Cloud Boundary Protection using Next Generation Firewalls (NGFW)

NIST Special Publication 800-53 Rev 4 for FedRAMP and US Federal systems mandates the use of robust boundary protection mechanisms. The Systems and Communications (SC) family of controls, specifically SC-7, mandates that the information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

Choosing the right boundary protection solution requires understanding the form and function of the available solutions. A rapidly emerging category of boundary protection systems is the Next-Generation Firewall (NGFW), which offers an increasing array of capabilities. However, many organizations struggle with formulating the right set of requirements that should exist in the firewall solution. The cloud and security experts at stackArmor have been working with security-focused customers since 2010 on AWS-based architectures and have formulated a list of key requirements that enterprises should consider.

Enterprise Need: Description of Enterprise Need

User and/or Role Based Access Control (RBAC):
A. User and/or user group identification
B. User based traffic analytics
C. Control access to applications by user and/or user group

Single Sign-On:
A. Support a mechanism for SSO for both firewall admins and end users
B. Support SAML 2.0 Authentication or other mechanism including one that is HSPD-12 compliant
C. LDAP support
D. Multi-Factor Authentication
E. PIV integration (for Federal Agencies)
F. Web portal needs to support certificates

Compliance with Standards:
A. The devices should comply with regulations, guidance, and best practice, including validated support for FIPS 140-2.
B. Solution UI needs to support TLS 1.2+ and control (enable/disable) connections using older protocol versions such as TLS 1.1, 1.0, and SSL 3.0, 2.0, 1.0, etc.

Granular Control for Policy and/or Configuration Changes:
A. Configuration changes can be grouped based on administrator context, and changes can be pushed by an individual admin without including other admins' changes
B. Configuration changes are tracked in real time
C. Configuration changes can be readily reverted
D. Centrally managed policy distribution across all firewalls

System Health Monitoring:
Provide performance monitoring and system health for firewalls and clusters, including environmental telemetry

Real Time Change Monitoring:
The system should be able to log configuration changes by admin and provide attribution

Granular Policy Control Applied Based on Unique Zones and Networks:
A. The next generation platform has to support a zone based security model that would allow for future growth or re-engineering of the infrastructure, including support of multiple zones per physical interface
B. Policy and access control applicable to multiple zones per physical interface
C. Be able to share a single physical interface with a switch where multiple zone segregation shall be aggregated

Additional requirements exist in the area of application-level support for various QoS, control and support functions for the maintenance and operation of the NGFW device/appliance.

Application Based Quality of Service (QoS):
Solution can apply QoS by application or application group, allowing for granular control of platform resources and performance.

Application Control:
A. Support application specific policy, allowing certain applications and blocking others
B. Verify that the applications are controlled and operating as expected.
C. Identify and control applications running on ports other than the application’s default port. For example, SSH on port 80 and Telnet on port 25

Update Stability:
Solution is stable through updates and provides a method for rollback

Secure Socket Layer (SSL) Decrypt/ReEncrypt and Analysis:
A. Support SSL traffic analysis.
B. Firewall should support on-appliance SSL processing
C. Dynamic server certificate validation

SSL Decrypt Broker Capabilities:
Support for the following:
Step 1. Traffic enters the firewall and is decrypted and policy is applied (the policy could be applied either in this step, or in step 4).
Step 2. The decrypted traffic is sent out of an interface to a third party security device.
Step 3. The decrypted traffic is then received back from the third party security device.
Step 4. The traffic is then re-encrypted and sent on to its destination.

No Port Change When Processing SSL:
The SSL session should remain transparent to the user and no ports should be changed during the decryption, decrypted traffic forwarding or re-encrypting process.

Dynamic Integration:
Ability to dynamically incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, threat feeds, etc.
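
Application Control item C above (applications on ports other than their default, such as SSH on port 80 or Telnet on port 25) comes down to classifying a flow by its first payload bytes instead of its destination port. The sketch below is an added example, not stackArmor's or any vendor's code; the signature set, the DEFAULT_PORTS table, the function names, the policy and the sample payloads are all constructed for illustration, and it goes slightly beyond the two cases in the text by also recognizing HTTP, TLS and SMTP.

```python
import re

# Assumed illustrative subset of default ports; a real NGFW ships a far larger database.
DEFAULT_PORTS = {"ssh": {22}, "telnet": {23}, "smtp": {25, 587},
                 "http": {80, 8080}, "tls": {443, 8443}}
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
TELNET_CMDS = (0xFB, 0xFC, 0xFD, 0xFE)  # WILL, WONT, DO, DONT


def identify_app(payload: bytes) -> str:
    """Classify a flow from its first payload bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):           # SSH identification string
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0xFF and payload[1] in TELNET_CMDS:
        return "telnet"                       # IAC option negotiation
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"                          # handshake record header
    if HTTP_REQUEST.match(payload):
        return "http"
    if payload.startswith((b"220 ", b"220-")) and b"SMTP" in payload.upper():
        return "smtp"                         # greeting banner (heuristic)
    return "unknown"


def evaluate_flow(dst_port: int, payload: bytes, allowed_apps: set) -> dict:
    """Apply application policy to the identified app, not the port number."""
    app = identify_app(payload)
    off_port = app != "unknown" and dst_port not in DEFAULT_PORTS[app]
    action = "allow" if app in allowed_apps else "block"
    return {"port": dst_port, "app": app,
            "non_default_port": off_port, "action": action}


# Constructed sample flows: (destination port, first payload bytes seen).
SAMPLE_FLOWS = [
    (80, b"SSH-2.0-OpenSSH_8.9\r\n"),                   # SSH on port 80
    (25, b"\xff\xfd\x18\xff\xfd\x20"),                  # Telnet on port 25
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (25, b"220 mail.example.test ESMTP ready\r\n"),
    (443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),     # TLS ClientHello start
]
ALLOWED_APPS = {"http", "tls", "smtp"}                  # assumed policy

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(evaluate_flow(port, data, ALLOWED_APPS))
```

A port-only rule would have passed the first two sample flows because ports 80 and 25 are commonly open; here both are blocked and flagged as running off their default port.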

The ability to integrate with third-party products and services for the purposes of logging, monitoring and compliance is essential. Integration with common technologies like Splunk or other similar solutions is an essential requirement. Some additional requirements include:

SIEM Integration:
A. Security Information and Event Management (SIEM) integration
B. Audit and compliance monitoring and reporting

SSL Certificate Management:
Certificate management for SSL decryption should support local certificate storage as well as integration with certificate management applications for off-the-box certificate storage.

Best of Class User Interface (UI):
A. Management dashboard – visual, interactive, detailed
B. Dashboard capable of high granularity and a “single pane of glass” compliance and reporting analytics
C. Troubleshooting tools
D. Customizable filters for custom reporting
E. Verify that UI displays user names in addition to the IP
F. Ability to view threats from summary view
G. Ability to drill down on the summary to see top attackers, top victims by their user ID, etc.
H. Ability to get detailed information per threat (Vulnerability, Virus, Spyware, etc.)
I. Ability to view and quickly filter through detailed logging information by any searchable fields.
J. Built in troubleshooting tools

Malware Analysis:
A. Provide analysis of malware threats on a custom virtual environment
B. Analyze unknown malware and must be able to analyze the following file types over all ports: JAR, SWF, APK, EXE, PDF, DLL and standard office document files for zero-day threats.
C. Provide event correlation for activity seen traversing the platform.
D. Provide malware analysis over all protocols and applications

Simultaneous Multi-Interface Modes:
Support multiple interface modes simultaneously on each device, modes including Layer 1, Layer 2, Layer 3, and Passive Transparent mode.
The enablement of these modes shall allow the solution to be flexible in support of network segregation where it could be deployed in support of multiple environments and still be able to provide complete feature support.

Single Pass Processing:
Perform packet inspections that will be analyzed by all of the platform features at one time, thus avoiding multiple packet re-inspections by various modules

URL Filtering:
Support granular control of web access
Support URL categorization, built in and custom

Trunking/VLAN tagging:
Used to support port consolidation

Ether/Port Channeling:
Used to support port consolidation

High Speed Ports:
Minimum speeds to support 10 Gbps+

Stateful Firewall:
Solution must track the operating state and characteristics of active network connections. The solution uses this information to determine traffic validity and legitimacy.

stackArmor’s engineers have compiled the list for organizations looking to conduct an RFP or to create a robust set of requirements against which various product offerings can be evaluated. The AWS Marketplace offers a rich selection of ready-to-go firewall solutions such as Palo Alto VM-300, Sophos UTM or Cisco ASAv. The ideal solution depends on the customer requirements, budget and internal skill level with the various manufacturers. An increasing area of concern is the country of origin due to the emergence of Supply Chain Risk as part of the NIST Cybersecurity Framework.