When firewalls were first designed, their role was to control traffic between network segments and physical hardware. As we move into greater adoption of cloud and virtualized infrastructure, the physical design of the network becomes less dominant, largely due to the collapsing of physical servers into fewer virtualized servers. This means the main source of security control needs to also be adapted as the threats start to move to the individual VMs residing in servers, especially when multi-tenancy is utilized. This means that the logical barriers segregating virtual machines become the concern for firewalls, not just the network around the physical server. So how do you protect the inter-VM traffic when a traditional firewall cannot see traffic beyond the physical NIC card of the server?
The answer is virtual firewalls. These are a new breed of firewall that uses virtualization APIs to hook into hypervisors and control traffic between virtual machines. Virtual firewalls use a per-host firewall VM for configuration and logging, while taking advantage of the hypervisor kernel to filter the traffic. You can also customize the traffic preferences to select specific VMs or groups to minimize resource impact. The advantage of this operational redesign is the significant reduction in lag compared to CPU-dependent virtual firewalls which are restricted to the speed of a single vCPU. The newest generations of virtual firewalls have adopted connection tables and rulesets to increase performance even further.
Virtual firewalls are currently the only method of ensuring traffic between VMs is controlled from a security and compliance standard. This extends to providing security against the movement of virtual machines between physical servers, as firewall rules can be embedded in the individual VM and is automatically applied upon movement.