Jump to Content
Security & Identity

How we're advancing intelligent automation in network security

November 18, 2020
https://storage.googleapis.com/gweb-cloudblog-publish/images/Google_Blog_Security-identity.max-2600x2600.jpg
Peter Blum

Group Product Manager, Network Security

Sam Lugani

Group Product Manager, Google

We’re always looking to make advanced security easier for enterprises so they can stay focused on their core business. Already this year, we’ve worked to strengthen DDoS protection, talked about some of the largest attacks we have stopped and made firewall defences more effective. We continue to push our pace of security innovation, and today we’re announcing enhancements to existing protections, as well as new capabilities to help customers protect their users, data, and applications in the cloud. 

1. Using machine learning to detect and block DDoS Attacks with Adaptive Protection

We recently talked about how our infrastructure absorbed a 2.54 Tbps DDoS attack, the culmination of a six-month campaign that utilized multiple methods of attack. Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact.

We recognize the scale of potential DDoS attacks can be daunting. By deploying Google Cloud Armor integrated into our Cloud Load Balancing service—which can scale to absorb massive DDoS attacks—you can protect services deployed in Google Cloud, other clouds, or on-premise from attacks. Cloud Armor, our DDoS and WAF-as-a-service, is built using the same technology and infrastructure that powers Google services.

Today, we are excited to announce Cloud Armor Adaptive Protection—a unique technology that leverages years of experience using machine learning to solve security challenges plus deep experience protecting our own user properties against Layer 7 DDoS attacks. We use multiple machine learning models within Adaptive Protection to analyze security signals for each web service to detect potential attacks against web apps and services. 

This system can detect high volume application layer DDoS attacks against your web apps and services and dramatically accelerate time to mitigation. For example, attackers frequently target a high volume of requests against dynamic pages like search results or reports in web apps in order to exhaust server resources to generate the page. When enabled, we learn from a large number of factors and attributes about the traffic arriving at your services so we know what “normal” looks like. We’ll generate an alert if we believe there is a potential attack, taking into account all of the relevant context for your workload. In other words, where traditional threshold based detection mechanisms could generate a great deal of lower confidence alerts that would require investigation and triage only once an attack has accelerated to the detection threshold, Adaptive Protection produces high confidence signals about a potential attack much earlier, while the attack is still ramping up. 

Adaptive Protection won’t just surface the attack, but will actually provide context on why the system felt it was malicious and then provide a rule to mitigate the attack as well. This protection is woven into our cloud fabric and only alerts the operator for more serious issues with context, an attack signature, and a Cloud Armor rule that they can then deploy in preview or blocking mode. Rather than spending hours analysing traffic logs to triage the ongoing attack, application owners and incident responders will have all of the context they need to make a decision on whether and how to stop the potentially malicious traffic. Cloud Armor Adaptive Protection is going to simplify protection in a big way, and will be rolling out to the public in preview soon.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Adaptive_Protection_suggested_rule.max-1500x1500.jpg
Adaptive Protection suggested rule

2. Better firewall rule management with Firewall Insights 

We have been making a number of investments into our network firewall to provide insights and simplify control that allow easier management of more complex environments. Firewall insights helps you optimize your firewall configurations with a number of detection capabilities, including shadowed rule detection to identify firewall rules that have been accidentally shadowed by conflicting rules with higher priorities. In other words, you can automatically detect rules that can’t be reached during firewall rule evaluation due to overlapping rules with higher priorities. 

This helps detect redundant firewall rules, open ports, and IP ranges and help operators to tighten the security boundary. It will also help surface to admins a sudden hit increases on firewall rules and drill down to the source of the traffic to catch an emerging attack.

Within firewall insights you’ll also see metrics reports showing how often your firewall rules are active, including the last time they were hit. This allows security admins to verify that firewall rules are being used in the intended way, ensuring that firewall rules allow or block their intended connections. These insights can operate at massive volume and help remove human errors around firewall rule configuration or simply highlight rules that are no longer needed as an environment changes over time. Firewall insights will be generally available soon.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Firewall_Insights.max-1300x1300.jpg
Firewall Insights

3. Flexible and scalable controls with Hierarchical Firewall Policies

Firewalls are an integral part of almost any IT security plan. With our native, fully distributed firewall technology, Google Cloud aims to provide the highest performance and scalability for all your enterprise workloads.  

Google Cloud’s hierarchical firewall policies, provide new, flexible levels of control so that you can benefit from centralized control at the organization and folder level, while safely delegating more granular control within a project to the project owner. 

Hierarchical firewalls provide a means to enforce firewall rules at the organization and folder levels in the GCP Resource Hierarchy.  This allows security administrators at different levels in the hierarchy to define and deploy consistent firewall rules across a number of projects so that they are applied to all VMs in currently existing and yet-to-be-created projects. 

Hierarchical firewall policies allow configuring rules at the Organization and Folder levels, in addition to firewall rules at the VPC level. Since leveraging Hierarchical Firewalls  requires fewer firewall rules, managing multiple environments becomes simpler and more effective. Further, being able to manage the most critical firewall rules in one place can help free up project level administrators from having to keep up with changing organization wide policies. Hierarchical firewall policies will be generally available soon.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Hierarchical_firewall_policies.max-1200x1200.jpg
Hierarchical firewall policies

4. New controls for Packet Mirroring 

Google Cloud Packet Mirroring allows you to mirror network traffic from your existing Virtual Private Clouds (VPCs) to third party network inspection services. With this service, you can use those third-party tools to collect and inspect network traffic at scale, providing intrusion detection, application performance monitoring, and better security visibility, helping you with the security and compliance of workloads running in Compute Engine and Google Kubernetes Engine (GKE). 

We are adding new filters to mirror packets that will be generally available soon. With traffic direction control, you can now mirror either the ingress or egress traffic, helping users better manage their traffic volume and reduce costs.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Traffic_Direction.max-900x900.jpg
Traffic Direction: New Ingress & Egress controls for Packet Mirroring

With these enhancements, we are helping Google Cloud customers stay safe when using our network security products. For a hands-on experience on our Network Security portfolio, you can enroll in our network security labs here. You can also learn more about Google Cloud security in the latest installment of Google Cloud Security Talks, live today.

Posted in