About Halo Workload Firewalls
What Halo Workload Firewalls Do
CloudPassage Halo automatically deploys, updates, and monitors host-based Windows or Linux firewalls on your cloud server hosts. Host-based firewalls can protect cloud servers and workloads better than a traditional perimeter firewall because each one is tailored to the exact purpose of its workload: a rule set that enforces which hosts may talk to which, on which ports, at each host rather than only at the network edge. With Halo, you design policies that permit the communication your different categories of servers need with one another while denying everything else, so that an attacker who reaches one host cannot freely connect onward to the rest.
Halo workload firewalls also deploy themselves automatically and elastically, as your cloud-server population dynamically grows and shrinks. No hosts are left uncovered and vulnerable to attack.
Halo firewall policies are not limited to IP addresses and ranges; they let you define the allowable sources or destinations of connections in higher-level terms. For example:
- Because cloud providers typically assign arbitrary IP addresses to individual workloads in the cloud, firewall implementation can involve tedious tracking of lists of host addresses. But with Halo these workloads are in named server groups, so you can define high-level firewall policy rules using those group names as connection sources or destinations. Halo then uses those rules to create individual host-based firewall rules, taking care of tracking the IP addresses for you.
- To support the Halo multi-factor network authentication feature, Halo allows you to create firewall policy rules that specify usernames as sources of inbound connections. When such a user authenticates, Halo temporarily updates the appropriate firewall rule, using that user's IP address as the connection source and allowing access.
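To make the two mechanisms above concrete, here is an added illustration (not Halo's own code or data model) of how a policy rule written in group names fans out into per-host IPv4 iptables rules, and how a temporary per-user grant can be expressed. The inventory, group names, hosts, ports and the "mfa-grant" comment tag are all constructed for this example; the functions only render the iptables commands as text rather than applying them, so it runs anywhere.

```shell
#!/bin/sh
# Constructed sample inventory (an assumption, not Halo's data model): "group member-IP" pairs.
INVENTORY='web-servers 10.0.1.10
web-servers 10.0.1.11
db-servers 10.0.2.20'

# members GROUP -> prints the IPv4 addresses of every member of GROUP, one per line.
members() {
  printf '%s\n' "$INVENTORY" | awk -v g="$1" '$1 == g { print $2 }'
}

# render_inbound_rules DEST_GROUP SRC_GROUP PORT
# For every host in DEST_GROUP, emit one iptables command per member of SRC_GROUP
# allowing TCP to PORT. Output lines are "<host-ip> <iptables command>", showing how a
# single group-level policy rule becomes N per-host rules that track member addresses.
render_inbound_rules() {
  dest=$1; src=$2; port=$3
  for host in $(members "$dest"); do
    for peer in $(members "$src"); do
      printf '%s iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$host" "$peer" "$port"
    done
  done
}

# render_user_grant DEST_GROUP USER_IP PORT
# Temporary rule added after a user authenticates: only that user's current source IP,
# inserted at the top of INPUT and tagged with a comment so it can be located and
# removed again when the grant expires.
render_user_grant() {
  dest=$1; ip=$2; port=$3
  for host in $(members "$dest"); do
    printf '%s iptables -I INPUT -p tcp -s %s --dport %s -m comment --comment "mfa-grant" -j ACCEPT\n' "$host" "$ip" "$port"
  done
}

# Usage: let the web tier reach the database tier on 3306, then grant one user SSH.
render_inbound_rules db-servers web-servers 3306
render_user_grant db-servers 203.0.113.7 22
```

If a web server is added to the inventory, re-running the render produces an extra rule on every database host automatically; that regeneration on membership and address change is the work a group-aware policy saves you from doing by hand.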
Setting Up Your Halo Firewalls
You start your Halo workload firewall deployment with a firewall policy—a template listing connection rules for inbound and outbound communication for a given kind of server. You create those rules in the Halo portal using a convenient form, and then save them as a policy.
You then assign the firewall policy to a group of like-purpose servers, such as a web server group, or a database server group.
After that, Halo takes over—it installs individual firewalls based on your policy on all of the servers in the policy's server group. Furthermore, Halo automatically updates all servers with any updates or changes you later make to that policy, or any changes to any of the servers' IP addresses. Halo also automatically deploys new firewalls to any servers that are added to the group in the future, such as through cloning or re-activation.
Once your initial firewall setup is complete, you can track the state of all your firewalls at once from the Halo portal. Update your firewall policies anytime, and Halo will deploy the updates. Set up alerts so that you are notified if any firewall is tampered with.
Note: Halo firewalls currently implement only Internet Protocol version 4 (IPv4) chains in iptables, and IPv4 rules in Windows Firewall. The newer IPv6 protocol is not yet supported; Halo ignores any IPv6 chains or rules, so IPv6 traffic is not governed by a Halo policy at all.
If IPv6 is enabled by default on your workloads and you do not need it, CloudPassage recommends that you disable it, so that your workloads are not left without protection against inbound IPv6 connections. If you do need IPv6, it must be filtered by some other means (for example, an ip6tables default-deny policy) outside of Halo.
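Because an IPv6 listener on a Halo-managed host is reachable regardless of the IPv4 policy, it is worth checking each Linux workload's IPv6 state explicitly. The following is an added check (not part of the original page or of Halo) that classifies a host from two facts: the kernel's `disable_ipv6` flag and the default policy of the ip6tables INPUT chain. The verdict strings and the remediation commands it suggests are this example's own; reading `ip6tables -S` requires root, and the check reports "unknown" rather than guessing when it cannot read it.

```shell
#!/bin/sh
# ipv6_verdict DISABLE_IPV6 INPUT_POLICY
#   DISABLE_IPV6: value of /proc/sys/net/ipv6/conf/all/disable_ipv6 (0 = enabled, 1 = disabled)
#   INPUT_POLICY: default policy of the ip6tables INPUT chain (ACCEPT/DROP), "none" if
#                 ip6tables is not installed, or empty when it could not be read
ipv6_verdict() {
  case "$1:$2" in
    1:*)              echo "ok: IPv6 disabled at the kernel" ;;
    0:DROP)           echo "ok: IPv6 enabled but ip6tables INPUT defaults to DROP" ;;
    0:ACCEPT|0:none)  echo "EXPOSED: IPv6 enabled and nothing drops unmatched IPv6 traffic" ;;
    *)                echo "unknown: could not determine IPv6 state" ;;
  esac
}

# Live readers; each degrades to a value ipv6_verdict understands on hosts without IPv6.
current_disable_flag() {
  f=/proc/sys/net/ipv6/conf/all/disable_ipv6
  if [ -r "$f" ]; then cat "$f"; else echo 1; fi   # no IPv6 sysctl at all: treat as disabled
}
current_input_policy() {
  if command -v ip6tables >/dev/null 2>&1; then
    ip6tables -S INPUT 2>/dev/null | awk '$1 == "-P" { print $3 }'   # empty if not root
  else
    echo none
  fi
}

# remediation_commands: printed, not executed, so the operator can review them first.
remediation_commands() {
  echo 'sysctl -w net.ipv6.conf.all.disable_ipv6=1'
  echo 'sysctl -w net.ipv6.conf.default.disable_ipv6=1'
  echo 'printf "net.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1\n" > /etc/sysctl.d/90-disable-ipv6.conf'
}

verdict=$(ipv6_verdict "$(current_disable_flag)" "$(current_input_policy)")
echo "$verdict"
case "$verdict" in
  EXPOSED*) echo "Suggested remediation (review before running):"; remediation_commands ;;
esac
```

Run it as root on a representative host of each server group; a host that reports EXPOSED has an unfiltered IPv6 path that no Halo IPv4 rule covers. Where IPv6 is required, setting the ip6tables INPUT policy to DROP (with explicit allows) is the alternative to disabling the stack.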