Migrating to the Cloud? Don't Forget Your Firewalls

On-Demand

Video Transcription

Randy Franklin:
Good day everybody. Randy Franklin Smith here, we’re talking about what it takes to secure network traffic in the cloud today. And I tell you, I thought I was keeping up with cloud developments but in researching for this webinar, I took my conclusion that I just said to the folks at FireMon, “Wow, when you get into the cloud, there are a lot of firewalls.” Now, let’s be clear, today, when we say firewall, we’re basically talking about anything with some kind of ACL, okay?

Randy Franklin:
So that broadens it a good bit, but that’s important to understand because those are all control points on your network. And in the webinars that we do with FireMon we use that same convention on… When we’re doing on-prem topics, because there’s a lot of things out there that aren’t necessarily called a firewall that have an ACL or rules about what traffic can pass. That could be a managed switch. That’s a wireless access point, et cetera.

Randy Franklin:
So speaking of FireMon, let me introduce to you Tim Woods and Keith Brennan. They’ll be jumping in occasionally because these guys just totally know the world of firewall management and regardless of the name, rank or serial number of the firewall, their software, their secret sauce, is being able to go out there and read every firewall according to our definition on your network, and then pull all that together onto one pane of glass and not just give you visibility, but also allow you to control all of this and express it in terms of policy and intent. So I hope I didn’t mangle my description of what you guys do, but Tim and Keith, I’ll give you a chance just to jump in and say hello and weigh in on that.

Tim:
Randy, you did a good job on it. There are a number of different discrete control points and I’m excited to talk about that today. Man, as you get into the cloud, the granularity and the number of those control points definitely goes up. So as you’re trying to make sure that your security controls follow your data, it’s definitely a challenge.

Randy Franklin:
Yeah. And then… go ahead Keith.

Keith:
I mean, that is exactly it, right? So instead of managing one or two data centers now we think of it virtually you’re managing six, seven, eight different data centers and an ingress and egress point. So it makes things infinitely more complex.

Randy Franklin:
Yeah. Some stuff does simplify it when you move it to the cloud but my conclusion is that networking does not get simplified and just… Glenn… He makes a good comment here. He says, what you’re calling a firewall, a colleague of mine used to call a policy based traffic forwarding point to make it more general than firewall.

Randy Franklin:
So load balancers or web proxies, IPS, et cetera. So I agree with that. Glenn, you’ve nailed exactly what we’re talking about here and folks, please do what Glenn did, share any and all feedback. We want your questions, but also anything else that you’ve got to say, just drop it into the question window. So anyway, thanks for making today’s real training for free possible guys and here’s what we’re going to talk about. First of all, I’m just going to cover kind of a brief overview of the depth and breadth of networking in the cloud and then the risks that come into play. Now you can anticipate some of the risks, but the big point that I want to make here is yes, we really do still need firewalls in the cloud and all of these control points.

Randy Franklin:
Now I hate to just have a webinar that’s just generic and theoretical and conceptual. So we’re going to take one cloud and dive into the actual components and how they fit together. And we’re going to use the Azure cloud. And so I’m going to show you some virtual networks, some network security groups and other stuff like that. And we’re going to show you how this stuff fits together. Now that being said, that’s just Azure, but there’s nothing or very little in Azure that you won’t see according to different names, basically in the Amazon cloud, the Google cloud and so on. Would you say that’s safe to say Keith, Tim?

Keith:
Yeah, absolutely. Same concepts, just different names.

Tim:
So they, they tend to extend across all the platforms.

Randy Franklin:
Yeah, exactly. So we’ll get into all that then we’ll talk about, well, how do you manage all of this stuff and how do you tie it in to what you already have on-prem and how do we make sure that the overall picture fits what we’re actually trying to do. Right?

Randy Franklin:
All right. So without further ado, let’s jump into this. So think about everything that’s in the cloud, you’ve got virtual machines, you’ve got virtual networks, you’ve got non-VM cloud resources. So that might be Platform as a Service, it might be Application as a Service and so on, but what I mean is storage, right? You’ve got various types of blob storage, virtual disks in the cloud and then you’ve got all kinds of higher level types of storage, whether it’s dictionary or NoSQL databases. In fact, you also have databases. You can spin up an Azure SQL database or a MySQL database where you have the normal database functionality, but you’re not actually installing and running the software. They do that for you. You’ve got these other things that are just making sense to developers like event pipelines.

Randy Franklin:
Of course, you have hosted applications like CRM and exchange and stuff like that. There’s a huge list of stuff, but here’s the important thing. A lot of the stuff can be connected to virtual networks in the cloud. And that’s the really important thing that I wanted to bring out. The stuff that we’re talking about today is very relevant to virtual machines in the cloud, but that’s not the only way that we use clouds, right? And that is not the only type of cloud workload that our topic of cloud-based firewalls is relevant to. I’m going to give you guys a chance again, to weigh into that but the big thing I want to make here is that this is not just about VMs because there might be people out there saying, well, we hardly use virtual machines in the cloud. All of our use of cloud stuff is hosted applications or application hosting, stuff like that.

Randy Franklin:
Does that make sense to you guys?

Tim:
That totally makes sense. Right. And that’s exactly how I see a lot of organizations embracing those same ideas and attacking them. So-

Keith:
Yeah.

Randy Franklin:
So I guess all of this was just about establishing that there’s a lot of networking going on in the cloud and we need control points because think of all the connectivity, you’ve got network connectivity between virtual machines, you’ve got network connectivity between virtual machines and other cloud resources. So for instance, maybe you’re running an application on a VM that makes use of an Azure SQL database. That’s very common, or you’ve got an application running on a VM that makes use of cloud storage.

Randy Franklin:
Then there’s connectivity between your on-prem network and the cloud. There’s the need to publish virtual machines and cloud resources to the internet. Virtual machines usually need some kind of access to the internet. And then of course, there’s the cloud portal itself where you log on to portal.azure.com. In fact, here is what I’m talking about right there and can make changes. Now we’re not getting into this plane of the cloud, but it’s definitely something that you want to pay attention to because if someone can get in here, then all bets are off with regard to all the other firewalls and network control points that you’ve put into place, but that’s a subject for another day. I just thought it deserved honorable mention here.

Randy Franklin:
So what are the risks? Well, let’s start with virtual machines. Just because a VM is in the cloud doesn’t mean it can’t be broken into, and I’m sure that’s an overly simplistic observation for this audience, but what are the potential vectors? Somebody could come in from the internet and break into that VM potentially, depending upon what kind of inbound connectivity is present. Other VMs in the cloud. So other virtual machines that you have under the same subscription or other subscriptions where you’ve connected the virtual networks together, basically there’s a horizontal kill chain; the same horizontal kill chain applies in the cloud as it does in an on-prem network.

Randy Franklin:
Hey, listen, you probably have either a VPN connection or an ExpressRoute connection between your on-prem network and the cloud. And again, I’m using ExpressRoute, which is Azure terminology. It’s basically a direct leased line between you and the Azure data center. They have the same thing in AWS under a different name. So a compromised system on your on-prem network could then be used as a beachhead to compromise stuff up in the cloud. There’s no difference. I mean, the cloud is just an extension of your overall network. You can also connect to business partners. Either business partners connected to your on-prem network, they could potentially… If they get compromised, they could potentially go through your on-prem network connection up to the cloud, get into stuff there and so on, but it’s not just limited to virtual machines.

Randy Franklin:
There’s also, like we said, other cloud resources like storage and databases, and I get nervous about that stuff a lot, because to a degree we’re kind of backsliding in terms of security. I don’t know if you guys have noticed this, but think about when you spin up a… Well, first of all, when you spin up an Azure virtual machine, it’s not usually a member of your on-prem domain, so it’s not getting group policies from your on-prem AD environment, and it’s not getting security policies then because of that.

Randy Franklin:
There’s increased reliance back on local accounts with virtual machines, because it’s fairly recently that you’re able to make VMs a member of your Azure Active Directory. And I don’t see a lot of people doing that yet. And so I used to spend a lot of time preaching about the risks associated with local accounts back in former years, but to a large degree, people learned their lesson and stopped using local accounts and concentrated on using Active Directory accounts. But we’ve kind of backslid with that. I don’t know if folks in the audience have noticed that, but it’s the same way with Azure SQL. You have local accounts in the SQL database, you…

Randy Franklin:
When you get into stuff like storage, there’s no user account at all. There’s just keys that are created for accessing Azure storage accounts. And I’m like, whoa, how’s all of that supposed to be controlled? Of course they have… Azure provides a key vaulting service and they have other stuff like that in AWS. But a lot of that I think is an afterthought. I don’t think people are implementing it off the bat and especially developers. They’re interested in getting their stuff working. So I think there’s a whole backsliding in terms of compliance and security best practice, and we’re going to be learning the same lessons over again there.

Randy Franklin:
All right. So how does this tie into what I’m talking about with cloud network risks? Just that this stuff can be hacked… Just because it’s in the cloud doesn’t mean it’s protected, and the network control plane is obviously a really important part of this. In fact, here’s a great example. If you have an Azure storage account that supports a cloud-based workload, why should that Azure storage account be accessible from the internet at all? Right? If it’s only accessed by other VMs or hosted applications that are running up in the cloud, then that would be the first way to protect it. Is there a way to set up a policy with Microsoft that says this storage account can only be accessed from these few components that are also running up in the cloud?

Randy Franklin:
And that way, if we’re worried about the security of that storage key, we don’t have to worry as much. Right? Well, it becomes a part of our defense in depth, right? And so, yes, the answer is, with the stuff that we show you today, yes, you can do that. You could say, look, this storage account should only be accessible to this virtual machine or this set of virtual machines or this .NET application or PHP application that’s being hosted on the platform in the cloud.

Randy Franklin:
And basically what we’re doing there is creating a firewall. Let’s see here, then there’s compromise… It goes the opposite direction too, right? Once you’ve set up a VPN or ExpressRoute between the cloud and you, then that means if a virtual machine in the cloud is hacked, there is a possible route of… Maybe we’ll call it the vertical kill chain, to go down into your on-prem network because we’re all in a hybrid environment, and by the way, it’s not limited to just layer 2/layer 3 network connections like VPNs or ExpressRoute connections, direct connections. There are so many cloud application gateways deployed on internal networks with no network controls around them. And so we are totally trusting the cloud vendor who produces the code for that application gateway to do their job right. And if they don’t… If they’re compromised, well now the bad guy has a just complete unfettered wormhole right into your network.

Randy Franklin:
So Tim, I said that before, but let me just say it again, that when I talk about Azure, this is just the particular example of a cloud that I’m using today. I don’t like to be completely generic. I like to use an actual example and I can’t cover every cloud today. So the one I picked is Azure. So whatever I say is possible on Azure, it’s a fair bet that the same issues apply and the same types of products or services or features are largely available in AWS or Google. All right?

Tim:
Yeah. I mean, that’s actually correct. If I could interject here for a second on that one too. I said across all the platforms I’ve dealt with, it’s same problems, just different nomenclature and in incidents of security the problems are often magnified too, even though they’re same problems it’s… the AWS may handle for instance, storage a little bit more poorly than Microsoft Azure does, but nonetheless, the problem is still all exists across the board. It’s just the different magnitudes to paint on the platform.

Randy Franklin:
Yeah. Thank you. So let’s see here, let’s move on now and speaking of which, let’s get into Azure networking and let’s take one cloud and let’s get down to the actual components. So we’re using Azure and it starts with virtual networks and virtual machines.

Randy Franklin:
I find this is the easiest way to enter into an overview or introduction to networking in the cloud. And it’s easy because both of these things are completely analogous to the physical world. Moreover, most of us are familiar to a degree anyway with virtualization. And so you have the same thing on a hypervisor. Whether you’re using VMware or Hyper-V, you create virtual machines and you create virtual networks. And in Azure, that’s what you’ve got. Anytime you create a virtual machine in Azure, even if it’s an isolated virtual machine and you only access it from the internet, it is nevertheless connected technically to an Azure virtual network.

Randy Franklin:
You may hardly be aware of it if you’re just starting to play with VMs in the cloud, because you immediately, or by default even, get an IP address, a public internet IP address, for that virtual machine. So it kind of gives you the impression that that VM is just plugged in directly to the internet, but technically it’s connected to a virtual network and the only IP address that that VM is actually aware of is its local IP address. And so when we set up a virtual network, we have to specify a network space. So maybe something like 10.42.2.0, and that would be a subnet mask of 255.255.255.0 or in CIDR format, just the /24 for those three eight-bit octets or whatever they’re called. Okay. And then that VM then just has a local IP address on that network.

Randy Franklin:
Now you also create something automatically by default in Azure called a public IP address, which means public IP address. And it also allows you to specify some port mappings, which get translated technically into a network security group. And so what you’re really doing is saying, okay, the gateway that this virtual network has to the internet gets this public IP address and when an inbound connection hits it, it’s going to translate, reverse NAT, all of those connections inbound to the virtual network interface card that VM uses to connect to the virtual network, subject to whatever the rules are in the network security group policy that’s attached to that VM. So we’re going to get into all those things. I’ve named a couple of other things here, like a network security group, as we go along. And I guess that’s the third Azure object I should acknowledge here on this diagram, is that the VM itself isn’t connected really directly to the network.

Randy Franklin:
It has, of course, a virtual network interface card. It can have multiple NICs, each one connected to a different or the same virtual network. Okay. And it’s actually that you associate the public IP address to that NIC, but the important thing… You know what, let me just show this to you really quick. I can’t dive down into the details on everything that we covered today, but let’s at least for the benefit of this. So I’ve got a virtual machine, app server one, and let’s see, you’ll notice that… Where’s our virtual network interface card. There we go. Networking.

Randy Franklin:
So app server one has one network interface card, which is app server 1215. I believe that 1215 are the last four digits of the MAC address of that network card, that NIC, and that NIC is connected to this virtual network. So here’s my Azure virtual network (VNet). I named it based upon its address space, VNet 10.42.2. You can name it anything you want to, and it’s connected to the default subnet. So you also have subnets in Azure, and there’s a public IP address associated with this NIC. The public IP address is named app server one IP, again that’s my name. And this NIC has this IP address, 10.42.2.4.

Randy Franklin:
Does it really have that IP address? Yes. Later on when I RDP into the server and we do an ipconfig, you’ll see that it has one NIC. And that’s the IP address? How does it get that IP address? Does Microsoft reach into that VM via remote PowerShell or something or Hyper-V tools to configure that? No, it uses DHCP. So by default, when you connect a VM to a virtual network, DHCP is enabled and the Azure cloud keeps track of what IP address you’ve assigned to each NIC and uses DHCP to configure that IP address. Now, the fact that we’ve associated this public IP address to the NIC, and we’ll look at that real quick. There’s not much to say about it. A virtual, I mean a public…

Randy Franklin:
IP address is simply an IP address and whatever it’s associated to. In this case, it’s associated to a NIC, and there’s really nothing else to say about the public IP address object in Azure. You might be saying, why doesn’t this object have an actual IP address? Why isn’t it displayed right now? That’s because the VM that it’s connected to isn’t booted up right now. So, I wanted to show you that, because these IP addresses are not static unless you spring for that. So we’ll start up that VM and we’ll connect to it later. But once it starts up, you’ll see that the IP addresses are assigned.

Randy Franklin:
So it’ll take a little while for that to happen. Okay. So far so good. Now, with the Azure Virtual Network, it’s just like a physical LAN back on your on-prem network. You can have multiple subnets, and by default, all those subnets in a given virtual network are routed to each other. You don’t have to set anything up to do that. It just happens. So, can you restrict communication between different subnets? Yes, you absolutely can, but you know what, in Azure there’s not really much need to use different subnets, because usually the only reason you’d want to do that is for security purposes, to create different zones and limit traffic. But they have a really neat way of doing that with NSGs, network security groups, which I’ll talk about later. Be that as it may though, there’s always at least one subnet on a virtual network.

Randy Franklin:
And the next question might be, well, I know I can have multiple virtual networks. What do we have to do to communicate from one VM on one virtual network to another? Do we have to set up a virtual router or something? No, it’s super easy. All you have to do is peer them. And it’s a two-way setup. If you have virtual network one and virtual network two, you go to number one and say, peer this with number two. And then you go over to number two and peer it in the opposite direction. And as long as these are all… they don’t even have to be in the same subscription. At least in Azure, you do need to be part of the same Active Directory tenant, basically the same instance of Azure Active Directory. Then you can peer any virtual network on the planet, even across regions.

Randy Franklin:
And it’s basically like setting up a router between those two virtual networks. What else do I need to say here? What if you have virtual networks that are under different Azure Active Directories? Or what if you want to connect a virtual network to a completely different company? As far as I know, that is even possible with, well, yeah, it’s certainly possible with virtual network gateways. And in this case, what you set up is basically a VPN server. It’s like running RRAS, but you don’t have to actually install a virtual network, you don’t have to configure RRAS, you don’t have to patch the system. It’s all hosted in the cloud. It’s all configured via the portal in Azure or PowerShell. And so, you can connect even virtual networks that are under completely different Active Directory tenants. Or of course you could set up something else called a virtual network appliance to connect them. We’ll talk about that as well.

Randy Franklin:
So, I think it’s safe to say at this point, you can connect anything to anything. In fact, you could connect a virtual network in Azure to a virtual network, or whatever it’s called, over in AWS. It’s just a matter of setting up a site-to-site VPN connection. So you can connect anything to anything. How do you connect Azure resources? How do you connect to Azure resources from outside of Azure? So, so far we’ve basically been limiting our discussion to connecting between all things Azure, but what about getting to something in Azure from the outside world? Well, first of all from the internet, there are at least three different ways. There are really more, but these are the three principal ways. Number one: we showed you already, you can assign a public IP address to a specific NIC on a virtual network. Remember, the virtual machine, the copy of Windows or Linux running inside that VM, is not aware of that IP address.

Randy Franklin:
It doesn’t see it. All it’s aware of is its local IP address on the local VM, but reverse NAT is happening. You can also set up an Azure Load Balancer. So again, this would just be like spinning up your own load balancer on an on-prem network. But in this case, you’re not even spinning up a VM in Azure, you’re spinning up an instance of Azure Load Balancer. We’ll drill down into that, but that can load balance incoming connections to either Azure virtual machines or other Azure resources, or even to stuff outside of Azure too. By the way, then you also have application gateway. This is specifically for HTTP, HTTPS traffic and allows you to do more sophisticated publishing of resources. But in all cases, these things get the same type of object that I will show you here in Azure. And that is a public IP address.

Randy Franklin:
Do you see that? It’s now been assigned an actual IP address. So this is an internet IP address and it is associated to the NIC of app server one, because app server one is now allocated and booted up. All right. But we would use the same object, a public IP address, and assign it to, associate it, it should say, to a load balancer or application gateway. Or, also, to something else in Azure called a virtual network gateway. So this is primarily for enabling access into an Azure network from your on-prem network. It’s called a virtual network gateway. I think it would be easier if we just looked at it as a VPN server, but that’s basically what it is, a site-to-site… It can also be a point-to-site VPN server, and you can use just about any VPN device or appliance or server on your on-prem network to establish a VPN link or tunnel up to Azure.

Randy Franklin:
And you know what’s interesting? By the way, just to reinforce what I was saying, I don’t know if you’ve noticed this Keith, but when you go into the instructions for setting up a site-to-site VPN from an Azure virtual network gateway to your local network, they have instructions for Cisco and I think Juniper and another one. They don’t have any instructions for RRAS, which is what I of course am going to use, being primarily a Microsoft guy. I had to go Google and I think it was a third-party article that explained how to do that. It’s really simple, but I just thought that was ironic.

Tim:
Yeah, that really truly is. And I think what it is, is Microsoft trying a little bit to pretend like security’s involved by matching security-specific vendors as they do this. But, as with the cloud, it lends itself towards openness and availability. And that’s one of the things that I think they were trying to hide a little bit. And when you talk about VPN connections to other sites, yeah, we’re going to these specified security vendors, but at the end of the day, they forgot themselves. Why that is, I don’t know.

Randy Franklin:
Probably because nobody uses RRAS, except for me. At any rate, you use that virtual network gateway to set up a site-to-site VPN, or if you can afford it, you can also get a leased route. So, Microsoft works with several different networking telecom vendors that will get you a direct connection that’s private, right from your data center to their data center. But in either case, you use this object in Azure called a virtual network gateway.

Randy Franklin:
Okay. So here’s the breakdown on the public IP address. I think I’ve basically shown you that already. Our virtual network is 10.42.2. Here’s the public IP address we were assigned when that public IP address object demanded it. And then it was associated to this particular NIC on the VM. And it automatically, by default, I guess you could say, is going to do inbound reverse NAT on any port, except as defined by the network security group that you assigned to that particular NIC. And this gets done automatically when you’re spinning up a virtual machine. It says, do you want to give it a public IP address? And then it says, well, what ports do you want to enable? But what it’s done under the covers is it’s just created something called a network security group and said, deny all, except allow whatever you specified. And one of the things you usually specify when you’re just starting off is 3389, so that you can RDP into that VM.

Randy Franklin:
Now, how do you connect to Azure resources from outside Azure, beyond the simple thing that I just showed you, which is a public IP address? I also referred to load balancer and application gateway in passing. Here are some graphics to help you understand that a little bit more. So an Azure Load Balancer, it’s just an instance of the service, and it works like any other load balancer. It functions at the TCP and UDP level. So when somebody out here on the internet comes in and says, “Hey, I want to connect,” and it just uses the public IP address of the load balancer, “I want to connect to port 80 on your IP address, my IP address is this, I’m coming from this port.” Then it says, “Huh, okay, we haven’t seen that before, let’s create a session and keep that in our head. And, hmm, what’s the next downstream destination in line for a connection, according to my load balancing rules?”

Randy Franklin:
And then we’ll just pick the next downstream destination. Now, why do I use that generically? Is it usually a VM in Azure? Yeah, it probably is, but it could literally be anything else. You just give it a set of IP addresses and that could be a VM scale set. It could be other stuff in Azure that isn’t strictly VMs, but still needs a load balancer in front of it. Or, this could be stuff somewhere else on the internet, some other cloud or whatever. It would pass the traffic right back out onto the internet and round-robin or use whatever other algorithms it does to load balance those connections. But it’s strictly doing it at the TCP/UDP level, whatever level that is in OSI. I can’t remember at the moment.

Randy Franklin:
And that’s great for any application that you need load balancing for, basically, and it’s session based. But what about load balancing web applications? There’s something that’s really better and higher level, more sophisticated, that’s available. And that’s an application gateway. To me, it ought to be named web application gateway because this only works for HTTP and HTTPS, alright? But this is like a reverse proxy server, essentially. And it allows you to, it will parse the URL and you can set up rules that say, “Oh, if the URL is referencing an image, then go to this image server pool.” But if it’s asking for a video, then go to this other set of virtual machines. And it can do all that other stuff that you would expect in a web application gateway. The other thing that it has in here is web application firewall capability. So it can look for things like cross-site scripting, SQL injection and stuff like that, because it’s actually inspecting the HTTP traffic that’s going through there.

Randy Franklin:
Now, again, both of these are assigned the very same object type in Azure, and that is a public IP address. So then if we take a step back, what’s everything that makes up a virtual network? Here are all the properties that it has. A virtual network has an address space, and then it has one or more subnets that implement that address space. Each subnet can be assigned a security policy called a network security group. That virtual network may also have virtual machines connected to it via network interface cards. There may be other peered virtual networks. That’s kind of a typo, they’re not VMs, peered virtual networks. There may also be something called service endpoints. This is a way of connecting non-VM Azure resources to this virtual network.

Randy Franklin:
Remember when I was talking about, like, you have a virtual, I am sorry, you have an Azure storage account, but the data in that storage account need only be accessed by virtual machines or other stuff that you have in Azure? And it would be better for security if, even if somebody had the storage key, they couldn’t access it from the internet. Okay, that’s how you do it. You set up something called a service endpoint on the virtual network that says that this particular storage account is connected to this virtual network, and only this virtual network, and service endpoints are part of that. You can also connect gateways to this virtual network that allow you to connect to other networks, either by VPN or at the application level.

Randy Franklin:
Let’s see here. Let me just show you a virtual network in Azure real quick. So here’s my resource group called VNets. It’s just built for this project and you can see everything that’s connected to it. I have the stuff associated with that virtual machine, app server. So, I have the actual VM itself, I have the disk, I have the network interface card and I have the IP address and I have a network security group. That’s all specific to that one virtual machine. I also have an Azure SQL server and SQL database. I have one virtual network, and then I also have a gateway. I have another network security group. I’ve got another public IP address that’s tied to the virtual network gateway. And there’s a connection back to my corporate network on Zdan road.

Randy Franklin:
But here's the virtual network. And as you can see the properties on my address space, I've given it two subnets here, or, I'm sorry, I've given it two blocks. And those correspond to two different subnets. We can look at what devices are connected. We can also look at what other virtual networks are peered to it, none at this time. What other Azure services are connected to it, Microsoft SQL, and specifically to my default subnet. So that's a virtual network. I just wanted you to actually see an example of it. Well, let's revisit our risks here before we finish up and think again, now that you've seen all these components. Do you see all the different vectors of compromise and risk that are present, going either up into the cloud from the internet, from partner networks, from the on-prem network, or if something in the cloud is compromised, that creates routes of opportunity for the bad guy down into your on-prem network or potentially other cloud networks?

Randy Franklin:
So how are these risks addressed in clouds? And again, we'll stick with our example, Azure, here. So Azure has network security groups, it has something called Azure Firewall. It also supports a feature that allows third parties to implement their firewalls and other network security products, called virtual network appliances, or network virtual appliances as it's also sometimes called. And then there's also what I would call infrastructure as a service or software as a service firewalls. These are not implemented on VMs that you see, they are just implemented more like software as a service. And so, just some examples, Check Point CloudGuard or the FortiGate Next-Gen firewall for Azure. So, you don't see these as a VM, you can't RDP into them or anything like that. They are just there and available, you configure them via the portal.

Randy Franklin:
Let's talk about network security groups. This is the core security object, the core network security object you have in Azure. And they don't cost anything. They're not a product, they're just a feature. And they are basically a list of rules that allow or deny traffic, like an ACL on anything else that you would call a firewall. They're basically firewall rules. But each rule allows you to, of course, give it a name, you give it a priority, and the priority number means that lower numbers take higher priority, just like priorities of processes in Windows, and then the source or destination. Can that be, are we talking about IP addresses? Yes. Or we're talking about blocks of IP addresses. One rule can have multiple, by the way, but we're also talking about service tags. So you can create a rule that says, these sources can talk to Azure storage, but nothing else on the virtual network can talk to Azure storage.

Randy Franklin:
So basically we get the ability to do micro-segmentation within the Azure virtual network. You can also create something called an Application Security Group. And the most common members of an ASG are virtual machines. And so you can then say, "I have an application security group called database servers, I have another one called application servers, I have another one called batch processors," if you like.

Randy Franklin:
And so, now you can just stop using and thinking about doing segmentation with IP addresses, you can stop using subnets. You can throw everything on one subnet on one virtual network and then group your systems together and other Azure resources under application security groups. And so Tim, that's a good example of getting closer to intent, right? Instead of saying, "okay, I need to make all my application servers start with this IP address range, and then create a rule that allows this IP address range to talk to Azure storage," I can just say, "I want my application servers to access Azure storage, but nothing else." That's getting closer to intent, right Tim?

Tim:
It is. And you know, what's great about many, many of your examples here, Randy, and some of your hands-on examples here, is it really underscores some of the subtle complexities, and some of it not so subtle, because things can spin up. Things are dynamic. Sometimes things are there, sometimes they're not, and they come and go quite quickly. And it's not always related to an IP address specifically.

Randy Franklin:
Yeah, that's an awesome point. And so I would encourage you, if you're starting off and getting into Azure, don't use subnets and do use application security groups instead of IP addresses on these rules here. And you specify the protocol, the port numbers, the direction, inbound or outbound, the port range and then, of course, do I allow or deny. Now, what can you link a network security group to? You can connect an NSG to a subnet, so that governs traffic within and into and out of that subnet, but you can also attach them to network interface cards.

Randy Franklin:
And so, then I question the reason for ever using Windows firewall in the cloud, if you're going green field, right? You can do all of this up at the network security group level and with an application security group. So when you spin up an additional virtual machine that should have the same rules, just drop it into that ASG and there's nothing you need to do at the Windows configuration level with Windows firewall. You only have one NSG attached, I should say, with a subnet or a NIC; you just connect one network security group to it. That is its complete security policy.

Randy Franklin:
But can you take one network security group and use it over and over again on different NICs and different subnets? Yes, you absolutely can. And so, here's an example of it right here. We have one virtual network, three subnets, and four virtual machines. You see that there? And we have two network security groups. One NSG, NSG1, is connected here, or linked to, I should say, associated with subnet one. And so, that governs traffic within the subnet, and egress and ingress traffic to the subnet. And then, we have some specific rules or policies needed for protecting VM1 and VM3. And so, we implement that in another network security group that's actually attached to those NICs.

Randy Franklin:
Now, who wins on this NIC, between NSG1 and NSG2? Well, they both win. So any traffic has to comply with all of the NSGs, network security groups, attached. But wait, there's more. And I'm going to be very brief with how I cover these things.

Randy Franklin:
Remember, I was talking about the application gateway. Well, you also have, as part of that, a sub-feature called web application firewall, and it's going to look for attacks that happen inside of HTTP, such as cross-site scripting, SQL injection, stuff like that. You also have something called Azure Firewall. This is in beta right now. And right now, all it does is allow you to put controls over outbound traffic. There's really not much to Azure Firewall right now. It's eventually going to give you capabilities that go above and beyond network security groups, but right now, to me, Azure Firewall is kind of boring. And again, Azure Firewall would be something you just configure here in the portal, rather than any VM that you have to run.

Randy Franklin:
Hey, but what if you need more sophisticated intrusion detection? What if you want to scan outbound data for data loss prevention purposes? What if you want to do network application control? What if you want to detect anomalies in data? Or what if you don't want to use web application firewall? You want to use any kind of network security product that you're already familiar with, like one of these up here, Imperva or Fortinet. You know, you already have a big investment in them. You already have a skillset in them. You want to keep using that. So that has been made possible by what are called, well, two different form factors, network virtual appliances and infrastructure as a service.

Randy Franklin:
A network virtual appliance is just a managed VM. So it's a template VM that comes with one of these products already installed. And so, you just instantiate a new instance of it, give it its configuration, and tell it which virtual networks to connect to. And then you can manage it using the same skillset and management tools that you're accustomed to, but it's already up there in the cloud, and it's less work for you to maintain than you just spinning up a generic VM and installing this stuff yourself. Plus, some of these, for on-prem, are normally actual physical appliances anyway. So they wouldn't be available that way, unless they had taken part in this third-party marketplace that Azure's put together.

Randy Franklin:
But they also have another form factor, which I think you'd call infrastructure as a service or firewall as a service, and these are specific products. They're of course going to share native or common technology with the classic offering, but, like, Check Point CloudGuard is an Azure-specific implementation of Check Point technology that is portal-managed. It's not running on a VM that you see.

Randy Franklin:
So this point's built out. Okay. Obviously, Azure is just one cloud. Google and Amazon can do all of this stuff and more, for the most part, and I think we can really see, from all of this, that firewalls don't go away with the cloud. In fact, we have more firewall types than ever. We still have Windows firewall in VMs. We have network security groups that can be associated with NICs or subnets. We have virtual network gateways. We have web application gateways, which include web application firewall. We have network virtual appliances, and we have infrastructure as a service firewalls. How do you keep all this straight, understood, and consistent? And how do we make sure the configuration accurately reflects your intent? And how do we then coordinate this with all of our on-prem stuff?

Randy Franklin:
This is where FireMon comes in. And Tim, do I make you the presenter first?

Tim:
Actually, make Keith the presenter. I’m going to do something a little different today for the audience. I thought I would give them a sneak peek at our tool, and our solution, just kind of give you an idea of kind of what we’re talking about here, and you know, because there are so many different technologies that can happen in the cloud, and as you start talking about the complexities of configurations spanning across your security infrastructure, specifically as it relates to security configurations, security policies, security data controls, things like that.

Tim:
For the benefit of the audience here today, FireMon was created to help give visibility across your security infrastructure, centralized visibility across all of these different data points. Because as your examples pointed out, Randy, there’s a lot of subtle complexities, and not so subtle complexities that take place as you start trying to configure security across the entire infrastructure, across a large number of devices.

Tim:
It's not just a pure environment. It's a heterogeneous environment that has a lot of different control points. And so, how do we see a common view? How do I know, holistically, at any given point in time, what my security profile, my security posture, actually looks like? And so, I invited Keith. Keith is our senior director of field engineering here, and has a lot of deep experience, deep domain experience in security. And I was just going to ask him to kind of give the audience a sneak peek of our tool, and point out some high points here.

Keith:
Cool. Thanks, Tim. Yeah. So one of the things that I wanted to point out before I actually go and open the tool is the reason for our tool. Randy kind of hit it a little bit, Tim definitely hit it in his intro. And that is that, as people go out to the cloud, and they go hybrid cloud, multi-cloud, whatever it may be, all those platforms lend themselves towards operations and availability. Hey, "Let's be able to spin up workloads quickly. Let's create a whole new VNet for two days, while we handle a heavy load across the network, et cetera." And so the issue then becomes, really, truly, one of visibility. And in particular, from the security practitioner standpoint, the poor people who have to handle your PCI compliance, or NERC CIP, or whatever matters to your environment, the question for them becomes, "Well, great. How would I keep track of that?"

Keith:
I'm going to show some here. I'm going to show the Amazon dashboard, right? Randy was kind enough to show you the Azure dashboard. I'm going to quickly show the AWS dashboard, just to say that, "Hey, now imagine if I was a security practitioner, trying to make sense of what's going on across my environment, as I'm spanning." Obviously, I have Hyper-V running on-prem, maybe there's some VMware on-prem, and those are my private clouds. I've got public, and I have an instance out there, and a large footprint out there in Azure, and maybe I have a DevOps guy who's really hell-bent on doing some stuff in AWS to manage all that too.

Keith:
So if I have to do that from a security practitioner's standpoint, and try to make sense of it all, I have a couple of options. The first option is to open up a tab for each one of my platforms here. In this case, that'd be four platforms. I would have AWS, I would have Azure, I would have VMware's vCenter, I'd have the Hyper-V management platform open. I'd have everything open, just so I could kind of piece together the picture, which is impossible. So when you think about each management station that you're going to talk about, now you're going to one, two, three, four, five different sections inside each one, to put together the data points you need in order to figure out exactly what's going on from a security compliance standpoint.

Keith:
So at the end of the day, you really need a tool to put all that together. And that's what FireMon does. We take information from all those different environments, whether it's a true on-prem, whether it's a private cloud, whether it's one of the big four cloud providers, whatever it may be, and present that information to you in a logical format that's easy to find. And even for the operations people, this comes in handy. You know, "Hey, if I spin something up over here, will it be able to talk with my stuff over there, behind this Azure NSG, and this?" Well, yes, it can. And we can show that through network topology. That's kind of why I brought this up here. Just to give you a quick view of what's going on in the current state.

Keith:
But again, this takes a fair amount of research. I still have to get everything in. I have to go and actually click on this to look at what's going to allow these to communicate before I make changes. So one of the things Tim's going to show you here in a few minutes is the ability to actually not even have to worry about this. Why not set something up and let it manage the situation for you, and you just define the intent, and let it go? That's kind of where we're going in the future, and Tim's going to definitely speak to that a bit more.

Keith:
So one of the things FireMon does, obviously, is give you a global view of everything, whether it's on-prem, cloud, et cetera, and we present that to you in several different formats. Of course, there's the traditional network map, which I'm showing right here. It's kind of just a topology view. If you notice right here, I have it set just for my cloud environment. If I actually wanted to go look at my entire enterprise, I could definitely do that, and it would render, again, that same map for me, that same topology view. So I can make sense of it as a whole across the entire environment.

Keith:
But the other thing that it can do, too, is it can take all that information together and aggregate it to give you a picture of, say, for instance, security and compliance. How am I doing from a risk rating, or scoring, from my client's standpoint? Am I still PCI-compliant? Have I messed that up big time? Am I compliant with the company's policies and procedures? All that information we provide you in a view, and give it in a way that everybody from a high-level tech to a CSO can understand and make sense of.

Keith:
And again, how that happens is through data normalization. So again, we take all the different data points and present them in a common view, so they see everything at once, and do some quick searches and some filters. So for instance, here we go, I have a policy from a certain device type, and I've got policies from Amazon device types, Azure and everything else, Azure SD, it's all presented the exact same way. And that gives the ability for everybody, whether it's the soft guy, the security practitioner, the CIO, to get a picture of what's going on in the environment, and understand exactly what's happening, at any two points in time across any environment.

Keith:
And that's the key here. The key here is visibility. Visibility is what prevents the boo-boos. If we go back to the Target breach, that was a function of having multiple environments connected together, and somebody came in through the HVAC system, et cetera, and used that as a point of exploit. So being able to see how everything ties together, to see it in a logical map view, to see it from individual rules, to see it from a risk and compliance standpoint, that really, truly is what saves everybody's behind, and also when we're not having a giant fire drill, as we figure out, "Hey, if we're breached, how did the breach happen?" Because for the most part, we can prevent that by looking at the environment as a whole and reacting to it.

Tim:
And that’s why I love that.

Tim:
Tim.

Tim:
I love this part of it, Keith, because this is showing you, even what you have here, if I was looking at my enterprise view or my cloud view here, I'm looking holistically again. When it says 6.62% unused rules over the last 90 days, that's talking about that environment. That's all the devices that FireMon is monitoring across that environment. That's a statistic that's related to all of those security devices, that part of the security enforcement fabric that FireMon is looking at. But it gives me the ability, very quickly, as Keith pointed out, to drill into a very specific, very discrete component of that security implementation.

Tim:
So I can look at that actual enforcement point rule on a specific device very quickly, when I need to get to some actionable data. So I can take you from the very, very tip top, all the way to the very, very bottom, very quickly, when I'm trying to look at, especially, if I have to remediate something, right Keith?

Keith:
Yeah, absolutely right. So if I have a significant issue, like, for instance, I have a rule here that is severely violating compliance, one click in, and I could see my list of the rules that are causing significant compliance failures, and start acting on those immediately, just in a single click. Now, I will say this. The one downside to doing it this way is that it's reactionary, right? And that is the downside. So what Tim's getting ready to show you here is how you even keep from being reactionary, how to stay ahead of the curve, and use intent-based networking, in particular security guard rails in place, to make sure everything's on the straight and narrow, and make everybody's life quite a bit easier.

Randy Franklin:
Can I just jump in and just amplify one thing on the previous page real quick, guys?

Tim:
Sure.

Tim:
Yeah.

Randy Franklin:
I just want folks to get something here. We are looking at resources, firewalls, whatever you want to call it in the Azure Cloud, in the Amazon Cloud, and on-prem stuff like NSX manager, perimeter gateways, all in that one list, right?

Tim:
Yeah. Exactly. If you go back to the enterprise view there, and this is a demo environment, or this is a simulated environment. We have actual devices with actual data transfer seen on it, but we use this for the purpose of our own testing. But essentially, we support a ton of different technologies, enforcement fabric technologies out there today. And we have partnerships across the globe, because, as you're looking at your infrastructure, whether it's private cloud, public cloud, hybrid cloud, the converged data center, on-prem solutions, I want to be able to see all of that in a central pane of glass. I want to get a good feeling, I want to get a good understanding of how my security teams are doing across departments too. That's the other interesting thing that we haven't really talked a lot about: who's responsible for the configuration of security on those things that are going into the cloud? Who's responsible?

Tim:
What we're finding out is it's not always the traditional IT security teams that we think about, that are managing the firewall in the data center. A lot of the time, it's the application owners or it's DevOps that's taking responsibility for the security of the components of the applications that they're deploying in the cloud. And they may or may not be the best suited to do that. They may, and I'm not saying that they're not, but I'm not saying that they are either. We are definitely finding some inconsistencies, and we're finding the probability for error to crop up in these arenas, because what we are seeing is that one of the biggest barriers to maintaining good security performance is growing complexity across our security deployments, or across our data deployments.

Tim:
And so, as complexity goes up, the probability of human error, I say this all the time, the probability of human error goes up. The probability of configuration errors goes up, the probability of exposing some data that we didn't want goes up, or that potential for risk goes up greatly, just because of this inconsistency.

Tim:
At the end of the day, the real question that we’re seeking the answer to is how do we make sure that our security policies, our desired security intent, our desired compliance intent, our desired business intent around those critical resources that we’re deploying in the cloud, whether that’s the databases, the applications, the resources, whatever that is, that data that’s out there, those processes that are running, how do I make sure that my actual implementation of my security is a reflection of my security policies? And that’s really the question that we’re trying to find the answer to.

Keith:
And just to drive that point home a little bit more, Randy noted at the very beginning of his presentation that he's noticed in the cloud that a lot of people aren't paying as much attention to securing resources as they do traditionally on-prem. And that's because, again, when you think about DevOps and people in the cloud, they lean towards availability. Their focus is to make sure people can get to the data, which unfortunately is also the archenemy of security, too. The two that you always fight hand in hand. So the natural inclination of individuals, particularly cloud practitioners, is always going to be towards availability. And so that's what makes it even more challenging.

Tim:
It is. The speed of business, and it's commonly what I refer to as the speed of business. The speed of business has accelerated, probably, if I had to put a number on it, probably six to eight X what I'll say our ability to secure it is. And it's due to this wonderful technology that we have at our fingertips today, this rapid acceleration in the ability to deploy applications, and to deploy resources quite dynamically. And unfortunately, our traditional methods for securing access to that information and ensuring security consistency have not developed as rapidly as our ability to deploy has. And that's where this gap comes in that we talk about. Keith, if you'll show me, throw me the slides, for the audience here, I'm going to spend just five minutes to hit a couple of slides. I want to talk about one thing here.

Tim:
There we go. And there we go. So I'm going to run through these, and Randy, if you want to jump in too, by all means. I mean, the world has changed. I'm going to hit on one point here, because we've talked about all of this Internet of Things. Something that we haven't really talked about. As I was doing some research as well, I was reading an article here last night. It says, "In the next five years, we will have over 80 billion." 80 billion is the projection of internet-connected devices, IoT-type devices, on the internet. So why is that significant? And how does that relate to the cloud? Well, a couple of things here. I mean, we've already seen where IoT devices are being used for denial of service and DDoS. We now hear about crypto hacking with IoT devices.

Tim:
I read something about pacemakers being hacked, smart cars being hacked, and all that kind of good stuff, through IoT-type stuff. But what's interesting about the majority of IoT devices is where they're controlled from. They're controlled from the cloud. And so, once somebody penetrates that or gets access to that controller level in the cloud, it's not just about hacking at the IOS level, or at the operating system of the IoT device, it's getting access to that cloud environment, which is interesting.

Tim:
So we do have a lot of different forms of clouds, right? Multi, public, private, hybrid. And multi-cloud is just using multiple cloud providers. Hybrid is going to be a combination of public and private, but there's also on-prem. We've talked a lot about Azure, but as Keith and Randy both pointed out, there's a ton of different cloud providers out there, and these are the big ones.

Tim:
There’s a lot more than just this too, but what I see as we’re talking to our customers across the globe, Keith and I both have the privilege of talking to customers across almost every single market vertical, globally, about the challenges that they’re faced with on a day in day out basis, as it relates to securing their infrastructure. And we find that a lot of them use multiple cloud type deployments, and that’s part of their concern too. That’s part of their challenge. And they’re definitely concerned. There’s a realization of what they’re capable of securing, given the capabilities and the resources that they have today, which is really interesting, but we believe that the hybrid world is here to stay.

Tim:
So it's not just private cloud, but the on-prem stuff. And so, any security solution that you're looking at, I would just say to our audience, if you are looking at increasing your security posture, or having a positive impact on your security posture, I would say the solutions that you should be looking at to help you enhance your security posture should be things that focus not just on the cloud, but should also have that good focus on-prem too, whether that's a hyper-converged data center, or a modernized data center. The on-prem security piece is not going away anytime soon. But multi-cloud, or cloud, is definitely growing, and we've got to figure out how. And in my little diagram here, what I was trying to make here was, again, as I was talking, I have my desired state of my security, and this would be my written security policies.

Tim:
Sometimes, that exists in one person's head, sometimes that's actually a formalized document available for everybody to look at, but regardless, I have my desired state that hopefully is documented, application port guide, whatever it happens to be, and then I have what my actual implementation looks like. And that's where we find the gap exists: that our implementation, our security intent, we'll call it, our security intent gap, doesn't look like our actual implementation. But that's where we're trying to go. We're trying to achieve security intent, where our documented security policy is a reflection of our actual implemented security policy behavior, we'll call it.

Tim:
I talked about the speed of business. There’s all kinds of reasons why the speed of business, the acceleration of dev ops and all the different things. I think we all realize what’s giving acceleration to the business. And obviously, part of that has to be, or the biggest part of that is to remain competitive in a highly-dynamic marketplace today. If you’re not constantly adjusting, if you’re not constantly trying to outpace your competition today, then you run the risk of becoming irrelevant, and being left behind. And so that’s a problem, but the whole time, we have these rules, we have this adoption, we have this complexity graph that’s growing. And we still have to manage to that too.

Tim:
And this is where we hear our clients tell us that they're having the most problem, is trying to manage to this complexity gap. The processes that we used in the past are not working. We have all these projects on our plate that we're trying to get to, strategic initiatives for our company, from the top down, that are coming down from our CEO or our CISO, and things like that, that we're trying to achieve. And we're trying to look at our resources and the technology that we have. What technology do we have to refresh? What technology are we going to have to acquire? Do we have the people necessary to drive that technology, to use it effectively? Because …

Tim:
At the end of the day, you can have the best technology in the world, but if you're not using it effectively, then you're not going to get the return on that security investment that you're looking for. And so we believe the direction is security intent, where I want to implement a security intent orchestration platform that allows me to take a look at my current controls, understand what my security intent is, and translate that security intent into actual rules on an enforcement point somewhere within my infrastructure. The enforcement point fabric doesn't become any less important. Quite the contrary, it becomes equally important. For the benefit of the audience here, we just released our annual State of the Firewall.

Tim:
And I'll give you just a peek into that. 94% of the 300 different companies across a really broad demographic, 94% said that our firewalls are as critical, if not more critical, than they've ever been in the history of our company. But the problem is being able to put those rules where they need to go to secure those resources and applications. We need to be able to take our security intent and automatically translate that into enforcement rules on our firewall, without human intervention. And then we need to also manage to that, so that when it drifts, if something changes, again, we talked about, Randy gave a great example of the dynamics of the cloud. When something changes or something new spins up, how do I make sure that I'm adopting the right security policy when that event takes place? Or when that IP address moves or changes or goes somewhere else?

Tim:
How do I make sure that my security controls follow my data? And so we need to be able to constantly, in real time, monitor and detect that change. And I need that centralized visibility in order to orchestrate that. And so this new world that we're living in, we started looking at this, oh my goodness, almost two years ago. And we developed a product called Global Policy Controller. And Global Policy Controller is just that: it is a security intent orchestration platform. It gives you this layer of abstraction designed to ensure that your security controls follow the data, for all those resources, whether they're in the cloud, whether it's hybrid cloud, multi-cloud, on-prem. We allow our security teams to collaborate with the lines of business by allowing them to purpose and subscribe. So Randy was talking about some of the defaults in the security groups and things like that.

Tim:
We want to be able to templatize much of the security templates that a business owner, an application owner can subscribe to those security profiles. And I want to get the security teams back into the business of securing assets, and not becoming an enabler and not becoming a blocker, or something slows it down. So faster provisioning, it’s built on top of our security manager platform. And again, for those not familiar with security manager, we’ve been around for almost 14 years. It gives you change to, risk analysis, dynamic compliance, intelligent automation, the ability to search through all of your different security policies to understand what your security policy behavior looks like at any given point in time.

Tim:
And to be able, as Keith was showing you there, to get a holistic view, that you can drill down into the specifics when needed, to get actionable data that you can build remediation control around if needed. And something that we don’t talk a lot about, but I think you’re going to hear a lot more going forward in the future, and that is having an open API. In other words, when I start looking at the security products across my infrastructure, if those products aren’t able to talk to each other and exchange information with one another, it limits my ability to raise my security value as a whole.

Tim:
And so I want to make sure that I’m selecting products that promote interoperability across those things that I’ve selected, in order for me to gain the most security value across my environment. So at the end of the day, FireMon provides you a continuous security platform. We’re always allowing you to evaluate risk as access is being added across your cloud, your multi-clouds, your private clouds, on-prem, every time access is added, we want to make sure that we’re evaluating that access as it relates to risk, as it relates to our compliance profile, and that we have a centralized view across our entire security infrastructure.

Tim:
So I want to give just a couple of minutes here to see if we have any questions. We’ve had a lot of information. That was probably like drinking out of a water hose, but Randy, I’m going to turn it back over to you and Brenda to see if we have any other questions from the audience.

Randy Franklin:
Yeah. First of all, Steven asks, “Is there a difference between the virtual firewall services and features available on these cloud platforms and a physical firewall intended to create actual segmentation?” Well, what do you guys think about that?

Tim:
Well, I’ll let Keith comment on this too, but I mean, one thing the cloud does do, it gives you the ability to segment quite easily. It’s great for implementing a zero trust strategy or a micro segmentation strategy. A lot of the technologies allow for what we call service insertion points, where we can insert our virtual firewalls, and they become part of that chain, or part of that path, where as the data comes in, it first has to flow through that virtual firewall instance and then back through. And then vice versa if the data is going out, but definitely the cloud lends itself to micro segmentation a lot better than say a physical deployment in a data center.

Keith:
Yeah. And just take that-

Randy Franklin:
Keep going, Keith.

Keith:
Yeah. Just take that a step further. If you’re talking native firewall tools, the cloud platforms, so for instance, NSGs or security groups inside AWS, those tend to be bare bones. Whereas if you’re talking like a virtual firewall from a FortiGate, or a Check Point, or Palo Alto running in your cloud environment, those are almost identical to your on-prem firewalls in terms of capabilities.

Randy Franklin:
Robert would like to know, “how many different firewalls do you support, does FireMon support?”

Tim:
Wow, a lot. So as I said earlier, we’ve been around almost 14 years, a lot of deep domain expertise in this market. So we support a lot of the legacy firewalls that are still actually in use today. Believe it or not, we come across PIXes quite routinely still that are out there, but all the major firewalls that you would think about from Palo, and from Fortinet, and from Check Point, and from Cisco, and the many different brands and stuff. But then some of them maybe that you don’t think about always, Huawei, Hillstone, AhnLab. Because we are global in nature, we have a global platform of security, and it’s not just firewalls too, I don’t want to give the impression that all we do is manage firewalls, because it’s switches and routers, and load balancers, and enforcement points.

Tim:
And then you get into the actual cloud. So you think about AWS, we have device packs for AWS. We have device packs for Google platform, we have the device packs for Azure. And then for iptables, and we start talking about containerization. Most of the containers, whether it’s Docker, or Kubernetes, Rocket, or they’re using CoreOS with iptables, or whatever it happens to be. We have device packs that implement into security manager that allow us to help you manage that as well. So really, really broad list. If there’s something specifically that you’re looking for, I’d be more than happy to discuss it with anybody in the audience.

Randy Franklin:
“So is FireMon a service?” That question comes from Susan.

Tim:
No, it’s something that you actually… Now we have relationships with service providers where you may or may not know they’re using FireMon to deliver some of the services, that’s the cool thing about having an open API too, is service providers can actually get information out of the tool presented in a custom portal and give that to their customers. The customers don’t even know they’re looking at FireMon data, or give them input. That’s cool, but typically you buy a perpetual license and you own it. And so you would actually deploy that, either in the cloud, the components of FireMon, which I won’t go into. I won’t get it down into the weeds here about the different components, but it virtualizes quite well. And it can scale to incredibly high levels.

Tim:
So we have customers that have as few as a handful of firewalls, five, 10, 15 firewalls. And then we have customers that have thousands upon thousands of firewalls across a global infrastructure. So again, 14 years of service helping customers meet the challenges of their security issues on a day in day out basis.

Randy Franklin:
All right. And let’s see, the next one comes from Rahir, he asks, “Can FireMon help with my migration to the cloud?”

Tim:
That if… Yeah. Keith, I’ll let you go ahead and take that one, but that’s a great question.

Keith:
Yeah. I mean, absolutely right. So FireMon can definitely help from just one level to ensure that the access that you had on-prem is replicated out into the cloud. So you can make sure that the people who needed to touch the data, no matter where they work, can still touch it as you move out. At the same token, while you’re doing this, you’re not granting overly permissive access like most people do when they move stuff out in the cloud. They say, “Oh, let everybody touch it. Let’s have fun.” In this case, you could mirror the exact access you had with your on-prem solution as you move it out into the cloud. And then on top of it, there is kind of just helping you make sense of what’s on-prem from an access control list perspective, to make sure that it is properly duplicated as you move it out to the cloud.

Keith:
Then we even take it a step further with global policy controller, and effectively handle the on-prem migration for you. I mean, sorry, the cloud migration for you. So as you move an object out from on-prem, and we know what that object is, and we know what that object’s purpose and intent is, and we see it move out to the cloud, we can just automatically provision that access for you. So there’s three or four different major ways we help with that migration. But at the end of the day, the trick is just making sure that we’re granting the least privilege, the least amount of access necessary to allow people to continue to use the service as it moves to the cloud.

Tim:
You bring up a good point there really quick, Keith, is one of the problems that we run into a lot, Randy, that we see happening almost weekly is because of this whole issue with speed of business, is the security that’s being provisioned is allowing way more access than what the needs of the business actually need or dictate. And so you get these overly permissive rules that creep into the policies over time. And unfortunately the intent is to go back and to tighten those later, as we get more information around what are the security specifics, or what are the security needs around the specific business applications?

Tim:
Unfortunately, because of all the different things that the security, it’s not that they don’t know what to do, incredibly smart people, it’s having the time to do it. And so these overly permissive rules creep into these policies over time to honor some of the business needs, and they just kind of take on a life of their own. And in some time or another down the road, it becomes an even bigger problem.

Randy Franklin:
So I love Mark’s question here, “Any ideas on how to get management on board with a solution like yours, comprehensive analysis?”

Tim:
Yeah. I always like to look at the strategic initiatives. Each year companies typically will set out their strategic initiatives of what they want to achieve at the C level. I always love to make sure that my solution, that what I’m offering is aligned with those strategic initiatives. And in other words, to gain management buy-in, usually those strategic initiatives include technology. Today, whether that’s refreshing technology that a company already owns, or it is acquiring new technology that they don’t have, or it’s updating technology, but you have to look at the technology. So you have to look at the strategic initiatives, look at the technology that you have, or you’re going to acquire. You have to look at the people. Do I have people that are qualified to run that technology, or do I need to get them trained?

Tim:
Do I need to get them? Do I need to acquire? What is necessary in order for me to get the return out of my security investment that I’m putting in that technology? And then where does security actually come from, the foundation? Today, I love to use GDPR as an example, but GDPR talks about security by design and default. And for those that aren’t familiar with GDPR, it’s the latest regulatory compliance initiative coming over from the EU to protect personally identifiable information of the EU citizens. And so, I mean, it has really, really big teeth, meaning that if you’re found at fault, there’s some incredibly large, significant fines. And I want to understand what my strategic initiatives are at the management level.

Tim:
And then I want to make sure that what I’m offering plays into that. So I would offer to the audience to say, look at what your company’s strategic initiatives are at the C-level, and align your product pitches to that, align your business strategy. There’s a lot of tools out there that can help, FireMon is definitely one of these solutions where you definitely get a return back on your investment very quickly, by giving you that greater visibility. And it’s not just a dollar return, although you get a dollar return on the investment, but the huge dividend, the huge payback, is on the enhancement of your security posture.

Randy Franklin:
Right.

Keith:
So Tim was being very political there and giving the correct answer, but at the end of the day, ROI definitely matters. I was a CSO in a past life, did that. And I know anytime I could come with a return on investment, anything regarding security, they almost always accepted it. And that’s one of the things that FireMon is great at. So we had a report commissioned by the Aberdeen Group, and they looked at the return on investment of our customers. Some customers, depending upon level of adoption, had a full ROI within their first year, with 50% experiencing ROI within 18 months.

Keith:
So that’s actually a great selling point, because if your bosses, they have to go to the board and ask for money, to prove that this has an actual payout while ensuring that you are increasing your security posture, I mean, it’s a win-win for everybody, and stuff like that tends to actually really, truly slide through board meetings fairly easily.

Randy Franklin:
Yeah. And I guess what we’ll do in the follow-up, if it’s okay with you guys, is maybe include some links to some other FireMon videos. Because I think we really demonstrated ROI well in those, in terms of just the sheer number of rules that have to be managed, and figuring out which ones aren’t needed, and how that can speed up the actual performance of your network, right?

Tim:
It can. If you can remove what we call “the bloat.” There’s always, and I say this a lot too, there’s an inherent amount of complexity in any good security implementation. That’s not what we take exception with. What we take exception to is the unnecessary complexity that creeps into our security infrastructures over time, that can just cost us dearly. It costs us in terms of risk. It costs us in terms of efficiency and productivity of our teams, and not to use the breach word, but the last thing we want to happen is a breach, and we become a headline in the Wall Street Journal. So removing that complexity, reducing that unnecessary complexity across our security infrastructure should be at the top of everybody’s list, if it’s not already a strategic initiative.

Randy Franklin:
All right, super. Let’s see here. Another question is… Trying to comprehend one of them here, “My query is if I want to collect the software as a service application logs in my on-premises SIEM, what would be the process of firewall configuration?” Yeah. That’s a question for another day. Let’s see, I think I had another question from Barry and that is he’s just wondering, “What problems do you hear most from your clients? Because we’re interested in seeing if that corresponds to what we’d be bringing to you as something we need a solution for.” So what problems do you hear most from your clients?

Tim:
I’ll let Keith, he’s hands-on in the field every single day, but what I hear the most is we purchase these different security things in the past, or we’re getting ready to upgrade some of the security things that we have today, whether it’s point solutions or a security management tool, but I don’t have confidence. I don’t know that I’m getting the return back on my security investment. I don’t have visibility to understand, “How do I quantify that I’m actually improving my security posture?” That’s the biggest thing I hear is, yes, we believe that complexity is going up in our environment. Yes, we see the fact that we have more rules than we have people to manage. And that’s affecting us from a security. Yes, we see that people are taking responsibility for their own security in the cloud.

Tim:
And that’s not necessarily something that we want, but we haven’t found a way to prevent it right now, or to actually honor what it is that they need. And so we have all these dynamics that are taking place across the different lines of business and things like that. How do I get my arms back around it? How does security become a collaborative within my environment, as opposed to being a blocker? How do I once again make security an enabler, and make sure that we’re doing the right things to ensure the integrity of our security infrastructure? Whether that’s global in nature or spread out over different cloud environments, how do I ensure consistency of my security configurations? The number one thing I hear is lack of visibility. Lack of visibility and growing complexity, how do I get my arms back around there?

Tim:
I had my best people doing some of the most mundane tasks or most repetitive tasks. I need them to get back into the job of security, not just access control, not just granting access for this or that. And running around trying to honor these change requests that are coming in everyday, sometimes 25, 30, or hundreds of change requests coming in. How do I get back into ensuring that I have a very healthy security posture, that I’m applying the right security hygiene to my security environment?

Keith:
Yeah. And just to take it a step further, and right in line with this webinar today, I have a customer in mind that is a major retailer, a household name for everybody, and they are basically doing a forklift migration of their data centers into Azure, right? So I literally got a call from them. “It is the wild, Wild West out here. Help me see what’s going on.” And so we quickly installed, and they had visibility into what was going on. And they’ve already discovered several disasters in the making, and really where the disasters in the making end up impacting them is either through a very poor security posture that leads to a breach, or a failure in compliance. All of a sudden, now they’re being fined by PCI, or something else going on like that. Tim mentioned the word several times, visibility.

Keith:
I’ll also mention it; it is the first and foremost use case, knowing exactly what’s going on in your environment, but then there’s a second use case. And Tim hit on this a little bit more, around operational savings around automating mundane processes, letting the system go and handle provisioning of access as deemed appropriate by the organization, et cetera. And there are huge savings to be had there, because I think we all know for the most part, at least some of us who do touch into security, that right now there’s negative 10% unemployment in information security. So for every 10 jobs, there’s nine people to fill them. And so that makes, first of all, wages very good for people who are information security practitioners, but also means that there are unfilled positions.

Keith:
So anything you can automate, anything you could do to relieve the burden on individuals is huge from both an economic savings perspective, and also from a security posture perspective.

Tim:
It is. And I’ll say it again. I said it earlier, and I’ll say it again. We have the unique pleasure of working with some of the brightest security minds on the planet. And I learned something, seems like I learn something new every single week, and it’s not that they don’t know what to do, it’s having the tools and the time to do it. Pure and simple.

Randy Franklin:
Good point. And that’s a good place to end on right there. The amount of time that you could save in security expert hours alone by not having to mess with firewall rules, could easily pay for your solution. So there’s your ROI, and that’s our time for today as well. Listen, guys, thank you very much for sponsoring today’s real training for free. And folks, we’ll be back in touch with you again soon. Take care for now. And thanks for spending time with us. Bye-bye.
