I'm trying to understand the value of stateless firewalls in public cloud platforms like Network Access Control Lists (NACL) in Amazon Web Services (AWS). I think I know a few ways I can use them, but I'm not sure about the actual value in terms of security.

AWS already has security groups - which are stateful - with which I can restrict what source CIDR can access what port in a compute instance. I know NACL can be used to secure an entire subnet. Apart from sheer convenience, is there any other valid use case for stateless firewalls in cloud platforms that can't be achieved with stateful firewalls like Security Groups?

This question arose because I found that Google Cloud Platform and Azure Cloud don't seem to have stateless firewall services. GCP has cloud armor security policies which look similar to AWS NACL but they seem to apply only to HTTP load balancers.

eternaltyro
  • Stateful services typically require more processing power - which for cloud service providers results in higher costs. Not sure if it adds up, but a stateless firewall might be beneficial to do the gross filtering - and then stateful inspection for the 'finetuning' or application level inspection. – Stef Heylen Sep 24 '18 at 11:01
  • Your second point makes sense. But merely as a user, what advantages do I gain relying on stateless firewalls as opposed to using stateful ones, apart from convenience? – eternaltyro Sep 24 '18 at 12:24

2 Answers


Stateful firewalls are generally pointless in front of public-facing servers, as you are accepting all incoming connections from every address on whatever port. This can be accomplished with a stateless packet filter.

Stateful firewalls are also generally the first component to fall over during a DDoS attack, even before the servers or network links run out of resources.

Finally, stateful firewalls require nasty and brittle “state synchronization” and clustering mechanisms to be highly available. These generally don’t work correctly when needed, and are seldom tested correctly by stateful firewall customers.

In short: cloud providers provide the tools to run high volume public facing Internet services. Stateless packet filters are a critical piece of that puzzle, as stateful firewalls are only useful in low-volume scenarios without multiple network paths.

Evidence: Microsoft, Google, Amazon, Cloudflare etc. do not use stateful firewalls in front of their own public-facing high volume web services. They use router ACLs which are implemented in silicon.

rmalayter
  • Interesting. When I read your rationale it makes sense. Do you have a link to back up your claims in the "Evidence" section? – eternaltyro Oct 02 '18 at 05:43
  • @eternaltyro using ACLs instead of stateful firewalls is pretty common knowledge in the Datacenter networking community. I added one link for Google and will add others as they are encountered – rmalayter Oct 02 '18 at 11:33

Think of the NACL functionality just like you think about ACLs on network equipment. You can use them where you don't have a firewall inline but still want to make sure that only specific traffic can flow to a specific subnet regardless of the compute instances that pop up there. In practice I don't see much use for it today since it becomes unmanageable once you want more than a few specific rules or want to create a more complex policy.

This provides a pretty good comparison.

Igliv
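As an added example that is not from the question or either answer: a small Python model contrasting the stateless evaluation the second answer describes (numbered NACL-style rules, first match wins, implicit deny, and an explicit rule for the reply direction) with a connection-tracking filter whose table fills up under a spoofed SYN flood, which is the failure mode the first answer argues. The addresses, rule numbers, port ranges, packet trace and table limit are all constructed for the example; the code imitates NACL semantics but is not AWS code or an AWS API.

```python
"""Stateless (NACL-style) versus stateful (security-group-style) filtering.
Added example for this page, not AWS code: a model of AWS NACL semantics
(numbered rules evaluated in ascending order, first match wins, implicit deny)
next to a minimal connection-tracking filter, with a constructed TCP trace
replayed through both."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst sport dport")
# number: evaluated in ascending order; cidr: source for inbound, destination
# for outbound; ports: inclusive (low, high) destination-port range.
Rule = namedtuple("Rule", "number action cidr ports")

def evaluate(rules, remote_ip, dport):
    """First matching rule wins; no match means deny (the NACL '*' rule)."""
    for rule in sorted(rules, key=lambda r: r.number):
        in_cidr = ip_address(remote_ip) in ip_network(rule.cidr)
        if in_cidr and rule.ports[0] <= dport <= rule.ports[1]:
            return rule.action == "allow"
    return False

class StatelessAcl:
    """Each packet is judged on its own header and nothing is remembered,
    so the reply direction needs its own explicit rule."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def inbound_allowed(self, p):
        return evaluate(self.inbound, p.src, p.dport)

    def outbound_allowed(self, p):
        return evaluate(self.outbound, p.dst, p.dport)

class StatefulFilter:
    """Inbound allow rules only; replies to an admitted connection pass
    automatically. The price is a finite connection table that grows with
    every admitted SYN."""

    def __init__(self, inbound, max_entries):
        self.inbound, self.max_entries, self.table = inbound, max_entries, set()

    def inbound_allowed(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.table:
            return True
        if not evaluate(self.inbound, p.src, p.dport):
            return False
        if len(self.table) >= self.max_entries:
            return False  # table full: even a legitimate new client is refused
        self.table.add(key)
        return True

    def outbound_allowed(self, p):
        # A reply matches the reversed 4-tuple of a tracked connection.
        return (p.dst, p.dport, p.src, p.sport) in self.table

SERVER = "10.0.1.10"  # constructed address of a public web server in the subnet
ALLOW_443 = Rule(100, "allow", "0.0.0.0/0", (443, 443))
ALLOW_EPHEMERAL = Rule(100, "allow", "0.0.0.0/0", (1024, 65535))

def deny_bad_net(number):
    return Rule(number, "deny", "198.51.100.0/24", (0, 65535))

def web_server_scenario():
    """Which packets of a constructed HTTPS handshake each stateless ACL admits."""
    client = "203.0.113.5"
    syn = Packet(client, SERVER, 51514, 443)      # client -> server port 443
    syn_ack = Packet(SERVER, client, 443, 51514)  # server -> client ephemeral port
    # Mistake: outbound allows only port 443, so the server's SYN-ACK is dropped.
    wrong = StatelessAcl([ALLOW_443], [ALLOW_443])
    # Correct: outbound must allow return traffic to the client's ephemeral range.
    right = StatelessAcl([ALLOW_443], [ALLOW_EPHEMERAL])
    # Ordering gotcha: a deny for one prefix works only if it is numbered lower
    # than the broad allow; numbered after it, the allow matches first.
    bad_client = Packet("198.51.100.7", SERVER, 40000, 443)
    deny_first = StatelessAcl([deny_bad_net(90), ALLOW_443], [ALLOW_EPHEMERAL])
    deny_last = StatelessAcl([ALLOW_443, deny_bad_net(110)], [ALLOW_EPHEMERAL])
    return {
        "missing_ephemeral": (wrong.inbound_allowed(syn), wrong.outbound_allowed(syn_ack)),
        "correct": (right.inbound_allowed(syn), right.outbound_allowed(syn_ack)),
        "deny_numbered_before_allow_blocks": not deny_first.inbound_allowed(bad_client),
        "deny_numbered_after_allow_blocks": not deny_last.inbound_allowed(bad_client),
    }

def syn_flood_scenario(flood_size, table_limit):
    """Spoofed SYNs fill the stateful table; the stateless ACL keeps no state."""
    sg = StatefulFilter([ALLOW_443], max_entries=table_limit)
    nacl = StatelessAcl([ALLOW_443], [ALLOW_EPHEMERAL])
    for i in range(flood_size):  # constructed flood: distinct spoofed sources and ports
        spoofed = Packet(f"198.51.100.{i % 254 + 1}", SERVER, 1024 + i, 443)
        sg.inbound_allowed(spoofed)
        nacl.inbound_allowed(spoofed)
    legit = Packet("203.0.113.5", SERVER, 51514, 443)
    return {
        "stateful_table_size": len(sg.table),
        "stateful_admits_legit": sg.inbound_allowed(legit),
        "stateless_admits_legit": nacl.inbound_allowed(legit),
    }
```

Calling `web_server_scenario()` shows the two things that trip people up with NACLs: the "wrong" ACL admits the client's SYN but drops the server's SYN-ACK because no outbound rule covers the client's ephemeral port, and a deny numbered after the broad allow never fires. Calling `syn_flood_scenario(1000, 500)` shows the other side: after 1000 spoofed SYNs the stateful filter's table is full and a genuine client is refused, while the stateless ACL, which keeps no per-connection state, still admits it. The rule-number ordering and the implicit final deny follow AWS's documented NACL evaluation; the table limit is a constructed stand-in for whatever capacity a real stateful device has.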