What is a Virtual Firewall?

A virtual firewall is a cloud-based security appliance that sits at the perimeter of a network and examines the traffic coming into and out of it. While traditional firewall appliances would be deployed physically alongside their server stacks, modern virtualization has allowed the firewall to be deployed and managed as a cloud-based appliance. This allows the security team to define their SD-WAN network traffic from a visual dashboard, and more easily apply the firewall protection to cloud and virtual servers.

Cloud Security Report Request a Demo

What is a Virtual Firewall?

How a Virtual Firewall Works

Virtual firewalls are commonly deployed as either a virtual machine within a cloud-based environment or via a FWaaS offering. This enables an organization to take advantage of the flexibility and scalability of the cloud in their security as well.

Like any firewall, a virtual or cloud firewall needs to be able to inspect the traffic entering and leaving its protected network. A virtual firewall has a couple of options for doing so:

  • Bridge Mode: A virtual firewall can be deployed like a physical firewall, sitting directly in the path of traffic. This enables it to inspect and allow or block any traffic that is attempting to enter or leave the virtual environment over the bridge.
  • Cloud-Native APIs: Many cloud services offer an API, such as AWS VPC Traffic Mirroring, that provides visibility into traffic flows into an organization’s cloud deployment. Virtual firewalls can also take advantage of this virtual network tap to perform inspection of traffic entering and leaving the protected virtual environment.

This visibility enables a cloud firewall to apply its integrated security policies and any built-in security capabilities, such as sandboxed analysis of suspicious content. Depending on the deployment and configuration settings, the firewall can also be configured to block attempted attacks or generate alerts.

Different types of virtual firewalls may have additional features that make them ideally suited to protecting cloud-based environments. For example, Check Point’s use of dynamic objects enables security policies to be defined in a way that allows certain values to be resolved differently by each gateway using the policy. This makes it possible to define general security policies that are enforced consistently across the organization’s entire IT infrastructure and that have specific values, like IP addresses, that are set based upon the firewall’s integration with cloud application tags.

How is a Firewall Made Virtual?

Traditional networking appliances require dedicated hardware for each network function: the firewall is one of the most well-established pieces of hardware within the security stack. In this setup, incoming traffic is routed to the firewall that is plugged into the router, where it’s analyzed, before being forwarded to the internal network’s own switches. Sometimes, hardware firewall apps can be built into the router itself. The onboard memory then executes the security policies and routes traffic on to the internal networks. Usage trends are stored temporarily onboard; these can be extracted and analyzed by other security tools like security information and event management (SIEM).

 

The firewall analyzes every packet of data that is sent to the protected network, filtering traffic according to its criteria. This includes protocol type, source and destination IP addresses, port numbers, and previous behavior. If a packet does not comply with these rules, the firewall prevents it from passing through. In physical networks, these rules are uploaded to the physical appliance. However, continuing to rely on a hardware firewall can lock admin teams into expensive upgrade cycles as a business – and its network traffic – grows.

Separating  compute power from a physical machine has been the defining process of the last decade’s worth of cloud transformation. Network Function Virtualization (NFV) allows firewalls to be virtualized through a type of software called a hypervisor. This segments a physical machine into multiple virtual machines – each of which can run independently. This then allows a firewall to be purchased and deployed as software: traffic on-route to the network is routed via this cloud-based, virtual firewall. An organization then maintains the  virtual firewall, changing rules and viewing ongoing activity through a visual dashboard.

Why a Virtual Firewall is Needed

A virtual firewall is designed to provide many of the same protections as traditional, physical firewall appliances – but as a cloud-native solution. This enables them to address several security needs:

  • North-South Traffic Inspection: Cloud-based resources are deployed outside of the traditional corporate network perimeter and are directly accessible from the public Internet. Deploying a virtual firewall appliance to inspect and filter incoming and outgoing traffic for these cloud-based resources is essential to protecting them against compromise and potential data leakages.
  • East-West Traffic Inspection: Even if an organization controls access to its cloud-based resources, inspection of east-west data flows within an organization’s environment is also a vital aspect of cybersecurity. Cybercriminals with access to an organization’s network commonly move laterally through it to reach sensitive resources and achieve their final objectives. With a growing amount of sensitive data and functionality deployed in the cloud, performing content inspection and security policy enforcement of these east-west traffic flows is important to protecting cloud-based resources, making a virtual firewall essential.
  • Deployment Location: A growing percentage of an organization’s infrastructure is deployed in virtualized environments, such as the cloud. Securing these environments with a physical firewall appliance is often not a viable option as these appliances cannot be deployed on-site and routing traffic through the headquarters network for security inspection is not a viable option. A cloud or virtual firewall enables an organization to deploy the same level of security in a form factor that is designed for and well-suited to its deployment environment.
  • Flexibility and Scalability: Virtual firewalls are commonly deployed as a security solution in cloud environments. Organizations commonly use the cloud for its built-in flexibility and scalability, so cloud security needs to be able to adapt to changing requirements as well. For this reason, the use of virtual firewalls – potentially via a Firewall as a Service (FWaaS) service offering on-demand access to protection – are an ideal solution to securing these cloud-based environments, especially with the ability to automate common deployment, provisioning, and configuration steps.

Virtual vs Physical Firewall Use Cases

Since virtual firewalls are so different from their hardware-based counterparts, their ideal use cases differ accordingly. Virtual firewall solutions are best suited for cloud-native applications and rapidly changing network infrastructure. In contrast, physical firewalls excel in high-performance scenarios, centralized on-premises security, and protecting legacy systems.

Centralized, On-Premises Networks

Hardware firewalls are architecturally well-suited to centralized, hub-and-spoke model networks. This is because they are implemented as a single security device alongside a single serverstack. Should an enterprise rely on a simple, central network model similar to this, a hardware-based approach can prove effective.

Sprawling, Hybrid Networks

Virtual firewall benefits are best realized when an organization wants to secure sprawling, or cloud-based networks. Virtual firewalls provide a central management hub, even across swathes of an organization’s containerized applications, microservices, and private clouds. This means they are far better suited to hybrid or very distributed network environments, as one single management plane can allow a team to alter rules in different areas of the business. This helps build consistent firewall protection across different zones.

VPN Compatibility

When provisioning access for remote employees, many companies choose Virtual Private Network (VPN) tools. However, because these VPNs encrypt remote workers’ individual connections to internal resources, traditional firewalls can struggle to analyze the encrypted traffic. Both virtual and physical firewalls can effectively analyze VPN traffic, but they have different strengths depending on the network environment and use case.

Virtualized firewalls are a better fit for cloud-based VPN servers – they are also well-suited to new or temporary VPN accounts, such as those set up for temporary work staff and contractors.

Low Budget, or Time

In terms of initial cost and time, a software-based firewall is relatively cheap and rapid to implement. Some come with a free trial, and after that, a relatively low monthly fee. Most virtual firewalls charge based on usage, or throughput, allowing for costs to remain consistent with real usage.

Software-based firewalls are also faster to set up: virtual firewall configuration often requires installation and a few setting tweaks to begin securing traffic. Hardware firewalls, on the other hand, demand physical installation, suitable wiring and space dedication, and proper network positioning and design – changing these down the line then requires the same intensive process.  Plus adding new appliances or devices means electrical and cooling considerations must be taken for each firewall that is installed. On the other hand, public cloud providers are responsible for the physical infrastructure for virtual firewalls.

Data Center Protection

Physical firewall appliances are generally better suited to intensely high-throughput applications, like data centers. This is due to the proximity of their compute power, which can be provided instantaneously from the onboard memory. This also allows for drastic fluctuations in network traffic to be suitably analyzed and processed, with no perceivable impact on latency.

This robust processing capability makes hardware firewalls an ideal choice for organizations experiencing rapid growth or those operating in high-demand sectors where uninterrupted network availability is mission-critical. Some virtual firewall challenges in this use case can include volatile pricing structures and the added latency of traffic being re-routed to a cloud-based analysis engine. Hardware firewalls can be a better fit for data centers since they operate independently from other network components: this frees up server and device resources that can then be fully optimized for their primary network task.

Gain Cloud Security with Check Point CloudGuard

Choosing a virtual firewall can be a critical move toward securing your cloud infrastructure. Check Point CloudGuard Network Security offers a cloud-native firewall that delivers  unified, industry-leading threat prevention across hybrid and cloud-based networks.

Boasting a malware identification rate of 99.9%, operational efficiency is championed through automation and native integration with tools like Ansible and Terraforms, , CloudGuard Network Security supports automated playbooks and API-based responses. With a security blueprint that promotes architectural best practices and auto scaling up and down based on network traffic, CloudGuard Network Security customers are able to design highly available and secure deployments with tight network segmentation. Explore the wealth of CloudGuard Network Security firewall features with a demo today, or request pricing and start realizing cloud-first security.

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK