What is a Virtual Environment?
In computing, a virtual machine is an emulation of a computer system. The software the virtual machine runs on, the hypervisor, abstracts the physical resources it needs (CPU, memory, disk and network) and presents them to the guest as virtual hardware. A virtual firewall is a firewall delivered as such a virtual machine, or as a cloud service, rather than as a dedicated physical appliance.
A virtual firewall is an ideal solution when working to secure a virtualized network environment. Three potential use cases for a virtual firewall include:
- Public Cloud Deployments: Organizations are increasingly leveraging public cloud deployments, using services like AWS, GCP, and Azure, for critical data storage and processing. A virtual firewall is an essential part of an organization’s ability to protect against cyber threats and meet compliance requirements in these environments.
- Private Cloud Deployments: Virtual firewalls can also be valuable tools in private cloud environments. They often include features such as automated provisioning, scalability, and dynamic object and policy management that simplify security in private clouds.
- Branch Locations and Software-Defined Environments: With the growth of software-defined networking (SDN) and software-defined WAN (SD-WAN), the corporate network is increasingly optimized and virtualized. A virtual firewall can be easily deployed on SD-WAN appliances with built-in hypervisor software to help move security to the network edge.
Why a Virtual Firewall is Needed
A virtual firewall is designed to provide the same protections as a traditional physical firewall appliance, but in a software form factor that can run wherever the workloads run, from a public cloud account to the hypervisor on a branch appliance. This lets it address several security needs:
- North-South Traffic Inspection: Cloud-based resources are deployed outside the traditional corporate network perimeter and are often directly reachable from the public Internet. Deploying a virtual firewall to inspect and filter the traffic entering and leaving these resources is essential to protecting them against compromise and data leakage.
- East-West Traffic Inspection: Even when an organization controls access to its cloud-based resources from outside, inspecting the east-west traffic that flows between workloads inside the environment is just as important. An attacker who has gained a foothold on one workload commonly moves laterally to reach sensitive resources and achieve their objective. These flows never cross a perimeter firewall, so as more sensitive data and functionality moves to the cloud, content inspection and policy enforcement between workload segments, which a virtual firewall placed inside the environment provides, becomes essential.
- Deployment Location: A growing share of an organization's infrastructure runs in virtualized environments such as the cloud. A physical firewall appliance is rarely an option there: it cannot be racked inside a provider's data center, and backhauling all cloud traffic through the headquarters network for inspection adds latency and turns that link into a chokepoint. A cloud or virtual firewall delivers the same level of security in a form factor designed for the environment it protects.
- Flexibility and Scalability: Organizations adopt the cloud for its built-in flexibility and scalability, so cloud security must adapt to changing requirements as well. A virtual firewall, potentially consumed as Firewall as a Service (FWaaS) with on-demand access to protection, is well suited to this, especially when common deployment, provisioning and configuration steps are automated.
How a Virtual Firewall Works
Virtual firewalls are commonly deployed as either a virtual machine within a cloud-based environment or via a FWaaS offering. This enables an organization to take advantage of the flexibility and scalability of the cloud in their security as well.
Like any firewall, a virtual or cloud firewall needs to be able to inspect the traffic entering and leaving its protected network. A virtual firewall has a couple of options for doing so:
- Bridge Mode: A virtual firewall can be deployed like a physical firewall, sitting inline in the path of traffic as a layer 2 bridge between virtual network segments. Because every packet entering or leaving the environment passes through it, the firewall can inspect each one and allow or block it before it reaches its destination.
- Cloud-Native APIs: Many cloud platforms provide a way to copy traffic to an inspection point, such as AWS VPC Traffic Mirroring, which acts as a virtual network tap. A virtual firewall can receive this mirrored traffic to inspect flows entering and leaving the protected environment. The caveat is that a tap delivers a copy: the original packet has already been forwarded, so a firewall fed this way detects and alerts rather than blocks.
This visibility enables a cloud firewall to apply its security policies and built-in protections, such as sandboxed analysis of suspicious content. What it can do with the result depends on the deployment: an inline firewall can drop the attack, while a firewall working from mirrored traffic generates alerts for the security team to act on.
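As an added illustration, not Check Point's or AWS's code, of what a firewall fed by a mirror session actually receives: AWS VPC Traffic Mirroring delivers the copied packets to the mirror target encapsulated in VXLAN on UDP port 4789, so the firewall has to strip that header before it can read the inner packet. The VPC range, addresses, ports and the packet produced by `build_mirrored_packet` are constructed for this example. The `classify` function also shows the north-south versus east-west distinction from the previous section, decided by whether both endpoints lie inside the VPC.

```python
"""Decapsulate a mirrored packet and classify its flow (added example)."""
import ipaddress
import socket
import struct
from dataclasses import dataclass

VXLAN_PORT = 4789        # UDP port the mirrored copies arrive on
VXLAN_HDR_LEN = 8
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

# Constructed: the address range of the protected VPC.
VPC_CIDR = ipaddress.ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    tcp_flags: int


def decapsulate_vxlan(payload: bytes):
    """Strip the 8-byte VXLAN header; return (VNI, inner Ethernet frame)."""
    if len(payload) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    if not payload[0] & 0x08:          # 'I' flag: the VNI field is valid
        raise ValueError("VXLAN header without a valid VNI")
    vni = int.from_bytes(payload[4:7], "big")
    return vni, payload[VXLAN_HDR_LEN:]


def parse_inner(frame: bytes):
    """Parse Ethernet/IPv4/TCP from the inner frame; None if not IPv4 TCP."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:]
    if len(tcp) < 14:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    return Flow(socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                sport, dport, tcp[13] & 0x3F)


def classify(flow: Flow, vpc_cidr=VPC_CIDR) -> str:
    """east-west if both endpoints are inside the VPC, otherwise north-south."""
    inside = [ipaddress.ip_address(a) in vpc_cidr for a in (flow.src_ip, flow.dst_ip)]
    return "east-west" if all(inside) else "north-south"


def inspect_mirrored(payload: bytes) -> dict:
    """What an out-of-band firewall can do with a mirrored copy: observe and alert.

    The original packet was already forwarded by the VPC, so the outcome is
    a finding, never a drop verdict; blocking needs an inline deployment.
    """
    vni, frame = decapsulate_vxlan(payload)
    flow = parse_inner(frame)
    if flow is None:
        return {"vni": vni, "verdict": "ignored", "reason": "not IPv4/TCP"}
    return {"vni": vni, "flow": flow, "direction": classify(flow), "verdict": "alert"}


def build_mirrored_packet(vni, src_ip, dst_ip, sport, dport, tcp_flags=0x02) -> bytes:
    """Constructed fixture: a VXLAN-wrapped TCP SYN as the mirror target receives it."""
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, tcp_flags, 65535, 0, 0)
    return vxlan + eth + ip + tcp


if __name__ == "__main__":
    print(inspect_mirrored(build_mirrored_packet(100, "203.0.113.5", "10.1.1.10", 40000, 443)))
    print(inspect_mirrored(build_mirrored_packet(100, "10.1.1.10", "10.1.2.20", 40001, 22)))
```

`inspect_mirrored` never returns a drop verdict: the copy it parses is all it has, and the VPC forwarded the original packet regardless. A lateral SSH attempt between two instances shows up here as an east-west alert; stopping it requires the bridge deployment described above.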
Different virtual firewalls add features suited to cloud environments. For example, Check Point's dynamic objects let a security policy reference a symbolic name whose value each gateway resolves for itself. A single policy can therefore be defined once and enforced consistently across the organization's entire IT infrastructure, while specific values such as IP addresses are filled in per gateway from the firewall's integration with cloud application tags, so a workload created or removed with the right tag joins or leaves the object without a policy edit.
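To make the dynamic-object idea concrete, here is an added example (not Check Point code) in which one policy is written against symbolic objects and two gateways resolve them from their own tag inventory. `INVENTORY`, `DYNAMIC_OBJECTS`, the rule format and all addresses are constructed for this example; a real gateway obtains the inventory from the cloud provider's API. It also exercises the east-west case from the section above: a lateral SSH attempt from the web tier to the database tier falls through to the default drop.

```python
"""Resolve one generic policy against per-gateway cloud inventory (added example)."""
import ipaddress

# Constructed: instance tags as learned by two gateways in two regions.
INVENTORY = {
    "gw-us-east": [
        {"ip": "10.1.1.10", "tags": {"role": "web"}},
        {"ip": "10.1.1.11", "tags": {"role": "web"}},
        {"ip": "10.1.2.20", "tags": {"role": "db"}},
    ],
    "gw-eu-west": [
        {"ip": "10.2.1.10", "tags": {"role": "web"}},
        {"ip": "10.2.2.20", "tags": {"role": "db"}},
    ],
}

# Dynamic objects: symbolic name -> tag selector it resolves from.
DYNAMIC_OBJECTS = {
    "web_servers": {"role": "web"},
    "db_servers": {"role": "db"},
}

# One policy, written once and pushed to every gateway.  First match wins.
POLICY = [
    # north-south: anyone may reach the web tier, HTTPS only
    {"src": "any", "dst": "web_servers", "dport": 443, "action": "accept"},
    # east-west: only the web tier may reach the database, PostgreSQL only
    {"src": "web_servers", "dst": "db_servers", "dport": 5432, "action": "accept"},
    # everything else, including lateral SSH between tiers, is dropped
    {"src": "any", "dst": "any", "dport": None, "action": "drop"},
]


def resolve(gateway: str) -> dict:
    """Map each dynamic object to the set of addresses this gateway sees for it."""
    resolved = {"any": None}  # None acts as a wildcard
    for name, selector in DYNAMIC_OBJECTS.items():
        resolved[name] = {
            ipaddress.ip_address(inst["ip"])
            for inst in INVENTORY[gateway]
            if all(inst["tags"].get(k) == v for k, v in selector.items())
        }
    return resolved


def _member(members, ip: str) -> bool:
    """True if ip is in the resolved set, or the set is the 'any' wildcard."""
    return members is None or ipaddress.ip_address(ip) in members


def evaluate(gateway: str, src_ip: str, dst_ip: str, dport: int):
    """Return (action, rule index) for a flow as seen by the given gateway."""
    objs = resolve(gateway)
    for i, rule in enumerate(POLICY):
        if (_member(objs[rule["src"]], src_ip)
                and _member(objs[rule["dst"]], dst_ip)
                and rule["dport"] in (None, dport)):
            return rule["action"], i
    return "drop", -1  # implicit default deny if no rule matched


if __name__ == "__main__":
    for gw in INVENTORY:
        print(gw, {k: sorted(map(str, v)) for k, v in resolve(gw).items() if v})
    print(evaluate("gw-us-east", "10.1.1.10", "10.1.2.20", 22))   # lateral SSH: drop
    print(evaluate("gw-eu-west", "10.1.1.10", "10.2.2.20", 5432))  # foreign web host: drop
```

The last call shows why per-gateway resolution matters: the US web server is a member of `web_servers` at the US gateway but not at the EU gateway, so the same rule admits it to one database tier and not the other, with no region-specific policy written.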
Securing the Cloud with Check Point
A virtual firewall acts as the foundation of an organization’s cloud network security strategy. It performs traffic inspection and security policy enforcement for all traffic within virtualized environments.
To learn more about the potential benefits of a virtual firewall for your cloud environment, contact us. You’re also welcome to request a demo to see Check Point CloudGuard in action.