What Is a Container Firewall?


A container firewall is a software version of a next-generation firewall, purpose-built for Kubernetes environments.

Container workloads embedded in Kubernetes environments can be difficult to secure with traditional firewalls. Container firewalls help network security teams safeguard developers with deep security integration into Kubernetes orchestration, preventing modern application attacks and data exfiltration.

How Container Firewalls Work

Comprehensive network security for cloud-native environments requires network anomaly detection, microsegmentation, and firewall protection. Container firewalls enable network security teams to gain full application (Layer-7) visibility into Kubernetes environments and dynamically scale network security without compromising DevOps agility.

Container firewalls typically identify both the application and the content within a connection, providing full content inspection as opposed to Layer-3/Layer-4 access control of traditional firewalls. Further controls and analysis are often delivered through advanced cloud-based security services, such as URL filtering, threat prevention, malware protection, and DNS security.

Container firewalls are generally built to ensure a frictionless CI/CD pipeline deployment while delivering unparalleled runtime network protection through unified management across all firewalls. They can be deployed using DevOps-friendly tools including Helm charts and Terraform templates and allow for the easy creation of context-aware firewall rules.

Conventional next-generation firewalls (NGFWs) can only be deployed at the edge of a Kubernetes environment and cannot determine the specific application where traffic originates. To overcome this challenge, container firewalls move security into the Kubernetes environment, giving them precise visibility into and control over container traffic.

Security Risks of Container Applications

Containers are subject to the same network-based attacks that plague legacy workloads.

Containers are an innovative way to deploy applications, but they do not fundamentally alter the threat landscape from the application’s point of view. Whether hosted on bare-metal servers, virtual machines, or containers, applications run on the same network stack and protocols and therefore face the same threats, for example, ransomware, cryptojacking, and botnets.

Containers lack protection against unpatched and unknown vulnerabilities.

Application/host vulnerabilities are not always known. In some cases, they are discovered after years of existence. Additionally, when a vulnerability is identified and a patch is made available, it can take weeks or even months to patch hundreds of applications spread across the deployment. While agent-based security products help to identify and patch known vulnerabilities at the time of deployment, applications are helpless against unknown and unpatched vulnerabilities.

Fragmented responsibility compromises security.

Often, network security teams are not equipped with the right tools and expertise to secure containers without impacting CI/CD speed and agility. As a result, DevOps teams are expected to secure the container infrastructure while network security teams do the rest.

This fragmented approach to security creates gaps in the overall security posture, which attackers can exploit to laterally propagate threats in the environment, escalating the rapid spread of infections.

Benefits of Container Firewalls

Layer 7 Visibility and Enforcement

Container firewalls provide Layer 7 visibility and context into Kubernetes environments by letting users ingest and use namespaces to create security policies governing pod-to-pod, pod-to-cluster, or pod-to-extranet traffic. They also integrate security capabilities directly into the container environment, overcoming the limitations of traditional firewalls to protect against known and unknown threats. As a result, security teams have full traffic visibility, including the elusive source IP of outbound traffic.

Dynamically Scalable Network Security and DevOps Speed & Agility

Container firewalls make use of native Kubernetes orchestration, so DevOps teams can use tools and processes they are already familiar with such as Helm charts, YAML files and Terraform templates. This allows for deployment to be directly integrated into the CI/CD development process for frictionless deployments.

Container firewalls easily auto-scale for developer needs. When infrastructure grows, traffic increases, or firewall needs expand, organizations can spin up more dataplane pods to scale firewall deployments without compromising DevOps speed.

Protection for Containerized Apps Deployed Anywhere

High-end container firewalls are commonly supported on a variety of platforms including Google Kubernetes Engine, Azure Kubernetes Service, Amazon Elastic Kubernetes Service, RedHat OpenShift and Tanzu. This gives organizations the full flexibility of using the platform of their choice while reaping the benefits of container firewalls.

Container Security Challenges that Create the Need for Container Firewalls

Both physical and virtual NGFWs play an indispensable role in securing on-premises and cloud deployments. However, cloud-native environments pose unique challenges that these NGFWs were not designed to handle, especially when it comes to looking inside the Kubernetes environment.

In Kubernetes, applications (typically organized into namespaces) run in pods (collections of containers). Pods run on nodes, which are either physical or virtual machines. Developers rarely have to deal with nodes explicitly, but nodes affect how firewalls operate.

Because of network address translation (NAT), all traffic leaving a node carries the node IP address as the source, so the originating pod IP address is no longer visible. As a result, firewalls sitting outside the Kubernetes cluster are blind to the actual source of the traffic. For effective security in a container environment, you must know the true source address before NAT. For that reason, the firewall must move inside the Kubernetes cluster for maximum effectiveness.

Container Firewall Use Cases

As more organizations embrace containerization for applications, the need for effective security measures has become increasingly important. Container firewalls are a powerful tool for providing an additional layer of protection and enabling more granular control over network traffic between containers and the outside world.

Typical container firewall use cases include:

Stop Lateral Movement of Threats

Container firewalls prevent lateral movement of threats from an infected workload to other workloads within the node.

Guard Against Malicious Downloads

Container firewalls limit allowable access to outside repositories to prevent malicious downloads. In this case, the CI tool can only request specifically allowed information such as Name—all other requests are blocked.

Prevent Data Exfiltration

Even if attackers succeed in penetrating perimeter defenses and installing malicious collection tools, container firewalls prevent attackers from communicating, effectively thwarting attempts at data exfiltration.

Support Regulatory Compliance

Container firewalls inspect traffic between the web server and the database hosting the sensitive information. This ensures adherence to regulatory compliance standards such as HIPAA and PCI.
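The namespace-scoped, pod-level controls described above (pod-to-pod and pod-to-extranet rules, restricting downloads to an approved repository, limiting the web tier to the database) can be expressed at Layer 3/4 with native Kubernetes NetworkPolicy, which is enforced inside the cluster before NAT. The manifest below is a constructed example added here, not configuration from any product; the namespace "payments", the labels "app: web" and "app: db", and the repository address are assumptions.

```yaml
# Constructed example: default-deny egress for one namespace, then an
# explicit allowlist for the web tier. NetworkPolicy is Layer 3/4 only; a
# container firewall adds the Layer 7 inspection the page describes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: payments            # assumed namespace
spec:
  podSelector: {}                # every pod in the namespace
  policyTypes: ["Egress"]        # no egress rules listed => all egress denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-egress-allowlist
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: web                   # assumed label on the web-server pods
  policyTypes: ["Egress"]
  egress:
  # cluster DNS only (namespace AND pod selector in one entry)
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
  # the database pods in the same namespace; no other pod-to-pod egress,
  # which is what blocks lateral movement from a compromised web pod
  - to:
    - podSelector:
        matchLabels:
          app: db                # assumed label on the database pods
    ports:
    - protocol: TCP
      port: 5432
  # one approved external repository; everything else off-cluster is denied
  - to:
    - ipBlock:
        cidr: 203.0.113.10/32    # placeholder address (TEST-NET-3)
    ports:
    - protocol: TCP
      port: 443
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them, so verify enforcement with a test pod before relying on the policy.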

Container Firewall FAQs

When choosing between a hardware firewall and a software firewall, consider the specific needs of your network, the scale of protection required, deployment flexibility, and the resources available for installation and maintenance.

Yes, you can run a software and a hardware firewall simultaneously. Ideally, you will manage them through the same management console.

A possible disadvantage of a hardware firewall compared to a software firewall is less flexibility in deployment, especially in virtualized or cloud environments, and potentially higher upfront costs. However, advantages and disadvantages depend on needs and environment details. Hardware firewalls continue to be a mainstay in network security.

Whether a hardware firewall is necessary depends on the needs and requirements of the organization.

Where a hardware firewall should be placed depends on what needs to be secured. Hardware firewalls are commonly positioned between the internal network and the internet connection, to monitor and filter all incoming and outgoing traffic effectively.

Software firewalls offer the same advantages as hardware firewalls. However, they are most useful in environments where deploying physical firewalls is difficult or impossible. Therefore, if organizational needs fall outside this scope, a hardware firewall may be a better option.