Throw away your firewalls!!


I usually install firewall appliances with UTM (Unified Threat Management) features to protect our customers' networks and information against viruses, malicious websites, spam, attacks, etc. Most of these firewalls are installed at the perimeter of the network, and most of them have VPN capabilities as well. Therefore, SSL VPN or IPsec VPN is used to connect to the organization from untrusted networks like coffee shops, airports, hotels, etc. Actually, this is a good way to give remote users access to internal services.

However, Google wants to break the schemas, architecture and design that we are used to seeing with a new concept called BeyondCorp. They are working with a new approach to enterprise security where everything is untrusted, also called Zero Trust, and where access controls are shifted from the perimeter to individual devices and users, allowing employees to work securely from any location without the need for a traditional VPN. As a result, employees don’t have to install any VPN client, which is a great benefit, and internal services are no longer internal services: they are accessible from any location, even from the Internet.

BeyondCorp components and access flow
 
As we can see, this new approach has many components. As it trusts individual devices and users instead of networks, there are two important databases, the device inventory database and the user/group database, where trustworthy users and devices are stored. However, the trust of a user or device can change over time: for example, if the device doesn’t have the latest OS patch applied, doesn’t have the latest antivirus signatures, or its certificate is on the blacklist, that device is no longer trustworthy and it’s moved to the untrusted network. All of these tasks are done by the trust inference component, the certificate issuer and the pipeline. On the other hand, the access control engine, along with the access proxy, provides service-level authorization to enterprise applications on a per-request basis. This new security model also has a RADIUS component to move users and devices from one VLAN to another inside Google buildings, and a Single Sign-On component for user authentication to all applications.
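As an added illustration (not Google's code and not from the original post), the following Python sketch models the flow just described: trust inference derives a device tier from inventory attributes (patch level, antivirus signatures, certificate blacklist), and an access control engine then makes a per-request, service-level decision as the access proxy would. All names, thresholds and sample records are constructed assumptions.

```python
# Constructed stand-ins for the BeyondCorp databases (hypothetical values).
REQUIRED_OS_PATCH = "2024-05"   # assumed "latest OS patch" level (YYYY-MM, sortable)
REQUIRED_AV_SIGS = 1200         # assumed latest antivirus signature version
CERT_BLACKLIST = {"cert-0003"}  # certificates revoked by the certificate issuer

DEVICE_INVENTORY = {
    "laptop-1": {"os_patch": "2024-05", "av_sigs": 1200, "cert": "cert-0001"},
    "laptop-2": {"os_patch": "2024-03", "av_sigs": 1200, "cert": "cert-0002"},  # stale patch
    "laptop-3": {"os_patch": "2024-05", "av_sigs": 1200, "cert": "cert-0003"},  # revoked cert
}
USER_GROUPS = {"alice": {"eng"}, "bob": {"sales"}}

# Service-level policy enforced per request at the access proxy:
# service -> (required group or None for any user, required device trust tier)
SERVICE_POLICY = {
    "codereview": ("eng", "trusted"),
    "moma": (None, "trusted"),
}


def infer_device_trust(device_id):
    """Trust inference: derive a trust tier from the device inventory record.

    A device missing from the inventory, carrying a blacklisted certificate,
    or behind on OS patches or antivirus signatures is demoted to "untrusted".
    """
    dev = DEVICE_INVENTORY.get(device_id)
    if dev is None or dev["cert"] in CERT_BLACKLIST:
        return "untrusted"
    if dev["os_patch"] < REQUIRED_OS_PATCH or dev["av_sigs"] < REQUIRED_AV_SIGS:
        return "untrusted"
    return "trusted"


def authorize(user, device_id, service):
    """Access control engine: per-request decision, returns (allowed, reason)."""
    if service not in SERVICE_POLICY:
        return False, "unknown service"
    if user not in USER_GROUPS:
        return False, "unknown user"
    required_group, required_tier = SERVICE_POLICY[service]
    device_tier = infer_device_trust(device_id)   # re-evaluated on every request
    if device_tier != required_tier:
        return False, f"device tier {device_tier}"
    if required_group is not None and required_group not in USER_GROUPS[user]:
        return False, f"user not in {required_group}"
    return True, "ok"
```

Because the device tier is recomputed on every request, a device whose certificate lands on the blacklist loses access on its next request without any network change.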

This new security approach of protecting our corporate security perimeter without firewalls has to publish all our internal services to the Internet. As we can see, Google has resources like the codereview.corp.google.com domain name registered in public DNS with a CNAME pointing to the access proxy:

DNS Intranet resources

Moma is the intranet for Google employees, and lots of its resources are accessible from the Internet through the access proxy with BeyondCorp:

MOMA Single Sign-On

From my point of view, firewalls aren’t going to disappear yet, but we’ll move to a 4th generation of firewalls where we’ll easily configure firewall policies by users and devices instead of by networks, because every location and network will be untrusted. In addition, we’ll have better integration between all IT devices (servers, desktops, databases, WiFi, switches, mail, web, firewall, etc.) for better security protection, as Fortinet is doing with its Fortinet Security Fabric.

Regards, my friends, and remember: the world is changing very fast, and IT security along with it.
