How Native Is Cloud NGFW for AWS?

Join us April 21 to learn more about Cloud NGFW for AWS.

When it comes to protecting your workloads in AWS, security teams augment native AWS network security capabilities with next-generation threat protection that prevents exploits, malware, previously unknown threats, and data exfiltration. As security teams are increasingly adopting DevOps principles, they are also looking for a cloud-native experience that handles the delivery of next-generation security and its underlying infrastructure in a fully automated manner.

Meet Cloud NGFW for AWS

We just announced the general availability of Cloud NGFW for AWS, a Palo Alto Networks managed Next-Generation Firewall (NGFW) service that simplifies and strengthens the security of deployments in AWS. Built-in partnership with AWS, Cloud NGFW for AWS provides both best-in-class security and an easy, cloud-native experience. Cloud NGFW offers the following benefits for network security and DevOps teams alike:

• Security breadth and depth: With Cloud NGFW, you can granularly control your AWS Virtual Private Cloud (VPC) traffic with advanced application awareness using Palo Alto Networks’ flagship App-ID and URL filtering techniques. You can then protect your allowed VPC traffic from known and unknown network threats using Palo Alto Networks’ cloud-delivered security services, continuously updated threat prevention signatures, and URL categories, all backed by the threat intelligence of the Unit 42 research team.

• Simplified deployment and Management: You can deploy Cloud NGFW resources in your VPCs in a few minutes using the Cloud NGFW user interface (UI), API, CloudFormation Templates, and Terraform. Cloud NGFW meets unpredictable throughput needs by leveraging the power of AWS Gateway Load Balancer (GWLB), enabling high availability and elastic scaling.  You no longer have the operational overhead of managing the infrastructure, scaling, availability, resiliency, and software/content updates. What’s more, Cloud NGFW natively integrates with AWS Firewall Manager to help you deploy and manage NGFWs across multiple AWS accounts in an AWS Organization. 

• Native AWS experience: Cloud NGFW fits the way you work with AWS. You now have the flexibility to procure the Cloud NGFW service directly in the AWS Marketplace. The service also integrates with AWS IAM and AWS Cloud Formation registry for programmatic access, Amazon CloudWatch, Amazon S3, Amazon Kinesis for logging, AWS Secrets Manager for decryption certificates, and AWS Marketplace for procurement, metering, and billing. You can also track your Cloud NGFW usage through AWS Cost Explorer, Cost and Usage Reports, and AWS Budgets.

Cloud NGFW integrates into the way security teams work with AWS

Cloud NGFW in Action

Setup and deployment is a simple process as shown below and demonstrated in this video walkthrough.

Quick and simple deployment

Cloud NGFW supports a variety of deployment scenarios. You can use AWS gateways such as Internet Gateway, NAT gateway, and Transit gateway in conjunction with NGFW endpoint(s) and VPC routing to support distributed and centralized deployment architectures. Cloud NGFW acts as a bump-in-the-wire in outbound, east-west, and inbound traffic paths in these architectures. The traffic packet headers and payload remain intact, providing complete visibility to the destination (no SNAT/DNAT).

Once set up, Cloud NGFW secures critical traffic within your AWS environment.

Proactive Defense-in-Depth and Breadth with Cloud NGFW 

Inbound traffic originates outside the AWS region and is destined to resources within your VPC. An attacker generally starts gaining an initial foothold in your AWS network by using your Ingress traffic path to constantly scan for new and unknown vulnerabilities to exploit. As soon as a new path for a breach hits the media, such as the recent Log4j vulnerability, attackers start weaponizing exploits to go after those vulnerabilities and can inject malware into your environment in just a few minutes. However, the speed of vulnerability patch management across all workloads in your environment may be on the order of days. 

To meet these challenges, Cloud NGFW provides an additional layer of defense by inspecting all ingress traffic to your VPCs. The Cloud NGFW service blocks the delivery of malware payloads that can otherwise exploit unpatched or unknown vulnerabilities in your workloads. Additionally, Cloud NGFW traffic logs provide deep visibility and context of VPC traffic (such as country, URL category, App-ID, application functions, filename, and file type) to your SIEM, CSPM, and CWP tools. This added visibility further helps identify, isolate and remediate compromised or unpatched workloads. 

After gaining an initial foothold, the attacker’s objectives may require East-West lateral movement within your AWS environment. East-West traffic includes VPC-to-VPC traffic, such as traffic between source and destination workloads in two different VPCs. The same goes for inter-subnet traffic (traffic between workloads in two different subnets within the same VPC) and the traffic between the VPC and your on-prem environments. With Cloud NGFW, you can secure the east-west traffic and prevent lateral propagation of the attacks. For example, an attacker could use the compromised workload(s) permissions or use stolen API credentials to escalate privileges in your AWS environment. However, if your workload, subnet, or VPC has limited application access defined in Cloud NGFW, the attacker’s ability to propagate is significantly reduced. 

Cloud NGFW enforces zero-trust principles by restricting east-west traffic to only an allowed set of applications. For example, you can just allow SQL calls between application tier VPC/subnets and database tier VPC/subnets in your environment. If the permitted applications in your East-West environment are transferring files, Cloud NGFW further reduces the attack surface by allowing you to limit the file types allowed. Cloud NGFW also blocks threats and malware on the allowed East-West connections by using its threat prevention profiles. Cloud NGFW even provides internal reconnaissance protection to defend against port scans and host sweeps.

Cloud NGFW in action with App-ID, Advanced URL Filtering, and Threat Prevention

The attacker may then act on the objectives by installing ransomware or performing data exfiltration using your VPC outbound traffic. That’s why safeguarding outbound traffic is critical. Cloud NGFW protects VPC outbound traffic by ensuring workloads in application VPCs only connect to permitted services and allowed URL categories. This prevents data exfiltration of sensitive information and enforces command-and-control (C2) protections. Additionally, Cloud NGFW security profiles prevent malware and vulnerabilities from entering the VPC in the return traffic.

For example, you can use Cloud NGFW to protect your VPC workloads accessing the Internet for Linux updates. Cloud NGFW ensures traffic is only sent to restricted destinations like canonical.com or ubuntu.com and uses specific applications like apt-get or yum-update. The service also ensures there are no threats hidden in these transactions. Suppose the workloads in your VPC are using GitHub for software updates. Cloud NGFW provides granular controls to reduce your attack surface by allowing your development environment to perform GitHub uploads and downloads but restricts your production environment just to perform GitHub downloads. Cloud NGFW further reduces the attack surface by allowing you to limit the file types you can upload or download from these environments and block any threats in the content.

Get a Head Start with Cloud NGFW and Find More Resources

Cloud NGFW for AWS is a regional service. Currently, it is available in US East (N. Virginia) and US West (California) regions. To learn more, visit the documentation and FAQ pages. To get hands-on experience with this, please subscribe via the AWS Marketplace page. Do also consider attending our April 21 event: Cloud NGFW: Best-in-Class Security Made Easy on AWS. In this event, you will learn how we’re addressing the current challenges of cloud-native security and get insights from leaders at AWS and Palo Alto Networks.