One of VMware’s big announcements at VMworld concerned the next big step in virtualization: NSX (network and security virtualization). NSX takes the virtual machine model up to the network level. I recently had a chance to catch up with Brad Hedlund, engineering architect in the VMware Networking and Security Business Unit (NSBU), who gave an introduction to virtual networks, and distributed firewalls in particular.

Software-defined

“Once you create the virtual machine, you’ve fundamentally changed the operating model of computing in the data center, so we think that with NSX and the virtual network we will be able to do the same for networking,” says Hedlund. “We would be able to treat an entire virtual network as a holistic abstraction that can be deployed on top of any hardware. It’s really a software-driven system with APIs. So part of that virtual network, of course, is security, right? So applications can come in all shapes, sizes, and topologies.”

Distributed firewalls are well suited to securing the traffic flows between the tiers of a multi-tiered application. Figure A shows an overview of distributed firewalls:

Figure A

From physical firewall to virtual firewall

“Typically, what we’ve done in the past is we use what we know to provide security and that is a firewall,” according to Hedlund. “It’s an appliance with ports on it and you plug it into a switch somewhere and you architect the network to steer traffic through the firewall to get from one tier to the next.”

According to Hedlund, the next iteration of the firewall is the virtual firewall. “You take what was the physical box with physical ports and turn it into a virtual machine. It’s basically the same kind of thing, a firewall that I need to manage but it’s a virtual machine. So, we still have the need to steer traffic through the virtual firewall and that is a network architecture consideration. Challenges that need to be addressed are how you configure and deploy the network to distribute traffic through these firewalls.”

With NSX, virtual networks, and virtualized security, VMware aims to change how security is deployed for applications in the data center, specifically for traffic that passes from one application tier to another.

“We tend to call this east/west traffic when you have got traffic going from server to server to fulfill the backend of the application. That east/west traffic is exactly where we see the distributed firewall playing,” says Hedlund. “You also have north/south traffic in the data center. That’s generally coming from the client to the front end of the application and maybe a web server of some kind. There’s definitely a role for a firewall there as a perimeter firewall at the edge of the application and touching the outside world. We still see the role of a traditional virtual or physical firewall fitting there.”

Traditionally, you get east/west security by steering traffic through a virtual or physical firewall. A distributed firewall removes that step: it enforces the firewall policy inside the hypervisor, at the point where the virtual machine attaches to the network.

When a virtual machine sends a packet to another virtual machine, the hypervisor applies the firewall policy before the packet goes anywhere, before it even touches the physical network. Because every hypervisor enforces the same policy, the firewall is effectively present at every virtual machine. Security policies are managed centrally and pushed to all hypervisors.

“So you don’t have these choke points anymore and you don’t have to worry about the size and performance of a specific virtual or physical firewall because the firewall and its processes are right at the edge of where the virtual machines are at and you don’t have a firewall thing, a device to manage and care for,” says Hedlund.

This model makes the firewall an easy-to-manage service. Hedlund says, “You basically describe the security you want from one tier to the next and you really don’t have a device, be it physical or virtual, that you need to configure and care for in the lifecycle of the environment.”

Simplifying application deployment

“This is going to simplify the way you deploy an application,” Hedlund asserts.

Today, when you deploy an application, securing the traffic between one set of virtual machines and another means placing a firewall between the two sets and making that firewall part of the application topology.

Describing the policy in a cloud management portal, as a distributed firewall allows, is far preferable to standing up a virtual or physical firewall and then steering traffic through it. Permitting a given protocol between, say, the web servers and the application servers becomes close to point-and-click. That simplification has knock-on benefits for both the project team and the operations team.

Distributed firewalls also perform better, since enforcement happens in every hypervisor rather than at a central choke point, and they simplify the application architecture; both contribute to cost savings.

Traffic steering

Distributed firewalls remove most of the traffic steering that traditional network architectures require.

“When you implement the security policy programmatically at the edge of the hypervisor, at that point, you don’t have to steer traffic anymore,” according to Hedlund. “Because once the packet leaves the hypervisor and hits the first network switch, it has already been through the firewall and we don’t have to shove the packet around to a firewall somewhere because we have already implemented the security policy.”
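
The mechanics Hedlund describes, a single central policy copied to every hypervisor and enforced at the virtual machine’s vNIC before the packet leaves the host, can be illustrated with a small simulation. The Python below is an added example written for this article; it is not NSX code and does not use VMware’s API, and the host names (esx01, esx02), VM names, tier names and ports are all invented. It shows a three-tier policy evaluated on the source VM’s host, the same verdict whether or not the two VMs share a hypervisor, and the policy following a VM when it moves between hosts with no firewall reconfiguration.

```python
"""Model of a distributed firewall: one central tier-to-tier policy, copied to
every hypervisor and enforced at the VM's vNIC on egress, so a packet is filtered
before it reaches a physical switch. Constructed example; not NSX code or its API."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    src_tier: str
    dst_tier: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_vm: str
    dst_vm: str
    proto: str
    dport: int


class Hypervisor:
    """One host: holds a copy of the policy and enforces it at each local vNIC."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.vms: Set[str] = set()
        self.rules: List[Rule] = []
        self.tier_of: Dict[str, str] = {}

    def install(self, rules: List[Rule], tier_of: Dict[str, str]) -> None:
        self.rules = list(rules)
        self.tier_of = dict(tier_of)

    def egress(self, pkt: Packet) -> str:
        """Verdict for a packet leaving a local VM: match on tier membership, not
        on IP address or host placement; first match wins; default deny."""
        if pkt.src_vm not in self.vms:
            raise ValueError(f"{pkt.src_vm} does not run on {self.name}")
        src_tier = self.tier_of.get(pkt.src_vm)
        dst_tier = self.tier_of.get(pkt.dst_vm)
        for rule in self.rules:
            if (rule.src_tier == src_tier and rule.dst_tier == dst_tier
                    and rule.proto == pkt.proto
                    and rule.dport in (None, pkt.dport)):
                return rule.action
        return "deny"


class PolicyManager:
    """Central controller: the only place the policy is edited; pushed to all hosts."""

    def __init__(self, rules: List[Rule], tier_of: Dict[str, str]) -> None:
        self.rules = list(rules)
        self.tier_of = dict(tier_of)
        self.hosts: Dict[str, Hypervisor] = {}

    def register(self, host: Hypervisor) -> None:
        self.hosts[host.name] = host
        host.install(self.rules, self.tier_of)

    def place(self, vm: str, host_name: str) -> None:
        """Initial placement or a live move; the destination host already has the policy."""
        for host in self.hosts.values():
            host.vms.discard(vm)
        self.hosts[host_name].vms.add(vm)


def verdict(policy: PolicyManager, pkt: Packet) -> str:
    """Evaluate the packet where it originates, on the source VM's host."""
    host = next(h for h in policy.hosts.values() if pkt.src_vm in h.vms)
    return host.egress(pkt)


def build_lab() -> PolicyManager:
    """Three-tier application spread over two hosts (constructed sample)."""
    policy = PolicyManager(
        rules=[
            Rule("web", "app", "tcp", 8080, "allow"),
            Rule("app", "db", "tcp", 5432, "allow"),
            Rule("web", "db", "tcp", None, "deny"),  # web must never reach db
        ],
        tier_of={"web1": "web", "app1": "app", "db1": "db"},
    )
    for name in ("esx01", "esx02"):
        policy.register(Hypervisor(name))
    policy.place("web1", "esx01")
    policy.place("app1", "esx02")
    policy.place("db1", "esx02")  # shares a host with app1: that traffic never hits a switch
    return policy


if __name__ == "__main__":
    lab = build_lab()
    print("web1 -> db1:", verdict(lab, Packet("web1", "db1", "tcp", 5432)))  # deny
    lab.place("app1", "esx01")  # move app1 to the other host; no firewall change needed
    print("app1 -> db1:", verdict(lab, Packet("app1", "db1", "tcp", 5432)))  # allow
```

The point to notice is what the rules do not mention: no IP addresses, no VLANs, no firewall interfaces. Membership in a tier is the only thing matched, so the verdict is the same when app1 and db1 sit on the same hypervisor (traffic that a choke-point firewall would never even see) and after app1 is moved to another host. A real deployment still needs a default-deny rule at the end of the list, which the model supplies implicitly, and rule ordering still matters, since the first match wins.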

Conclusion

Customers can adopt distributed firewalls for new applications, ideally as part of the up-front capacity planning. Because the policy is deployed programmatically in an SDN architecture, there is less chance of error when rolling it out, and applications become easier to move in disaster recovery and other migration scenarios: when the virtual machines are deployed, the policy is applied implicitly, with less room for human error all around. Hedlund expects fewer physical firewalls in the future, with those that remain doing what they do best: handling traffic at the perimeter rather than between network tiers.
