No One Crosses the Line, The Technology Used in Next-Gen Cloud Firewalls

A firewall serves one purpose: it denies passage. IT firewalls are put in place to prevent unauthorized access to a network. In the past, a network firewall was a separate piece of hardware installed at the network's entry point. All incoming traffic was checked at the firewall, and only friendly traffic was allowed to pass through it. A few decades ago, that technology was enough to protect a network effectively. Not today. In a highly connected, worldwide cloud network, there are too many ways around traditional firewall technologies. A new generation of firewall technology is emerging to protect against the threats and attacks prevalent today.

Cloud-based firewalls work in tandem with other security products to defend the network perimeter from attacks, data breaches, and other cyber threats. The cloud firewall is application- and user-aware. It elastically scales across all ports and protocols to handle all your cloud application traffic.

Most firewall implementations include technologies such as:

  • Geo-restrictions (or geo-blocking)
  • Identity (entities and groups)
  • Rule-based controls
  • Policy-based controls
  • Logging
  • Reporting

Next-generation cloud firewalls include deep packet inspection (DPI), intrusion prevention systems (IPS), and application control, typically not present in traditional firewalls.

Deep packet inspection (DPI)

Deep packet inspection examines not just the packet headers but the payload as well. Malicious data can be embedded deep within the contents of a packet whose header looks legitimate and would otherwise be allowed to pass through the firewall.

Deep packet inspection (DPI) refers to examining the full content of data packets before allowing them past a network checkpoint. Traditional forms of packet inspection evaluate only packet header information, such as source IP address, destination IP address, and port number. Deep packet inspection looks at a broader range of data and metadata associated with individual packets.
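As an added illustration (not code from the original article), the following Python snippet contrasts a header-only filter with a DPI check on two constructed IPv4/TCP packets; the signature list, addresses and packet contents are constructed for the example and the allowed port is an assumption.

```python
import struct

ALLOWED_DST_PORT = 80          # assumed: the only service the header-only rule permits
# Constructed DPI signature dictionary; stands in for a vendor's rule set.
SIGNATURES = [b"DPI-TEST-SIGNATURE-1", b"DPI-TEST-SIGNATURE-2"]

def build_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Assemble a minimal IPv4 header + TCP header + payload (checksums left zero)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    # data offset 5 (20-byte header), flags PSH|ACK, window 8192
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                          0x50, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload

def parse_packet(pkt):
    """Split raw bytes into (src_ip, dst_ip, src_port, dst_port, payload)."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4            # TCP header length in bytes
    return src_ip, dst_ip, src_port, dst_port, pkt[ihl + data_off:]

def header_filter(pkt):
    """Traditional inspection: decides on header fields only (the luggage tag)."""
    dst_port = parse_packet(pkt)[3]
    return "allow" if dst_port == ALLOWED_DST_PORT else "deny"

def dpi_filter(pkt):
    """DPI: apply the header rule, then scan the payload for known signatures."""
    if header_filter(pkt) == "deny":
        return "deny"
    payload = parse_packet(pkt)[4]
    return "deny" if any(sig in payload for sig in SIGNATURES) else "allow"

# Constructed packets: the same header decision, different payloads.
BENIGN = build_packet("203.0.113.5", "192.0.2.10", 40000, 80,
                      b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")
HOSTILE = build_packet("203.0.113.5", "192.0.2.10", 40001, 80,
                       b"POST /upload HTTP/1.1\r\n\r\n...DPI-TEST-SIGNATURE-1...")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(name, "header-only:", header_filter(pkt), "dpi:", dpi_filter(pkt))
```

The header-only filter allows both packets because both are addressed to the permitted port; only the payload scan separates them.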

DPI provides a more accurate identification of complex threats that may be hiding within a data stream. These advanced threats might include:

  • Malware, ransomware, phishing, and botnet infections
  • Data theft attempts
  • Content policy violations
  • Access from Command & Control (C&C) servers

Because it identifies these threats more accurately, DPI provides better protection against the more technically advanced threats and attacks in cloud infrastructure.

Deep packet inspection is sometimes described by analogy with TSA screening at an airport. Examining packet header information is akin to checking the luggage tag to ensure the source and destination align with flight and passenger records. Deep packet inspection corresponds to the luggage and carry-on X-ray systems, and to hand-checking luggage contents when something seems out of place.

Packet header inspection stops the wrong luggage from being placed on a plane. The more in-depth examination prevents harmful items from entering the plane inside properly checked baggage.

DPI can be applied to both inbound and outbound network traffic. Inspecting inbound traffic can block attacks before they compromise endpoints and other network assets; DPI can help filter out incoming ransomware, viruses, and spyware. Inspecting outbound traffic can stop data breach attempts by outside attackers and potential data leaks by both malicious and negligent insiders.

Intrusion prevention system (IPS)

An intrusion prevention system is specifically designed to hunt down malicious activity occurring within the network. An IPS identifies malicious activity, records and reports on it, and stops it before it does harm. Intrusion prevention systems are also referred to as intrusion detection and prevention systems (IDPS) because they not only find but also stop malicious activity.

Intrusion prevention systems are typically positioned behind a firewall, allowing the IPS to function as an additional filter for malicious network behavior. Located behind the firewall, an IPS can analyze and act on all network traffic. Potential actions include:

  • Alerting administrators
  • Dropping dangerous packets
  • Halting traffic from the source of malicious activity
  • Restarting connections

The two main methods used by IPS are:

Signature-based detection

Signature-based detection uses a dictionary of uniquely identifiable signatures located in each exploit’s code.

Statistical anomaly-based detection

Statistical anomaly-based detection randomly samples network traffic, comparing the samples to a baseline performance level.
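To show the statistical anomaly-based method together with the response actions listed above, here is an added Python example (not code from the original article); the baseline counts, the sample traffic, the addresses and the three-standard-deviation threshold are constructed assumptions.

```python
import statistics
from collections import Counter

# Constructed baseline: connections per second from one client during normal use.
BASELINE_CONN_PER_SEC = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13]
# Constructed samples to evaluate: (second, source_ip, connections observed)
SAMPLES = [
    (1, "203.0.113.7", 14),
    (2, "203.0.113.7", 13),
    (3, "198.51.100.9", 120),   # far above the baseline
    (4, "198.51.100.9", 140),   # same source, still anomalous
]
SIGMA_THRESHOLD = 3.0            # assumed: flag anything 3 std devs above normal

def build_baseline(values):
    """Mean and standard deviation of normal traffic: the baseline performance level."""
    return statistics.mean(values), statistics.stdev(values)

def zscore(value, mean, stdev):
    """How many standard deviations a sample sits above the baseline mean."""
    return (value - mean) / stdev if stdev else 0.0

def evaluate(samples, baseline, threshold=SIGMA_THRESHOLD):
    """Compare samples to the baseline and choose an IPS action per anomaly.

    Returns (second, source, z, action). The first anomaly from a source alerts
    administrators and drops the packets; a repeat from the same source halts
    all traffic from that source."""
    mean, stdev = build_baseline(baseline)
    strikes = Counter()
    actions = []
    for second, src, count in samples:
        z = zscore(count, mean, stdev)
        if z < threshold:
            continue                      # within normal variation, pass through
        strikes[src] += 1
        action = "alert+drop" if strikes[src] == 1 else "block-source"
        actions.append((second, src, round(z, 1), action))
    return actions

if __name__ == "__main__":
    for row in evaluate(SAMPLES, BASELINE_CONN_PER_SEC):
        print(row)
```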

An intrusion prevention system is an independent technology, not a comprehensive firewall solution. Including an IPS in a network security system is valuable for detecting threats and attacks, but additional technologies are required as part of a complete solution for data protection, endpoint security, and incident response.

Application control

Application control blocks or restricts unauthorized applications from putting data at risk. The control functions vary, but the objective remains constant—to protect the privacy and security of data used by and between applications.

Application control provides valuable information about applications, web traffic, data patterns, and threats. This information helps identify application usage patterns, which the application control solution uses to protect the network with whitelisting and blocking capabilities.

Application controls may include:

  • Completeness and validity checks
  • Identification
  • Authentication
  • Authorization
  • Input controls

Application controls ensure the confidentiality, integrity, and availability of the application and its associated data. With application controls, applications are prevented from executing if they put the network or data at risk.

Summary

The cloud firewall provides protection at the cloud edge so that users have consistent protection regardless of the source or destination of the connection. The firewall provides real-time monitoring and evaluation of traffic between source domains and data ports. Next-gen cloud firewalls accept or block traffic based on a set of security rules, stopping unwelcome visitors at the door. The new generation of cloud firewalls is well equipped and prepared to deny passage and protect valuable data and assets.