Cloud Network Security: AWS firewall Selection

Firewalls are the core and increasingly complex part of network security, and are constantly fighting against the ever-changing threats faced by enterprises. The updated firewall can analyze network traffic behavior, protocols, and application layer data. However, when resources are transferred to Amazon cloud, enterprises may find that there are no firewalls of the same quantity and type available. In this article, we will investigate the built-in firewalls, third-party firewalls, and open-source firewalls for cloud network security.

AWS Firewall

The built-in AWS firewall has many improvements to information security experts. To create firewall rules in EC2, enterprises can create "security groups ." These groups describe the firewall rule set applied to EC2. Each group only allows enterprises to configure inbound rules. For users who use the Amazon virtual private cloud (VPC) service, they can create inbound and outbound rules. However, the high cost of the cloud VPC Service will lead to more cost for this implementation.

As for the inspection capability, AWS firewall filters and IP options are bundled together to manipulate basic grouping segments (but allow attackers to normally block the exception fragments created by the Intrusion Detection System ), and execute a simple status filter. However, in the AWS firewall, it is very obvious that no logon is allowed for any rules. Most network and security teams want to conduct intrusion detection and analysis on these logins and use stand-alone or security event management tools. Although Amazon firewall may be sufficient in some scenarios, security professionals prefer AWS network security options.

Third-party firewall for AWS

Almost no third-party firewall options can be integrated with AWS. Check Point has integrated Check Point Security Gateway R75 into the AWS marketplace. This means that enterprises seeking to install the VPC environment can create a new virtual Check Point firewall and integrate it into the private cloud of the enterprise.

The Check Point firewall is more like a traditional Check Point device. It provides status traffic detection and control functions, application and protocol analysis rules, and VPN connections. Check Point virtual devices can be integrated with various Amazon instance types, and also support the Check Point "software blade" function, which provides a modular approach to security performance sets. Check Point is the only product that has proven in the firewall field and can be fully integrated into Amazon's market. Cisco and Juniper do not have any products in the AWS marketplace, even though they both provide virtual firewall platforms (ASA 1000v and vGW ).

In addition to the Check Point option, installing a firewall in Amazon EC2 depends on the open-source software solution they use. Smoothwall is an open-source and commercial product that provides packet filtering, Web filtering, and email protection in a single package. The software-based business options provided by the company can be directly installed in Amazon images, or directly imported into EC2 as VMware images. Other open-source options include Openwall, which provides firewall functions and other security options. They can be installed as virtual machines and then imported to Amazon.

Host Firewall

Many enterprises are switching to the host-type firewall option to increase network-based security in Amazon EC2. In addition to the built-in operating system firewall for Linux and Windows virtual machines, enterprises can consider managing firewall control through security as a service provider. A vendor like CloudPassage provides a free Halo firewall proxy and management platform for restricted use, and provides additional plans and functions, including configuration monitoring, vulnerability assessment, and account management. The firewall proxy of this vendor is connected to the existing firewall on Linux and Windows, but provides simple central management and control, as well as logon and filtering tools.

In the future, more commercial firewall providers may apply their products to Amazon and other clouds, but enterprises have at least some firewall options.

This is important for information security experts who attempt to develop sound "in-depth defense" in the cloud environment. With the public infrastructure as a service (IaaS) cloud assets must be protected when exposed on the Internet or intranet. Many enterprises may not realize that their own AWS firewalls have limited functions, far less than the equivalent firewall platforms in the modern enterprise world. More firewall instances and host filters and detection are added to provide a wider coverage.