cybersecurity-2021-08-29-01-03-10-utc

Distributed Firewalls

 

 

Distributed Firewalls

In today’s interconnected world, where data breaches and network attacks are becoming increasingly common, protecting sensitive information has become paramount. As organizations expand their networks and adopt cloud-based solutions, the need for robust and scalable security measures has grown exponentially. This is where distributed firewalls come into play. In this blog post, we will delve into the concept of distributed firewalls and explore how they can help secure networks at scale.

Traditionally, firewalls have been deployed as centralized devices that simultaneously monitor and filter network traffic. While effective in small networks, this approach becomes inadequate as networks grow in size and complexity. Distributed firewalls, on the other hand, take a different approach by decentralizing the security infrastructure.

Distributed firewalls disperse security capabilities across multiple network nodes, enabling organizations to achieve better performance, scalability, and protection against various threats. By distributing security functions closer to the source of network traffic, organizations can reduce latency and increase overall network efficiency.

 

Highlights: Distributed Firewalls

  • The Role of Abstraction

When considering distributed firewalls, let us start with the basics. Virtual computing changes the compute operational landscape by introducing a software abstraction layer. All physical compute components (NICs, CPU, etc.) get bundled into software and managed as software objects, not as individual physical components.

Virtualization offers many benefits in agility and automation, but statically provisioning network functions hinder its full capabilities. Server virtualization allows administrators to spin up a VM in seconds (Containers – 250ms), yet it potentially takes weeks to provision the physical network to support the new VM. The compute and network worlds lack any symmetry.

  • Network Virtualization

However, their combined service integration is vital to support the application stack. Network virtualization creates a similar abstraction layer to what we see in the computing world. It keeps the network in line with computing regarding agility and automation. Network services, including Layer 2 switching, Layer 3 routing, load balancing, and firewalling, are now available in the software enabling distributed firewalls. Moving physical to software changes the operational landscape of networking to match that of computing.

Both compute, and network is now decoupled from the physical hardware, meaning they can be provisioned simultaneously. These architectural changes form the basis for the zero trust networking design

 

For additional pre-information, you may find the following helpful:

  1. Virtual Switch
  2. Nested Hypervisors
  3. Software Defined Perimeter Solutions
  4. Cisco Secure Firewall
  5. IDP IPS Azure

 



What is a feature of distributed firewalls?

Key Distributed Firewalls Discussion points:


  • Introduction to distributed firewalling and where it can be used.

  • The role of virtualization and the virtual switch.

  • The effects of traffic flow and firewalling.

  • Session state discussion. Stateful Inspection.

  • The different types of distributed firewalls.

 

Back to Basics With Distributed Firewalls

Basics of Firewalls

Firewalls are differentiated in different ways: from the network size they are designed to work to how they protect critical assets. Firewalls can range from simple packet filters to stateful packet filters to application proxies. The most typical firewall concept is a dedicated system or appliance that sits in the network and segments an “internal” network from the “external” Internet.

However, the Internet and external perimeters are not as distinguishable as they were in the past. Most home or SOHO networks use an appliance-based broadband connectivity device with a built-in firewall.

 

Critical Benefits of Distributed Firewalls:

1. Scalability: One of the primary benefits of distributed firewalls is their ability to scale seamlessly with network growth. As new devices and users are added to the network, distributed firewalls can adapt and expand their security capabilities without causing bottlenecks or compromising performance.

2. Enhanced Performance: By distributing security functions across multiple points in the network, distributed firewalls can offload the processing burden from central devices. This improves overall network performance and reduces the risk of latency issues, ensuring a smooth user experience.

3. Improved Resilience: Distributed firewalls offer improved resilience by eliminating single points of failure. In a distributed architecture, even if one firewall node fails, others can continue to provide security services, ensuring uninterrupted protection for the network.

4. Granular Control: Unlike traditional firewalls that rely on a single control point, distributed firewalls allow for more granular control and policy enforcement. Organizations can implement fine-grained access controls by distributing security policies and decision-making across multiple nodes and adapting to rapidly changing network environments.

Use Cases for Distributed Firewalls:

1. Cloud Environments: As organizations increasingly adopt cloud-based infrastructures, distributed firewalls can provide security controls to protect cloud resources. Organizations can secure their cloud workloads by deploying firewall instances close to cloud instances.

2. Distributed Networks: Firewalls are particularly useful in large, geographically dispersed networks. By distributing security capabilities across different branches, data centers, or remote locations, organizations can effectively ensure consistent security policies and protect their network assets.

3. IoT and Edge Computing: With the proliferation of the Internet of Things (IoT) devices and edge computing, the need for security at the network edge has become critical. Distributed firewalls can help secure these distributed environments by providing localized security services and protecting against potential threats.

 

The Virtual Switch

Initially, we abstracted network services with the vSwitch installed on the hypervisor. It was fundamental and could only do simple network services. There was no load balancing or firewalling. With recent network virtualization techniques, we introduce many more network services into the software. One essential service enabled by network virtualization is distributed firewalls.

The distributed model offers a distributed data plane with central programmability. Rules get applied via a central entity, so there is no need to configure the vNIC individually. The vNIC may have specific rule sets, but all the programming is done centrally.

VM mobility is minimal if you can’t move the network state with it. Distributing the firewalling function allows the firewall state and stateful inspection firewall ( connections, rule tables, etc.) to move with the VM. Firewalls are now equally mobile. Something 10 years ago I thought I would never see. As a side note, docker containers do not move as VMs do. They usually get restarted very quickly with a new IP address.

What is a feature of distributed firewalls?

Distributed firewalls – Spreading across the hypervisor.

When considering what a feature of distributed firewalls is, let’s first discuss that the traditional security paradigms are based on a centrally focused design; a centrally positioned firewall device, usually placed on a DMZ, intercepts traffic. It consists of a firewall physically connected to the core, and traffic gets routed from access to the core with manual configuration.

There is no agility. We had a lot of firewalls deployed on a per-application basis, but nothing targeted east-to-west traffic. As you are probably aware, the advent of server virtualization meant there was more east-to-west than north-to-south. Traffic stays in the data center, so we need an optimal design to inspect it thoroughly.

Protecting the application is critical, but the solution should also support automation and agility. Physical firewalls lack any agility. They can’t be moved. If a VM moves from one location to another, the state in the original firewall does not move with the VM. They were resulting in traffic tromboning for egress traffic.

There are hacks to get around this, but they complicate network operations. Stretched HA firewall designs across two data centers are not recommended, as a DCI failure will break both data centers. Proper application architecture and DNS-based load balancing should fix efficient ingress traffic.

 

  • A world of multi-tenancy

We are in multi-tenancy, and physical devices are not ideal for multi-tenant environments. Most physical firewalls offer multiple contexts, but the code is still shared. To properly support multi-tenant cloud environments, we need devices built initially in mind to support multi-tenant environments. Physical devices were never built to support cloud environments. They evolved to do this with VRFs and contexts.

We then moved on to firewall appliances in VM format, known as virtual firewalls. They offer slightly better agility but still suffer traffic tromboning and a potential network chokepoint. Examples of VM-based firewalls include vShield App, vASA, and vSRX Gateway. There is only so much you can push into software.

Generally, you can get up to 5 Gbps with a reduced feature set. I believe Paolo Alto can push up to 10 Gbps. Check the feature parity between the VM and the corresponding physical device.

 

Network Security Components

Network Evolution now offers distributed network services among hypervisors. The firewalling function takes a different construct and is a service embedded in the hypervisor kernel network stack. All hypervisors become one big firewall in software. There is no more extended single device to manage, and we have a new firewall-as-a-service landscape.

Distributing firewalling offers a very scalable model. Firewall capacity is expanded along with the addition of different hypervisors offering a scale-out distributed kernel data plane.

So what is a feature of distributed firewalls? Well, scale comes to mind. They are, essentially, distributed firewalls performance scales horizontally as more hosts are added. Distributed firewalling is similar to connecting every VM directly to a separate firewall port. An ideal situation is yet impossible in the physical world.

Now that the VM has a direct firewall port, there are no traffic tromboning or network choke points. All VM ingress and egress traffic gets inspected statefully at the source and destination, not at a central point in the network. This brings a lot of benefits, especially with the security classification.

 

Distributed Firewalls: Decoupled from IP addressing

In the traditional world, security classification was based on IP address and port number. For example, we would create a rule that source IP address X can speak to destination IP address Y on port 80. We used IP as a security mechanism because the host did not have a direct port mapping to the firewall. For the firewall to depict where traffic is sourced and destined, it used an IP address as the identifier.

This is no longer the case with distributed firewalls. Security rules are entirely decoupled from IP addresses. A direct port mapping from the VM to the kernel-based firewall permits the classification of traffic based on any arbitrary type of metadata; objects, tagging, OS type, or even detection of a specific type of virus/malware. 

Many companies offer distributed firewalling; VMware with NSX is one of them, and it has released a VMware NSX trial allowing you to test for yourself. NSX offers Layer 2 to Layer 4 stateful services using a distributed firewall running in the ESXi hypervisor kernel.

First, the distributed firewall is installed in the kernel by deploying the kernel VIB – VMware Internetwork Service. Then, NSX Manager installs the package via ESX Agency Manager (EAM). 

Then, the VIB gets initiated, and the vsfwd daemon is automatically started in the user space of the hypervisor.

Each vNIC is associated with the distributed firewall. As mentioned, we have a one-to-one port mapping between vNIC and firewalls. Rules are applied to VM; the enforcement point is the VM virtual NIC – vNIC. The NSX manager sends rules to the vsfwd user world process over the Advanced Message Queuing Protocol message bus.

 

distributed firewall