If you’re thinking of moving business applications to the cloud, then you need to protect them and the data they process. Firewalls are the cornerstone of these security controls – and public or private cloud deployments present organizations with two main options for deploying firewalls.
The first option is to use host-based firewalls. This means putting host-based firewalls on every virtual machine (VM) you have in the cloud environment.
The second option is to use network-based protection, i.e. filtering that sits in the cloud fabric rather than on the guest: the controls built into the cloud infrastructure (security groups and network ACLs in AWS, the distributed firewall in VMware NSX), or a virtualized firewall appliance from vendors such as Check Point or Cisco.
So which is better? Here, we will examine both options and the capabilities of each.
Host-based firewalls offer organizations a high degree of flexibility. In cloud environments VMs are routinely cloned, moved within the cloud provider's infrastructure, or even migrated between clouds (from AWS to Azure, for example); a host-based firewall moves with the VM, so the security policy follows the workload wherever it lands.
However, host-based firewalls are also easier to circumvent than network-based controls. Once attackers gain a foothold on the host through an exploitable service, they may be able to escalate to administrator or root privileges, at which point the firewall is just another process on a machine they control: they can switch it off, rewrite its rules, or install malicious code in ways that host-side IDS agents, security teams and forensic investigators will not see. With the filter gone, they can use the compromised host as a stepping-stone to other hosts, unhindered by the firewall.
Network-based firewalls can offer a stronger defensive barrier than host-based products. Because the firewall is a separate system from the host it protects, an attacker who takes over the host still cannot disable it, rewrite its rules, or remove its audit log entries. Network firewalls also typically run on a hardened, purpose-built platform with a much smaller attack surface than the general-purpose operating systems that host-based products sit on (a virtual appliance still needs patching like any other system, but it does not inherit every weakness of the workload it guards). Moreover, IDS or IPS sensors are more likely to spot traffic generated by backdoor malware or trojans, because that traffic has to pass through the network security infrastructure. Disguising it adds a significant layer of complexity for an attacker: they would need to masquerade their traffic so that it looks benign to the firewall.
Ultimately, network-based protection coupled with effective network segmentation adds a critical extra line of defense: it partitions access to sensitive information so that only those applications, servers, and people that need access can get it. Even if a determined attacker managed to breach the network perimeter, they would still have to contend with the protection around each segment and host. Proper network segmentation significantly reduces your exposure to data theft or system outages and improves your security posture.
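To make the segmentation argument concrete, here is an added example (not code from the original post or from any of the vendors named in it). It models a three-tier deployment (web, app, db) behind a default-deny network firewall and does two things a practitioner wants before shipping a ruleset: it checks every allow rule against the intended tier-to-tier policy and flags policy entries that no rule implements, and it simulates what a compromised web host can reach. The tier names, subnets, ports and rules are constructed sample data, and an over-broad source such as 0.0.0.0/0 or 10.0.0.0/8 is deliberately judged as "internet".

```python
"""Segmentation policy check: an added example, not code from the original post.

Models a three-tier cloud deployment (web -> app -> db) behind a network
firewall with a default-deny policy, then checks a candidate ruleset in
two ways: (1) every rule must correspond to an intended policy entry and
every policy entry must be implemented; (2) a flow simulator shows what a
compromised web host can and cannot reach.  All tier names, addresses,
ports and rules below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

# Hypothetical tiers; "internet" is the catch-all for anything not inside a tier subnet.
TIERS = {
    "internet": ANY,
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}

# Intended segmentation policy: (source tier, destination tier, protocol, port).
# Anything not listed here is meant to be denied.
POLICY = {
    ("internet", "web", "tcp", 443),
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
}


@dataclass(frozen=True)
class Rule:
    """One allow rule in the network firewall (the default policy is deny)."""
    src: IPv4Network
    dst: IPv4Network
    proto: str
    port: int


def tier_of(net: IPv4Network) -> str:
    """Most specific tier that contains `net`.  A range wider than any tier
    subnet (10.0.0.0/8, 0.0.0.0/0) falls through to "internet", so an
    over-broad rule is judged as if it were open to the world."""
    best = "internet"
    for name, tier_net in TIERS.items():
        if net.subnet_of(tier_net) and tier_net.prefixlen > TIERS[best].prefixlen:
            best = name
    return best


def check_rules(rules: list) -> list:
    """Findings for a ruleset; an empty list means it matches POLICY exactly."""
    findings = []
    implemented = set()
    for r in rules:
        entry = (tier_of(r.src), tier_of(r.dst), r.proto, r.port)
        implemented.add(entry)
        if entry not in POLICY:
            findings.append(
                f"not in policy: {r.src} -> {r.dst} {r.proto}/{r.port} "
                f"({entry[0]} -> {entry[1]})"
            )
    for entry in sorted(POLICY - implemented):
        findings.append(f"policy entry not implemented: {entry}")
    return findings


def allowed(rules: list, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Default-deny evaluation: the flow passes only if some rule permits it."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(
        s in r.src and d in r.dst and r.proto == proto and r.port == port
        for r in rules
    )


# Constructed rulesets.  GOOD_RULES implements POLICY; BAD_RULES adds a
# "temporary" rule that exposes the database tier to the whole world.
GOOD_RULES = [
    Rule(ANY, TIERS["web"], "tcp", 443),
    Rule(TIERS["web"], TIERS["app"], "tcp", 8080),
    Rule(TIERS["app"], TIERS["db"], "tcp", 5432),
]
BAD_RULES = GOOD_RULES + [Rule(ANY, TIERS["db"], "tcp", 5432)]


def compromised_web_host_reach(rules: list) -> dict:
    """What an attacker who owns a web-tier host can reach under these rules.
    Because the filter lives in the network, flushing the host firewall
    does not change this answer."""
    web_host = "10.0.1.10"
    return {
        "app:8080": allowed(rules, web_host, "10.0.2.10", "tcp", 8080),
        "db:5432": allowed(rules, web_host, "10.0.3.10", "tcp", 5432),
    }


if __name__ == "__main__":
    for name, rules in (("GOOD_RULES", GOOD_RULES), ("BAD_RULES", BAD_RULES)):
        print(name, check_rules(rules) or "OK", compromised_web_host_reach(rules))
```

Run stand-alone, the script reports GOOD_RULES as OK with the web host unable to reach the database directly, and flags the extra BAD_RULES entry as "internet -> db", which is exactly the lateral-movement path the post warns about. The same two functions can be pointed at a ruleset exported from a cloud provider once you map its subnets to tiers.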