When it comes to the cloud, a decision between using native cloud services and purchasing enterprise-grade solutions needs to be made. In this article, we will be examining the native firewall capabilities in Google Cloud and how Cloud Firewall stacks up to some of the competition.
Earlier this year, in a significant strategic partnership with Palo Alto Networks, Google Cloud unveiled the anticipated preview of Google Cloud Firewall Plus, highlighting their commitment to bolstering cloud security.
Cloud Firewall Essentials
Firewalls on Google Cloud differ from offerings on other public cloud platforms such as Amazon Web Services (AWS) for a few major reasons:
- Firewall policies are applied on the VPC, not associated with individual network interfaces. This means that policies must be scoped properly in order to achieve proper network segmentation.
- Hierarchical firewall policies can also be used, which can enforce firewall rules at the organization and folder levels in the Google Cloud resource hierarchy.
- Firewall policies are global, meaning that they span all regions. This lets you define a policy once instead of applying it to each region separately, as is required on other cloud providers.
- Firewall policies can target network tags, addresses, or Google Cloud service accounts, allowing for flexibility in how network traffic can be segmented. This feature is critical since firewall policies are applied on a VPC level.
Positioned as Google Cloud’s riposte to contemporary next-generation firewall (NGFW) solutions, Cloud Firewall champions cloud-native advanced threat protection, underpinned by operational simplicity. So far we have covered the default Cloud Firewall Essentials tier; Cloud Firewall also comes in two higher tiers, Cloud Firewall Standard and Cloud Firewall Plus. All of these tiers support global and regional firewall policies, firewall tags, stateful inspection, and address groups.
Cloud Firewall Standard
Cloud Firewall Standard introduces three features: fully qualified domain name (FQDN) objects, geo-location filtering, and Google Cloud Threat Intelligence:
- FQDN objects extend the ability of firewall policy rules to filter ingress or egress traffic based on specific domains. This can be extremely useful, as it grants the ability to define an allowlist or denylist of specific domains for a Cloud VPC. The rule list has to be very specific, however: as of writing this article, FQDN objects do not support wildcard or top-level (root) domain names. This may be by design, as wildcard domains are typically against best security practices for egress filtering.
- Geo-location filtering (as you may have guessed) allows the filtering of network traffic based on certain geographic locations and regions. This can be very useful from a compliance perspective if your organization does not do business with certain geographic locations.
- Integrating your firewall with Google Cloud Threat Intelligence lets you secure your network by allowing or denying traffic based on Threat Intelligence data. This includes IP lists for TOR exit nodes, malicious IP addresses, search engine crawlers, VPN providers, anonymous proxies, cryptocurrency mining, and even public cloud providers. This threat detection was co-developed with Mandiant and Palo Alto Networks and promises 20x higher efficacy as compared to other cloud providers (per Ixia Breakingpoint benchmarks).
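The following Terraform configuration is an added example and is not code from the article or from Google Cloud; it ties together the Essentials points above (one global policy attached to a VPC, rules scoped by service account rather than to the whole VPC) with the three Standard-tier features (Threat Intelligence lists, geo-location filtering, FQDN objects). The resource and argument names are those of the Google Terraform provider as of this writing; PROJECT_ID and ORG_ID are placeholders, all resource names and the service account are constructed, and the blocked region list is left as a variable to be filled per policy.

```terraform
# Added example: Cloud Firewall Essentials + Standard features in one global
# network firewall policy. PROJECT_ID is a placeholder; names are constructed.

resource "google_compute_network" "app" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_network_firewall_policy" "app" {
  name        = "app-vpc-policy"
  description = "Global policy; every rule carries its own target scope"
}

# The policy is applied to the VPC, not to individual NICs, so segmentation
# comes from the target_service_accounts on each rule below.
resource "google_compute_network_firewall_policy_association" "app" {
  name              = "app-vpc-policy-assoc"
  attachment_target = google_compute_network.app.id
  firewall_policy   = google_compute_network_firewall_policy.app.name
}

# Standard: deny ingress from Google Cloud Threat Intelligence lists.
# Lowest priority number wins, so this is evaluated before the allow rule.
resource "google_compute_network_firewall_policy_rule" "deny_threat_intel" {
  firewall_policy = google_compute_network_firewall_policy.app.name
  rule_name       = "deny-threat-intel-ingress"
  priority        = 100
  direction       = "INGRESS"
  action          = "deny"
  enable_logging  = true
  match {
    src_threat_intelligences = [
      "iplist-tor-exit-nodes",
      "iplist-known-malicious-ips",
      "iplist-anon-proxies",
    ]
    layer4_configs { ip_protocol = "all" }
  }
}

# Standard: geo-location filtering on ISO 3166-1 alpha-2 country codes.
variable "blocked_region_codes" {
  type        = list(string)
  description = "Country codes to deny on ingress; fill in per your compliance policy"
}

resource "google_compute_network_firewall_policy_rule" "deny_geo" {
  firewall_policy = google_compute_network_firewall_policy.app.name
  rule_name       = "deny-blocked-regions-ingress"
  priority        = 200
  direction       = "INGRESS"
  action          = "deny"
  enable_logging  = true
  match {
    src_region_codes = var.blocked_region_codes
    layer4_configs { ip_protocol = "all" }
  }
}

# Essentials: HTTPS ingress allowed only to VMs running as the web-tier
# service account (constructed), not to everything in the VPC.
resource "google_compute_network_firewall_policy_rule" "allow_web_https" {
  firewall_policy         = google_compute_network_firewall_policy.app.name
  rule_name               = "allow-https-to-web-tier"
  priority                = 1000
  direction               = "INGRESS"
  action                  = "allow"
  enable_logging          = true
  target_service_accounts = ["web-tier@PROJECT_ID.iam.gserviceaccount.com"]
  match {
    src_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["443"]
    }
  }
}

# Standard: FQDN egress allowlist. Exact hostnames only; no wildcards or
# bare top-level domains are accepted, as the article notes.
resource "google_compute_network_firewall_policy_rule" "allow_egress_fqdn" {
  firewall_policy         = google_compute_network_firewall_policy.app.name
  rule_name               = "allow-egress-to-approved-fqdns"
  priority                = 300
  direction               = "EGRESS"
  action                  = "allow"
  enable_logging          = true
  target_service_accounts = ["web-tier@PROJECT_ID.iam.gserviceaccount.com"]
  match {
    dest_fqdns = ["packages.example.com", "api.example.com"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["443"]
    }
  }
}

# Default-deny egress so the FQDN allowlist actually means something.
resource "google_compute_network_firewall_policy_rule" "deny_egress_default" {
  firewall_policy = google_compute_network_firewall_policy.app.name
  rule_name       = "deny-all-other-egress"
  priority        = 65000
  direction       = "EGRESS"
  action          = "deny"
  enable_logging  = true
  match {
    dest_ip_ranges = ["0.0.0.0/0"]
    layer4_configs { ip_protocol = "all" }
  }
}
```

Two design points worth checking in your own policies: the Threat Intelligence and geo rules sit at lower priority numbers than the allow rule so that a source on a denylist never reaches the HTTPS allow, and the egress allowlist is only meaningful because a catch-all deny sits at the bottom. With enable_logging set on every rule, hits on the deny rules land in firewall rules logging, which is the signal a SOC would alert on.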
Cloud Firewall Plus
Cloud Firewall Plus introduces intrusion prevention system (IPS) capabilities. Cloud Firewall’s IPS works by setting up application-layer (layer 7) inspection of ingress traffic to, and egress traffic from, workloads on virtual machines (VMs) or Google Kubernetes Engine (GKE) clusters in a VPC. Firewall endpoints deployed for the IPS scan network packets against the configured threat signatures. These threat signatures are provided by Google Cloud in partnership with Palo Alto Networks and can detect spyware, viruses, malicious DNS requests, and exploitation attempts such as buffer overflows, remote code execution, and privilege escalation. Google Cloud Firewall Plus also allows for TLS inspection via integration with Certificate Authority Service.
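To show how the Plus-tier pieces fit together, here is an added Terraform example, not code from the article or from Google Cloud, that creates a threat-prevention security profile and profile group, deploys a firewall endpoint in one zone, associates it with a VPC, and points a policy rule at the profile group. It assumes a VPC named app-vpc and a global network firewall policy named app-vpc-policy already exist in the project; ORG_ID and PROJECT_ID are placeholders. These resources were in preview when the article was written, so argument names should be checked against the current provider documentation.

```terraform
# Added example: Cloud Firewall Plus (IPS) wiring. ORG_ID and PROJECT_ID are
# placeholders; the VPC "app-vpc" and policy "app-vpc-policy" are assumed to exist.

# Threat-prevention profile: which signature severities to block vs. alert on.
resource "google_network_security_security_profile" "threat_prevention" {
  name   = "tp-profile"
  parent = "organizations/ORG_ID"
  type   = "THREAT_PREVENTION"

  threat_prevention_profile {
    severity_overrides {
      severity = "CRITICAL"
      action   = "DENY"
    }
    severity_overrides {
      severity = "HIGH"
      action   = "DENY"
    }
    # Alert-only on MEDIUM so tuning can happen before blocking legitimate traffic.
    severity_overrides {
      severity = "MEDIUM"
      action   = "ALERT"
    }
  }
}

# A profile group is what a firewall rule references.
resource "google_network_security_security_profile_group" "threat_prevention" {
  name                      = "tp-profile-group"
  parent                    = "organizations/ORG_ID"
  threat_prevention_profile = google_network_security_security_profile.threat_prevention.id
}

# Firewall endpoint: the zonal inspection point that scans packets. One is
# needed per zone where inspected workloads run.
resource "google_network_security_firewall_endpoint" "us_central1_a" {
  name               = "fw-endpoint-us-central1-a"
  parent             = "organizations/ORG_ID"
  location           = "us-central1-a"
  billing_project_id = "PROJECT_ID"
}

# Attach the endpoint to the VPC. A TLS inspection policy (backed by
# Certificate Authority Service) would be referenced here to enable TLS
# inspection; it is omitted in this example.
resource "google_network_security_firewall_endpoint_association" "app_vpc" {
  name              = "fw-endpoint-assoc-app-vpc"
  parent            = "projects/PROJECT_ID"
  location          = "us-central1-a"
  network           = "projects/PROJECT_ID/global/networks/app-vpc"
  firewall_endpoint = google_network_security_firewall_endpoint.us_central1_a.id
}

# Policy rule: instead of plain allow/deny, send matching traffic through the
# profile group. Scoped to the web tier by service account (constructed).
resource "google_compute_network_firewall_policy_rule" "inspect_web_https" {
  firewall_policy         = "app-vpc-policy"
  rule_name               = "ips-inspect-https-to-web-tier"
  priority                = 900
  direction               = "INGRESS"
  action                  = "apply_security_profile_group"
  security_profile_group  = "//networksecurity.googleapis.com/${google_network_security_security_profile_group.threat_prevention.id}"
  enable_logging          = true
  target_service_accounts = ["web-tier@PROJECT_ID.iam.gserviceaccount.com"]
  match {
    src_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["443"]
    }
  }
}
```

The rule uses priority 900 so that it takes precedence over a plain allow at 1000 for the same traffic; without that ordering, the allow would match first and the traffic would never reach the IPS. Starting with ALERT on medium-severity signatures and DENY only on high and critical is the usual way to avoid blocking production traffic while the signature set is being tuned.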
Note that as of writing this article, this service is in preview and is subject to the Google Cloud Pre-GA Offerings Terms (including being free of cost until it is converted to a paid service). Also note that Google Cloud offers Cloud IDS (Intrusion Detection System) which provides an additional layer of cloud-native security to monitor intra- and inter-VPC communication.
The recent updates to Google Cloud firewalls have blurred the lines between what is offered natively by Google Cloud and solutions that can be brought into Google Cloud or purchased on the Google Cloud Marketplace. At Next ’23, Google Cloud announced Network Service Integration Manager (NSIM), which simplifies the setup and operation of other next-generation firewalls from partners such as Check Point, Cisco, Fortinet, and Palo Alto Networks. In other words, NSIM offers SaaS-like capabilities for customers’ traditional NGFWs.
Conclusion and Attributions
Given the updates announced this year at Next ’23 around Cloud Firewall Plus and NSIM, these solutions are definitely worth keeping an eye on as we head into 2024. However, seeing as they are Pre-GA, if NGFW solutions need to be deployed to a Google Cloud network before next year, I would recommend purchasing a solution in the interim or taking advantage of pay-as-you-go licensing models while these solutions mature, so that your organization can truly make a switch when the time comes. I would definitely hold off on signing long-term contracts, as the pace of innovation from Google Cloud and their partners is picking up significantly compared to previous years.
HanaByte is a proud Google Cloud and Palo Alto Networks partner that’s happy to help demystify cloud security, including firewalls, for your organization. Special thanks for contributions to this article from Senior Consultant Patrick Davis (our resident networking/firewall go-to person) and Staff Consultant Noah Coker (one of our Google Cloud experts).