I was reminded this week about just how bad complexity is for security people. And the problem is that complexity is getting worse in our networks. Virtual systems have a lot to answer for here, I reckon. I firmly believe that the first question any person should ask when running up a virtual system should be: would I install this on a new physical device if there were no virtual version? If the answer to that question is “no”, then for God’s sake do not run it up on a virtual system. There is too much of “because I can” going on in the virtualisation world.

Take virtual firewalls. They were all the rage for a while – and the vendors still tout them left, right and centre. I like them in very specific circumstances, but in places where the security peeps have been given free rein, they cause uncountable problems. You start having problems working out what traffic is going through which firewall – and “which rule should this be on?” starts being an interesting question.

And don’t even start me on what it does to the network topology.

On the other hand – if you would separate it onto a physical box anyway – then virtual firewalls are fantastic. Interface-wise it’s exactly as if you had installed a new box, but infrastructure-wise it’s a significant saving.

Just don’t run it up for the sake of it…