A virtual firewall is a network security system that is implemented as software rather than physical hardware. Virtual firewalls provide the same security functionality as traditional hardware firewalls, including traffic filtering, intrusion prevention, and VPN access. Some key benefits of virtual firewalls are that they are more cost-effective, flexible, and scalable when compared to physical firewall appliances.
In this article, we will examine the various costs associated with implementing a virtual firewall solution. This includes upfront costs like software licensing and installation fees as well as ongoing expenses for maintenance, support, and scaling the solution as needs change. Understanding these total cost implications is important for organizations to properly budget for and choose the right virtual firewall option.
Hardware Costs
The main hardware costs for a virtual firewall come from the physical servers or appliances needed to run the virtual firewall software. Unlike traditional hardware firewall appliances that come pre-loaded, virtual firewalls run on general-purpose servers. The hardware costs will depend on the server specifications in terms of CPU cores, RAM, and storage.
According to Sophos, a basic virtual firewall setup with 1 CPU core and 4GB of RAM can run on a server priced around $2,500. More advanced setups require servers with higher specs, which can cost $5,000 or more.
For large implementations, organizations may use Cisco or Dell blade servers which start around $6,000 per chassis and allow adding compute power modularly. Overall, the hardware costs for virtual firewalls are much lower compared to traditional hardware appliances.
Software Costs
The main software cost for a virtual firewall is the licensing fee for the firewall software itself. This varies significantly between vendors. For example, Sophos offers its XG Firewall software starting at $45 per year for a basic virtual machine with 1 core and 4GB of RAM. Palo Alto Networks charges substantially more, with its VM-series virtual firewalls starting at around $700 per year for the software license.
The software license pricing is often based on factors like number of cores, amount of throughput, and enabled features. So costs scale up as you add capacity and capabilities. Professional services like configuration assistance and training also add to the software licensing fees. Overall software costs can range from a few hundred dollars per year for basic small business firewalls, up to tens of thousands for large enterprise deployments.
Installation & Configuration
The costs of installing and configuring a virtual firewall largely depend on the complexity of the implementation and the required IT staff time. Basic installation of a virtual firewall like the VM-Series Next-Generation Firewall from Palo Alto Networks on a virtualization platform such as VMware can often be performed in 4-8 hours by an experienced network engineer. However, more complex deployments integrating the virtual firewall into the overall network architecture with traffic redirection and security policies enabled can take 20-40 hours of IT staff time.
Ongoing configuration and policy management also require IT staff time, ranging from 2-4 hours per week for a basic implementation to 10-20 hours per week for a complex multi-site deployment. Some key factors that affect installation and configuration costs include:
- Number of network segments and zones to protect
- Complexity of rule sets and policies
- Integration with other security tools like SIEM and malware sandboxes
- Number of interfaces and VPN connections
- High availability and redundancy requirements
To reduce IT staff time, many organizations choose to work with a Managed Security Service Provider (MSSP) to help with virtual firewall deployment, configuration and ongoing policy management. Professional services from the firewall vendor are also available to assist with installation and configuration.
Management & Maintenance
The ongoing costs for managing, monitoring, and updating the virtual firewall can be significant. According to the NJ state government’s price list for security services, the annual management fee for a virtual firewall ranges from $493 to $657 per firewall instance, depending on bandwidth [1]. This covers 24/7 monitoring, updating firewall policies, providing reports, and troubleshooting issues.
In addition, most enterprise-grade virtual firewalls like Palo Alto, Cisco, and Fortinet require an annual subscription for support and software updates. For example, Palo Alto charges around 20% of the hardware cost for an annual support contract [2]. Fortinet and Cisco also have comparable support contracts.
The ongoing management and maintenance costs should be factored into the total cost of ownership when evaluating virtual firewall solutions.
Scalability
One of the main benefits of a virtual firewall is the ability to easily scale capacity up or down as your needs change. With a traditional hardware firewall, scaling capacity often requires purchasing additional appliances which can be costly and disruptive. With a virtual firewall, you can simply allocate more resources like CPU, memory, and bandwidth to the virtual machine as traffic demands increase.
There are typically no incremental licensing costs to scale up a virtual firewall; you only pay for the additional infrastructure resources needed. For example, on AWS you would pay for a larger EC2 instance size and increased network bandwidth. The hourly EC2 instance pricing scales linearly, so doubling the instance size roughly doubles the hourly cost. Some vendors like Palo Alto Networks do not charge extra to enable additional capacity or features on the virtual firewall.
The ability to quickly and easily scale virtual firewall capacity up or down is a key advantage compared to traditional hardware appliances. It provides agility and allows you to closely align firewall costs with the actual resources required at any given time.
Advanced Features
Virtual firewalls typically include basic security features like stateful packet inspection, VPN, and basic reporting. However, advanced security capabilities often cost extra. Common advanced features that add to the cost include:
- Intrusion detection and prevention (IDS/IPS) analyzes network traffic for malicious activity and can block or log threats. For example, the VM-Series firewall on AWS offers intrusion prevention as part of a bundle.
- Anti-malware and antivirus scanning detects and prevents malware, viruses, spyware, and other threats. Sophos’ virtual firewall includes advanced multilayer spam and malware detection.
- URL filtering blocks access to websites based on category, reputation, or blacklist. This prevents access to inappropriate or malicious sites.
- Advanced networking features like dynamic routing protocols (BGP, OSPF) and traffic shaping add complexity and cost.
- Reporting, monitoring and analytics provide visibility into network activity and security events. More advanced options like full packet capture and forensic analysis can significantly increase costs.
These capabilities require additional processing overhead and memory, driving up the Virtual Machine (VM) size and license fees. Advanced security features can add anywhere from 25% to 100%+ to the base virtual firewall price.
Professional Services
Professional services like consulting, training, support, and managed services can add additional costs when implementing a virtual firewall. Many vendors offer professional services to help with the design, implementation, optimization, and ongoing management of virtual firewalls.
According to VMware, setup and ongoing configuration of the VM-Series firewall is included with the purchase of the software license and subscriptions. However, additional services like architecture design, custom integrations, training, and managed services are available for an extra fee.
Sophos also provides additional professional services beyond the basic support included with the license. These services are priced according to the specific requirements and can include activities like health checks, upgrades, onsite training courses, and 24/7 monitoring and management.
When budgeting for a virtual firewall deployment, it’s important to consider any professional services that may be required for initial deployment as well as ongoing management and optimization. Though the exact fees will vary, providers generally charge by the hour or day for consulting and custom services.
Total Cost of Ownership
When evaluating the costs of a virtual firewall solution, it’s important to consider the total cost of ownership (TCO) over a 3-5 year period. TCO takes into account not just the upfront costs of hardware and software, but also ongoing expenses like maintenance, upgrades, and technical support.
According to The True Cost of DIY Firewall Virtualization: PART 2, the TCO of a DIY virtual firewall build over 5 years could include:
- $250,000 for initial hardware
- $50,000 for annual software licensing fees
- $100,000 for maintenance and upgrades
- $200,000 for IT staff to manage and support
Adding up these estimated expenses, the total 5-year TCO for a DIY virtual firewall comes to around $850,000. Companies like SonicWall offer pre-configured virtual firewall solutions that can significantly reduce TCO by optimizing hardware usage, bundling licensing, and providing turnkey management.
When evaluating TCO, businesses should account for all direct and indirect costs to determine the most cost-effective virtual firewall solution for their needs and budget.
Conclusion
Calculating the total cost of a virtual firewall solution can seem daunting at first, but breaking it down into individual components makes it more manageable. The main costs to consider are the virtual firewall software license, any associated hardware or cloud infrastructure, implementation and configuration services, ongoing management and maintenance fees, and any additional features or capabilities that are needed.
While virtual firewalls often have lower upfront costs than traditional hardware firewalls, their subscription-based licensing model and reliance on underlying compute resources mean there are still significant ongoing expenses. The flexibility and scalability of virtual firewalls provide major advantages for organizations with variable traffic volumes or multi-cloud environments, but unused capacity still represents sunk costs.
By carefully projecting future needs, utilizing available resources efficiently, implementing automation, and negotiating enterprise agreements, organizations can optimize their virtual firewall investment. The total cost over the lifecycle should account for all one-time and recurring fees to determine the overall value proposition and ROI compared to alternatives.
In the end, calculating the total cost of ownership for a virtual firewall requires analyzing both short-term budgetary needs as well as longer-term business and technical objectives. With the right strategy and service provider partnership, virtual firewalls can provide strong security with agility and cost-efficiency.