This post is a follow-up to Understanding Firewalls Through the Lens of Stateful Protocol Inspection.
I recently wrote about the concept of state and context for firewalls. But to understand why stateful firewalling is vital to security segmentation, you first have to understand why enterprises segment and where they start.
Why Segment Your Applications and Network
Let's first consider the why. Security segmentation is based on the principles of least privilege and Zero Trust: creating trust boundaries that thwart the lateral spread of an attack, in which one compromised application or endpoint is used to attack its connected or network-reachable neighbors. The many high-profile breaches of recent years show how attackers have compromised otherwise well-secured enterprises. The principal modus operandi is to compromise a low-value asset (a public-facing web server or an unpatched desktop) and move laterally from it to high-value assets in the data center. To prevent that lateral spread, you start building segmentation around the high-value assets and work outward toward the low-value ones.
Where Are Enterprises Beginning the Segmentation Journey?
An enterprise IT footprint usually spans a campus, a data center, the cloud, or a mix of all three, and today it serves more users, more traffic, and more applications than in past years.
To illustrate the point, consider the diagram of Facebook's data center traffic over the years. It not only shows overall traffic growth but also shows internal, or East-West, traffic growing to approximately 80 percent of the total, with external, or North-South, Internet traffic at about 20 percent. As a second point of reference, Cisco's Global Cloud Index report estimates East-West traffic at 76 percent, North-South traffic at 17 percent, and inter-data center traffic at the remaining 7 percent.
Both sources point to the importance of securing the data center, where the bulk of the data and application services reside. Within the data center, as we saw, traffic today is predominantly East-West, and that East-West traffic is therefore the larger attack surface. Traditional data center security tools were designed to protect North-South traffic, which is exposed to the outside world, and they lag behind or are inadequate when it comes to securing East-West traffic.
Because the majority of traffic is hard to secure with traditional tools, Zero Trust and security segmentation have recently come to prominence.
Why Stateful Firewalls Are a Must for Security Segmentation
With an understanding of why and where enterprises are focusing their segmentation efforts, let's explore the six reasons you need stateful firewalls for proper security segmentation:
1. The majority of East-West traffic is stateful
Here are two facts in support of this:
- Traffic pattern for Facebook data centers: Facebook provides an alternative view of the diagram referenced above that breaks traffic volume down by the application running in the data center. Hadoop, front-end (FE) web servers, services (Svc.), cache and database (DB) tiers are predominantly stateful TCP traffic.
- The world's biggest on-prem enterprise resource planning (ERP) solution: Enterprises run crown-jewel applications like ERP or HRM for employees and partners who are inside the enterprise network or connected by VPN. The developers of these applications assume high-throughput, reliable connectivity over the underlying intranet, so TCP is the natural choice. Here's a link to the protocols used by the biggest on-prem ERP solution, SAP.
Providing fine-grained micro-segmentation for these stateful applications requires a firewall that not only understands the stateful communication but also verifies every packet, from both client and server, against that state to achieve Zero Trust. This demo illustrates why it is a must.
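To make the difference concrete, here is an added example (my own illustration, not Illumio's code or anything from the demo) that puts a two-rule stateless ACL next to a minimal stateful tracker and runs the same constructed packet sequence through both. The tracker follows only TCP flags and direction through the handshake; real in-kernel trackers such as Linux conntrack also validate sequence numbers and windows, which this model leaves out. All addresses and ports are made up.

```python
"""Stateless ACL versus stateful connection tracking, side by side.

Added example for this post, not Illumio's code. Packets are constructed
5-tuples plus TCP flags; the tracker follows only the SYN / SYN-ACK / ACK
handshake and teardown by flags and direction. Real in-kernel trackers
(Linux conntrack, for example) also validate sequence numbers and windows,
which this model leaves out. Addresses and ports are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST


SERVER, SERVICE_PORT = "10.0.1.10", 80  # constructed: the protected web tier


def stateless_acl(pkt: Packet) -> bool:
    """Two static rules and no memory. Return traffic can only be approximated
    the way classic ACLs do it: by the ACK bit on packets from the service port.
    That approximation is the hole the stateful tracker below closes."""
    if pkt.dst == SERVER and pkt.dport == SERVICE_PORT:
        return True
    if pkt.src == SERVER and pkt.sport == SERVICE_PORT and "A" in pkt.flags:
        return True
    return False


class StatefulFirewall:
    """Admits a packet only if it is consistent with the tracked state of its
    connection, in both directions; everything else is dropped."""

    def __init__(self) -> None:
        self.conns: Dict[Tuple[str, int], str] = {}  # (client, client port) -> state

    def _classify(self, pkt: Packet) -> Tuple[Optional[Tuple[str, int]], str]:
        if pkt.dst == SERVER and pkt.dport == SERVICE_PORT:
            return (pkt.src, pkt.sport), "c2s"
        if pkt.src == SERVER and pkt.sport == SERVICE_PORT:
            return (pkt.dst, pkt.dport), "s2c"
        return None, ""

    def accept(self, pkt: Packet) -> bool:
        key, direction = self._classify(pkt)
        if key is None:
            return False
        state = self.conns.get(key)
        if state is None:
            # Only a bare SYN from the client side may create a connection.
            if direction == "c2s" and pkt.flags == "S":
                self.conns[key] = "SYN_SENT"
                return True
            return False
        if "R" in pkt.flags:  # either tracked peer may abort the connection
            del self.conns[key]
            return True
        if state == "SYN_SENT":  # nothing but the server's SYN-ACK is valid here
            if direction == "s2c" and pkt.flags == "SA":
                self.conns[key] = "SYN_RECV"
                return True
            return False
        if state == "SYN_RECV":  # nothing but the client's final ACK is valid here
            if direction == "c2s" and pkt.flags == "A":
                self.conns[key] = "ESTABLISHED"
                return True
            return False
        # ESTABLISHED / CLOSING: data and FIN flow freely, a fresh SYN never does.
        if "S" in pkt.flags:
            return False
        if "F" in pkt.flags:
            self.conns[key] = "CLOSING"
        return True


CLIENT, VICTIM, SCANNER = "10.0.2.20", "10.0.2.5", "10.0.3.9"
TRAFFIC: List[Packet] = [  # constructed packet sequence, not a capture
    Packet(CLIENT, 50000, SERVER, 80, "S"),    # 1-4: a legitimate connection
    Packet(SERVER, 80, CLIENT, 50000, "SA"),
    Packet(CLIENT, 50000, SERVER, 80, "A"),
    Packet(SERVER, 80, CLIENT, 50000, "A"),    # response data
    Packet(SERVER, 80, VICTIM, 40000, "A"),    # 5: server (compromised or spoofed) pushes into a host that never connected
    Packet(SCANNER, 4444, SERVER, 80, "A"),    # 6: ACK scan of the service port
    Packet(SERVER, 80, CLIENT, 50000, "SA"),   # 7: injected SYN-ACK on a live connection
]


def verdicts(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """(stateless verdict, stateful verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.accept(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (acl, stateful) in zip(TRAFFIC, verdicts(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]"
              f"  stateless={'ACCEPT' if acl else 'DROP'}  stateful={'ACCEPT' if stateful else 'DROP'}")
```

Packets 1 through 4 pass both firewalls. Packets 5, 6 and 7 all pass the stateless ACL, because each of them satisfies one of its two static rules, and all three are dropped by the tracker: there is no connection for the push into the victim host, an ACK with no prior SYN is not a connection, and a SYN-ACK has no place on an established connection. That per-packet verification of both sides is what the text means by a firewall that understands the stateful communication.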
2. Stateless or reflexive firewalls cannot scale for segmentation
At first glance, scale looks like a problem only for big players with large data centers. That myth is quickly busted even for small data centers. To illustrate the point, look at Kirner's equation (created by Illumio CTO PJ Kirner).
To learn more about this issue, have a look at this blog post, which discusses the problem in detail. The underlying reason is simple: a stateless ACL has to spell out both directions of every permitted flow, including the return traffic to ephemeral client ports, so the rule count grows with the number of communicating workload pairs rather than with the number of services. Scale therefore not only introduces rule-management problems; it also quickly hits the limit on the number of rules a stateless or reflexive firewall can support.
3. Newer applications are distributed and decomposed using microservices
The rise of developer-first, fast-to-market agile development methodologies has led to a more modern way of building applications using microservices. These microservices not only use stateful protocols to communicate but also encrypt the channel. Increasingly, they are deployed as containers on orchestration platforms like Kubernetes. The heterogeneity of software components, the complicated access relationships between them, and the encrypted communication are beyond the capabilities of traditional stateless and reflexive firewalls, which fail to police these communications.
4. Applications are reusing known open ports like TCP 80/443
As a best practice, enterprise security administrators and architects have traditionally denied most communication through firewalls except for commonly used services like web and mail. As a result, many newer applications communicate over TCP port 80 or 443, either reusing the known open ports outright or building on top of HTTP and HTTPS. The practice is so prevalent that a lot of malware uses the same mechanism to bypass the firewall. An application-layer firewall built on stateful firewalling capabilities, which can check that what flows over the open port is actually the expected protocol, can help mitigate this kind of attack.
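The following added example (my own illustration, not Illumio's code) shows the kind of application-layer check such a firewall can layer on top of connection tracking: given the first bytes a client sends on a connection that has already been admitted to port 80 or 443, it verifies that the payload really is an HTTP request or a TLS ClientHello, and extracts the SNI hostname from the latter. The sample payloads, including the ClientHello builder that produces one of them, are constructed; the hostnames are made up. Malware that speaks genuine TLS on 443 passes this check, so it complements, rather than replaces, a policy of which workloads may talk at all.

```python
"""Protocol conformance check for connections that reuse TCP 80/443.

Added example for this post, not Illumio's code. It looks at the first bytes
a client sends on a connection the stateful tracker has already admitted and
asks whether they are really HTTP (port 80) or a TLS ClientHello (port 443),
pulling the SNI hostname out of the latter. Sample payloads are constructed,
including the ClientHello builder used to produce one."""
import re
import struct
from typing import List, Tuple

HTTP_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


def parse_client_hello(data: bytes) -> str:
    """Return the SNI hostname ('' if absent) if data begins with a TLS ClientHello.
    Raises ValueError/IndexError/struct.error on anything else. Field layout per
    RFC 5246 section 7.4.1.2 and RFC 6066 section 3."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:  # handshake record, SSL3+ version
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                           # client_version + random
    pos += 1 + hello[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                                  # compression_methods
    if pos >= len(hello):
        return ""                                          # no extensions block
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if etype == 0:                                     # server_name extension
            name_len = struct.unpack("!H", hello[pos + 3:pos + 5])[0]  # skip list length + name type
            return hello[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return ""


def classify(dport: int, first_bytes: bytes) -> str:
    """'http', 'tls' or 'tls:<sni>' when the payload matches the port's expected
    protocol, 'mismatch' when something else is riding the open port."""
    if dport == 80:
        return "http" if HTTP_REQUEST_LINE.match(first_bytes) else "mismatch"
    if dport == 443:
        try:
            sni = parse_client_hello(first_bytes)
        except (ValueError, IndexError, struct.error):
            return "mismatch"
        return f"tls:{sni}" if sni else "tls"
    return "unchecked"  # no expectation registered for other ports


def build_client_hello(sni: str) -> bytes:
    """Constructs a minimal TLS 1.2 ClientHello with one cipher suite and an SNI
    extension; used only to produce test input here."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + bytes(32)                # version, random (zeros: constructed)
             + b"\x00"                              # empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
             + b"\x01\x00"                          # null compression only
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


SAMPLES: List[Tuple[int, bytes]] = [  # constructed first-payload bytes, not captures
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (443, build_client_hello("erp.example")),
    (443, b"SSH-2.0-OpenSSH_9.3\r\n"),                       # SSH tunnelled over the HTTPS port
    (80, b"\x00\x00\x00\x0c\x10\x00\x01\x00" + bytes(4)),  # binary framing on port 80
]


def run_samples() -> List[str]:
    return [classify(port, payload) for port, payload in SAMPLES]


if __name__ == "__main__":
    for (port, payload), verdict in zip(SAMPLES, run_samples()):
        print(f"port {port}: {payload[:16]!r}... -> {verdict}")
```

The first two samples conform and the last two do not: an SSH banner on 443 and a binary framing on 80 are exactly the "reuse the open port" pattern the text describes, and a port-only rule cannot tell them apart from the real thing. The check only ever needs the first payload bytes, which is why it sits naturally on a stateful tracker that already knows which packet opens a connection.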
5. Performance requirements for applications
Enterprise applications are predominantly built for intranet use, with the expectation of a high-bandwidth, low-latency network. A delay in connection setup leads to unexpected timeouts and a poor user experience. Application performance matters when the security solution is a reflexive firewall with a control-plane component in user space (refer to my previous post). That user-space component adds latency to every connection setup. Worse, under congestion the kernel starts dropping packets because the user-space control plane cannot dequeue them fast enough, so an attacker who can drive enough connection setups through the control plane can turn the reflexive firewall into a way to deny legitimate connections.
Compare this with full stateful firewalling built into the kernel of the major enterprise operating systems, such as Linux (netfilter and its connection tracker) and Windows (the Windows Filtering Platform). Why would anyone choose an inferior ACL- or reflexive ACL-based technology when a stateful in-kernel firewall can do the job? Something to think about, and to ask your segmentation vendor about.
6. Use of verified firewall code
This reason is less about whether a firewall is stateful or stateless and more about segmentation products built on proprietary, unverified code. Building a stateful firewall takes substantial development and test time, and some micro-segmentation vendors take shortcuts to reach the market sooner, or do not appreciate the value of full stateful inspection. These vendors have built stateless or reflexive firewalling capabilities in proprietary code running in kernel or user-space components. This is dangerous. Not only does a proprietary kernel module taint the kernel, leaving the enterprise without support from the active kernel developers, but it also hides unverified software behind obscurity. Further, they do not disclose this to unsuspecting customers, who assume stateful firewalling is something everyone does by default now, since it has existed for more than two decades.
Today, when a battle-tested stateful firewall ships with the operating system itself, why would anyone choose an inferior and inadequate technology to implement Zero Trust? As data center and cloud segmentation adoption matures, enterprises need to be vigilant and hold every segmentation solution to the standard of using stateful firewalls.
To recap, we have:
- Explained how various firewalls work.
- Demonstrated the subtle difference between these firewalls.
- Considered multiple enterprise applications and the usage patterns for those applications.
- Outlined the security needs for those applications and the need for stateful firewalling in a Zero Trust environment.
Remember, an ACL or reflexive ACL is a tool for giving a non-security device some security capability, but at enterprise scale, a standard, fully functional stateful firewall is a must for segmentation.