Firewalls in the cloud era: They improve the cloud and the cloud improves them
Firewalls will always be required: they are the devices that analyse and control the communication of data and applications at the boundary of a network.
Firewall technology ensures networks run the way we want them to. As a result I came to the conclusion that the question is not ‘will on-premises firewalls disappear?’ but ‘how will firewalls be influenced by cloud technologies?’.
In order to address this we have to look at some of the history.
Enter Unified Threat Management
Ten years ago the first perimeter architectures consisted of a fast packet processor (the firewall) and a battery of content scanning servers. Each server was dedicated to a specific duty, such as detecting spyware or scanning for viruses; each came from a different vendor and each was managed separately. It was genuinely best of breed, and from a pure performance perspective it was ideal.
However, this is a complicated multi-component perimeter infrastructure, and managing it was a real challenge.
We then saw an evolution from the best-of-breed architecture to a Unified Threat Management (UTM) architecture. The UTM fashion was largely driven by well-meaning industry analysts in a quest to solve those implementation issues. But it failed.
There was simply no efficient and reliable way for one device to do everything and defend against every threat. For example, the anti-virus engines in UTM devices have typically been limited in comparison to a stand-alone anti-virus solution. As a result, a firewall implementation always ended up as a security compromise, a balance between network performance and network security, and where that balance was struck was mostly dictated by the organisation’s sector of operation.
Sadly both strategies had their limitations, and the search for alternatives coincided with the growth of cloud computing. As acceptance of the cloud grew, organisations looked at using it for a variety of purposes, including security.
The future is ‘cloudy’
Getting back to firewalls and the cloud, firewalls interact with ‘cloudy IT’ in two ways:
- as a technology that benefits from and utilises the cloud
- as a solution which is not only a foe to our enemies (attackers) but a friend to our business-critical applications
1. The benefits of the cloud: Performance, Efficiency, Reduced costs
The performance issue – Freeing up on-site capacity from the asynchronous workload
As recently as ten years ago, networks had a plethora of perimeter scanning servers. Consolidating them into one box, in the hope of making management easier, killed performance: the firewall struggled to keep up with analysing, prioritising and blocking the traffic it had to handle. The underlying issue is the sheer amount of data a firewall has to process. Traffic volumes grow faster than appliance hardware can keep up with, and there is no such thing as unused network bandwidth: provide more of it and it will be used, which only adds to the problem.
All this real-time data flow puts a huge strain on the firewall’s analysis capabilities. The most secure behaviour would be for the firewall to hold the traffic, analyse it fully and only then send it on its way. From a security standpoint that is exactly what IT wants, but the delay it introduces is not practical and is not how end-users want to work.
So, the main challenge for firewalls is the ability to handle the hugely increased data throughput without compromising security.
The cloud helps to solve this performance problem by pulling the asynchronous workload (the content scanning that does not have to sit in the packet-forwarding path) out of the perimeter and redirecting it to cloud-based content filters. This allows the firewall infrastructure to scale in enterprise environments, as computing power in the cloud can be grown far more easily than appliance hardware.
UTM device efficiency, but with far more performance
From an administration perspective, nothing changes in comparison to the UTM approach: administrators still have one management console from which they manage the on-site firewall capabilities, such as fast packet processing, as well as the content filtering that takes place in the cloud.
So cloud-based, scalable computing power can take on the asynchronous, CPU-intensive content filtering part of a firewall’s function, leaving the on-site device a cleaner and more predictable environment for fast packet processing. From a cost perspective this brings another benefit: cloud-based scanning can be cheaper and more efficient than scaling up current firewall architectures.
What the cloud offers is the benefit of the ‘separation of duties’ architecture without the cost associated with it. Eventually firewalls will become far better devices and will finally resolve the 15-year-old dilemma that perimeter architectures have struggled with: performance versus security.
2. The Firewall of the cloud era – friend to the application – and foe to your enemies
In a private cloud or a closed and simple IT architecture, the basic questions asked of the firewall are: do you block these attacks? Do you restrict access to that type of system? Can you limit access to the outside world?
In cloudy IT the cloud is a strange entity: it is both internal and external, and as parts of the data and applications are now somewhere outside the organisation, the questions change. Questions that were originally asked of application delivery controllers in the application and internal data centre world are now asked of firewalls.
Questions such as: can you accelerate access to that particular application? Can you prioritise the traffic from this user group to this data? Can you provide access to that particular data? Suddenly the firewall becomes involved in many different ways, and many firewalls are not prepared for that.
Firewalls are in the middle of everything
Most firewall vendors try to address the question of what can be blocked. However, the modern firewall is no longer just the device that separates malware and cybercriminals from the controlled part of the network. From an application architecture point of view, the firewall sits somewhere in the middle of everything.
This poses the crucial question: can a firewall contribute positively to application and data access? Traditionally, a firewall’s function is to create obstacles for the ‘bad guys’. The downside of this approach is that it also creates obstacles for the good guys. Everyone knows the security administrator’s excuse, ‘Apologies, but we are down for security reasons’, and that excuse is becoming less tolerated.
Many people assumed that application detection capabilities are primarily used to block bad applications. In reality they are used to identify applications in order to prioritise them for end-user access: for example, giving SAP traffic precedence, or applying WAN optimisation to some parts of the file-sharing network. This is the primary reason for using deep application detection.
Even with the transition to the cloud, a firewall will still be required. The cloud will complement the firewall, relieving it of some of its responsibilities, but the need for a firewall will still exist.
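The two ideas above, application detection driving priority rather than only blocking, and the CPU-heavy content scanning being pulled out of the forwarding path and handed to an off-box scanner, can be shown together in one small model. The Python below is an added example written for this page; it is not code from the article or from any firewall vendor. The `Flow`, `Policy` and `Perimeter` names, the signature list, the policy table and the sample traffic are all constructed for illustration (the port-only "SAP" match stands in for a real DIAG signature); the only real artefact is the EICAR test string, which anti-malware scanners recognise as a harmless test detection.

```python
import re
from concurrent.futures import ThreadPoolExecutor, wait
from dataclasses import dataclass

# The EICAR anti-malware test string: harmless, detected by scanners as a test hit.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # leading bytes of the flow, enough for detection

    def key(self):
        return (self.src, self.dst, self.dport)


@dataclass(frozen=True)
class Policy:
    action: str    # "forward" or "drop"
    priority: int  # forwarding class, 0 = highest
    scan: bool     # hand the payload to the asynchronous content scanner


# Constructed application signatures: (app, port or None for any port, payload pattern or None).
APP_SIGNATURES = [
    ("bittorrent", None, re.compile(rb"^\x13BitTorrent protocol")),
    ("http", 80, re.compile(rb"^(GET|POST|HEAD|PUT) ")),
    ("smb", 445, re.compile(rb"^\x00...\xfeSMB", re.S)),
    ("sap-diag", 3200, None),  # hypothetical port-only match standing in for a DIAG signature
]

# Hypothetical policy table: app detection drives priority, not just blocking.
POLICY = {
    "sap-diag": Policy("forward", 0, False),  # business-critical: top class, no scan detour
    "smb": Policy("forward", 1, True),
    "http": Policy("forward", 2, True),
    "bittorrent": Policy("drop", 3, False),
}
UNKNOWN = Policy("forward", 3, True)


def identify_app(flow: Flow) -> str:
    """Cheap application detection on destination port plus leading payload bytes."""
    for app, port, pattern in APP_SIGNATURES:
        if port is not None and flow.dport != port:
            continue
        if pattern is None or pattern.match(flow.payload):
            return app
    return "unknown"


def content_scan(payload: bytes) -> str:
    """Stand-in for the off-box content filter: the CPU-heavy work lives here."""
    return "malicious" if EICAR in payload else "clean"


class Perimeter:
    """Fast path decides every packet immediately; scan verdicts arrive later."""

    def __init__(self, workers: int = 4):
        self.scanner = ThreadPoolExecutor(max_workers=workers)
        self.pending = []   # (flow, future) for scans still in flight
        self.verdicts = {}  # flow key -> "clean" / "malicious"
        self.blocked = set()

    def _reap(self):
        """Apply any verdicts the scanner has returned since the last packet."""
        still_pending = []
        for flow, fut in self.pending:
            if fut.done():
                self.verdicts[flow.key()] = fut.result()
                if fut.result() == "malicious":
                    self.blocked.add(flow.key())
            else:
                still_pending.append((flow, fut))
        self.pending = still_pending

    def handle(self, flow: Flow) -> dict:
        self._reap()
        if flow.key() in self.blocked:
            return {"action": "drop", "reason": "scanner verdict"}
        app = identify_app(flow)
        policy = POLICY.get(app, UNKNOWN)
        if policy.action == "drop":
            return {"action": "drop", "reason": f"policy for {app}"}
        if policy.scan:  # submit and move on; never block the forwarding path
            self.pending.append((flow, self.scanner.submit(content_scan, flow.payload)))
        return {"action": "forward", "app": app, "priority": policy.priority, "scanned": policy.scan}

    def drain(self) -> dict:
        """Wait for in-flight scans and return all verdicts (shutdown / test helper)."""
        wait([fut for _, fut in self.pending])
        self._reap()
        return dict(self.verdicts)


def demo() -> dict:
    """Constructed traffic: SAP session, benign web request, upload carrying EICAR, BitTorrent handshake."""
    fw = Perimeter()
    flows = {
        "sap": Flow("10.0.0.5", "10.0.1.9", 3200, b"\x00\x00\x01\x00diag"),
        "web": Flow("10.0.0.6", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\n"),
        "upload": Flow("10.0.0.7", "203.0.113.20", 80, b"POST /up HTTP/1.1\r\n\r\n" + EICAR),
        "torrent": Flow("10.0.0.8", "198.51.100.3", 6881, b"\x13BitTorrent protocol"),
    }
    first = {name: fw.handle(f) for name, f in flows.items()}
    verdicts = fw.drain()
    later = fw.handle(flows["upload"])  # next packet on the flagged flow
    fw.scanner.shutdown()
    return {"first": first, "verdicts": verdicts, "later_upload": later}


if __name__ == "__main__":
    for section, value in demo().items():
        print(section, value)
```

Two things to notice when running it. The SAP flow is forwarded in class 0 without ever touching the scanner, which is the prioritisation use of application detection; the BitTorrent handshake is dropped by policy alone. The upload carrying EICAR is forwarded by the fast path and only the next packet on that flow is dropped, once the verdict has come back. That is the trade-off of taking scanning out of the forwarding path: the first payload has already left. A real deployment would decide per application class whether that is acceptable, and hold or scan in-line the classes where it is not.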
Five points to consider
The end result is a ‘firewall plus cloud’ architecture: unified management capability with separated engines. You don’t want everything in ‘one box’, but you want to manage it as if it were ‘one box’. So to conclude:
- Cloud-amended firewalls provide the ultimate solution to the performance and management dilemma that has plagued firewalls for the past 15 years
- Firewalls should support/accelerate access to applications or data
- Deep application analysis should be used to prioritise good applications and data access – as well as blocking the malicious.
- To accelerate cloud-based applications effectively, you need management that scales with them; otherwise the benefit of modern firewall capabilities is lost.
- If things are overcomplicated, it will put people off using them.