I've heard AWS security groups compared to traditional firewalls. What is a security group and how is it different from a firewall? Would the two ever be used in conjunction?
AWS security groups and firewalls are similar in that they are both defensive mechanisms for restricting network communications.
Firewalls are used to control network flows to and from subnets of networks or between networks, such as an enterprise network and the Internet. In some cases, firewalls are used on individual machines such as personal firewalls on desktop computers.
Firewalls are a class of network security controls available from a wide range of vendors as well as open source projects.
AWS security groups are a vendor-specific feature of Amazon Web Services. Security groups provide a kind of network-based blocking mechanism that firewalls also provide. Security groups, however, are easier to manage.
Firewalls are generally configured with IP-specific rules, such as allowing or blocking traffic on a specific port or accepting traffic from a particular server. This kind of hard-coded rule can be difficult to manage. For example, if the IP address of a server changes, firewall rules referencing the old IP address will need to be updated. Also, if additional servers are added to a cluster that provides a service, consumers of those services will need to update firewall rules to allow traffic from the new members of the cluster.
AWS security groups streamline management using policies. A policy is a set of rules that is referenced by multiple servers. For example, servers in a cluster can all reference the same policy, which we will call SecPol_Cluster. When new servers are added to the cluster, they are configured to reference the SecPol_Cluster policy. Client devices that access services from the cluster are configured with a policy that allows communication with the servers using the SecPol_Cluster policy.
Using security groups reduces the number of distinct configurations that have to be maintained and thereby helps reduce the chances of configuration errors. Since firewalls and security groups perform overlapping functions, there are only marginal benefits to running both (e.g., a catastrophic failure in one system would be mitigated by using the other mechanism).
Answer by Dan Sullivan (Ask the Expert: cloud security).
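The pattern the answer describes, a cluster group that other groups reference instead of hard-coded IP addresses, as an added Terraform example. This is not part of the answer above and not AWS or HashiCorp sample code; the VPC variable `vpc_id`, the group names `secpol-cluster` and `secpol-clients`, and the service port 8080 are placeholders chosen for the illustration.

```hcl
# Added example (not from the original answer): a cluster security group
# and a client security group. The cluster's ingress rule names the client
# group by ID, so no IP address appears in any rule.
# Assumed: an existing VPC passed in as var.vpc_id; the group names and
# port 8080 are placeholders.

variable "vpc_id" {
  type        = string
  description = "VPC in which both groups are created"
}

# Attached to every server in the cluster (the answer's "SecPol_Cluster").
resource "aws_security_group" "cluster" {
  name        = "secpol-cluster"
  description = "Servers in the service cluster"
  vpc_id      = var.vpc_id
}

# Attached to client instances that consume the cluster's service.
resource "aws_security_group" "clients" {
  name        = "secpol-clients"
  description = "Clients of the service cluster"
  vpc_id      = var.vpc_id
}

# Allow the service port into any cluster member, but only from instances
# that carry the clients group. Adding a server to the cluster, adding a
# client, or re-addressing either needs no rule change: membership in the
# group is what the rule evaluates, not an address.
resource "aws_security_group_rule" "cluster_ingress_from_clients" {
  type                     = "ingress"
  security_group_id        = aws_security_group.cluster.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.clients.id
  description              = "Service port from the client group"
}

# Security groups are stateful, so return traffic is allowed automatically,
# but the clients group still needs an egress rule toward the cluster group
# because Terraform removes the default allow-all egress rule when an
# aws_security_group declares no egress block. For an egress rule,
# source_security_group_id names the destination group.
resource "aws_security_group_rule" "clients_egress_to_cluster" {
  type                     = "egress"
  security_group_id        = aws_security_group.clients.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.cluster.id
  description              = "Service port to the cluster group"
}
```

Two points worth checking when reviewing a configuration like this: a security group has no inbound rule by default, so anything not explicitly allowed (here, everything except port 8080 from the clients group) is dropped at the instance's network interface; and group-to-group references are evaluated against the private IP addresses of the members, so they do not apply to traffic that arrives through a public address or from outside the VPC.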