In our last post on microsegmentation, we looked at a variety of reasons why host-based firewalls are needed when scaling microsegmentation in the public cloud. A little more than a month later, those reasons certainly remain accurate. But what if you want to create a scalable microsegmentation solution for a private cloud? Are there still benefits to using host-based firewalls? Do some of the SDN-based solutions like Cisco ACI or VMware NSX still make sense? Is there a place for hardware appliances?
As the very premise of this post implies, none of host-based firewalls, SDN-based solutions, or hardware appliances can on its own provide a level of security that will ensure your organization isn’t potentially on the verge of becoming another talking point in a CNN segment on “Your Money. Your Privacy.”
Why is that? Let’s answer by taking a closer look at each and then describe a solution that gives network security professionals the best of all worlds.
Hardware appliances
On a purely functional level, hardware is faster than software (even though the hardware is obviously running its own custom software, too, but come along with me here). That’s a given. It’s much less likely to fail, too, with a mean time between failures (MTBF) exceeding what any software alone can pull off.
Hardware firewalls conjure visions of medieval walls blocking invaders and shunting traffic off through various gates to ensure no trouble gets in. Though it’s a lot more sophisticated than that, it’s still not a terrible metaphor for what those firewalls are achieving, since their main purpose is to filter north-south traffic coming in and out of your network.
That’s where our first limitation arises. Relying entirely on a hardware-based approach mostly limits your security to north-south traffic. What if your server perimeter is breached? How is that east-west traffic being secured?
Even without taking east-west traffic into consideration, there are other limitations to consider. While hardware is faster than software in function, it’s a whole lot slower (and more expensive) to manage and upgrade. It’s highly unlikely a hardware-based solution is just going to work with your application out of the box. In a rapidly changing environment, you’re going to be rewriting code or making hardware upgrades to ensure new traffic and protocols are properly handled.
Software-defined networking solutions
SDN solutions can achieve many of the same goals as hardware-based solutions, while going beyond the sort of perimeter defense described above. With SDN you can turn practically any connection point into its own firewall, allowing east-west traffic to be secured via network slicing. Now different departments and groups within a network can have their own secure enclaves with different sets of rules appropriate to those individual groups. Simply put: the Accounting department can have its own slice of the network with different rules than the Design department’s slice, giving different groups within the company something new to hold against each other.
Considering that every port can technically act as its own firewall, SDN would ideally allow for a perimeter-free network, eliminating the need for a hardware wall to keep an eye over all north-south traffic. The issue is that SDN is generally stateless and doesn’t operate above L3 or L4 protocol hygiene (while hardware gets you all the way up to L7). You simply cannot rely on it as your sole source of security.
Host-based firewalls
Host-based firewalls are easily scalable and very close to the application, bringing security all the way down to the workload level. This is great, except a level of security this granular can’t possibly have the capacity and throughput of purpose-built hardware. It’s not possible to rely on this for all security, just as it’s not feasible to rely on a system of sophisticated trip-lasers to secure every entryway to your home. So we use locks for our doors, and save laser-beam-based security for the Hope Diamond and scenes from Ocean’s Eleven.
That’s why an appropriately balanced combination of all three security approaches is the way to go. This often means separating network access control (NAC) into distinct Provider and Consumer responsibilities.
The Provider (typically the internal network organization or the CSP) implements traditional hardware devices for perimeter NAC, protocol hygiene, IDS/IPS, and anti-DDoS, as well as router ACLs and internal L3/L4 firewall appliances to handle the broad strokes, like segregating entire divisions from one another, and SDN to provision VPC-like networks at the Consumer level.
The Consumer (typically the DevOps teams or other business-level tech teams) implements host-based security, like Halo’s firewall capabilities or AWS security groups, to ensure that high-security use cases, high-value assets, and zero-trust situations are properly handled.
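To make the Provider/Consumer split concrete, here is an added illustration (not code from the original post or from any product it mentions) that models the two layers as policy tables and evaluates sample flows through both. The topology, addresses, workload roles and rules are all constructed assumptions: a Provider layer that sees only L3/L4 addresses and ports, and a Consumer layer of host-based rules keyed by workload role, with a flow admitted only when both layers allow it.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumption, not from the post): one VPC-like slice
# 10.10.0.0/16 for a three-tier app, plus an Accounting workstation in another slice.
WORKLOADS = {"10.10.0.5": "web", "10.10.1.5": "app", "10.10.2.5": "db",
             "10.20.0.7": "accounting-ws"}

# Provider layer: stateless L3/L4 ACLs (router ACLs, SDN slice boundaries).
# Each rule: (src_net, dst_net, dport or None for any port, action); first match wins.
PROVIDER_ACLS = [
    ("0.0.0.0/0", "10.10.0.0/24", 443, "allow"),      # north-south: internet -> web tier
    ("10.10.0.0/16", "10.10.0.0/16", None, "allow"),  # east-west inside the app slice
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny"),         # everything else, incl. cross-slice
]

# Consumer layer: host-based rules on each workload, keyed by the destination's role.
# Each entry: (allowed source role or "any", dport). Anything unlisted is denied.
HOST_RULES = {
    "web": [("any", 443)],
    "app": [("web", 8080)],
    "db": [("app", 5432)],
}

def provider_decision(src, dst, dport):
    """Stateless L3/L4 check: only addresses and ports are visible at this layer."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, port, action in PROVIDER_ACLS:
        if s in ip_network(src_net) and d in ip_network(dst_net) and port in (None, dport):
            return action
    return "deny"

def host_decision(src, dst, dport):
    """Workload-aware check on the destination host: which role is talking matters."""
    src_role = WORKLOADS.get(src, "external")
    for allowed_role, port in HOST_RULES.get(WORKLOADS.get(dst, ""), []):
        if port == dport and allowed_role in ("any", src_role):
            return "allow"
    return "deny"

def evaluate(src, dst, dport):
    """A flow is admitted only if both the Provider and the Consumer layer allow it."""
    p, h = provider_decision(src, dst, dport), host_decision(src, dst, dport)
    return {"provider": p, "host": h, "final": "allow" if p == h == "allow" else "deny"}

if __name__ == "__main__":
    for flow in [("203.0.113.9", "10.10.0.5", 443),  # legitimate north-south
                 ("10.20.0.7", "10.10.2.5", 5432),   # Accounting slice -> app DB
                 ("10.10.0.5", "10.10.2.5", 5432),   # web host straight to DB (east-west)
                 ("10.10.1.5", "10.10.2.5", 5432)]:  # app tier -> DB, the intended path
        print(flow, evaluate(*flow))
```

The third flow is the case the post's east-west argument is about: the slice-level L3/L4 rule permits it, and only the workload-aware host rule on the database stops it.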
In this way, every part of the network is properly secured without putting too much faith in one set of hardware or software, or putting too much burden on one set of people.