A cloud native approach to development helps DevOps organizations streamline release cycles and take advantage of the speed, reliability, and scalability of cloud-based infrastructure. However, cloud native applications require different security strategies than traditional web applications.
Monolithic web apps, whether they’re hosted on-premises or in the cloud, are typically protected by an appliance called a web application firewall (WAF). A WAF applies a set of firewall rules to an HTTP session, defending against common attacks like Cross-Site Scripting (XSS) and SQL injection, along with other common vulnerabilities. However, traditional WAFs can’t address the specific security challenges presented by containerized environments, which is why cloud native applications require cloud native firewall technology.
Cloud native container environments operate differently from traditional environments, which creates certain challenges for network security.
Containers generally use an overlay network to encapsulate and encrypt network traffic between nodes. The IP addresses of endpoints are largely irrelevant in such a network. Plus, endpoint IP addresses are ephemeral, so they frequently change. Traditional firewall rules, like “from 192.168.1.115 to 192.168.1.145 allow tcp/27031,” aren’t useful for containerized environments because you don’t know (and usually don’t care about) each endpoint’s IP address.
Tip:
In Amazon Elastic Kubernetes Service (EKS), you can have pods that get IP addresses directly from your Virtual Private Clouds in AWS. Operating without an overlay network can affect how you put security in place.
Another characteristic of cloud native applications is the ability to auto-scale, which means new containers automatically spin up and down and serverless functions automatically run and delete according to current demands. Traditional WAFs aren’t equipped to automatically scale, so you often need to manually upgrade their capacity and update firewall rules to account for a sudden increase in new instances.
Cloud native firewall technology is designed specifically to protect cloud native environments. There are two basic functions required of cloud native firewalls:
Cloud native container platforms often provide some built-in security and firewall capabilities. For instance, Kubernetes lets you create network policies that determine which pods may communicate with one another, including pods in other namespaces within a cluster. AWS lets you create security groups and network ACLs to protect traffic between different VPCs (virtual private clouds) and subnets.
Companies like Cisco and Palo Alto Networks have also developed cloud native network firewalls that address the security challenges specific to containerized environments. Cloud native network firewalls are applications or services that run directly in your cloud environment (e.g., AWS). These virtual services use automatic discovery to locate all the entities in your environment, giving you a visual network topology of containerized apps and hosts. The same discovery process identifies the agents that run inside each host, function, or VM, and you can create microsegments and firewall rules that are bound to those agents instead of to ephemeral IP addresses.
In addition, firewall as a service (FWaaS) takes advanced firewall technology like that found in next-generation firewalls (NGFWs) and makes it available as a cloud-based service. While FWaaS isn’t intended specifically for containerized environments, it is cloud native and is meant to protect cloud resources. The benefit of FWaaS is that it allows you to apply enterprise security policies to the cloud, so you have consistent protection. This is also useful for compliance with regulations like SOC2 or PCI, which have specific firewall security requirements that can be difficult to meet in a cloud environment. Some container platforms have built-in FWaaS capabilities, but there are also third-party platforms that integrate with cloud native applications as well as other cloud resources, giving you centralized network security management across your cloud infrastructure.
Keeping your cloud native applications secure will require a multilayered defense. You need a firewall that can inspect north-south traffic, meaning the traffic flowing between your clusters and the outside world, to prevent and detect attacks. You also need to monitor east-west traffic, which is the traffic between containers and nodes within your clusters, so you can limit the lateral movement of an attacker who has breached your external perimeter.
There is cloud native firewall technology to cover each of these tasks in a containerized environment. Built-in firewall capabilities govern communication between pods, namespaces, VPCs, and subnets. Cloud native network firewalls are mostly concerned with monitoring and inspecting east-west traffic on layer 4 of the OSI model, but some also protect traffic to and from external networks. Finally, FWaaS technology acts like a traditional firewall in that it protects the outer perimeter of your cloud environments by monitoring north-south traffic. Combining all three technologies allows you to protect your cloud native applications with the same level of security as your on-premises environments.
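As an added example (not from the original article), the following pair of Kubernetes NetworkPolicy objects shows the label-bound, IP-agnostic rules described above: a default-deny policy for a hypothetical `shop` namespace, followed by a policy that allows only the east-west and north-south flows an `api` workload needs. The namespace names, the `app` labels and the `10.0.0.0/8` cluster-internal range are assumptions; the `kubernetes.io/metadata.name` namespace label is set automatically by recent Kubernetes versions, and `k8s-app: kube-dns` is the label commonly carried by the cluster DNS pods.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}                  # applies to every pod in the namespace
  policyTypes: [Ingress, Egress]   # no rules listed, so all traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: api}        # bound to a label, not to pod IPs
  policyTypes: [Ingress, Egress]
  ingress:
  # East-west: only "web" pods in the "frontend" namespace may call the API on 8080.
  # A namespaceSelector and podSelector in the same list item are ANDed.
  - from:
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: frontend}
      podSelector:
        matchLabels: {app: web}
    ports:
    - {protocol: TCP, port: 8080}
  egress:
  # Deny-all egress also blocks name resolution, so allow cluster DNS explicitly.
  - to:
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: kube-system}
      podSelector:
        matchLabels: {k8s-app: kube-dns}
    ports:
    - {protocol: UDP, port: 53}
  # North-south: HTTPS to the outside world only; the except list keeps this
  # rule from silently re-opening the (assumed) cluster-internal 10.0.0.0/8 range.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except: [10.0.0.0/8]
    ports:
    - {protocol: TCP, port: 443}
```

A cluster whose CNI plugin does not implement NetworkPolicy accepts these objects without enforcing them, so verify enforcement with a test pod that should be blocked rather than trusting that the policy was admitted.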