Navigating the Cloud: Evolution and Security of Hybrid Applications with Cloud Firewall

What is Cloud Firewall?

The evolution of Cloud Firewall (CFW) or Firewall as a Service (FWaaS) is a direct outcome of the widespread adoption of cloud technologies and the migration or development of applications in the cloud. Traditionally, on-premise firewall appliances were designed to secure outbound traffic at Layers 3 and 4 (L3/L4) of OSI model, safeguarding corporate assets from potential security threats. However, the landscape of work and security underwent significant changes, particularly with the rise of remote work, a trend that saw rapid acceleration due to the COVID-19 pandemic. This shift necessitated a reevaluation of security strategies by teams to address both existing and emerging threats.

Initially, the strategy involved backhauling the traffic from the remote workforce back to the corporate office's security infrastructure. This approach, however, quickly proved to be inadequate in meeting the security and performance needs of a growing remote workforce. In response, security teams began to adopt Virtual Firewalls and deployed them in the cloud as an alternative to traditional on-premise physical Firewall solutions, gradually moving their entire security stack to the cloud. This move was aimed at eliminating the need for traffic backhauling and marked the inception of Cloud Firewalls. Although this was a significant step towards enhancing performance, it fell short of addressing the nuanced security requirements spurred by the rapid proliferation and adoption of SaaS applications.

The next evolutionary step for security teams was to adopt a Cloud Firewall capable of understanding the context at Layer 7 (OSI model) of application traffic, thereby enabling the application of more granular and relevant controls. The transition to cloud and, by extension, Hybrid Applications, has been a key enabler for businesses. Nevertheless, this transition also introduces its own set of challenges, underscoring the need for a more sophisticated and adaptable Cloud Firewall solution like Netskope's, with the support for Hybrid Applications. This approach not only enhances security but also aligns with the dynamic nature of modern business applications and their deployment across both cloud and on-premise environments.

What Exactly are Hybrid Applications, and What Ensures Their Security?

Within the realm of Cloud Firewalls, Hybrid Applications are identified as those utilizing both HTTP(S) and non-web protocols. For instance, for Microsoft Teams to function correctly, you need to allow TCP ports 80 and 443 and UDP ports 3478 through 3481 from the client machines to the internet. The TCP ports are used to connect to web-based content such as SharePoint Online, Exchange Online, and the Teams Chat services. Plug-ins and connectors also connect over these TCP ports. UDP ports however, are used for media such as audio and video, to ensure they flow correctly. (see more details here) 

These applications are critically important and introduce distinct security challenges because they function across several layers of the OSI model (L3/L4 and L7). They may utilize various ports and URL destinations, and can be based on TCP and/or UDP protocols. Effective security for these applications requires a platform capable of deep inspection into the transactions to grasp the context fully and implement the necessary security measures. Netskope has been at the forefront of addressing these challenges. Originally starting as a Cloud Access Security Broker (CASB) in 2012, Netskope has consistently been recognized as a leader in the Gartner Magic Quadrant, demonstrating its prowess in context and application awareness. Ever Since, Netskope has been extending this expertise across its Secure Access Service Edge (SASE) offerings, leading the industry in both the SASE and Security Service Edge (SSE) markets.

The proliferation of Hybrid Applications is on the rise, with Microsoft Teams, Zoom, and Google Chat being notable examples (you can view the full list of applications supported by Netskope in a living document, here). Netskope addresses the security needs of these applications through a dual-engine approach: the Next-Gen Secure Web Gateway (NG-SWG) for web traffic and the Cloud Firewall (CFW) for non-web traffic. Despite the bifurcation in traffic management, Netskope ensures a unified approach towards Real-Time Protection policies, logging, and reporting, treating the application as a singular entity for comprehensive security coverage.

Challenges, Traffic Flow, and Management of Hybrid Applications

Challenges

Before Hybrid Applications were introduced, securing an application with a hybrid nature presented numerous challenges for administrators. They had to undertake thorough initial research to identify the various ports and protocols the application used for external communication which is especially a daunting task given the hybrid nature of them operating at different layers of the OSI model (L3/L4 and L7). This information then had to be accurately entered into a Real-Time Protection policy to permit those communications. Furthermore, administrators were required to implement a policy that blocked all non-web traffic, positioning it at the very end to act as a catch all. 

The task didn't stop there, security teams and administrators were also tasked with continuously monitoring application updates and changes to ensure that the initially created and enforced policies remained applicable and effective. This is a very common practice among SaaS providers, who may alter the range of ports and protocols used for external communication due to various factors such as M&A, development of new product features, or phasing out certain functionalities. The launch of Hybrid Applications streamlines these challenges, enabling administrators to easily build a Real-Time Protection policy by selecting the Hybrid Application they wish to permit. Behind the scenes, Netskope takes care of gathering, managing and updating the necessary combinations of ports and protocols associated with the applications. 

Let us have a look at how easily this can be achieved for two of the most commonly used Hybrid Applications, Zoom (is supported today) and Cisco Webex (will soon be) as examples.  

Zoom:

Cisco Webex:

Traffic Flow

When traffic arrives at Netskope Security Cloud, it is subjected to a Single Pass Multi Action (SPMA) process. This SPMA technology enables Netskope to efficiently apply a wide array of security policies through various engines, minimizing any latency. The traffic is then divided according to its web and non-web components. Subsequently, these segregated traffic streams are directed to their respective engines for thorough policy evaluation and enforcement (see Figure 1).  

Figure 1. Traffic Flow

Management

Following the traffic segregation, the web portion of the traffic will be directed to the NG-SWG engine for policy evaluation and enforcement. At the same time, the non-web portion of the traffic (L3/L4 components) will be directed to CFW for policy evaluation and enforcement.

For instance let’s take Microsoft Teams as an example:

1. Administrator configures a Real-time Protection policy to take an action for certain activities for Microsoft Teams which is considered Hybrid (has both L3/L4 and L7 components)
2. User traffic navigates to the Netskope Security Cloud via the selected traffic steering method (e.g., NS Client, IPSec, GRE).

• The NG-SWG engine receives the web component of this traffic.
• The CFW engine receives the non-web (L3/L4) component of this traffic.

3. The pre-configured policy undergoes evaluation and enforcement, adhering to its priority order.
4. The process concludes once the traffic has been thoroughly assessed and the policy applied.

Other Considerations

Following is the rule order of general, custom and predefined application definitions and policies:

• Firewall policies – evaluated and enforced based on a top down, first match logic, with a default implicit deny policy built in.
• Cloud Apps – Netskope finds the most specific application first then matches it by the policy ordered list.
• Firewall Apps and Hybrid Apps – Netskope picks the app that matches first in the policies, i.e. the app matches by the policy ordered list.
  • Place policies targeting Hybrid Applications lower than those that match on the first packet, e.g. policies for Cloud Apps. This prevents unnecessary traffic passage and focuses scrutiny on a smaller set of traffic flows.
  • For policies that include Hybrid Applications in a higher priority, combine them with other criterias (e.g. users, specific desitnation IP addresses, etc.) to limit their application to fewer sessions or traffic flows.
• If the app matches both Cloud and Firewall apps as described above (i.e. there is overlap), Netskope uses policy ordering to determine a priority.
• Activities within a real-time protection policy will take effect if it was configured using Cloud App Access. However, if the policy was configured using Firewall since the activities are not yet supported today, it will cause the policy engine to ignore the policy entirely and skip over it. (more activities to be supported in the near future)
• Action configured for real-time protection policy using Cloud App Access will take effect. However, any action other than Allow/Block will be treated as Allow if the App is configured using Firewall within a real-time protection policy today. (more actions to be supported in the near future)
• Today there is no indicator identifying if an application is considered hybrid when configuring a real-time policies for Apps using either Firewall or Cloud App Access
• Threat and DLP profiles of the real-time policy today have no effect on CFW policies (to be supported in the near future)

Next Steps

Netskope Cloud Firewall enables consolidation, less complexity, and lower cost of operations by delivering firewall services and DNS security from a SASE architecture. It secures outbound traffic across all ports and protocols for users and offices. Policy controls include application and port/protocol, plus user-IDs, group-IDs, fully qualified domains and wildcards as destinations. Netskope's underlying architecture is uniquely positioned to address use cases requiring application awareness and a lot more across the portfolio. Join us at Netskope, where advanced security meets unparalleled simplicity and efficiency. Dive deeper into the capabilities of Netskope Cloud Firewall and explore how it can transform your security posture. 

To learn more about Netskope Cloud Firewall and how to configure it, start with our documentation here: https://docs.netskope.com/en/netskope-help/data-security/netskope-cloud-firewall/