Firewalls are a core part of network security and they're becoming more sophisticated and capable all the time to combat the changing threats organizations face. Newer firewalls are capable of analyzing network traffic behavior, protocols, and application-layer data. However, when moving resources into Amazon's cloud, organizations may find that they don't have the same number and types of firewall options available to them. In this tip, we'll examine the built-in
The built-in AWS firewall leaves much to be desired for security professionals. To create firewall rules within EC2, organizations can create "Security Groups." These groups represent firewall rule sets that can be applied to EC2 instances, and each group allows organizations to configure inbound rules only. For customers using Amazon Virtual Private Cloud (VPC) services, both inbound and outbound rules can be created, but this will cost more to implement due to the higher cost of VPC services.
As for inspection capabilities, the AWS firewall filters all packets with IP options set, handles basic fragmentation of packets (but allows unusual fragments that attackers often create to thwart intrusion detection systems), and performs simple stateful filtering. However, no logging is available for any rules within the AWS firewall, which is a significant shortcoming. Most network and security teams will want these logs for intrusion detection and analysis, either standalone or to use with security event management tools. Although the Amazon firewall may be deemed sufficient for some scenarios, security professionals will likely opt for other AWS network security options.
Many organizations are turning to host-based firewall options to augment network-based security in Amazon EC2.
Third-party firewalls for AWS
There are few third-party network firewall options that can be integrated with AWS. Check Point has integrated its Check Point Security Gateway R75 into the AWS Marketplace. This means that organizations looking to set up a VPC environment can create a new virtual Check Point firewall and integrate it into their private cloud. The Check Point Security Gateway R75, however, is solely for VPC, and cannot be used with standalone EC2 instances.
This Check Point firewall behaves much like a traditional Check Point device by providing stateful traffic inspection and control capabilities, application and protocol analysis rules, and VPN connectivity. Check Point's virtual appliance can integrate with a variety of Amazon instance types and also supports the Check Point "software blade" functionality, which offers a modular approach to security feature sets. This currently stands as the only mature vendor product in the firewall space that has been fully integrated into the Amazon Marketplace. Cisco and Juniper do not have offerings in the AWS Marketplace yet, although both offer virtual firewall platforms (the ASA 1000v and vGW products, respectively).
Aside from the Check Point option, enterprises looking to install network firewalls into Amazon EC2 are left to craft their own solutions using open source software. Smoothwall has both open source and commercial offerings and provides packet filtering, Web filtering, and email protection in a single package. The company provides software-based commercial options that can be installed directly into Amazon images or as a VMware image that can be imported directly into EC2. Another open source option is Openwall, which offers firewall capabilities and other security options as a hardened platform that can be installed as a virtual machine and then imported into Amazon.
Many organizations are turning to host-based firewall options to augment network-based security in Amazon EC2. Aside from native OS firewalls for Linux and Windows virtual machines, enterprises can consider firewall controls managed by security-as-a-service providers. One such provider is CloudPassage, which provides its Halo firewall agent and management platform for free for limited use, and offers additional plans and capabilities that include configuration monitoring and control, vulnerability assessment and user account management. The vendor's firewall agent ties into existing firewalls on Linux and Windows, but provides simplified central management and control as well as logging and alerting tools.
It's likely that more of the commercial firewall providers will adapt their products to Amazon and other clouds in the future, but organizations at least have a few firewall options today.
It's important for security professionals to try and develop a sound "defense in depth" posture in cloud environments whenever possible, as public Infrastructure as a Service (IaaS) cloud assets are exposed to the Internet or internal networks where protection is needed. Many organizations may not realize that the native AWS firewall is limited in capability, and nowhere near the equivalent of modern enterprise perimeter firewall platforms. Adding more capable virtual firewall instances, as well as host-based filtering and detection, provides significantly more coverage.
About the author: Dave Shackleford is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as chief security officer for Configuresoft, chief technology officer for the Center for Internet Security, and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the co-author of Hands-On Information Securityfrom Course Technology as well as the "Managing Incident Response" chapter in the Course Technology book Readings and Cases in the Management of Information Security. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
This was first published in July 2012