Distributed Firewall
Ankur Chowdhary
Ph.D. in Computer Science (AI/Cybersecurity), Staff Security Engineer at 6sense Insights, Inc., Author, DEFCON Speaker, Cybersecurity Researcher, CRT(E|P), AWS Certified Solution Architect, Co-Founder DevilSec
A firewall is a collection of components, interposed between two networks, that filters the traffic between them according to some security policy. If we consider modern data centers as a use case, the scope of security enforcement offered by a traditional firewall is limited to north-south traffic, i.e., the firewall serves as a sentry between trusted and untrusted networks, as shown in Fig. 2 below.
Figure 2. Traditional Firewall blocking traffic between untrusted and trusted network.
Modern cloud data centers have become complex with the advent of new architectural and deployment models (e.g., containers and microservices). The demand for higher service availability and low latency has assumed a central role. Security, however, has been left as an afterthought. Cloud Service Providers (CSPs) usually deploy security using a firewall similar to the one shown above at the edge of the network. This leaves traffic in the core of the network, in particular east-west traffic, to pass through without any security inspection.
Limitations of Centralized Firewall
Conventional firewall architecture relies on a restricted topology and controlled network entry points to enforce traffic filtering. The key assumption of this model is that everyone on one side of the firewall's entry point is to be trusted, and hence protected, and that anyone on the other side is, at least potentially, an enemy. However, with the expansion of network connectivity, multiple entry points, different overlay and underlay technologies such as GRE and VXLAN, and configuration complexities, this model offers limited scalability and security enforcement guarantees in a large-scale network.
The volume of east-west traffic in the data-center environment is around 76%, compared with about 17% for north-south traffic [1]. A centralized firewall lacks granular security checking inside the core network, which can lead to security exploits by malicious insiders [2]. Moreover, a centralized firewall will face scalability challenges whenever data-center traffic exceeds its capacity. One solution can be to allow the different network segments of a large, complex network to have their own sub-network-level firewalls, as can be seen in Fig. 1, where Network 1 and Network 2 have their own firewalls. We can consider this a decentralized firewall architecture.
Insider Threats Issues
Once a crafty attacker has managed to breach the security restrictions at the network edge, they can move laterally inside the network (east-west traffic), exploiting key resources virtually unchecked. Even when each network segment has a protective edge firewall, as in the decentralized architecture discussed above, the issue still persists.
Figure 3. Security Policy Inconsistencies in a decentralized firewall architecture.
Consider the example in Fig. 3. The network traffic on the internal network is completely trusted by default. If there is a security vulnerability in the SSH software on host 172.16.0.4, an attacker located on the external network ext-net (10.0.1.0/24) can compromise that host on the internal network (int-net, 172.16.0.4).
- In step 1 of the attack, the attacker uses the Firewall 1 rules defined in Fig. 3(a) and the SSH vulnerability to gain elevated privileges on a machine inside the internal network.
- Next, in step 2, the attacker compromises the SSH service on host 172.16.0.5, which the Firewall 3 rules (the host-level firewall on 172.16.0.5) in Fig. 3(c) permit.
- In step 3, the attacker compromises the vulnerable FTP and MySQL services on 192.168.1.5, which the whitelisting policy defined by Firewall 2 in Fig. 3(b) allows for the hosts in the demilitarized zone (DMZ) network (192.168.1.0/24).
- Finally, in step 4, since all internal traffic is allowed, the attacker can easily compromise the target machine 192.168.1.4.
The conventional and decentralized firewall architectures discussed in this case have no built-in defense mechanism to deal with lateral movement by attackers, since there is no inherent monitoring of east-west traffic.
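The policy audit that exposes this problem can be automated once a single component has the global view of all rule tables, which is exactly what a DFW manager would have. The following is an added example, not code from the post or the book: the rule tables, host addresses and listening services are constructed to follow the Fig. 3 narrative (the figure's actual tables are not reproduced here), and the DFW case is modelled simply as "every flow, including segment-internal traffic, must match a rule".

```python
import ipaddress
from collections import deque

# Constructed rule set modelled on the Fig. 3 narrative (hypothetical contents). Each enforcement
# point protects one network and filters flows entering it; rules are
# (src network, dst network, allowed TCP ports), with None meaning any port.
ENFORCEMENT = [
    ("Firewall 1 (edge of int-net)", "172.16.0.0/24", [("10.0.1.0/24", "172.16.0.0/24", {22})]),
    ("Firewall 3 (host 172.16.0.5)", "172.16.0.5/32", [("172.16.0.0/24", "172.16.0.5/32", {22})]),
    ("Firewall 2 (edge of dmz)", "192.168.1.0/24", [("172.16.0.0/24", "192.168.1.5/32", {21, 3306})]),
]
# Hosts and the TCP services they listen on (constructed).
HOSTS = {"172.16.0.4": {22}, "172.16.0.5": {22}, "192.168.1.5": {21, 3306}, "192.168.1.4": {22, 3306}}
ATTACKER = "10.0.1.10"  # some host on ext-net

def flow_allowed(enforcement, src, dst, port, default_allow):
    """A flow must be permitted by every enforcement point it enters. A flow that enters none
    (traffic inside one segment) gets the segment default: trusted in the decentralized design,
    denied when a DFW applies policy to east-west traffic as well."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    crossed = False
    for _name, protected, rules in enforcement:
        pnet = ipaddress.ip_network(protected)
        if d in pnet and s not in pnet:  # this segment enters the protected network
            crossed = True
            if not any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
                       and (ports is None or port in ports) for sn, dn, ports in rules):
                return False  # dropped at this enforcement point
    return crossed or default_allow

def reachable(enforcement, start, hosts, default_allow):
    """Transitive reachability: hosts that can be reached from `start` by hopping through any host
    already reached (the lateral movement described above). Returns {host: path}."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        cur = queue.popleft()
        for host, listening in hosts.items():
            if host not in paths and any(
                    flow_allowed(enforcement, cur, host, p, default_allow) for p in listening):
                paths[host] = paths[cur] + [host]
                queue.append(host)
    return paths

if __name__ == "__main__":
    for label, default in (("decentralized, segment-internal traffic trusted", True),
                           ("DFW, every flow must match a rule", False)):
        print(label, "->", reachable(ENFORCEMENT, ATTACKER, HOSTS, default))
```

With the segment default set to trusted, the audit reports the four-hop path to 192.168.1.4; with the DFW default it reports that the same rule tables leave 192.168.1.4 unreachable from ext-net, because the hop from 192.168.1.5 no longer matches any rule.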
Distributed Firewall - A potential solution
A distributed firewall can help address the security and scalability challenges that limit traditional firewall architectures. The implementation of a distributed firewall requires a global view of the entire network infrastructure, including the current topology, the access control list (ACL) rules and the state of each running host.
Figure 4. A distributed firewall (DFW) design for addressing security issues in traditional firewall architectures.
The firewall can be logically distributed, with the capability of inspecting not only north-south but also east-west traffic, as shown in Fig. 4. A distributed firewall (DFW) manager can inspect the security situation of the network and enforce security at a granular level. Southbound APIs can be used to enforce security policies on each network component. A common protocol, e.g., OpenFlow [4], can be used to achieve consistency over the entire network. In this design, each device that wants to join the DFW framework requires OpenFlow capability.
VMware NSX [3] provides a similar framework, known as Microsegmentation, for implementing a distributed firewall in a data-center network. This allows the network administrator to implement security policies at the granularity of each network, subnet and VM instance. There are, however, no built-in connection tracking or security policy conflict analysis mechanisms in the current distributed firewall implementations. In the DFW design above, we can include a connection tracking mechanism to ensure stateful inspection of traffic. This will help address network attacks such as TCP SYN flood and ACK storm attacks.
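As an added illustration of the connection tracking mechanism proposed above (constructed example code, not the book's design or any vendor's implementation), the following stateful filter for one DFW enforcement point keeps a per-flow table that follows the TCP handshake: a SYN is admitted only if the DFW rule permits the initiator and the source has not exceeded a half-open budget, a SYN-ACK is admitted only if a tracked client asked for it, and any other segment without tracked state is dropped. The rule function `int_net_to_dmz_db` and the per-source limit are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

SYN_SENT, ESTABLISHED = "SYN_SENT", "ESTABLISHED"

class ConnTracker:
    """Constructed stateful inspection for one enforcement point; the flow key is
    (client, client port, server, server port) and the state follows the TCP handshake."""
    def __init__(self, allow_initiation, half_open_limit=3):
        self.allow_initiation = allow_initiation  # DFW rule: may src open dst:dport?
        self.half_open_limit = half_open_limit    # per-source cap on embryonic connections
        self.table = {}                           # flow key -> state
        self.half_open = defaultdict(int)

    def inspect(self, src, sport, dst, dport, flags):
        """Return 'ACCEPT' or 'DROP' for one TCP segment; flags is a set such as {'SYN', 'ACK'}."""
        fwd = (src, sport, dst, dport)  # key if this segment travels client -> server
        rev = (dst, dport, src, sport)  # key if this segment travels server -> client
        if flags == {"SYN"}:
            if not self.allow_initiation(src, dst, dport) or fwd in self.table:
                return "DROP"
            if self.half_open[src] >= self.half_open_limit:
                return "DROP"  # too many unanswered SYNs from one source (SYN flood)
            self.table[fwd] = SYN_SENT
            self.half_open[src] += 1
            return "ACCEPT"
        if flags == {"SYN", "ACK"}:
            # only a server that a tracked client actually contacted may answer
            return "ACCEPT" if self.table.get(rev) == SYN_SENT else "DROP"
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            return "DROP"  # ACK/FIN/RST with no tracked connection (e.g. ACK storm noise)
        if self.table[key] == SYN_SENT and key == fwd and "ACK" in flags:
            self.table[key] = ESTABLISHED  # the client's final ACK completes the handshake
            self.half_open[src] -= 1
        elif self.table[key] == SYN_SENT:
            return "DROP"  # half-open connection: nothing else is valid yet
        if flags & {"FIN", "RST"}:
            del self.table[key]  # teardown: forget the flow
        return "ACCEPT"

def int_net_to_dmz_db(src, dst, dport):
    """Constructed DFW rule: only int-net hosts may open MySQL on the DMZ database host."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network("172.16.0.0/24")
            and (dst, dport) == ("192.168.1.5", 3306))
```

Because the table is populated only by policy-permitted SYNs, reply traffic is admitted without a separate inbound rule, and spoofed SYN-ACK or ACK segments that match no tracked flow are discarded at the enforcement point nearest the target.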
Parts of this blog post are from my book "Software-Defined Virtual Network Security: From Theory to Practice". Feel free to check out Chapter 6, Microsegmentation if you are interested.
References
[1] Cisco. "Trends in Data Center Security, Part 1: Traffic Trends." Cisco Security Blog, 2014. https://blogs.cisco.com/security/trends-in-data-center-security-part-1-traffic-trends
[2] Ioannidis, S., Keromytis, A. D., Bellovin, S. M., and Smith, J. M. "Implementing a Distributed Firewall." In Proceedings of the 7th ACM Conference on Computer and Communications Security (2000), ACM, pp. 190–199.
[3] Sreejith, C. VMware NSX Network Essentials. Packt Publishing, 2016.
[4] McKeown, Nick, et al. "OpenFlow: enabling innovation in campus networks." ACM SIGCOMM Computer Communication Review 38.2 (2008): 69-74.