It's great to have a ringside view into how network security has changed dramatically in just a few years - from the zone-based controls of the past, through the virtual appliance route (combining virtualization with traditional firewall functionality), to today’s software-defined, dynamic and flexible security solutions. As we journey from the legacy perimeter security model to today’s cloud-native security model, multiple functions have emerged along the way to gain a deeper understanding of the content and intent of network flows. Lately, the increasing abstraction of the infrastructure has pushed security toward requiring a deep understanding of application connections rather than of addresses and zones.
A Little History
The early days of security were characterized by simple trust boundaries - the line between a trusted entity and the rest of the world. Packet processing appliances (either standalone or clustered) were designed to control the communications crossing these trust boundaries. As the trust boundaries multiplied, more and more firewall appliances were added in pursuit of a defense-in-depth approach. There were a few problems with this: firewalls were notoriously sticky, and switching vendors to pursue throughput was extremely painful. Added to that, these trust boundaries stopped at the edge, so they stopped addressing the business and threat models of the evolving digital world. For a time, security vendors took their hardware appliances and refactored them in software - the standalone virtual appliance was born, running within a VM on an x86 server. While this strategy delivered the computing footprint, it could not address the other challenges created by dynamic cloud architectures and changing security threats.
The Migrating Perimeter
As cloud computing, mobility, and connectivity options have evolved, the trust boundary has become fuzzy. The new reality in our digital world is that our applications and data are now mostly distributed - across our own infrastructure and the cloud. For a typical organization, this means that enterprise code is executing in various places and valuable data is no longer confined within a trust boundary. The assumption that attackers are on the outside of a trust boundary is certainly not true anymore. With new threat vectors like remote connections to public zones, insider threats, and BYOD trends, attackers do not need to breach the perimeter to be inside and causing havoc.
The obvious next step then is to introduce internal segmentation to mitigate the porous nature of the perimeter. This is not an earth-shattering revelation; this requirement was recognized by the Jericho forum a number of years ago, with the core concept being that data protection should be as close to the data as possible, the ultimate state being self-protecting data (i.e., the data carries its own protection).
In today’s software-defined infrastructures and multi-clouds, multiple policy enforcement options provide segmentation and lateral (east-west) security. These options include simple agent-based packet filters using iptables and netfilter, SDN-based network controls running in software or custom ASICs, and public cloud IaaS controls like AWS Security Groups or Azure Network Security Groups. Each of these methods provides packet processing and filtering at Layer 4 (some stateful, some stateless), and they lack many of the advanced benefits provided by ‘security-first’ offerings such as Next-Generation Firewalls (NGFWs) and cloud-native distributed controls.
NGFWs and Cloud-Native Distributed Controls
NGFWs entered the scene to consolidate network security edge appliances in a single box form factor. They took traditional firewall functionality and added user and application knowledge. Designed for the edge, NGFWs had limited visibility into lateral flows within a data center. This limitation was circumvented by deploying multiple instances of NGFW (hardware or software) across the infrastructure, dramatically driving up both complexity and cost. Ultimately, NGFW appliances refactored for the virtual environment are not the answer - they need to be both function and intent driven.
Cloud-native distributed controls are a modern approach to security. The architecture is completely different - it scales out. These solutions typically have a centralized control and management plane, which programs a distributed set of dataplane elements - all in software. As the environment scales, the number of dataplane elements scales with it. As can be imagined, this approach scales costs incrementally as servers are added, with no disruption whatsoever. “Horizontal scaling” is a very common approach to building cloud-scale applications, especially for problems that can be parallelized. Now, vendors are applying this relatively modern computer science principle to security.
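To make the control plane / dataplane split concrete, here is an added illustration (not code from the original article or from any vendor) of a minimal centralized policy compiler: one label-based east-west policy is compiled into a separate iptables-style Layer 4 rule set for each host, so adding a host just adds one more dataplane element. Host names, addresses, labels and ports are constructed sample data.

```python
# Added illustration: a minimal "central control plane" that compiles one
# label-based east-west segmentation policy into per-host Layer 4 rules
# (iptables-style, one of the agent-based enforcement options named above).
# Hostnames, addresses, labels and ports are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    # Intent: workloads labelled `src` may reach workloads labelled `dst` on `port`.
    src: str
    dst: str
    port: int


@dataclass
class Host:
    name: str
    ip: str
    labels: frozenset


# Central policy, written once in terms of application tiers, not addresses.
POLICY = [Rule("web", "app", 8443), Rule("app", "db", 5432)]


def compile_for_host(host, inventory, policy):
    """Return the INPUT rules the dataplane element on `host` should enforce.

    Only rules whose destination label matches this host are materialised, peers
    are resolved from the inventory, and all other lateral traffic is dropped.
    """
    lines = ["-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for rule in policy:
        if rule.dst not in host.labels:
            continue
        for peer in inventory:
            if rule.src in peer.labels and peer.name != host.name:
                lines.append(f"-A INPUT -s {peer.ip} -p tcp --dport {rule.port} -j ACCEPT")
    lines.append("-A INPUT -j DROP")  # default-deny for east-west traffic
    return lines


def compile_all(inventory, policy):
    """The control plane's view: one rule set per dataplane element."""
    return {h.name: compile_for_host(h, inventory, policy) for h in inventory}


# Constructed inventory; adding a host only adds one more compiled rule set.
INVENTORY = [
    Host("web-1", "10.0.1.10", frozenset({"web"})),
    Host("app-1", "10.0.2.10", frozenset({"app"})),
    Host("app-2", "10.0.2.11", frozenset({"app"})),
    Host("db-1", "10.0.3.10", frozenset({"db"})),
]
```

Note that app-1 and app-2 receive no rule allowing traffic from each other: anything the central policy does not state is denied on every element, which is the lateral segmentation the perimeter model could not provide.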
As we look ahead, the ability to tie into automation is key. The benefits of cloud-native distributed controls are obvious:
They have the ability to scale seamlessly.
They provide the coverage needed to process all the traffic, resulting in tremendous visibility.
They offer the flexibility to build security policies and deploy controls as evolving business and risk requirements dictate.
They allow DevOps integrations to create secure cloud solutions - this is a big deal as such functionality is not native to NGFWs most of the time.
Modern distributed approaches, including distributed systems and networks solutions based on SDNs and agents, offer these benefits.
A number of NGFW vendors are now offering cloud-based network security solutions as an alternative to traditional hardware offerings. NGFWs are still widely deployed in various critical verticals and could benefit from a cloud-scale architecture and a centralized management and control plane. The NGFW hardware appliance as a concept is certainly heading toward the annals of network security history.