Typically, a firewall rule definition comprises five tuples: source, source port, destination, destination port, and service (or application), together with an action value. Each tuple specifies a set of identifiers that are the acceptable values for that tuple. This holds true for most firewalls in use today, both hardware-based and software-based. Hardware firewalls can be used to protect physical machines as well as virtual machines (VMs), but they have a number of drawbacks. For instance, a hardware firewall is a choke-point solution: it is the single point at which all firewall rules are enforced, because all traffic has to pass through it. Consequently, it fails to provide security among the machines behind the choke point, since traffic between those machines never reaches it.
Software firewalls can be implemented either as service-node firewalls or as VNIC-level (virtual network interface card) firewalls. Service-node firewalls are similar to their hardware counterparts and enforce firewall rules at network boundaries. Hence, they have the same disadvantages as hardware firewalls: they are choke points for network traffic and fail to secure intra-network traffic, i.e., traffic between the virtual machines behind the choke point. VNIC-level firewalls, on the other hand, enforce security policies as soon as a packet leaves the VM's VNIC, and can therefore secure traffic between VMs. VNIC-level firewalls can also inspect the traffic twice, once at the source VNIC and once at the destination VNIC.
In current VNIC-level firewall models, all the rules are applied to all the VMs in the datacenter; in other words, there is a one-to-one mapping between the rules defined at the management plane and the entries in each VNIC-level rule table. This one-to-one mapping limits the number of rules that can be defined at the management level, and it bloats each VNIC-level firewall table with rules that can never match that VNIC's traffic, which in turn slows the firewall engine. This approach also offers no control over whether, for traffic between VMs, rule processing is done at the source or at the destination. Current VNIC-level approaches are also not truly multi-tenant, because to achieve multi-tenancy a user has to create multiple firewall contexts (or multiple firewall tables) at the controller level. Therefore, there is a need in the art for a better firewall solution.
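The five-tuple rule format described in the first paragraph and the per-VNIC rule tables discussed in the preceding two paragraphs, as an added Python illustration that is not part of the original text. It shows each tuple as a set of acceptable identifiers with a wildcard, evaluates a packet once at the source VNIC and once at the destination VNIC, and contrasts the one-to-one distribution (every rule copied to every VNIC) with a table that keeps only the rules whose source or destination set can contain that VNIC's address. The rule set, addresses, VNIC layout, first-match and default-deny semantics, and the one-IP-per-VNIC simplification are all constructed for the example.

```python
"""Five-tuple firewall rules evaluated at the VNIC rather than at a choke
point. Added illustration; the rule set, addresses and VNIC layout below are
constructed for the example and are not from the original text."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# A tuple's value is a set of acceptable identifiers; None is the "any" wildcard.
Nets = Optional[FrozenSet]
Ports = Optional[FrozenSet[int]]
Svcs = Optional[FrozenSet[str]]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    service: str          # "tcp", "udp", ...


@dataclass(frozen=True)
class Rule:
    name: str
    src: Nets = None
    sport: Ports = None
    dst: Nets = None
    dport: Ports = None
    service: Svcs = None
    action: str = "drop"

    def matches(self, pkt: Packet) -> bool:
        return (ip_in(pkt.src, self.src) and member(pkt.sport, self.sport)
                and ip_in(pkt.dst, self.dst) and member(pkt.dport, self.dport)
                and member(pkt.service, self.service))


def member(value, allowed) -> bool:
    return allowed is None or value in allowed


def ip_in(addr: str, allowed: Nets) -> bool:
    if allowed is None:
        return True
    ip = ip_address(addr)
    return any(ip in net for net in allowed)


def nets(*cidrs: str) -> FrozenSet:
    return frozenset(ip_network(c) for c in cidrs)


def evaluate(table: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is dropped
    (default-deny, assumed for this example)."""
    for rule in table:
        if rule.matches(pkt):
            return rule.action
    return "drop"


def one_to_one_tables(rules: List[Rule], vnic_ips: List[str]) -> Dict[str, List[Rule]]:
    """The model the text criticises: every management-plane rule is copied
    into every VNIC's table, whether or not it can ever match there."""
    return {ip: list(rules) for ip in vnic_ips}


def relevant_tables(rules: List[Rule], vnic_ips: List[str]) -> Dict[str, List[Rule]]:
    """A VNIC's table keeps only rules whose source or destination set can
    contain that VNIC's address (one IP per VNIC assumed). Rules with a
    wildcard endpoint still land everywhere, so bloat shrinks only as far
    as the rules are specific."""
    return {ip: [r for r in rules if ip_in(ip, r.src) or ip_in(ip, r.dst)]
            for ip in vnic_ips}


def forward(tables: Dict[str, List[Rule]], pkt: Packet) -> Tuple[str, Dict[str, str]]:
    """VNIC-level enforcement inspects twice: at the source VNIC when the
    packet leaves the VM and at the destination VNIC when it arrives.
    Either hop may drop; endpoints that are not managed VNICs are skipped."""
    verdicts: Dict[str, str] = {}
    if pkt.src in tables:
        verdicts["source"] = evaluate(tables[pkt.src], pkt)
    if pkt.dst in tables:
        verdicts["destination"] = evaluate(tables[pkt.dst], pkt)
    final = "drop" if "drop" in verdicts.values() else "allow"
    return final, verdicts


# Constructed rule set and VNIC layout (not from the original text).
RULES = [
    Rule("web-in", src=nets("192.168.0.0/16"), dst=nets("10.0.1.0/24"),
         dport=frozenset({80, 443}), service=frozenset({"tcp"}), action="allow"),
    Rule("db-from-web", src=nets("10.0.1.0/24"), dst=nets("10.0.2.0/24"),
         dport=frozenset({5432}), service=frozenset({"tcp"}), action="allow"),
    Rule("mgmt-ssh", src=nets("10.0.9.0/24"), dst=nets("10.0.1.0/24", "10.0.2.0/24"),
         dport=frozenset({22}), service=frozenset({"tcp"}), action="allow"),
]
VNICS = ["10.0.1.10", "10.0.2.10", "10.0.3.10", "10.0.9.5"]  # web, db, app, jump host


def table_sizes(tables: Dict[str, List[Rule]]) -> Dict[str, int]:
    return {ip: len(t) for ip, t in tables.items()}


if __name__ == "__main__":
    print("one-to-one:", table_sizes(one_to_one_tables(RULES, VNICS)))
    print("relevant:  ", table_sizes(relevant_tables(RULES, VNICS)))
    tables = relevant_tables(RULES, VNICS)
    for pkt in (Packet("10.0.1.10", 40000, "10.0.2.10", 5432, "tcp"),
                Packet("10.0.1.10", 40001, "10.0.3.10", 8080, "tcp"),
                Packet("10.0.9.5", 40002, "10.0.2.10", 22, "tcp")):
        print(pkt.src, "->", pkt.dst, pkt.dport, forward(tables, pkt))
```

With these constructed rules the one-to-one distribution installs twelve table entries across four VNICs while the filtered distribution installs six, and the web-to-app packet on port 8080 is dropped at both VNICs even though both VMs sit behind the same boundary, which is exactly the traffic a choke-point firewall never sees.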