Subdivide your Physical Firewall into multiple Virtual Firewall instances

[Figure: virtual firewall architecture diagram, dividing one physical firewall into multiple virtual firewall instances]

In bigger organizations and at service providers, separate firewalls are routinely deployed per department or per class of subscriber, because some of them need their own firewall policies. More importantly, they want to administer, monitor and manage their own firewall so that they have full control over the kinds of traffic crossing their networks. Fortunately, some of today's firewalls (or UTMs, Unified Threat Management devices) allow a single high-capacity firewall to be subdivided into multiple virtual firewall instances (vendors use names such as virtual domains, security contexts or virtual systems for the same idea).

That means you have one high-capacity physical firewall (or two, if you want them in an HA, High Availability, pair) carrying multiple virtual firewalls, say one virtual firewall per department. The Internet connection is still shared by all the virtual firewall instances, but the administrator of each department controls their own security policies, including those governing Internet access.

So, what are the settings that can be configured individually for each virtual Firewall instance?

  • Interfaces (ports) – A firewall (or UTM) has a number of network ports for connecting internal LAN segments. Specific ports can be dedicated to a specific virtual firewall instance and are then controlled only by the administrator to whom that instance belongs; a port belongs to exactly one instance at a time.
  • Firewall policies – Allow or block Internet access, block certain applications or ports, and so on. Every such policy is configured separately within each virtual firewall, and a policy can only reference the interfaces that belong to that instance.
  • VLAN sub-interfaces – Rather than dedicating a physical port to every network, a single trunk port can carry several VLANs (802.1Q tags) as sub-interfaces. Each virtual firewall can be given its own set of VLAN sub-interfaces, even on a trunk shared with other instances, and its administrator controls them individually.
  • Routing configuration – Firewalls with built-in Layer-3 routing typically keep a separate routing table per virtual firewall, configured by that instance's administrator.
  • VPN configuration – Virtual Private Networks (VPNs) give roaming users encrypted access to the network over the Internet. Each virtual firewall administrator decides who is allowed into their network through their own instance.
  • Some vendors also allow other security settings, such as IPS, anti-virus, URL/web filtering and spam filtering, to be controlled per virtual firewall instance.

Note that not every vendor allows all of the above to be controlled per virtual firewall instance; this is only a broad overview, and each vendor has its own feature list.

Global firewall settings: Irrespective of the individual virtual firewall instances, certain settings can only be changed for the whole device by a super-administrator. These include network authentication settings, DNS/DHCP settings, high availability settings, administrator access profiles and firmware/signature updates. Which settings are global and which are per instance depends on the vendor.

One consequence worth keeping in mind: all the instances run on the same hardware and firmware, and the super-administrator account and the management interface reach every one of them. The isolation between departments is therefore only as strong as the protection of that global scope, so restrict and monitor super-administrator access at least as carefully as any single department guards its own instance.
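To make the split between global and per-instance scope concrete, here is a small model written for this article (an added example, not code from the original post or from any firewall vendor). It partitions a chassis into instances, lets the super-administrator dedicate ports and 802.1Q VLAN sub-interfaces (written portN.<vid>) to instances and link an instance to the one that holds the shared uplink, and lets each instance administrator add policies only against interfaces their instance owns and only within the policy quota the super-administrator set. The instance names, port names and DNS addresses are invented for illustration.

```python
# Toy model of one physical firewall partitioned into virtual instances. Added example
# written for this article, not vendor code; instance names, ports and addresses are invented.
from collections import namedtuple

Admin = namedtuple("Admin", "name instance", defaults=(None,))   # instance None = super-admin
Policy = namedtuple("Policy", "src_if dst_if action")           # action: "accept" or "deny"
VirtualInstance = namedtuple("VirtualInstance", "name max_policies policies")


class AuthorizationError(Exception):
    """An administrator tried to act outside the scope they own."""


class PhysicalFirewall:
    def __init__(self, ports):
        self.ports = set(ports)          # physical ports on the chassis
        self.instances = {}              # name -> VirtualInstance
        self.interface_owner = {}        # port, sub-interface or link -> the one instance owning it
        self.global_settings = {"dns": ["192.0.2.53"]}   # device-wide, super-admin only

    # -- global scope: super-administrator only --
    def _require_global(self, admin):
        if admin.instance is not None:
            raise AuthorizationError(f"{admin.name} has no global scope")

    def set_global(self, admin, key, value):
        self._require_global(admin)
        self.global_settings[key] = value

    def create_instance(self, admin, name, max_policies=100):
        self._require_global(admin)      # max_policies: resource quota fixed globally
        self.instances[name] = VirtualInstance(name, max_policies, [])

    def assign_interface(self, admin, iface, instance):
        """Dedicate a port, or an 802.1Q sub-interface 'portN.<vid>' of a trunk port, to one instance."""
        self._require_global(admin)
        base, _, vid = iface.partition(".")
        if base not in self.ports:
            raise ValueError(f"unknown port {base}")
        if vid and not 1 <= int(vid) <= 4094:
            raise ValueError(f"VLAN ID {vid} out of range")
        if iface in self.interface_owner:
            raise ValueError(f"{iface} already belongs to {self.interface_owner[iface]}")
        self.interface_owner[iface] = instance

    def link_instances(self, admin, a, b):
        """Internal link for inter-instance traffic: one virtual interface per side, policed by its owner."""
        self._require_global(admin)
        for near, far in ((a, b), (b, a)):
            self.interface_owner[f"link-{near}-{far}"] = near
        return f"link-{a}-{b}", f"link-{b}-{a}"

    # -- instance scope: that instance's administrator, or the super-administrator --
    def add_policy(self, admin, instance, policy):
        if admin.instance is not None and admin.instance != instance:
            raise AuthorizationError(f"{admin.name} cannot manage {instance}")
        inst = self.instances[instance]
        for iface in (policy.src_if, policy.dst_if):   # only the instance's own interfaces
            if self.interface_owner.get(iface) != instance:
                raise AuthorizationError(f"{iface} is not an interface of {instance}")
        if len(inst.policies) >= inst.max_policies:
            raise ValueError(f"policy quota of {instance} exhausted")
        inst.policies.append(policy)

    def evaluate(self, instance, src_if, dst_if):
        for p in self.instances[instance].policies:   # first match wins
            if (p.src_if, p.dst_if) == (src_if, dst_if):
                return p.action
        return "deny"                                  # implicit deny


def attempt(fn, *args):
    """Run an administrative action and report whether the model refused it."""
    try:
        fn(*args)
        return "allowed"
    except (AuthorizationError, ValueError):
        return "refused"


def demo():
    fw = PhysicalFirewall(ports=["wan1", "port3"])
    root, alice, bob = Admin("root"), Admin("alice", "finance"), Admin("bob", "rnd")
    for name, quota in (("internet", 100), ("finance", 2), ("rnd", 100)):
        fw.create_instance(root, name, quota)
    fw.assign_interface(root, "wan1", "internet")      # the shared uplink lives in one instance
    fw.assign_interface(root, "port3.100", "finance")  # VLAN 100 on trunk port3
    fw.assign_interface(root, "port3.200", "rnd")      # VLAN 200 on the same trunk
    fin_link, _ = fw.link_instances(root, "finance", "internet")
    fw.add_policy(alice, "finance", Policy("port3.100", fin_link, "accept"))
    return {
        "finance_to_internet": fw.evaluate("finance", "port3.100", fin_link),
        "internet_to_finance": fw.evaluate("finance", fin_link, "port3.100"),
        # bob administers rnd only: no policies in finance, no borrowing finance's VLAN
        "cross_instance_policy": attempt(fw.add_policy, bob, "finance", Policy("port3.100", fin_link, "deny")),
        "foreign_interface": attempt(fw.add_policy, bob, "rnd", Policy("port3.100", "port3.200", "accept")),
        "tenant_global_change": attempt(fw.set_global, alice, "dns", ["198.51.100.1"]),
        # finance's quota is two policies: the second fits, a third does not
        "second_policy": attempt(fw.add_policy, alice, "finance", Policy(fin_link, "port3.100", "deny")),
        "quota_exceeded": attempt(fw.add_policy, alice, "finance", Policy(fin_link, "port3.100", "accept")),
    }
```

Calling demo() returns one verdict per scenario: finance's own policy is applied, traffic in the unconfigured direction hits the implicit deny, and every attempt by a department administrator to reach outside their instance (a policy in another instance, another instance's VLAN, a global DNS setting, a policy beyond the quota) is refused. On a real product these rules are enforced by the device itself; the model only makes visible which decisions belong to the global scope (interface ownership, links, quotas, device-wide settings) and which to the instance scope (the policies that use what the instance has been given).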

Advantages of Virtual Firewalls:

  • Central global administration combined with local virtual firewall instances suits large companies with multiple departments, especially where certain departments (R&D, for example) need exclusive firewall policies and monitoring. No additional firewalls need to be bought for that purpose.
  • Lower capital and administrative cost.
  • High availability is supported with virtual firewall configurations; the HA pair protects all instances at once.
  • Some vendors include the virtual firewall feature with their firewall/UTM at no additional cost; others enable a few instances for free and sell licences for more.
  • A single physical firewall may support as many as 250 (or more) virtual firewall instances, depending on the vendor, model and licence.
  • With some vendors, traffic can pass between individual virtual firewall instances over internal inter-instance links, each end of which is policed by the instance that owns it.
  • Internet/WAN connectivity is shared by the virtual firewall instances, so each department need not invest in its own. With some vendors, bandwidth shaping or rate limiting can be applied per instance so that each virtual firewall has a guaranteed minimum bandwidth.
  • With some vendors, internal resources such as memory, session counts and connection rates can be allocated per virtual firewall instance, so that one busy or misbehaving instance cannot starve the others.

excITingIP.com
