Checkpoint firewalls vs. Azure Network Security Groups (NSGs)
This post compares Azure Network Security Groups (NSGs) and
virtual firewall appliances, specifically Checkpoints.
Azure Network Security Groups
Azure Network Security Groups, are the built-in firewalling
mechanism in Azure, they allow you to control traffic to your virtual network
(VNET) that contains your IaaS VMs (and potentially PaaS infrastructure such as
App Service Environments – ASEs).
Network Security Rules are like firewall rule, they consist
of
- A name for the rule
- A description
- The direction of the rule e.g. Inbound if it applies to traffic coming into the VNET/subnet or Outbound if it applies to traffic leaving a VNET/subnet
- An action, allow or deny.
- Source address range
- Source port
- Destination address range
- Destination port
The network security rules are then grouped together into
NSGs. These NSGs are in turn either applied at the subnet level or to
individual Network Interfaces (NICs) associated with VMs.
Even if you have not created any NSGs there are some default
built-in system rules, these essentially block all inbound traffic (except from
the Azure load balancer), allow all traffic within a VNET and all outbound
traffic.
Checkpoint firewall architecture on Azure
Checkpoint firewalls on Azure are virtual machines running
the Checkpoint software. However, to make use of Checkpoints you need a number
of other Azure services in place. If you also want high-availability then you
need a few more.
·
Azure VMs (the Checkpoints are deployed from the
Azure Marketplace) – two if you want high availability
·
Azure Load Balancer (if you’re deploying them in
a high availability configuration), with NAT rules
·
Azure Route Tables to direct traffic through the
Checkpoints
·
An Azure AD Application and Service Principal –
which is used by the Check to modify the Load Balancer configuration to direct
traffic to the correct Checkpoint in the event the primary fails, modify the
cluster public IP association and route tables.
Comparison
NSG
|
Checkpoints
|
|
Complexity
|
Low complexity – simply define rules in the portal, via the Azure
PowerShell module or ARM templates.
|
High – the checkpoints depend on a number of other Azure services. When
there are issues it can be difficult to reason about where the problem lies.
|
Cost
|
Low cost – there is not additional cost to using NSGs
|
High cost – you pay for the VMs, Checkpoint licensing (including for
any blades that you need), Azure Load Balancer, Storage used by the
Checkpoint VMs and Public IPs.
|
Management overhead
|
Low
There is no infrastructure to manage
|
High
You have to manage the VMs, update/patch the Checkpoint software,
route tables and load balancer.
If you have a lot of VNETs and/or on-premise ranges, managing the
Route Tables (and static routes on the Checkpoints can be a headache).
|
Scalability
|
Relatively easy to scale
You don’t need to worry about scaling – the only limits you have are
around the number of NSGs and rules per NSGs. The only problem is that you
can easily hit those limits if you have to implement a default deny rule on
outbound traffic and then whitelist Azure IP address ranges [**more on why
this is required]
|
Difficult to scale
You are limited to two Checkpoints per cluster. In addition, the
Checkpoints are in an active-passive configuration so only one can handle
traffic the other is sitting idle burning cash.
Furthermore, since you cannot scale out this means the best you can
do is scale up.
On the plus side you don’t need to worry about limits on the number
of rules so you can easily whitelist the Azure IP ranges.
|
Features
|
NSGs are currently limited to traditional firewall rules. If you want
other capabilities such as Web Application Firewall (WAF), you would need to
use the WAF capabilities of the Azure Load Balancer.
|
You can use all the features (blades) that Checkpoints provide such
as WAF, IPS etc.
|
Automation
|
NSGs are highly automatable you can automate the management of such
rules via PowerShell and/or ARM templates.
|
Automating Checkpoint deployments is far more complex since it
involves VMs, Load Balancer and Route tables.
Furthermore, when it comes to implementing the rules – as far as I am
aware there is no API or PowerShell module for Checkpoints. The closest thing
available is a command line tool is dbedit.
|
High Availability
|
Comes for free with NSGs – it’s a distributed service.
|
HA is far more complex with Checkpoints – and complex systems are
harder to make highly available.
The Route Tables and static routes on the Checkpoints can make this a
fragile solution.
|
Disaster Recovery
|
Microsoft are effectively responsible for this.
That said you can keep NSGs rules stored in your version control
system so should you make a mistake it should be easy to rollback (and
identify the breaking change as well as have an audit chain of what was
changed)
|
There is no DR solution – as while your Checkpoint management servers
hold (most of the configuration so you can redeploy the config), in a DR
situation if you lose a Checkpoint VM you have to rebuild it and reconfigure
the cluster which requires a lot of manual effort (you can automate some of this
at least on the Azure side but not everything).
|
It should be noted that there have been a number of announcements at Ignite 2017 that will simplify NSG rules such as Application Groups, Service Tags and Augmented Rules.
The two most common reasons I hear why an organisation wants
to use Checkpoints (or another virtual firewall appliance for that matter) in
place of NSGs are:
Skills: we already use Checkpoints on-premise so it’s easier to manage those from a skills perspective
The way that Checkpoints work in Azure today I think this is
a fallacy. While yes it’s true your network, security (or whichever team
manages your firewalls on-premise) will be familiar with how to configure rules
on Checkpoints there are some fundamental differences, namely they are unlikely
to be familiar with:
- Azure AD Applications
- Azure Load Balancer
- Azure Route Tables
- Managing VMs on Azure
Security/features are better with Checkpoints
This is mostly true in the sense that you can bolt on WAF or
IDS/IPS capabilities to a Checkpoint and manage this through a “single pane of
glass”. NSGs are (currently – I think this will change) more rudimentary in
comparison.
That said you are in a sense increasing your attack surface
as you must manage the Checkpoint VMs. In addition, because Checkpoints on
Azure have so many moving parts in my view it’s far easier to make mistakes and
create a vulnerability/security risk. Such as misconfigure your Route Table
such that traffic is not filtered by your Checkpoints. In addition, you also must
safe guard the Azure AD application credentials (which are stored in cleartext
on the Checkpoints) as it is used to modify the route tables, load balancer,
public IP associations.
NSGs are hard to troubleshoot as it’s provided as a service
Since Checkpoint rules are typically managed through a
management server from a GUI it is believed this makes it easier to
troubleshoot issues. This is true in that it’s easier to capture traffic going
through the firewall and determine if the firewall is accepting or denying
traffic. However, things are not so simple in the real world – if you have
issues with return traffic e.g. route tables it becomes far more complex. You
can’t easily troubleshoot as you normally would have by installing the Network
Watcher on the Checkpoints because they are third party appliances.
NSGs used to be hard to troubleshoot, but now you can setup
NSG logs to be stored in Azure Storage, look at the effective security rules
applied to NICs to determine if traffic is allowed, use Network Watcher to
capture traffic.
I can’t meet audit requirements with NSG
Before the advent of NSG logs and Network Watcher this used
to be true but not anymore – with these solutions you can retain NSG logs for
audit purposes and to meet other requirements (such as feeding them into a SIEM
or IDS/IPS).
You can also export logs (yes this does require more work
than it would have with Checkpoints) to your SIEM or log analytics tool, for
example NSG logs / Network Watcher data can be fed into Splunk.
Summary
This is not to say that Checkpoints on Azure are not a good
solution – what I am saying is that you need to understand the trade-offs that
you are making in using either NSGs or a virtual firewall appliance such as a
Checkpoint.
The idea of perimeter security is slowly giving way to other
more modern approaches that involves applying network security not just at your
network edge but network security policies that apply at the node (e.g. server,
container etc). level. Similar to network security policies available in the
containerisation world. In fact, in the cloud this model is makes far more
sense than the old perimeter security model.
Comments
Post a Comment