Solved

Virtual Firewall security question

Posted on 2014-02-05
1
426 Views
Last Modified: 2014-02-06
I am currently in the process of switching from a Barracuda load balancer to an F5 load balancer. During my discussion with F5 I found that their load balancing device also has the capability to function as a firewall.

After reviewing the feature set their firewall had to offer I am interested in making the switch. However, the F5 device is virtualized and I am nervous about relying on a virtual firewall instead of a physical.
 
My main concern is the server (ESXi) that would be housing the firewall/load balancer vm would also be housing other virtual machines. I understand that I can utilize VMWare’s vSwitches to logically separate the incoming public traffic from my private traffic, but I don’t fully understand the security consequences that would have. Could traffic hop from one vSwitch to another bypassing the firewall? What are other possibilities I should consider? What type of settings should I make sure are in place before implementing this setup? Or is it just a bad idea and I shouldn’t do it?
0
Comment
Question by:JTD_PS
1 Comment
 
LVL 3

Accepted Solution

by:
ArronG earned 500 total points
ID: 39835747
It depends on your requirements.
In some systems I have set up this type is not allowed as firewalls must be a physically separate entity from the infrastructure as per regulations.
However, if you're not a regulated business then in the VMware scenario you describe this is logical separation.
As long as you get you vSwitches and virtual networks setup correctly and ensure routing between virtual networks isn't in place then you should be ok.
Also, physical NIC's can be assigned to VMware which is secure when done correctly.
F5 have pretty good devices and they are a major VMware partner with a good tech team.
You should be able to lean on F5 for support in installation by making sure it's segregated.

ArronG
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now