Yup, I called them last-generation firewalls (LGFW) because the term next-generation firewall (NGFW) was coined 15 years ago. Today, with the rapid advancements in cloud technology, these LGFWs are based on an architecture that was developed for the data center and are not meeting the security needs of cloud and multi-cloud environments. I’d like to explore the challenges faced by enterprises when using LGFW architecture in the cloud and highlights emerging alternatives.
Here are three reasons cloud architecture changes the game for LGFWs:
- The changing perimeter: The traditional concept of a static perimeter no longer exists in the cloud. In fact, I would call cloud perimeterless. Cloud networks are dynamic, endless, and constantly evolving, making it difficult to defend using traditional methods. LGFWs require traffic redirection to centralized inspection and policy enforcement points, resulting in operational complexity, bottlenecks, increased latency, and high data processing costs. Furthermore, managing a large number of dynamic ingress and egress points in the cloud becomes operationally unfeasible with the LGFW approach.
- Dynamic cloud applications: Cloud applications are highly dynamic, using microservices architecture and containerization and often rely on direct internet connections and service mesh networks. These apps require elastic scale and rely on native cloud PaaS services and API gateways, which break both LGFW and agent-based security approaches in the cloud. Further, from a policy creation perspective, security teams can no longer define policies based on IP addresses because IP addresses constantly change in these dynamic application environments.
- Infrastructure agility requirements: Cloud infrastructure teams need to keep up with the agility demands of modern applications. They must adopt to rapid release cycles, DevSecOps automation, and leverage CI/CD pipelines application teams have used for years. However, the centralized appliance operational model of LGFWs, which originated in the data center era, cannot meet the software-defined agility expectations of the cloud. Migrating LGFWs to the cloud leads to operational pain, tool sprawl, and unsustainable cost increases.
Enterprises now require a cloud network security solution specifically designed for the cloud. A distributed cloud firewall has emerged as a promising alternative that leverages the distributed nature of the cloud.
Distributed cloud firewalls defined
It’s the familiar firewall policy creation security pros are used to, but architected to take advantage of the distributed nature of cloud. This approach doesn’t distribute firewalls everywhere, it distributes the inspection and policy enforcement into the cloud network, in the natural application communication path, while maintaining centralized policy creation. This approach lets the entire cloud network operate like a single, infinitely scalable, firewall. Starting to sound a little more like cloud? Here are the five characteristics security pros should look for when exploring a distributed cloud firewall approach:
- Distributed enforcement in native cloud traffic flow: The product should embed inspection and policy enforcement into the native cloud infrastructure and natural application communication paths, eliminating the need for traffic redirection, load-balancer sandwiches, and other network gymnastics. This ensures scalability, eliminates bottlenecks, and enables the entire cloud network to function as a single, scalable firewall.
- Centralized policy creation across multi-cloud environments: Cloud-aware policy creation abstracts enforcement details using dynamic cloud-native application workload identities, such as tags and attributes, instead of static IP addresses. Security teams can define policies through a single, programmable interface, while enabling inspection and policy enforcement across multiple cloud environments.
- A cloud operational model: The product should offer full visibility and control, support elastic auto-scaling to align with application requirements, and feature programmability using industry-standard infrastructure-as-code automation tools such as Terraform. It should seamlessly integrate into DevSecOps CI/CD pipelines.
- Native cloud network and security orchestration: The product should leverage native cloud APIs for both network and security orchestration, abstracting underlying infrastructure complexities. This ensures consistency across cloud service providers and prevents conflicts between networking and security configurations.
- Advanced security services consolidation: A distributed cloud firewall should offer more than basic firewalling capabilities. It should support micro-segmentation, network isolation, automated threat detection and mitigation, anomaly detection, vulnerability scanning, cloud workload risk scoring, L7 decryption and inspection, full traffic visibility, and audit reporting. It must maintain role-based access control to separate networking and security duties, all integrated into the native cloud infrastructure and operations.
Implementing a distributed cloud firewall can deliver significant business value for enterprises compared to existing LGFW implementations. The benefits include reduced total cost of ownership, improved cloud infrastructure agility, better performance, shorter mean time to detection and resolution, simplified corporate and regulatory compliance, and reduced overall business risk. By embracing a cloud-native security approach, enterprises can better protect their cloud environments and adapt to the dynamic nature of the cloud.
Rod Stuhlmuller, vice president, solutions marketing, Aviatrix
