Next Generation Firewall is Your Grandfather’s Generation in the Cloud

I have been in security for a long time. Seeing the firewall replaced with the “Next Generation Firewall” signaled a big milestone as we went from a model that focused on IP addresses to one that targeted applications, users and content. It was a major shift that provided a lot more visibility and context on what was being protected.

As you move to the cloud, the “Next Generation Firewall” is no longer “Next Generation” but looks like an antique “Grandfather’s Generation,” which is going to disappear like the dinosaurs. A Next-Generation Firewall gets its application visibility from deep packet inspection, which identifies and inspects applications in the traffic passing through it. The challenge is that in the cloud most traffic is encrypted, which means the network has no ability to inspect it. Even if by some miracle you are able to decrypt the data by inserting yourself into the connection (a “Man in the Middle”), the scale and elasticity of the cloud would make the current Next-Generation Firewalls useless.

Applications in an IaaS environment are also custom-written, so there are no known signatures to identify the app. Even if by some miracle you are able to identify the application, its security profile can differ based on how it is used, e.g. a customer might run the same database application for two different groups within the organization. The security profile and behavior of these two database instances are completely different when it comes to communication patterns, but from a launch perspective they are the same application. A Next-Generation Firewall cannot combine the launch and communication patterns to understand the application’s behavior or the policy it requires.

Containers, Kubernetes, and serverless computing also make Next-Generation Firewalls completely blind as they were never built to understand these new generations of microservices.  

IaaS has in practice become PaaS: any application in the cloud surely uses many native service offerings from the cloud provider. Calls to these native services are API requests that never pass through the firewall’s network path, so the Next Generation Firewall has no visibility into this critical piece of an app.

User identification also becomes harder for a Next Generation Firewall in the cloud, because the same user might have different permissions on the same application in different environments. In other words, production versus development environments change how users interact. Next-Generation Firewalls have no context for deployment models, as they were built before the CI/CD concept existed.

The majority of activity in the cloud is not really performed by users but by machines or applications assuming roles to accomplish various tasks. The Next Generation Firewall is completely blind to these identities, as they accomplish their tasks through API calls that never show up in the network traffic it sees.
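Role-assuming machines do leave a record, just not on the wire: the provider’s account-level audit log. As an added illustration (not code from this post or from any product it describes), the following Python attributes constructed AWS CloudTrail records to the role and session behind each API call. The account id, role names and session names are made up; the `userIdentity` layout follows the CloudTrail record format, and treating an `i-…` session name as an EC2 instance is a heuristic, not an authoritative field.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (made-up account id, role and session
# names); the userIdentity field layout follows the CloudTrail record format.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {
         "type": "AssumedRole",
         "arn": "arn:aws:sts::111122223333:assumed-role/AppServerRole/i-0example1",
         "sessionContext": {"sessionIssuer": {
             "type": "Role", "userName": "AppServerRole",
             "arn": "arn:aws:iam::111122223333:role/AppServerRole"}}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {
         "type": "AssumedRole",
         "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice",
         "sessionContext": {"sessionIssuer": {
             "type": "Role", "userName": "AdminRole",
             "arn": "arn:aws:iam::111122223333:role/AdminRole"}}}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
]})


def records(trail_json):
    """Return the list of records from a CloudTrail log file body."""
    return json.loads(trail_json)["Records"]


def attribute(record):
    """Return who really acted in one CloudTrail record.

    For an AssumedRole identity the STS ARN carries both the role and the
    session name. With EC2 instance profiles the session name is the instance
    id; when a person assumes a role it is whatever name the caller chose
    (often their username). Classifying an "i-..." session as a machine is a
    heuristic (assumption), not an authoritative field.
    """
    ident = record["userIdentity"]
    if ident["type"] == "AssumedRole":
        _, role, session = ident["arn"].rsplit("/", 2)
        issuer = ident["sessionContext"]["sessionIssuer"]["arn"]
        kind = "machine" if session.startswith("i-") else "human-or-service"
        return {"actor": f"role:{role}", "session": session,
                "issuer": issuer, "kind": kind}
    if ident["type"] == "IAMUser":
        return {"actor": f"user:{ident['userName']}", "session": None,
                "issuer": ident["arn"], "kind": "human"}
    return {"actor": f"{ident['type']}:unknown", "session": None,
            "issuer": ident.get("arn"), "kind": "unknown"}


def summarize(trail_json):
    """Count API calls per attributed actor across a CloudTrail file."""
    counts = Counter()
    for rec in records(trail_json):
        counts[attribute(rec)["actor"]] += 1
    return counts


if __name__ == "__main__":
    for rec in records(SAMPLE_TRAIL):
        print(rec["eventName"], "->", attribute(rec))
    print(summarize(SAMPLE_TRAIL))
```

None of the three calls above would be distinguishable on the network beyond “TLS to an AWS endpoint”; the role, the session and the originating instance are only recoverable from the account log.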

The other challenge in the cloud is that users do their work through service accounts or sudo, which means you cannot attribute activity to the right person by looking only at network traffic or Active Directory: the effective user is not necessarily the original user who did the work.
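Host-side logs do carry the link from effective user back to original user. As an added example (not from this post or any product it describes), the Python below joins constructed sshd and sudo syslog lines so that each privileged command is attributed to the person who logged in and the address they came from, rather than to `root` or `postgres`. Host name, users, addresses and key fingerprints are made up; the line formats follow what sshd and sudo write on a typical Linux host.

```python
import re

# Constructed auth.log excerpt (made-up host, users, addresses and
# fingerprints) in the syslog format sshd and sudo use on Linux.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web1 sshd[2231]: Accepted publickey for alice from 10.0.1.5 port 51234 ssh2: RSA SHA256:c0nstructedFingerprint
Mar  3 10:01:02 web1 sshd[2231]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:02:10 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:03:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql
Mar  3 10:05:00 web1 sshd[2290]: Accepted publickey for deploy from 10.0.2.9 port 40000 ssh2: ED25519 SHA256:an0therConstructedFingerprint
Mar  3 10:05:30 web1 sudo:   deploy : TTY=unknown ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/apt-get install -y nginx
"""

SSH_ACCEPT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_CMD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def attribute_commands(lines):
    """Join sudo records back to the SSH login that produced them.

    sudo logs the invoking user and the effective (target) user; sshd logs
    the source address of the login. Remembering the most recent login per
    (host, user) lets each privileged command be tied to a person and a
    source address instead of to the account it ran as.
    """
    last_login = {}   # (host, user) -> source ip of the latest SSH login
    events = []
    for line in lines:
        m = SSH_ACCEPT.match(line)
        if m:
            last_login[(m["host"], m["user"])] = m["ip"]
            continue
        m = SUDO_CMD.match(line)
        if m:
            events.append({
                "host": m["host"],
                "effective_user": m["target"],
                "original_user": m["user"],
                "source_ip": last_login.get((m["host"], m["user"])),
                "command": m["cmd"],
                # TTY=unknown means no terminal was attached: usually
                # automation rather than a person at a keyboard.
                "interactive": m["tty"] != "unknown",
            })
    return events


if __name__ == "__main__":
    for ev in attribute_commands(SAMPLE_AUTH_LOG.splitlines()):
        print(ev)
```

On the wire every one of these commands is just an established SSH session; the user switch happens entirely inside the host.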

Enforcement is one of the main capabilities of the firewall, but in the cloud the service providers now offer their own way to set firewall policy, e.g. security groups in AWS, which gives finer control and is built from the ground up to support elasticity and tags. Next Generation firewalls struggle with elasticity and have no context on machine tags.
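To make the elasticity point concrete, here is an added, simplified model (not this post’s code and not the AWS security-group API, which expresses workload membership by referencing other security groups rather than tag values) of an address-keyed rule beside a tag-keyed rule. Instance ids, addresses and tags are constructed; the scenario replaces a web instance at a new address, as an autoscaling group would, and checks which policy still holds.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Instance:
    id: str
    ip: str
    tags: dict


@dataclass
class StaticRule:
    """Classic firewall rule keyed on addresses."""
    src_cidr: str
    dst_cidr: str
    port: int

    def matches(self, src, dst, port):
        return (port == self.port
                and ip_address(src.ip) in ip_network(self.src_cidr)
                and ip_address(dst.ip) in ip_network(self.dst_cidr))


@dataclass
class TagRule:
    """Rule keyed on workload identity expressed as tags."""
    src_tags: dict
    dst_tags: dict
    port: int

    def matches(self, src, dst, port):
        def has(inst, want):
            return all(inst.tags.get(k) == v for k, v in want.items())
        return port == self.port and has(src, self.src_tags) and has(dst, self.dst_tags)


def allowed(rules, src, dst, port):
    """Default-deny: traffic passes only if some rule matches."""
    return any(r.matches(src, dst, port) for r in rules)


def scenario():
    """Replace a web instance (fresh IP) and see which policy still holds."""
    db = Instance("db-1", "10.0.2.20", {"role": "db", "env": "prod"})
    web1 = Instance("web-1", "10.0.1.10", {"role": "web", "env": "prod"})
    static = [StaticRule("10.0.1.10/32", "10.0.2.20/32", 5432)]
    tagged = [TagRule({"role": "web", "env": "prod"},
                      {"role": "db", "env": "prod"}, 5432)]

    # Autoscaling replaces web-1 with web-2 at a new address, same tags.
    web2 = Instance("web-2", "10.0.1.57", {"role": "web", "env": "prod"})
    # An untagged instance shows up in the same subnet.
    stray = Instance("i-stray", "10.0.1.99", {})
    return {
        "static_web1": allowed(static, web1, db, 5432),
        "static_web2": allowed(static, web2, db, 5432),   # stale /32 rule
        "tagged_web1": allowed(tagged, web1, db, 5432),
        "tagged_web2": allowed(tagged, web2, db, 5432),   # follows the tag
        "tagged_stray": allowed(tagged, stray, db, 5432),
        "tagged_wrong_port": allowed(tagged, web2, db, 22),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {'allow' if result else 'deny'}")
```

The address rule has to be rewritten every time the fleet churns, while the tag rule keeps matching the replacement and still denies the untagged neighbour that a subnet-wide CIDR rule would have let through.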

Next Generation firewalls were built using static rules which, even in a static environment, were impossible to maintain. In every firewall configuration I have come across there are at least 10 rules whose existence no one can explain, but everyone is scared to touch them as they do not know what it will break. In an elastic environment like the cloud, building and maintaining rules is an impossible task.

To identify the apps and users in the cloud you need a new set of data that does not exist in network traffic. Rules and signatures cannot be used; application and user attribution has to rely on behavior and context.

Here is the list of applications, users and behaviors which are significant in the cloud, along with a comparison between a “Next Generation Firewall” and a solution natively built for the cloud.

Application Visibility | Next Generation Firewall | Solution Built for Cloud
-----------------------|--------------------------|------------------------------------------------
Custom Apps            | No Visibility            | App identification uses behavior and context
Containers             | No Visibility            | Supported
Kubernetes             | No Visibility            | Supported
Cloud Services         | No Visibility            | Supported
Encrypted Traffic      | No Visibility            | At host, so able to identify the app and user
Intra-VM Traffic       | No Visibility            | All traffic on the host is also visible
Serverless             | No Visibility            | Supported
Machine/Cloud Tags     | No Visibility            | Supported

User Visibility | Next Generation Firewall | Solution Built for Cloud
----------------|--------------------------|------------------------------------------------------------------
Assumed Roles   | No Visibility            | Supported
SSH Users       | No Visibility            | SSH tracking makes it possible to attribute activity to the right users
Cloud Admins    | No Visibility            | Console activity via the account API

Behaviors for Kill Chain | Next Generation Firewall | Solution Built for Cloud
-------------------------|--------------------------|------------------------------------------------
Network Communication    | IP address level         | App, User, Container, Kubernetes level
Privilege Changes        | No Visibility            | Track users and their privileges
File Changes             | No Visibility            | FIM (file integrity monitoring)
User Activity            | No Visibility            | SSH tracking to attribute activity to the right user
Cloud Config Changes     | No Visibility            | Best practices and compliance
Account API Behavior     | No Visibility            | Account-based IDS
Application Launches     | No Visibility            | Application launch tracking
File Malware             | No Visibility            | SHA-based malware detection
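Two rows of the last table, file integrity monitoring and SHA-based malware detection, rest on the same host-side primitive: hash every file, keep a baseline, and compare. As an added example (not this post’s code and not any product’s implementation), the Python below builds a throwaway directory tree, snapshots it with SHA-256, tampers with it, and reports added, removed and modified files plus any file whose hash appears in a known-bad set. The file contents and the “known-bad” hash are constructed inside the script; nothing here is a real indicator.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def compare(baseline, current):
    """Classify differences between two snapshots (FIM)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def match_known_bad(current, bad_hashes):
    """Return paths whose content hash is in a known-bad hash set."""
    return sorted(p for p, h in current.items() if h in bad_hashes)


def demo():
    """Build a small tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("etc/app.conf", b"listen=8080\n")
        write("bin/app", b"#!/bin/sh\necho hello\n")
        base = snapshot(root)

        write("etc/app.conf", b"listen=8080\nadmin=1\n")   # modified
        write("bin/unexpected", b"CONSTRUCTED-BAD-CONTENT")  # added
        os.remove(os.path.join(root, "bin/app"))             # removed
        cur = snapshot(root)

        # Constructed known-bad set: the hash of the made-up content above.
        bad = {hashlib.sha256(b"CONSTRUCTED-BAD-CONTENT").hexdigest()}
        return {"diff": compare(base, cur),
                "known_bad": match_known_bad(cur, bad)}


if __name__ == "__main__":
    print(demo())
```

A real deployment would store the baseline off-host and re-snapshot on a schedule or on file events; the comparison logic stays the same.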

As users change the way they deploy infrastructure in the cloud, they also need to start looking at the security solutions which are built using the cloud to secure the cloud. The notion of the Next Generation firewall needs to change its moniker from “Next Generation” to “Grandfather’s Generation.”
