Having been in the security field for many years, long enough that I’ve seen the firewall be replaced with the “Next Generation Firewall.” What was special about this change was that it signaled a big milestone as we went from a model that focused on IP addresses to one that targeted applications, users and content. This major shift provided a lot more visibility and context on what was being protected.
As you move to the cloud, the “Next Generation Firewall” is no longer “Next Generation” but looks like an antique “Grandfather’s Generation,” which will inevitably take on the same fate as, say, the dinosaurs. In the case of the Next Generation Firewall, application visibility provides the ability to do deep packet inspection to identify and inspect applications. The challenge is that in the cloud most traffic is encrypted which means the network has no ability to inspect it. Even if by some miracle you are able to perform a “Man in the Middle” attack to decrypt the data, the scale and elasticity of the cloud would make the current Next-Generation Firewalls useless.
Next Generation Firewall Can’t Keep Up in the Cloud
Applications in an IaaS environment are custom-written so there are no known signatures to identify the app. Even if you are able to identify the application, its security profile can be different based on how it’s used. The security profile and behavior of these two database apps is completely different when it comes to communication patterns but from a launch perspective, they are the same application. Next Generation Firewall is not able to distinguish between the launch and communication patterns to understand the application behavior or required policy.
Containers, Kubernetes, and serverless computing also make Next Generation Firewalls completely blind as they were never built to understand these new generations of microservices.
IaaS has actually become a PaaS and any application which is in the cloud is surely using a lot of native service offerings from cloud providers. All the activity accessing these native cloud services never cross the network so the Next Generation Firewall has no visibility to this critical piece of an app.
User Identification in the Cloud
The Next Generation Firewall also makes user identification more difficult in the cloud as the same user might have different permissions on the same application in different environments. In other words, production versus development environments changes how users interact. Next Generation Firewalls have no context for deployment models as they were built before the CI/CD concept.
The majority of activity in the cloud is not really by users but is done by machines or applications assuming roles to accomplish various tasks. The Next Generation Firewall is completely blind to these users as they accomplish tasks using APIs which never shows up in network traffic.
In the cloud, the other challenge is that users use service accounts or SUDO to do the work which means you cannot attribute activity to the right user by just looking at network traffic or Active Directory as the effective user is not necessarily the original user doing all the work.
Enforcement Rules in the Cloud
The enforcement function is one of the main capabilities of the firewall but in the cloud, service providers now offer their own ability to set the firewall policies, e.g. security groups in AWS, for example, which provides more control and is built from the ground up to support elasticity and tags which provide finer control. The Next Generation firewalls struggle with elasticity and have no context on machine tags.
The Next Generation firewalls were built using static rules which even in a static environment were impossible to maintain. In every firewall configuration I have come across there are at least 10 rules which no one can explain why they exist, but everyone is scared to touch them as they do not know what it will break. In an elastic environment like the cloud, building and maintaining rules is an impossible task.
New Data Set will be needed in the Cloud
To identify the apps and users in the cloud you need a new set of data which does not exist in network traffic and rules/signatures cannot be used as you need to use behavior and context to do application and user attribution.
Here is the list of applications, users and behaviors which are significant in the cloud, along with a comparison between a “Next Generation Firewall” and a solution natively built for cloud.
Application Visibility Next Generation Firewall Solution Built for Cloud
Custom Apps No Visibility App identification uses behavior
Containers No Visibility Supported
Kubernetes No Visibility Supported
Cloud Services No Visibility Supported
Encrypted Traffic No Visibility At host, so able to identify the
app and user
Intra-VM Traffic No Visibility All traffic on the host is also visible
Serverless No Visibility Supported
Machine/Cloud Tags No Visibility Supported
User Visibility Next Generation Firewall Solution Built for Cloud
Assumed Roles No Visibility Supported
SSH Users No Visibility SSH tracking makes it possible to
attribute activity to right users
Cloud Admins No Visibility Console activity using account API
Behaviors for Kill Chain Next Generation Firewall Solution Built for Cloud
Network Communication IP address Level App/User/Container/Kubernetes
Privilege Changes No Visibility Track users and their privileges
File Changes No Visibility FIM
User Activity No Visibility SSH tracking to attribute activity
to right user
Cloud Config Changes No Visibility Best practices and Compliance
Account API Behavior No Visibility Account based IDS
Application Launches No Visibility Application Launch Tracking
File Malware No Visibility SHA based malware detection
Users are going to have to change the way they deploy infrastructure to the cloud. As users start to do this, they will also need to find security solutions that are built by using the cloud in order to secure the cloud. The idea of the Next Generation firewall will need to change its name from “Next Generation” to a new moniker such as the “Grandfather’s Generation” to better adapt to new cloud technology.
About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries.
Copyright 2010 Respective Author at Infosec Island