IaaS security

3rd Party Firewalls in the iland Secure Cloud

By Richard Stinton, November 9, 2017
One of the main barriers to adoption of public clouds over the past few years has been security. Fears of hacking and data theft have been heightened by cases in the media.

Many customers thought that cloud would automatically take care of security regarding attacks from the internet, and there have been great advances to allay these fears. However, for many public cloud providers not all bases are covered out of the box, and adding in security features can add significant cost and complexity to the solution.

Here at iland, we provide many of the security features that an enterprise customer requires and is used to having within its own on-premises environment:

  • Comprehensive firewalling capabilities at the edge
  • Best of breed security within the cloud environment (anti-virus/anti-malware, intrusion detection, web reputation, file integrity monitoring, log inspection)
  • Encryption at the datastore level along with optional VM encryption
All the functionality of the VMware NSX Edge virtual appliance has been integrated into the iland Secure Cloud Console, and for most customers this provides all of the functionality they need.

However, some customers prefer to use the same firewall technology that they have been using on-premises, be that in the form of a physical or virtual firewall appliance. Also, the appliance may provide different or additional functionality that they need.

One of the differentiators of iland is being able to offer both physical and virtual appliances. While not very cloud-like in nature, physical appliances can be accommodated by co-location, and iland will take care of the cross-connection into the iland cloud environment.

Our standard offering is to use the VMware NSX Edge virtual appliance, but other options exist which will be discussed later.
Standard with VMware NSX Edge
  • Supports up to 9 VXLAN-backed networks attached to the Edge
  • Uses standard RFC1918 address structures for networks
  • Route between networks and Internet using the Edge
  • Provides:
    • DNAT, SNAT, 5-tuple Firewall
    • SSL Client VPN, IPsec Site-to-Site VPN
    • Simple Load Balancing (IP hash, round robin)
This standard architecture can be augmented by adding 3rd party virtual firewall appliances, as described below. The firewall appliance runs like any other virtual machine in the cloud. Examples of 3rd party firewalls used recently include:
  • Cisco
  • Kemp
  • Checkpoint
  • Watchguard
  • Palo Alto
  • Fortinet
Third party virtual firewall appliance with NSX Edge
3rd party firewall basics:
  • Deployed within vCloud as a normal VM/vApp
  • Will support up to 9 VXLAN-backed internal networks
  • NSX (vShield) Edge configured mostly in a passthrough mode
  • Customer manages the 3rd party firewall to provide the required services
  • Requires NATing from the NSX Edge to the 3rd party firewall. This can result in double-NATing to applications (an inbound connection is translated once at the Edge and again at the firewall, so logs on each hop show different addresses), and IPsec VPNs terminated on the 3rd party firewall do not tolerate being NATed well: ESP carries no port numbers for the Edge to track, so the tunnel must fall back to NAT-T UDP encapsulation on port 4500, and the remote peer sees the Edge's public address rather than the firewall's own
Due to the NAT issues discussed above, iland normally prefers to adopt the next option, where the virtual appliance is attached directly to the internet via a block of public IP addresses in a small subnet.

For this use case:
  • VLAN-backed networks attached to the 3rd party firewall appliance, with one external to the Internet. Can support VLAN trunking.
  • Public IP address block as required (/28 for example)
  • Use standard RFC1918 address structures for networks
  • Route between networks and Internet using 3rd party firewall
  • Functionality determined by 3rd party CLI or web UI
  • No integration with iland console for firewall functionality
  • Appears as a VM to manage in the iland console
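As an added example (not part of the original post and not iland's own tooling), the following Python models the two NAT hops of the Edge-plus-firewall design above and contrasts it with the directly attached design: an inbound HTTPS connection is translated twice, an outbound flow and its reply are mapped back through both hops, a raw ESP packet has nothing a 5-tuple NAT can match on, and the IKEv2 NAT detection check (RFC 7296, section 2.23: SHA-1 over SPIi, SPIr, IP and port) tells the VPN peer whether a NAT sits in the path. All addresses, ports and SPIs are constructed for the example, and the NAT model is a deliberate simplification (no timeouts, no state beyond the port mapping).

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None  # ESP (IP protocol 50) carries no port numbers
    dport: Optional[int] = None


class Nat:
    """One stateful 5-tuple NAT hop: static DNAT rules inbound, port-allocating SNAT outbound."""

    def __init__(self, name: str, outside_ip: str):
        self.name, self.outside_ip = name, outside_ip
        self.dnat: Dict[Tuple[str, int], Tuple[str, int]] = {}      # (proto, outside port) -> (ip, port)
        self.snat_rev: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, outside port) -> (src, sport)
        self._next_port = 40000

    def add_dnat(self, proto: str, outside_port: int, inside_ip: str, inside_port: int) -> None:
        self.dnat[(proto, outside_port)] = (inside_ip, inside_port)

    def _require_ports(self, pkt: Packet) -> None:
        if pkt.sport is None or pkt.dport is None:
            raise ValueError(f"{self.name}: {pkt.proto} has no ports, a 5-tuple NAT cannot track it")

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to this hop's outside address and a fresh port."""
        self._require_ports(pkt)
        port, self._next_port = self._next_port, self._next_port + 1
        self.snat_rev[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt: Packet) -> Packet:
        """Outside -> inside: undo an SNAT mapping, else apply a static DNAT rule, else drop."""
        self._require_ports(pkt)
        target = self.snat_rev.get((pkt.proto, pkt.dport)) or self.dnat.get((pkt.proto, pkt.dport))
        if target is None:
            raise ValueError(f"{self.name}: no translation for {pkt}")
        return replace(pkt, dst=target[0], dport=target[1])


def traverse(pkt: Packet, hops: List[Nat], direction: str) -> Packet:
    """Push a packet through each hop in order: 'in' from the Internet, 'out' towards it."""
    for hop in hops:
        pkt = hop.inbound(pkt) if direction == "in" else hop.outbound(pkt)
    return pkt


def ikev2_nat_detection(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP notify value, RFC 7296 section 2.23: SHA-1(SPIi | SPIr | IP | port)."""
    return hashlib.sha1(spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)).digest()


def peer_is_behind_nat(spi_i, spi_r, claimed_ip, claimed_port, seen_ip, seen_port) -> bool:
    """The receiver recomputes the hash over the source it actually saw; a mismatch means a NAT is in the path."""
    return ikev2_nat_detection(spi_i, spi_r, claimed_ip, claimed_port) != ikev2_nat_detection(
        spi_i, spi_r, seen_ip, seen_port)


def build_edge_plus_firewall() -> Tuple[Nat, Nat]:
    """Design 1 from the post: the Edge owns the public IP, the 3rd party firewall sits on a transit net.
    Addresses are constructed (TEST-NET-3 for public, RFC 1918 for internal)."""
    edge, fw = Nat("nsx-edge", "203.0.113.10"), Nat("3rdparty-fw", "192.168.255.2")
    edge.add_dnat("tcp", 443, "192.168.255.2", 443)   # Edge forwards HTTPS to the firewall...
    fw.add_dnat("tcp", 443, "10.0.1.20", 8443)        # ...which forwards it again: double NAT
    edge.add_dnat("udp", 500, "192.168.255.2", 500)   # IKE and NAT-T are UDP, so they can be forwarded
    edge.add_dnat("udp", 4500, "192.168.255.2", 4500)
    return edge, fw


def inbound_https_example() -> Packet:
    edge, fw = build_edge_plus_firewall()
    return traverse(Packet("tcp", "198.51.100.5", "203.0.113.10", 33333, 443), [edge, fw], "in")


def outbound_and_reply_example() -> Tuple[Packet, Packet]:
    edge, fw = build_edge_plus_firewall()
    out = traverse(Packet("tcp", "10.0.1.20", "198.51.100.5", 51000, 443), [fw, edge], "out")
    reply = Packet("tcp", "198.51.100.5", out.src, 443, out.sport)  # what the Internet host sends back
    return out, traverse(reply, [edge, fw], "in")


def raw_esp_example() -> Optional[str]:
    """A remote peer sending plain ESP to the Edge: there is no port for the Edge to match on."""
    try:
        build_edge_plus_firewall()[0].inbound(Packet("esp", "198.51.100.77", "203.0.113.10"))
    except ValueError as err:
        return str(err)
    return None


def vpn_nat_detection_example() -> Tuple[bool, bool]:
    spi_i, spi_r = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")  # constructed SPIs
    # Design 1: the firewall sends IKE from its transit address but the peer sees the Edge's public IP
    behind_edge = peer_is_behind_nat(spi_i, spi_r, "192.168.255.2", 500, "203.0.113.10", 500)
    # Design 2: the firewall owns a public address itself, so nothing rewrites the packet
    direct = peer_is_behind_nat(spi_i, spi_r, "203.0.113.18", 500, "203.0.113.18", 500)
    return behind_edge, direct


if __name__ == "__main__":
    print(inbound_https_example(), *outbound_and_reply_example(), sep="\n")
    print(raw_esp_example(), vpn_nat_detection_example())
```

The inbound HTTPS packet arrives at the application server as 198.51.100.5:33333 -> 10.0.1.20:8443 (DNAT preserves the client source, but the firewall only ever sees the Edge's transit address as the destination, which is what makes log correlation across the two hops awkward). The ESP case is why the post's first design needs NAT-T: only once the firewall detects the NAT and switches to UDP/4500 encapsulation does the Edge have a port to forward. In the directly attached design the two hashes match and the tunnel runs as plain ESP.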
Finally, as discussed earlier, iland can offer co-location of physical networking appliances.
This last option is similar to the virtual appliance example. Here are a few of the basic features:
  • Can support many VLAN-backed networks attached to the 3rd party firewall (not limited by VM constraints)
  • Use standard RFC1918 address structures for networks
  • Route between networks and Internet using 3rd party firewall
  • Functionality determined by 3rd party CLI or Web UI
  • No integration with iland console for firewall functionality
In all cases, these 3rd party appliances can be integrated into management tools that the customer may already be running in the iland cloud, or on-premises.

While iland supports a large range of virtual networking appliances, which are not limited to firewalls (we also support load balancers, web application firewalls, WAN optimizers, etc.), we do not tend to resell licenses for these appliances (with the exception of the Cisco ASAv), so customers will usually bring their own licenses and can upload virtual appliances through OVF/OVA.
Richard Stinton

Richard is an Enterprise Solutions Architect for the iland EMEA business and has over 30 years’ experience in the IT industry, most recently in the Cloud space with iland, Microsoft Azure and VMware. Starting out in Engineering CAD/CAM and GIS systems with McDonnell Douglas and EDS, he moved to mainstream IT and Systems/Service Management with HP, BMC Software and Mercury Interactive, before joining VMware in its early days. Richard has a breadth of experience having worked in customer support, sales, partner management and product marketing. In his current role as EMEA solutions architect, Richard works with customers to implement and optimise cloud technologies.