VMware vShield Manager Design and Availability

Beth Pariseau at Tech Target echoes some excellent risk concerns regarding virtual firewalls by VMware. She paraphrases much of what was already said by “Scott Drummonds, an EMC Corp. vSpecialist and former VMware technical marketing director”.

  1. vShield Manager can introduce a single point of failure
  2. A failure can disable the network
  3. Network access is required to fix the problem
  4. Solutions are non-trivial

She then concludes that non-trivial solutions violate the “cost and consolidation objectives for virtualization projects”. I disagree. She also uses a sensationalist start to her report, which I question:

“raised eyebrows among potential users, who appear to be putting deployments on hold”

I looked for evidence of deployments on hold but found none. Who has the raised eyebrows? The closest thing was this anonymous quote:

“While vShield Zones sounds good in theory, it introduces a VM through which all the protected traffic is funneled,” said a data center supervisor working in the higher education field. “I worry about congestion and [vShield Manager] becoming a single point of failure.”

That is a business-as-usual quote, in my book, not a “wait a minute”. Data center supervisors know that a firewall funnels traffic, which can introduce congestion and failure risks. Their job is to plan around them to make sure deployments do not get put on hold.

I could give numerous examples of deployments that have charged ahead despite single-failure risks. They used to happen all the time in the traditional nuts, bolts and wire environments. Here are three examples of what has changed and what hasn’t.

Congestion

Sizing firewalls for performance was something of an art when buying hardware. A depreciation schedule of at least three years meant you had to keep a crystal ball handy in negotiations with vendors. Compare it to the resource pool concept of virtual devices. Additional memory, for example, is just an easy configuration change. The worst case is that you power off a virtual firewall, reconfigure, and restart. Most important, perhaps, is that virtual systems actually enable users to start with the smallest possible configuration. Even a company that expects phenomenal growth can initially spend only on low-throughput devices because virtual systems can be easily and inexpensively expanded in a cloud configuration.

Advantage: VMware

Failure

Like congestion, failure (often due to congestion) has budget implications. A failure usually ends up with security managers trying to find money in a hurry to perform a production swap of hardware and hire talent to manage delicate rule migrations in multiple physical locations. Not for the faint of heart — some liked to describe it as changing the tires on a moving car. Recovering from failure thus can be much harder to do in the physical world than virtual, as you can imagine.

Take VMware’s vShield Manager as a specific example, since that seems to have become the subject of controversy. A vShield App is installed on a virtual interface. Firewalls used to give console access (serial, etc.) after a failure. Management (service console) communication, separated from vmkernel as it should be, would still allow an administrator to power down the virtual machine, perform a cold migration and then power up the same host with a new vShield App. The failed firewall would be replaced, but replacement is far easier than in the physical world of keeping expensive spare/redundant parts and traveling at a moment’s notice to remote locations.

Advantage: VMware

Cost and consolidation

This can be argued several different ways, but take the usual cloud objective of elasticity. A firewall failure due to congestion (denial of service attack, for example) in the physical world raises cost and consolidation problems that are difficult to solve in the short and long term. Changes to the infrastructure sufficient to withstand a serious attack were not only substantially expensive and complex but raised all kinds of long-term financial obligations and implications. A virtual environment hosted in the cloud, on the other hand, lowers the barrier to resilience — it offers lower cost and better consolidation options for firewall and network security.

Advantage: VMware

Ultimately VMware brings a new set of options to the table for availability at less cost. That is why you always find disaster recovery projects and managers talking about how they want to leverage virtual systems to reduce downtime.

I am curious to know what potential customer would put a project on hold when they work through the above issues. A company might decide that the cost of downtime is not high enough to justify the expense of removing single points of failure; but removing single points of failure can be far less expensive in a virtual environment.
