This post compares Azure Network Security Groups (NSGs) and virtual firewall appliances, specifically Checkpoints.
Azure Network Security Groups
Azure Network Security Groups, are the built-in firewalling mechanism in Azure, they allow you to control traffic to your virtual network (VNET) that contains your IaaS VMs (and potentially PaaS infrastructure such as App Service Environments – ASEs).
Network Security Rules are like firewall rule, they consist of
- A name for the rule
- A description
- The direction of the rule e.g. Inbound if it applies to traffic coming into the VNET/subnet or Outbound if it applies to traffic leaving a VNET/subnet
- An action, allow or deny.
- Source address range
- Source port
- Destination address range
- Destination port
The network security rules are then grouped together into NSGs. These NSGs are in turn either applied at the subnet level or to individual Network Interfaces (NICs) associated with VMs.
Even if you have not created any NSGs there are some default built-in system rules, these essentially block all inbound traffic (except from the Azure load balancer), allow all traffic within a VNET and all outbound traffic.
Checkpoint firewall architecture on Azure
Checkpoint firewalls on Azure are virtual machines running the Checkpoint software. However, to make use of Checkpoints you need a number of other Azure services in place. If you also want high-availability then you need a few more.
- Azure VMs (the Checkpoints are deployed from the Azure Marketplace) – two if you want high availability
- Azure Load Balancer (if you’re deploying them in a high availability configuration), with NAT rules
- Azure Route Tables to direct traffic through the Checkpoints
- An Azure AD Application and Service Principal – which is used by the Check to modify the Load Balancer configuration to direct traffic to the correct Checkpoint in the event the primary fails, modify the cluster public IP association and route tables.
|Complexity||Low complexity – simply define rules in the portal, via the Azure PowerShell module or ARM templates.||High – the checkpoints depend on a number of other Azure services. When there are issues it can be difficult to reason about where the problem lies.|
|Cost||Low cost – there is not additional cost to using NSGs||High cost – you pay for the VMs, Checkpoint licensing (including for any blades that you need), Azure Load Balancer, Storage used by the Checkpoint VMs and Public IPs.|
There is no infrastructure to manage
You have to manage the VMs, update/patch the Checkpoint software, route tables and load balancer.
If you have a lot of VNETs and/or on-premise ranges, managing the Route Tables (and static routes on the Checkpoints can be a headache).
|Scalability||Relatively easy to scale
You don’t need to worry about scaling – the only limits you have are around the number of NSGs and rules per NSGs. The only problem is that you can easily hit those limits if you have to implement a default deny rule on outbound traffic and then whitelist Azure IP address ranges [**more on why this is required]
|Difficult to scale
You are limited to two Checkpoints per cluster. In addition, the Checkpoints are in an active-passive configuration so only one can handle traffic the other is sitting idle burning cash.
Furthermore, since you cannot scale out this means the best you can do is scale up.
On the plus side you don’t need to worry about limits on the number of rules so you can easily whitelist the Azure IP ranges.
|Features||NSGs are currently limited to traditional firewall rules. If you want other capabilities such as Web Application Firewall (WAF), you would need to use the WAF capabilities of the Azure Load Balancer.||You can use all the features (blades) that Checkpoints provide such as WAF, IPS etc.|
|Automation||NSGs are highly automatable you can automate the management of such rules via PowerShell and/or ARM templates.||Automating Checkpoint deployments is far more complex since it involves VMs, Load Balancer and Route tables.
Furthermore, when it comes to implementing the rules – as far as I am aware there is no API or PowerShell module for Checkpoints. The closest thing available is a command line tool is dbedit.
|High Availability||Comes for free with NSGs – it’s a distributed service.||HA is far more complex with Checkpoints – and complex systems are harder to make highly available.
The Route Tables and static routes on the Checkpoints can make this a fragile solution.
|Disaster Recovery||Microsoft are effectively responsible for this.
That said you can keep NSGs rules stored in your version control system so should you make a mistake it should be easy to rollback (and identify the breaking change as well as have an audit chain of what was changed)
|There is no DR solution – as while your Checkpoint management servers hold (most of the configuration so you can redeploy the config), in a DR situation if you lose a Checkpoint VM you have to rebuild it and reconfigure the cluster which requires a lot of manual effort (you can automate some of this at least on the Azure side but not everything).|
It should be noted that there have been a number of announcements at Ignite 2017 that will simplify NSG rules such as Application Groups, Service Tags and Augmented Rules.
The two most common reasons I hear why an organisation wants to use Checkpoints (or another virtual firewall appliance for that matter) in place of NSGs are:
Skills: we already use Checkpoints on-premise so it’s easier to manage those from a skills perspective
The way that Checkpoints work in Azure today I think this is a fallacy. While yes it’s true your network, security (or whichever team manages your firewalls on-premise) will be familiar with how to configure rules on Checkpoints there are some fundamental differences, namely they are unlikely to be familiar with:
- Azure AD Applications
- Azure Load Balancer
- Azure Route Tables
- Managing VMs on Azure
Security/features are better with Checkpoints
This is mostly true in the sense that you can bolt on WAF or IDS/IPS capabilities to a Checkpoint and manage this through a “single pane of glass”. NSGs are (currently – I think this will change) more rudimentary in comparison.
That said you are in a sense increasing your attack surface as you must manage the Checkpoint VMs. In addition, because Checkpoints on Azure have so many moving parts in my view it’s far easier to make mistakes and create a vulnerability/security risk. Such as misconfigure your Route Table such that traffic is not filtered by your Checkpoints. In addition, you also must safe guard the Azure AD application credentials (which are stored in cleartext on the Checkpoints) as it is used to modify the route tables, load balancer, public IP associations.
NSGs are hard to troubleshoot as it’s provided as a service
Since Checkpoint rules are typically managed through a management server from a GUI it is believed this makes it easier to troubleshoot issues. This is true in that it’s easier to capture traffic going through the firewall and determine if the firewall is accepting or denying traffic. However, things are not so simple in the real world – if you have issues with return traffic e.g. route tables it becomes far more complex. You can’t easily troubleshoot as you normally would have by installing the Network Watcher on the Checkpoints because they are third party appliances.
NSGs used to be hard to troubleshoot, but now you can setup NSG logs to be stored in Azure Storage, look at the effective security rules applied to NICs to determine if traffic is allowed, use Network Watcher to capture traffic.
I can’t meet audit requirements with NSG
Before the advent of NSG logs and Network Watcher this used to be true but not anymore – with these solutions you can retain NSG logs for audit purposes and to meet other requirements (such as feeding them into a SIEM or IDS/IPS).
You can also export logs (yes this does require more work than it would have with Checkpoints) to your SIEM or log analytics tool, for example NSG logs / Network Watcher data can be fed into Splunk.
This is not to say that Checkpoints on Azure are not a good solution – what I am saying is that you need to understand the trade-offs that you are making in using either NSGs or a virtual firewall appliance such as a Checkpoint.
The idea of perimeter security is slowly giving way to other more modern approaches that involves applying network security not just at your network edge but network security policies that apply at the node (e.g. server, container etc). level. Similar to network security policies available in the containerisation world. In fact, in the cloud this model is makes far more sense than the old perimeter security model.