Several years ago, many security and network administrators lamented the lack of decent firewall technology for cloud environments. At the time, most public cloud firewalls were rudimentary at best and offered little in the way of management or reasonable security configuration controls. Today, that situation has thankfully changed, with new and capable options available for creating and operating both network-based and host-based firewalls for cloud infrastructure.
For most enterprises, the bigger challenges are now likely to be managing and monitoring these systems from afar, and automating the process as much as possible. Fortunately, some cloud providers are making firewall management easier than ever, and numerous automation frameworks and platforms can often help with rule management and monitoring as well. How, you ask? That's what we'll discuss in this tip.
Host-based cloud firewall management
Numerous options are available for organizations looking to manage host-based firewalls in the cloud. In Infrastructure as a Service (IaaS) environments, enterprises can simply install any agent-based product from vendors they may already use, including McAfee Inc., Symantec Corp. and others. Many such agents are also capable of supporting cloud-based management consoles. Once installed into IaaS instances, the products can be monitored with existing or virtual appliance management platforms.
New options in this area are being brought to market by vendors such as CloudPassage Inc. and Dome9 Security Ltd., both of which offer IaaS firewall management as a Software as a Service (SaaS) offering. These services may offer some efficiency in implementation and control, as well as resource utilization on cloud systems. In some cases, network-based firewalls may not be available in a public cloud environment, leaving security up to host-based controls that can be configured and managed via a cloud dashboard. These services may not offer all features currently in use within a network environment, however, and migrating to a cloud service model might require additional planning and configuration changes.
Network-based firewall options
While host-based cloud firewall management seems to be maturing, most enterprises still struggle with developing and maintaining network-based firewall rule sets in the cloud. Some of those difficulties are due to the lack of granularity and capability in many cloud providers' own firewalls, but other challenges often arise from building an automation strategy that can easily keep up with wire-speed firewalls and their complex rule sets in IaaS environments.
One option for enterprises is the simple yet manageable network firewall built into Amazon Elastic Compute Cloud (EC2), which can be automated and managed through command-line and application programming interface (API) access. Firewall rules in EC2 are created through what are known as Security Groups. The groups support protocols, ports, Internet Control Message Protocol types and codes, source and destination addresses, and security group names/identifiers, which are used to easily access and modify individual groups and rules within EC2. While the standard groups only support inbound traffic filtering rules, the Amazon Virtual Private Cloud (VPC) services also support outbound rules.
A number of commands and API calls are available in EC2 security groups that enable the flexible creation of new groups and rules, as well as the removal of rules and changes to which EC2 instances are associated with groups and rules. Examples of such commands include the following:
- ec2-create-group: Creates a new security group (equivalent API call is CreateSecurityGroup)
- ec2-authorize: Adds rules to a security group (equivalent API calls include AuthorizeSecurityGroupIngress and AuthorizeSecurityGroupEgress for VPC rules)
- ec2-describe-group: Lists security groups and attributes (equivalent API call is DescribeSecurityGroups)
- ec2-modify-instance-attribute: For VPCs, this command can modify an instance to associate it with one or more security groups (equivalent API call is ModifyInstanceAttribute)
- ec2-revoke: Removes rules from a security group (equivalent API call is RevokeSecurityGroupIngress)
- ec2-delete-group: Deletes a security group (equivalent API call is DeleteSecurityGroup)
Administrators can easily write simple scripts that routinely call the "ec2-describe-group" command and output the data into a file for parsing and reporting. A script can be created to run hourly or daily and check the results to see if changes have been made. The output in this file includes the group name and ID, Amazon account ID (i.e., the owner of the group), a description, rules associated with the group, and, if applicable, the name of the VPC group. The "ec2-authorize" command could be scripted to automatically execute within a specified change window if a new rule is approved, and the "ec2-revoke" command could also be used to automate rule removal just by specifying the group ID and rule attributes. API automation could simplify this process with orchestration tools from providers such as RightScale or cloud management frameworks including Eucalyptus and OpenStack.
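The periodic snapshot-and-compare check described above, as an added example that is not part of the original article. It assumes each run is saved as JSON in the shape of a DescribeSecurityGroups response (rather than the text output of ec2-describe-group); the two snapshots are constructed inline and the function names are hypothetical.

```python
import json

# Constructed snapshots shaped like DescribeSecurityGroups JSON responses;
# the group ID, account ID and addresses are made up for this example.
BASELINE = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0example1",
 "GroupName": "web", "OwnerId": "111122223333", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
 "IpPermissionsEgress": []}]}""")
LATEST = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0example1",
 "GroupName": "web", "OwnerId": "111122223333", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
 "IpPermissionsEgress": [{"IpProtocol": "-1",
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}""")

def flatten(snapshot):
    """Expand a snapshot into a set of one-tuple-per-source rules."""
    rules = set()
    for group in snapshot.get("SecurityGroups", []):
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in group.get(key, []):
                sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
                for src in sources:
                    # FromPort/ToPort are absent when the protocol is "-1" (all)
                    rules.add((group["GroupId"], direction, perm["IpProtocol"],
                               perm.get("FromPort"), perm.get("ToPort"), src))
    return rules

def diff_snapshots(old, new):
    """Return (added, removed) rule lists between two snapshots."""
    before, after = flatten(old), flatten(new)
    return sorted(after - before, key=str), sorted(before - after, key=str)

def open_to_world(rules):
    """Pick out inbound rules that admit any source address."""
    return [r for r in rules if r[1] == "ingress" and r[5] in ("0.0.0.0/0", "::/0")]

if __name__ == "__main__":
    added, removed = diff_snapshots(BASELINE, LATEST)
    for label, rules in (("ADDED", added), ("REMOVED", removed),
                         ("REVIEW", open_to_world(added))):
        for rule in rules:
            print(label, *rule)
```

A narrowed source range that is replaced by a wider one shows up as one removed and one added rule, which is why the added set is the one screened for world-open ingress.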
More automatable firewalls from other cloud providers are beginning to make their way onto the market too. Rackspace Inc., for example, now offers customers a firewall appliance from Vyatta that allows for command-line access and scripting functionality. Some traditional firewall providers have adapted virtual appliance models within Amazon as well; for instance, customers using Check Point Software Technologies Inc.'s SmartConsole to manage firewalls and rules can now add the AWS appliance as another node in the existing management dashboard.
Cloud firewall automation
An increasing number of organizations leverage automation toolkits such as Puppet and Chef for more flexible and scriptable API access. Dome9 offers SecOps for AWS, a complete product that allows customers to monitor and manage all EC2 Security Groups from a SaaS console, with unified reporting across all Amazon regions and accounts in use by the organization.
An organization looking to implement more automation in its cloud firewall platform should take a number of considerations into account, including, but not limited to, the following:
- What firewalls are available within the cloud provider environment? Does the provider have traditional firewall appliances available to implement? In some clouds, typically private clouds, firewall appliances such as the Juniper vGW or Cisco ASA 1000V may be available for additional fees. Customers of most public cloud providers will be relegated to the provider's firewall offering.
- Does the available firewall provide command-line and/or API access? If so, this bodes well for scripting and integration with automation and orchestration tools.
- Do your cloud management tools (e.g., OpenStack) offer native API integration with your cloud provider? AWS integration is a popular option for many tools, but support for other cloud providers is scattered.
- Can you implement and use tools such as Puppet and Chef to automate firewall management tasks? These tools are specifically designed to handle these kinds of functions and are flexible in terms of implementation. Keep in mind that implementing tools like these will require additional policies and processes for ensuring that any scripted changes go through approved change control and review workflows.
- Does it make sense to augment, or even replace, existing firewall policies and processes with new cloud-based offerings? For example, a host-based offering may make more sense for some organizations, especially if additional endpoint security features such as file integrity monitoring and configuration management are desired. Tools like those from Dome9 may also alleviate the installation of management tools by offering a cloud-based dashboard and control center in a SaaS format.
More cloud firewall options coming
Aside from new SaaS offerings, the biggest changes coming for cloud firewall management and automation will be in the areas of change control and remote scripting to access firewall rule sets and data. Administrators and operations teams will need to refine their processes to ensure that more frequent rule validation is performed, and rule changes will likely require new methods that may not integrate well with existing in-house firewall tools. Over time, higher levels of integration with leading vendors will likely occur, but today, there are still unfilled gaps for organizations attempting to create a single management framework for all in-house and cloud firewall controls and data.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO at Configuresoft; as chief technology officer at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security from Course Technology. Recently, he co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.