Organisations are increasingly moving large portions of their IT to the cloud to realise the wide range of benefits associated with virtualised IT. However, if you’re moving applications to the cloud, then you need to protect them and the data they process. As with on-premises IT, firewalls are the cornerstone of these security controls – but public or private cloud deployments present organisations with two choices when deploying firewalls.
The first option is to use network-based protection, i.e. the protection built into the cloud infrastructure: for instance, VMware’s NSX, Amazon’s firewall in AWS environments, or a virtualised offering from vendors such as Check Point or Cisco.
The second option is host-based firewalling, which means not relying on the cloud’s built-in defences but instead putting a host-based firewall on every virtual machine (VM) in the cloud environment. These products could be the Microsoft firewall bundled with Windows, a third-party solution such as ZoneAlarm, or Netfilter on Linux.
But which is best for organisations in terms of protecting applications and data, and enforcing and managing security policies? Here, we will examine both options, and the capabilities of each.
Network-based firewall options can offer a stronger defensive barrier compared with host-based products. IDS or IPS functions operating on network firewalls are more likely to spot any traffic generated by backdoor malware or trojans, because the traffic will need to cross the network barrier to its command and control centre. Disguising this traffic adds a significant layer of complexity for an attacker.
Network-based firewalls are hardened, purpose-built devices that do not share the vulnerabilities of the general-purpose platforms on which host-based products run – in turn, presenting a much smaller attack surface. What’s more, even if the attacker does manage to break through the network’s perimeter protection, they still have to gain access to the host.
An accommodating host
Using host-based firewalls does offer organisations a high degree of flexibility: it’s possible to move applications and VMs between cloud environments (from AWS to Azure, for example), and in these cases the host-based firewalls will move together with the VMs, with the security policy following them. They are also feature-rich, supporting anti-virus and data loss prevention functions as well as auditing to enable analysis of what’s running on the host, and identification of suspicious activity.
However, host-based firewalls are also easier to circumvent than network-based solutions. Once attackers gain access to the host, for instance using a new variant of a backdoor or trojan, they may be able to escalate their privileges to administrator level, enabling them to switch off the firewall or install further malicious code in a way that will not be detected by IT teams – which in turn presents a significant risk if host-based firewalls are used in isolation.
While both types of firewall have their advantages, an organisation’s cloud security posture is strengthened by using network-based firewalls in conjunction with host-based products. This approach supports effective network segmentation, giving a critical extra line of defence by partitioning access to sensitive information so that only those applications, servers, and people who need access can get it.
Even if a determined attacker managed to breach the layer of security at the network perimeter, they would still have to contend with the protection around each host. Proper network segmentation significantly reduces your exposure to data theft or system outages.
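To make the layered argument concrete, here is an added Python model, not code from the article or from AlgoSec, that evaluates a traffic flow against a segment-level network policy (the kind of rule set a cloud security group or NSX-style control expresses) and against a per-VM host firewall. Every segment name, address and port in it is constructed for the example. It goes slightly beyond the article’s text by also modelling a flat network where the host firewall is the only control, and what happens in each deployment when an attacker who has gained administrator rights on a host switches that host’s firewall off.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class NetworkPolicy:
    """Segment-to-segment rules, as a network-based firewall would enforce them.

    segments: name -> ip_network.  rules: (src_segment, dst_segment, ports),
    where "*" matches any segment and ports=None matches any destination port.
    """
    segments: dict
    rules: list

    def segment_of(self, ip):
        addr = ip_address(ip)
        for name, net in self.segments.items():
            if addr in net:
                return name
        return None  # address not in any known segment

    def allows(self, flow):
        src, dst = self.segment_of(flow.src_ip), self.segment_of(flow.dst_ip)
        for rule_src, rule_dst, ports in self.rules:
            if (rule_src in (src, "*") and rule_dst in (dst, "*")
                    and (ports is None or flow.dst_port in ports)):
                return True
        return False  # default deny between segments


@dataclass
class HostFirewall:
    """Per-VM inbound allow-list.  enabled=False models the case the article
    describes: an attacker with administrator rights on the host disables it."""
    allowed_inbound: dict = field(default_factory=dict)  # dst_ip -> set of ports
    enabled: bool = True

    def allows(self, flow):
        if not self.enabled:
            return True  # a switched-off host firewall passes everything
        return flow.dst_port in self.allowed_inbound.get(flow.dst_ip, set())


def evaluate(flow, net, host):
    """Defence in depth: a flow is allowed only if BOTH layers allow it.
    Returns (allowed, layer_that_blocked_or_None)."""
    if not net.allows(flow):
        return (False, "network")
    if not host.allows(flow):
        return (False, "host")
    return (True, None)


def run_scenarios():
    """Constructed three-tier deployment: web -> app on 8080, app -> db on 5432."""
    segments = {
        "web": ip_network("10.0.1.0/24"),
        "app": ip_network("10.0.2.0/24"),
        "db": ip_network("10.0.3.0/24"),
    }
    segmented = NetworkPolicy(segments, [("web", "app", {8080}), ("app", "db", {5432})])
    flat = NetworkPolicy(segments, [("*", "*", None)])  # no network-layer control at all
    host = HostFirewall({"10.0.2.10": {8080}, "10.0.3.10": {5432}})
    # Same allow-list, but an attacker with admin rights has switched the firewall off.
    compromised = HostFirewall(dict(host.allowed_inbound), enabled=False)

    lateral = Flow("10.0.2.10", "10.0.3.10", 22)  # app host trying SSH into the db host
    return {
        "web_to_app_8080": evaluate(Flow("10.0.1.5", "10.0.2.10", 8080), segmented, host),
        "web_to_db_5432": evaluate(Flow("10.0.1.5", "10.0.3.10", 5432), segmented, host),
        # Both layers present: each one blocks the lateral move on its own...
        "lateral_segmented_host_on": evaluate(lateral, segmented, host),
        "lateral_flat_host_on": evaluate(lateral, flat, host),
        # ...and the network layer still holds once the host firewall is gone.
        "lateral_segmented_host_off": evaluate(lateral, segmented, compromised),
        # Host-only deployment with the host firewall disabled: nothing is left.
        "lateral_flat_host_off": evaluate(lateral, flat, compromised),
    }


if __name__ == "__main__":
    for name, (allowed, blocked_by) in run_scenarios().items():
        print(f"{name:30s} allowed={allowed} blocked_by={blocked_by}")
```

The last two scenarios are the point of the article: with segmentation enforced at the network layer, a disabled host firewall leaves the lateral move still blocked, whereas in the host-only deployment the same compromise removes the only control.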
While the future of IT is undoubtedly the virtualised environment of the cloud, organisations must ensure that they do not rush to make the move without ensuring that their data will be secure. With businesses likely to invest heavily in the cloud it is critical that they make the right choice for securing their deployments – and in this instance the right option for cloud security isn’t either host-based or network-based firewalls: it’s both.
Avishai Wool, CTO and Co-Founder, AlgoSec