
Cloud Security: Should It Be Firewall-based on Hosts or Networks?

Protecting applications and their data in the cloud is crucial. Firewalls form the base for these security measures.


In the realm of cloud security, the debate between host-based and network-based firewalls has been a topic of discussion. However, according to Professor Avishai Wool, CTO of AlgoSec, the optimal approach isn't about choosing one over the other; it's about leveraging the strengths of both.

Host-based firewalls, installed directly on individual cloud hosts, offer deep customization and visibility into application-level traffic. They provide precise security policies tailored to the host environment, but they do consume local resources and require ongoing management and updates.

On the other hand, network-based firewalls operate at the perimeter or segments of the cloud network, inspecting and filtering traffic flowing between different network zones. They are effective at blocking unauthorized access and filtering traffic based on network-level rules, thus protecting multiple hosts collectively and reducing attack surfaces from outside the network.

The combination of both firewall types offers several benefits:

  1. Defense in Depth: Network firewalls provide a broad perimeter defense, while host-based firewalls offer granular control within the system, catching attacks that bypass network layers.
  2. Layered Security: Some threats may evade network filtering via encrypted or lateral internal traffic; host firewalls detect and control such traffic locally.
  3. Microsegmentation and Isolation: Distributed or next-generation firewall strategies in the cloud use both host and network firewalls to enforce microsegmentation, isolating workloads and limiting lateral movement by attackers.
  4. Comprehensive Visibility: Host firewalls offer insight into application-level anomalies, while network firewalls monitor traffic flows across the cloud. Together they provide full-spectrum monitoring and control.
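The layering described above (a coarse zone-boundary network firewall, plus per-host rules that also see traffic the network firewall never inspects) can be modelled as a small policy evaluator. This is an added example written for this page, not code from AlgoSec or any vendor; the two-tier addressing, the zones, the rules and the flows are all constructed here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # 0 matches any destination port
    action: str   # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def first_match(rules, flow, default="deny"):
    """First-match evaluation with an implicit default deny, as in most rule tables."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (0, flow.port)):
            return r.action
    return default

# Constructed two-tier layout. The network firewall sits between zones and only
# inspects traffic crossing a zone boundary; intra-zone (lateral) traffic bypasses it.
ZONES = {"web": "10.0.1.0/24", "db": "10.0.2.0/24"}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, c in ZONES.items() if addr in ipaddress.ip_network(c)), "external")

NETWORK_RULES = [
    Rule("0.0.0.0/0", "10.0.1.0/24", 443, "allow"),     # internet -> web tier, HTTPS only
    Rule("10.0.1.0/24", "10.0.2.0/24", 5432, "allow"),  # whole web tier -> db tier, PostgreSQL
]

# Host firewalls keyed by host IP. The db host narrows the coarse network rule to the
# single application server 10.0.1.10; hosts not listed here run no host firewall.
HOST_RULES = {
    "10.0.2.10": [Rule("10.0.1.10/32", "10.0.2.10/32", 5432, "allow")],
}

def evaluate(flow):
    """Return (verdict, layer): the layer that made the final decision on this flow."""
    crosses_zone = zone_of(flow.src) != zone_of(flow.dst)
    if crosses_zone and first_match(NETWORK_RULES, flow) == "deny":
        return "deny", "network"
    if flow.dst in HOST_RULES:
        return first_match(HOST_RULES[flow.dst], flow), "host"
    return "allow", "network" if crosses_zone else "none"  # nothing inspected intra-zone
```

A compromised web host 10.0.1.20 is let through by the subnet-wide network rule but stopped by the db host's own firewall, and a lateral connection from 10.0.2.11 inside the db zone is stopped only by the host firewall; a lateral connection to a host with no host firewall is inspected by nothing at all.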

Using network-based firewalls in conjunction with host-based products strengthens an organization's cloud security posture. This approach supports effective network segmentation, offering a critical extra line of defense.

Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) functions on network firewalls are more likely to detect traffic from backdoor malware or trojans. Network-based protection, such as Amazon's firewall in AWS environments, VMware's NSX, or offerings from Check Point or Cisco, is the protection built into the cloud infrastructure.

However, it's essential to note that even if an attacker breaches the network's perimeter protection, they still need to gain access to the host. Traffic from malware needs to cross the network barrier to its command and control centre, adding complexity for an attacker. Proper network segmentation significantly reduces exposure to data theft or system outages.

While this article mentions five steps to optimise firewall configurations, it does not elaborate on these steps. Nonetheless, it is clear that both host-based and network-based firewalls have distinct roles and, combined, provide the most effective cloud security.

[1] Host-based firewalling involves putting firewalls on every virtual machine in the cloud environment, such as Microsoft firewall on Windows PCs, ZoneAlarm, Netfilter on Linux, etc.

[2] This presents a significant risk if host-based firewalls are used in isolation.

[3] [4] In cloud environments, organizations can deploy firewalls using either host-based firewalling or network-based protection.

[5] Network-based firewalls can offer a stronger defensive barrier compared to host-based products. They are fully hardened devices, reducing the attack surface compared to host-based products.

[5] Host-based firewalls offer flexibility as they can move with VMs between cloud environments and support additional features like anti-virus, data loss prevention, auditing, etc.

Both strategies, host-based firewalling and network-based protection, have distinct roles and work together to bolster an organization's cloud security posture. Host-based firewalls, such as Microsoft's firewall on Windows hosts, ZoneAlarm, or Netfilter on Linux, offer flexibility: they move with VMs between cloud environments and can add features like anti-virus and data loss prevention, but they present a significant risk if used in isolation. Network-based firewalls, such as Amazon's firewall in AWS environments, VMware's NSX, or offerings from Check Point or Cisco, offer a stronger defensive barrier: they are fully hardened devices with a smaller attack surface than host-based products. Used together, they provide a comprehensive approach to cloud security.
