetworked to the physical network or broader Internet then machines on the virtual network might have access to external resources (and external exploits) that could leave them open to exploitation.
- Network traffic that passes directly between machines without passing through security devices is unmonitored.
The problems created by the near invisibility of between-virtual machine (VM-to-VM) traffic on a virtual network are exactly like those found in physical networks, complicated by the fact that the packets may be moving entirely inside the hardware of a single physical host:
- Because the virtual network traffic may never leave the physical host hardware, security administrators cannot observe VM-to-VM traffic, cannot intercept it, and so cannot know what that traffic is for.
- Logging of VM-to-VM network activity within a single host and verification of virtual machine access for regulatory compliance purposes becomes difficult.
- Inappropriate uses of virtual network resources and bandwidth consumption VM-to-VM are difficult to discover or rectify.
- Unusual or inappropriate services running on or within the virtual network could go undetected.
And there are security issues known only in virtualized environments that wreak havoc with physical security measures and practices, and some of these are touted as actual advantages of virtual machine technology over physical machines :
- VMs can be deliberately (or unexpectedly) migrated between trusted and untrusted virtualized environments where migration is enabled.
- VMs and/or virtual storage volumes can be easily cloned and the clone made to run on any part of the virtualized environment, including a DMZ.
- Many companies use their purchasing or IT departments as the IT security lead agency, applying security measures at the time a physical machine is taken from the box and initialized. Since virtual machines can be created in a few minutes by any authorized user and set running without a paper trail, they can in these cases bypass established "first boot" IT security practices.
- VMs have no physical reality leaving not a trace of their creation nor (in larger virtualized installations) of their continued existence. They can be as easily destroyed as well, leaving nearly no digital signature and absolutely no physical evidence whatsoever.
In addition to the network traffic visibility issues and uncoordinated VM sprawl, a rogue VM using just the virtual network, switches and interfaces (all of which run in a process on the host physical hardware) can potentially break the network as could any physical machine on a physical network — and in the usual ways — though now by consuming host CPU cycles it can additionally bring down the entire virtualized environment and all the other VMs with it simply by overpowering the host physical resources the rest of the virtualized environment depend upon.
This was likely to become a problem, but it was perceived within the industry as a well understood problem and one potentially open to traditional measures and responses.
The solution
One method to secure, log and monitor VM-to-VM traffic involved routing the virtualized network traffic out of the virtual network and onto the physical network via VLANs, and hence into a physical firewall already present to provide security and compliance services for the physical network. The VLAN traffic could be monitored and filtered by the physical firewall and then passed back into the virtual network (if deemed legitimate for that purpose) and on to the target virtual machine.
Not surprisingly LAN managers, security experts and network security vendors began to wonder if it might be more efficient to keep the traffic entirely within the virtualized environment and secure it from there.
Enter the virtual firewall.
A virtual firewall (VF) then is a firewall service or appliance running entirely within a virtualized environment — even as another virtual machine, but just as readily within the hypervisor itself — providing the usual packet filtering and monitoring that a physical firewall provides. The VF can be installed as a traditional software firewall on a guest VM already running within the virtualized environment; or it can be a purpose-built virtual security appliance
Virtual security appliance
A virtual security appliance is a computer appliance that runs inside virtual environments. It is called an appliance because it is pre-packaged with a hardened operating system and a security application and runs on a virtualized hardware. The hardware is virtualized using hypervisor technology...
designed with virtual network security in mind; or it can be a virtual switch with additional security capabilities; or it can be a managed kernel process running within the host hypervisor that sits atop all VM activity and so has deep access to the virtual network and its traffic and can even access VM active memory and virtualized storage.
The current direction in virtual firewall technology is a combination of security-capable virtual switches , and virtual security appliances integrating at the kernel level.
Operation
Virtual firewalls can operate in different modes to provide security services, depending on the point of deployment. Typically these are either bridge-mode or hypervisor-mode (hypervisor-based, hypervisor-resident). Both may come shrink wrapped as a virtual security applianceVirtual security appliance
A virtual security appliance is a computer appliance that runs inside virtual environments. It is called an appliance because it is pre-packaged with a hardened operating system and a security application and runs on a virtualized hardware. The hardware is virtualized using hypervisor technology...
and may install a virtual machine for management purposes.
A virtual firewall operating in bridge-mode acts like its physical-world firewall analog; it sits in a strategic part of the network infrastructure — usually at an inter-network virtual switch or bridge — and intercepts network traffic destined for other network segments and needing to travel over the bridge. By examining the source origin, the destination, the type of packet it is and even the payload
Deep packet inspection
Deep Packet Inspection is a form of computer network packet filtering that examines the data part of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions or predefined criteria to decide if the packet can...
the VF can decide if the packet is to be allowed passage, dropped, rejected, or forwarded or mirrored to some other device. Initial entrants into the virtual firewall field were largely bridge-mode, and many offers retain this feature.
By contrast, a virtual firewall operating in hypervisor-mode is not actually part of the virtual network at all, and as such has no physical-world device analog. A hypervisor-mode virtual firewall resides in the virtual machine monitor or hypervisor
Hypervisor
In computing, a hypervisor, also called virtual machine manager , is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. It is so named because it is conceptually one level higher than a supervisory program...
where it is well positioned to capture VM activity including packet injections. The entire monitored VM and all its virtual hardware, software, services, memory and storage can be examined, as can changes in these. Further, since a hypervisor-based virtual firewall is not part of the network proper and is not a virtual machine its functionality cannot be monitored in turn or altered by users and software limited to running under a VM or having access only to the virtualized network.
Bridge-mode virtual firewalls can be installed just as any other virtual machine in the virtualized infrastructure. Since it is then a virtual machine itself, the relationship of the VF to all the other VM may become complicated over time due to VMs disappearing and appearing in random ways, migrating between different physical hosts, or other uncoordinated changes allowed by the virtualized infrastructure.
Hypervisor-mode virtual firewalls require a modification to the physical host hypervisor kernel in order to install process hooks or modules allowing the virtual firewall system access to VM information and direct access to the virtual network switches and virtualized network interfaces moving packet traffic between VMs or between VMs and the network gateway. The hypervisor-resident virtual firewall can use the same hooks to then perform all the customary firewall functions like packet inspection, dropping, and forwarding but without actually touching the virtual network at any point. Hypervisor-mode virtual firewalls can be very much faster than the same technology running in bridge-mode because they are not doing packet inspection in a virtual machine, but rather from within the kernel at native hardware speeds.
VF offerings
A sampling of organizations that offer one kind or another of VF technology.| Who | What | How |
|---|---|---|
| Juniper Networks | vGW Virtual Gateway | Virtualization security. |
| Checkpoint | Security Gateway Virtual Edition | Virtual security. |
| Cisco | Nexus 1000v | Virtual switch - Switch ACL, not a FireWall |
| IBM | Security Virtual Server Protection | Virtual security. |
| Reflex Systems | Reflex vTrust | Virtual security - Hypervisor Mode |
| Trend Micro | Server Security | Virtual security |
| Vyatta | Vyatta Network OS | Virtual FW, VPN, IPS + |
Additional reading
"Zeus Bot Appears in EC2 Cloud, Detected, Dismissed" Babcock, Charles. InformationWeek Dec 2009"40,000 Firewalls! Help Please!?" Texiwill. The Virtualization Practice. Sept 2009
"OPINION / Why do we need virtual security? " Ben-Efraim, Amir. Government Security News. Aug 2009
"Keep Your Virtual Networks Safe" Zillion Magazine. Jul 2009
"The virtual blind spot" Schultz, Beth. NetworkWorld. July 2010
"Cloud security in the real world: 4 examples" Brandel, Mary. CSO: Security & Risk. June 2010
"Securing mixed environments - not everybody will be virtualized" Ogren, Eric. ComputerWorld. June 2010
"New security tools protect virtual machines" Strom, David. Network World March 2011