A network firewall protects hosted applications and data in a private cloud. It operates as the core of your network security, acts as the access control point for all traffic, and eliminates the risk posed by unknown malicious traffic.
When deciding which network firewall setup to install, you need to make the following decision:
Do you use a (central) stand-alone firewall between your servers (which host your applications and data) and the internet, or do you firewall each server individually, also known as (distributed) host-based firewalling? Or both?
Stand-alone / conventional firewall setup
A conventional central firewall is, in essence, a router, proxy and gateway combined in one system. It sits between a trusted inside network, which it protects, and an untrusted outside network such as the internet. It cannot, however, protect systems on the inside network from attacks launched by other inside systems.
Firewalls are designed to let only traffic authorized by the policy configured in the firewall pass through. Because line speeds keep increasing and firewalls must support ever more computation-intensive protocols, central firewalls also tend to become congestion points.
A central hardware firewall is in many cases expensive, especially as you increase the capacity that has to pass through it. Firewalls can, however, also be delivered as software appliances. One benefit of a software firewall is that you can install a free software firewall on a dedicated or virtual server and so create a cost-effective firewall.
Distributed host-based firewall setup
(Distributed) host-based firewalls filter both outside and inside traffic on each host system, which also helps prevent compromised internal systems from attacking other internal systems. Host-based firewalls are typically software firewalls.
A host-based firewall is less expensive per unit and can be implemented with the firewalling functionality built into the server operating system or with an add-on (software) package. A further benefit is that the firewall policy rule set can be tailored to each host server.
Performance of a host-based firewall is easier to manage as it only needs to protect a portion of the total infrastructure.
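As an added example (not from the original article), the shell function below templates a per-host nftables rule set for a server in a web tier: inbound is limited to the ports the host actually serves plus SSH from a management network, and outbound is limited to the dependencies of that role, so another internal host that is compromised cannot freely reach it and it cannot freely reach others. The management subnet, database host and ports are constructed placeholders to be set per host.

```shell
#!/bin/sh
# Added example: render a host-based nftables policy tailored to one server role.
# Not part of the original article. Addresses and ports below are constructed
# placeholders; each host gets its own values, which is the point of per-host rules.

render_host_ruleset() {
  # $1 = management subnet allowed to reach SSH, $2 = database host this server may use
  mgmt_net="$1"
  db_host="$2"
  cat <<EOF
flush ruleset
table inet host_fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    # Only the services this host actually provides are reachable, from anywhere
    tcp dport { 80, 443 } accept
    # Administration only from the management network, not from other internal hosts
    ip saddr ${mgmt_net} tcp dport 22 accept
    # Everything else, whether from inside or outside, is logged and dropped
    log prefix "host_fw drop in: " drop
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    # Outbound is limited to this role's dependencies: its database, DNS and web (updates)
    ip daddr ${db_host} tcp dport 5432 accept
    udp dport 53 accept
    tcp dport { 80, 443 } accept
    log prefix "host_fw drop out: " drop
  }
}
EOF
}

# Usage on the host (as root): render_host_ruleset 10.0.100.0/24 10.0.20.5 > /etc/nftables.conf
# then load it with: nft -f /etc/nftables.conf
```

The logged drops on both chains are what make east-west scans and unexpected outbound connections from a compromised neighbour visible in the host's logs.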
Evaluating stand-alone and host-based firewalls
The main benefit of a stand-alone firewall setup is ease of central management. A central firewall requires redundancy, because the whole infrastructure depends on it. The price of central firewalls is therefore higher, owing to the need for high performance and redundancy.
The host-based firewall offers many benefits for keeping servers protected. For example, it provides much better protection of systems against other systems within the same network. It is also easier to create tailored firewalling per system and to support high capacity. Moreover, with central management tools for distributed firewalls, the benefit of central management applies to host-based firewalls as well.
The main takeaway
Overall, if you want to keep the applications and data in your private cloud setup secure, it is worthwhile to incorporate host-based software firewalling on your dedicated and virtual servers as part of your network firewall setup. The strongest protection comes from combining host-based and central network-based firewalls (preferably a software-based central firewall). This combination offers more cost-effective security, flexibility and performance.