Riding the virtualization wave

Virtualization is a hot topic and has been for a while now. While there is really only one big player in this field, there are many smaller ones making a living out of complementary products. Virtualization is also a field that is still growing: only a small percentage of the existing servers in the world run virtualized, and only a tiny fraction of a percent of desktops are virtualized. Forecasts by IDC (and others) predict that virtualization is Soon™ coming to a system near you.

I’m sure vendors in many fields have noticed this trend and want to join the ride. The easiest approach is to adapt an existing software product to the virtualization field without too much rewriting, since writing software from scratch requires more effort (and money).

I’m sure our good friends at CheckPoint had similar thoughts last year before they launched a “Virtual Edition” (VE) of their best-known firewall suites (UTM VE, Power VE and UTM Power VE). CheckPoint has provided a virtual appliance for years through the VMware Virtual Appliance Marketplace, but it hasn’t been supported for production use.

I have used their old appliance myself and it has worked fine for testing out different firewalling concepts. CheckPoint provides its own Linux distro called SecurePlatform (SPLAT), which is based on RHEL (similar to the Service Console) but modified into a firewall distro and fitted with a custom shell (cpshell). It also ships with a custom-built kernel. Until recently this kernel was a 2.4 kernel by default; R70 (shipped in March 2009) is the first version with a 2.6 kernel by default. The old 2.4 kernel was a bit special, since they had backported many newer drivers into it. The firewall itself consists of kernel modules, so you can’t use whatever kernel you want.

When this new “Virtual Edition” product line shipped it was advertised as a product that could protect your virtual machines. It was licensed per ESX host and did not support VMotion. It came in two editions: one for up to 5 virtual machines and one unlimited version. The license is per VMware ESX host (yes, I’ve said that already). When the product shipped it got broad media coverage, and many websites and news sites noted that CheckPoint was now shipping products for VMware.


Who runs 5 VMs or fewer on an ESX server? Who with such a small system would need an enterprise firewall suite to protect the VMs? If you have a larger environment you can buy the unlimited edition, but as VMotion is not supported it would be useless too. In ESX 3.x a VM can have a maximum of 4 virtual NICs (10 in v4), so if you want to protect each of your VMs with a separate set of rules, and keep the VMs completely separated (also from each other), you can’t put many VMs on the system. That still doesn’t justify CheckPoint trying to charge $7500 for the cheapest 5-VM edition (UTM) and $15000 for the unlimited edition. Per ESX host. Yes, to protect your VMs with a VE they will charge you a lot more than they would if you were installing their software on a physical box: an unlimited UTM license has a list price of $13000, and that price is independent of the number of ESX hosts.


So what is special about VE? Nothing. Well, it comes as an OVF file instead of an ISO, so you skip the initial 7 minutes of the install wizard partitioning and formatting the disk and copying files over from the ISO. Other than that, VE is a standard SPLAT (R65) install. Not even VMware Tools is installed, so networking performance is only as good as the emulated vlance (pcnet32) NIC allows (and that NIC also puts extra CPU load on the system when in use). I guess they couldn’t get vmxnet working, since VE uses a 2.4 kernel and vmxnet on 2.4 kernels hasn’t been supported since ESX 3 was released. I’m really sorry CheckPoint, but this is not good enough. The Virtual Edition concept has no benefits compared to the traditional editions: it costs a lot more, doesn’t perform optimally and requires you to stop using VMotion(!). I can’t think of a single case where that would be a useful solution.

Running a virtualized firewall is, however, something that will in the future be as normal as running a virtual server is for many today. The networking layer is already on its way into the virtualized datacenter, with Cisco as the first vendor with a native ESX switch. Cisco currently has no plans to port their ASA firewall software to a virtualized platform (ref. VMTN roundtable a few weeks ago). I hope to see firewall vendors jumping onto the bandwagon in a more serious manner soon. Who wants to ride the virtualization wave?
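The NIC and kernel situation described above can be checked from the appliance’s expert shell with two commands, `lsmod` and `uname -r`. The script below is an added example written for this post, not code from CheckPoint or from the original article: it parses `lsmod` output and the kernel release string to tell whether the guest is on the emulated pcnet32 (vlance) or e1000 driver or on vmxnet, and whether the kernel series is one that could get a supported vmxnet driver at all. The `lsmod` excerpt and the kernel string in the block are constructed samples, not captured from a real SPLAT system, and the module name `fw` in the sample is only a placeholder for the firewall modules.

```shell
#!/bin/sh
# Added example (not CheckPoint's code and not from the original post):
# classify the virtual NIC driver of a SPLAT guest from lsmod output and
# the kernel release string, and say whether vmxnet is even an option.

# Constructed lsmod excerpt in 2.4-kernel format: firewall modules (placeholder
# name "fw") plus the emulated pcnet32 (vlance) NIC. Not from a real system.
SAMPLE_LSMOD='Module                  Size  Used by    Tainted: P
fw                   1843200  22
pcnet32                19200   1
mii                     3744   0  [pcnet32]
'
# Constructed kernel release string in the style of a 2.4 SPLAT kernel.
SAMPLE_KERNEL='2.4.21-21cp'

# nic_driver LSMOD_TEXT -> prints vmxnet | vlance | e1000 | unknown
# Module names sit at the start of each lsmod line, so anchor the match there.
nic_driver() {
    if printf '%s\n' "$1" | grep -Eq '^vmxnet3?[[:space:]]'; then
        echo vmxnet
    elif printf '%s\n' "$1" | grep -Eq '^pcnet32[[:space:]]'; then
        echo vlance
    elif printf '%s\n' "$1" | grep -Eq '^e1000e?[[:space:]]'; then
        echo e1000
    else
        echo unknown
    fi
}

# kernel_series RELEASE -> prints the "major.minor" part, e.g. 2.4 or 2.6
kernel_series() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

# vmxnet_supported RELEASE -> exit 0 if VMware Tools can supply a supported
# vmxnet driver for this kernel series (2.6 and newer); exit 1 for 2.4, which
# the post notes lost vmxnet support when ESX 3 shipped.
vmxnet_supported() {
    case "$(kernel_series "$1")" in
        2.4) return 1 ;;
        *)   return 0 ;;
    esac
}

# report LSMOD_TEXT RELEASE -> one-line verdict combining the two checks
report() {
    drv=$(nic_driver "$1")
    case "$drv" in
        vlance|e1000)
            if vmxnet_supported "$2"; then
                echo "emulated-nic ($drv): install VMware Tools for vmxnet"
            else
                echo "emulated-nic ($drv): kernel $2 cannot use vmxnet"
            fi
            ;;
        vmxnet)
            echo "paravirtual-nic: ok"
            ;;
        *)
            echo "no-known-nic-driver"
            ;;
    esac
}

# Stand-alone run against the constructed sample. On a real appliance, from
# expert mode, use:  report "$(lsmod)" "$(uname -r)"
report "$SAMPLE_LSMOD" "$SAMPLE_KERNEL"
```

On the constructed sample the verdict is that the guest is on the emulated vlance NIC and that its 2.4 kernel rules out vmxnet, which is the combination the post describes for VE R65. On a guest that has been moved to a 2.6 SPLAT build, the same script points at installing VMware Tools instead.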

Version history: revision 1 of 1, last update 06-17-2009 04:29 PM