пятница, 11 мая 2012 г.

Cloud Firewall or Firewall in the Cloud?

Cloud Firewall vs. Network Firewall

Being involved in security application for many years I try to follow all the technology progress and all new challenges. So, a spell ago, I met “Clouds”, Cloud computing, Cloud Architectures etc. No doubts, the idea is perfect, there is lot of perfect implementations and almost anyone realizes and utilizes all the cloud benefits in full.

But what Cloud Security is exactly. What Cloud Security is beyond nearly idiomatic and habitual phrases of computer security, network security or entire information security? What are the new possible threats brought by Cloud Architectures to us?  There are tons or articles and posts with attempts to theorize, categorize new challenge and describe the existing approaches. However, the main implicit starting point is still: it’s like the computer/network/information security we already know, but much more important as it is cloud related now.

Trusting brands or Understanding

Once I tried to ask CTO of a big IT security company, actually a friend of mine, so the answer was definitely honest. Surprisingly the answer was “nobody knows”.  Almost any network security software and (especially) appliance manufacture develops a cloud related product or product range. But, technically, often all the new cloud features lead to next step of habitual network protection. But Cloud is not just a network…..The good news is I am not the only one though, I am not the only one who is not able to understand the problem in full.

I recall a story. A small non-IT company with growing IT infrastructures realized the security challenge and addressed to IT security professionals. The professionals offered the typical set of security solutions. The solution just covered all the typical (i.e. expected) threats. No specifics were even discussed; there were a lot of specifics actually…… Though, the approach like “get products of market leaders and be ‘happy’ (safe and relaxed)” won. The more budget for security solutions, the more happiness (safety and relaxation) should be expected. In other words, if you can’t perceive the details for a reason, you would be better to trust the brands. You just have nothing beyond.

With Cloud Security everything is nearly the same. The expected budget for the security just determines the amount of various software applications and appliances without deep understanding what Cloud Security is exactly, not how it is important, not what it is intended for, but what it is exactly.

In-Cloud/In-Network Environment

I can easily admit there are cloud applications that do not introduce new directly cloud related threats at all. The first sample came into my mind is using the cloud for scaling a resource only. For instance a group of (virtual or real) hosts together provides the same service. The hosts roles are equal, there is no “in-cloud” communication, excepting the service load coordinator (maybe), so all the security cares may be reduced to protecting a single (standalone) elementary service provider unpretentiously scaled up to the cloud. The architecture is widespread, but not the only definitely. The approach should be different if the “in-cloud” hosts are of different roles and functionalities.

Let’s try to realize the features that differentiate network security from cloud security. Ordinary network security architecture is based on firewall. The firewall separates the internet (the external network) from the intranet (the internal network). Let’s omit for the moment various specifics (DMZ, NAT, port forwarding, VPNs, tunnels, STUNs etc) for the sake of simplicity, just to extract the key features. The firewall mostly filters out the incoming connections making the internal network unavailable from the internet that is treated as untrustworthy. All the outgoing connections are mostly enabled, so any in-LAN host may access the internet. It’s the main basic structure. No doubts, the firewall may be configured to set specific per-host permissions, but those are rather exceptions.

In-Cloud/Network Threats

Anyway, the hosts inside the LAN can communicate each other without any regulations.
Here is probably the point where Cloud-Network similarity starts. Actually, a cloud is a set of hosts as well, exactly as local network, but the hosts may be of different roles. The roles, however, are not network protected at all. Strictly speaking, there is a way to install a personal firewall on every in-LAN (and in-Cloud) host and try to regulate the traffic inside the LAN/Cloud. Most probably it would be a nightmare to deploy personal firewalls to every host and then configuring/reconfiguring the filtering individually.

However accidentally we came very close to realize the key option required for the cloud security and hopefully for the in-LAN security as well. So, let’s imagine that cloud or local network is a set of hosts with individual roles; the hosts should be regulated with mutual connectability.

Mutual Security

What are the roles and what the connection policy should be introduced to make the in-LAN/in-Cloud functionality safer. The policy will be definitely the roles and the roles assignment dependent. Here is the sample came into my mind – 3 roles, say a web server, a file server and an SQL server. The web server can access the file server, but the reverse connections are rather dangerous (hardly explainable from the functionality point), so the connections should be disallowed. The web server can access the SQL server but not vice versa for the same reason. It’s the subject for the traffic regulation as well.

So, whenever LAN or Cloud consists of hosts with different roles you probably need to create and implement a special in-LAN/in-Cloud network security policy to protect the roles functionalities.

Actually, nearly the same problem can be faced in regular home networks. Imagine a home network, adults and kids, and personal computers for everybody. At first glance all the computers are of the same role, every computer has the internet access and used for surfing the web, listening music, watching video, shares files mutually etc. However, when the multi computer home meets the real network life, the computer roles get different. I am fairly often asked questions like “how to protect my computer from a kid”. Typically kids are very curious and download greedy. They download and install almost any “nice” program. As the result, a kid computer is getting dangerous. Sometimes (I was once surprised realizing) a kid computer is treated even more dangerous than the entire internet. You can easily perceive the problem yourself. Your home computer is protected from the internet by a firewall/router/modem, i.e. a device that shares the internet connections to your home users. Do you have a protection from a computer of the same network. The computers are directly connected by the LAN .

Distributed Firewalls

The solution of the problem above is probably installing a network filter, which can regulate in-LAN/in-Cloud mutual connectability, on every host. The filter installation should be better automatic and remote. So, connecting a new host to the network/cloud must not require significant administration efforts. The Cloud/Network firewall should detect the new hosts appearance automatically, install the filters accordingly and obviously has to monitor existing hosts for the filters presence and operability. Probably the best definition for the filters is Agents.
So, the agents (automatically and remotely) installed on every Network/Cloud host should be able to protect the internal networking.

Obviously, there should be a centralized control panel to set the agents with desired policy to determine mutual access permissions. For instance, the control panel would have to generate specific filtering rules and deliver the rules to the agents automatically, without a need of individual agent configurations.

Firewall Agents under Centralized Control

Practically we would need to create a policy for mutual access permissions. The policy could look like a set of virtual subnetworks dividing the Network/Cloud into virtual groups i.e. subsets of hosts. Every subnetwork/group has to list hosts with mutual access permissions enabled and (optionally) disabled. The entire policy may consist of several subnetworks obviously.
Taking a home network as a sample, we should be able to create the following policy. Let’s think we have a home network with a computer for business purpose, a home fileserver, a media server and a kid (potentially dangerous, as discussed above) PC. Most probably, there could be two virtual subnetworks, say BusinessSubnetwork (BSN) and EntertainmentSubnetwork (ESN). BSN would have to enable the business targeted PC, the fileserver and internet connectivity enabled, but disable the media server and the kid PC. ESN would enable the kid PC, the media server and the internet, but disable business PC and the fileserver. As the result, all the network participants would be safer.


I do hope I will be able to provide you with more details on the specifics and the implementation