Are host firewalls important in cloud deployments?

As you are aware, cloud deployment offers unparalleled network flexibility for any workload. Companies build, connect, and configure networks at a rapid pace via convenient application programming interfaces (APIs). However, these easily configured interconnections lead to situations where dangerous network paths remain open due to misconfiguration or complexity.

Someone asked me recently if host firewalls still matter in cloud deployments. In short, they do. Host firewalls, such as iptables or nftables, play a crucial role in a defense-in-depth strategy, often closing gaps in critical network infrastructure. A firewall management framework (such as firewalld) adds reasonable defaults on top of them and makes rule management easy.

This post explores potential scenarios where a host firewall can mitigate risk in a cloud deployment.

Protection against configuration changes

Network configurations in clouds evolve rapidly. A series of API calls has replaced trips to the data center with a network architect. Developers of cloud deployments now wield the power to modify systems beyond the application itself, including the networking stack.

More changes often lead to misconfigurations, especially for organizations that lack a robust testing strategy for their workloads. These could include:

  • Removing rules temporarily to diagnose a problem and forgetting to reset them.
  • Migrating to another region or zone with different network security capabilities.
  • Applying an old version of the network configuration through a continuous integration/continuous delivery (CI/CD) system.

A basic set of firewall rules helps mitigate the risk associated with these changes. Start by taking an inventory of the applications running on the system and identifying which should be exposed. Reduce the firewall rules to only those services. Then tighten the rules further by identifying which external systems must access each service and limiting access to those specific networks.

Working around cloud provider feature gaps

Each cloud provider offers distinct capabilities within its networking stack. Some allow for extremely granular control on each instance and each network segment. Some support IPv4 only, while others support dual-stack networks. These varying capabilities present challenges in multi-cloud deployment, but host firewalls help fill these gaps.

Most Linux instances will set up a link-local address for basic IPv6 connectivity, even if the underlying network is IPv4-only. This opens up a new, often overlooked, network path. The cloud provider may offer network security solutions that only operate with IPv4 addresses, leaving IPv6 connectivity vulnerable to attack.

A firewall manager such as firewalld provides a consistent method for handling IPv4 and IPv6 on each system. Opening and closing ports happens on both stacks at the same time, without having to separately ensure that the same changes are made via iptables and ip6tables.
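The inventory-driven approach above (expose only inventoried services, only to their allowed networks, identically for IPv4 and IPv6) can be expressed as a single nftables ruleset. The following Python script is an added example, not code from the original post: the inventory, service names and source networks are constructed, and the generated ruleset uses the `inet` family so that one table covers both address families and logs everything the default-drop policy rejects.

```python
"""Build one dual-stack nftables ruleset from a service inventory (added example,
not code from the post; the inventory, service names and networks are constructed).
The 'inet' family covers IPv4 and IPv6 in one table, so there is no separate
ip6tables copy to keep in sync."""
import ipaddress

# Constructed inventory: service -> (port, protocol, allowed source networks).
INVENTORY = {
    "ssh": (22, "tcp", ["10.10.0.0/24", "fd00:10::/64"]),
    "app": (8443, "tcp", ["10.20.0.0/16", "10.21.5.0/24", "fd00:20::/48"]),
}

def split_sources(networks):
    """Validate each CIDR and split into IPv4 and IPv6 lists; strict parsing
    rejects entries with host bits set (e.g. 10.0.0.1/24) instead of silently
    widening them."""
    v4, v6 = [], []
    for net in networks:
        parsed = ipaddress.ip_network(net, strict=True)
        (v4 if parsed.version == 4 else v6).append(str(parsed))
    return v4, v6

def build_ruleset(inventory, log_prefix="DENIED: "):
    """Default-drop input chain that admits only inventoried services from
    their allowed networks and logs everything else before it is dropped."""
    lines = [
        "table inet host_fw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    ip protocol icmp accept",
        "    ip6 nexthdr icmpv6 accept",  # needed for neighbour discovery on the link-local path
    ]
    for name, (port, proto, nets) in sorted(inventory.items()):
        v4, v6 = split_sources(nets)
        for family, srcs in (("ip", v4), ("ip6", v6)):
            if srcs:
                lines.append(f'    {family} saddr {{ {", ".join(srcs)} }} '
                             f'{proto} dport {port} accept comment "{name}"')
    # Rate-limited log of denied traffic feeds the alerting pipeline.
    lines += [f'    limit rate 10/second log prefix "{log_prefix}"', "  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_ruleset(INVENTORY))
```

Load the printed ruleset with `nft -f` on the instance; a CIDR typo in the inventory raises a `ValueError` before anything reaches the kernel.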

Network protection

Network-based firewall options can offer a more substantial defensive barrier than host-based products. Because the firewall is a separate system from the host, it is more difficult for an attacker to subvert the network firewall, take control of it, or remove its audit log entries. Furthermore, network-based firewalls are fully hardened devices, without the vulnerabilities that can be found in the platforms that support host-based products, and so present a significantly smaller attack surface. Moreover, IDS or IPS systems are more likely to detect any traffic generated by backdoor malware or trojans, as the traffic must pass through the network security infrastructure. Disguising this traffic adds a significant layer of complexity for an attacker, who would need to masquerade it in a way that appears benign to a firewall.

Limiting lateral movement after a successful attack

Experienced information security professionals always say, “It’s not a matter of ‘if’ but ‘when’ an attack will succeed in your deployment.” Once an attacker gets inside, you want to limit lateral movement. For example, if an attacker gains access to a monitoring system, how do you prevent them from moving to other instances in your deployment? What if they acquire your API keys for your cloud provider?

Host firewalls provide an extra layer of defense here. An attacker could use stolen API credentials to remove security restrictions on the network; however, if your instance already has limited access defined in the host firewall, their ability to move is significantly reduced.

If an attacker attempts to move laterally within your environment and you cannot defend against it effectively, at least make it noisy when they try to move around. Turn your attacker into a bull in a china shop by enabling logging on your host firewalls.

Add rules to log any traffic that is not explicitly allowed. Feed those logs into an alerting or monitoring system to quickly identify attacker movement. Enable this in firewalld by changing the LogDenied parameter in /etc/firewalld/firewalld.conf.

Egress traffic also sheds light on a potential compromise. Consider a database server that should never access anything outside your deployment. Limit egress traffic via the cloud provider’s network configuration and add host firewall logging for outbound traffic on the database instance. If something suddenly tries to make many outbound connections, you know about the problem quickly.
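Both alerting ideas above (a source hitting many denied inbound targets, and any denied outbound traffic from a host that should have no egress) can be turned into a small triage over the deny logs. The Python script below is an added example, not code from the original post: the log lines are constructed in the kernel netfilter log format, and the `FINAL_REJECT: ` prefix and the scan threshold are assumptions to adjust to your firewalld version and traffic. It handles IPv6 addresses the same way as IPv4, so probes over the link-local path discussed earlier are not missed.

```python
"""Triage firewall deny logs for lateral movement and blocked egress (added example,
not code from the post). The log lines are constructed in the kernel netfilter
format; the "FINAL_REJECT: " prefix and the scan threshold are assumptions."""
import re
from collections import defaultdict

# Constructed sample: a port sweep from 10.0.1.23 against 10.0.1.10, one IPv6
# link-local probe, and two outbound attempts from a database host (IN= empty).
SAMPLE_LOG = """\
kernel: FINAL_REJECT: IN=eth0 OUT= SRC=10.0.1.23 DST=10.0.1.10 PROTO=TCP SPT=41000 DPT=22 SYN
kernel: FINAL_REJECT: IN=eth0 OUT= SRC=10.0.1.23 DST=10.0.1.10 PROTO=TCP SPT=41001 DPT=3306 SYN
kernel: FINAL_REJECT: IN=eth0 OUT= SRC=10.0.1.23 DST=10.0.1.10 PROTO=TCP SPT=41002 DPT=5432 SYN
kernel: FINAL_REJECT: IN=eth0 OUT= SRC=10.0.1.23 DST=10.0.1.10 PROTO=TCP SPT=41003 DPT=6379 SYN
kernel: FINAL_REJECT: IN=eth0 OUT= SRC=10.0.1.23 DST=10.0.1.10 PROTO=TCP SPT=41004 DPT=8080 SYN
kernel: FINAL_REJECT: IN=eth0 OUT= SRC=fe80::5054:ff:fe12:3456 DST=fe80::5054:ff:feab:cdef PROTO=TCP SPT=51000 DPT=22 SYN
kernel: FINAL_REJECT: IN= OUT=eth0 SRC=10.0.2.5 DST=198.51.100.7 PROTO=TCP SPT=52000 DPT=443 SYN
kernel: FINAL_REJECT: IN= OUT=eth0 SRC=10.0.2.5 DST=203.0.113.9 PROTO=UDP SPT=52001 DPT=53
"""
TOKEN = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the key=value fields of a deny log line, or None for other lines."""
    if "FINAL_REJECT:" not in line:
        return None
    return dict(TOKEN.findall(line.split("FINAL_REJECT:", 1)[1]))

def triage(log_text, scan_threshold=4):
    """Flag inbound sources that probed at least scan_threshold distinct
    (host, port) targets, and every source of blocked outbound traffic."""
    inbound = defaultdict(set)   # SRC -> {(DST, DPT)} for packets that arrived on an interface
    outbound = defaultdict(set)  # SRC -> {(DST, DPT)} for locally generated packets
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or "SRC" not in fields:
            continue
        target = (fields.get("DST"), fields.get("DPT", ""))
        if fields.get("IN"):
            inbound[fields["SRC"]].add(target)
        elif fields.get("OUT"):
            outbound[fields["SRC"]].add(target)
    findings = [("lateral_scan", src, len(t)) for src, t in inbound.items()
                if len(t) >= scan_threshold]
    findings += [("blocked_egress", src, len(t)) for src, t in outbound.items()]
    return sorted(findings)

if __name__ == "__main__":
    for kind, src, count in triage(SAMPLE_LOG):
        print(f"{kind}: {src} ({count} distinct targets)")
```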

Conclusion

Host firewalls provide a valuable layer in a strong defense-in-depth strategy. A firewall manager such as firewalld enables administrators to quickly configure a host firewall that consistently handles dual-stack networks, provides detailed traffic logs, and closes gaps in cloud provider network implementations. It also allows you to apply firewall configurations consistently across your entire fleet.
