By Debasish Mukherjee; Vice President, Regional Sales APAC at SonicWall Inc.
In today’s digital world, information technology and business processes are tightly interdependent. To support organizational growth, businesses expect IT to keep pace with technology innovation and to modernize data center operations and services.
Application-centric virtualized environments abstract their infrastructure operations and application workloads so that compute, networking, storage and security are operationalized in a systematic way. These components should be tightly integrated to deliver application services safely, efficiently and at scale.
What should be the approach?
To address the security challenges facing public/private cloud environments, a sound approach would be to design, implement and deploy a virtual firewall that enables four fundamental capabilities:
- Gain complete visibility into intra-host (east-west) communication between virtual machines for threat prevention; traffic between VMs on the same hypervisor never leaves the host, so a physical perimeter firewall cannot see it
- Ensure the appropriate placement of security policies for the application throughout the virtual environment
- Deliver safe application enablement policies by application, user and content, regardless of VM location
- Implement proper security zoning (for example, via VLANs or virtual network segments) together with isolation/segmentation between zones, enforced by firewall policy rather than by VLAN membership alone.
When applying a software-defined data center (SDDC) model, best practices suggest deployment of a next-generation virtual firewall. The virtual firewall should leverage advanced security tools and services that protect the entire virtual and cloud environment.
Recommendations for a robust Next Gen Virtual Firewall:
A next-generation virtual firewall must offer all the security advantages of a physical firewall, along with the operational and economic benefits of virtualization. These include:
- System scalability and agility
- Speed of system provisioning
- Simple management
- Cost reduction
Optimally, a Next Gen Virtual Firewall consists of a full-featured firewall service capable of performing deep packet inspection, security controls and networking services equivalent to a physical firewall. It should be strategically placed on the virtual network (VN), typically between VNs in a multi-tenant ecosystem. The virtual firewall must capture virtual traffic between VNs for automated breach prevention and establish access control measures for data confidentiality and for the safety and integrity of the VMs.
Next Gen Virtual Firewalls effectively shield the critical components of private/public cloud environments from resource misuse attacks, cross-virtual-machine attacks over the network, common network-based intrusions, and application and protocol vulnerabilities. One caveat: hardware side-channel attacks between co-resident VMs (for example, cache-timing attacks) do not traverse the network and are invisible to any firewall; those require hypervisor and CPU-level mitigations. Infrastructure support for virtual firewall high availability (HA) is also recommended. This fulfills SDDC scalability and availability requirements by ensuring system resiliency, operational uptime and service delivery, and conformance to regulatory requirements.
One ought to look for virtual firewall solutions that are optimized for a broad range of public/private cloud and virtualized deployment use cases. A modern virtual firewall can adapt to service-level increases and protect virtual networks and application workloads.
Ideally, virtual firewall deployments can be centrally managed either on-premises or via an open, scalable cloud-based security management platform delivered as a cost-effective software-as-a-service (SaaS). This provides the visibility, agility and capacity to govern the entire virtual and physical firewall ecosystem with greater clarity, precision and speed, optimally from a single pane of glass.
Best-practice capabilities to consider
When selecting your next-generation virtual firewall solution, look for the following feature-set capabilities:
- Automated breach prevention – Deliver complete advanced threat protection, including high-performance intrusion and malware prevention, and cloud-based sandboxing
- Secure communications – Ensure data exchange between groups of virtual machines is done securely, including isolation, confidentiality, integrity, and information flow control within these networks via the use of segmentation
- Access control – Validate that only VMs that satisfy a given set of conditions (zone, application, user) can access data that belongs to another VM; VLANs provide the segmentation, but the firewall policy between segments is what enforces the control
- User authentication – Create policies that restrict VM and workload access to authenticated, authorized users
- Data confidentiality – Block information theft and illegitimate access to protected data and services
- Virtual application resilience and availability – Prevent disruption or degradation of application services and communications
- System safety and integrity – Stop unauthorized takeover of VM systems and services
- Inspection and monitoring mechanisms – Detect irregularities and malicious behaviors, and stop attacks targeting VM workloads
- Deployment options – Deploy on a wide variety of virtualized and cloud platforms for various private/public cloud security use cases.
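The following is an added illustrative example, not code from this article or from SonicWall. It models the policy behaviour the four fundamental capabilities and the feature list above describe: a default-deny policy between VM zones, keyed to workload identity (zone tag, application, user) rather than to the VM's current host or IP address, so that the same rule applies after a VM is live-migrated, and a check that shows which flows are intra-host and therefore invisible to a physical firewall. All VM names, zones, hosts, IPs and rules are constructed for the example.

```python
"""Zone-based inter-VM policy engine (added illustrative example; not SonicWall's
code). Policy is keyed to workload identity (zone tag, application, user), not
to the VM's current host or IP, and all east-west traffic is default deny.
All VM names, zones, hosts, IPs and rules below are constructed for the example."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    zone: str   # security zone tag assigned at provisioning; travels with the VM
    host: str   # hypervisor the VM currently runs on
    ip: str


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    app: str                        # application identity; "any" matches all
    action: str                     # "allow" or "deny"
    users: frozenset = frozenset()  # empty = no user restriction


@dataclass(frozen=True)
class Flow:
    src: VM
    dst: VM
    app: str
    user: Optional[str] = None


class VirtualFirewall:
    """First matching rule wins; no match means deny (default deny)."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def evaluate(self, flow: Flow) -> Tuple[str, Optional[Rule]]:
        for r in self.rules:
            if (r.src_zone, r.dst_zone) != (flow.src.zone, flow.dst.zone):
                continue
            if r.app not in ("any", flow.app):
                continue
            if r.users and flow.user not in r.users:
                continue
            return r.action, r
        return "deny", None


def is_intra_host(flow: Flow) -> bool:
    """True when both VMs share a hypervisor: this traffic never reaches a
    physical firewall, so only an in-hypervisor virtual firewall can inspect it."""
    return flow.src.host == flow.dst.host


def migrate(vm: VM, new_host: str, new_ip: str) -> VM:
    """Live-migrate a VM: host and IP change, the zone tag does not."""
    return replace(vm, host=new_host, ip=new_ip)


def demo() -> dict:
    # Constructed three-tier inventory plus a second tenant's VM on the same host.
    web = VM("web01", "web", "hv-a", "10.0.1.10")
    app = VM("app01", "app", "hv-a", "10.0.2.10")
    db = VM("db01", "db", "hv-b", "10.0.3.10")
    other = VM("tenantB-web01", "tenantB-web", "hv-a", "10.0.9.10")

    fw = VirtualFirewall([
        Rule("web", "app", "https", "allow"),
        Rule("app", "db", "mysql", "allow", frozenset({"svc-app"})),
        Rule("web", "db", "any", "deny"),   # explicit deny so the attempt is logged
    ])

    results = {}
    f = Flow(web, app, "https")
    results["web_to_app"] = fw.evaluate(f)[0]
    results["web_to_app_intra_host"] = is_intra_host(f)   # same hypervisor
    results["web_to_db_lateral"] = fw.evaluate(Flow(web, db, "mysql"))[0]
    results["app_to_db_svc"] = fw.evaluate(Flow(app, db, "mysql", "svc-app"))[0]
    results["app_to_db_wrong_user"] = fw.evaluate(Flow(app, db, "mysql", "jdoe"))[0]
    results["app_to_db_wrong_app"] = fw.evaluate(Flow(app, db, "ssh", "svc-app"))[0]
    results["cross_tenant"] = fw.evaluate(Flow(other, app, "https"))[0]

    # Move db01 onto another host with a new IP: the zone-based rule still applies.
    db_moved = migrate(db, "hv-a", "10.0.3.55")
    results["app_to_db_after_migration"] = fw.evaluate(
        Flow(app, db_moved, "mysql", "svc-app"))[0]
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The engine deliberately ignores IP addresses when matching: an IP- or VLAN-keyed rule set would have to be rewritten when db01 moved to hv-a, whereas a zone-keyed rule set carries the same allow/deny decisions across the migration. The web01-to-app01 flow also never leaves hypervisor hv-a, which is the case the first capability (visibility into intra-host traffic) exists for.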