Security & Identity

Google Cloud Firewall capabilities to enhance your security posture and simplify configuration

February 8, 2023
Tracy Jiang

Product Manager

Faye Feng

Product Manager


Google Cloud Firewall is a scalable, built-in service with advanced protection capabilities that helps you strengthen and simplify your security posture and implement zero trust networking for cloud workloads. Its fully distributed architecture provides micro-segmentation and granular control independent of network structure.

Our architectural approach offers several advantages over running firewall appliances as instances in the network path: a simpler network architecture, since policies follow the workload; more precise policy enforcement through Identity and Access Management (IAM)-governed tags; lower operating costs, because the firewall is a managed cloud service; and protection tailored to your Google Cloud workloads through threat intelligence integration.

We announced several significant enhancements and expansions to our Cloud Firewall offering at Google Cloud Next in October 2022, available in two new tiers: Essentials, the foundational set of capabilities, and Standard, which expands rule capabilities. These features can now be configured through the Cloud Console, the gcloud command-line interface, and the API.

In Standard we introduced three new kinds of rule objects: Google Cloud Threat Intelligence lists, domain name (FQDN) based objects, and geo-location based objects.

In Essentials we introduced global and regional network firewall policies, IAM-governed tags, and address groups.

Cloud Firewall Standard

Cloud Firewall Standard capabilities enhance your network security posture while simplifying policy configuration and maintenance. The Standard tier adds source and destination objects for rules that are dynamic, built in, and automatically updated by Google, so you get scalable protection without maintaining the underlying address lists yourself.

Google Cloud Threat Intelligence 

Drive better threat prevention with high-quality, out-of-the-box address lists curated, built, and maintained by Google Cloud Threat Intelligence researchers, based on Google's collective insight into and investigations of Internet-based threats. These regularly updated lists are available as source and destination objects that can be used in our network security products, which today include Cloud Firewall and Cloud Armor.

This lets the firewall, for example, block traffic from known malicious IPs and Tor exit nodes, or allow traffic from sources such as search engine crawlers, public clouds, and upstream providers (such as third-party CDN services). We continually update our threat intelligence and plan to add more types of IP lists over time.

Domain Name (FQDN) based objects 

With domain name (FQDN) based objects, Google Cloud resolves the domain name to its current IP address(es) and keeps the rule in step with them. These objects can be used in rules to allow or block traffic by FQDN instead of by IP address, which is useful where the addresses behind a name change regularly, for example services reached through load balancers or CDNs, and removes the need to chase those changes by hand. The firewall does the resolution itself through the VPC's DNS, so workloads should resolve names the same way; a VM that uses a different resolver may get different addresses and its connections may not match the rule.

Geo-location based objects 

IP address blocks are constantly changing hands around the globe, in and out of companies, ISPs, and countries. Geo-location based objects simplify firewall management by letting you write rules for designated countries without specifying individual IP addresses or ranges. Google builds and auto-updates these lists for you, reducing effort and cost. This simplifies geo-filtering and geo-fencing and supports a region-based, zero trust posture (such as "block all traffic except from a given country").
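As an added example (not code from this post or from Google's documentation), the following Terraform configuration for the google provider shows how the three Standard objects above are referenced from rules in a global network firewall policy: a threat-intelligence deny, a geo-location allow, and an FQDN-based egress allowlist with a default-deny egress behind it. The project, network, policy, rule names, domain, and country codes are hypothetical; the resource and attribute names are the provider's, and the two threat-intelligence list identifiers are the documented names for the lists the text describes (verify them against the current list in the documentation before use).

```hcl
# Added example, not from the post. Terraform google provider syntax.
# project, network, names, domain and countries below are hypothetical.

variable "project" { default = "sec-demo-project" }  # hypothetical
variable "network" { default = "prod-vpc" }          # hypothetical, must exist

data "google_compute_network" "vpc" {
  project = var.project
  name    = var.network
}

resource "google_compute_network_firewall_policy" "edge" {
  project     = var.project
  name        = "edge-policy"
  description = "Standard-tier objects: threat intel, geo, FQDN"
}

# 1. Threat intelligence: drop traffic from the curated lists of known
#    malicious IPs and Tor exit nodes. The lowest priority number wins, so
#    this is evaluated before the allows below. Logging is on so that hits
#    land in Cloud Logging for detection engineering.
resource "google_compute_network_firewall_policy_rule" "deny_threat_intel" {
  project         = var.project
  firewall_policy = google_compute_network_firewall_policy.edge.name
  rule_name       = "deny-known-bad-sources"
  priority        = 100
  direction       = "INGRESS"
  action          = "deny"
  enable_logging  = true
  match {
    src_threat_intelligences = ["iplist-known-malicious-ips", "iplist-tor-exit-nodes"]
    layer4_configs {
      ip_protocol = "all"
    }
  }
}

# 2. Geo-location: only sources that geolocate to these countries reach
#    HTTPS. Everything else falls through to the VPC's implied ingress deny,
#    which is the "block all except a given country" posture.
resource "google_compute_network_firewall_policy_rule" "allow_https_by_region" {
  project         = var.project
  firewall_policy = google_compute_network_firewall_policy.edge.name
  rule_name       = "allow-https-from-us-ca"
  priority        = 200
  direction       = "INGRESS"
  action          = "allow"
  match {
    src_region_codes = ["US", "CA"]  # ISO 3166-1 alpha-2, hypothetical choice
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["443"]
    }
  }
}

# 3. FQDN: egress allowlist by name. The firewall resolves the name, so the
#    rule keeps working when the addresses behind the load balancer rotate.
resource "google_compute_network_firewall_policy_rule" "allow_egress_fqdn" {
  project         = var.project
  firewall_policy = google_compute_network_firewall_policy.edge.name
  rule_name       = "allow-egress-updates"
  priority        = 300
  direction       = "EGRESS"
  action          = "allow"
  match {
    dest_fqdns = ["updates.example.com"]  # hypothetical name
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["443"]
    }
  }
}

# Default-deny egress, so the FQDN allowlist actually constrains something.
resource "google_compute_network_firewall_policy_rule" "deny_other_egress" {
  project         = var.project
  firewall_policy = google_compute_network_firewall_policy.edge.name
  rule_name       = "deny-all-other-egress"
  priority        = 65000
  direction       = "EGRESS"
  action          = "deny"
  enable_logging  = true
  match {
    dest_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "all"
    }
  }
}

resource "google_compute_network_firewall_policy_association" "edge_to_vpc" {
  project           = var.project
  name              = "edge-policy-to-prod-vpc"
  firewall_policy   = google_compute_network_firewall_policy.edge.name
  attachment_target = data.google_compute_network.vpc.id
}
```

Two practical points when adapting this: any other egress your workloads need (Google APIs, package mirrors, logging endpoints) needs its own allow rule numbered below the final deny, and the FQDN rule only matches connections to the addresses the firewall itself resolved, so VMs should resolve names through the VPC's DNS rather than a hard-coded external resolver.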

Cloud Firewall Essentials

Cloud Firewall Essentials includes a foundational set of capabilities for our scalable firewall service, including true east-west and north-south micro-segmentation and granular control of firewall policies applied at each workload. These features help customers more easily reach a zero trust networking posture for workloads in their Google Cloud environment. In such a posture the network infrastructure denies traffic to and from workloads by default, even within a subnet, and forwards only connections explicitly allowed by policy.

"Zero trust networking for workloads in the cloud is a complex use case that has been underserved. Microsegmentation addresses a pain point in that use case through East-West visibility and enforcement. The Google Cloud Firewall product portfolio solves that pain point with its agentless microsegmentation. And the least-privilege, self-service model is valuable because it enables DevOps teams to move faster," said Chris Rodriguez, research director in IDC's Security and Trust research practice.

Global and regional network firewall policies

Previously, we introduced hierarchical firewall policies at the organization and folder levels. Now we are introducing a new policy structure, network firewall policies, which come in two types: global network firewall policies and regional network firewall policies. A network firewall policy is a container for firewall rules. The same network firewall policy can be associated with more than one VPC network, and global network firewall policies apply globally, matching the default global nature of our VPCs. This new structure improves on the previous VPC firewall rules, which belong to a single VPC network and cannot be shared across networks.

"Google Cloud Firewall Essentials and Cloud Firewall Standard provide the necessary capabilities for that additional layer of inherent security required to keep cloud workloads from being exfiltrated and exploited. Having regional and global visibility keeps an organization agile for paradigm shifts from threats. As organizations become 'more' cloud-first with microservice and edge compute, Google Cloud Firewall Essentials and Cloud Firewall Standard will be a critical component," said Alim H. Ali, director of Data Technology Architecture at Accenture's Cloud First practice.

IAM-governed tags

Tags are a newer resource management construct with stronger security properties than network tags. They can be attached to a range of Google Cloud resources, including virtual machine (VM) instances.

The network firewall policy structures are built to integrate with tags as their mechanism for micro-segmentation. Unlike network tags, which any principal able to edit a VM can attach, these tags are IAM-governed (strictly controlled by IAM permissions), so an unauthorized user cannot move a workload into a segment by editing the VM. Tags let you define network firewall policies in terms of logical groupings and delegate management of those groups within your organization with fine-grained authorization controls.

For more details, please see our deep dive blog covering the new best practice of using global and regional network firewall policies with tags, including transition guidance from the previous approach of combining Service Account and network tags. 

Address groups

Creating multiple rules that reference the same set of source or destination IPs is a common task, whether to allow access to different ports or to different subsets of destination hosts. Without a shared object, users must maintain these IP range sets separately in each rule that references them and manually copy and sync the firewall rules when the IPs change. This process is tedious and error-prone, and it leaves you maintaining many near-identical rules.

To address this, we introduced address groups, a collection of IPs or IP range sets. With address groups, you can maintain your own address group at either project or organization level, reuse the same object in multiple different firewall rules, and use it in the new network firewall policies. 

With this enhancement, not only can it be faster and easier to create new rules, but it also helps ensure that the rules stay in sync with one another, and that you can update the IPs for all the rules that call the address group object with a single change to the address group. Furthermore, you can add automation to the Cloud Firewall API to add and remove IP addresses in address groups dynamically when changes occur in the environment without having to change the actual firewall rules, supporting an infrastructure-as-code approach.
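As an added example (not code from this post or from Google's documentation), the following Terraform configuration for the google provider wires the Essentials building blocks together: an IAM-governed tag key and value scoped to firewall use on a VPC, delegated tagging rights, a binding of that tag to a VM, an address group, and a global network firewall policy whose rule allows SSH from the address group only to tagged VMs. The project, organization ID, VPC, VM, group, and CIDR ranges are hypothetical; the resource and attribute names are the provider's.

```hcl
# Added example, not from the post. Terraform google provider syntax.
# project, org, network, zone, VM, group and CIDRs are hypothetical.

variable "project" { default = "sec-demo-project" }  # hypothetical
variable "org_id"  { default = "123456789012" }      # hypothetical
variable "network" { default = "prod-vpc" }          # hypothetical, must exist
variable "zone"    { default = "us-central1-a" }

data "google_project" "cur" { project_id = var.project }

data "google_compute_network" "vpc" {
  project = var.project
  name    = var.network
}

# IAM-governed tag key: purpose GCE_FIREWALL ties it to this VPC so its
# values can be used as firewall rule targets and sources.
resource "google_tags_tag_key" "fw_role" {
  parent       = "organizations/${var.org_id}"
  short_name   = "fw-role"
  purpose      = "GCE_FIREWALL"
  purpose_data = { network = "${var.project}/${var.network}" }
}

resource "google_tags_tag_value" "ssh_target" {
  parent     = google_tags_tag_key.fw_role.id  # "tagKeys/<numeric id>"
  short_name = "ssh-target"
}

# Delegation: only this group may attach the value to resources. Nobody
# else can put a VM into the ssh-target segment, unlike free-form network tags.
resource "google_tags_tag_value_iam_member" "taggers" {
  tag_value = google_tags_tag_value.ssh_target.id
  role      = "roles/resourcemanager.tagUser"
  member    = "group:platform-team@example.com"  # hypothetical
}

# Bind the tag to an existing VM. The binding parent uses the project
# NUMBER and the numeric instance id, not the project or VM name.
data "google_compute_instance" "app" {
  project = var.project
  name    = "app-vm-1"  # hypothetical, must exist
  zone    = var.zone
}

resource "google_tags_location_tag_binding" "app_is_ssh_target" {
  parent    = "//compute.googleapis.com/projects/${data.google_project.cur.number}/zones/${var.zone}/instances/${data.google_compute_instance.app.instance_id}"
  tag_value = google_tags_tag_value.ssh_target.id
  location  = var.zone
}

# Address group: one reusable object instead of copy-pasted CIDR lists.
# Changing the items here updates every rule that references the group.
resource "google_network_security_address_group" "admin_nets" {
  name     = "admin-networks"
  parent   = "projects/${var.project}"
  location = "global"
  type     = "IPV4"
  capacity = 100
  items    = ["10.10.0.0/24", "192.0.2.0/24"]  # hypothetical ranges
}

resource "google_compute_network_firewall_policy" "app" {
  project = var.project
  name    = "app-policy"
}

# Allow SSH only from the admin networks and only to VMs carrying the tag.
# The VPC's implied ingress deny covers everything else, including traffic
# between untagged VMs in the same subnet.
resource "google_compute_network_firewall_policy_rule" "ssh_from_admins" {
  project         = var.project
  firewall_policy = google_compute_network_firewall_policy.app.name
  rule_name       = "allow-ssh-admins-to-tagged"
  priority        = 1000
  direction       = "INGRESS"
  action          = "allow"
  enable_logging  = true
  match {
    src_address_groups = [google_network_security_address_group.admin_nets.id]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["22"]
    }
  }
  target_secure_tags {
    name = google_tags_tag_value.ssh_target.id  # "tagValues/<numeric id>"
  }
}

resource "google_compute_network_firewall_policy_association" "app_to_vpc" {
  project           = var.project
  name              = "app-policy-to-prod-vpc"
  firewall_policy   = google_compute_network_firewall_policy.app.name
  attachment_target = data.google_compute_network.vpc.id
}
```

The design point to notice is the split of duties: the principal who edits address-group items changes who may connect, the principal holding `roles/resourcemanager.tagUser` on the tag value changes which VMs are reachable, and neither needs permission to edit the firewall rule itself. Review both of those grants with the same care as the rule.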

Cloud Firewall Essentials and Standard summarized

[Summary table, image not reproduced. Essentials: global and regional network firewall policies, IAM-governed tags, address groups. Standard: Google Cloud Threat Intelligence lists, domain name (FQDN) based objects, geo-location based objects.]

Features in Cloud Firewall Essentials are available at no additional cost. Features in Cloud Firewall Standard are billed per gigabyte of data evaluated by firewall rules that include the Standard objects.

Take the next steps 

With Cloud Firewall, you can move toward a zero trust network posture for cloud workloads using a scalable, cloud-first, stateful inspection firewall service with advanced protection capabilities. Its fully distributed architecture enables micro-segmentation through granular controls enforced at the VM level with IAM-governed tags, giving policy coverage that applies to workloads regardless of their network architecture. IAM-governed tags, combined with the expanded rule objects in Cloud Firewall Standard, help enable least-privilege, self-service operations.

To learn more, check out the documentation here to activate the features in your cloud environment.
