A software firewall is a firewall in a software form factor rather than a physical appliance, which can be deployed on servers or virtual machines to secure cloud environments.
*Note: The term “software firewall” should not be confused with the term “firewall software,” which describes the operating system running a next-generation firewall (NGFW).
Software firewalls are designed to protect data, workloads and applications in environments wherein it is difficult or impossible to deploy physical firewalls, including:
Software firewalls embody the same firewall technology as hardware firewalls (also known as next-generation firewalls or NGFWs). Software firewalls offer multiple deployment options to match the needs of hybrid/multi-cloud environments and modern cloud applications. They can be deployed into any virtualized network or cloud environment.
Figure 1: Software firewalls in hybrid/multi-cloud security
The most important difference between a hardware and software firewall is the form factor, but there are several others worth noting, summarized in Figure 2.
Both software and hardware firewalls play critical roles in network security. Therefore, software firewalls are not better than hardware firewalls or vice versa. Rather, each is appropriate for different situations.
Figure 2: Differences between software firewalls and hardware firewalls
| Parameters | Software firewall | Hardware firewall |
|---|---|---|
| Form factors | | |
| Deployment options | | |
| Complexity | | |
Software firewalls typically fall into one of three categories:
Each type offers specific features for different environments and purposes. However, every software firewall monitors and protects east-west, incoming and outgoing network traffic. A software firewall blocks suspicious activity and prevents data exfiltration.
A virtual firewall protects a range of environments, including:
Virtual firewalls can inspect and control north-south perimeter traffic in public cloud environments and segment east-west traffic inside data centers and branches. Virtual firewalls offer advanced threat prevention measures via microsegmentation.
In public clouds, virtual firewalls add protections to the native safeguards cloud service providers (CSPs) offer. They also safeguard critical network connections to cloud applications. In these situations, cloud-based firewalls typically act as guest virtual machines. Some can provide visibility across multiple CSP deployments.
Higher-end virtual firewalls can offer the following benefits:
Container firewalls behave similarly to virtual firewalls but are purpose-built for Kubernetes environments. Container firewalls help network security teams safeguard developers with deep security integration into Kubernetes orchestration. This is important because container workloads embedded in Kubernetes environments can be difficult to secure with traditional firewalls.
Software firewalls are also available as a managed service, similar to many other software-as-a-service (SaaS) offerings. Some managed service firewall offerings provide a flexible way to deploy application-level (Layer 7) security without the need for management oversight. As managed services, some of these firewalls can also be quickly scaled up and down.
In the world of virtualized, decentralized environments, many network security challenges arise that cannot be solved with solutions applied to a traditional data center.
The concept of a traditional security perimeter separating the inside and outside of the network has been challenged for some time. With the proliferation of hybrid/multi-cloud strategies, today’s modern architectures make it even harder to define a perimeter. Additionally, much of the architecture consists of clouds run by service providers. This results in constant movement of information across the network and the internet.
40% of businesses have already suffered at least one cloud-based data breach, a remarkable percentage given the short duration of the cloud era. The victims of these successful attacks are not just cloud novices but established enterprises with considerable investment and expertise in network security.
Shifting to cloud-first strategies has profound implications for security, starting with application development. Security is not always top of mind for cloud developers. Their mandate is to develop and release as quickly as possible. In fact, 14% of cloud developers report application security as a top priority, while two-thirds routinely leave known vulnerabilities and exploits in their code. Plus, the development group is often tempted into thinking the native security provided by cloud service providers is “good enough.”
Network security often arrives late in the development lifecycle, limiting the range of available options. Furthermore, when the network security team recommends a security solution such as an NGFW, they bear the burden of proof to show their recommendations will not slow the business down or delay time to value.
One particularly disruptive change in development methodologies is the use of vendor-specific orchestration services like AWS Elastic Beanstalk, Azure App Service, and Google App Engine. With these tools, developers simply upload application code, and the orchestration service automatically handles deployment. While this level of automation greatly simplifies life for the developer, it also compounds the problems of network security in hybrid/multi-cloud architectures.
Data centers are evolving into private clouds in which local applications are hosted on virtual machines, not directly on physical servers. Other applications run on public clouds in virtualized environments, often using containers and Kubernetes orchestration. In this model, interconnections dominate the architecture, making the attack surface larger and more difficult to define.
Figure 3: Firewall security in traditional data center architecture
Securing hybrid/multi-cloud architectures poses challenges that traditional security solutions are not designed to overcome. The physical firewall is a critical security tool for many network applications. However, it is not always the only choice when it comes to modern hybrid/multi-cloud infrastructures and cloud-native development methods.
It’s well established that the perimeter of hybrid/multi-cloud environments is not well defined. Software firewalls make it easier to define the perimeter and desired enforcement points.
For example: a user can microsegment a database and establish a policy which only allows the back end of a particular application to communicate with it. This enables protection from inbound threats coming from the outside world. Threats designed to infiltrate applications, steal sensitive data, or encrypt data are blocked.
Modern applications today routinely access third-party code or open-source code. This requires reaching out to repositories like GitHub for third-party software updates. Updates can be misdirected to a command and control server.
Software firewalls offer outbound protection. This ensures only necessary repositories are accessed. Outbound protection also ensures that only approved URLs are accessed, preventing access to URLs that are malicious or infected with malware.
In the cloud, applications don't work in a silo. Rather, they communicate through APIs and network communications. Applications also talk to users inside and outside of the cloud as well. This is generally to ensure users can access and use those applications.
If the protection surface is infiltrated, software firewalls prevent lateral movement within the cloud. This includes cloud-to-cloud or VPC-to-VPC traffic. As a result, threats are extremely limited in their ability to move or pursue other resources within a cloud.
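The three protections described above (a microsegmented database that only the application back end may reach, an outbound allowlist of approved repositories, and default-deny between segments to block lateral movement) can be modelled as a small zone-based policy engine. The following is an added example, not code from the original page or from any firewall vendor: the address plan, zone names, rule names and sample flows are all constructed for illustration, and the `evaluate` function is a simplified stand-in for what a software firewall's policy engine does per connection.

```python
"""
Constructed example: a minimal zone-based, default-deny policy engine that
models microsegmentation, an outbound repository allowlist, and blocked
lateral movement. Every address, zone, rule and flow below is made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str                         # source IP
    dst: str                         # destination IP
    dport: int                       # destination port
    url_host: Optional[str] = None   # for outbound HTTPS, the requested host name


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dport: Optional[int]             # None means any port
    action: str                      # "allow" or "deny"
    allowed_hosts: tuple = ()        # outbound rules: URL/host allowlist, empty = any


# Constructed address plan: each segment of the application is its own zone.
# Anything outside these prefixes is treated as "internet".
ZONES = {
    "app-backend":  ip_network("10.1.0.0/24"),
    "database":     ip_network("10.2.0.0/24"),
    "web-frontend": ip_network("10.3.0.0/24"),
    "other-vpc":    ip_network("10.50.0.0/16"),
}


def zone_of(ip: str) -> str:
    """Map an IP address to its zone; unknown addresses are 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Explicit allow rules only; anything not matched falls through to default-deny.
RULES = [
    # Microsegmented database: only the back end may talk to it, on the DB port.
    Rule("backend-to-db", "app-backend", "database", 5432, "allow"),
    # Outbound protection: the back end may fetch updates from approved repos only.
    Rule("repo-updates", "app-backend", "internet", 443, "allow",
         ("github.com", "pypi.org")),
]


def evaluate(flow: Flow) -> tuple:
    """Return (action, rule_name) for a flow; first matching rule wins."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in RULES:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        # Outbound rule with an allowlist: the zones match but the host must too.
        if rule.allowed_hosts and flow.url_host not in rule.allowed_hosts:
            continue
        return rule.action, rule.name
    return "deny", "default-deny"


# Constructed flows exercising each protection. 192.0.2.0/24 and 203.0.113.0/24
# are documentation ranges, used here as placeholder external addresses.
SAMPLE_FLOWS = [
    Flow("10.1.0.7", "10.2.0.5", 5432),                          # back end -> DB
    Flow("10.3.0.9", "10.2.0.5", 5432),                          # front end -> DB
    Flow("203.0.113.4", "10.2.0.5", 5432),                       # internet -> DB
    Flow("10.1.0.7", "192.0.2.10", 443, "github.com"),           # approved repo
    Flow("10.1.0.7", "192.0.2.20", 443, "updates.example"),      # unapproved host
    Flow("10.2.0.5", "10.50.3.3", 22),                           # DB -> other VPC
]


def audit(flows) -> list:
    """Evaluate every flow and return [(src, dst, dport, action, rule), ...]."""
    return [(f.src, f.dst, f.dport, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print("%-14s -> %-14s :%-5d %-5s (%s)" % row)
```

Running the block prints one decision per flow: only the back-end-to-database connection and the fetch from `github.com` are allowed; the front end reaching the database directly, an internet source reaching the database, an update fetch to an unapproved host, and the database host reaching into another VPC all fall through to `default-deny`. The design point is that every allowed path is an explicit rule tied to a zone pair, a port and (for outbound traffic) a host allowlist, so a compromised host gains no reachability the policy never granted.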
Software firewalls don’t require traveling to a physical location, rearranging cables, or interacting with a CLI. In fact, deployment, scaling, and policy changes are typically automated. Staff do not have to invest hours doing routine manual operations.