Oracle Cloud Infrastructure (OCI) enables enterprises to migrate mission-critical workloads to the cloud while keeping the security posture they have on-premises, and without the overhead of building and operating their own data center infrastructure.
Oracle recently announced a cloud-native OCI Network Firewall built on Palo Alto Networks firewall technology. In this blog, we take a quick look at what this technology is, give an overview of the OCI Network Firewall, explain why it is needed, and describe how its policies are enforced.
Oracle Network Firewall: Overview
Before we get into what the OCI Network Firewall is, let's first understand what a firewall is.
What is a firewall?
A firewall is a network security device or software program that monitors and filters incoming and outgoing network traffic based on a pre-defined set of security rules. In practice, it acts as a barrier between an internal private network and external networks (such as the public Internet). Because it filters traffic in both directions, a firewall can also stop malware on an already-infected computer from reaching the Internet, not just keep attackers out.
OCI Network Firewall is a cloud-native, managed firewall service that is easy to consume and is built on Palo Alto Networks next-generation firewall (NGFW) technology, including its machine learning-powered threat detection, to protect your OCI workloads.
As an OCI-native firewall-as-a-service offering, OCI Network Firewall lets users take advantage of NGFW features without having to configure and manage additional security infrastructure. A Network Firewall instance is highly scalable with built-in high availability and is created in a virtual cloud network (VCN) and subnet of your choice. It inspects every request that is routed through it, including transport layer security (TLS) encrypted traffic once decryption is configured for it, and enforces an action such as allow, reject, drop, intrusion detection, or intrusion prevention based on the user-configured firewall policy rules.
Palo Alto Networks: Next-Generation Firewall
Palo Alto Networks Next-Generation Firewalls (NGFW) give security teams visibility and control over their networks using traffic identification, malware prevention, and threat intelligence technologies. Rather than relying only on port and protocol, an NGFW identifies which applications, users, and content are traversing the network and decides which are safe and which are not, so that policy can be written in those terms.
Why OCI Network Firewall?
You may now be wondering why a network firewall is needed in OCI. Here are a few reasons:
Adopting a cloud-native managed firewall service eliminates the need to deploy and manage additional third-party security infrastructure. It is built with high availability and on-demand scalability, so users can quickly enable the service and scale security to protect their applications and cloud environment with advanced firewall features.
OCI Network Firewall offers a best-in-class threat engine that, once policies are configured, helps defend against known malware, spyware, command-and-control (C2) traffic, and vulnerability exploits. It protects cloud deployments with an integrated intrusion detection and prevention solution built on Palo Alto Networks' threat analysis engine and Unit 42, the company's threat research team, which identifies new threats and produces the signatures and detection mechanisms for them.
Customers can use OCI Network Firewall to inspect inbound and outbound HTTP/HTTPS traffic and restrict it to a specified list of Fully Qualified Domain Names (FQDNs), which can include wildcards, and custom URLs.
OCI Network Firewall can be used to help address compliance requirements and stringent security needs of regulated environments.
OCI Network Firewall’s Flexible Policy Enforcement
With the Network Firewall's flexible policy enforcement in OCI, users can apply granular security rules to inbound (north-south), outbound, and lateral (east-west) traffic for their application and network workloads. The firewall is inserted transparently into the traffic path using virtual cloud network (VCN) route rules, and it can be composed with other network functions such as OCI gateways and VCN subnets to enforce security in arbitrary network topologies.
Example
Let us look at how a 3-tier e-commerce retailer application can be protected from cyber-attacks using the OCI Network Firewall service. The customer has their e-commerce website, shopping cart, and shipping services hosted in Oracle Cloud. Alongside legitimate users interacting with the site, attackers can send malicious requests while pretending to be those legitimate users. In the diagram below, OCI Network Firewall enforcement on the inbound (north-south) traffic arriving through the internet gateway secures the network perimeter and, once policies are configured, protects in real time against malicious traffic and malware propagation.
Firewall policy enforcement between subnets secures the lateral communication from the application tier to the database tier and blocks threats from moving laterally between different trust domains. For instance, users can enforce policy rules that allow only approved database administrators to run SQL transactions against MySQL. Although most of the emphasis is usually placed on protecting an application from inbound threats, it is equally important to monitor and restrict outbound traffic to prevent data exfiltration.
In the same diagram, firewall policy enforcement on the outbound traffic leaving through the NAT gateway helps secure against data exfiltration and other malware activity such as command-and-control callbacks. Users can configure security rules that allow outbound traffic only to trusted URLs or FQDNs, for example allowing web servers to reach only the hosts they fetch image updates from, or allowing connections only to a trusted payment gateway URL. Lastly, the Network Firewall's natively integrated metrics and traffic and threat logs let users see which rules and countermeasures were triggered by incoming requests, and help them meet audit and compliance logging requirements.
In conclusion, the flexible and granular OCI Network Firewall policy enforcement helps protect your application workloads and provides a layered defense against today's constantly evolving threat landscape.
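To make the three enforcement points above concrete (inbound to the web tier, east-west access to MySQL, and outbound FQDN allowlisting), here is a small policy-evaluation model written for this post. It is an added illustration, not OCI Network Firewall's real policy schema, the OCI SDK, or Palo Alto Networks code; the rule fields, subnet ranges, hostnames and flows are all constructed for the example. It shows first-match-wins evaluation with a default deny, and why a wildcard FQDN such as `*.example-cdn.com` must be matched on a label boundary rather than with a plain suffix check.

```python
"""Illustrative model of the policy decisions described in the post.

Added example; NOT the OCI Network Firewall policy format or API.
Rule fields, CIDRs, hostnames and flows below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    """One connection as the firewall sees it (constructed input)."""
    src: str
    dst: str
    dport: int
    fqdn: Optional[str] = None  # TLS SNI / HTTP Host, if visible to the firewall


@dataclass
class Rule:
    name: str
    action: str                                    # "allow" or "drop"
    src_cidrs: list = field(default_factory=lambda: ["0.0.0.0/0"])
    dst_cidrs: list = field(default_factory=lambda: ["0.0.0.0/0"])
    dports: Optional[set] = None                   # None: any port
    fqdns: Optional[list] = None                   # None: no hostname condition


def fqdn_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*.suffix' matching one or more labels under suffix.

    '*.example.com' matches 'cdn.example.com' but NOT 'example.com' and NOT
    'evil-example.com'; a naive host.endswith('example.com') would allow the latter.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


def in_any(addr: str, cidrs: list) -> bool:
    return any(ip_address(addr) in ip_network(c) for c in cidrs)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if not in_any(flow.src, rule.src_cidrs) or not in_any(flow.dst, rule.dst_cidrs):
        return False
    if rule.dports is not None and flow.dport not in rule.dports:
        return False
    if rule.fqdns is not None:
        # A hostname condition can only be satisfied when a hostname is visible
        # (SNI, Host header or decrypted TLS); raw-IP traffic never matches it.
        if flow.fqdn is None or not any(fqdn_matches(p, flow.fqdn) for p in rule.fqdns):
            return False
    return True


def evaluate(policy: list, flow: Flow) -> tuple:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "drop", "default-deny"


# Constructed 3-tier layout: web, app, database and a DBA jump subnet.
WEB, APP, DB, ADMIN = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.9.0/24"

POLICY = [
    # north-south: Internet to the web tier on HTTPS only
    Rule("inbound-web", "allow", dst_cidrs=[WEB], dports={443}),
    # east-west: only the app tier and the DBA subnet may reach MySQL
    Rule("app-to-mysql", "allow", src_cidrs=[APP, ADMIN], dst_cidrs=[DB], dports={3306}),
    # outbound: web servers may only speak HTTPS to an allowlist of FQDNs
    Rule("web-egress", "allow", src_cidrs=[WEB], dports={443},
         fqdns=["*.example-cdn.com", "pay.example-gateway.com"]),
]

# Constructed flows, one per case discussed in the post.
FLOWS = {
    "internet->web:443": Flow("203.0.113.5", "10.0.1.20", 443),
    "internet->web:22":  Flow("203.0.113.5", "10.0.1.20", 22),
    "app->db:3306":      Flow("10.0.2.7", "10.0.3.10", 3306),
    "web->db:3306":      Flow("10.0.1.20", "10.0.3.10", 3306),               # lateral move
    "web->cdn":          Flow("10.0.1.20", "198.51.100.9", 443, "images.example-cdn.com"),
    "web->lookalike":    Flow("10.0.1.20", "198.51.100.9", 443, "evil-example-cdn.com"),
    "web->raw-ip:443":   Flow("10.0.1.20", "198.51.100.9", 443),             # no SNI visible
}


def run_all(policy=POLICY, flows=FLOWS) -> dict:
    """Map each named flow to the action the policy produces."""
    return {name: evaluate(policy, f)[0] for name, f in flows.items()}


if __name__ == "__main__":
    for name, flow in FLOWS.items():
        action, rule = evaluate(POLICY, flow)
        print(f"{name:20s} -> {action:5s} ({rule})")
```

Two points carry over to a real deployment regardless of vendor: the egress allowlist is only as good as the hostname the firewall can see, so HTTPS to a bare IP (or with decryption not configured) must fall through to the default deny rather than being assumed safe, and the database rule should be scoped to the admin and application subnets rather than the whole VCN, otherwise a compromised web server still gets a path to MySQL.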
Related/References
- 1Z0-1072-22 Oracle Cloud Infrastructure 2022 Architect Associate: All You Need To Know About
- Compute In Oracle Cloud (OCI) – VM, BM & Dedicated VM Host
- Networking In Oracle Cloud (OCI): VCN, Subnet, Gateways, Peering, Transit Routing
- Transit Routing: Access To Multiple VCNs From On-Premise
- Networking in Cloud: Who Should Learn & Why
- OCI Network Firewall: Official Oracle Document
Begin Your Cloud Journey
Begin your journey towards becoming a Certified Oracle Cloud Infrastructure Architect, and earning a lot more in 2022, by joining our FREE CLASS. You will also learn about the roles and responsibilities and job opportunities for OCI Architects in the market, and what to study, including the hands-on labs you must perform, to clear the Oracle Cloud Architect Associate (OCI) certification exam, by registering for our FREE Masterclass.