What is a software firewall? | Palo Alto Networks

A software firewall is a firewall in a software form factor rather than a physical appliance, which can be deployed on servers or virtual machines to secure cloud environments.

*Note: The term “software firewall” should not be confused with the term “firewall software,” which describes the operating system running a next-generation firewall (NGFW).

Software firewalls are designed to protect data, workloads and applications in environments wherein it is difficult or impossible to deploy physical firewalls, including:

  • Software-defined networks (SDN)
  • Hypervisors
  • Public cloud environments
  • Virtualized data centers
  • Branch offices
  • Container environments
  • Hybrid and multicloud environments

How Software Firewalls Work

Software firewalls embody the same firewall technology as hardware firewalls (also known as next-generation firewalls or NGFWs). Software firewalls offer multiple deployment options to match the needs of hybrid/multi-cloud environments and modern cloud applications. They can be deployed into any virtualized network or cloud environment.

Figure 1: Software firewalls in hybrid/multi-cloud security

Software Firewall vs. Hardware Firewall

The most important difference between a hardware and software firewall is the form factor, but there are several others worth noting, summarized in Figure 2.

Both software and hardware firewalls play critical roles in network security. Therefore, software firewalls are not better than hardware firewalls or vice versa. Rather, each is appropriate for different situations.

Figure 2: Differences between software firewalls and hardware firewalls

Parameters compared: software firewall vs. hardware firewall

Form factors
  • Software firewall: Software
    • Software firewall is installed on a server or virtual machine
    • Operate on a security operating system generally run on generic hardware with a virtualization layer on top
  • Hardware firewall: Physical, individual device
    • Installed between network elements and connected devices

Deployment options
  • Software firewall: Cloud, Container, Virtual
  • Hardware firewall: NGFW

Complexity
  • Software firewall:
    • Can be deployed quickly and easily using cloud automation tools
    • Can be used by non-network security experts
  • Hardware firewall:
    • A hardware firewall requires tangible activities, such as rearranging cables and setting configuration parameters through a command line interface (CLI)
    • Skilled staff are necessary for installation and management

Types of Software Firewalls

Software firewalls typically fall into one of three categories:

  1. Virtual firewalls
  2. Container firewalls
  3. Managed service firewalls

Each type offers specific features for different environments and purposes. However, every software firewall monitors and protects east-west, incoming and outgoing network traffic. A software firewall blocks suspicious activity and prevents exfiltration.

Virtual Firewalls (also known as cloud firewalls or virtualized NGFWs)

A virtual firewall protects a range of environments, including:

Virtual firewalls can inspect and control north-south perimeter traffic in public cloud environments and segment east-west traffic inside data centers and branches. Virtual firewalls offer advanced threat prevention measures via microsegmentation.

In public clouds, virtual firewalls add protections to the native safeguards cloud service providers (CSPs) offer. They also safeguard critical network connections to cloud applications. In these situations, cloud-based firewalls typically act as guest virtual machines. Some can provide visibility across multiple CSP deployments.

Higher-end virtual firewalls can offer the following benefits:

  • Support organizations in meeting public cloud user security obligations
  • Ensure compliance with regulatory standards
  • Boost built-in security features unique to each CSP

Container Firewalls

Container firewalls behave similarly to virtual firewalls but are purpose-built for Kubernetes environments. Container firewalls help network security teams safeguard developers with deep security integration into Kubernetes orchestration. This is important because container workloads embedded in Kubernetes environments can be difficult to secure with traditional firewalls.

Managed Service Firewalls

Software firewalls are also available as a managed service, similar to many other software-as-a-service (SaaS) offerings. Some managed service firewall offerings provide a flexible way to deploy application-level (Layer 7) security without the need for management oversight. As managed services, some of these firewalls can also be quickly scaled up and down.

Network Security Challenges that Create the Need for Software Firewalls

In the world of virtualized, decentralized environments, many network security challenges arise that cannot be solved with solutions applied to a traditional data center.

Disappearing Security Perimeter

The concept of a traditional security perimeter separating the inside and outside of the network has been challenged for some time. With the proliferation of hybrid/multi-cloud strategies, today’s modern architectures make it even harder to define a perimeter. Additionally, much of the architecture consists of clouds run by service providers. This results in constant movement of information across the network and the internet.

Increasingly Dangerous Threat Landscape

40% of businesses have already suffered at least one cloud-based data breach, a remarkable percentage given the short duration of the cloud era. The victims of these successful attacks are not just cloud novices but established enterprises with considerable investment and expertise in network security.

Conflicting Security Views Between Cloud and Network Teams

Shifting to cloud-first strategies has profound implications for security, starting with application development. Security is not always top of mind for cloud developers. Their mandate is to develop and release as quickly as possible. In fact, 14% of cloud developers report application security as a top priority, while two-thirds routinely leave known vulnerabilities and exploits in their code. Plus, the development group is often tempted into thinking the native security provided by cloud service providers is “good enough.”

Network security often arrives late in the development lifecycle, limiting the range of available options. Furthermore, when the network security team recommends a security solution such as an NGFW, they bear the burden of proof to show their recommendations will not slow the business down or delay time to value.

Cloud-native Introduces Network Security Problems in Hybrid/Multi-cloud Architectures

One particularly disruptive change in development methodologies is the use of vendor-specific orchestration services like AWS Elastic Beanstalk, Azure App Service, and Google App Engine. With these tools, developers simply upload application code, and the orchestration service automatically handles deployment. While this level of automation greatly simplifies life for the developer, it also compounds the problems of network security in hybrid/multi-cloud architectures.

Larger Attack Surface

Data centers are evolving into private clouds in which local applications are hosted on virtual machines, not directly on physical servers. Other applications run on public clouds in virtualized environments, often using containers and Kubernetes orchestration. In this model, interconnections dominate the architecture, making the attack surface larger and more difficult to define.

Figure 3: Firewall security in traditional data center architecture

Hybrid/Multi-cloud Environments Tend to Create Compliance Challenges

Shared Responsibility Model

  • The shared responsibility model is just one aspect of hybrid/multi-cloud architectures that can make it difficult to achieve compliance.
  • The service provider implements some required controls and therefore must provide evidence that can be incorporated into audits. Fortunately, customers can often “inherit” controls from the CSP. This streamlines compliance if the documentation is in place.
  • The items the CSP does not oversee, such as applications, are the responsibility of users from an auditing standpoint.

Geographic Disparity

  • Another compliance challenge is the way hybrid/multi-cloud architectures often span multiple geographies and jurisdictions. This can introduce concerns such as data locality and data protection regulations.

Benefits of Software Firewalls

Securing hybrid/multi-cloud architectures poses challenges that traditional security solutions are not designed to overcome. The physical firewall is a critical security tool for many network applications. However, it is not always the only choice when it comes to modern hybrid/multi-cloud infrastructures and cloud-native development methods.

Comprehensive Protection

Inbound protection

It’s well established that the perimeter of hybrid/multi-cloud environments is not well defined. Software firewalls make it easier to define the perimeter and desired enforcement points.

For example: a user can microsegment a database and establish a policy which only allows the back end of a particular application to communicate with it. This enables protection from inbound threats coming from the outside world. Threats designed to infiltrate applications, steal sensitive data, or encrypt data are blocked.

Outbound protection

Modern applications today routinely access third-party code or open-source code. This requires reaching out to repositories like GitHub for third-party software updates. Updates can be misdirected to a command and control server.

Software firewalls offer outbound protection. This ensures only necessary repositories are accessed. Outbound protection also ensures that only approved URLs are accessed, preventing unauthorized access to URLs which are malicious or infected with malware.

Lateral protection

In the cloud, applications don't work in a silo. Rather, they communicate through APIs and network communications. Applications also talk to users inside and outside of the cloud as well. This is generally to ensure users can access and use those applications.

If the protection surface is infiltrated, software firewalls prevent lateral movement within the cloud. This includes cloud to cloud or VCP. As a result, threats are extremely limited in their ability to move or pursue other resources within a cloud.
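
The inbound, outbound and lateral cases above all reduce to the same default-deny allowlist check. The sketch below is an added illustration, not Palo Alto Networks code and not any product's rule syntax; the segment names, ports and the `.example` hostname are constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    src: str   # source segment label (constructed)
    dst: str   # destination segment label or hostname pattern
    port: int  # destination port


# Default-deny policy: a flow passes only if some rule matches it.
POLICY = [
    Rule("internet", "web-frontend", 443),      # inbound: only the front end is exposed
    Rule("web-frontend", "app-backend", 8443),  # lateral: front end may call the back end
    Rule("app-backend", "orders-db", 5432),     # microsegment: only the back end reaches the database
    Rule("app-backend", "github.com", 443),     # outbound: approved repository host
    Rule("app-backend", "*.github.com", 443),   # outbound: its subdomains
]

# Constructed sample flows: (source, destination, port).
SAMPLE_FLOWS = [
    ("internet", "web-frontend", 443),                   # normal user traffic
    ("internet", "orders-db", 5432),                     # direct inbound attempt on the database
    ("web-frontend", "orders-db", 5432),                 # lateral move from a front-end workload
    ("app-backend", "orders-db", 5432),                  # the one permitted database client
    ("app-backend", "api.github.com", 443),              # approved update source
    ("app-backend", "github.com.updates.example", 443),  # lookalike host, not on the allowlist
]


def evaluate(src, dst, port, policy=POLICY):
    """Return 'allow' if any rule matches the flow, otherwise 'deny'."""
    for rule in policy:
        if rule.src == src and rule.port == port and fnmatch(dst.lower(), rule.dst):
            return "allow"
    return "deny"


def audit(flows, policy=POLICY):
    """Evaluate every flow and return (flow, verdict) pairs for review."""
    return [(flow, evaluate(*flow, policy)) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:5}  {flow[0]} -> {flow[1]}:{flow[2]}")
```

The hostname patterns anchor on the full name, so a destination that merely contains `github.com` as a prefix or substring is denied rather than treated as approved.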

Relatively easy set up and maintenance

Software firewalls don’t require traveling to a physical location, rearranging cables, or interacting with a CLI. In fact, deployment, scaling, and policy changes are typically automated. Staff do not have to invest hours doing routine manual operations.

Software Firewalls FAQs

Software firewalls are designed to protect data, workloads and applications in environments wherein it is difficult or impossible to deploy physical firewalls.
Software firewalls embody the same firewall technology as hardware firewalls (also known as next-generation firewalls or NGFWs). Software firewalls offer multiple deployment options to match the needs of hybrid/multi-cloud environments and modern cloud applications.
The most important difference between a hardware and software firewall is the form factor. A software firewall is installed on a server or virtual machine. A hardware firewall is a physical device installed between network elements and connected devices.