IaaS Firewalls – are they the real deal?

Amazon Web Services (AWS) recently announced the availability of their own Network Firewall . The firewall has many capabilities of modern day Next-Gen Firewalls such as Web-filtering, Stateful Firewall, Intrusion Prevention Systems and so on. Added to that is the flexibility that AWS touts for many of its services – high-availability and the ability to scale up on demand. They also claim partnership with many threat feeds providers to provide up to date protection from threats originating elsewhere in the Internet. With the ability to apply policies for traffic entering the Virtual Private Cloud (VPC) or exiting it, the AWS Network Firewall is offering many functionalities that are provided by traditional Firewall vendors such as Palo Alto Networks, Fortinet, Checkpoint and Juniper Networks.

Microsoft Azure has been providing a Network Firewall of its own for at least 2 years now. I did not see IPS listed as one if its feature offerings, but they do offer the flexibility and scale that the IaaS customers have come to expect. Noticeably, Azure’s firewall gets its threat feeds only from Microsoft’s Threat Intelligence and not from any other 3rd party partnership ecosystem, so to speak. Will that be a defining factor in a decision between AWS and Azure? I’d think not – capabilities of native Firewall offerings are not going to tip the scales in either favour when it comes to choosing between IaaS providers.

Where do these firewall offerings from the two dominant IaaS providers leave the traditional vendors? There are a few factors that work for them and few against them. In the corner for:

• The allure of the one-stop shop. A single hand to shake for all things AWS or Azure. There would be no need to interact with yet another vendor for specialised services offered.
• Automation becomes so much easier with the same templates and tools that are used to deploy the rest of the VPC network being used for deploying the firewalls.
• An ever developing ecosystem of services offered by the IaaS behemoths means that there is going to be more that can be achieved by end customers regularly keeping pace with the changing trends of deployments.

What’s not to like about these native offerings?

• The trouble of a single vendor. The flip side of having a single hand to shake/ single neck to choke is of course the helplessness that comes with being dependent on the support, technologies and abilities of that single vendor offering. If there is a capability that is not yet offered, (SSL-Proxy, for example); as a customer, then you have no choice but to wait for your IaaS provider to deem it important enough to offer.
• The reality that is multi-cloud. Most IT organisations have a presence on-premises and in the public cloud. The security posture and policies that are deployed on-prem will need to be replicated in the cloud and having to navigate the policy configuration for a new offering in the public cloud is not trivial. If the same security provider is available in the public cloud marketplace, then it makes sense to stick with the same provider to ensure the policies remain consistent everywhere.
• The problem of the hybrid-cloud. Increasingly, CIOs are moving to a multi-vendor approach for the public cloud as well. This means their data centers are present in AWS and Azure and maybe another. How can the security policies remain consistent when there are already 20 security providers for 20 different requirements on-prem and now, you add on more for the public cloud presence?

Regardless of the uptake in the Firewall offerings from these IaaS providers, the reality is that it rounds out the services offered by them very well. I’d consider it a service that must be provided by the public cloud providers, much like so many others they list. While it may not be a major deciding factor in the choice for deployment, it will make those organisations that are a AWS shop or an Azure shop happier and likely, more secure. For the others, it provides an option where earlier none existed. Will these firewalls push out the older vendors? I don’t think it will make a significant impact immediately. Niche players may find it hard to survive. We may also see a quicker pace of innovation in the firewall market. Like everything else, only time will tell.