Hardware Firewall vs VMware Firewall Appliance – Comparison

Tags: cisco-asa, firewall, networking, vmware-esxi

We have a debate in our office going on whether it's necessary to get a hardware firewall or set up a virtual one on our VMware cluster.

Our environment consists of 3 server nodes (16 cores w/ 64 GB RAM each) over 2x 1 GB switches w/ an iSCSI shared storage array.

Assuming that we would be dedicating resources to the VMware appliances, would we have any benefit of choosing a hardware firewall over a virtual one?

If we choose to use a hardware firewall, how would a dedicated server firewall w/ something like ClearOS compare to a Cisco firewall?

Best Answer

I've always been reluctant to host a firewall in a virtual machine, for a couple of reasons:

  • Security.

With a hypervisor, the attack surface is wider. Hardware firewalls usually have a hardened OS (read-only fs, no build tools) which will reduce the impact of a potential system compromise. Firewalls should protect the hosts, not the other way around.

  • Network performance and availability.

We've seen in detail what bad NICs can do (or can't), and that's something you want to avoid. While the same bugs can affect appliances, hardware has been selected and is known to work with the installed software. It goes without saying that the software vendor's support may not help you if you have issues with drivers, or with any hardware configuration that they don't recommend.

Edit:

I wanted to add, like @Luke said, that plenty of hardware firewall vendors have high availability solutions, with stateful connection state passed from active unit to standby. I've been personally satisfied w/ Check Point (on old Nokia IP710 platforms). Cisco has ASA and PIX failover/redundancy, pfSense has CARP and IPCop has a plugin. Vyatta can do more (pdf), but it's more than a firewall.
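The first bullet of the answer argues that appliances win on security partly because their OS is hardened (read-only root filesystem, no build tools). The audit below is an added example, not code from the answer or from any firewall vendor, that checks those two properties on a Linux-based firewall host; the mounts files and bin directories it creates are constructed samples so it runs offline, and on a real host you would point it at /proc/mounts and the system bin directories.

```sh
# Added audit for the two hardening properties the answer cites for
# firewall appliances: a read-only root filesystem and no build tools.
# Reads Linux /proc/mounts format; all sample inputs below are constructed.

# root_is_readonly MOUNTS_FILE  -> exit 0 if "/" is mounted with the ro option
root_is_readonly() {
  awk '$2 == "/" { n = split($4, o, ",");
                   for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
       END { exit found ? 0 : 1 }' "$1"
}

# build_tools_present DIR...  -> prints each toolchain binary found,
# exit 0 if any was found (bad for a firewall host), 1 if none
build_tools_present() {
  rc=1
  for d in "$@"; do
    for t in gcc cc c++ make ld as; do
      if [ -x "$d/$t" ]; then echo "$d/$t"; rc=0; fi
    done
  done
  return $rc
}

# audit_host MOUNTS_FILE DIR...  -> verdict lines, exit 0 only if both checks pass
audit_host() {
  m=$1; shift
  ok=0
  if root_is_readonly "$m"; then echo "PASS root filesystem is read-only"
  else echo "FAIL root filesystem is writable"; ok=1; fi
  if tools=$(build_tools_present "$@"); then
    echo "FAIL build tools present:"; echo "$tools"; ok=1
  else echo "PASS no build tools in: $*"; fi
  return $ok
}

# make_sample -> writes constructed mounts files and bin dirs, prints their dir
make_sample() {
  dir=$(mktemp -d)
  printf '%s\n' 'proc /proc proc rw,nosuid,nodev 0 0' \
                '/dev/sda1 / ext4 ro,relatime 0 0' \
                '/dev/sda2 /var ext4 rw,relatime 0 0' > "$dir/mounts.hardened"
  printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' > "$dir/mounts.generic"
  mkdir -p "$dir/appliance-bin" "$dir/generic-bin"
  printf '#!/bin/sh\n' > "$dir/generic-bin/gcc"   # fake compiler, constructed
  chmod +x "$dir/generic-bin/gcc"
  echo "$dir"
}

# Real host usage: audit_host /proc/mounts /usr/bin /usr/local/bin
```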