Oracle Cloud Infrastructure Network Firewall 
By: Date: 27/08/2022 Categories: oci,OracleCloud Tags:

OCI Network Firewall is a cloud-native, managed firewall service that is built using Palo Alto Networks’ next-generation firewall technology (NGFW). It offers machine learning-powered firewall capabilities to protect your OCI workloads and is easy to consume on OCI. As an OCI native firewall-as-a-service offering, OCI Network Firewall enables you to begin to take advantage of the firewall features without the need to configure and manage additional security infrastructure. The OCI Network Firewall instance is highly scalable with built-in high availability and can be created in a virtual cloud network (VCN) and subnet of your choice. The firewall inspects every request including transport layer security (TLS) encrypted traffic that goes through it and enforces an action such as allow, reject, drop, intrusion detection, or prevention based on the user configured firewall policy rules. 

As a stateful network firewall, it takes the direction and context of traffic flows into account to enforce stateful filtering rules for both IPv4 and IPv6 traffic. It also supports application layer security features such as custom URL and fully qualified domain name (FQDN) based filtering, enabling you to restrict traffic to a user-specified list of FQDNs and URLs. The integrated intrusion detection (IDS) and prevention solution (IPS), powered by Palo Alto Networks’ threat analysis engine, provides comprehensive threat prevention and helps detect or block known malware, spyware, vulnerability exploits, and command and control (C2) attacks. OCI Network Firewall is natively integrated with OCI platform services such as logging, metrics and provides you the simplicity of an integrated user experience, single vendor, and billing from a single cloud provider.  It allows you to configure and manage your application, networking, and firewall policies in one place through integrated workflows and permission models. 

create network firewall policy

Flexible Policy and Granular Security Enforcement 

With OCI Network Firewall’s flexible policy enforcement, you can easily apply granular security rules on inbound (north-south), outbound, and lateral (east-west) traffic to your application and network workloads. It can be transparently inserted in the traffic path using virtual cloud network (VCN) routing rules and composed with other network functions such as OCI gateways and VCN subnets for security enforcement in arbitrary network topologies.

Let’s walk through a sample 3-tier application of an e-commerce retailer and how it can be protected from cyber-attacks using the Network Firewall service. In this example, the customer has their e-commerce website, shopping cart and shipping services hosted in Oracle Cloud Infrastructure. Just as legitimate users interact with the e-commerce site, attackers can conduct malicious interactions pretending to be legitimate users. In the topology below, the OCI Network Firewall enforcement on the inbound (north-south) traffic through the internet gateway helps secure the network perimeter and protect against malicious traffic and malware propagation in real time once the policies are configured.

Policy Enforcement

The firewall policy enforcement between the subnets secures the lateral (east-west) application tier to database tier communications and blocks threats from moving laterally between different trust domains. For example, you can enforce policy rules to allow only approved database admins to run SQL transactions against MySQL. Though a lot of emphasis is placed on protecting an application from inbound threats, it is equally important to monitor and restrict the outbound traffic to prevent data exfiltration.

In the above topology, the firewall policy enforcement on the outbound traffic leaving through the NAT gateway helps protect against data exfiltration and other malware attacks. You can configure security rules to only allow outbound traffic to trusted URLs or FQDNs, such as allowing web servers to only reach out to get image updates or allowing connections to a trusted payment gateway URL. Lastly, the Network Firewall’s natively integrated metrics and traffic and threat logs enables you to understand the rules and countermeasures triggered by the incoming requests. The logs also help meet your audit and compliance logging requirements. In summary, the flexible and granular OCI Network Firewall policy enforcement helps protects your application workloads and provides a layered defense against today’s constantly evolving threat landscape. 

Log Events Detail

Refer- oracle network firewall