Firewalls in the Cloud (Part 1)

by Deb Shinder [Published on 26 Feb. 2013 / Last Updated on 20 May 2013]

In this article we'll talk about how the TMG firewall can be used to secure connections in the private cloud Infrastructure as a Service (IaaS) scenario.

If you would like to be notified when Deb Shinder releases the next part in this article series please sign up to our ISAserver.org Real-Time Article Update Newsletter.

Introduction

Cloud computing! It’s going to save us all. It’s going to remove the drudgery of maintaining our current infrastructures and operations so that we can spend more time making a real difference in our companies. It’s also going to save our companies tons of money, which will enable our employers to pay us more, and it’s going to have 100% up time so that the lights never go out. And, oh yes, it’s going to be so secure that we won’t ever have to worry about security anymore because the cloud service providers will have us covered.

Well, to hear some cloud vendors talk, it’s a miracle drug, but in the real world … maybe not so much. It’s true that the cloud is going to make a lot of things possible that we couldn’t do before, or at least couldn’t do very cost effectively. But cloud computing probably isn’t going to save the world, and it’s definitely not going to be a security panacea. In fact, security in the world of cloud computing is likely to become increasingly complex because there will now be a number of moving parts that are under your control and they’ll be interoperating with those that are not under your control.

The big problem is that, for many of us, those moving parts that are not under your control are going to be connecting to the moving parts that are under your control. This is the hybrid cloud scenario, in which you’re connecting your traditional data center or your company’s private cloud to a cloud service provider’s network.

TMG and other firewalls in a cloudified world

At this point, you might be wondering this: in the brave new world of cloud computing, where do firewalls such as the TMG firewall fit in? In answering that question, the first thing we need to consider would be the different cloud deployment and service models that we have to work with, and we’ll need to think about where the important security zones are.

If you’ve been keeping up with my articles about the cloud over on WindowsNetworking.com and Windowsecurity.com, you might remember that there are three standard service models and, for practical purposes, three deployment models in cloud computing (NIST’s definition also lists a fourth deployment model, the community cloud, but you rarely run into it). The service models are:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

And here are the three practical delivery or deployment models:

  • Private Cloud
  • Public Cloud
  • Hybrid Cloud

When considering the role of a firewall like the TMG firewall, you need to think first about where the TMG firewall can be deployed, depending on the mix of service model and deployment model. In this multi-part series, we’ll consider how TMG (and other firewalls) fit into these different models. First, let’s examine what TMG would look like in a Private Cloud/Infrastructure as Service scenario.

The role of the firewall in the IaaS scenario

It’s important to remember that “private cloud” means that the entire cloud infrastructure belongs to your organization and is not shared with any other organization. This is in direct contrast to a public cloud, in which multiple organizations share the pooled resources provided by the cloud service provider. However, just because the private cloud is dedicated to a single organization doesn’t mean there won’t be multiple business units that don’t want other business units to see their workloads. There’s privacy from the outside world, and then there’s privacy within the organization. Therefore, you still might need to set up security zones or perimeters around some of the business units that use the shared, pooled resources in your private cloud.

Where can you leverage TMG in this scenario? In order to answer that, we have to think about the different approaches we could use to segregate one tenant’s traffic from another’s. In a simple private cloud deployment, you might set up only two networks: one for the cloud infrastructure itself and one for the tenants. Then you would leave it up to the tenants to take care of network security and isolation within that network. That is one option. But as a private cloud operator, you also have the option of providing value added services to the consumers of your cloud service, and one of those value added services might very well be enhanced network security.

Segregation on the tenant network

To accomplish this goal, you could set up several VLANs for the tenant network. You could do this by security level. You might have a lower security VLAN that has no firewalling where all network security is the responsibility of the tenant administrator. Then you could have a medium security VLAN, where you might take advantage of Port ACLs on a virtual switch to help isolate some tenants from one another. Finally, you might have a high security VLAN, where you can combine virtual switch Port ACLs with the TMG firewall to add the highest level of security.

The TMG firewall can be configured to support isolating certain tenants from one another and also securing the incoming connections to the workloads that are running on the tenants in the private cloud infrastructure. In addition, you can secure outbound connections, so that if a tenant on the private cloud infrastructure should be compromised, you would be able to limit the negative effects of that compromised virtual machine by deploying TMG countermeasures.
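The tiered VLAN scheme above leans on Hyper-V virtual switch port ACLs for the medium security tier. The following is an added example (not code from the original article) showing what that looks like on a Windows Server 2012 Hyper-V host: each tenant VM is put on its own VLAN and then given port ACLs that deny traffic to the infrastructure network and to every other tenant’s subnet, while leaving the Internet path (which TMG then filters) open. The tenant names, VLAN IDs, VM names and subnets are assumptions for illustration.

```powershell
# Added example (not from the original article): Hyper-V port ACLs for the
# "medium security" tenant VLAN. Requires the Hyper-V PowerShell module on the
# host and an elevated session. All names, VLAN IDs and subnets are assumed.

$InfraSubnet = "10.0.0.0/24"          # hosts, Cluster/CSV, Live Migration, management (assumed)

# Tenant name -> VLAN and subnet (assumed address plan)
$Tenants = @{
    "TenantA" = @{ VlanId = 101; Subnet = "10.1.0.0/24" }
    "TenantB" = @{ VlanId = 102; Subnet = "10.2.0.0/24" }
}

function Set-TenantIsolation {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$TenantName
    )
    if (-not $Tenants.ContainsKey($TenantName)) {
        throw "Unknown tenant '$TenantName'"
    }

    # 1. Put the VM's adapter(s) on the tenant's VLAN (layer 2 separation)
    Set-VMNetworkAdapterVlan -VMName $VMName -Access -VlanId $Tenants[$TenantName].VlanId

    # 2. Port ACLs (layer 3 separation). With no ACL the port allows everything,
    #    so we add explicit Deny entries; anything not matched stays allowed,
    #    which is what lets the tenant reach the TMG-fronted Internet path.

    # Tenants must never reach the cloud infrastructure network
    Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress $InfraSubnet -Direction Both -Action Deny

    # ...nor any other tenant's subnet
    foreach ($other in $Tenants.Keys | Where-Object { $_ -ne $TenantName }) {
        Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress $Tenants[$other].Subnet -Direction Both -Action Deny
    }
}

function Show-TenantIsolation {
    param([Parameter(Mandatory)][string]$VMName)
    # Audit view: what the switch port will actually enforce for this VM
    Get-VMNetworkAdapterVlan -VMName $VMName | Format-Table -AutoSize
    Get-VMNetworkAdapterAcl  -VMName $VMName | Format-Table -AutoSize
}

# Usage (assumed VM name)
Set-TenantIsolation  -VMName "TenantA-Web01" -TenantName "TenantA"
Show-TenantIsolation -VMName "TenantA-Web01"
```

Two caveats worth keeping in mind. First, the VLAN assignment is the real isolation boundary; the Deny entries are defence in depth in case a tenant VM ends up on the wrong VLAN or the VLANs are routed somewhere. Second, these port ACLs match only on IP or MAC address and direction; they know nothing about ports, protocols or connection state, so they cannot express “only the web tier may talk to SQL on 1433”. That is exactly the gap the high security tier fills by adding the TMG firewall.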

Securing tenant-to-cloud connections

Another role that the TMG firewall can perform is that of securing the connections between the tenant network and the cloud infrastructure network. The cloud infrastructure network actually hosts a number of traffic profiles, such as Cluster/CSV traffic, storage traffic, Live Migration traffic, and management traffic. All of these traffic profiles must be completely isolated from the tenant traffic, because best practices dictate that tenants must never be able to communicate with the host infrastructure. The reason for this should be clear: if a compromised tenant were able to compromise the cloud infrastructure, then all the tenants in the cloud infrastructure could be affected, with potentially catastrophic implications. In practice the Cluster/CSV, storage and Live Migration traffic is latency sensitive and belongs on its own physically or VLAN-separated networks that have no route to the tenant VLANs at all; the TMG firewall then sits on the management path and acts as the backstop that denies anything from the tenant network that is addressed to those infrastructure ranges.

You also have to consider Internet access for both the cloud infrastructure and the tenants. Will the cloud infrastructure need access to the Internet? Most organizations will likely have Windows Server Update Services installed on their networks and will update the cloud infrastructure host servers using that mechanism instead of allowing them access to the Internet. You certainly don’t want administrators surfing the Internet from any of the host servers in the cloud infrastructure: a web browser on a Hyper-V host is an attack surface that puts every tenant on that host at risk. Therefore, it would be wise to configure the TMG firewall to block all Internet connections from any host server in the private cloud infrastructure.

As for the tenants in the IaaS private cloud infrastructure, this might be another value added service you can provide for them. You might have a tiered “Internet Security” service offering that you can include in the private cloud service menu. This might look something like the following:

  • A “low Internet security” option where you allow tenants to have unlimited access to the Internet.
  • A “medium Internet security” offering where you provide basic web antimalware and URL filtering for the tenants of the cloud infrastructure.
  • A “high Internet security” offering where you provide web antimalware, URL filtering, and white listing for sites that those hosts can reach.

I suppose you could also have another service offering where you would completely block tenants from reaching the Internet.
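Both of these policies, the block on Internet access from the host servers and the whitelist-only “high Internet security” tier, are ordinary TMG access rules, and both can be scripted. The following is an added example (not code from the original article) that creates them on a TMG 2010 array through the TMG COM administration object model (FPC.Root), run on an array member as a TMG administrator. The host names, IP addresses, computer set and domain name set names and the whitelisted domains are assumptions for illustration; “External” is the TMG built-in network, and the numeric constants are the values of the FPC type library enumerations they are named after.

```powershell
# Added example (not from the original article): two TMG access rules via the
# TMG COM administration object model. Run as a TMG administrator on an array
# member. All host names, addresses, set names and domains are assumed.

$fpc   = New-Object -ComObject "FPC.Root"
$array = $fpc.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

# Enumeration values from the FPC type library
$fpcPolicyRuleActionAllow = 0   # fpcPolicyRuleActions
$fpcPolicyRuleActionDeny  = 1
$fpcInclude               = 0   # FpcIncludeStatus
$fpcAllProtocols          = 0   # FpcProtocolSelectionType
$fpcSpecifiedProtocols    = 1

# --- 1. Cloud infrastructure hosts get no Internet at all -------------------
$hosts = $array.RuleElements.ComputerSets.Add("Cloud Infrastructure Hosts")
$hosts.Computers.Add("HV-HOST-01", "10.0.0.11")   # assumed host addresses
$hosts.Computers.Add("HV-HOST-02", "10.0.0.12")

$deny = $rules.AddAccessRule("Block Internet from cloud infrastructure")
$deny.Action = $fpcPolicyRuleActionDeny
$deny.AccessProperties.ProtocolSelectionMethod = $fpcAllProtocols
$deny.SourceSelectionIPs.ComputerSets.Add("Cloud Infrastructure Hosts", $fpcInclude)
$deny.AccessProperties.DestinationSelectionIPs.Networks.Add("External", $fpcInclude)
# WSUS sits on the Internal network, so host patching never crosses this rule.

# --- 2. "High Internet security" tenant tier: whitelisted sites only --------
$whitelist = $array.RuleElements.DomainNameSets.Add("Tenant A allowed sites")
foreach ($domain in "*.windowsupdate.com", "*.microsoft.com", "update.example.com") {  # assumed list
    $whitelist.Add($domain)
}

$tenantA = $array.RuleElements.ComputerSets.Add("Tenant A VMs")
$tenantA.Computers.Add("TENANTA-WEB01", "10.1.0.10")   # assumed tenant addresses
$tenantA.Computers.Add("TENANTA-APP01", "10.1.0.20")

$allow = $rules.AddAccessRule("Tenant A - whitelisted Internet only")
$allow.Action = $fpcPolicyRuleActionAllow
$allow.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
$allow.AccessProperties.SpecifiedProtocols.Add("HTTP",  $fpcInclude)
$allow.AccessProperties.SpecifiedProtocols.Add("HTTPS", $fpcInclude)
$allow.SourceSelectionIPs.ComputerSets.Add("Tenant A VMs", $fpcInclude)
$allow.AccessProperties.DestinationDomainNameSets.Add("Tenant A allowed sites", $fpcInclude)
# No other allow rule names Tenant A as a source, so everything else from these
# VMs falls through to the default rule and is denied.

# Commit to the array (the equivalent of clicking Apply in the console)
$array.Save()
```

Two practitioner notes. New rules are appended at the bottom of the policy, just above the default deny rule, so if you also publish a broad “low Internet security” allow rule sourced from the whole Internal network, move the infrastructure deny rule above it in the console, otherwise the broad allow matches first. And a domain name set only does what you expect for HTTPS when TMG can see the requested host name: tenants should be configured as web proxy clients (or HTTPS inspection enabled), because for plain SecureNAT traffic TMG has to fall back to a reverse DNS lookup of the destination address to match the set.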

Placement of the firewall

You also have to consider where you are going to place the TMG firewall or firewalls. You have several options. You could locate the TMG firewall on a server that is not part of the cloud infrastructure: on a separate cloud infrastructure, as a dedicated device, or as part of your virtualized data center that is not cloud. Remember that just because you virtualize components of your infrastructure, that does not mean it is a cloud. Yes, it’s a virtualized infrastructure, but it’s not a private cloud unless it supports the five essential characteristics of cloud computing as defined by the United States National Institute of Standards and Technology: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. I discussed those five essential characteristics in an earlier article.

Another option is to place the TMG firewall on the cloud infrastructure itself, as a virtual machine or machines running on the private cloud infrastructure. In this case, the TMG firewall could be used to control Internet access and access between virtual machines. This could also be another value added service offering that you could provide to the consumers of your cloud service. You can provide them with a TMG firewall that they can deploy on their tenant networks. This might be useful if you have consumers of your cloud service who would like to control the traffic between virtual machines that are participating in a multi-tier application and the tenant wants to make sure that the connections between the tiers are as secure as possible.

Summary

In this article, the beginning of a multi-part series, we talked about how the TMG firewall can be used to secure connections in the private cloud Infrastructure as a Service (IaaS) scenario. We saw that the TMG firewall can be used to protect the cloud infrastructure network from the tenants and discussed how the TMG firewall can also be used to isolate the tenants from each other. We also discussed how the TMG firewall can be used to control inbound and outbound Internet access for both the host infrastructure network and the tenants’ network. Finally, we looked at how you could use the TMG firewall as a value-added service offering that you can make available to the tenants so that they can have highly secure connections between virtual machines that participate in a multi-tier solution. Next time, in Part 2, we’ll discuss how you can use the TMG firewall to secure a hybrid cloud environment, where you need to connect your private cloud or traditional datacenter to the public cloud. We will examine the security issues that arise in such a scenario and what the TMG firewall can do to help mitigate some of the security concerns we are likely to encounter. See you then! –Deb.
