Data Center Firewall - Monolithic vs Virtualized


This is purely theoretical and does not represent a real network.

You can think of this as on prem or public cloud:


Monolithic

This design utilizes 3 physical firewalls that are embedded in a data center fabric:
• Perimeter
• B2B
• DC
The main focus of my question is on the DC firewall; as you can see, segmentation is derived by using traditional zones. There are some people that like this design as it's very simple and it has been used for years.

[Figure: DC Firewall - monolithic.jpg]


Virtualization
This design utilizes 3 physical firewalls that are embedded in a data center fabric:
• Perimeter
• B2B
• Virtualized (vfw's)
The main focus of my question is on the virtualized firewall; as you can see, segmentation is derived by creating virtualized firewalls that represent the environment that we are trying to segment. There are some people that like this design as it provides greater audit capabilities on environments like PCI x and y.

[Figure: DC Firewall - virtualization.jpg]


Can you provide a short paragraph on what your thoughts are – what do you see as the pros and cons of each design?

Which one is better for on prem?

Which one is better for public cloud?

Which one would provide better audit capabilities?

Which one would provide better automation / orchestration capabilities?

Which one is more agile?


Re: Data Center Firewall - Monolithic vs Virtualized

@mcronin 

Which one is better for on prem?

Which one is better for public cloud?

Stop thinking of the "cloud" and on-prem networks differently, because they aren't. The "cloud" is generally when we can get away with making the most amount of changes without major disruption because the environments are just getting built out, so most people will have more isolation in the "cloud" environment. This isn't because it's needed, it's because more people actually get to redesign their environments with a proper segmented design. 

Which one would provide better audit capabilities?

Anytime you gain more insight into the traffic, you'll have better audit abilities. In your diagram it doesn't appear like the virtualized design is separating the different groups into different zones, so your Monolithic design actually allows more insight into the traffic and therefore allows you to better audit connections.

Which one would provide better automation / orchestration capabilities?

They are both the same. You would have a more complex environment with multiple virtualized firewalls over a single firewall with additional zones, but your automation abilities are the same if you have one firewall or multiple. 

Which one is more agile?

Define agile. The virtualized diagram that you have would be better suited for a move into micro-segmentation in the future, which should really be what you are aiming for.
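The two designs discussed in this thread can be modelled side by side. The following is an added example, not code from either post or from the Live Community, and every environment, zone and vfw name in it is constructed. It renders one environment-to-environment intent as zone rules on a single DC firewall and as paired egress/ingress rules on per-environment vfws, groups the result by push target to show that the automation loop is the same in both cases, and then checks which environments a single traffic-log record from each design names on its own, which is where the audit difference the reply points at shows up when the vfws only have flat zones.

```python
"""Constructed model of the two designs in the thread (example code, not from
the post or any vendor): one environment-to-environment intent rendered as
zone rules on a single DC firewall and as rules spread across per-environment
vfws, plus a check of what one log record from each design reveals."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One intended environment-to-environment flow (constructed data)."""
    src_env: str
    dst_env: str
    app: str
    action: str  # "allow" or "deny"


# Constructed intent for hypothetical environments; names are not from the page.
INTENT = [
    Flow("web", "app", "https", "allow"),
    Flow("app", "db", "mysql", "allow"),
    Flow("pci", "db", "mysql", "allow"),
    Flow("web", "db", "any", "deny"),
]


def render_monolithic(intent):
    """Monolithic: one DC firewall, one zone per environment.

    Each intended flow becomes exactly one rule whose from/to zones name both
    environments (hypothetical 'z-<env>' zone naming)."""
    return [
        {
            "vsys": "dc-fw",
            "from_zone": f"z-{f.src_env}",
            "to_zone": f"z-{f.dst_env}",
            "app": f.app,
            "action": f.action,
        }
        for f in intent
    ]


def render_virtualized(intent):
    """Virtualized: one vfw per environment, each with flat inside/fabric zones.

    A flow crosses two vfws, so it becomes an egress rule on the source vfw
    and an ingress rule on the destination vfw (hypothetical 'vfw-<env>' naming)."""
    rules = []
    for f in intent:
        rules.append(
            {"vsys": f"vfw-{f.src_env}", "from_zone": "inside",
             "to_zone": "fabric", "app": f.app, "action": f.action}
        )
        rules.append(
            {"vsys": f"vfw-{f.dst_env}", "from_zone": "fabric",
             "to_zone": "inside", "app": f.app, "action": f.action}
        )
    return rules


def group_by_target(rules):
    """Group rendered rules by the firewall/vfw they would be pushed to.

    The push loop is identical for both designs; only the number of targets differs."""
    targets = defaultdict(list)
    for r in rules:
        targets[r["vsys"]].append(r)
    return dict(targets)


def envs_identified(record):
    """Environments a single traffic-log record names on its own.

    The record carries the same vsys and zone fields as the rule that matched it.
    Zones of the form 'z-<env>' and a vsys of the form 'vfw-<env>' identify an
    environment; the flat 'inside'/'fabric' zones do not."""
    envs = set()
    if record["vsys"].startswith("vfw-"):
        envs.add(record["vsys"][len("vfw-"):])
    for zone in (record["from_zone"], record["to_zone"]):
        if zone.startswith("z-"):
            envs.add(zone[len("z-"):])
    return envs


if __name__ == "__main__":
    for name, rules in (("monolithic", render_monolithic(INTENT)),
                        ("virtualized", render_virtualized(INTENT))):
        targets = group_by_target(rules)
        print(f"{name}: {len(rules)} rules across {len(targets)} target(s)")
        print(f"  first log record identifies: {sorted(envs_identified(rules[0]))}")
```

Run as-is, the monolithic rendering yields 4 rules on 1 target and a first log record that names both `web` and `app`; the virtualized rendering yields 8 rules across 4 vfws, and each record names only the environment of the vfw that logged it, so auditing a web-to-db flow means correlating two records. Giving each vfw environment-named zones instead of flat `inside`/`fabric` zones is what would close that gap in this model.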
