Firewalls in the Cloud - Microsoft Azure

Download PDF

Introduction

A packet-inspection firewall is necessary for securing a data center’s network perimeter. At a minimum, it helps block basic IP-level attacks, port-scanning, and other Layer 3 - 4 threats. But as network services have evolved, so too has the complexity of attacks upon them, quickly defeating mere circuit, or even transport-layer protection.

More recently, application-layer firewalls have played a critical role in blocking many new and advanced security threats, and are widely seen as a “must-have” for security-conscious organizations that handle application traffic at their network edge.

However, the growth in cloud computing capabilities and services has driven more data into places where traditional IT security measures cannot reach - into data centers not owned by your corporate IT group.

Now, we will look at the requirements for cloud application security, and how a new category of threat defense - the cloud firewall - can deliver all of the benefits of traditional network security in a virtualized form-factor.

Security Challenges

The idea of virtual security appliances is not new; they have existed on Windows platforms for more than five years, providing deep content inspection and advanced security in a more portable and easily-deployed format. But while these have been more frequently used in private cloud deployments or virtualized data centers, the public cloud has been slower to adopt sophisticated virtual firewalls.

In particular, the lack of application-layer security support for Microsoft Azure has left tenants somewhat exposed if they place data-driven applications within virtual machines in the cloud, as opposed to re-architecting their solutions to be completely PaaS- or SaaS-centric. This limits the kinds of applications that can be quickly and easily migrated to the cloud.

Since Microsoft Azure provides security frameworks, rather than security services (excepting for WA Active Directory, WA Rights Management Services, VPN, or native capabilities in Windows Server), it is left to the individual customer to determine how best to protect digital assets in the cloud.

Typically, whatever threats you face in your physical data center will be present in a virtualized one, along with the added complexity of the remote link between the two, plus the lack of direct ownership and control. Thus, as you extend your applications to the cloud, you are also extending your notions of identity, network and access control, information protection, and endpoint security.

Unfortunately, many applications that are ported to the cloud will not benefit from thorough security reviews and redesigns, either because of the costs or resources involved—or both. This puts IT administrators in a bind to protect infrastructure from threats for which it wasn’t designed, requiring security architects to take a more holistic approach to network defense.

Cloud-based network and application security can be viewed in the same way as physical data centers: capabilities provided by the platform (Windows Server as compared to Microsoft Azure), and what the application architecture must provide (a local web application vs. a cloud service).

Cloud Security Requirements

As mentioned above, looking at security from end to end increases your ability to identify and block threats across multiple vectors, whether from internal or external sources. Called defensein-depth, it is a concept that seeks to place security capabilities at every layer and every boundary in the enterprise IT network. Defense-in-depth embodies secure design and deployment at both the architectural and management levels.

Deploying security in the cloud requires that you understand the differences between what is inherent in the platform, and what is incumbent upon the customer. The following tables break down many of these fundamental elements for network security (note that it does not cover application development).

Microsoft Azure Native Network Security

The benefit of cloud IT solutions is that you aren’t responsible for network hardware security. Microsoft Azure provides numerous security controls that protect the infrastructure, cloud fabric, hypervisors, workloads/services, and tenant environments.

Hardware Firewalls:

Situated at the perimeter of the physical networks operated by Microsoft Global Foundation Services, the “hosting provider” for Microsoft Azure, Office365, Hotmail, and more.

Host Firewall:

Microsoft Azure host-level firewalls with packet filters that block cross-tenant communications via virtual networks.

VM Firewall:

Packet filters within a tenant environment that control traffic between VMs within the same virtual network.

OS Firewall:

Windows Server’s built-in firewall, which is enabled by default on IaaS VM instances.

Port Controls:

Customer-defined endpoints map ports between private and public IP addresses, locked down by default.

Isolation:

Multiple mechanisms prevent damage to one tenant environment by another, such as by IP spoofing.

DDoS Prevention:

Microsoft Azure employs a variety of network-level controls such as DHCP rate-limiters, Host OS packet filtering, and IP Address ACLs.

SSL/IPsec:

All internal network communications (those within the confines of a Microsoft Azure data center) are on protected links and/or encrypted with SSL. Certain tunnels (such as through VPN) can alternatively use IPsec.

Logging/Auditing:

Comprehensive logging is a core capability of the platform, across infrastructure, applications, cloud services, and operating systems. These logs enable audit processes, forensic analysis, and other security lifecycle programs.

Basic IDS/IPS:

Microsoft Global Foundation Services data centers, which operate cloud services including Microsoft Azure, Office 365, and CRM Online, use IDS/ IPS devices at various boundary points, but these are not customerconfigurable and cannot be tuned for specific workloads.

VPN/Virtual Network Gateway:

Microsoft Azure Virtual Network provides traffic isolation on a subscription/ tenant basis. The Virtual Network Gateway enables customers to identify specific ports for external communications, place IP ACLs, and tunnel directly to a virtual network from an endpoint (such as the customer’s data center router).

Identity and Access Management:

Microsoft Azure Active Directory is Windows AD for the cloud, providing identity and policy storage. Access Control Services is the authentication and authorization mechanism, supporting a variety of identity providers, as well as AD Federation Services for extending a corporate directory.

Document Rights Management:

Microsoft Azure Rights Management Services provides durable identity-based access control and encryption on a variety of object types stored in Microsoft Azure, programmable via an SDK.

Workload Security Gaps

However, when it comes to workload-specific security, such as protecting application traffic from exploits, implementing anti-malware solutions, or defending against sophisticated targeted attacks on an individual entity, Microsoft Azure cannot (as outlined by the first article in this series) serve up an appropriate solution. This is primarily because the cloud service has no knowledge of what constitutes a customer’s normal operations versus malicious traffic.

The result is a set of gaps that customers’ IT administrators must address.

Application-layer Intelligence:

Detection and classification of applications and sub-applications by combining deep packet inspection and behavioural traffic analysis.

Deep Content Inspection/Filtering:

Deeper inspection of the application data stream by continually evaluating the actual intention of applications and the respective users.

IDS/IPS:

Real-time network protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases.

Web Filtering:

Protect user productivity, block malware downloads and other web-based threats, and enable compliance by blocking access to unwanted websites and servers.

DDoS Protection:

Ensure ongoing availability of the network for legitimate requests and to detect and repel malicious denial of service attacks.

Identity Awareness:

Apply filtering, bandwidth allocation, and resource access based on user/group level policy and client health status.

Encrypted Traffic Protection:

Intercept, decrypt, and inspect SSL-encrypted application traffic.

Application Control:

Define custom application controls to enable/disable functionality.

Anti-Malware:

Detect and remove malicious content and programs in e-mail, web sessions, and application traffic to reduce the threats of zero-day attacks.

Network Management:

Fine-grain policy-based decisions on traffic routing and control to optimize performance and create more diverse - yet secure - network topologies.

The Next-Generation Firewall

Cloud IT deployments typically take one of three possible forms:

  • Private Cloud - on-premises solution where the benefits of virtualization come with complete IT control
  • Public Cloud - a capacity model where limitless scalability offers hardwareindependence, but platforms and infrastructure are not IT-owned
  • Hybrid Cloud - a mix of both private and public, helping augment on-premises scalability while retaining greater control

In private cloud scenarios, it is far easier—as with traditional physical IT—to isolate and protect network traffic throughout the enterprise’s infrastructure, and administrators can even virtualize certain components to provide a multi-layer security profile. All applications and services are still housed internally, where administrators have well defined policies and procedures for protecting them.

In the other two models, however, the loss of direct control means you can’t rely on the physical infrastructure to protect applications and data. While on-premises security devices such as firewalls, VPNs, IPSs, and so on provide a crunchy security exterior, cloud-based environments have only the basic protections afforded by the shared services, or those included in the server operating system (Windows Server or otherwise).

As a result, the role of the network and application firewall becomes even more critical because of the gaps between what enterprise IT can do and what the cloud foundation can deliver, as described in the tables above.

With Microsoft Azure, the functional needs can be addressed by deploying new layers of protection through a virtual security device which can sit within your tenant environment. Barracuda Network’s next-generation firewalls leverage the power of application visibility and user awareness to manage traffic and bandwidth intelligently; it also adds capabilities to optimize WAN performance and reliability. The Barracuda NextGen Firewall F-Series helps IT administrators re-establish control over networks made chaotic and vulnerable by the explosion of mobile and BYOD devices, evasive Web 2.0 applications, and remote network users.

By bringing these capabilities to Microsoft Azure, not only can customers gain application visibility to enhance security with deep application content inspection that blocks malware and other attacks or intrusions, but go well beyond to protect cloud infrastructure where it is needed most.

The Barracuda NextGen Firewall F-Series integrates into your Microsoft Azure virtual network by creating a network security gateway between Internet-facing “endpoints” (a port-mapping between a public virtual IP address and an internal Microsoft Azure private IP address) and your tenant virtual machines.

Application Firewalls in the Cloud

In the diagram below you can see how, from a virtual network perspective, deploying a virtualized application firewall is very similar to the topology used for a physical device. The principle differences are in how traffic is routed between the tenant’s environment and the outside world, although these are largely transparent to the end user (or to the customer IT administrator).

The Barracuda NextGen Firewall F-Series fills the functional gaps between cloud infrastructure security and a defense-in-depth strategy by providing protection where the application and data reside, rather than solely where the connection terminates.

Because of the isolation between VMs, tenants, and virtual networks, the Barracuda NextGen Firewall F-Series operates just as if it were a physical device bridging connections between application servers in a network DMZ and your ISP’s router. Since no traffic is allowed from the Microsoft Azure Fabric, host OS, or hypervisor to a tenant’s virtual network or VMs, the Barracuda NextGen Firewall F-Series can intercept all Layer 2 through 7 traffic, and apply policy-based controls, authentication, filtering, and other capabilities. And as with its physical counterpart, the same traffic management and bandwidth optimizations can be used to make the environment more efficient, thereby using fewer billable cloud resources.

Beyond its powerful network firewall, high availability, and VPN technologies, the Barracuda NextGen Firewall F-Series integrates a comprehensive set of next-generation firewall technologies, including Application Control, IPS, anti-malware, network access control enforcement, and comprehensive user awareness. The Barracuda NextGen Firewall F-Series is fully compatible with Microsoft Azure for establishing site-to-site and/or client-to-site connections to its cloud services, and creating a virtual DMZ in Azure to implement an additional high-security layer.

Deployment Scenarios

Here we will walk through a few examples to demonstrate how and where you would implement the Barracuda NextGen Firewall F-Series on Microsoft Azure to meet specific information security requirements in the cloud.

Secure Data Center

When focusing your IT infrastructure fully in a cloud deployment, as opposed to a hybrid cloud approach, you should consider the roles of each VM in the overall virtual network topology - just as if they were physical servers. You have the benefits of Microsoft Azure’s isolation mechanisms between VMs and tenants, but you still need to configure public and private IP addresses (and port mappings for endpoints within Microsoft Azure’s load balancer) so that traffic is appropriately routed through the VM running the Barracuda NextGen Firewall F-Series.

Securing the virtual data center (topologies for single VMs, VNETs, subscriptions)

  • Traffic flowing to or from the Internet, between virtual networks, or between tenants (that must first go out to the Internet since no tenant-to-tenant communication is possible in Microsoft Azure) should be filtered and managed by The Barracuda NextGen Firewall F - and TLS encrypted if necessary. As with physical networks, your virtual topology should reflect the necessary security zones between application servers, directory services, and public-facing endpoints (for example, web front-ends in a classic multi-tier application).
  • Configure routing rules in the Barracuda NextGen Firewall F-Series that correspond to input endpoints for services exposed to the Internet (public IP addresses). You can provide additional security for sensitive data by also routing traffic either within a VNET or between VNETs (using private IP addresses) through the firewall.

Securely extending the physical data center to the cloud (via site-to-site VPN)

  • For businesses that build net-new infrastructure in the cloud, there may be no need for server-side connectivity (such as between the various components in a CRM solution). In most cases, however, customers are either migrating solutions to the cloud from an existing data center, or augmenting on-premises systems with cloud scalability. This requires secure connectivity between your Microsoft Azure environment and your local IT infrastructure.
  • The Barracuda NextGen Firewall F-Series provides fully integrated VPN capabilities that route traffic securely between virtual and physical sites over a dedicated link. In particular, when a Barracuda NextGen Firewall F-Series device is used in both the data center and within Microsoft Azure, you benefit from unified enterprise administration, common policies, and remote configuration. This will make it easier to manage multiple cloud instances while guaranteeing end-to-end connection integrity.

Secure Remote Access

Microsoft Azure provides services for creating both site-to-site and point-to-site (a.k.a. client) VPN connections that are either static or dynamic/routed (currently only as a feature preview). Alternatively, you could configure a VPN gateway using Windows RRAS on a dedicated Microsoft Azure VM. And while these tunnels are certainly secure from an encryption and privacy standpoint, they do not provide the level of control that many enterprise IT groups have come to rely on through their hardware-based Firewall/VPN devices.

Client VPN

  • Using a virtual Barracuda NextGen Firewall F-Series within your Microsoft Azure environment provides the advanced access policy, filtering, and connection management necessary if you are going to provide client access to the cloud. This can be useful when offloading network management from local devices, with the added benefit of keeping potentially higher-risk connections further from on-premises IT infrastructure.
  • With support for policy implementation through both Barracuda Network Access Control (NAC) and Windows Network Access Protection (NAP) clients, as well as standard Windows and other third-party clients, you can control all traffic that moves in and out of your cloud services. This includes client health verification, deep content inspection, anti-malware scanning, and more, helping to ensure that Microsoft Azure services are a secure extension of your on-premises systems.
  • SSL-VPN provides “clientless” remote access by tunneling both standard web and proprietary application protocols using SSL over HTTP. This provides full application functionality for client-server solutions, with the simplicity of a web connection, and no client-side software installation (although more advanced capabilities require at least a transient web-based agent). The Barracuda NextGen Firewall F-Series brings this capability to Microsoft Azure environments as an alternative to un-gated application access by business partners or vendors using your cloud solution.

Encryption

  • Encrypted content (even at the point of TLS) can pose a greater security threat than information sent in-the-clear … mostly because encrypted data doesn’t get inspected. The Barracuda NextGen Firewall F-Series, however, terminates SSL sessions and IPsec tunnels so that all data—no matter the source or the destination—is subject to policy application, malware scanning, confidentiality enforcement, and other firewall protections.
  • Deploying the Barracuda NextGen Firewall F-Series’s encryption capabilities on top of Microsoft Azure solves issues around applying policy to data transiting not only from the web, but from private connections to your data center. This includes site-tosite and endpoint VPN, helping to avoid risky configurations where Microsoft Azure virtual networks and tenants have multiple open ports and potential endpoints.

Identity

Microsoft Azure provides services for creating both site-to-site and point-to-site (a.k.a. client) VPN connections that are either static or dynamic/routed (currently only as a feature preview). Alternatively, you could configure a VPN gateway using Windows RRAS on a dedicated Microsoft Azure VM. And while these tunnels are certainly secure from an encryption and privacy standpoint, they do not provide the level of control that many enterprise IT groups have come to rely on through their hardware-based Firewall/VPN devices.

Granular, policy-based filtering

  • The Barracuda NextGen Firewall F-Series integrates directly with multiple AAA (authentication/authorization/access control) providers, including Windows Active Directory and Microsoft Azure AD. By leveraging user and security group account information coupled with comprehensive content inspection, administrators can enforce a high degree of application control and protection on a per-user basis
  • The Barracuda NextGen Firewall F-Series supports authentication of users and enforcement of user-aware firewall rules, web filter settings, and Application Control 2.0 using Active Directory, NTLM, MS CHAP, RADIUS, RSA SecurID, LDAP/LDAPS, TACACS+, as well as authentication with x.509 certificates, and local databases. When extending your corporate directory structure to the cloud, the Barracuda NextGen Firewall F-Series can authenticate users whether its host VM is domain-joined or not, using your on-premises data center AD or cloud AD, or via trusted domains through AD file system (FS).
  • While Microsoft Azure Virtual Networks effectively block unwanted communications between hosts, the Barracuda NextGen Firewall F-Series isolates cloud workloads, separates cloud application users from corporate user accounts if needed, and can differentiate cloud policies from on-premises ones to enforce cloud resource usage parameters on traffic. This provides a more effective framework for permitting appropriate traffic between tenants in a single subscription.
  • The Barracuda NextGen Firewall F-Series can further protect cloud infrastructure from potential exploits by using client health statements to enforce access policies. Creating user/security groups in AD that can be associated with particular use cases (such as how applications should work when accessed from a web kiosk versus a corporate laptop with a health agent) narrows application access and functionality when the cloud endpoint can’t be properly assessed.
  • Using the Barracuda NextGen Firewall F-Series with Microsoft Azure AD enables self-service IAM by using standard clients and protocols, and supporting multifactor authentication for cloud applications. This takes the load off of corporate developers to design complex authentication tools, and instead lets them take advantage of the same firewall capabilities they have in their data center.

Management

Virtual networking in Microsoft Azure provides tenant isolation and security, but does not offer the capabilities normally associated with virtual networks running within your on-premises physical LAN, such as traffic optimization, monitoring, and reporting. To provide the highest degree of control and validation of network operations across both on-premises and cloud infrastructure, the Barracuda NextGen Firewall F-Series provides a comprehensive set of tools for managing performance, usage, and configuration.

Optimization and traffic shaping

  • Whether in the physical or virtual environment, resources cost money. In the cloud, you pay for capacity, bandwidth, utilization, and so forth; in the data center, you pay for the hardware to make things run. The Barracuda NextGen Firewall F-Series will help you optimize network traffic between tenants, your data center, and end-users by applying familiar Barracuda technologies to virtual workloads. The Barracuda NextGen Firewall F-Series can enforce quotas, compress protocol traffic, and more effectively route connections so that bandwidth is conserved and applications run more efficiently.

Real-time network visibility and reporting

  • Performing root-cause analysis on security incidents is dependent on high-quality data from the infrastructure. Microsoft Azure can log almost every event that occurs on a compute node, but it does not record network traffic, packet statistics, or other network data types that could be useful in locating a fault or vulnerability inside a customer’s environment. The Barracuda NextGen Firewall F-Series brings all of the traffic analysis tools from the hardware-level device to the cloud, enabling administrators to create detailed views that support forensic investigations—or just to provide clearer insights on cloud operations.

Centralized administration

  • Most network administrators have faced the challenges that come with managing distributed infrastructure, which is now complicated by extending it into the cloud. Barracuda developed enterprise-scale tools for managing hardware firewalls that are part of the Barracuda NextGen Firewall F-Series Vx, making it possible to unify security operations across local on-premises devices and virtual devices in the cloud, no matter where they are.
  • Deploying the Barracuda NextGen Firewall F-Series Vx in Microsoft Azure also enhances corporate regulatory compliance activities by supplying a firewall revision control system to increase auditing ease.

Summary

Securing applications and data in Microsoft Azure is far easier with tools that are dedicated to the task. The Barracuda NextGen Firewall F-Series Vx merges the worlds of on-premises data center network protection with cloud IT security needs, helping you close the gaps between native Microsoft Azure capabilities and traditional hardware-based application firewalls.

Deploying the Barracuda NextGen Firewall F-Series in the cloud is very similar to running local network firewalls, and provides the advantages of common policy enforcement and distributed security management in a hybrid-IT environment.