I'm not a firewall purist but I’ve spent a fair amount of time implementing them for various cloud providers and, of course, on-prem. In this series of articles we’ll describe the challenges I have faced and the solutions recommended to our clients to achieve a cost-efficient access control implementation. The implementation can be quite painful and not as straightforward as initially perceived.
In my experience, there is an overall lack of comprehensive blueprints and reference architecture for access control. I have decided to distill my knowledge on access control and firewall in the cloud to provide a comprehensive overview of implementations.
This article is by no means a finished product as the security controls in the cloud are ever-changing.
These articles will explain a series of access control patterns and use cases, as well as their advantages and disadvantages. To make the article lighter, we’ve broken it down into a mini-series of posts. Our clients know me as a “whiteboard architect”; so some of the pictures will be in the form of whiteboard drawings. Let me know if you don’t find them clear or don’t like the style.
Like many of you, my team and I are still learning on the journey to the cloud and its evolutions. Please send us any feedback or opinions on the article, so we can improve and make these posts as accurate as possible.
I've used several acronyms in this article, and I apologise for that (10 push-ups for each). I made a glossary with all of them explained at the end of this post.
Consideration to start
Modern enterprises tend to use a mix (hybrid) of cloud services like IaaS, PaaS and SaaS (Infrastructure/Platform/Software as a Service) to develop cloud applications. In a hybrid situation the design of the access control must be carefully planned.
Access control can be implemented at various levels:
- application level – embedding access control and roles in the logic of the application
- infrastructure – implementing access control rules at network level
- endpoint – implementing access control rules in an endpoint (host) firewall or through process-level access control.
We will explore and focus mainly on infrastructure and network, as the application logic could take a whole different set of articles.
Network Virtual Appliances (NVA) aka Firewall Appliances
Modern firewall appliances integrate several security controls and are commonly referred to as Next Generation Firewalls (NGFW).
Firewall appliances have recently been introduced on the cloud platforms as virtual instances. Cloud platforms are based on an architecture quite different from traditional data centres (notably Software Defined Networking, SDN). This makes the traditional firewall patterns challenging to implement in the cloud.
Firewall as access control and its history
Firewall technology has been around for a while, initially as a control deployed in enterprises and SMBs. It originated from a simple NAT device and evolved together with the services it protected. As attacks became more and more sophisticated, the firewall integrated a range of security features like:
- Access Controls (as firewall rules)
- NAT/PAT functionalities
- Deep packet inspection (with IDS/IPS signature or behavioural based)
- Specialised web controls (like Web Application Firewall rules)
- and many more...
With the added security features, the traditional firewall evolved its name into the trendier marketing one: Next Generation Firewall (aka NGFW).
Nowadays the NGFW tends to be a fundamental security control that can be used to implement some of the building blocks of several security standards (e.g. PCI-DSS, ISO 27001, Security Essentials).
This control might not be directly related to GDPR, but it forms a fundamental element of the due diligence for the enterprise (GDPR has been in force since May 2018).
The NGFW deployed in the cloud is fundamentally the same virtual appliance as the on-premises one.
I’ve discovered that cloud appliances can present the following challenges:
- Number of interfaces
- VLANs and sub-interfaces
- Networking and default gateways
- High-availability configuration
- VPNs and their termination
- Zoning concept (a division of firewall interfaces into different logical trust areas)
- The Load balancer in high availability configurations
It took me some time to get the above elements right in various implementations (longer than expected!).
Each appliance will differ slightly in configuration, but the above challenges have been quite a constant. As there are more and more cloud platforms, I will focus on the more popular ones (Azure and AWS).
Networking, VLANs and HA
The fundamental difference in networking (layer 2 and layer 3) between on-prem and cloud appliances is that cloud platforms implement software-based networking (SDN) and prevent the appliances from interacting directly with the underlying fabric. The absence of layer 2 communication implies that the firewalls can’t load balance or fail over with the traditional layer 2 methods (MAC address sharing, HSRP, GLBP, etc.).
Going full cloud-native
Native Access control offers seamless integration between the fabric of the cloud infrastructure (networks, endpoints) and access control.
This seamless integration implies that it is possible to deploy access control lists fundamentally at any level:
- access control list at endpoints
- access control list in the network
However, “with great power comes great responsibility”.
This power and freedom imply that deploying too many access control lists in too many locations/networks/endpoints might turn into a management nightmare.
At this point, I haven’t come across any centralised solution that enables central management of native rules, even though AWS is doing some great work on maintaining rulesets for web application firewalls (AWS WAF and AWS Firewall Manager).
Depending on the maturity of the organisation, its deployment model (infrastructure as code) and its teams (DEV-(SEC)-OPS), this deployment model might be more appropriate.
In a scenario where rules are deployed per stack, they would be written into the deployment code (CloudFormation, Terraform, Azure deployment templates, PowerShell scripts). Keeping the rules in the deployment stack implies that the security team would have a harder time controlling and auditing them unless there is a reliable and ingrained process (read: DevSecOps).
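One way to keep a handle on rules that are scattered across many stacks is to audit the deployed result rather than every template. The script below is an added example, not code from the original article: it walks a list of security groups in the same structure the AWS SDK returns for describe_security_groups (GroupId, IpPermissions, IpRanges/Ipv6Ranges) and flags ingress rules that open sensitive ports, or all traffic, to the whole internet. The sample groups, the list of sensitive ports and the list of ports deemed acceptable to expose publicly are all constructed for the example and would be replaced by the organisation's own policy.

```python
"""Audit security-group ingress rules for world-open exposure.

Added example (not the article's own code).  Input mirrors the shape of
the AWS EC2 describe_security_groups response, but the data below is
constructed for illustration only.
"""
from dataclasses import dataclass
import ipaddress

# Ports this (hypothetical) policy allows to be exposed to the internet.
PUBLIC_OK_PORTS = {80, 443}

# Management and database ports that should never be world-reachable
# (assumed list for the example; extend to match your own standard).
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}


@dataclass(frozen=True)
class Finding:
    group_id: str
    severity: str
    detail: str


def _is_world_open(cidr: str) -> bool:
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm: dict) -> tuple[int, int]:
    """Return (from, to) for a permission; protocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups: list[dict]) -> list[Finding]:
    """Flag ingress rules reachable from 0.0.0.0/0 or ::/0."""
    findings: list[Finding] = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            lo, hi = _port_range(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world_open(cidr):
                    continue  # scoped to a specific network: not our concern here
                if perm.get("IpProtocol") == "-1":
                    findings.append(Finding(gid, "high", f"all traffic open to {cidr}"))
                    continue
                exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
                if exposed:
                    findings.append(Finding(gid, "high", f"sensitive ports {exposed} open to {cidr}"))
                elif not all(p in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
                    # World-open but not a known-sensitive port: worth a review.
                    findings.append(Finding(gid, "medium", f"ports {lo}-{hi} open to {cidr}"))
    return findings


# Constructed sample: one clean web tier, one DB group with SSH leaked to
# the world, one legacy "allow everything" group and one app port on 8080.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f.severity.upper():6} {f.group_id}: {f.detail}")
```

Run against real data, the same function would take the SecurityGroups list from the SDK response; the point is that the check lives with the security team and runs against whatever the stacks actually deployed, whichever tool wrote the rules.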
As mentioned before, the traditional firewall appliances have been around for quite a while. The legacy of firewall technology brings both good and bad heritage into the cloud world. The primary advantage is the level of talent and knowledge available on the market (every network and security engineer has had to interact with NAT firewalls and the like).
Most of the firewall rules from different appliances can be managed from a central location that can maintain synchronous configuration amongst various models, facilitate redeployment and, most importantly, avoid direct human interaction with production appliances.
The disadvantages are that the network appliances are not integrated into the cloud fabric and are more complicated to deploy.
One of the advantages or disadvantages (depending on your views on the subject) is that the vendors tend to implement software add-ons (sometimes referred to as blades) in their appliances. This can be convenient for small and medium businesses (SMB).
Nonetheless, firewall add-ons tend to be less effective or configurable than standalone controls. Enterprise usually prefers standalone controls from different vendors (to avoid vendor lock-in or complete outages if something goes wrong with an upgrade).
In this article, we’ve barely scratched the surface of the firewall implementation in the cloud. In the following articles, we’ll analyse patterns, challenges and other details.
Glossary
We all hate them, but we can’t live without them. For the sake of clarity, here is the meaning of the terms used in the article:
- AD – Microsoft Active Directory
- AWS - Amazon Web Services
- ACL - Access control List (AWS)
- NACL - Network Access control list (AWS)
- NSG - Network Security Group (Azure)
- EU GDPR – European Union General Data Protection Regulation (in force May 2018)
- EU – European Union
- FW - Firewall
- HA - High Availability
- IDS/IPS - Intrusion Detection/Prevention System
- L3 - ISO/OSI Layer 3 - Network Layer
- L2 - ISO/OSI Layer 2 - Data Link Layer
- NAT/PAT - Network/Port Address Translation
- NVA - Network Virtual Appliances
- WAF – Web Application Firewall
- SMB – Small and Medium businesses
- MS – Microsoft
I hope you enjoyed this article and that it provided some insight. If you want to get in touch and talk to me about any aspect of the article, please drop me a note on LinkedIn or email me at francesco.cipollone@Nsc42.co.uk. You can also head over to our website and contact us through our contact forms.