Should Your Private Cloud Use a Single or a Dual Firewall?
— Brought to you by 2X Cloud Computing guest blogger Brien M. Posey —
Many private clouds are constructed in a way that allows clients to connect either locally or from the Internet. In the case of Internet connectivity, the Web Portal and Secure Client Gateway components that are used to facilitate the connection are almost always located behind a perimeter firewall. While the need for an Internet firewall is more or less undisputed, it is important to consider as to whether there might be advantages to implementing other firewalls within the private cloud infrastructure.
In order to answer this question, it is important to consider the nature of the inbound traffic. The Internet has been described as the most hostile environment on earth. The perimeter firewall’s job (at least in this case) is to block every TCP and UDP port except for the ones required for clients to establish connectivity to a Web portal. It is important to remember however, that just because someone connects to a Web portal does not necessarily mean that the person is trustworthy. The user will eventually be authenticated, but there is a point when an unauthenticated user establishes a non authenticated connection to a Web portal server.
Because you do not initially know who it is that has established connectivity or what the person’s intentions are, the Web portal and the Secure Client Gateway components should ideally exist within a DMZ. In other words, these components need to be behind the organization’s perimeter firewall, but there should also ideally be a second firewall that insulates the Web portal and the secure client gateway from the rest of the network. The idea is that if someone with malicious intent connects to your Web portal, you don’t want that person to have the ability to access other resources on your network. A secondary firewall provides a degree of separation between the Web portal and secure client gateway that reside in the DMS and your backend production network.
Using the previously described redundant firewalls should secure the backend network against malicious Internet traffic, but what about Local Area Network security?
Many administrators don’t use any additional firewalls to protect the private cloud against connections originating on the on premise network. After all, connections are established by authenticated users over a trusted network.
The problem with this approach is that it assumes that all users are trustworthy. History has shown that the trustworthiness of employees cannot be guaranteed. Even if all of an organization’s employees are trustworthy however, there is always the possibility that a user’s workstation could become infected with malware that uses the user’s own security permissions to attack the system.
Since these types of situations are not unthinkable, it may be beneficial to place a firewall between the users on the Local Area Network and the publishing agent. Doing so will ensure that user’s computers are not able to communicate with the publishing agent except for through the port that has been designated for client use.
The use of additional firewalls can improve private cloud security. Ultimately however, adding an extra firewall or two will not guarantee a secure network. The only way to ensure good security is to practice defense in depth. Defense in depth involves using a variety of security mechanisms and best practices rather than relying on one single security mechanism such as a firewall.
About Brien M. Posey
Brien Posey is a ten time Microsoft MVP with two decades of IT experience. Prior to becoming a freelance technical writer, Brien served as CIO for a national chain of hospitals and healthcare facilities. He has also worked as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.
Since going freelance in 2001, Brien has become a prolific technical author. He has published many thousands of articles and numerous books on a wide variety of topics (primarily focusing on enterprise networking). In addition to his writing, Brien has provided consulting services to clients and speaks at IT events all over the world.
About 2X Software
2X Software is a global leader in virtual desktop and application delivery, remote access and cloud computing solutions. Thousands of enterprises worldwide trust in the reliability and scalability of 2X products. 2X offers a range of solutions to make every company’s shift to cloud computing simple and affordable.