If you’re moving applications to the cloud, then you need to protect them and the data they process. Firewalls are the cornerstone of these security controls – but public or private cloud deployments present organizations with two main options for deploying firewalls.
The first option is to use host-based firewalling. This means not using any built-in defenses in the cloud (such as the Amazon firewall in AWS public-cloud deployments, or VMware’s VSX in private cloud deployments) but instead put host-based firewalls on every virtual machine (VM) you have in the cloud environment. These firewall products could be the Microsoft firewall that is bundled on Windows PCs, or a third-party solution such as ZoneAlarm, and Netfilter on Linux.
The second option is to use network-based protection, i.e. the protection that is built into the cloud infrastructure: Amazon’s firewall in AWS environments, VMware’s NSX, or a virtualized offering from vendors such as Check Point or Cisco.
But which is best for organizations in terms of protecting applications and data, and enforcing and managing security policies? Here, we will examine both options, and the capabilities of each.
Not the perfect host
Using host-based firewalls does offer organizations a high degree of flexibility: in cloud environments, it’s possible to move applications and VMs between cloud environments (from AWS to Azure, for example), and in these cases the host-based firewalls will move together with the VMs, with the security policy following them. They are also feature-rich, supporting anti-virus and data loss prevention functions as well as auditing to enable analysis of what’s running on the host, and identification of suspicious activity.
However, host-based firewalls are also easier to circumvent than network-based solutions. Once attackers gain access to the host, either using a new variant of a backdoor or trojan, they may be able to escalate their privileges to administrator level, enabling them to switch off the firewall or install further malicious code in a way that will not be detected by IT teams – which in turn presents a significant risk if host-based firewalls are used in isolation.
Network-based firewall options can offer a stronger defensive barrier compared with host-based products. IDS or IPS functions operating on network firewalls are more likely to spot any traffic generated by backdoor malware or trojans, because the traffic will need to cross the network barrier to its command and control centre. Disguising this traffic adds a significant layer of complexity for an attacker. Further, network-based firewalls are fully hardened devices, without the vulnerabilities that can be found in the platforms that support host-based products – in turn, presenting a much smaller attack surface.
What’s more, even if the attacker does manage to break through the network’s perimeter protection, they still have to gain access to the host. This is why an organization’s cloud security posture is strengthened by using network-based firewalls in conjunction with host-based products.
This approach supports effective network segmentation, giving a critical extra line of defense by partitioning access to sensitive information so that only those applications, servers, and people who need access can get it.
Even if a determined attacker managed to breach the layer of security at the network perimeter, they would still have to contend with the protection around each host. Proper network segmentation significantly reduces your exposure to data theft or system outages. So in conclusion, the right option for cloud security isn’t either host-based or network-based firewalls: it’s both.