Now, I’m not a firewall purist, but NSC42 and I have spent a fair amount of time implementing them in various cloud providers and of course on-prem.
In this series of articles, I'm going to illustrate the various challenges we faced and the solutions we proposed to achieve a cost-efficient access control implementation.
Having undertaken multiple deployments, we noticed that the implementation can be quite painful and not as straightforward as initially thought. In our experience there is also an overall lack of comprehensive blueprints and reference architectures for access control.
As a result we decided to gather the NSC42 team’s knowledge on access control and firewalls in the cloud to provide a comprehensive overview of implementations.
A caveat I'd like to add though is that this article is by no means the finished product as the security controls in the cloud are ever changing.
These articles do, though, illustrate a series of access control patterns and cases, with their advantages and disadvantages, which should prove helpful. To make the material easier to digest, we have broken it down into a mini-series of several articles.
As our clients will already know, here at NSC42 we are whiteboard people, so some of the pictures will be in the form of whiteboard drawings, let me know if they're not clear, or you don’t like the style.
I have also used several acronyms in this article, and I apologise for that (10 push ups for each); I have summarised the ones used at the end of the article for clarity.
Considerations to start with
Modern enterprises tend to utilise a mix, or hybrid, of cloud services such as IaaS, PaaS and SaaS (Infrastructure/Platform/Software as a Service) to develop cloud applications. In a hybrid estate the design of the access control should be carefully planned.
Access control can be implemented at various levels:
• At the application level — embedding access control and roles in the logic of the application
• Infrastructure — implementing access control rules at network level
• Endpoint — implementing access control rules on the endpoint itself, in a host firewall or in process-level access control.
We will focus mainly on the infrastructure and network level, as application-level access control logic would need a whole different set of articles.
Network Virtual Appliances (NVA) aka Firewall Appliances
Modern firewall appliances integrate several security controls beyond plain packet filtering and are commonly referred to as Next Generation Firewalls (NGFW).
Firewall appliances arrived in the cloud platforms relatively recently, in the form of virtual instances (hence Network Virtual Appliance). The cloud platforms are built on a different architecture, software-defined networking (SDN), which is quite different from a traditional data centre. This difference makes the traditional firewall patterns challenging to implement in the cloud.
Firewall as access control and its history
Firewalls as a technology have been around for a while, and the control has been deployed in both the enterprise and the SMB. The control originated as a simple packet filter, often doubling as the NAT device, and evolved along with the services it protected. As attacks became more and more sophisticated, a range of security features were integrated, such as:
• Access control (firewall rules)
• NAT/PAT functionality
• Deep packet inspection (signature- or behaviour-based IDS/IPS)
• Specialised web controls (WAF rules)
• And many more…
With the added security features, the traditional firewall rebranded itself as the Next Generation Firewall (aka NGFW) to make it sound more trendy.
Nowadays the NGFW is a fundamental security control that can be used to implement some of the building blocks required by several security standards (e.g. PCI DSS, ISO 27001, Cyber Essentials).
This control might not be directly required by GDPR, but it forms a fundamental element of an enterprise's due diligence.
The cloud NGFW is fundamentally the same software as the on-premises appliance, packaged as a virtual instance.
Following all of our work, I have discovered that cloud appliances can present the following challenges:
• Number of interfaces
• VLANs and sub-interfaces
• Networking and default gateways
• VPNs and their termination
• Zoning concept (the division of firewall interfaces into different logical trust areas)
• Load balancers in high availability configurations
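As an added example (not NSC42's code, and not any vendor's policy language), here is a small Python model of the zoning concept in the list above and of the network-level access control from the earlier "Infrastructure" bullet: interfaces mapped to trust zones, a first-match rulebase with an implicit default deny, and a check for rules shadowed by an earlier one. Every interface name, zone, subnet and rule is constructed for illustration.

```python
"""Zone-based firewall rule evaluation: a constructed illustration, not NSC42's code.

Models what an appliance does with the zoning concept: each interface sits in a
logical trust zone, rules are written zone-to-zone, the first matching rule
wins, and anything not explicitly allowed is dropped.  Every interface name,
zone, subnet and rule below is made up for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed interface -> trust zone mapping (the "zoning" of the appliance).
INTERFACE_ZONES = {
    "eth0": "untrust",  # internet-facing interface
    "eth1": "dmz",      # web tier
    "eth2": "trust",    # application / database tier
}

# Assumed subnets reachable through each interface; 0.0.0.0/0 is the default route.
INTERFACE_SUBNETS = {
    "eth0": ipaddress.IPv4Network("0.0.0.0/0"),
    "eth1": ipaddress.IPv4Network("10.1.0.0/24"),
    "eth2": ipaddress.IPv4Network("10.2.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_net: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port
    action: str           # "allow" or "deny"


# Constructed rulebase, evaluated top to bottom.
RULEBASE = [
    Rule("inet-to-web", "untrust", "dmz", ipaddress.IPv4Network("10.1.0.0/24"), "tcp", 443, "allow"),
    Rule("web-to-app", "dmz", "trust", ipaddress.IPv4Network("10.2.0.10/32"), "tcp", 8443, "allow"),
    Rule("deny-dmz-to-trust", "dmz", "trust", ipaddress.IPv4Network("10.2.0.0/24"), "any", None, "deny"),
    Rule("trust-out", "trust", "untrust", ipaddress.IPv4Network("0.0.0.0/0"), "tcp", 443, "allow"),
]


def interface_for(ip: str, subnets=INTERFACE_SUBNETS) -> str:
    """Pick the interface whose subnet is the longest-prefix match for ip."""
    addr = ipaddress.IPv4Address(ip)
    matches = [(net.prefixlen, name) for name, net in subnets.items() if addr in net]
    return max(matches)[1]


def _matches(rule: Rule, src_zone, dst_zone, dst, proto, dport) -> bool:
    return (rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and dst in rule.dst_net
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(src_ip, dst_ip, proto, dport, zones=INTERFACE_ZONES, rulebase=RULEBASE):
    """Return (action, rule name) for a flow; unmatched flows hit the implicit default deny."""
    src_zone = zones[interface_for(src_ip)]
    dst_zone = zones[interface_for(dst_ip)]
    dst = ipaddress.IPv4Address(dst_ip)
    for rule in rulebase:
        if _matches(rule, src_zone, dst_zone, dst, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


def shadowed_rules(rulebase=RULEBASE):
    """Names of rules that can never fire because an earlier rule already covers all their traffic."""
    shadowed = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (earlier.src_zone == later.src_zone and earlier.dst_zone == later.dst_zone
                    and later.dst_net.subnet_of(earlier.dst_net)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(later.name)
                break
    return shadowed


if __name__ == "__main__":
    for flow in [("203.0.113.7", "10.1.0.5", "tcp", 443),
                 ("203.0.113.7", "10.2.0.10", "tcp", 8443),
                 ("10.1.0.5", "10.2.0.10", "tcp", 8443),
                 ("10.1.0.5", "10.2.0.11", "tcp", 8443)]:
        print(flow, "->", evaluate(*flow))
    # Same rules, but the DMZ interface accidentally placed in the trust zone:
    # web-to-app traffic becomes intra-zone and no longer matches any rule.
    wrong_zones = {"eth0": "untrust", "eth1": "trust", "eth2": "trust"}
    print("mis-zoned:", evaluate("10.1.0.5", "10.2.0.10", "tcp", 8443, zones=wrong_zones))
    # Swapping the two dmz->trust rules shadows the allow rule.
    swapped = [RULEBASE[0], RULEBASE[2], RULEBASE[1], RULEBASE[3]]
    print("shadowed:", shadowed_rules(swapped))
```

Two things the model makes visible that a rule listing alone does not: the verdict depends on which zone each interface lands in, so a mis-zoned interface silently turns an allowed inter-zone flow into an unmatched intra-zone one, and rule order matters, since a broad deny placed above a narrow allow shadows it without any error from the rulebase. Real appliances differ in how they treat intra-zone traffic and in their default action, so check the vendor's semantics before relying on either.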
It took a bit of time for me to get the above elements right in the various implementations, in fact a lot longer than I expected.
Each appliance differs slightly in configuration, but the challenges mentioned above have remained fairly constant across them.
As there are more and more cloud platforms, I will focus on the more popular ones (Azure and AWS).
Networking, VLANs and HA
The fundamental difference in networking (layer 2 and layer 3) between on-prem and cloud appliances is that the cloud platforms implement software-defined networking (SDN) and prevent the appliance from interacting directly with the underlying fabric. In practice the appliance cannot see layer 2 broadcast traffic or 802.1Q VLAN tags, and it cannot take over a peer's address with gratuitous ARP for failover, which is what most of the challenges listed above come down to.