IT pros unhappy with the performance of vShield Zones can find plenty of open source alternatives to VMware’s virtual firewall or intrusion protection system, some of which, I feel, are better than any vShield product.
To be fair, I have limited experience with vShield products, and I have used only VMware vShield Zones (included in a vSphere Enterprise Plus license) and vShield Edge, but my experiences weren’t very positive.
VMware vShield Zones is easy to install and configure, but it is not very efficient, as I later discovered. All of the hosts in a cluster must have Zones installed, and every virtual machine’s traffic passes through the Zones virtual appliances. Passing virtual machine (VM) traffic through Zones’ very basic, rudimentary firewall really slows things down. (That’s why it is called slow-path mode.)
vShield Edge did not fare any better, in my experience. It has limitations when used in a cluster configured with a standard vSwitch instead of a vNetwork Distributed Switch. For example, I wanted to test Edge’s Port Group Isolation, a good security feature that effectively creates a barrier between the VM and the external network. However, this is available only when configured with a vNetwork Distributed Switch and not a standard vSwitch. vShield Edge also always seemed to generate a large amount of network traffic and use CPU resources when practically nothing was going on in the cluster.
Consider open source alternatives
I’m hoping VMsafe’s fast-path application programming interfaces, now being used by partners, will improve the vShield family’s poor performance. In the meantime, there are some great open source alternatives to the vShield suite in the form of virtual firewalls, intrusion prevention systems and intrusion detection systems.
Open source virtual firewalls and intrusion protection system (IPS) tools are a great choice for smaller environments and labs. Many of the big network vendors offer their products as virtual appliances, but they come with high upfront and ongoing maintenance costs.
You can find many virtual appliances at VMware’s Virtual Appliance Marketplace, although you should also use Google to determine which tools on VMware’s site are truly open source.
Open source alternatives for virtual firewalls
When it comes to firewalls, I am a fan of the old standards: IPCop, SmoothWall Express, m0n0wall and Vyatta. These packages provide solid protection and work tightly alongside Linux and some Windows kernels. They may not have an ultra-rich graphical user interface for administration, but they all provide the basics, which include packet inspection, network address translation and rules. Sometimes that is all you need.
In addition, many of the options I listed above go way beyond the basics, trumping the expensive commercial offerings by adding support for Simple Network Management Protocol, reverse proxy, traffic shaping, virtual private networks and much more. I personally like using the rock-solid open source products from Vyatta, as their command-line interface is similar to proprietary counterparts from Cisco Systems Inc.
Virtual IPS and IDS options
Many of the firewalls that I mentioned can provide a virtual IPS. Similar proprietary products, such as Cisco's ASA series of network security devices, offer IPS as well as hundreds of other features, but you have to consider if those capabilities justify the cost.
If you are planning to implement an IPS, you should also deploy an intrusion detection system (IDS). Many people don’t know the difference between an IPS and an IDS and how they work together. Ideally, these security measures are contained within a single appliance, with the IPS connected to your outside perimeter network and the IDS connected to a vSwitch inside the virtual firewall.
Vendors such as Catbird Networks Inc., Stonesoft Corp. and Sourcefire Inc. provide a combined IPS/IDS appliance but at a commercial price. Among open source packages, the mature Snort package (with the Snorby front-end) is one of my favorites, along with Bro Network Security Monitor and Suricata. I recently implemented Bro and was impressed at its feature set, ease of installation and configuration. It made me think of how far these products have come.
Since then, Bro has taken over my top spot in this category. Other products to consider include Smooth-Sec and SIEM-live (both based on Suricata), along with some great bootable live CDs that I use frequently, such as the Network Security Toolkit (the definitive de facto standard for anyone in networks and security) and the Security Onion.
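To make the IPS/IDS distinction concrete, here is a small added example (my own illustration, not code from Snort, Suricata, Bro or any other product named above). It parses a few rules written in the Snort/Suricata header syntax, then evaluates constructed flow records against them twice: once as a passive IDS that sees a mirrored copy of traffic on an inside vSwitch and can only alert, and once as an inline IPS in the perimeter path that can also drop. The `$HOME_NET`/`$EXTERNAL_NET` values, the rules and the flows are all assumptions made up for the example; treating a `drop` rule as a plain alert in passive mode mirrors how Suricata behaves when run as an IDS.

```python
"""Minimal Snort/Suricata-style rule matcher showing the IDS vs IPS split.

Added illustration, not code from any product named in the article. Only the
rule header, msg, sid and a simple content match are supported; real engines
handle far more (flowbits, pcre, byte tests, stream reassembly, and so on).
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed address variables, as you would set them in snort.conf / suricata.yaml.
VARS = {
    "$HOME_NET": ["10.0.0.0/8", "192.168.0.0/16"],
    "$EXTERNAL_NET": ["!$HOME_NET"],
}

RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def addr_match(spec, ip):
    """spec is 'any', a CIDR/IP, a $VAR name, or any of those prefixed with '!'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    if spec in VARS:
        return any(addr_match(s, ip) for s in VARS[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec, port):
    """spec is 'any', a single port, a 'lo:hi' range, or a '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_match(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def parse_options(text):
    """Split 'key:value; key2:value2;' into a dict (assumes no ';' inside values)."""
    opts = {}
    for item in text.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    opts: dict

    @classmethod
    def parse(cls, line):
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        g = m.groupdict()
        return cls(g["action"], g["proto"], g["src"], g["sport"], g["dir"],
                   g["dst"], g["dport"], parse_options(g["opts"]))

    def _header_match(self, src, sport, dst, dport):
        return (addr_match(self.src, src) and port_match(self.sport, sport)
                and addr_match(self.dst, dst) and port_match(self.dport, dport))

    def matches(self, flow):
        if self.proto not in ("ip", flow["proto"]):
            return False
        hit = self._header_match(flow["src"], flow["sport"], flow["dst"], flow["dport"])
        if not hit and self.direction == "<>":  # bidirectional rule: try the reverse
            hit = self._header_match(flow["dst"], flow["dport"], flow["src"], flow["sport"])
        if not hit:
            return False
        content = self.opts.get("content")
        return content is None or content in flow.get("payload", "")


def evaluate(rules, flows, inline):
    """Return one (verdict, sid, msg) per flow. inline=False is the passive IDS
    (alerts only, a 'drop' rule degrades to an alert); inline=True is the IPS."""
    verdicts = []
    for flow in flows:
        hits = [r for r in rules if r.matches(flow)]
        if inline and any(r.action == "drop" for r in hits):
            r = next(r for r in hits if r.action == "drop")
            verdicts.append(("drop", int(r.opts["sid"]), r.opts.get("msg", "")))
        elif hits:
            r = hits[0]
            verdicts.append(("alert", int(r.opts["sid"]), r.opts.get("msg", "")))
        else:
            verdicts.append(("pass", None, ""))
    return verdicts


# Constructed rules and flows for the demonstration (not from any real ruleset).
RULES = [Rule.parse(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH from outside"; sid:1000001; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"RDP from outside"; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Basic auth over plain HTTP"; '
    'content:"Authorization: Basic"; sid:1000003; rev:1;)',
]]
FLOWS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "10.0.1.5", "dport": 22, "payload": "SSH-2.0-OpenSSH"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51001, "dst": "10.0.1.5", "dport": 3389, "payload": ""},
    {"proto": "tcp", "src": "10.0.1.9", "sport": 40000, "dst": "198.51.100.20", "dport": 80,
     "payload": "GET / HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n"},
    {"proto": "tcp", "src": "10.0.1.9", "sport": 40001, "dst": "10.0.1.5", "dport": 22, "payload": "SSH-2.0-OpenSSH"},
    {"proto": "udp", "src": "203.0.113.7", "sport": 5000, "dst": "10.0.1.5", "dport": 22, "payload": ""},
]


def ids_verdicts():
    return evaluate(RULES, FLOWS, inline=False)


def ips_verdicts():
    return evaluate(RULES, FLOWS, inline=True)


if __name__ == "__main__":
    for mode, verdicts in (("IDS", ids_verdicts()), ("IPS", ips_verdicts())):
        for flow, (verdict, sid, msg) in zip(FLOWS, verdicts):
            print(f"{mode}: {flow['src']}->{flow['dst']}:{flow['dport']} {verdict} {sid or ''} {msg}")
```

The second flow is the interesting one: the same `drop` rule produces only an alert from the passive sensor but a block from the inline appliance, which is exactly why the article recommends running both, the IPS on the perimeter and the IDS on the inside vSwitch where it sees what got through.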
If you don’t need or want the overhead costs of implementing and maintaining a commercially available virtual firewall or IPS/IDS appliance for your shop, give these open source alternatives a try. You’ll probably find one that fits your needs.