Before your organization can move business applications to the cloud, it must deploy network security solutions that can reliably block cybercrime and malware.
Firewalls are essential cybersecurity tools that protect network traffic against threat actors. There are many different types of firewalls available, but put the same basic principles in action.
Before finding out which types of firewalls offer the best security performance for your cloud implementation, it’s important to cover how firewalls work and what characteristics set them apart.
Firewalls are best explained through analogy. Think of firewalls as 24/7 security guards with deep knowledge of millions of criminals. Whenever the security guard sees a criminal approaching an access point, they block access and turn the criminal away.
This kind of access control is accomplished in a few different ways. Some firewalls inspect packets for suspicious characteristics. Others use stateful inspection to identify malicious traffic. Some incorporate contextual awareness to tell the difference between harmless traffic and cyberattacks.
Here are some of the major types of firewalls and how they work:
All of these firewalls exist in different forms. Traditional hardware firewalls are physical devices that sit between network devices and the internet. Network-based firewalls are software-defined apps designed to do the same thing.
Organizations have multiple options when deciding to host firewalls on their private networks. The market offers a vast number of security devices and firewall providers, ranging from Cisco hardware to software solutions like Microsoft’s Windows firewall.
Large enterprises use a combination of firewall solutions to adopt a multi-layered security posture. This allows them to achieve network scalability and segmentation while offering different levels of protection to data centers, individual devices, and user endpoints.
As firewall technology becomes more accessible, smaller organizations are following suit. Here are some of the delivery formats that firewall solutions commonly come in:
Every organization has a unique security risk profile. Finding the right firewall deployment for your organization requires in-depth knowledge of your network’s security vulnerabilities and potential for long-term growth.
Some of the issues you have to consider include:
Organizations that are transitioning to cloud infrastructure need to completely rethink their firewall deployment strategy. Firewalls are the cornerstone of access control, and cloud-hosted infrastructure comes with the shared responsibility model that puts pressure on security leaders to carefully deploy security resources.
In many cases, you’ll face tough decisions concerning which type of firewall to deploy at particular points in your network. Building an optimal deployment means working through the pros and cons of each option on a case-by-case basis.
Host-based firewalls and network-based firewalls are the two main options you’ll encounter for most use cases. Let’s look at what each of those options look like from a complete network security perspective.
A cloud-native organization that exclusively uses host-based firewalls will have a cloud environment filled with virtual machines that take the place of servers and individual computers. To protect those devices, the organization will implement host-based firewalls on every virtual machine and configure them accordingly.
This provides the organization with a great deal of flexibility. IT team members can clone virtual machines and move them within the cloud on demand. The host-based firewalls that protect these machines can move right alongside them, ensuring consistent security policies are enforced without painstaking manual configuration.
It’s even possible to move virtual machines between cloud environments – like moving a virtual server from Amazon AWS to Microsoft Azure – without having to create completely new security policies in the process. This makes it easy for IT teams to work securely without introducing friction.
However, if attackers gain privileged access to host-based firewalls, they gain the same level of control. They may switch off the firewall or install malicious code in ways that other security technologies cannot detect.
Even highly secure organizations are subject to this kind of risk. Imagine an attacker compromises the credentials of a system administrator with firewall configuration privileges. Very few obstacles stand between an insider threat and the sensitive data they wish to exfiltrate.
Compared to host-based firewall products, it’s much harder for a malicious insider to compromise a network-based firewall solution managed by a cloud provider. That’s because the physical hardware is operating on a completely separate system from the host.
In a cloud-native environment, the network-based firewall would be a fully hardened device managed by a third-party provider running their own intrusion detection systems. This makes it much harder for attackers to successfully infiltrate and compromise systems without being noticed.
At the same time, independent network-based firewall architecture means that the attacker would have to compromise both your network and the cloud provider’s network without triggering security alerts from either. This adds a great deal of complexity to any attack, and significantly increases the chance it will be detected.
However, few organizations can afford to exclusively deploy hardware firewalls at every layer of their network. Even those that can afford it will run into significant challenges when planning for growth and scalability.
While they offer increased security, hardware firewalls are costly to deploy and maintain. Most organizations segment their networks in ways that offer extensive multi-layered protection to their most sensitive data while allowing more flexible host-based firewalls to protect less critical assets.
Every organization has a unique balance between optimal network-based firewall and host-based firewall deployment. This depends heavily on the volume of sensitive data the organization regularly accesses, and the security of its connections with users and third-party service providers. Proper network segmentation helps reduce the organization’s attack surface and decrease the risk of business disruption.
Receive notifications of new posts by email.