Physical vs. Virtual

As Jon Oltsik, Enterprise Strategy Group (www.esg-global.com) senior principal analyst, aptly puts it, the biggest difference between a virtual firewall and a physical firewall is fairly obvious: A physical firewall is essentially a piece of standalone hardware, while a virtual firewall is a virtual appliance installed on top of virtualization management soft­ware. “This difference should not impact functionality, but it may impact performance,” Oltsik says. “Virtual firewalls also require some security oversight to lock down the physical server and hypervisor.”

Mike Fratto, senior analyst with Current Analysis (wwwxurrentanajysjs.com), says aside from certain perfor­mance characteristics, in many cases a virtual and physical firewall from the same vendor are functionally equiv­alent. “Virtual appliances typically support less performance than hard­ware because virtual appliances are software-based, are on shared hard­ware, etc.,” he says. A physical firewall, meanwhile, sits at a fixed position in the network and creates a hard exte­rior at the perimeter “but does nothing for traffic running over the virtual net­work,” he says.

Overall, Fratto says physical fire­walls make sense when trying to estab­lish a hardened perimeter, including one that protects the virtual infrastruc­ture, services, etc., from unauthorized use. Here, he says, “an existing data center firewall may suffice.” Virtual firewalls, meanwhile, are often tar­geted at a subset of services running within the virtual environment rather than the entire environment. Thus, he says, “you end up with a bunch of little perimeters based on applications or departments,” for example, rather than one large perimeter. That means ap­plications can be better protected from attack than if using VLANs and other isolation techniques, he says.

Another distinction between physical and virtual firewalls is that a virtual firewall and the servers it protects can reside anywhere in the virtual environment, something that allows the movement of virtual ma­chines while maintaining the virtual perimeter, Fratto says.