It sounds to me like the comments here are largely appropriate,

virtualizing firewalls in the limited context that has been explained

probably isn't a real good idea...at least due to perceived load.

Additionally, if there are that many fireuwalls being ran, instead of

numerous interfaces in a fewer number of machines, you're going to

continue to have problems being able to virtualize enough hardware

network interfaces.
However, I don't fully agree with the sentiment that running a firewall

in a virtual machine (let's be specific, VMWare ESX) guest environment.

I'm running my firewall on a ESX 3.0.2 guest, and it works perfectly

fine.  That being said, you have to be aware of the VM configuraton.

The majority of vulnerabilities in VMWare are patchable (so yes, someone

needs to do maintenance), but are also issues that affect the VMKernel

or service console, and with careful planning, the vulnerabilities can

largely be prevented for being used as exploits on external interfaces.
And one final note...although I am a fan of virtualization (I work for

the company that owns VMWare), I really, really wish they did not have

so many freaking patches...
Kent Watsen wrote:

quoted text
> Some commercial firewalls (i.e. Juniper/NetScreen ScreenOS-based gear)

> have been offering virtual-systems for years now.  I think the

> negative comments received here may be appropriate when sharing the

> system with non-secure guest OSs, but it seems that it might be

> alright if its nothing but firewalls

>

> Cheers,

> Kent

>

>

> Josh wrote:

>> Hello there.

>>

>> We have a bunch of obsd firewalls, 8 at the moment, all working nice

>> and so forth. But we

>> need to add about another 4 in there for new connections and

>> networks, which means more

>> machines to find room for.

>>

>> So basically I have been asked to investigate running all these

>> firewalls in two big boxes, with lots

>> of NIC's, with a bunch of openbsd vritual machines on them. One main

>> box for the primary firewalls,

>> one for the secondary. Each virtual machine getting its own physical

>> NIC.

>>

>> Personally I dont really like the idea, I can see things going wrong,

>> lots of stuff balancing on a

>> guest os and box.

>>

>> Can someone please inform me if this is a really bad idea or not,

>> ideally with some nice reasoning?

>>

>>

>> Cheers,

>>    Josh