Leveraging VMWare for Firewall Consolidation – MSSPs

Virtualization has become a powerful way to reduce IT spend as it relates to servers as we all know.  It allows data centers to conserve rack space, power consumption, server cost and a number of other things.

Everyone that has looked at virtualization has looked at it for user applications and has only thought about security as it relates to securing those user applications within the virtual environment.  So this got me thinking about a year ago.  I began to think about the other benefits and use cases for virtualization and security, and one thing that popped into my mind was that security is an application like a Web Server, Database server, etc.  So why couldn’t one just virtualize a firewall for the purpose of reducing the number of firewalls within their infrastructure?  Wouldn’t this be the same as reducing the number of physical servers within your infrastructure?

Ah, but surely this has been done before??  Cosine had a Virtual Firewall years ago where you could run multiple instances of a Firewall within a single hardware platform.  NetScreen had VSYS (Virtual Systems) that could allow for the delivery of separately managed firewalls within a single platform.  Fortinet has something called VDOM’s (Virtual Domains) that does the same thing.  I remember reviewing the Cosine patents when we acquired them at Fortinet.  So, no need to use VMWare to do this if its already been done right?

Well, I’m not so sure of that…

The other day I was speaking with a Telco that is building out an MSSP offering and they were
interested in virtualizing Firewalls so that each customer could have their own firewall in the cloud service.  They could easily pick up the phone and call Fortinet, NetScreen and others but one concern they had was the sharing of resources and the potential for one shared customers traffic to consume a bunch of CPU cycles and effect the performance of the other customers on the shared platform.

I immediately thought of VMWare.  You see, VMWare’s Hypervisor based scheduling algorithms allow CPU resources to be partitioned, as well as memory and disk.  One could essentially set up a Virtual Machine and set parameters that say the the VM can never exceed more than 1 gHZ of computing power.  Sort of like this.  I have a 3 gHz CPU and I want to reserve a maximum of 1 gHZ for VM 1, 2 and 3.  Each of the 3 VM’s could only peak to 1 gHZ.  Furthermore one can set specific maximums, such that if VM 2 and VM 3 were idle, VM 1 could burst up to 3 gHZ and take advantage of those idle cycles.

The difference between this method and VDOMs or VSYS is that we know have true hardware isolation vs. just a separation in the management  of policies for firewalls.  Its truly a separate firewall just like a physically separated firewall. 

Take a look at the graphic bellow for a better understanding and click comment to give me your opinion of this concept.  I’d love to flush out how useful or not this is.

Thanks!!

JP