Next Generation Firewall vs. Container Firewall

What’s a Container Firewall? And how is it different than a Next Generation Firewall?

By Gary Duan

Containers and microservices are revolutionizing computing. But can firewalls help secure these? Next Generation Firewalls (NGFW) were supposed to handle the latest threats and data center designs, but fall short in the new cloud microservices environments. Here’s a comparison of the next generation firewall vs. container firewall.

Before we get into the features of a next generation firewall vs. container firewall, let’s take a look at the attributes of containers and microservices. Containers are part of a larger trend toward virtualized application workloads. Virtualized workloads, whether they are containers, IoT devices, or serverless computing provide a wealth of declarative meta-data from which security policies and decisions can be derived.

Attributes of Microservices – An Explosion of East-West Traffic

The migration from monolithic applications to container-based microservices brings many benefits but also changes communication patterns. The most significant change from a networking and security view is that there is now an explosion of East-West, or internal, traffic within hosts and between hosts. While each running container can be hardened and expose limited interfaces there are also many more opportunities for attackers to probe and find vulnerabilities.

Containers are designed to be deployed in seconds and an orchestration system can launch new containers on the same hosts or across hosts depending on service demands and host resources available. Each container has its own mapped network interfaces which get assigned and deallocated on the fly.

Security Issues of Container Deployments

With containers being started and stopped constantly, and rapid deployment of updates to applications through a continuous integration and continuous delivery (CI/CD) pipeline, it becomes very difficult to monitor and secure container traffic at the network layer. Traditional firewalls and next generation firewalls are designed mainly to be a gateway for external, or north-south traffic, and can’t protect container traffic.

Not only is it difficult for traditional firewalls to see east-west internal traffic within a host or between hosts, it is also impossible for them to keep up with the constant changes as containers launch and disappear. As one network security architect put it “in a containerized world you can’t be messing with iptables or manually updating firewall rules.”

Why is it important to monitor containers at run-time? One reason is the frequent use of open source software for building container applications. Often, developers may not understand the application vulnerabilities which are introduced with each open source package or library used. And once in production, it is easy to lose track of which containers are vulnerable to new vulnerabilities discovered, often years after they are put into production.

Key Features of a Cloud-Native Container Firewall

So what is a container firewall? A container firewall provides much of the same protections that next generation firewalls provide at the edge, but in a cloud-native environment for all container traffic. This includes east-west, north-south, and container to non-container traffic.

A cloud-native container firewall is able to isolate and protect workloads, application stacks, and services, even as individual containers scale up, down, or across hosts. It must also protect the ingress and egress from external networks and legacy applications much like a traditional gateway firewall does, except with container awareness.

Here are the key features of a Cloud-native Container Firewall

• Intent based intelligence. Understands intent of applications from meta-data and behavioral analysis. Characteristics include:
  • Declarative, automated protection. Discovers application behavior and security requirements and adapts to changes and updates.
  • Whitelist based rules. Assumes a zero-trust model and defines allowed behavior.
  • Application based (Layer 7) policy. Does not use IPtables or only L3/L4 rules.
• Container level protection. Drop suspicious connections or quarantine entire container.
• Integrates with container orchestration. Scales across hosts, clouds and adapts to updates.
• Supports container platforms and run-time engine. Runs seamlessly with system security libraries, overlay networks, and Docker engine.
• Supports common containerized application protocols. Recognize and enforce policy based on popular application protocols such redis, mysql, mongodb.
• Fits into CI/CD processes. Integrate into automated pipelines using REST API to support scripting, Jenkins etc.

A container firewall also includes many next generation firewall features, such as:

• Layer 7 deep packet inspection (DPI). Many microservices communicate over HTTP, and detecting and protecting based on application protocol is critical.
• Threat protection. Protects against internal application level attacks such as DDoS, DNS attacks commonly found in web application firewall (WAF) devices.
• Blacklist rules. Ability to set rules based on IP addresses, ranges, or other L3/L4 policies.

Because a container firewall is meant to primarily protect container traffic, it is not meant to replace the NGFW, IDS/IPS, or WAF at the edge. However, it must protect against common known application attacks which could originate internally.

Key Features of a Next Generation Firewall (NGFW)

Next generation firewalls provide advanced protection for traditional data centers, where traffic from the internet or from untrusted networks need to be secured.

In general, a next generation firewall will include these features:

• L7 Application Awareness. Monitor connections by inspecting the application protocols at network layer 7, in addition to Layers 2-4.
• Threat Detection Through Intrusion Detection/Protection System (IDS/IPS). An IPS system will detect and block known attacks through the use of signatures, behaviors, and other detection techniques.
• Stateful Inspection. Traffic inspection and protection policies are based on the state of connections. An NGFW can enforce stateful inspection policies based on not only L2-4 but also up to Layer 7.
• User-Identity Policies. Access to resources can be controlled by user identity, not just the IP address or type of connection. In a container firewall, a similar capability is to restrict container to container traffic based on behavioral learning.
• Support for Routed and Bridged Modes. Firewalls may be deployed as a bridge (L2) and/or a router (L3) depending on the topology and requirements. Container firewalls are host deployed and operate like a bridge (bump in the wire) to monitor packets and block if enabled.

Chart: NGFW vs Container Firewall Comparison

Continuous Security for Containers

Like any environment, a containerized environment requires a layered security strategy with multiple protection layers. It’s critical to build in security throughout the Build, Ship, and Run cycle. For run-time visibility and protection, a container firewall plays a central role.

A container firewall solution can provide not only network layer inspection and protection but also is in a unique position to monitor host and container processes. Because of its distributed nature, host-based container firewalls provide efficient local monitoring and protection. With its integration with the Docker engine and orchestration and container management tools, a container firewall can also provide host and container process inspection, security auditing and testing, and resource monitoring. Container firewalls often contain the following additional features:

• Host process monitoring and security for privilege escalations, suspicious processes and breakouts
• Vulnerability scanning in registries, hosts, and running containers
• Auditing and compliance with CIS Benchmarks security tests
• Packet capture for forensics and debugging.

Securing container deployments requires some new technologies such as container firewalls as well as traditional solutions such as next generation firewalls. For new virtualized workloads, application intelligence, declarative policies, and integration with cloud-native orchestration tools are required to monitor and secure them.

About the Author: Gary Duan

Gary is the Co-Founder and CTO of NeuVector. He has over 15 years of experience in networking, security, cloud, and data center software. He was the architect of Fortinet’s award winning DPI product and has managed development teams at Fortinet, Cisco and Altigen. His technology expertise includes IDS/IPS, OpenStack, NSX and orchestration systems. He holds several patents in security and data center technology.