What’s the Difference Between Container Firewalls and Next-Generation Firewalls?
As containers become an ever more popular way to develop software, protecting the data within them has become a paramount concern.
Both container firewalls and next-generation firewalls (NGFWs) are important solutions that play separate but critical roles in securing containerized applications. Because the two are sometimes misunderstood or conflated, it is worth being clear about how they differ. NGFWs were introduced to address newer threats and data center designs, but they did not anticipate the rise of cloud microservices environments, and that is where the additional protections offered by container firewalls are needed.
It’s important to understand containers and microservices within the context of the broader technology shift towards virtualized application workloads. These virtualized workloads – which can include containers, IoT devices, or serverless computing – expose declarative metadata that can inform security policies and decisions. At the same time, the move from monolithic apps to container-based microservices has vastly increased internal “east-west” traffic within (and between) hosts. And while running containers can be hardened to limit their attack surface, monitoring and securing container traffic at the network layer remains a difficult challenge. Containers are constantly started and stopped to meet current service demand and the available host resources, and each container uses its own mapped network interfaces, which are assigned and de-allocated as needed.
Traditional firewalls and NGFWs – which are intended to act as gateways for external “north-south” traffic – simply aren’t the right tool for this job. They aren’t built to observe internal traffic, and they can’t keep pace with an environment in which containers are constantly deployed and removed. The ability to monitor containers at run time is critical to securing them. Once container applications are in production, it is easy to lose track of the vulnerabilities associated with each software package or library they use, especially when those vulnerabilities are not discovered until years later.
By contrast, container firewalls are designed to safeguard container traffic in a cloud-native environment in much the same way that NGFWs provide protection at the edge. Container firewalls can isolate and protect workloads, application stacks, and services as containers scale up, down, and across hosts at run time. They also provide container-aware oversight of connections between containers and external networks or legacy applications.
Here’s a quick primer on the key features inherent to a cloud-native container firewall:
- Intent-based intelligence. Container firewalls use metadata and behavioral analysis to understand the intent of applications. This enables automated protection as the firewall discovers application behavior and security requirements, and then adapts to any changes or updates. It also informs whitelist-based rules that define all allowed behavior, and an application-based (Layer 7) policy that doesn’t use iptables or L3/L4 rules alone.
- Container level protection. Container firewalls can drop suspicious connections or place entire containers under quarantine when appropriate.
- Integration with container orchestration. Container firewall protections naturally scale across hosts and clouds and incorporate updates.
- Container platform and run-time engine support. Container firewalls are built to run alongside the Docker engine and system security libraries, as well as overlay networks.
- Support for the protocols of standard containerized applications. Policies based on commonly used application protocols (such as Redis, MySQL, or MongoDB) are simple for container firewalls to recognize and enforce.
- Compatible with continuous integration and continuous delivery (CI/CD) processes. Container firewalls are capable of integration into automated pipelines, utilizing REST APIs to support scripting, tools like Jenkins, and more.
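To make the intent-based, protocol-aware policy model above concrete, here is a small behavior-learning container firewall written as an added example for this article. It is not NeuVector's code or any vendor's implementation. It assumes the service labels (`web`, `api`, `cache`, `db`, `mongo`) and container ids come from orchestrator metadata, uses a simplified learn-then-enforce cycle, fingerprints Redis, HTTP, MongoDB and MySQL from the first bytes on a connection rather than from the port, and also applies the kind of L3 deny list (CIDR blacklist) that container firewalls share with NGFWs. All sample flows and payloads are constructed for the demo.

```python
"""Toy behaviour-learning container firewall (added example, not NeuVector code).

Assumed: service labels and container ids come from orchestrator metadata;
protocol fingerprints are simplified heuristics on a connection's first bytes.
"""
import ipaddress
import struct
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_id: str          # container id (assumed: supplied by the runtime)
    src_svc: str         # source service label (assumed: orchestrator metadata)
    dst_svc: str         # destination service label
    dst_port: int
    src_ip: str
    first_bytes: bytes   # first application bytes observed on the connection


def identify_l7(first_bytes: bytes) -> str:
    """Classify the application protocol from payload, not from the port number."""
    b = first_bytes
    if b[:1] == b"*" and b"\r\n" in b:                 # RESP array: *2\r\n$3\r\nGET\r\n...
        return "redis"
    methods = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")
    if any(b.startswith(m) for m in methods) and b" HTTP/1." in b:
        return "http"
    if len(b) >= 16:                                   # MongoDB header: len, reqId, respTo, opCode
        length, _req, _resp, opcode = struct.unpack_from("<iiii", b, 0)
        if length >= 16 and opcode in (2004, 2013):    # OP_QUERY / OP_MSG
            return "mongodb"
    if len(b) >= 6 and b[3] == 0 and b[4] == 10 and b"\x00" in b[5:]:
        return "mysql"                                 # MySQL server greeting, protocol v10
    return "unknown"


class ContainerFirewall:
    def __init__(self, deny_cidrs, quarantine_after=3):
        self.deny = [ipaddress.ip_network(c) for c in deny_cidrs]  # L3 blacklist
        self.allow = set()          # learned intent: (src_svc, dst_svc, dst_port, l7)
        self.learning = True
        self.violations = Counter()
        self.quarantined = set()
        self.quarantine_after = quarantine_after

    def enforce(self):
        """Stop learning and start enforcing the observed whitelist."""
        self.learning = False

    def decide(self, flow: Flow):
        if flow.src_id in self.quarantined:
            return "drop", "container quarantined"
        ip = ipaddress.ip_address(flow.src_ip)
        if any(ip in net for net in self.deny):
            return "drop", "source in deny list"
        l7 = identify_l7(flow.first_bytes)
        rule = (flow.src_svc, flow.dst_svc, flow.dst_port, l7)
        if rule in self.allow:
            return "allow", l7
        if self.learning:
            self.allow.add(rule)
            return "learn", l7
        return "drop", self._violation(flow, rule)

    def _violation(self, flow, rule):
        self.violations[flow.src_id] += 1
        if self.violations[flow.src_id] >= self.quarantine_after:
            self.quarantined.add(flow.src_id)       # container-level protection
        l4_match = [r for r in self.allow if r[:3] == rule[:3]]
        if l4_match:  # port allowed, but the payload is not the expected protocol
            return f"L4 allowed but payload is {rule[3]}, expected {l4_match[0][3]}"
        return "no whitelist rule for this connection"


# Constructed sample payloads (first bytes of a connection)
RESP = b"*2\r\n$3\r\nGET\r\n$7\r\nsession\r\n"
MYSQL_GREETING = b"\x4a\x00\x00\x00\x0a8.0.26\x00" + b"\x07\x00\x00\x00" + b"abcdefgh\x00"
MONGO_OP_MSG = struct.pack("<iiii", 30, 1, 0, 2013) + bytes(5) + b"\x09\x00\x00\x00\x08a\x00\x01\x00"
HTTP = b"GET /admin HTTP/1.1\r\nHost: cache\r\n\r\n"


def demo():
    """Learn a baseline, then enforce it; returns the enforcement decisions."""
    fw = ContainerFirewall(deny_cidrs=["203.0.113.0/24"])
    fw.decide(Flow("c1", "web", "cache", 6379, "10.0.1.5", RESP))
    fw.decide(Flow("c2", "api", "db", 3306, "10.0.2.7", MYSQL_GREETING))
    fw.decide(Flow("c2", "api", "mongo", 27017, "10.0.2.7", MONGO_OP_MSG))
    fw.enforce()
    return [
        fw.decide(Flow("c1", "web", "cache", 6379, "10.0.1.5", RESP)),          # allow
        fw.decide(Flow("c1", "web", "cache", 6379, "10.0.1.5", HTTP)),          # L7 mismatch
        fw.decide(Flow("c1", "web", "db", 3306, "10.0.1.5", MYSQL_GREETING)),   # never learned
        fw.decide(Flow("c9", "api", "db", 3306, "203.0.113.9", MYSQL_GREETING)),  # deny list
        fw.decide(Flow("c1", "web", "mongo", 27017, "10.0.1.5", MONGO_OP_MSG)),  # 3rd violation
        fw.decide(Flow("c1", "web", "cache", 6379, "10.0.1.5", RESP)),          # quarantined
    ]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, "-", reason)
```

The second enforcement decision is the one an L3/L4-only rule set cannot make: the `web` to `cache` connection on port 6379 is permitted by port, but the payload is HTTP rather than Redis, so it is dropped. Repeated violations from the same container id move it into quarantine, after which all of its connections are dropped regardless of destination.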
Additionally, many container firewalls also have:
- Host process monitoring to recognize privilege escalations, suspicious processes, and breakouts.
- Vulnerability scanning of registries, hosts, and running containers.
- Auditing and compliance testing based on CIS Benchmarks.
- Packet capture for forensics and debugging.
Container firewalls and NGFWs do also offer several components in common, including:
- Layer 7 deep packet inspection. Because so many microservices use HTTP to communicate, implementing application protocol-based threat detection and protection is essential to both container and edge security.
- Threat protection. Both firewall types offer protection from application-layer threats, such as application-layer DDoS and DNS-based attacks.
- Blacklist rules. Each firewall type allows for blacklist rules using IP addresses, ranges, or other L3/L4 policies.
To be effective, container firewalls also need the wherewithal to curtail common application attacks that arise internally. However, it’s important to make clear that container firewalls are focused on securing container traffic, and aren’t intended as a replacement for solutions that secure the edge, such as NGFWs, intrusion detection and protection systems (IDS/IPS), or web application firewall devices.
NGFWs, designed to protect traditional data centers by securing traffic from the internet or external networks, include these key features:
- L7 stateful application inspection. NGFWs inspect application protocols at layer 7 as well as layers 2-4, tracking the state of each connection so that policies can be enforced based on it.
- IDS/IPS systems. These systems make use of signatures, behaviors, and other techniques to detect and defend against attacks.
- User-based access controls. Policies can limit access to resources based on the user’s identity.
- Routed and bridged mode support. An NGFW can be deployed as a bridge (L2) and/or as a router (L3) to best fit the topology and requirements of the environment.
Containerized environments are just like any other in that a security strategy including multiple layers of protection is the most effective one. Container security must be in place continuously throughout the build, ship, and run cycle, complete with run-time visibility and protections. By utilizing both container firewall technology to monitor and secure containers, and next-generation firewalls to protect the edge, organizations can implement the best practices for keeping their containerized environments safe from attacks.
Gary Duan is CTO at NeuVector, a Docker container network security solution that uses behavioral learning to secure containers during run-time.