Virtual evolution

05 August 2009 00:00 am

Various security functions are being integrated into a single appliance and then virtualised, creating the next generation of firewalls

The integration of several security functions into one appliance has dramatically changed the market for traditional firewalls. What began as the pooling of security functions such as inspection firewalling, antivirus, intrusion prevention and detection (IPS/IDS), antispam, Web content filtering, traffic shaping, and dynamic routing in a single appliance is now also being completely virtualised. The earlier approach was known as Unified Threat Management (UTM). Analysts at IDC predict that in 2010 this market will have grown to twice the size of today’s market for traditional firewalls and VPN.

Vendors have taken this concept a step further by completely virtualising these integrated UTM security functions. Some companies have partitioned their multi-threat security appliances into several separately managed and provisioned instances. Others offer consistent virtualisation of all UTM security functions. With Fortinet, these instances are called VDOMs, short for Virtual Domains. On the largest FortiGate multi-threat security appliances, customers can operate up to 4,000 virtual UTM firewalls, and the smaller models also offer virtualisation functionality.

Apart from the UTM security functions, static and dynamic routing can also be virtualised. To let multiple virtual firewalls communicate with each other, vendors provide what is called inter-VDOM routing: packets are routed internally between the virtual security appliances, so that a detour over physical network interfaces becomes unnecessary. Physical network interfaces can additionally be virtualised via Virtual LANs (VLANs). Provided VLAN-enabled switches exist, and depending on the deployed FortiGate model, up to 4,000 virtual VLAN interfaces can be used simultaneously.

Virtualisation of firewalls, however, is not an entirely new topic in the field of network security. For some years now, carriers, Internet service providers (ISPs), hosting providers and managed security service providers (MSSPs) have been virtualising traditional network firewalls for their customers. They primarily used larger, redundant cluster firewall systems shared by several end customers. Each customer could thus use its own virtual firewall with an appropriately separated configuration. This delivered savings in hardware and software licences and enabled providers to offer their customers cost-effective and highly available firewall services.

Unlike then, virtualisation today is not restricted to traditional inspection firewalling alone; all the other UTM security functions can be virtualised as well. At the touch of a button, these features can be enabled within a virtual firewall, and even the operating modes can be combined as required. One virtual firewall can, for example, run in NAT/route mode while the second operates in transparent mode (layer 2). Firewall, IPS, and antivirus functions can run on the first instance, while the second runs a pure web filter.

A growing number of companies are now deploying these virtualisation capabilities. In increasingly complex enterprise networks, they find the flexibility they need, in particular in the virtualisation of complete firewall functions and of network interfaces. Companies with multiple sites or with clearly separated business units or departments are progressively relying on virtualisation. Administration can be delegated to separate administrators, each of whom sees and manages only their own virtual firewall.
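To make the arrangement described above concrete, here is an added FortiOS CLI sketch (it is not from the article or from Fortinet's documentation) that creates two VDOMs, one in NAT/route mode and one in transparent mode, joins them with an inter-VDOM link, adds a VLAN sub-interface, and delegates one VDOM to its own administrator. The VDOM names, addresses, VLAN ID and admin name are made up, and the keywords follow the FortiOS 4.x-era CLI and can differ between releases.

```fortios
# Added example, not the article's or Fortinet's own configuration.
# All names, addresses and the VLAN ID are constructed for illustration.
config system global
    set vdom-admin enable          # allow multiple virtual domains
end
config vdom
    edit unitA                     # NAT/route VDOM: firewall + IPS + antivirus
    next
    edit unitB                     # transparent (layer-2) VDOM: web filter only
    next
end
config global
    config system vdom-link
        edit ab                    # creates interfaces ab0 and ab1, one per side
        next
    end
    config system interface
        edit ab0                   # unitA's end of the inter-VDOM link
            set vdom unitA
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit ab1                   # unitB's end; no IP because unitB is transparent
            set vdom unitB
        next
        edit port1_v100            # VLAN 100 carved out of physical port1 for unitA
            set vdom unitA
            set interface port1
            set vlanid 100
            set ip 10.100.0.1 255.255.255.0
        next
    end
    config system admin
        edit unitA-admin           # delegated admin who sees only unitA
            set vdom unitA
            set accprofile prof_admin
            set password <placeholder-set-a-real-one>
        next
    end
end
config vdom
    edit unitB
        config system settings
            set opmode transparent # layer-2 mode for the web-filter-only VDOM
            set manageip 10.200.0.2/24
        end
    next
end
```

Whether an inter-VDOM link may terminate in a transparent-mode VDOM, and which link type that requires, depends on the FortiOS release, so check the release notes before relying on that part.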

In the future, hardly any firewalls will be purchased without virtualisation and UTM functionality. The growing demand for security functions, increasingly complex networks, and the pressure for companies to be cost-efficient speak for themselves.
