Next Generation Firewalls are Old News in the Cloud

Having been in the security field for many years, long enough that I've seen the firewall be replaced with the "Next Generation Firewall." What was special about this change was that it signaled a big milestone as we went from a model that focused on IP addresses to one that targeted applications, users and content. This major shift provided a lot more visibility and context on what was being protected.

As you move to the cloud, the "Next Generation Firewall" is no longer "Next Generation" but looks like an antique "Grandfather's Generation," which will inevitably take on the same fate as, say, the dinosaurs.  In the case of the Next Generation Firewall, application visibility provides the ability to do deep packet inspection to identify and inspect applications. The challenge is that in the cloud most traffic is encrypted which means the network has no ability to inspect it.  Even if by some miracle you are able to perform a "Man in the Middle" attack to decrypt the data, the scale and elasticity of the cloud would make the current Next-Generation Firewalls useless.

Next Generation Firewall Can't Keep Up in the Cloud

Applications in an IaaS environment are custom-written so there are no known signatures to identify the app.  Even if you are able to identify the application, its security profile can be different based on how it's used. The security profile and behavior of these two database apps is completely different when it comes to communication patterns but from a launch perspective, they are the same application.  Next Generation Firewall is not able to distinguish between the launch and communication patterns to understand the application behavior or required policy.

Containers, Kubernetes, and serverless computing also make Next Generation Firewalls completely blind as they were never built to understand these new generations of microservices.  

IaaS has actually become a PaaS and any application which is in the cloud is surely using a lot of native service offerings from cloud providers. All the activity accessing these native cloud services never cross the network so the Next Generation Firewall has no visibility to this critical piece of an app.

User Identification in the Cloud

The Next Generation Firewall also makes user identification more difficult in the cloud as the same user might have different permissions on the same application in different environments. In other words, production versus development environments changes how users interact. Next Generation Firewalls have no context for deployment models as they were built before the CI/CD concept.

The majority of activity in the cloud is not really by users but is done by machines or applications assuming roles to accomplish various tasks. The Next Generation Firewall is completely blind to these users as they accomplish tasks using APIs which never shows up in network traffic.

In the cloud, the other challenge is that users use service accounts or SUDO to do the work which means you cannot attribute activity to the right user by just looking at network traffic or Active Directory as the effective user is not necessarily the original user doing all the work.

Enforcement Rules in the Cloud

The enforcement function is one of the main capabilities of the firewall but in the cloud, service providers now offer their own ability to set the firewall policies, e.g. security groups in AWS, for example, which provides more control and is built from the ground up to support elasticity and tags which provide finer control. The Next Generation firewalls struggle with elasticity and have no context on machine tags.

The Next Generation firewalls were built using static rules which even in a static environment were impossible to maintain. In every firewall configuration I have come across there are at least 10 rules which no one can explain why they exist, but everyone is scared to touch them as they do not know what it will break. In an elastic environment like the cloud, building and maintaining rules is an impossible task.

New Data Set will be needed in the Cloud

To identify the apps and users in the cloud you need a new set of data which does not exist in network traffic and rules/signatures cannot be used as you need to use behavior and context to do application and user attribution.

Here is the list of applications, users and behaviors which are significant in the cloud, along with a comparison between a "Next Generation Firewall" and a solution natively built for cloud.

Application Visibility     Next Generation Firewall    Solution Built for Cloud

Custom Apps                   No Visibility                            App identification uses behavior

                                                                                       and context

Containers                       No Visibility                            Supported

Kubernetes                      No Visibility                            Supported

Cloud Services                No Visibility                            Supported

Encrypted Traffic             No Visibility                            At host, so able to identify the

                                                                                       app and user

Intra-VM Traffic               No Visibility                            All traffic on the host is also visible

Serverless                       No Visibility                            Supported

Machine/Cloud Tags       No Visibility                            Supported

 

User Visibility        Next Generation Firewall        Solution Built for Cloud

Assumed Roles      No Visibility                                  Supported

SSH Users             No Visibility                                  SSH tracking makes it possible to

                                                                                   attribute activity to right users

Cloud Admins         No Visibility                                 Console activity using account API

 

Behaviors for Kill Chain   Next Generation Firewall    Solution Built for Cloud

Network Communication     IP address Level                   App/User/Container/Kubernetes

Privilege Changes               No Visibility                           Track users and their privileges

File Changes                       No Visibility                           FIM

User Activity                        No Visibility                           SSH tracking to attribute activity

   to right user

Cloud Config Changes        No Visibility                          Best practices and Compliance

Account API Behavior         No Visibility                          Account based IDS

Application Launches          No Visibility                          Application Launch Tracking

File Malware                        No Visibility                          SHA based malware detection


Users are going to have to change the way they deploy infrastructure to the cloud. As users start to do this, they will also need to find security solutions that are built by using the cloud in order to secure the cloud. The idea of the Next Generation firewall will need to change its name from "Next Generation" to a new moniker such as the "Grandfather's Generation" to better adapt to new cloud technology.

About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company's product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries.

Copyright 2010 Respective Author at Infosec Island

via Infosec Island Latest Articles https://ift.tt/2FvZJzD
RSS Feed

If New feed item from http://www.infosecisland.com/rss.html, then send m


Unsubscribe from these notifications or sign in to manage your Email Applets.

IFTTT

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to...
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic...
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs? ...
Read more