Today, the enterprise firewall policy model is typically a very simple set of traffic match criteria (the source of the traffic, the destination of the traffic, and the port/protocol of the traffic) paired with a set of possible actions such as permit and deny. This policy model inherently cannot be made aware that the firewall rules it processes exist to support private cloud/automation scenarios, in which hundreds of instances of an application are typically created from the same application template.
Cloud administrators typically have specific security expectations at the time the template instances are deployed. For instance, administrators want to maintain instance isolation, so that application components belonging to different instances do not communicate with each other, even though the instances were created from the same template. Administrators may or may not want different application components belonging to the same instance to be able to communicate with each other by default. Specific rules are typically built on top of an understanding of the existing default policy.
This fundamental mismatch in the firewall policy model results in rule and dynamic group overload. Every time a new instance of the template is created, the automation framework creates additional dynamic groups and firewall rules. These additional objects and rules create scalability and performance issues for the enterprise firewalls. The mismatch also results in rule and dynamic group churn: when every template instantiation results in new rule creation as well as changes to dynamic groups, the management system has to push multiple changes for each instance. This constant churn in the rule tables overwhelms the policy change systems, including the policy publish and audit systems. Propagating a change to the template rules becomes a challenging task, as the change has to be applied to a large number of instances on an instance-by-instance basis.
Another issue is rule management complexity. Firewall operations teams that manage the firewall rules find it challenging to manage and troubleshoot rule tables that grow into tens of thousands of rules. Moreover, as template instances are deleted, their firewall rules also need to be deleted, which in most cases is overlooked by administrators because of the large number of instances being deleted.
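As an added illustration that is not part of the original text, the following Python model emulates an automation framework deploying the same three-tier template repeatedly under a conventional source/destination/port policy model; the component names, ports and VM names are constructed, and the default policy is assumed to be deny. It shows why instance isolation costs one set of dynamic groups and rules per instance, and how many objects a single instance teardown has to find and remove.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed three-tier template: its components and the intra-instance flows each needs.
TEMPLATE_COMPONENTS = ["web", "app", "db"]
TEMPLATE_FLOWS = [("web", "app", 8080), ("app", "db", 5432)]

@dataclass
class Rule:
    src_group: str   # dynamic group name (constructed: "<component>-<instance>")
    dst_group: str
    port: int
    action: str

@dataclass
class Policy:
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group name -> member VMs
    rules: List[Rule] = field(default_factory=list)

def add_instance(policy: Policy, inst: int) -> None:
    """Emulate the automation framework deploying one template instance: one dynamic
    group per component and one permit rule per template flow, all scoped to this instance."""
    for comp in TEMPLATE_COMPONENTS:
        policy.groups[f"{comp}-{inst}"] = {f"{comp}-vm-{inst}"}
    for src, dst, port in TEMPLATE_FLOWS:
        policy.rules.append(Rule(f"{src}-{inst}", f"{dst}-{inst}", port, "permit"))

def build_policy(n_instances: int) -> Policy:
    policy = Policy()
    for inst in range(1, n_instances + 1):
        add_instance(policy, inst)
    return policy

def evaluate(policy: Policy, src_vm: str, dst_vm: str, port: int) -> str:
    """First-match evaluation of the rule table; no match falls through to the assumed
    default deny, which is what actually provides the instance isolation."""
    for r in policy.rules:
        in_src = src_vm in policy.groups.get(r.src_group, set())
        in_dst = dst_vm in policy.groups.get(r.dst_group, set())
        if in_src and in_dst and r.port == port:
            return r.action
    return "deny"

def remove_instance(policy: Policy, inst: int) -> int:
    """Tear down one instance and return how many objects had to be deleted, i.e. the
    cleanup that is easy to overlook when instances are deleted in bulk."""
    inst_groups = {f"{comp}-{inst}" for comp in TEMPLATE_COMPONENTS}
    before = len(policy.groups) + len(policy.rules)
    for name in inst_groups:
        policy.groups.pop(name, None)
    policy.rules = [r for r in policy.rules if r.src_group not in inst_groups]
    return before - len(policy.groups) - len(policy.rules)
```

With 100 instances the table holds 200 rules and 300 groups for what is conceptually two template flows, and deleting one instance means locating and removing five instance-scoped objects.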