What is a Virtual Firewall?
A virtual firewall is a cloud-based security appliance that sits at the perimeter of a network and examines the traffic coming into and out of it. While traditional firewall appliances were deployed physically alongside their server stacks, modern virtualization allows the firewall to be deployed and managed as a cloud-based appliance. This lets the security team define how their SD-WAN network traffic is handled from a visual dashboard, and apply firewall protection to cloud and virtual servers more easily.
How a Virtual Firewall Works
A virtual firewall is typically deployed as a virtual machine in a cloud-based environment or through a Firewall-as-a-Service (FWaaS) offering. This lets an organization take advantage of the flexibility and scalability of the cloud for its security as well.
Like any firewall, a virtual or cloud firewall needs to be able to inspect the traffic entering and leaving the network it protects. A virtual firewall has several options for achieving this:
- Bridge mode: The virtual firewall can be deployed like a physical firewall, sitting directly in the path of traffic. This allows it to inspect, and allow or block, any traffic attempting to enter or leave the bridged virtual environment.
- Cloud-native APIs: Many cloud services offer APIs, such as AWS VPC Traffic Mirroring, that provide visibility into the traffic of an organization's cloud deployment. A virtual firewall can also use this virtual network tap to inspect traffic entering and leaving the protected virtual environment.
This visibility allows the cloud firewall to apply its integrated security policy and any built-in security features, such as sandbox analysis of suspicious content. Depending on the deployment and configuration settings, the firewall can also be configured to block attempted attacks or to generate alerts.
Different types of virtual firewalls may have additional features that make them well suited to protecting cloud-based environments. For example, Check Point's use of dynamic objects allows a security policy to be defined in a way that lets each gateway using that policy resolve certain values differently. This makes it possible to define general security policies that are enforced consistently across an organization's entire IT infrastructure, with specific values (such as IP addresses) set based on the firewall's integration with cloud application tags.
How is a Firewall Made Virtual?
Traditional networking appliances require dedicated hardware for each network function: the firewall is one of the most well-established pieces of hardware within the security stack. In this setup, incoming traffic is routed to the firewall that is plugged into the router, where it’s analyzed, before being forwarded to the internal network’s own switches. Sometimes, hardware firewall apps can be built into the router itself. The onboard memory then executes the security policies and routes traffic on to the internal networks. Usage trends are stored temporarily onboard; these can be extracted and analyzed by other security tools like security information and event management (SIEM).
The firewall analyzes every packet of data that is sent to the protected network, filtering traffic according to its criteria. This includes protocol type, source and destination IP addresses, port numbers, and previous behavior. If a packet does not comply with these rules, the firewall prevents it from passing through. In physical networks, these rules are uploaded to the physical appliance. However, continuing to rely on a hardware firewall can lock admin teams into expensive upgrade cycles as a business – and its network traffic – grows.
Separating compute power from a physical machine has been the defining process of the last decade’s worth of cloud transformation. Network Function Virtualization (NFV) allows firewalls to be virtualized through a type of software called a hypervisor. This segments a physical machine into multiple virtual machines – each of which can run independently. This then allows a firewall to be purchased and deployed as software: traffic en route to the network is routed via this cloud-based, virtual firewall. An organization then maintains the virtual firewall, changing rules and viewing ongoing activity through a visual dashboard.
Why a Virtual Firewall Is Needed
Virtual firewalls are designed to provide many of the same protections as traditional physical firewall appliances, but as a cloud-native solution. This enables them to meet several security needs:
- North-south traffic inspection: Cloud-based resources are deployed outside the traditional enterprise network perimeter and can be accessed directly from the public Internet. Deploying a virtual firewall appliance to inspect and filter the traffic into and out of these cloud-based resources is essential to protecting them from compromise and potential data breaches.
- East-west traffic inspection: Even if an organization controls access to its cloud-based resources, inspection of east-west data flows within the organization's environment is an important aspect of network security. Cybercriminals who gain access to an organization's network commonly move laterally to reach sensitive resources and achieve their ultimate goals. As the amount of sensitive data and functionality deployed in the cloud continues to grow, content inspection and security policy enforcement on this east-west traffic is important for protecting cloud-based resources, which makes virtual firewalls essential.
- Deployment location: A growing share of organizations' infrastructure is deployed in virtualized environments such as the cloud. Protecting these environments with physical firewall appliances is usually not a viable option, since the appliances cannot be deployed on site, and routing traffic through the headquarters network for security inspection is not viable either. A cloud or virtual firewall enables an organization to deploy the same level of security in a form factor designed for, and well suited to, its deployment environment.
- Flexibility and scalability: Virtual firewalls are commonly deployed as a security solution in cloud environments. Organizations often use the cloud for its built-in flexibility and scalability, so cloud security also needs to be able to adapt to changing requirements. The use of virtual firewalls, potentially with on-demand access to protection through Firewall-as-a-Service (FWaaS), is therefore an ideal solution for protecting these cloud-based environments, particularly given the ability to automate common provisioning and configuration steps.
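The points above come together in a single policy model: a firewall filters each packet on protocol, source and destination address and port, ends in an implicit deny, can either block or only alert, and (with dynamic objects) lets every gateway resolve the same rule to different addresses. The following is an added, self-contained Python example written for this article; it is not Check Point or CloudGuard code. The gateway names, tag-derived object values, rules and packets are all constructed for illustration, and the north-south and east-west rules model the two traffic directions discussed above.

```python
"""Toy stateless packet filter with per-gateway dynamic objects.

Added example for illustration only; not Check Point or CloudGuard code.
Rules match on protocol, source/destination network and destination port,
a rule's address field may be a CIDR or a dynamic object ("$NAME") that each
gateway resolves from its own (here: constructed) tag map, and the policy
ends in an implicit deny so anything unmatched, or unresolvable, fails closed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str = "any"
    src: str = "any"      # "any", a CIDR, or a dynamic object such as "$WEB_TIER"
    dst: str = "any"
    dport: Optional[int] = None

# Hypothetical per-gateway resolution of dynamic objects from cloud tags:
# the same object name maps to a different subnet on each gateway.
GATEWAY_OBJECTS: Dict[str, Dict[str, str]] = {
    "gw-us": {"$WEB_TIER": "10.1.0.0/24", "$DB_TIER": "10.1.1.0/24"},
    "gw-eu": {"$WEB_TIER": "10.2.0.0/24", "$DB_TIER": "10.2.1.0/24"},
}

# One general policy shared by every gateway (constructed sample).
POLICY: List[Rule] = [
    Rule("allow", "tcp", "any", "$WEB_TIER", 443),        # north-south: Internet to web tier
    Rule("allow", "tcp", "$WEB_TIER", "$DB_TIER", 5432),  # east-west: web tier to database
    Rule("deny", "any", "any", "$DB_TIER"),               # nothing else reaches the database
]

def _in_scope(ref: str, addr: str, objects: Dict[str, str]) -> bool:
    """True if addr falls inside ref; an unresolvable dynamic object never matches."""
    if ref == "any":
        return True
    cidr = objects.get(ref) if ref.startswith("$") else ref
    if cidr is None:
        return False
    return ip_address(addr) in ip_network(cidr)

def _matches(rule: Rule, pkt: Packet, objects: Dict[str, str]) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return _in_scope(rule.src, pkt.src, objects) and _in_scope(rule.dst, pkt.dst, objects)

def evaluate(pkt: Packet, gateway: str, policy: List[Rule] = POLICY,
             mode: str = "block") -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the matching rule, or None for the implicit deny).

    mode="block" enforces the policy; mode="alert" reports a would-be deny as
    "alert" without blocking, mirroring the block-or-alert configuration choice.
    """
    objects = GATEWAY_OBJECTS[gateway]
    for i, rule in enumerate(policy):
        if _matches(rule, pkt, objects):
            verdict, matched = rule.action, i
            break
    else:
        verdict, matched = "deny", None   # implicit final rule
    if verdict == "deny" and mode == "alert":
        return "alert", matched
    return verdict, matched

if __name__ == "__main__":
    # Constructed sample traffic; the public source address is a documentation range.
    samples = [
        ("gw-us", Packet("tcp", "203.0.113.5", "10.1.0.10", 443)),   # allowed on the US gateway
        ("gw-eu", Packet("tcp", "203.0.113.5", "10.1.0.10", 443)),   # same packet, EU resolves differently
        ("gw-us", Packet("tcp", "10.1.0.10", "10.1.1.20", 5432)),    # east-west web -> db
        ("gw-us", Packet("tcp", "203.0.113.5", "10.1.1.20", 5432)),  # Internet straight to db
    ]
    for gw, pkt in samples:
        print(gw, pkt, "->", evaluate(pkt, gw))
```

The `alert` mode only changes what is reported for a deny, not which rule matched, so the same policy can be staged in monitor-only fashion and then switched to enforcement without rewriting rules. Note that an object a gateway cannot resolve causes its rule to be skipped, and because the policy ends in an implicit deny, the result is a closed rather than open gap.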
Virtual vs Physical Firewall Use Cases
Since virtual firewalls are so different from their hardware-based counterparts, their ideal use cases differ accordingly. Virtual firewall solutions are best suited for cloud-native applications and rapidly changing network infrastructure. In contrast, physical firewalls excel in high-performance scenarios, centralized on-premises security, and protecting legacy systems.
Centralized, On-Premises Networks
Hardware firewalls are architecturally well-suited to centralized, hub-and-spoke network models. This is because they are implemented as a single security device alongside a single server stack. Should an enterprise rely on a simple, central network model like this, a hardware-based approach can prove effective.
Sprawling, Hybrid Networks
Virtual firewall benefits are best realized when an organization wants to secure sprawling, or cloud-based networks. Virtual firewalls provide a central management hub, even across swathes of an organization’s containerized applications, microservices, and private clouds. This means they are far better suited to hybrid or very distributed network environments, as one single management plane can allow a team to alter rules in different areas of the business. This helps build consistent firewall protection across different zones.
VPN Compatibility
When provisioning access for remote employees, many companies choose Virtual Private Network (VPN) tools. However, because these VPNs encrypt remote workers’ individual connections to internal resources, traditional firewalls can struggle to analyze the encrypted traffic. Both virtual and physical firewalls can effectively analyze VPN traffic, but they have different strengths depending on the network environment and use case.
Virtualized firewalls are a better fit for cloud-based VPN servers – they are also well-suited to new or temporary VPN accounts, such as those set up for temporary work staff and contractors.
Low Budget or Time
In terms of initial cost and time, a software-based firewall is relatively cheap and rapid to implement. Some come with a free trial, and after that, a relatively low monthly fee. Most virtual firewalls charge based on usage, or throughput, allowing for costs to remain consistent with real usage.
Software-based firewalls are also faster to set up: virtual firewall configuration often requires only installation and a few setting tweaks to begin securing traffic. Hardware firewalls, on the other hand, demand physical installation, suitable wiring and dedicated space, and proper network positioning and design – and changing these down the line requires the same intensive process. In addition, adding new appliances or devices means electrical and cooling considerations must be taken into account for each firewall that is installed. With virtual firewalls, by contrast, public cloud providers are responsible for the physical infrastructure.
Data Center Protection
Physical firewall appliances are generally better suited to intensely high-throughput applications, like data centers. This is due to the proximity of their compute power, which can be provided instantaneously from the onboard memory. This also allows for drastic fluctuations in network traffic to be suitably analyzed and processed, with no perceivable impact on latency.
This robust processing capability makes hardware firewalls an ideal choice for organizations experiencing rapid growth or those operating in high-demand sectors where uninterrupted network availability is mission-critical. Some virtual firewall challenges in this use case can include volatile pricing structures and the added latency of traffic being re-routed to a cloud-based analysis engine. Hardware firewalls can be a better fit for data centers since they operate independently from other network components: this frees up server and device resources that can then be fully optimized for their primary network task.
Gain Cloud Security with Check Point CloudGuard
Choosing a virtual firewall can be a critical move toward securing your cloud infrastructure. Check Point CloudGuard Network Security offers a cloud-native firewall that delivers unified, industry-leading threat prevention across hybrid and cloud-based networks.
Boasting a malware identification rate of 99.9%, CloudGuard Network Security champions operational efficiency through automation and native integration with tools like Ansible and Terraform, and supports automated playbooks and API-based responses. With a security blueprint that promotes architectural best practices and auto scaling up and down based on network traffic, CloudGuard Network Security customers are able to design highly available and secure deployments with tight network segmentation. Explore the wealth of CloudGuard Network Security firewall features with a demo today, or request pricing and start realizing cloud-first security.
