Do you actually need a firewall?
Posted by Matthew Bradley
In a traditional hosting environment, not having a physical firewall to protect your infrastructure would be laughable. You would be crypto’d before reading the end of this sentence and your business would quickly go into administration.
However, many deployments in Azure don’t have a firewall appliance for traffic to route through. The clients I have spoken to that do have one are mainly doing so in order to tick a box and make their board sleep well at night.
But not having one doesn’t mean that they aren’t protected!
Azure has a plethora of ways to implement protection. A combination of Access Control Lists (ACLs), Network Security Groups (NSGs) and Application Security Groups (ASGs) allows you to add layer 4 protection at every level of your infrastructure. Layer 4 filtering allows or denies traffic to destination IPs and ports based on the source IP and port of the request…and that’s all it does.
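As an added example (not code from the original post), here is how that layer 4 segmentation looks when expressed as NSG and ASG rules in Bicep; the resource names, the location parameter and the web/SQL tier split are assumptions for illustration.

```bicep
// Added example, not from the post; names, location and tier split are assumptions.
param location string = resourceGroup().location
// ASGs group NICs by role, so rules reference tiers rather than IP lists.
resource webAsg 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
  name: 'asg-web'
  location: location
}
resource sqlAsg 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
  name: 'asg-sql'
  location: location
}
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [
      {
        // Internet -> web tier, HTTPS only. Pure layer 4: the payload is not
        // inspected, so SQLi/XSS inside a valid request still needs a WAF.
        name: 'allow-https-internet-to-web'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationPortRange: '443'
          destinationApplicationSecurityGroups: [ { id: webAsg.id } ]
        }
      }
      {
        // Web tier -> SQL tier on 1433 only. Anything else inbound falls
        // through to the built-in DenyAllInbound rule (priority 65500).
        name: 'allow-sql-from-web'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceApplicationSecurityGroups: [ { id: webAsg.id } ]
          sourcePortRange: '*'
          destinationPortRange: '1433'
          destinationApplicationSecurityGroups: [ { id: sqlAsg.id } ]
        }
      }
    ]
  }
}
```

Rules are evaluated in priority order and the first match wins, so keeping the allow rules narrow and letting everything else hit the default deny is the whole of the layer 4 story.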
These security offerings are built on software-defined networking (SDN). So even though there is no physical appliance in front of the applications, the rules are applied before the traffic reaches your application, which means an influx of connections won’t increase the resource usage of the application or cause any port exhaustion or SYN flooding.
The below shows a basic form of how SDN architecture works:
But layer 4 protection just isn’t sufficient, and security at this layer is typically assumed. The focus on security should be moved up the OSI model…all the way up to layer 7. It is here that you protect yourself from the real nasty things in the world like DoS, SQL injection, cross-site scripting, etc.
Azure provides a free level of DDoS protection on all public IP addresses. The free tier doesn’t give you any visibility of the work that it does, but you can trust that it is there (unless you disable it, in which case you need to give your head a wobble and have a serious word with yourself). If you have a spare couple of thousand each month then you can purchase their Standard support with access to their ‘DDoS experts’ and reporting functionality.
Application Gateways have a WAF option for protecting against SQL injections and cross-site scripting, which will set you back around £100 a month. The WAF offering is based on rules from the OWASP core rule sets 3.0 or 2.2 and automatically updates to include protection against new vulnerabilities, with no additional configuration needed.
So in a world with software-defined networking and other tools available, is a separate firewall appliance really needed anymore?
In a lot of cases, maybe not.
Now, I’m not saying that third party firewall appliances are obsolete, as they do offer a portfolio of security tools that can be priceless to companies. But not everyone needs those features. For most small to medium sized businesses that aren’t prone to attack, using a WAF with DDoS mitigation and NSGs may provide everything that you need.
It is quite a paradigm shift when you start to think about hosting in Azure. Ask yourself which features of any third party firewall you actually use. Do you need it, or can something else do the same job with easier management and at a lower cost?
And if it makes sense not to use one then spend the money you’ve saved on some Horlicks to help the board nod off.
Of course, some companies do need more than this and for larger organisations, it makes sense to have one for the central management alone. You should always speak to your security team or hosting provider before making a decision around how you protect your infrastructure.