The Tragic End of the Hardware Firewall Myth
Several years ago, Tom wrote a blog post (and maybe a newsletter article) about what he called the "hardware firewall scam". In those posts, he made the point that all hardware runs software, and that the distinction between a hardware and software firewall was indeed an artificial one - one that was created by "hardware firewall" vendors to give the impression that their equipment was inherently better and more secure because it ran on "hardware".
At the time a lot of people "poo-poo'd" Tom's assertion. They went on to say that hardware and firmware were inherently more secure and that everyone knew that and that Tom had gone off the deep end or swallowed some kind of Microsoft Kool Aid that prevented him from understanding that "software" could never be as secure as "hardware", in spite of the fact that the statistics on security issues related to ISA and the subsequent TMG firewall were far superior to those found with common so-called "hardware" firewalls.
Now let's fast forward to the year 2011. Virtual datacenters based on VMware vSphere or Microsoft Hyper-V are taking over, as organizations realize the cost savings and administrative benefits. In today's enterprise networks, when an old piece of hardware needs to be decommissioned, the workload hosted by that server will almost invariably be assigned to a virtual machine. What's important within the context of this discussion is that this is happening for firewall workloads too.
That's right - the old "hardware" firewalls are being decommissioned and their workloads moved to virtual machines within the virtual datacenter. VMware already has integrated firewall-like functionality that you can use to create network security and segmentation within the vSphere cloud environment, and you can certainly do similar things using the TMG firewall within your virtual datacenter, regardless of whether you're using vSphere or Hyper-V. The private cloud not only supports your applications and application security, it's now the nexus of your networking and network security, and that includes network firewalls.
What's particularly remarkable is how easily the changeover is taking place. In the past, you got the impression that "hardware firewalls" were handed down from on high by the Gods of Networking, and that because they were hardware, their security reputation and behavior was inviolate. But now that we're moving our firewall and network security infrastructure to a virtual datacenter and a private cloud, all of a sudden the magic and the mystery and the might of hardware has melted away - because the myth of hardware firewall security couldn't stand up to the advantages of virtualizing the network firewall role, with higher availability, increased security, better performance, and dynamic network security resource allocation that you can get when instantiating your firewall infrastructure in a virtual datacenter or private cloud.
A major side effect of this realization that the "hardware" firewall can be virtualized is that deploying so-called "software" firewalls like the ISA or TMG firewall can no longer be argued to be less secure than "hardware" firewalls. Since the virtualized firewalls are by definition "software only" and are considered as secure as or more secure than their "hardware" counterparts, perhaps the ISA and TMG "software" firewall will now be recognized as being as secure as or more secure than their "hardware" firewall counterparts.
Over time, I expect all the TMG firewall implementations to be virtualized. Performance is excellent, and if you pay attention to basic security considerations for deploying virtual firewalls, you lose nothing in the area of network security and can end up with a more secure configuration.
Let's fast forward again, to the year 2014. I can imagine that the TMG firewall will no longer need to be installed in a Hyper-V environment. Instead, in my vision all of the TMG firewall functionality will be baked into the Hyper-V networking configuration - so that you can apply the strong network and application layer security controls as you currently do in the TMG firewall, but as part of the network configuration right there in the Hyper-V console. VMware currently has something similar to this, and there's no reason that Microsoft can't leverage the power of the ISA/TMG line of products and bake them into a powerful and secure private cloud option for Hyper-V.
What do you think? Has virtualization of network firewalls proven that that the emperor of "hardware" firewalls indeed had no clothes? Or do you think that virtualization of network firewalls has no influence over the relative security of hardware versus software firewalls, and that the Gods of Hardware Firewalls are alive and well and continue to imbue "hardware" with some immutable level of security that mere mortals (and software firewalls) will never understand. Send me your thoughts at [email protected].
DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)