Tools & Techniques - Cloud Firewalls (DigitalOcean)

My home lab is (probably) typical of most security professionals: a beefy workstation running VMWare workstation, a beefy-ish workstation running ESXi and a bunch of laptops, switches and other devices. I utilise a couple of VPS providers for hosting and exposing VMs to the cloud. My VPS provider of choice has been DigitalOcean for the last couple of years (going by my billing history) and to date, they've been excellent.

They recently introduced and advertised a new service feature called 'Cloud Firewalls' and I had chance to have a play with them today. Essentially, they've incorporated a network level firewall service to their VPS offering which can be used as an alternative or in addition to host-based firewalls like iptables, firewalld, etc. 

Initial Impressions - Pros, Cons and Limitations

Pros

  • No Cost (free!!) - Cloud Firewalls are available at no additional cost.
  • Availability - Cloud Firewalls are available in ever region DigitalOcean operate.
  • Flexibility & Granularity - Rules can span droplets in any region and can be applied by droplet name or tags meaning there is real scope and potential for developing granular, role base policies. 

Limitations

  • There are some limitations. There is a 50 rule limit (outgoing and incoming) per firewall, each firewall can only support 10 droplets and there is a 5 tag limit per firewall.

Cons

  • Each new rule, irrespective of service or protocol,defaults to ALL IPv4 and IPv6...
  • You don't appear to be able to render logs for monitoring or troubleshooting.

Conclusions
If you employ DigitalOcean's VPS servers either to support your org's mission or your own research and endeavours it's worth considering their Cloud Firewall services as a centralised alternative to host-based firewalls. If it suites your purposes you can trivially collapse rules into role-based firewalls and apply these accordingly. If your Devs use VPS for testing and development this might provide you with some additional control or assurances around how exposed this is. 

Popular posts from this blog

PCI-DSS: Your CDE may be getting bigger

WAR GAMES - Simulating Security Incidents