The need for an “active-active” firewall cluster in virtualized datacenters

by Marco Rottigni

Virtualization continues to make waves. It has generated hype, projects, positive and negative opinions, information overload and floods of ink with the persistence of a true mass phenomenon, and I believe what we have seen so far is just the beginning.

Virtualization offers some clear and immediate advantages, such as the relative ease of implementation, the marketing strength of the major vendors’ offerings and an attractive return on investment. These advantages make it one of the hottest topics in today’s IT world.

In the author’s opinion, however, the vast majority of organizations are still in a server consolidation phase and have not yet leveraged the full power of virtualization technology.

Taking VMware, as an established player, and its server platforms (VMware Server, VMware ESX and VMware ESXi) as the reference for “business” implementations, the projects seen so far fall into two main phases, with a third only just emerging:

  1. Testing Server Consolidation, where the attempt has been to consolidate different applications and servers, on different operating systems, onto one or more hardware platforms, each with its own network connection. The typical environments for this phase are lab and/or test environments, or non-critical production environments, and the goal is to reduce implementation and maintenance costs.
  2. Server Consolidation in Production, where multiple servers and machines are consolidated and “floating” on a hypervisor cluster, that is, a cluster of VMware ESX hosts. This is a mature phase, in which system availability and performance are maximized through technologies such as VMware HA, VMware VMotion and VMware Distributed Resources Scheduler (DRS), and it is well suited to production environments. At the moment, however, only a few “virtualization pioneers” are moving on to the third phase:
  3. Complete datacenter virtualization, including network virtualization, which yields even greater benefits and advantages.

These steps represent an ideal path for system and application virtualization. Unfortunately, the majority of organizations have not yet taken the full process into consideration. There are several reasons for this, most of them based on concerns about network segmentation in the virtualized environment.

[Figure: Virtual_model]
[Figure: Virtual_datacenter]

As virtualization begins to absorb elements that were previously physically connected to switches, such as routers, firewalls and IPS, the weakened perception of segmentation, despite its crucial importance, can lead to oversights. These in turn undermine the “traditional” defenses on which network and system security depend.

In this scenario it is essential to adopt a proper virtual network security system that regulates the communication flows previously governed by physical security engines. Moreover, these systems must not remain “outside” the virtualized infrastructure: they should be fully integrated with, compatible with and supported by the virtualization technologies in use.

Looking at the VMware environment, this is the case for Certified Virtual Appliances (CVA). CVA is a validation scheme defined by VMware that enforces a defined level of compatibility for validated applications, not only with the underlying hypervisor but also with important surrounding solutions such as VMotion, which moves running virtual machines “live” between a virtual datacenter’s physical servers. The illustration below describes a fully virtualized scenario:

[Figure: Virtual_HA]

Although simplified, the illustration above represents a high availability system created by combining VMware HA with the legendary, rock-solid StoneGate “active-active” clustering, which dynamically load-balances traffic across nodes in both physical and virtualized environments. The benefit becomes apparent when one firewall cluster node fails because of a software error or a power outage: the surviving node continues to process traffic, and the sessions handled by the failed node fail over transparently with no connection disruption.

Tight integration with the underlying hypervisor allows VMotion to move firewall cluster nodes between the virtual datacenter’s physical servers with no impact on the traffic and connections processed by the StoneGate firewall cluster. For this to work, the vSwitch port groups that a node’s interfaces attach to must exist under the same names on every host, as in the illustration above, and the identically named port groups must map to the same layer-2 broadcast domain on each host. VMotion matches networks by name; it does not verify that the uplinks behind that name actually reach the same VLAN, so a naming match with a mismatched VLAN ID moves the node onto a different segment and breaks the cluster’s traffic.
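The check described above, as an added example that is not Stonesoft’s or VMware’s code: it verifies, for the port groups a firewall cluster node uses, that every host carries the same port-group name, the same 802.1q VLAN ID and a physical uplink. The per-host input is constructed here and modelled on the text layout of `esxcfg-vswitch -l` on ESX; the exact column layout is an assumption and may differ between releases, so adapt the regular expressions to your own listing.

```python
"""Port-group consistency check across ESX hosts before VMotion of firewall nodes.

Added example, not StoneGate or VMware code. Identical port-group names are
what VMotion matches on; the VLAN ID behind each name is what actually puts
the node into the right broadcast domain. This script checks both.
"""
import re

# Constructed sample listings for three hosts (layout modelled on
# `esxcfg-vswitch -l`; an assumption, not captured output).
# esx03 is deliberately wrong: DMZ carries VLAN 210 instead of 200,
# and the INSIDE port group is missing entirely.
HOST_OUTPUT = {
    "esx01": """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          7           64                1500    vmnic0

  PortGroup Name   VLAN ID  Used Ports  Uplinks
  OUTSIDE          100      2           vmnic0
  DMZ              200      2           vmnic0
  INSIDE           300      2           vmnic0
""",
    "esx02": """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          7           64                1500    vmnic1

  PortGroup Name   VLAN ID  Used Ports  Uplinks
  OUTSIDE          100      2           vmnic1
  DMZ              200      2           vmnic1
  INSIDE           300      2           vmnic1
""",
    "esx03": """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          5           64                1500    vmnic0

  PortGroup Name   VLAN ID  Used Ports  Uplinks
  OUTSIDE          100      2           vmnic0
  DMZ              210      2           vmnic0
""",
}

# Port groups the firewall cluster nodes attach to (hypothetical names).
CLUSTER_PORTGROUPS = {"OUTSIDE", "DMZ", "INSIDE"}

SWITCH_RE = re.compile(r"^(vSwitch\S*)\s+\d+")
# name, VLAN ID, used ports, optional uplink list (empty for internal-only vSwitches)
PORTGROUP_RE = re.compile(r"^\s+(.+?)\s+(\d+)\s+(\d+)\s*(\S*)\s*$")


def parse_vswitch_listing(text):
    """Return {portgroup_name: {"vswitch", "vlan", "uplinks"}} for one host."""
    result = {}
    current_switch = None
    for line in text.splitlines():
        m = SWITCH_RE.match(line)
        if m:
            current_switch = m.group(1)
            continue
        m = PORTGROUP_RE.match(line)
        if m and current_switch is not None:
            name, vlan, _used, uplinks = m.groups()
            result[name] = {"vswitch": current_switch,
                            "vlan": int(vlan),
                            "uplinks": uplinks}
    return result


def check_portgroups(inventory, required):
    """Return a list of problems that would break VMotion of a cluster node.

    inventory: {host: parse_vswitch_listing(...)}; required: port-group names.
    """
    problems = []
    hosts = sorted(inventory)
    for pg in sorted(required):
        vlans = {}
        for host in hosts:
            entry = inventory[host].get(pg)
            if entry is None:
                problems.append(f"{pg}: missing on {host}")
                continue
            vlans[host] = entry["vlan"]
            if not entry["uplinks"]:
                problems.append(f"{pg}: no physical uplink on {host} (internal-only vSwitch)")
        # Same name everywhere is not enough: the VLAN ID must match too.
        if len(set(vlans.values())) > 1:
            detail = ", ".join(f"{h}=VLAN {v}" for h, v in sorted(vlans.items()))
            problems.append(f"{pg}: VLAN ID differs across hosts ({detail})")
    return problems


def run_check():
    inventory = {host: parse_vswitch_listing(text) for host, text in HOST_OUTPUT.items()}
    return check_portgroups(inventory, CLUSTER_PORTGROUPS)


if __name__ == "__main__":
    for problem in run_check():
        print("PROBLEM:", problem)
```

Run it on the constructed data and it flags the DMZ VLAN mismatch and the missing INSIDE port group on esx03; with a clean inventory the list is empty, which is the state to confirm before enabling VMotion or DRS for the firewall nodes.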

The most important features of this solution, and those that let a StoneGate firewall reach enterprise-level performance inside a virtual machine, are support for 802.1q VLAN tagging, which matters given the current limit of four network interfaces per virtual machine in ESX (tagged sub-interfaces let a single virtual NIC serve many segments), and the inclusion of network drivers optimized for VMware. To these come the benefits of StoneGate features such as Multi-Link, Server Load Balancing and bandwidth management.

Where the project involves layer 2 traffic and network segmentation, the StoneGate IPS Virtual Appliance adds complete stealth (transparent) control of traffic flowing within the same L2 topology, inspection up to the application layer, flow and event correlation, inline and mirror-port deployment, and 802.1q VLAN tagging support, completing an exhaustive intrusion protection solution for virtualized environments.

All of this is managed seamlessly from the same StoneGate Management Center that is used for the physical security engines.

Stonesoft: Secure Virtual Information Flow.