Microservices Expo Authors: Flint Brenton, Elizabeth White, Pat Romanski, Gordon Haff, John Katrick

Related Topics: Microservices Expo, Containers Expo Blog, @CloudExpo

Microservices Expo: Blog Feed Post

Challenging the Firewall Data Center Dogma

Do you really need a firewall to secure web and application services?

Do you really need a firewall to secure web and application services? Some organizations would say no based on their experiences while others are sure to quail at the very thought of such an unnatural suggestion.

Firewalls are, in most organizations, the first line of defense for web and application services. This is true whether those services are offered to the public or only to off-site employees via secure remote access. The firewall is, and has been, the primary foundation around which most network security architectures are built.


We’ve spent years designing highly-available, redundant architectures that include the firewall. We’ve deployed them not only at “the edge” but moved them further and further into the data center in architectures that have commonly become known as “firewall sandwiches”. The reasons for this are simple – we want to protect those services that are critical to the business and the primary means by which we accomplish that task is by controlling access to them via often simple but powerful access control.

In later years we’ve come to rely upon additional intrusion detection systems such as IPS (Intrusion Prevention Systems) that are focused on sniffing out (sometimes literally) malicious attacks and attempts to circumvent security policies and stop them.

One of the core attacks against which such solutions protect services is a denial of service.

>Unfortunately, it is increasingly reality that the firewall is neither able to detect or withstand such attacks and ultimately such devices fail – often at a critical moment. The question then is what to do about it. The answer may be to simply remove the firewall from the critical data path for web services./p>


Just about anything is unnatural the first time you try it, but that doesn’t mean it isn’t going to work or that it’s necessarily wrong. One of my favorite fantasy series – David Eddings’ Belgariad – illustrates this concept quite nicely. A couple of armies need to move their ships up an escarpment to cross a particular piece of land to get where they need to be. Now usually fording – historically – involves manhandling ships across land. This is hard and takes a lot of time. No one looked forward to this process. In the story, someone is wise enough to put these extremely large ships on wheels and then leverage the power of entire herds of horses to move them over the land, thus improving performance of the process and saving a whole lot of resources. One of the kings is not all that sure he likes violating a precept that has always been akin to dogma – you ford ships by hand.


enchanters end game King Rhodar put on a perfectly straight face. “I’ll be the first to admit that it’s probably not nearly as good as moving them by hand, Anheg. I’m sure there are some rather profound philosophical reasons for all that sweating and grunting and cursing, but it is faster, wouldn’t you say? And we really ought to move right along with this.”

“It’s unnatural,” Anheg growled, still glaring at the two ships, which were already several hundred yards away.

>Rhodar shrugged. “Anything’s unnatural the first time you try it.”

-- “Enchanter’s End Game”, David Eddings (p 147) >

Needless to say King Anheg eventually gave in and allowed his ships to be moved in this new, unnatural way, finding it to be more efficient and faster and ultimately it kept his men from rebelling against him for making them work so hard.

This same lesson can be applied to removing the firewall from the critical inbound data path of services. Sure, it sounds unnatural and perhaps it is if it’s the first time you’re trying it, but necessity is the mother of invention and seems to also help overcome the feeling that something shouldn’t be done because it hasn’t been done before. If you need convincing as to why you might consider such a tactic, consider a recent survey conducted by Arbor Networks showing an increasing failure rate of firewalls and IPS solutions due to attacks.

“Eighty-six percent of respondents indicated that they or their customers have placed stateful firewall and/or IPS devices in their IDCs. Nearly half of all respondents—a solid majority of those who actually have deployed these devices within their IDCs— experienced stateful firewall and/or IPS failure as a direct result of DDoS attacks during the survey period. Only 14 percent indicated that they follow the IDC BCP of enforcing access policy via stateless ACLs deployed on hardware-based routers/Layer 3 switches capable of handling millions of packets per second.”[emphasis added]


>-- Network Infrastructure Security Report Volume VI, Arbor Networks, Feb 1 2011

That is a lot of failures, especially given that firewalls are a critical data center component and are almost certainly in the path of a business critical web or application service.

But it’s dogma; you simply must have a firewall in front of these services. Or do you?


The reality is that you need firewall functionality – services - but you also need a lot more. You need to control access to services at the network layers but you also need to clip_image002mitigate access and attacks occurring at the application layers. That means packet-based firewalls – even with their “deep packet inspection” capabilities – are not necessarily up to the task of protecting the services they’re supposed to be protecting. The Anonymous attacks taught us that attacks are now not only distributed from a client perspective, they’re also distributed from a service perspective; attacking not only the network but the application layers. That means every device between clients and servers must be capable of handling not only the increase in traffic but somehow detecting and preventing those attacks from successfully achieving their goal: denial of service.

During the anonymous attacks, discussions regarding what to do about traffic overwhelming firewalls resulted in what might be considered an “unnatural” solution: removal of the firewall. That’s because the firewall was actually part of the problem, not the solution, and removing it from the inbound data path resulted in a more streamlined (and efficient) route that enabled continuous availability of services despite ongoing attacks – without compromising security.

Yes, you heard that right. Some organizations are running sans firewall and finding that for inbound web services, at least, the streamlined path is maintaining a positive security posture while ensuring availability and performance. That doesn’t mean they are operating without those security services in place, it just means they’ve found that other components in the inbound data path are capable of providing those basic firewalling services without negatively impacting availability.


It isn’t just attacks that are going to pose problems in the near future for firewalls and IPS components. The increase in attacks and attack surfaces are alarming, yes, but it’s that combined with an increase in traffic in general that’s pushing load on all data center components off the charts. Cisco recently shared the results of its latest Visual Networking Index Forecast:

quote-badge“By 2015, Cisco says that mobile data traffic will grow to 6.3 exabytes of data or about 1 billion gigabytes of data per month. The report indicates that two-thirds of the mobile data traffic on carrier networks in 2015 will come from video services. This trend follows a similar trend in traditional broadband traffic growth.”

>Read more: http://news.cnet.com/8301-30686_3-20030291-266.html#ixzz1CtYWZPAk

Cisco’s report is obviously focused on service providers as they will bear the brunt of the increase in traffic (and in many cases they bear the majority of the impact from denial of service attacks) but that traffic is going somewhere, and somewhere is often your data center, accessing your services, increasing load on your data center infrastructure.

Load testing, to be sure, of an active architecture is important. It’s the only way to really determine what the real capacity for your data center will be and how it will respond under heavy load – and that includes the additional strain resulting from an attack. Cloud-based load testing services are available and can certainly be of assistance in performing such testing on live infrastructure. And yes, it  has to be live or it won’t find all the cracks and fissures in your architecture. It isn’t your lab environment, after all, that’s going to be under attack or stressed out by sudden surges in traffic. Perhaps no problems exist, but you really don’t want to find out there are when the pressure’s on and you have to make the decision in the heat of the moment. Try testing with your firewall, and without (assuming you have solutions capable of providing the security services required in the inbound data path). See if there is an impact (positive or negative) and then you’ll be better able to make a decision in the event it becomes necessary.

Putting firewalls in front of your Internet services has been dogma for a long, long time.  But are they up to the task?  It would appear in many cases they aren’t. When a solid majority of folks have found their sites down due to firewall failure, we may need to rethink the role of a firewall in securing services. That doesn’t mean we’ll come to a different conclusion, especially as only part of the architectural decisions made regarding data center security are dependent on technological considerations; other factors such as risk tolerance by the business are often the driving factor and play a much larger role in such decisions whether IT likes it or not. But it does mean that we should occasionally re-evaluate our data center strategies and consider whether traditional architectural dogma is still appropriate in today’s environment. Especially when that architectural dogma may be part of the problem.

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@MicroservicesExpo Stories
The general concepts of DevOps have played a central role advancing the modern software delivery industry. With the library of DevOps best practices, tips and guides expanding quickly, it can be difficult to track down the best and most accurate resources and information. In order to help the software development community, and to further our own learning, we reached out to leading industry analysts and asked them about an increasingly popular tenet of a DevOps transformation: collaboration.
"We started a Master of Science in business analytics - that's the hot topic. We serve the business community around San Francisco so we educate the working professionals and this is where they all want to be," explained Judy Lee, Associate Professor and Department Chair at Golden Gate University, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
There is a huge demand for responsive, real-time mobile and web experiences, but current architectural patterns do not easily accommodate applications that respond to events in real time. Common solutions using message queues or HTTP long-polling quickly lead to resiliency, scalability and development velocity challenges. In his session at 21st Cloud Expo, Ryland Degnan, a Senior Software Engineer on the Netflix Edge Platform team, will discuss how by leveraging a reactive stream-based protocol,...
We call it DevOps but much of the time there’s a lot more discussion about the needs and concerns of developers than there is about other groups. There’s a focus on improved and less isolated developer workflows. There are many discussions around collaboration, continuous integration and delivery, issue tracking, source code control, code review, IDEs, and xPaaS – and all the tools that enable those things. Changes in developer practices may come up – such as developers taking ownership of code ...
The dynamic nature of the cloud means that change is a constant when it comes to modern cloud-based infrastructure. Delivering modern applications to end users, therefore, is a constantly shifting challenge. Delivery automation helps IT Ops teams ensure that apps are providing an optimal end user experience over hybrid-cloud and multi-cloud environments, no matter what the current state of the infrastructure is. To employ a delivery automation strategy that reflects your business rules, making r...
Cloud Governance means many things to many people. Heck, just the word cloud means different things depending on who you are talking to. While definitions can vary, controlling access to cloud resources is invariably a central piece of any governance program. Enterprise cloud computing has transformed IT. Cloud computing decreases time-to-market, improves agility by allowing businesses to adapt quickly to changing market demands, and, ultimately, drives down costs.
For over a decade, Application Programming Interface or APIs have been used to exchange data between multiple platforms. From social media to news and media sites, most websites depend on APIs to provide a dynamic and real-time digital experience. APIs have made its way into almost every device and service available today and it continues to spur innovations in every field of technology. There are multiple programming languages used to build and run applications in the online world. And just li...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
How is DevOps going within your organization? If you need some help measuring just how well it is going, we have prepared a list of some key DevOps metrics to track. These metrics can help you understand how your team is doing over time. The word DevOps means different things to different people. Some say it a culture and every vendor in the industry claims that their tools help with DevOps. Depending on how you define DevOps, some of these metrics may matter more or less to you and your team.
"CA has been doing a lot of things in the area of DevOps. Now we have a complete set of tool sets in order to enable customers to go all the way from planning to development to testing down to release into the operations," explained Aruna Ravichandran, Vice President of Global Marketing and Strategy at CA Technologies, in this SYS-CON.tv interview at DevOps Summit at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"We are an integrator of carrier ethernet and bandwidth to get people to connect to the cloud, to the SaaS providers, and the IaaS providers all on ethernet," explained Paul Mako, CEO & CTO of Massive Networks, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Grape Up leverages Cloud Native technologies and helps companies build software using microservices, and work the DevOps agile way. We've been doing digital innovation for the last 12 years," explained Daniel Heckman, of Grape Up in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"NetApp's vision is how we help organizations manage data - delivering the right data in the right place, in the right time, to the people who need it, and doing it agnostic to what the platform is," explained Josh Atwell, Developer Advocate for NetApp, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis tool. It is an extremely lightweight tool that can integrate with pretty much any build process right now," explained Andrew Siegmund, Application Migration Specialist for CAST, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Let's do a visualization exercise. Imagine it's December 31, 2018, and you're ringing in the New Year with your friends and family. You think back on everything that you accomplished in the last year: your company's revenue is through the roof thanks to the success of your product, and you were promoted to Lead Developer. 2019 is poised to be an even bigger year for your company because you have the tools and insight to scale as quickly as demand requires. You're a happy human, and it's not just...
The enterprise data storage marketplace is poised to become a battlefield. No longer the quiet backwater of cloud computing services, the focus of this global transition is now going from compute to storage. An overview of recent storage market history is needed to understand why this transition is important. Before 2007 and the birth of the cloud computing market we are witnessing today, the on-premise model hosted in large local data centers dominated enterprise storage. Key marketplace play...
Cavirin Systems has just announced C2, a SaaS offering designed to bring continuous security assessment and remediation to hybrid environments, containers, and data centers. Cavirin C2 is deployed within Amazon Web Services (AWS) and features a flexible licensing model for easy scalability and clear pay-as-you-go pricing. Although native to AWS, it also supports assessment and remediation of virtual or container instances within Microsoft Azure, Google Cloud Platform (GCP), or on-premise. By dr...
With continuous delivery (CD) almost always in the spotlight, continuous integration (CI) is often left out in the cold. Indeed, it's been in use for so long and so widely, we often take the model for granted. So what is CI and how can you make the most of it? This blog is intended to answer those questions. Before we step into examining CI, we need to look back. Software developers often work in small teams and modularity, and need to integrate their changes with the rest of the project code b...
Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. Kubernetes was originally built by Google, leveraging years of experience with managing container workloads, and is now a Cloud Native Compute Foundation (CNCF) project. Kubernetes has been widely adopted by the community, supported on all major public and private cloud providers, and is gaining rapid adoption in enterprises. However, Kubernetes may seem intimidating and complex ...