Extend Firewalls to Kubernetes

Extend your existing firewall manager and zone-based architecture to Kubernetes


Overview

When deploying microservices to an environment that is protected by firewalls, it may become necessary to work within the confines of your IT security architecture. For applications that make or accept connections with the internet, or need to connect to databases, a firewall is typically going to be part of that architecture.

Most security teams are short-staffed and have limited capacity to take on new technologies that understand workload orchestration like Kubernetes. Security controls like firewall rules are based on IP addresses to allow or deny traffic. However, this model begins to break down in the dynamic environment of Kubernetes, where IP addresses are transient, and the static IP approach used in firewalls cannot be applied.

Furthermore, defining a zone-based security architecture in your cluster using a firewall requires routing all service-to-service traffic through the firewall, introducing latency into your application.

Benefits

Enforce zone-based security in Kubernetes

Enables next-generation firewall (NGFW) managers to implement and enforce a zone-based security architecture in Kubernetes

Maintain enterprise security posture

Enables organizations migrating to Kubernetes architectures to maintain their security posture and ensure the successful adoption of the Kubernetes platform throughout the enterprise

Leverage existing infrastructure and processes

Enables enterprise security teams to leverage familiar, existing firewall tools, processes, and architecture, thereby simplifying and facilitating Kubernetes adoption and deployment

Key Features

Firewall Manager Integration

Firewall managers are used by your security team to manage multiple firewalls from a central pane of glass, to secure the network and define access controls.

There are two primary use cases for firewall manager integration:

  • A zone-based architecture must be implemented and enforced within your Kubernetes cluster, and the firewall team must own the implementation and operations.
  • The security team needs to extend advanced NGFW capabilities to your microservices.

Implementing Zone-Based Security using a Firewall Manager

A zone-based security architecture separates your workloads into different “zones” where workloads with different needs and risk levels reside. The firewall then controls the traffic flow between those zones. For example, the demilitarized zone (DMZ) is where internet-facing workloads run. To reduce the risk of exposure, those workloads should not be able to connect directly to confidential data resources. Zone-based architectures are often required for compliance purposes.

Calico Enterprise integrates with Fortinet FortiGuard and Palo Alto Panorama to extend those firewall managers to Kubernetes. The firewall manager can be used to create a zone-based architecture for your Kubernetes cluster, and Calico Enterprise will read those firewall rules and translate them into Kubernetes security policies that control traffic between your microservices. The firewall manager can be used to explicitly define which microservices are allowed to traverse zones, providing the network security team the controls they need to maintain compliance.

While a zone-based architecture can be created in Calico Enterprise without the use of a firewall manager, security teams are often short-staffed, do not have the capacity to take on another tool, and would prefer to use the firewall managers they use for the rest of the data center.
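As an added illustration (not Calico Enterprise's own code), here is the translation step described above: a handful of zone-to-zone rules, in the shape a firewall team would author them, turned into Kubernetes NetworkPolicy objects that default-deny ingress in every namespace and re-open only the permitted flows. The `zone` namespace label, the rule shape and the sample zones are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional
ZONE_LABEL = "zone"  # assumed: each namespace carries a label naming its zone

@dataclass(frozen=True)
class ZoneRule:
    """One firewall-manager rule: allow TCP from src_zone to dst_zone on port."""
    src_zone: str
    dst_zone: str
    port: int
    app: Optional[str] = None  # pod label "app" of the allowed client; None = any pod in src_zone

def policies_for(namespaces: dict, rules: list) -> list:
    """namespaces maps namespace -> zone. Each namespace gets a NetworkPolicy that
    default-denies ingress and re-opens only what the firewall rules allow."""
    out = []
    for ns, zone in namespaces.items():
        ingress = []
        for r in rules:
            if r.dst_zone != zone:
                continue
            # namespaceSelector and podSelector in one peer are ANDed by Kubernetes
            peer = {"namespaceSelector": {"matchLabels": {ZONE_LABEL: r.src_zone}}}
            if r.app:
                peer["podSelector"] = {"matchLabels": {"app": r.app}}
            ingress.append({"from": [peer], "ports": [{"protocol": "TCP", "port": r.port}]})
        out.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"zone-{zone}-ingress", "namespace": ns},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": ingress},
        })
    return out

def ingress_allowed(policy: dict, src_zone: str, src_app: str, port: int) -> bool:
    """Evaluate a generated policy for one TCP flow; an empty ingress list is default deny."""
    for rule in policy["spec"]["ingress"]:
        if not any(p["port"] == port for p in rule["ports"]):
            continue
        for peer in rule["from"]:
            if peer["namespaceSelector"]["matchLabels"][ZONE_LABEL] != src_zone:
                continue
            want_app = peer.get("podSelector", {}).get("matchLabels", {}).get("app")
            if want_app is None or want_app == src_app:
                return True
    return False

NAMESPACES = {"web": "dmz", "api": "app", "db": "confidential"}  # constructed sample zones
RULES = [ZoneRule("dmz", "app", 8080), ZoneRule("app", "confidential", 5432, app="orders")]
POLICIES = {p["metadata"]["namespace"]: p for p in policies_for(NAMESPACES, RULES)}
```

With these sample rules the DMZ namespace can reach the app tier on 8080, only the `orders` pods in the app zone can reach the database on 5432, and nothing in the DMZ can reach confidential data directly.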

Extending Next-Generation Firewall Rules to Kubernetes

Next-generation firewalls provide advanced security features such as live threat feeds, intrusion detection, and tools used by the security operations center (SOC) to identify and resolve security incidents. Tigera has partnered with Fortinet to offer four integrations that extend their NGFW platform to your microservices running on Kubernetes.

  • FortiManager Calico Kubernetes Controller: Manage Calico Enterprise and Calico Cloud security policies directly from the FortiManager platform.
  • FortiGate Calico Kubernetes Controller: Calico Enterprise and Calico Cloud dynamically populate source IPs from your microservices to FortiManager address object groups. FortiGate NGFWs can then control egress from your microservices to destinations outside the cluster.
  • FortiGuard Threat Feed Integration: Calico Enterprise and Calico Cloud ingest threat data from the real-time threat intelligence database from FortiGuard Labs, and block any malicious traffic to or from identified endpoints.
  • Calico FortiSIEM Plugin: Calico Enterprise and Calico Cloud enrich FortiSIEM telemetry with Kubernetes-specific context, giving security operations teams deeper visibility when responding to security incidents identified within your microservices.

Universal Firewall Integration

Calico Enterprise and Calico Cloud provide universal firewall integration through the Calico Egress Gateway. The Calico Egress Gateway assigns a fixed IP address to any Kubernetes namespace (Egress IP Namespace). In Calico Enterprise and Calico Cloud, all traffic leaving the cluster from that namespace undergoes source network address translation (SNAT) to that address. You can then use the fixed egress IP as the application identity for your microservice and open firewall rules based on that IP. As your microservices scale up and down, you can run as many replicas as needed without opening an additional firewall rule per replica.

