Summary
Network Firewall as a Service secures traffic into OCI and between VCNs.
Reference
OCI Network Firewall
OCI Network Firewall is a cloud-native firewall powered by industry-leading Palo Alto Networks' next-generation firewall technology.
- Advanced threat prevention to help block malware, spyware, command-and-control (C2) attacks, and vulnerability exploits.
- Adopt without needing additional third-party security infrastructure
- Addresses regulatory requirements with granular security controls
Features are:
- Stateful Rules
- IDS and IPS
- URL and FQDN filtering
- Flexible Policy Enforcement
- Customer applications
OCI Network Firewall Versus Third-Party Firewall
- OCI Network Firewall
- Oracle-managed FWaaS
- Simple deployment
- Built in HA
- Patch management and maintenance
- Customer still responsible for policy
- Direct integration with OCI (Logging, Vaults, and so on)
- No requirement for specialized third-party skills and expertise
- Third-Party Firewall
- Flexible deployment options:
- BYOL
- Choose your vendor
- Familiar interface and feature set for existing customers of a third-party vendor
- Support for more advanced features
- Integrate with existing tools
Use Case 1: Perimeter Security
Protect your applications and network against known vulnerabilities until you have time to patch/update
- Enforce allow or deny stateful filtering rules based on 5-tuple information (source and destination IP address (both IPv4 and IPv6), port, and protocol)
- Apply rules in any combination of white/black/grey lists for greater flexibility to help meet business compliance or regulatory goals.
Use Case 2: Intrusion Detection and Prevention
Integrated IDS and IPS solution built with Palo Alto Networks' threat analysis engine and Unit 42, the security research teams that identify new threat signatures and detection mechanisms
- Helps detect (IDS) and block (IPS) known exploits, malware, malicious URLs, spyware, command and control (C2) attacks
Use Case 3: Selective Access to Oracle Services Network (OSN)
OCI Network Firewall can enforce URL inspection rules that grant access ONLY if no threats are detected, and restrict access to a specified list of services.
- Protect against outbound data exfiltration - For example, allow Ubuntu servers to only do apt-get to *.canonical.com for updates
Use Case 4: Application Segmentation and Zero-Trust
Implement a secure, zero-trust architecture between trust domains. Block threats from moving laterally (East-West) between trust domains.
- Allow communication from web to app and from app to database, but block web to database communication
- Allow only approved DB admins to run only SQL transactions
Logging, Monitoring, and Analytics
- Network Firewall metrics help monitor the health and performance of firewall policies and resources
- Alarms and Notifications can be configured to notify you when metrics meet alarm-specified triggers
- Network Firewall logs enable you to understand which rules and countermeasures are triggered by requests
- Logging Analytics helps analyze patterns, create dashboards, provide topology drill downs, and much more
Flexible Deployment Options
- Centralized deployment
- Network Firewall is deployed in a Hub VCN and connected to spoke VCNs through a dynamic routing gateway.
- Distributed deployment
- A dedicated Network Firewall is deployed in each VCN.
Demonstration
This demonstration only allows HTTPS traffic from the VCN (10.0.0.0/16) to Oracle YUM repositories. The route tables for the client subnet and the NAT gateway force all egress to and ingress from the Internet to go through the Network Firewall:
- Client Subnet 10.0.0.0/24
- Route table
- 0.0.0.0/0 10.0.1.100 (Network Firewall)
- Firewall Subnet 10.0.1.0/24
- Network Firewall 10.0.1.100
- Network Firewall Policy
- Route Table
- 0.0.0.0/0 NAT Gateway
- NAT Gateway
- Route Table
- 10.0.0.0/16 10.0.1.100 (Network Firewall)
Source | Destination | Protocol/Port | URL | Action |
---|---|---|---|---|
10.0.0.0/24 | Any | TCP/443 | yum-us-phoenix-1.oracle.com, yum-us-phoenix-1.oci.oraclecloud.com | Allow |
In order to create a Network Firewall, a Network Firewall Policy (NFWP) needs to exist. A dummy NFWP can be created and then replaced after the Network Firewall is created. An empty NFWP denies all traffic.
Creating a NFWP:
- Create URL list of permitted URLs
- Create a service for TCP/443
- Create service list for the service
- Create Address List for sources (10.0.0.0/16)
- Create security rule
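The following is an added example (not OCI code, and not from the original notes) that models the demonstration policy above as data and evaluates sample flows against it: the address list, service list, URL list and security rule from the steps, plus the default-deny behaviour of an empty policy. The rule-matching order (first match wins), the use of shell-style wildcards for URL patterns, and the names are assumptions made for this illustration.

```python
"""Simplified model of the demo Network Firewall Policy (constructed example).
It does not call OCI; it only approximates how a stateful rule is matched."""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class SecurityRule:
    name: str
    sources: list        # address-list CIDRs; empty list means any
    destinations: list   # address-list CIDRs; empty list means any
    services: list       # (protocol, port) pairs from the service list
    urls: list           # URL-list patterns; empty list means no URL check
    action: str          # "ALLOW", "DROP" or "REJECT"


@dataclass
class Policy:
    rules: list = field(default_factory=list)


def in_lists(ip: str, cidrs: list) -> bool:
    """True if ip falls inside any CIDR, or if the list is empty (= any)."""
    if not cidrs:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def evaluate(policy: Policy, src: str, dst: str, proto: str,
             port: int, host: str = "") -> str:
    """Return the action for a 5-tuple plus the inspected URL/FQDN host."""
    for rule in policy.rules:  # assumption: first matching rule wins
        if not in_lists(src, rule.sources) or not in_lists(dst, rule.destinations):
            continue
        if (proto.upper(), port) not in rule.services:
            continue
        if rule.urls and not any(fnmatch(host, p) for p in rule.urls):
            continue
        return rule.action
    return "DROP"  # empty policy or no matching rule: deny all


# The demonstration policy: VCN sources, TCP/443, the two Oracle YUM hosts.
DEMO_POLICY = Policy(rules=[SecurityRule(
    name="allow-yum-https",
    sources=["10.0.0.0/16"],
    destinations=[],
    services=[("TCP", 443)],
    urls=["yum-us-phoenix-1.oracle.com", "yum-us-phoenix-1.oci.oraclecloud.com"],
    action="ALLOW",
)])
```

Flows from 10.0.0.0/16 over TCP/443 to either YUM host are allowed; any other host, port, or source, and any flow under an empty policy, is dropped.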