If you’ve been in networking long enough you’d probably noticed an interesting pattern:
- Some topic is hotly debated;
- No agreement is ever reached even though the issue is an important one;
- The debate dies after participants diverge enough to stop caring about the other group.
I was reminded of this pattern when I was explaining the traffic filtering measures available in private and public clouds during the Designing Infrastructure for Private Clouds workshop.
Almost a decade ago I was observing a heated “I don’t need no stinking firewalls” debate. Fast forward to 2019 and you’ll find a huge gap: enterprise environments insist on using stateful firewalls in front of application stacks, sometimes deploying complex deep packet inspection, while all you can get from public cloud providers like AWS, Azure or GCP is packet filters with reflexive ACL functionality.
It’s obvious which approach scales. It’s also obvious that the scalable approach (reflexive ACLs) makes perfect sense and works well assuming you have a vague idea what you’re doing.
The laws of physics haven’t changed in the meantime: any volume-based DoS attack will crash a stateful firewall before affecting the servers the firewall is protecting. Considering all this, why do we still see stateful firewalls deployed as the weakest link in the application stack?
The only reason I can see is the CYA mentality: security team in an enterprise environment is strictly separate from the application team which is not responsible for the security aspects of whatever they deploy. The security team, in turn, doesn’t trust the application developers and deploys the most complex firewall possible in front of the application stack hoping that Santa Claus and his $vendor elves will save the day.
The real fun starts when the CIO of a dysfunctional organization I just described decides it’s time to move into the cloud. You’ll either see developers that never had to care about security deploying their workloads directly into the public cloud, or security team trying to replicate enterprise environment in a public cloud and desperately trying to figure out how to push all traffic through a firewall running in a virtual machine. Fun times either way ;)
While it’s hard to fix siloed teams (and I stopped trying or caring a long while ago), there’s something we can try to do: educate people who might care. Matthias Luft already covered the big picture in DevOps and Security for Enterprise Environments webinar, will start the journey into cloud security with Cloud Security Basics webinar on April 16th, and continue with deep dive into individual topics throughout 2019.
You can access both webinars and attend the live session on April 16th with Standard ipSpace.net Subscription.