Next Generation Firewalls are Old News in the Cloud

Wednesday, March 27, 2019

Sanjay Kalra


I have been in the security field for many years, long enough to have seen the firewall replaced with the “Next Generation Firewall.” What was special about this change was that it signaled a big milestone as we went from a model that focused on IP addresses to one that targeted applications, users and content. This major shift provided a lot more visibility and context on what was being protected.

As you move to the cloud, the “Next Generation Firewall” is no longer “Next Generation” but looks like an antique “Grandfather’s Generation,” which will inevitably meet the same fate as, say, the dinosaurs. In the case of the Next Generation Firewall, application visibility provides the ability to do deep packet inspection to identify and inspect applications. The challenge is that in the cloud most traffic is encrypted, which means the network has no ability to inspect it. Even if by some miracle you are able to perform a “Man in the Middle” attack to decrypt the data, the scale and elasticity of the cloud would make the current Next Generation Firewalls useless.

Next Generation Firewall Can’t Keep Up in the Cloud

Applications in an IaaS environment are custom-written so there are no known signatures to identify the app.  Even if you are able to identify the application, its security profile can be different based on how it’s used. The security profile and behavior of these two database apps is completely different when it comes to communication patterns but from a launch perspective, they are the same application.  Next Generation Firewall is not able to distinguish between the launch and communication patterns to understand the application behavior or required policy.

Containers, Kubernetes, and serverless computing also make Next Generation Firewalls completely blind as they were never built to understand these new generations of microservices.  

IaaS has actually become a PaaS, and any application in the cloud is surely using a lot of native service offerings from cloud providers. The activity accessing these native cloud services never crosses the network, so the Next Generation Firewall has no visibility into this critical piece of an app.

User Identification in the Cloud

The Next Generation Firewall also makes user identification more difficult in the cloud, as the same user might have different permissions on the same application in different environments. In other words, production versus development environments change how users interact. Next Generation Firewalls have no context for deployment models as they were built before the CI/CD concept.

The majority of activity in the cloud is not really by users but is done by machines or applications assuming roles to accomplish various tasks. The Next Generation Firewall is completely blind to these users, as they accomplish tasks using APIs which never show up in network traffic.

The other challenge in the cloud is that users use service accounts or sudo to do the work, which means you cannot attribute activity to the right user by just looking at network traffic or Active Directory: the effective user is not necessarily the original user doing all the work.
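The attribution problem in the two paragraphs above, as an added example that is not part of the original article: resolving API calls made under assumed roles, including chained roles, back to the principal that first requested them. It assumes AWS CloudTrail-style account API records (CloudTrail is not named in the article) and links sessions by the temporary access key; every record, account ID, name and key below is constructed.

```python
# Added example, not from the article. Records are constructed and carry only
# the CloudTrail fields used here; the account ID, names and keys are made up.
ACCT = "111122223333"
def ident(kind, arn, key):
    return {"type": kind, "arn": arn, "accessKeyId": key}

def assume(caller, new_key):
    """An STS AssumeRole record: the caller's identity plus the temporary key issued."""
    return {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
            "userIdentity": caller,
            "responseElements": {"credentials": {"accessKeyId": new_key}}}
ALICE = ident("IAMUser", f"arn:aws:iam::{ACCT}:user/alice", "AKIAEXAMPLEALICE")
DEPLOY = ident("AssumedRole", f"arn:aws:sts::{ACCT}:assumed-role/deploy/ci-run", "ASIAEXAMPLEDEPLOY")
DBADMIN = ident("AssumedRole", f"arn:aws:sts::{ACCT}:assumed-role/db-admin/chained", "ASIAEXAMPLEDBADMIN")
ORPHAN = ident("AssumedRole", f"arn:aws:sts::{ACCT}:assumed-role/audit/x", "ASIAEXAMPLEORPHAN")

EVENTS = [
    assume(ALICE, DEPLOY["accessKeyId"]),       # alice takes the deploy role
    assume(DEPLOY, DBADMIN["accessKeyId"]),     # deploy session chains into db-admin
    {"eventSource": "rds.amazonaws.com", "eventName": "DeleteDBInstance", "userIdentity": DBADMIN},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": ORPHAN},
]

def build_session_index(events):
    """Map each temporary key to the identity that requested it (failed calls are skipped)."""
    index = {}
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("sts.amazonaws.com", "AssumeRole"):
            continue
        key = ((ev.get("responseElements") or {}).get("credentials") or {}).get("accessKeyId")
        if key:
            index[key] = ev["userIdentity"]
    return index

def original_principal(identity, index):
    """Follow the chain of role sessions back to a non-role identity, or None."""
    seen = set()
    while identity.get("type") == "AssumedRole":
        key = identity.get("accessKeyId")
        if key in seen or key not in index:
            return None          # no AssumeRole record for this session in the data
        seen.add(key)
        identity = index[key]
    return identity.get("arn")

def attribute(events):
    """Return (action, effective identity, original principal) per non-STS event."""
    index = build_session_index(events)
    return [(ev["eventName"], ev["userIdentity"]["arn"],
             original_principal(ev["userIdentity"], index))
            for ev in events if ev.get("eventSource") != "sts.amazonaws.com"]
```

A `None` in the third field marks a role session whose origin is not in the collected records, which is itself worth reviewing.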

Enforcement Rules in the Cloud

The enforcement function is one of the main capabilities of the firewall, but in the cloud, service providers now offer their own ability to set firewall policies, e.g. security groups in AWS. These provide more control and are built from the ground up to support elasticity and tags, which allow finer control. The Next Generation firewalls struggle with elasticity and have no context on machine tags.

The Next Generation firewalls were built using static rules which even in a static environment were impossible to maintain. In every firewall configuration I have come across there are at least 10 rules whose existence no one can explain, but everyone is scared to touch them as they do not know what it will break. In an elastic environment like the cloud, building and maintaining rules is an impossible task.

New Data Set will be needed in the Cloud

To identify the apps and users in the cloud, you need a new set of data which does not exist in network traffic. Rules and signatures cannot be used; you need behavior and context to do application and user attribution.

Here is the list of applications, users and behaviors which are significant in the cloud, along with a comparison between a “Next Generation Firewall” and a solution natively built for cloud.

Application Visibility      Next Generation Firewall    Solution Built for Cloud
Custom Apps                 No Visibility               App identification uses behavior and context
Containers                  No Visibility               Supported
Kubernetes                  No Visibility               Supported
Cloud Services              No Visibility               Supported
Encrypted Traffic           No Visibility               At host, so able to identify the app and user
Intra-VM Traffic            No Visibility               All traffic on the host is also visible
Serverless                  No Visibility               Supported
Machine/Cloud Tags          No Visibility               Supported

User Visibility             Next Generation Firewall    Solution Built for Cloud
Assumed Roles               No Visibility               Supported
SSH Users                   No Visibility               SSH tracking makes it possible to attribute activity to right users
Cloud Admins                No Visibility               Console activity using account API

Behaviors for Kill Chain    Next Generation Firewall    Solution Built for Cloud
Network Communication       IP address Level            App/User/Container/Kubernetes
Privilege Changes           No Visibility               Track users and their privileges
File Changes                No Visibility               FIM
User Activity               No Visibility               SSH tracking to attribute activity to right user
Cloud Config Changes        No Visibility               Best practices and Compliance
Account API Behavior        No Visibility               Account based IDS
Application Launches        No Visibility               Application Launch Tracking
File Malware                No Visibility               SHA based malware detection


Users are going to have to change the way they deploy infrastructure to the cloud. As users start to do this, they will also need to find security solutions that are built by using the cloud in order to secure the cloud. The idea of the Next Generation firewall will need to change its name from “Next Generation” to a new moniker such as the “Grandfather’s Generation” to better adapt to new cloud technology.

About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.