Cloud Firewall Security


  • traffic routed between subnets can be subject to security rules that allow or block connections
    • these rules can be enforced by
      • the cloud provider's own virtual firewall service
      • a virtual firewall instance that the traffic is routed or switched through
      • another virtual security appliance
  • Firewall rules can be applied across multiple accounts, VPCs, subnets within VPCs, and instances within subnets
    • to enforce the segmentation required by the architectural design
      • may be needed for many different reasons:
        • separating workloads for performance and load balancing
        • keeping data processing within an isolated segment for compliance with laws and regulations
        • compartmentalizing data access and processing for different departments or functional requirements
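Added example (Python, not part of the original notes): a check that a set of allow rules actually enforces the segmentation the design calls for. The segment ranges, rules and policy are constructed for the example; the rule set is modelled as allow-only with an implicit deny, which is how cloud security-group style rules behave, and overlap rather than containment is used so that a rule covering even part of a segment is reported.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)

# Constructed segments of a single VPC (hypothetical addresses).
SEGMENTS = {
    "web":       net("10.0.1.0/24"),
    "app":       net("10.0.2.0/24"),
    "pci-db":    net("10.0.3.0/24"),   # regulated data: isolated segment
    "analytics": net("10.0.4.0/24"),
}

@dataclass(frozen=True)
class AllowRule:
    """Allow-list entry; the rule set has an implicit deny, like cloud security groups."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None   # None means any TCP port

# Constructed rule set. The last rule is a typical mistake: "admin SSH to the
# database from anywhere in the VPC" silently breaks the pci-db isolation.
RULES = [
    AllowRule(net("10.0.1.0/24"), net("10.0.2.0/24"), 8443),  # web -> app
    AllowRule(net("10.0.2.0/24"), net("10.0.3.0/24"), 5432),  # app -> pci-db
    AllowRule(net("10.0.4.0/24"), net("10.0.2.0/24"), 8443),  # analytics -> app
    AllowRule(net("10.0.0.0/16"), net("10.0.3.0/24"), 22),    # whole VPC -> pci-db SSH
]

# Design intent: which source segments may reach each destination segment at all.
POLICY = {
    "pci-db": {"app"},               # only the app tier may talk to regulated data
    "app":    {"web", "analytics"},
}

def allowing_rules(src_seg: str, dst_seg: str, port: Optional[int] = None) -> list:
    """Rules that could permit at least one host in src_seg to reach dst_seg.

    Overlap (not containment) is deliberate: a rule covering even part of a
    segment is enough to breach isolation, so the check stays conservative.
    """
    src, dst = SEGMENTS[src_seg], SEGMENTS[dst_seg]
    return [r for r in RULES
            if r.src.overlaps(src) and r.dst.overlaps(dst)
            and (port is None or r.port is None or r.port == port)]

def isolation_violations(policy: dict) -> list:
    """(src_seg, dst_seg, rule) for every rule that lets an unapproved segment in."""
    violations = []
    for dst_seg, permitted_srcs in policy.items():
        for src_seg in SEGMENTS:
            if src_seg == dst_seg or src_seg in permitted_srcs:
                continue
            for rule in allowing_rules(src_seg, dst_seg):
                violations.append((src_seg, dst_seg, rule))
    return violations

if __name__ == "__main__":
    for src_seg, dst_seg, rule in isolation_violations(POLICY):
        print(f"VIOLATION: {src_seg} -> {dst_seg} permitted by "
              f"{rule.src} -> {rule.dst} port {rule.port}")
```

Run as a script it reports the two segments (web and analytics) that the broad SSH rule lets into pci-db; the app -> pci-db rule on 5432 is the only one the policy approves. The same check can be run in CI against exported security-group rules before they are applied.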

Filtering Decisions

  • Filtering decisions can be made based on packet headers and payload contents at various layers of the OSI model:
    • Network layer (layer 3)
      • firewall accepts or denies connections on the basis of
        • IP addresses or address ranges and TCP/UDP port numbers
          • port numbers are actually carried in layer 4 headers,
            • but header-only filtering on them is conventionally described as basic layer 3 packet filtering
    • Transport layer (layer 4)
      • firewall can track connection states and use rules to allow established or related traffic
        • e.g. return traffic for a connection a client opened, without a broad rule opening every ephemeral port
      • because it must maintain a state table of existing connections
        • requires more processing power and memory
    • Application layer (layer 7)
      • firewall can parse application protocol headers and payloads and make filtering decisions based on their contents
        • for encrypted protocols such as HTTPS this requires terminating TLS at the firewall; otherwise only the layer 3/4 headers are visible
      • requires even greater processing capacity
        • or load balancing across multiple firewall instances
        • otherwise the firewall becomes a bottleneck and increases network latency
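Added example (Python, not from the original notes) that puts the three layers side by side on one constructed packet trace: a stateless layer 3/4 header filter, a stateful layer 4 filter with a connection table, and a layer 7 filter that additionally parses the HTTP request line. The topology, addresses, packets and WAF-style checks are all constructed for the example; plaintext port 80 is used so the layer 7 filter can read the payload.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: a client subnet talking to one web server over plaintext HTTP.
# Port 80 is used so the layer 7 filter can read the payload; for HTTPS the firewall
# would have to terminate TLS first, otherwise it sees only layer 3/4 headers.
CLIENT_NET = ipaddress.ip_network("10.0.1.0/24")
SERVER = "10.0.2.10"
HTTP_PORT = 80
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False        # TCP SYN: first packet of a new connection
    payload: bytes = b""

def stateless_filter(pkt: Packet, allow_return_high_ports: bool = False) -> bool:
    """Layer 3 style header-only filter with no memory of earlier packets."""
    if (ipaddress.ip_address(pkt.src) in CLIENT_NET
            and pkt.dst == SERVER and pkt.dport == HTTP_PORT):
        return True
    # A stateless filter can only let server replies through with a broad rule
    # for all ephemeral destination ports, which also admits unsolicited traffic.
    return allow_return_high_ports and pkt.src == SERVER and pkt.dport >= 1024

class StatefulFilter:
    """Layer 4 filter: a state table lets established traffic back without broad rules."""

    def __init__(self) -> None:
        self.table: set = set()   # (src, sport, dst, dport) of connections we allowed

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return True                         # established connection, either direction
        if pkt.syn and stateless_filter(pkt):   # new connection permitted by the policy
            self.table.add(key)
            return True
        return False                            # unsolicited: nothing in the state table

def http_request_ok(payload: bytes) -> tuple:
    """Tiny WAF-style check on the HTTP request line; returns (ok, reason)."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
        method, path, _version = line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "malformed request line"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if ".." in path or "%2e%2e" in path.lower():
        return False, "path traversal pattern in request path"
    return True, "ok"

class ApplicationFilter(StatefulFilter):
    """Layer 7 filter: stateful tracking plus payload inspection of HTTP requests."""

    def allow(self, pkt: Packet) -> bool:
        if not super().allow(pkt):
            return False
        if pkt.dport == HTTP_PORT and pkt.payload:
            return http_request_ok(pkt.payload)[0]
        return True

def run_trace() -> dict:
    """Run a constructed packet sequence through all three filters.

    Returns {packet_name: (stateless, stateful, application)} decisions. The
    stateless filter runs with the broad return rule, since without it the
    server's reply could not get back to the client at all.
    """
    client = "10.0.1.20"
    trace = [
        ("syn",         Packet(client, SERVER, 51000, HTTP_PORT, syn=True)),
        ("reply",       Packet(SERVER, client, HTTP_PORT, 51000)),
        ("get",         Packet(client, SERVER, 51000, HTTP_PORT,
                               payload=b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n")),
        ("traversal",   Packet(client, SERVER, 51000, HTTP_PORT,
                               payload=b"GET /../../etc/passwd HTTP/1.1\r\nHost: shop\r\n\r\n")),
        ("unsolicited", Packet(SERVER, client, 4444, 51001)),   # no client connection behind it
    ]
    stateful, app = StatefulFilter(), ApplicationFilter()
    return {name: (stateless_filter(pkt, allow_return_high_ports=True),
                   stateful.allow(pkt), app.allow(pkt))
            for name, pkt in trace}

if __name__ == "__main__":
    for name, decisions in run_trace().items():
        print(f"{name:12s} stateless={decisions[0]!s:5} stateful={decisions[1]!s:5} app={decisions[2]}")
```

The trace shows the trade-off each layer buys: the stateless filter needs a rule opening every high port to let the reply back, and that same rule admits the "unsolicited" packet the server (or something spoofing it) sends to a port nobody asked for; the stateful filter drops it because no state-table entry matches, at the cost of keeping the table; only the application filter rejects the request whose path contains a traversal pattern, because it is the only one that parses the payload.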

Implementation

  • can be implemented in several ways to suit different purposes:
    • As software running on an instance
      • a host-based firewall
        • identical to the host-based firewalls used on on-premises hosts
      • could be a
        • stateful packet filtering firewall
        • or a web application firewall (WAF)
          • with a ruleset tuned to blocking attacks against web applications
      • drawbacks
        • the software consumes instance resources and is not very efficient
        • managing the rulesets across many instances can be challenging
    • As a service at the virtualization layer
      • filters traffic between VPC subnets and instances
      • equates to an on-premises network firewall

Costs

  • The cloud provider's default application-aware firewall incurs transaction costs
    • calculated on time deployed and traffic volume
  • this might be a reason to choose a third-party solution