Edit

Introduction

With cyberattacks becoming more prevalent on a daily basis, it is critical to safeguard your applications and networks on-Prem or in cloud with a security device to protect against attacks that originate from outside trying to breach the perimeter. While offering extensive access control, network firewalls can defend your network and application against dangers such as malware, botnets, and DDoS assaults.

There are two methods for incorporating an advanced firewall into your network: through the use of a physical security device or the use of a software-based firewall. In the classic enterprise model, network traffic is routed through a physical cybersecurity device which is changing with the cloud services and application hosting.

The software-based firewalls, which are gaining popularity due to several advantages like versatility, cost, deployment, configuration and maintenance ease. Additionally, they are quicker to learn. The enterprise cloud firewall market is dominated by two big competitors. These are the Azure and AWS Firewalls.

Let us examine their distinguishing characteristics.

Importance of Attack Surface and Threat Intelligence

Azure Network Firewall

Azure Firewall is a cloud-based, managed security service that secures the resources in your Azure Virtual Network. It comes with high availability and unconstrained cloud scalability built in. You may create, enforce, and log policies for apps and network connections across subscriptions and virtual networks centrally. Azure Firewall assigns your virtual network components a static public IP address, which enables external firewalls to detect traffic coming from your virtual network. For monitoring and analysis, the service is completely integrated with Azure Monitor.

Features

Azure Firewall includes the following capabilities:

Scalability: Azure Firewall can scale up to meet changing network traffic flows, so you don't have to account for peak traffic.

Filtering criteria for application FQDNs: You can specify a list of fully qualified domain names (FQDNs) for outbound HTTP/S traffic, including wild cards. This functionality is self-contained and does not need SSL termination.

Filtering rules for network traffic: Allow or refuse network filtering rules may be created centrally by source and destination IP address, port, and protocol. Azure Firewall is entirely stateful, which enables it to differentiate between legal packets for various sorts of connections. Across numerous accounts and virtual networks, rules are enforced and logged.

FQDN identifiers: FQDN tags make it simple to let traffic from well-known Azure service networks over your firewall. For instance, suppose you wish to enable network traffic from Windows Update to pass through your firewall. You add the Windows Update tag to an application rule. Now, Windows Update network activity can get via your firewall.

Support for outbound SNAT: The IP addresses of all outgoing virtual network traffic are converted to the public IP address of the Azure Firewall (Source Network Address Translation). You can detect and permit traffic to and from remote Internet destinations that originates in your virtual network.

DNAT assistance: Inbound data transmission to your firewall's public Network is converted and redirected to the private IP addresses on your virtual networks using DNS (Destination Network Address Translation).

Logging in Azure Monitor: All events are linked with Azure Monitor, which enables you to store logs in a storage server, stream them to an Event Hub, or transmit them to Log Analytics.

Amazon Web Services Firewall

AWS Network Firewall eases the procedure of implementing critical network security for all your Virtual Private Clouds (VPCs). The service is simple to configure, and scales automatically based on your network activity, so you don't have to worry about building or managing any architecture. The configurable rules engine in AWS Network Firewall enables you to create firewall rules that provide fine-grained control over network traffic, such as limiting outbound Server Message Block (SMB) queries to prevent the spread of harmful behaviour. Additionally, you may import rules defined in commonly used open-source rule formats and allow interfaces with managed intelligence feeds provided by AWS partners. AWS Network Firewall provides a web based Firewall console, enabling you to create policies Network communication rules and then apply them centrally across your VPCs and accounts.

Features

Inspect traffic between VPCs

AWS Network Firewall inspects and assists in controlling traffic across VPCs to conceptually isolate networks running critical applications or line-of-business workloads. AWS Network Firewall's stateful visibility at the network and application levels enables it to provide fine-grained network security controls for VPCs that are linked via AWS Transit Gateway.

Outbound traffic filtration

AWS Network Firewall enables outward traffic filtering by URL/domain name, IP address, and content to prevent data loss, assist in meeting regulatory standards, and block known malware instances. AWS Network Firewall provides hundreds of rules that may be used to block network traffic from known malicious IP addresses or domain names.

Secure AWS Direct Connect and VPN communications

AWS Network Firewall secures AWS Direct Connect and VPN traffic between AWS Direct Connect and client devices and on-premises environments that employ AWS Transit Gateway.

Internet traffic filtering

AWS Network Firewall assists in preventing intrusions by analysing all inbound Internet traffic with capabilities such as Access Controls (ACL) rules, stateful surveillance, protocol recognition, and intrusion prevention.

Pricing

Both AWS and Azure follow a pay-as-you-go model for firewalls. You pay an hourly rate for each firewall endpoint and a data processing fee per gigabyte of data processed by the firewall. The price you pay for AWS services is entirely dependent on the use case and deployment environment. In case of Azure, threat intelligence is provided by the in-house Microsoft Security Threat labs. Additionally, Azure'’s firewall is HIPAA-compliant and an ICSA-certified network firewall.

Final thoughts

Cloud services and infrastructure are becoming critical components of your company’s infrastructure and storage - this calls for secure firewall solutions that prioritise operability and dependability. Firewall services built for Microsoft Azure and Amazon Web Services (AWS) offer this level of security and support to organisations looking to protect their data and apps – particularly those with less sophisticated requirements.

By: Thomas Harpham

Principle Architect | ISSQUARED Networks Architecture

Thomas Harpham earns 30+ years of industry experience in Networking & Security Solutions and extensive consulting experience with many small, medium, and large enterprises. Thomas has worked with various clients across the globe to generate the solutions to meet their requirements that include resiliency and scalability in the networking and security areas of IT, leveraging existing and new tools.

Follow: