Full Report
AWS, Microsoft Azure and Google Cloud Platform each scored 0% security effectiveness in CyberRatings.org’s evaluation of cloud network firewall vendors’ ability to prevent exploits and evasions. The post Independent tests show why orgs should use third-party cloud security services appeared first on CyberScoop.
Analysis Summary
# Best Practices: Cloud Network Firewall Security Effectiveness
## Overview
These practices are derived from recent independent testing findings concerning the security effectiveness of Cloud Network Firewalls, focusing on their ability to block prevalent exploits and defend against modern evasion techniques. The guidelines emphasize selecting proven security solutions over potentially expensive but underperforming native cloud offerings or legacy configurations.
## Key Recommendations
### Immediate Actions
1. **Audit Current Cloud Firewall Deployment:** Immediately identify which cloud network firewall solutions (native or third-party) are currently in use across AWS, Azure, and GCP environments.
2. **Prioritize Exploit Blockage:** Focus on vendors known to have high exploit prevention rates (e.g., Fortinet, Check Point, Palo Alto Networks, Versa Networks, Juniper Networks) for critical ingress/egress points, replacing or augmenting poor performers.
3. **Verify HTTPS/TLS Decryption Capability:** For environments utilizing Microsoft Azure native firewalls, immediately investigate and implement mitigation strategies for encrypted traffic, as native Azure firewalls reportedly fail to inspect HTTPS traffic effectively.
### Short-term Improvements (1-3 months)
1. **Deploy Third-Party Solutions for Critical Assets:** Begin migration planning to deploy third-party cloud network firewalls that achieved 99th percentile or 100% effectiveness scores in recent independent testing for high-value workloads.
2. **Implement Evasion Technique Countermeasures:** Review deployment configurations to ensure support for deep packet inspection and application-layer analysis necessary to counter L3-L7 evasion tactics.
3. **Establish Ongoing Validation Process:** Incorporate regular, independent validation testing protocols (similar in principle to the CyberRatings.org methodology) for all deployed cloud network security controls to ensure performance doesn't degrade.
### Long-term Strategy (3+ months)
1. **Standardize on Proven Security Vendors:** Establish a long-term procurement policy prioritizing vendors demonstrating superior, consistent performance across reproducible security, exploit, and evasion tests, irrespective of initial cost projections.
2. **Develop Cloud Security Effectiveness Benchmarks:** Integrate security effectiveness scoring (based on validated testing criteria) as a mandatory prerequisite for deploying any new cloud security technology or significant configuration change.
3. **Invest in Continuous Training on Evasion:** Create a proactive threat intelligence program focused specifically on emerging application-layer evasion techniques and ensure firewall signature sets are updated (or the compensating control is implemented) in real-time.
## Implementation Guidance
### For Small Organizations
- **Opt for Known Performers:** When selecting a cloud firewall solution, immediately favor vendors that achieved top scores (e.g., Fortinet, Check Point) to minimize the configuration burden and maximize out-of-the-box protection.
- **Avoid Over-reliance on Native Tools:** Do not rely solely on the default, native firewall solution provided by the major cloud providers (AWS, Azure, GCP) without overlaying third-party controls, especially for perimeter defense.
### For Medium Organizations
- **Phased Replacement Strategy:** Develop a phased roadmap to replace underperforming firewalls protecting segmented networks or critical applications with solutions validated for high exploit and evasion defense.
- **Focus on Decryption Readiness:** Ensure that any chosen security inspection layer, particularly for ingress/egress points, supports mandatory TLS/SSL decryption capabilities to enforce security policies on encrypted traffic.
### For Large Enterprises
- **Multi-Vendor Strategy for Resilience:** Maintain a diverse set of best-in-class firewall technologies to prevent a single, widespread vulnerability or configuration incompatibility from compromising the entire environment.
- **Mandate Independent Validation:** Require formal documentation referencing independent, standardized security testing results (not just vendor marketing claims) before approving significant cybersecurity expenditures for network perimeter controls.
## Configuration Examples
*Note: Specific configurations are not detailed in the source, but the required *capabilities* are:
1. **Exploit Defense:** Ensure firewall rule bases and associated signatures are configured for maximum depth, actively matching against publicly known, widely used exploit patterns.
2. **Evasion Defense (L3-L7):** Verify that deep packet inspection (DPI), stateful inspection, and application-aware controls are fully enabled to detect traffic manipulation across network layers, including fragmentation or protocol obfuscation.
3. **Mandatory HTTPS Inspection:** For any firewall stack deployed in front of Microsoft Azure or other environments identified as weak on TLS inspection, configure the system to perform active SSL/TLS decryption and re-encryption for inspection purposes.
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Aligns strongly with the **Protect** function (specifically PR.PT: Perimeter Security) by emphasizing the selection of effective foundational defenses.
- **ISO/IEC 27001:** Relates to Control A.13 (Communications Security) and A.14 (System Acquisition, Development, and Maintenance) by demanding robust, proven information system controls.
- **CIS Controls (v8):** Directly maps to **Control 3 (Data Protection)** and **Control 4 (Secure Configuration of Enterprise Assets and Software)** by demanding correct and effective configuration of defensive perimeter technologies.
## Common Pitfalls to Avoid
- **Assuming Cloud Native is Best:** Do not automatically trust that the cloud provider's native firewall offering is adequate, especially when benchmarked against commercial security products; often, performance is significantly weaker.
- **Ignoring Evasion Attacks:** Focusing solely on known exploit signatures is insufficient. Failure to implement controls capable of inspecting encrypted traffic (TLS/SSL) renders primary defenses useless against modern evasion techniques.
- **Vendor Lock-in Based on Cost:** Avoid procurement decisions heavily weighted toward price per megabit/second or initial cloud integration cost if security effectiveness scores are low; the cost of a breach far outweighs initial savings.
- **Inaction on Poor Performance:** If an existing firewall vendor consistently scores very low on exploit prevention (like the 0.59% observed for AWS's solution), immediate remediation action is required, as the product is not fulfilling its core security purpose.
## Resources
- CyberRatings.org Cloud Network Firewall Reports (Consult the latest independent reports for current vendor effectiveness rankings).
- Documentation concerning the SSL/TLS inspection capabilities of your chosen third-party cloud firewall solution.