Extend Firewalls to Kubernetes

When deploying microservices to an environment that’s protected by firewalls, it may become necessary to work within the confines of your IT security architecture. For applications that make or accept connections with the Internet, or need to connect to databases, a firewall is typically going to be part of that architecture.

Most security teams are short-staffed and have limited capacity to take on new technologies that understand workload orchestration like Kubernetes. Security controls like firewall rules are based on IP addresses to allow or deny traffic. However, this model begins to break down in the dynamic environment of Kubernetes, where IP addresses are transient, and the static IP approach used in firewalls cannot be applied.

Furthermore, defining a zone-based security architecture in your cluster using a firewall requires routing all service-to-service traffic through the firewall, introducing latency into your application.

Firewall Manager Integration

Universal Firewall Integration

Watch Details Video

Firewall Manager Integration

Firewall managers are used by your security team to manage multiple firewalls from a central pane-of-glass, to secure the network and define access controls.

There are two primary use cases for firewall manager integration:

  1. A zone-based architecture must be implemented and enforced within your Kubernetes cluster, and the firewall team must own the implementation and operations
  2. The security team needs to extend advanced Next-Gen firewall capabilities to your microservices

1. Implementing Zone-Based Security using a Firewall Manager

A zone-based security architecture separates your workloads into different “zones” where workloads with different needs and risk levels reside. The firewall then controls the traffic flow between those zones. For example, the demilitarized (DMZ) zone is where Internet-facing workloads run. To reduce the risk of exposure, those workloads should not be able to connect directly to confidential data resources. Zone-based architectures are often required for compliance purposes.

Calico Enterprise integrates with Fortinet FortiGuard and Palo Alto Panorama to extend those firewall managers to Kubernetes. The firewall manager can be used to create a zone-based architecture for your Kubernetes cluster, and Calico Enterprise will read those firewall rules and translate them into Kubernetes security policies that control traffic between your microservices. The firewall manager can be used to explicitly whitelist which microservices are allowed to traverse zones, providing the network security team the controls they need to maintain compliance.

While a zone-based architecture can be created in Calico Enterprise without the use of a firewall manager, the security teams are often short-staffed, do not have the capacity to take on another tool, and would prefer to use the firewall managers they use for the rest of the datacenter.

2. Extending Next-Gen Firewall Capabilities to Kubernetes

Next-generation firewalls provide advanced security features such as live threat feeds, intrusion detection, and tools used by the security operations center to identify and resolve security incidents.

Tigera has partnered with Fortinet to offer four (4) integrations that extend their next-generation firewall platform to your microservices running on Kubernetes.

  • FortiManager Calico Kubernetes Controller: Manage Calico Enterprise and Calico Cloud security policies directly from the FortiManager platform.
  • FortiGate Calico Kubernetes Controller: Calico Enterprise and Calico Cloud dynamically populate source IPs from your microservices to FortiManager address object groups. FortiGate next-generation firewalls (NGFWs) can then control egress from your microservices to destinations outside the cluster.
  • FortiGuard Threat Feed Integration: Calico Enterprise and Calico Cloud ingest threat data from the real-time threat intelligence database from FortiGuard Labs, and block any malicious traffic to or from identified endpoints.
  • Calico FortiSIEM Plugin: Calico Enterprise and Calico Cloud append FortiSIEM telemetry with Kubernetes-specific context that provides deeper visibility for security operations teams to respond to security incidents identified within your microservices.

Universal Firewall Integration

Calico Enterprise and Calico Cloud provide universal firewall integration through the Calico Egress Gateway. The Calico Egress Gateway assigns a fixed IP address to any Kubernetes namespace (Egress IP Namespace). Calico Enterprise and Calico Cloud will SNAT all traffic leaving the cluster from that namespace. You can now use the fixed Egress IP as the application identity for your microservice and open firewall rules based on that IP. As your microservices scale up and back, you can run as many replicas as needed without the need to open an additional firewall rule per replica.

Watch Product Details Video


📣 Read our new O'Reilly eBook on Kubernetes Security and ObservabilityLearn more >>>