Cloud Firewall vs. Network Firewall
Having been involved in security applications for many years, I try to follow all the technology progress and all the new challenges. So, a while ago, I met "Clouds": cloud computing, cloud architectures and so on. No doubt, the idea is excellent, there are lots of excellent implementations and almost everyone recognizes and makes full use of the cloud's benefits.
But what exactly is Cloud Security? What is Cloud Security beyond the nearly idiomatic and habitual phrases of computer security, network security or information security as a whole? What new possible threats do cloud architectures bring us? There are tons of articles and posts attempting to theorize about and categorize the new challenge and to describe the existing approaches. However, the main implicit starting point is still: it's like the computer/network/information security we already know, only much more important now that it is cloud related.
Trusting brands or Understanding
Once I asked the CTO of a big IT security company, actually a friend of mine, so the answer was definitely honest. Surprisingly, the answer was "nobody knows". Almost every network security software (and especially appliance) manufacturer develops a cloud related product or product range. But, technically, all the new cloud features often amount to just the next step of habitual network protection. But a cloud is not just a network... The good news is that I am not the only one, I am not the only one who is unable to understand the problem in full.
I recall a story. A small non-IT company with a growing IT infrastructure realized the security challenge and turned to IT security professionals. The professionals offered the typical set of security solutions. The solution just covered all the typical (i.e. expected) threats. No specifics were even discussed, though there were a lot of specifics actually... So the approach "get the products of market leaders and be 'happy' (safe and relaxed)" won. The more budget for security solutions, the more happiness (safety and relaxation) should be expected. In other words, if for some reason you can't perceive the details, you had better trust the brands. You just have nothing beyond that.
With Cloud Security everything is nearly the same. The expected security budget simply determines the number of various software applications and appliances, without a deep understanding of what Cloud Security exactly is: not how important it is, not what it is intended for, but what it exactly is.
In-Cloud/In-Network Environment
I can easily admit there are cloud applications that do not introduce new, directly cloud related threats at all. The first example that comes to my mind is using the cloud for scaling a resource only. For instance, a group of (virtual or real) hosts together provides the same service. The hosts' roles are equal and there is no "in-cloud" communication, except perhaps with the service load coordinator, so all the security concerns may be reduced to protecting a single (standalone) elementary service provider, unpretentiously scaled up to the cloud. This architecture is widespread, but definitely not the only one. The approach should be different if the "in-cloud" hosts have different roles and functionalities.
Let's try to identify the features that differentiate network security from cloud security. Ordinary network security architecture is based on a firewall. The firewall separates the internet (the external network) from the intranet (the internal network). Let's omit for the moment various specifics (DMZ, NAT, port forwarding, VPNs, tunnels, STUN etc.) for the sake of simplicity, just to extract the key features. The firewall mostly filters out incoming connections, making the internal network unavailable from the internet, which is treated as untrustworthy. All outgoing connections are mostly enabled, so any in-LAN host may access the internet. That is the basic structure. No doubt, the firewall may be configured to set specific per-host permissions, but those are rather exceptions.
In-Cloud/Network Threats
Anyway, the hosts inside the LAN can communicate with each other without any regulation.
Here is probably the point where the Cloud-Network similarity starts. Actually, a cloud is a set of hosts as well, exactly like a local network, but the hosts may have different roles. The roles, however, are not protected at the network level at all. Strictly speaking, there is a way to install a personal firewall on every in-LAN (and in-cloud) host and try to regulate the traffic inside the LAN/cloud. Most probably it would be a nightmare to deploy personal firewalls to every host and then configure and reconfigure the filtering individually.
However, we have accidentally come very close to identifying the key capability required for cloud security, and hopefully for in-LAN security as well. So, let's imagine that a cloud or local network is a set of hosts with individual roles; the hosts' mutual connectability should be regulated.
Mutual Security
What are the roles, and what connection policy should be introduced to make the in-LAN/in-cloud functionality safer? The policy will definitely depend on the roles and on the role assignments. Here is an example that came to my mind: three roles, say a web server, a file server and an SQL server. The web server can access the file server, but the reverse connections are rather dangerous (hardly explainable from the functionality point of view), so those connections should be disallowed. The web server can access the SQL server but not vice versa, for the same reason. This is a subject for traffic regulation as well.
So, whenever a LAN or cloud consists of hosts with different roles, you probably need to create and implement a special in-LAN/in-cloud network security policy to protect the roles' functionalities.
Actually, nearly the same problem can be faced in regular home networks. Imagine a home network, adults and kids, and personal computers for everybody. At first glance all the computers have the same role: every computer has internet access and is used for surfing the web, listening to music, watching video, sharing files with each other etc. However, when the multi-computer home meets real network life, the computers' roles become different. I am fairly often asked questions like "how do I protect my computer from a kid". Typically kids are very curious and greedy downloaders. They download and install almost any "nice" program. As a result, a kid's computer becomes dangerous. Sometimes (I was once surprised to realize this) a kid's computer is treated as even more dangerous than the entire internet. You can easily perceive the problem yourself. Your home computer is protected from the internet by a firewall/router/modem, i.e. a device that shares the internet connection with your home users. Do you have any protection from a computer on the same network? The computers are directly connected by the LAN.
Distributed Firewalls
The solution to the problem above is probably installing on every host a network filter that can regulate in-LAN/in-cloud mutual connectability. The filter installation had better be automatic and remote, so that connecting a new host to the network/cloud does not require significant administration effort. The Cloud/Network firewall should detect the appearance of new hosts automatically, install the filters accordingly and obviously has to monitor the existing hosts for the filters' presence and operability. Probably the best name for the filters is Agents.
So, the agents (automatically and remotely) installed on every Network/Cloud host should be able to protect the internal networking.
Obviously, there should be a centralized control panel to configure the agents with the desired policy determining mutual access permissions. For instance, the control panel would have to generate the specific filtering rules and deliver them to the agents automatically, without any need for individual agent configuration.
Firewall Agents under Centralized Control
Practically, we would need to create a policy for mutual access permissions. The policy could look like a set of virtual subnetworks dividing the Network/Cloud into virtual groups, i.e. subsets of hosts. Every subnetwork/group has to list the hosts with mutual access permissions enabled and (optionally) disabled. The entire policy may obviously consist of several subnetworks.
Taking a home network as an example, we should be able to create the following policy. Let's say we have a home network with a computer for business purposes, a home file server, a media server and a kid's (potentially dangerous, as discussed above) PC. Most probably, there could be two virtual subnetworks, say BusinessSubnetwork (BSN) and EntertainmentSubnetwork (ESN). BSN would have the business PC, the file server and internet connectivity enabled, but the media server and the kid's PC disabled. ESN would enable the kid's PC, the media server and the internet, but disable the business PC and the file server. As a result, all the network participants would be safer.
Implementation
I do hope I will be able to provide you
with more details on the specifics and the implementation