With the rapid evolution of cloud computing, it has become increasingly common to run computer programs on virtual machines operating on servers. A virtual machine (VM) is a software implementation of a machine (i.e. a computer) that executes programs like a physical machine. The physical hardware on which virtual machines run is referred to as the host or host computer(s) and can reside in data center facilities.
Data centers are facilities used to house computer systems and associated components, typically including routers and switches to transport traffic between the computer systems and external networks. Data centers generally include redundant power supplies and redundant data communications connections to provide a reliable infrastructure for operations and to minimize any chance of disruption. Information security is also a concern, and for this reason a data center must offer a secure environment to minimize any chance of a security breach.
Virtualization has several advantages over conventional computing environments. The operating system and applications running on a virtual machine often require only a fraction of the full resources available on the underlying physical hardware on which the virtual machine is running. A host system can employ multiple physical computers, each of which runs multiple virtual machines. Virtual machines can be created and shut down as required, thus only using the resources of the physical computer(s) as needed. A virtualized application can run on one or a number of virtual machines that can be scaled up or down as required by the application.
Another advantage of virtualization is the flexibility provided by the ability to manipulate and move a virtual machine from one physical site to another, or to move a virtual machine between hosts within the same data center. Virtual machines can be moved in order to better utilize the host machines and to provide the elasticity to scale up or down in size.
Many data centers use appliances, employing dedicated hardware and software, to provide various services in the data center. Such services can include firewall services, load balancing services, Unified Threat Management (UTM) services, intrusion detection and prevention systems (IDS/IPS), data loss prevention (DLP) systems, Proxy/Gateway services, and other security services.
FIG. 1 illustrates a data center 100 with a hardware appliance 102 deployed in front of the data center 100 providing firewall and security services. Data center 100 has 7 blades 104, 106, 108, 110, 112, 114, 116. Blades 1-5, 104-112, run virtual machines VM1-VM10 managed by virtualization layer 118. Blades 6 and 7, 114 and 116, run virtual storage components VS1-VS4 managed by virtualization layer 120. The hardware firewall 102 inspects and filters traffic from the network 122 to the data center 100. The capacity of this firewall 102 is determined based on the maximum throughput for the data center 100. In practice, this often leads to the over-dimensioning of the firewall 102.
If, in the future, the data center 100 hardware is upgraded and the overall capacity of the data center 100 is increased, the firewall appliance 102 will also need to be upgraded to meet the increased traffic demand. This type of operation may require a service interruption, an investment in hardware/software upgrades, and a high operational cost.
Virtualization of the services provided by hardware appliances is also gaining momentum. For example, a virtual firewall (VF) is a network firewall service running entirely within a virtualized environment which can provide the same packet filtering and monitoring as is conventionally provided by a physical network firewall or firewall service appliance.
FIG. 2 illustrates a data center 200 employing a purely virtual firewall. Data center 200 has 7 blades 204, 206, 208, 210, 212, 214, and 216. Blades 1-5, 204-212, run virtual machines VM1-VM10 managed by virtualization layer 218. Blades 6 and 7, 214 and 216, run virtual storage components VS1-VS4 managed by virtualization layer 220. Blades 4 and 5, 210 and 212, can be provisioned to virtual machines VM7-VM10 running firewalling applications, or more simply called “virtual firewalls”. Blade 4, 210, can be dedicated for virtual firewalls at all times, while blade 5, 212, can be assigned to the firewall when traffic increases. These virtual machines, VM9 and VM10, can be released when the traffic decreases. The virtual firewall can inspect and filter traffic from the network 222 to the data center 200 similar to the hardware firewall 102 of FIG. 1. A virtualized firewall service allows the resources to scale with the traffic requirements.
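The elastic provisioning described for FIG. 2 (blade 4 dedicated to virtual firewalls, blade 5 assigned only while traffic is high) can be expressed as a small scaling controller. The following is an added illustration, not code from the patent; the per-VM inspection capacity, the scale-up/scale-down utilisation thresholds and the VM names VM7-VM10 on blades 4 and 5 are assumptions taken from or added to the figure description.

```python
"""Elastic virtual-firewall provisioning modelled on the FIG. 2 arrangement."""
from dataclasses import dataclass, field

VF_CAPACITY_GBPS = 10.0        # assumed inspection capacity of one virtual firewall VM
DEDICATED = ("VM7", "VM8")     # blade 4: always assigned to firewalling
BURST = ("VM9", "VM10")        # blade 5: assigned when traffic increases, released later
SCALE_UP_UTIL = 0.8            # add a burst VF once active capacity is >80% used
SCALE_DOWN_UTIL = 0.5          # release a burst VF only if <=50% of remaining capacity
                               # would then be used (hysteresis prevents flapping)


@dataclass
class VirtualFirewallPool:
    active: list = field(default_factory=lambda: list(DEDICATED))

    def capacity(self) -> float:
        """Aggregate inspection capacity of the currently running VFs."""
        return len(self.active) * VF_CAPACITY_GBPS

    def overflow_gbps(self, traffic_gbps: float) -> float:
        """Traffic the virtual firewalls alone cannot inspect at this load."""
        return max(0.0, traffic_gbps - self.capacity())

    def rebalance(self, traffic_gbps: float) -> list:
        """Assign or release blade-5 VFs to follow traffic; returns active VMs."""
        # Scale up while the active VFs are over-utilised and blade 5 has spare VMs.
        while traffic_gbps > SCALE_UP_UTIL * self.capacity():
            spare = [vm for vm in BURST if vm not in self.active]
            if not spare:
                break          # blade 5 exhausted: overflow_gbps() reports the shortfall
            self.active.append(spare[0])
        # Scale down: release the most recently added burst VF while doing so still
        # leaves utilisation at or below the scale-down threshold. Dedicated VFs on
        # blade 4 are never released.
        while self.active and self.active[-1] in BURST:
            capacity_after = (len(self.active) - 1) * VF_CAPACITY_GBPS
            if traffic_gbps <= SCALE_DOWN_UTIL * capacity_after:
                self.active.pop()
            else:
                break
        return list(self.active)


if __name__ == "__main__":
    pool = VirtualFirewallPool()
    for load in (12.0, 18.0, 27.0, 45.0, 14.0, 8.0):   # constructed traffic trace (Gbps)
        print(f"{load:5.1f} Gbps -> {pool.rebalance(load)}, overflow "
              f"{pool.overflow_gbps(load):.1f} Gbps")
```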
Therefore, it would be desirable to provide a system and method to integrate hardware and virtual firewall components and to mitigate the associated scalability problems.