Virtual firewall

A virtual firewall (VF) is a network firewall service or appliance running entirely within a virtualized environment and which provides the usual packet filtering and monitoring provided via a physical network firewall. The VF can be realized as a traditional software firewall on a guest virtual machine already running, a purpose-built virtual security appliance designed with virtual network security in mind, a virtual switch with additional security capabilities, or a managed kernel process running within the host hypervisor. A virtual firewall (VF) is a network firewall service or appliance running entirely within a virtualized environment and which provides the usual packet filtering and monitoring provided via a physical network firewall. The VF can be realized as a traditional software firewall on a guest virtual machine already running, a purpose-built virtual security appliance designed with virtual network security in mind, a virtual switch with additional security capabilities, or a managed kernel process running within the host hypervisor. So long as a computer network runs entirely over physical hardware and cabling, it is a physical network. As such it can be protected by physical firewalls and fire walls alike; the first and most important protection for a physical computer network always was and remains a physical, locked, flame-resistant door. Since the inception of the Internet this was the case, and structural fire walls and network firewalls were for a long time both necessary and sufficient. Since about 1998 there has been an explosive increase in the use of virtual machines (VM) in addition to — sometimes instead of — physical machines to offer many kinds of computer and communications services on local area networks and over the broader Internet. The advantages of virtual machines are well explored elsewhere. Virtual machines can operate in isolation (for example as a guest operating system on a personal computer) or under a unified virtualized environment overseen by a supervisory virtual machine monitor or 'hypervisor' process. In the case where many virtual machines operate under the same virtualized environment they might be connected together via a virtual network consisting of virtualized network switches between machines and virtualized network interfaces within machines. The resulting virtual network could then implement traditional network protocols (for example TCP) or virtual network provisioning such as VLAN or VPN, though the latter while useful for their own reasons are in no way required. There is a continued perception that virtual machines are inherently secure because they are seen as 'sandboxed' within the host operating system. It is often believed that the host, in like manner, is secured against exploitation from the virtual machine itself and that the host is no threat to the virtual machine because it is a physical asset protected by traditional physical and network security. Even when this is not explicitly assumed, early testing of virtual infrastructures often proceeds in isolated lab environments where security is not as a rule an immediate concern, or security may only come to the fore when the same solution is moving into production or onto a computer cloud, where suddenly virtual machines of different trust levels may wind up on the same virtual network running across any number of physical hosts.