Zero Trust and Firewalling

Network security is traditionally divided into zones contained by one or more firewalls. A trust level is assigned to each zone, which determines what network resources it is permitted to access. This model provides very strong defense in depth. An exclusion zone (often called a “DMZ”) is set up where traffic can be tightly monitored and controlled for resources considered to be more vulnerable, such as web servers that expose themselves to the public Internet.

Generally, firewalls are configured to control traffic on a deny-by-default/allow-by-exception basis. The firewall does not allow anything to pass simply because it is on the network (or is attempting to reach the network). The firewall requires all traffic to meet a set of requirements to proceed.

Controlling Traffic

You control which traffic passes through firewalls and which traffic is blocked as a network administrator or information security officer. In addition to ingress and egress filtering, you can determine whether filtering occurs on inbound or outbound traffic. It is usual for an organization to filter inbound traffic, as many threats are outside the network. It is also essential to filter outbound traffic, as sensitive data and company secrets may be sent outside the network

The Role of Abstraction

When considering distributed firewalls, let us start with the basics. Virtual computing changes the compute operational landscape by introducing a software abstraction layer. All physical compute components (NICs, CPU, etc.) get bundled into software and managed as software objects, not as individual physical components.

Virtualization offers many benefits in agility and automation, but static provisioning of network functions hinders its full capabilities. Server virtualization allows administrators to spin up a VM in seconds (Containers—250ms), yet it potentially takes weeks to provision the physical network to support the new VM. The compute and network worlds lack any symmetry.

Network Virtualization

However, their combined service integration is vital to support the application stack. Network virtualization creates a similar abstraction layer to what we see in the computing world. It keeps the network in line with computing in terms of agility and automation. Network services, including Layer 2 switching, Layer 3 routing, load balancing, and firewalling, are now available in the software enabling distributed firewalls. Moving physical to software changes the operational landscape of networking to match that of computing.

Both compute, and network is now decoupled from the physical hardware, meaning they can be provisioned simultaneously. These architectural changes form the basis for the zero trust networking design. 

For additional pre-information, you may find the following helpful:

1. Virtual Switch
2. Nested Hypervisors
3. Software Defined Perimeter Solutions
4. Cisco Secure Firewall
5. IDP IPS Azure

Back to Basics With Distributed Firewalls

Basics of Firewalls

Firewalls are differentiated in different ways: from the network size they are designed to work to how they protect critical assets. Firewalls can range from simple packet filters to stateful packet filters to application proxies. The most typical firewall concept is a dedicated system or appliance that sits in the network and segments an “internal” network from the “external” Internet.

However, the Internet and external perimeters are not as distinguishable as they were in the past. Most home or SOHO networks use an appliance-based broadband connectivity device with a built-in firewall.

Critical Benefits of Distributed Firewalls:

1. Scalability: One of the primary benefits of distributed firewalls is their ability to scale seamlessly with network growth. As new devices and users are added to the network, distributed firewalls can adapt and expand their security capabilities without causing bottlenecks or compromising performance.

2. Enhanced Performance: By distributing security functions across multiple points in the network, distributed firewalls can offload the processing burden from central devices. This improves overall network performance and reduces the risk of latency issues, ensuring a smooth user experience.

3. Improved Resilience: Distributed firewalls offer improved resilience by eliminating single points of failure. In a distributed architecture, even if one firewall node fails, others can continue to provide security services, ensuring uninterrupted protection for the network.

4. Granular Control: Unlike traditional firewalls that rely on a single control point, distributed firewalls allow for more granular control and policy enforcement. Organizations can implement fine-grained access controls by distributing security policies and decision-making across multiple nodes and adapting to rapidly changing network environments.

Use Cases for Distributed Firewalls:

1. Cloud Environments: As organizations increasingly adopt cloud-based infrastructures, distributed firewalls can provide security controls to protect cloud resources. Organizations can secure their cloud workloads by deploying firewall instances close to cloud instances.

2. Distributed Networks: Firewalls are particularly useful in large, geographically dispersed networks. Organizations can effectively ensure consistent security policies and protect their network assets by distributing security capabilities across different branches, data centers, or remote locations.

3. IoT and Edge Computing: With the proliferation of the Internet of Things (IoT) devices and edge computing, the need for security at the network edge has become critical. Distributed firewalls can help secure these distributed environments by providing localized security services and protecting against potential threats.

The Virtual Switch

Initially, we abstracted network services with the vSwitch installed on the hypervisor. It was fundamental, and it could only provide simple network services. There was no load balancing or firewalling. With recent network virtualization techniques, we introduce many more network services into the software. One essential service enabled by network virtualization is distributed firewalls.

The distributed model offers a distributed data plane with central programmability. Rules get applied via a central entity, so there is no need to configure the vNIC individually. The vNIC may have specific rule sets, but all the programming is done centrally.

VM mobility is minimal if you can’t move the network state with it. Distributing the firewalling function allows the firewall state and stateful inspection firewall ( connections, rule tables, etc.) to move with the VM. Firewalls are now equally mobile. Something 10 years ago I thought I would never see. As a side note, docker containers do not move as VMs do. They usually get restarted very quickly with a new IP address.

What is a feature of distributed firewalls?

Distributed firewalls – Spreading across the hypervisor.

When considering what a feature of distributed firewalls is, let’s first discuss that the traditional security paradigms are based on a centrally focused design; a centrally positioned firewall device, usually placed on a DMZ, intercepts traffic. It consists of a firewall physically connected to the core, and traffic gets routed from access to the core with manual configuration.

There is no agility. We had many firewalls deployed on a per-application basis, but nothing targeted east-to-west traffic. As you are probably aware, the advent of server virtualization meant there was more east-to-west traffic than north-to-south traffic. Traffic stays in the data center, so we need an optimal design to inspect it thoroughly.

Protecting the application is critical, but the solution should also support automation and agility. Physical firewalls lack any agility. They can’t be moved. If a VM moves from one location to another, the state in the original firewall does not move with the VM. They were resulting in traffic tromboning for egress traffic.

There are hacks to get around this, but they complicate network operations. Stretched HA firewall designs across two data centers are not recommended, as a DCI failure will break both data centers. Proper application architecture and DNS-based load balancing should fix efficient ingress traffic.

A world of multi-tenancy

We are in multi-tenancy, and physical devices are not ideal for multi-tenant environments. Most physical firewalls offer multiple contexts, but the code is still shared. To properly support multi-tenant cloud environments, we need devices built initially in mind to support multi-tenant environments. Physical devices were never built to support cloud environments. They evolved to do this with VRFs and contexts.

We then moved on to firewall appliances in VM format, known as virtual firewalls. They offer slightly better agility but still suffer traffic tromboning and a potential network chokepoint. Examples of VM-based firewalls include vShield App, vASA, and vSRX Gateway. There is only so much you can push into software.

Generally, you can get up to 5 Gbps with a reduced feature set. I believe Paolo Alto can push up to 10 Gbps. Check the feature parity between the VM and the corresponding physical device.

Network Security Components

Network Evolution now offers distributed network services among hypervisors. The firewalling function takes a different construct and is a service embedded in the hypervisor kernel network stack. All hypervisors become one big firewall in software. There is no more extended single device to manage, and we have a new firewall-as-a-service landscape.

Distributing firewalling offers a very scalable model. Firewall capacity is expanded, and different hypervisors are added to provide a scale-out distributed kernel data plane.

So, what is a feature of distributed firewalls? Well, scale comes to mind. They are distributed firewalls, and their performance scales horizontally as more hosts are added. Distributed firewalling is similar to connecting every VM directly to a separate firewall port. An ideal situation is yet impossible in the physical world.

Now that the VM has a direct firewall port, there are no traffic tromboning or network choke points. All VM ingress and egress traffic gets inspected statefully at the source and destination, not at a central point in the network. This brings a lot of benefits, especially with the security classification.

Distributed Firewalls: Decoupled from IP addressing

In the traditional world, security classification was based on IP address and port number. For example, we would create a rule that source IP address X can speak to destination IP address Y on port 80. We used IP as a security mechanism because the host did not have a direct port mapping to the firewall. The firewall used an IP address as the identifier to depict where traffic is sourced and destined.

This is no longer the case with distributed firewalls. Security rules are entirely decoupled from IP addresses. A direct port mapping from the VM to the kernel-based firewall permits the classification of traffic based on any arbitrary type of metadata: objects, tagging, OS type, or even detection of a specific type of virus/malware. 

Many companies offer distributed firewalling; VMware with NSX is one of them, and it has released a VMware NSX trial allowing you to test for yourself. NSX offers Layer 2 to Layer 4 stateful services using a distributed firewall running in the ESXi hypervisor kernel.

First, the distributed firewall is installed in the kernel by deploying the kernel VIB – VMware Internetwork Service. Then, NSX Manager installs the package via ESX Agency Manager (EAM). 

Then, the VIB is initiated, and the vsfwd daemon is automatically started in the hypervisor’s user space.

Each vNIC is associated with the distributed firewall. As mentioned, we have a one-to-one port mapping between vNIC and firewalls. Rules are applied to VM; the enforcement point is the VM virtual NIC – vNIC. The NSX manager sends rules to the vsfwd user world process over the Advanced Message Queuing Protocol message bus.