Posted on Jul 13th, 2011 by Eric Ogren

The shift to virtualization, with most organizations virtualizing more than 30% of their applications, challenges the means by which security teams implement firewall-based foundational controls. Organizations are embracing virtualization for the obvious cost-savings benefits of applications sharing server and infrastructure resources. In fact, many enterprises continue to re-architect networks to consolidate data centers, applications and IT services. For instance, the rapid provisioning of applications - running in a matter of minutes on a virtual server for a task that would take weeks with physical architectures - necessitates a rapid evolution in the security lifecycle management of firewall rules.
Virtualization forces firewall rules to change more dynamically than ever before with applications spinning up and being decommissioned upon user demand. The firewall must now manage additional complexities in a virtual environment to quickly accommodate connectivity and access requests at the speed of business without creating security holes. Here are a few ways that firewall rules management is helping to secure virtual data centers:

  • Streamline firewall rules management workflow by automating the checking of compliance rules before a manual review. Security and network teams can be overwhelmed with requests for modifications to firewall rule sets. Firewall rules management can automatically validate that requested changes do not violate corporate security policy or compliance mandates. In some cases the manual review overhead can be eliminated entirely with a "compliance acid test", saving time and money.
  • Reduce the complexity of managing rules as firewalls are consolidated into virtualized servers. Organizations are placing multiple instances of firewalls on individual virtual servers, adding significant complexity to firewall rules management. For example, organizations deploying Check Point VSX need to deploy rule changes while evolving the virtual architecture, and must manage multiple firewall rule sets that exist within a single security device. This is a new challenge for security teams - having the right tool for keeping effective firewall rules within a sophisticated device, tracking and auditing changes, and managing workflows associated with firewall lifecycles is critically important.
  • Although organizations prefer to keep applications within a data center to avoid changing IP address assignments, the use of VMware vMotion across data centers and geographies - perhaps to support a mobile work force using smartphones and tablets - requires consistent firewall rules to avoid disruptions in business. Firewall lifecycle management can help security teams ensure that users can access applications, and that applications do not fall out of compliance, as capabilities such as vMotion shift applications. This capability becomes particularly important in high availability and disaster recovery scenarios.
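To make the "compliance acid test" from the first point concrete, here is an added example (not code from the original post or from any product it mentions) of a pre-review check that flags requested rule changes violating a small corporate policy. The zones, networks, ports and policy checks are constructed assumptions for illustration.

```python
"""Pre-review compliance check for requested firewall rule changes.

A requested change goes to manual review only if it raises no policy
violations; changes that fail are rejected automatically. All policy
inputs below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    port: Optional[int] # destination TCP port, None means all ports
    action: str         # "allow" or "deny"

# Hypothetical corporate policy inputs.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CARDHOLDER_NET = ipaddress.ip_network("10.50.0.0/16")
CLEARTEXT_PORTS = {21, 23}  # FTP and telnet are banned by policy

def _overlaps(cidr: str, nets) -> bool:
    """True if cidr is 'any' or overlaps at least one of nets."""
    if cidr == "any":
        return True
    return any(ipaddress.ip_network(cidr).overlaps(n) for n in nets)

def _is_internal(cidr: str) -> bool:
    return cidr != "any" and _overlaps(cidr, INTERNAL_NETS)

def check_rule(rule: Rule) -> List[str]:
    """Return the policy violations for one requested rule ([] = passes)."""
    violations = []
    if rule.action != "allow":
        return violations  # a deny never widens access
    if rule.src == "any" and rule.dst == "any" and rule.port is None:
        violations.append("any-any-any allow")
    if rule.port in CLEARTEXT_PORTS:
        violations.append(f"cleartext protocol on port {rule.port}")
    if not _is_internal(rule.src) and _overlaps(rule.dst, [CARDHOLDER_NET]):
        violations.append("external access to cardholder network")
    return violations

def triage(requests: List[Rule]) -> Tuple[List[Rule], List[Tuple[Rule, List[str]]]]:
    """Split requests into (cleared for manual review, rejected with reasons)."""
    cleared, rejected = [], []
    for r in requests:
        v = check_rule(r)
        (rejected.append((r, v)) if v else cleared.append(r))
    return cleared, rejected
```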

Security is still catching up to the demands of virtualization. Firewalls are particularly vulnerable in virtual environments because the speed of change is far greater than in traditional physical architectures, leading to increased risk of business disruptions and security incidents. Enterprises embracing virtualization can save themselves a lot of pain by evaluating firewall rules management products.