Understanding cloud-based firewalls

There are cloud firewalls and there are cloud firewalls. While the underlying technology may be the same, there really are two types of products and use cases: One aims to protect the organization's network and users, while the other protects cloud infrastructure and servers. Let's contemplate the differences.

Cloud-based firewalls come in two delicious flavors: vanilla and strawberry. Both flavors are software that checks incoming and outgoing packets to filter against access policies and block malicious traffic. Yet they are also quite different. Think of them as two essential network security tools: Both are designed to protect you, your network, and your real and virtual assets, but in different contexts.

Disclosure: I made up the terms “vanilla firewall” and “strawberry firewall” for this discussion. Hopefully they help us differentiate between the two models as we dig deeper.

Let's start with a quick overview:

  • Vanilla firewalls are usually stand-alone products or services designed to protect an enterprise network and its users—like an on-premises firewall appliance, except that it’s in the cloud. Service providers call this a software-as-a-service (SaaS) firewall, security as a service (SECaaS), or even firewall as a service (FWaaS).
  • By contrast, strawberry firewalls are cloud-based services that are designed to run in a virtual data center using your own servers in a platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) model. In these cases, the firewall application runs on the virtual servers and protects traffic going to, from, and between applications in the cloud. The industry sometimes calls these next-generation firewalls, though the term is inconsistently applied and sometimes refers to any advanced firewall system running on-prem or in the cloud.

So why do we need these new firewalls? Why not stick a 1U firewall appliance into a rack, connect it up to the router, and call it good? Easy: Because the definition of the network perimeter has changed. Firewalls used to be like guards at the entrance to a secured facility. Only authorized people could enter that facility, and packages were searched as they entered and left the building. Moreover, your users worked inside the facility, and the data center and its servers were also inside. Thus, securing the perimeter was fairly easy. Everything inside was secure, everything outside was not secure, and the only way in and out was through the guard station.

That world is gone, gone, gone. Authorized users can be anywhere, and increasingly, users access applications that might be anywhere. Those applications live in on-prem data centers, inside enterprise-controlled servers inside public or private IaaS/PaaS clouds, and as third-party SaaS applications also in the cloud. Relatively little enterprise traffic passes through the enterprise on-prem router, which is why we need cloud-based vanilla firewalls to protect all the users and cloud-based strawberry firewalls to extend security policies into the IaaS/PaaS environment.

Firewalls as a service

Plain-vanilla firewalls in the cloud act like your traditional on-premises firewall appliances except they are a service offered by your Internet service provider or perhaps a dedicated SaaS provider of firewall services—that is, a FWaaS provider. You might pay a fixed fee for this service. That’s more likely if the service is provided by your local ISP or telephone company. Alternatively, you might pay a monthly bill based on several factors, such as total bandwidth consumed and optional services (such as domain filtering) beyond strictly watching for malware.

Configuring the FWaaS is pretty straightforward. If this is an add-on service provided by your telco, you probably don’t need to change settings or do anything else at your main business location. System administrators get a dashboard or management console that shows activity and perhaps lets them select options for what to screen, domains to blacklist or whitelist, and so on.

If the FWaaS is offered by a third-party provider, you'll need to change router settings to connect to that provider. In a sense, it will be your Internet provider now.


A benefit of FWaaS is that you can extend protection to remote employees or those who are traveling. These users will connect to the cloud firewall provider via a secure tunnel, probably a virtual private network (VPN). From there, they can access the Internet with enterprise-class firewall protection, access cloud-based services through that firewall, and connect back to your enterprise to be authenticated by Active Directory or another directory service (and thus access internal servers or other resources). In short, this is a great way to give remote and traveling employees the exact same protection as your main office.

Remote employee support is one benefit of FWaaS over on-prem firewall appliances. Another is that it shifts the cost from a capital expense to an operational expense, which is extremely important for many businesses.

With FWaaS, you only pay for what you use (if that’s how the contract works), so you don’t have to buy more firewall appliance capability than you usually need in order to be prepared for your busiest time periods. There’s a good chance, by the way, that you have excessive on-prem firewall capacity, especially if you’ve already started migrating services to the cloud. By turning off those appliances (and releasing their expensive contracts), you are essentially outsourcing your security perimeter to a more efficient service.

Another win is that when there are new zero-day threats or fixes, the FWaaS provider can make that change instantly. There’s no need for you to download and install updates. The potential downside, of course, is that you are dependent on the FWaaS provider to do this. However, given that most service providers have full-time security teams that subscribe to all the threat intelligence services and can respond 24/7, my belief is that they do a better job keeping the firewall up to date and configured properly than most small and midsize businesses, and even many enterprises.

Another benefit is in guarding against distributed denial-of-service (DDoS) attacks. “In the past you would protect from DDoS at the end of your Internet pipe, but the reality is that a DDoS attack can swamp you, no matter how much bandwidth you have,” says Simon Leech, chief technologist of the digital solutions and transformation team at Hewlett Packard Enterprise. “Going cloud-scale can help, because the cloud provider has bandwidth to repel attacks at gigabit or terabit scale.”

In other words, any attack will be directed and blocked by the bandwidth-rich FWaaS servers and should not affect your own Internet connection. End result: The FWaaS provider still should be able to provide you with a clean Internet connection.

Many providers offer FWaaS options, such as Managed Firewall Security from AT&T and Cloud Network Defense from Wedge Networks (offered in partnership with ISPs). Some suggestions from my own experience: Most small and midsize businesses will find that the FWaaS offerings from your telco or ISP are easier to work with and likely to be affordable. The service provider may also have one or more partnership agreements with name-brand firewall providers.

Firewalls for your IaaS/PaaS

A virtual firewall in the cloud that protects your cloud infrastructure and services is an entirely different beast from FWaaS designed to protect your network perimeter and remote or traveling end users.

In the IaaS/PaaS world, you are renting infrastructure from a service provider on which you create, provision, and manage your own virtual servers. Those servers can be used for storage, hosting off-the-shelf or homegrown applications, two-tier or three-tier web serving—it’s entirely up to you. In some cases, those cloud-based applications are entirely stand-alone. In others, they may link back (over VPNs) to other servers and applications in your data center. What’s important is that these virtual servers are entirely managed by you and your team. That gives you the ultimate in flexibility, but also 100 percent responsibility.

In this context, virtual firewalls are a must. They protect your cloud servers against malicious traffic or attacks coming from the outside. They also protect your cloud servers from other servers, in the case of an insider attack, or even a successful outside attack that takes over one of the cloud servers.

The cloud firewall here is an application that you license either from the cloud host or your favorite name-brand firewall vendor. These next-generation firewalls, or virtual firewalls, are packaged in different ways. You may see them presented as fully configured virtual machines (VM) that you instantiate and use as a front end to your cloud infrastructures. Alternatively, they can be provided as a binary that you install and run on existing VMs, such as a web server or transactional database server.

Nearly every major name-brand firewall provider offers products and license options for IaaS/PaaS firewalls. A couple of examples: the VM-Series virtualized next-generation firewall from Palo Alto Networks and Zscaler's Cloud Firewall.

With virtualized firewalls you have nearly unlimited choices in defining how they are configured and what they protect. You can create a firewall that protects only one specific group of virtual servers or maybe only a single server. The term for this is microsegmentation. Unlike racked firewall appliances in a physical data center, you can change firewall configurations in seconds, with the click of a mouse or while running a script. No more cable moves! The firewall can also be microsegmented with rules tied to specific applications or user roles, not simply virtual servers.

The advantage of the microsegmentation approach is that it lets you tie security policies to individual virtual machines. “In a software-defined data center—or a hybrid cloud with orchestration—every time I provision a new virtual machine, I want that VM to have a security policy tied to it at provisioning,” says HPE's Leech. “That way, as that VM moves around the cloud network and migrates from one machine to another, that security policy will follow it. Also, when that VM is torn down, I want that security policy to go away as well.”
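The lifecycle Leech describes (policy attached at provisioning, following the VM across migration, removed at teardown) and the east-west protection mentioned earlier, as an added example that is not part of the article or of any vendor's product: a toy role-based microsegmentation engine. The roles, ports, workload names and host names are constructed for illustration.

```python
# Added example (not from the article or any vendor product): a minimal model of
# microsegmentation policy tied to a workload's role rather than its location.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_role: str  # role label of the sending workload
    dst_role: str  # role label of the receiving workload
    port: int      # destination TCP port permitted
# Policy is keyed on workload role, not IP address or hypervisor, so it does not
# depend on where a VM runs. Anything not listed is denied (default deny).
POLICY = {
    Rule("lb", "web", 443),   # load balancer may reach the web tier
    Rule("web", "db", 5432),  # web tier may reach the database tier
}
@dataclass
class Workload:
    role: str
    host: str  # hypervisor the VM currently runs on

class Segmenter:
    """Tracks live workloads; a policy exists only while its workload exists."""
    def __init__(self) -> None:
        self.workloads = {}  # name -> Workload
    def provision(self, name: str, role: str, host: str) -> None:
        self.workloads[name] = Workload(role, host)  # policy attached at provisioning
    def migrate(self, name: str, new_host: str) -> None:
        self.workloads[name].host = new_host  # role, hence policy, is unchanged
    def teardown(self, name: str) -> None:
        self.workloads.pop(name, None)  # policy goes away with the VM
    def allowed(self, src: str, dst: str, port: int) -> bool:
        s, d = self.workloads.get(src), self.workloads.get(dst)
        if s is None or d is None:
            return False  # unknown or destroyed workload: deny
        return Rule(s.role, d.role, port) in POLICY

def lifecycle_demo() -> dict:
    """Provision -> migrate -> teardown, checking the same flows at each step."""
    seg = Segmenter()
    for name, role, host in [("web-1", "web", "host-a"), ("web-2", "web", "host-a"),
                             ("db-1", "db", "host-b")]:
        seg.provision(name, role, host)
    out = {"web_to_db": seg.allowed("web-1", "db-1", 5432),       # True
           "web_to_web_ssh": seg.allowed("web-1", "web-2", 22),   # False: lateral move
           "db_to_web": seg.allowed("db-1", "web-1", 443)}        # False: wrong direction
    seg.migrate("db-1", "host-c")
    out["after_migrate"] = seg.allowed("web-1", "db-1", 5432)     # still True
    seg.teardown("db-1")
    out["after_teardown"] = seg.allowed("web-1", "db-1", 5432)    # False
    return out
```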

Vanilla or strawberry? Lessons for leaders

  • Remember, when you migrate your servers and applications to the cloud in an IaaS/PaaS architecture, you are not migrating responsibility for security. Sure, the cloud service provider might have some responsibility overall, but it’s not protecting your servers against malware, hack attacks, data exfiltration, or unpatched vulnerabilities in those virtual servers’ operating systems or applications. That’s your job. And while a big piece of that challenge is to keep your software up to date, it’s equally important to protect everything with firewalls.
  • If you are protecting your networks with an on-prem firewall, and you have remote or traveling users who are not protected with enterprise-grade firewalls, consider a vanilla FWaaS.
  • And if you have IaaS/PaaS virtual servers that are protected only by your cloud provider’s basic security service, you should definitely install and manage your own virtual firewalls to protect your servers. It’s your job—and your responsibility.

Want to read more? A paper from 451 Security, "Critical Security and Compliance Considerations for Hybrid Cloud Deployments," has a lot more information on this topic.