  #1  
05-10-2012, 07:30 PM
trendless
 
Join Date: Mar 2011
Location: Northeast BC, Canada
Posts: 97
Virtualized gateways in production environment

Just read on Untangle's website that they don't recommend virtualization due to performance issues -- their wording makes it sound like a gateway/firewall issue, not Untangle-specific. That's the first I've heard of a gateway/firewall vendor say this... I know you've all got opinions, so let's hear 'em.
  #2  
05-10-2012, 08:29 PM
angry_geek
 
Join Date: Apr 2009
Location: herrin, il
Posts: 2,274

I haven't been willing to run a gateway/firewall virtualized in production yet. I still like having that dedicated piece of hardware there. I have set up VPN managers virtually sitting behind the firewall. That has worked well.
__________________
Loring Preston
The Computer Doctor
  #3  
05-11-2012, 12:04 PM
YeOldeStonecat
 
Join Date: Nov 2011
Location: Southeast Connecticut
Posts: 4,508

We are an Untangle partner.......my colleague has put Untangle in VMware at some of his clients.....I've run Untangle in ESXi at my home (was in a dual core Atom with 2 gigs of RAM...it ran fine for home use).

Untangle is a layer 7 firewall. It puts quite a load on the hardware...likes direct connections to very strong NICs...Intel Pro, Broadcom...server grade hardware controller based NICs. It does not do well with "software" NICs.

If you're just doing basic filtering of web traffic, anti malware, reporting, some content filtering..it'll be fine. If you're doing heavier spam filtering, heavier QoS/traffic shaping...it will not do as well virtualized as it would on a bare metal install.

Security wise....like the Angry one above...I'm also a fan of having my firewalls be on dedicated, separate hardware. There is something inside of me that is wary of vulnerabilities in the virtualized environments...that something can come in one door..and spread to other guests. There have been exploits in VMware...I'm sure there will be more. So I prefer one piece of hardware at the edge...for the firewall...2 or more NICs....red NIC on the WAN...green NIC(s) going to the LAN...to a switch...and from there have your servers in whatever setup you want.
__________________
Resident "Geek on a Harley" doing IT in Southeast Connecticut
http://www.dynamic-alliance.com/
https://www.facebook.com/YeOldeStonecat
All times are GMT.