I am nearing completion of my ‘dig-out’ from the recent Nor’easter that blew through New England, dumping quite a bit of snow. When you dig out of a snowstorm, you start with paths to the garage or car, paths to the utilities, and in some cases paths to the wood pile and other outbuildings. Sooner or later that perfect landscape of white is marred by new mounds of snow and clear-cut paths through it to the various locations on the property. When the snow is high enough, these paths look like tunnels. The large tunnels (the driveway) meet smaller and smaller ones. The perfect landscape of snow is now marred. This is just how a firewall looks when you put holes in it to let through various services. The more services, the more tunnels and paths will be cut. When speaking about the cloud or virtual environments, the increase in paths and entry points becomes a serious issue.

So what is the solution? Defense in depth. As we discussed in “Threat Analysis: Layers upon Layers,” there are many layers, and where those layers meet we can start to discuss defense in depth. The ingress ports for IaaS, PaaS, and SaaS would be protected by edge hardware firewalls, but how do you protect each of the layers? Figure 1, Multiple Firewalls, shows a possible logical placement for each firewall.
The brick-colored lines with an orange glow represent logical placements for physical firewalls. These firewalls allow through just the protocols necessary to support each of the SaaS, PaaS, and IaaS clouds. If this is a virtual environment rather than a cloud, they allow through the protocols that support your applications, guest OS access for administration, management access, network access, and IP storage access. These ingress and egress points are fairly well understood within any datacenter, as they are your edge firewalls.
However, since we need to tunnel many things through these firewalls to work within the virtual environment as administrators, and even for applications, it behooves us to consider defense in depth further. With that we can add two new logical firewalls: the yellow lines with an orange glow represent a new class of security device, one that protects the administrative or management components of any cloud or virtual environment from unauthorized access and improper use. These tools were discussed in the Low Hanging Fruit of Virtualization Security article a few months back. The tools that fit in this space are firewalls and tools like the HyTrust appliance.
Now comes the fun part: the orange lines with a red glow. This is where we can put some good defense in depth, directly within the virtual network, by placing firewalls and security controls:
- between virtual switches, à la VMware vShield Edge, Catbird Security, or any other virtual-appliance-based firewall you care to use.
- before each virtual NIC, à la VMware vShield Zones 2.0, vShield App, Reflex Systems, Trend Micro Deep Security, IBM VSS, Altor Networks, Check Point, or any other introspection-based firewall you care to use.
- to offload anti-malware scanning, à la Trend Micro Deep Security, which makes use of vShield Endpoint.
The use case for adding these additional security controls is growing; they should be added when your virtual environment or cloud supports multiple trust zones, such as those defined by tenant, DMZ, management, etc.
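To make the three firewall classes concrete, here is an added example (not code from the original article or any of the products named) that models the edge, management, and per-vNIC firewalls as successive policy checks over a constructed inventory with hypothetical addresses and trust zones. It shows why the edge alone is not enough: an east-west flow between two tenants on the same vSwitch never crosses the perimeter, and only the vNIC layer's default-deny zone matrix stops it.

```python
from dataclasses import dataclass

# Constructed sample inventory (hypothetical addresses): VM IP -> trust zone.
ZONES = {
    "10.0.1.10": "dmz",         # web front end
    "10.0.2.20": "tenant-a",    # application server
    "10.0.2.30": "tenant-b",    # another tenant sharing the same vSwitch
    "10.0.9.5": "management",   # hypervisor / cloud management interface
    "10.0.9.100": "admin",      # administrator jump host
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def zone_of(ip: str) -> str:
    return ZONES.get(ip, "internet")  # unknown addresses are treated as external

def edge_firewall(f: Flow) -> bool:
    """Layer 1, hardware edge firewall: only sees traffic crossing the perimeter."""
    if zone_of(f.src) != "internet":
        return True  # east-west traffic never reaches the edge, so it cannot help here
    return zone_of(f.dst) == "dmz" and f.port == 443

def management_firewall(f: Flow) -> bool:
    """Layer 2: shields the management plane from everything but the admin zone."""
    if zone_of(f.dst) != "management":
        return True
    return zone_of(f.src) == "admin" and f.port == 443

# Layer 3: per-vNIC zone matrix, default deny. Only listed (src zone, dst zone) ports pass.
VNIC_RULES = {
    ("internet", "dmz"): {443},
    ("dmz", "tenant-a"): {8080},
    ("admin", "tenant-a"): {22},
    ("admin", "management"): {443},
}

def vnic_firewall(f: Flow) -> bool:
    return f.port in VNIC_RULES.get((zone_of(f.src), zone_of(f.dst)), set())

LAYERS = [("edge", edge_firewall), ("management", management_firewall), ("vnic", vnic_firewall)]

def evaluate(f: Flow) -> str:
    """Return 'allow' or the name of the first layer that drops the flow."""
    for name, check in LAYERS:
        if not check(f):
            return name
    return "allow"
```

Run `evaluate(Flow("10.0.2.20", "10.0.2.30", 445))` to see the cross-tenant case: the edge and management layers both pass it, and the verdict is `vnic`.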
Within the virtual environment many people claim we have flattened the network, but this does not imply that your security within the environment should be flat. It should be robust, layered, and under your control. To return to our digging-out-after-a-snowstorm analogy, you want to make it easy to get places, but at the same time limit access outside your paths, and perhaps limit the location of those snow-walled tunnels as well.