Log inSign up

How effective are the Cloud Service Provider (CSP) native cloud firewall offerings?

Mini-Test Overview

Introduction

In today’s cloud-centric environment, businesses often face a critical choice regarding the security of their cloud infrastructure. They can rely on firewalls offered directly by Cloud Service Providers (CSPs) or use independent security vendor firewall offerings typically available through the respective CSP’s marketplace.

Multiple factors influence this decision, including integration, billing convenience, security capabilities, operational needs, and cost. Security effectiveness is a crucial factor in selecting the right firewall solution, as it directly impacts the organization’s ability to protect against cyber threats. This makes objective testing essential to ensure firewalls are protecting as expected.

Background

In April 2024, we published the results of our annual Cloud Network Firewall test. In that test, the AWS Network Firewall exhibited a mere 5.39% Security Effectiveness score, the lowest result in our comparison. At that time, it was also the only CSP native firewall under test. That extremely low Security Effectiveness score was not considered to meet any reasonably acceptable standard, and it was concerning enough that we decided to re evaluate AWS’ offering six months later to see if any improvements might have been made.

For this round, we expanded our testing to include Microsoft Azure Firewall and Google Cloud Platform (GCP) Cloud NGFW. Combined, the “Big Three” now account for two-thirds of the growing cloud market, estimated to have an annualized run rate of a $300-billion market growing at 21% and is expected to “double in size in the next four years.” 1

This testing was conducted as part one of a two-part series examining cloud network firewalls. The firewalls were tested against an array of exploits using Keysight’s CyPerf v5.0 software testing platform, offering an evidence-based look at how well these native solutions withstand real-world security threats. We chose Keysight’s CyPerf testing tool so that enterprises could easily replicate our results. This first phase provides end-users with insights into the effectiveness of CSP native firewall offerings across three CSPs, helping organizations understand each CSP’s security offerings and capabilities. These findings also set the stage for part two, which will feature a series of upcoming tests evaluating cloud network firewall solutions from select industry leading vendors. Together, these two phases will enable organizations to compare firewalls based on tested effectiveness, helping them make well-informed decisions when selecting the most appropriate firewall solution for their cloud environment.

Part 2 testing of third-party vendor cloud network firewall offerings is scheduled for publication in Q1 of 2025.

Key Findings

  • Protection ranged from 0.38% to 50.57% for security effectiveness.
  • Based on the results, Security Effectiveness varies significantly between Amazon, Microsoft, and Google, while remaining low overall.
  • Enterprises may be accepting reduced security effectiveness when choosing a CSP native firewall over a third-party firewall.

Recommendations

  • Organizations using CSP native firewall solutions should scrutinize whether the performance exhibited by these offerings will meet their needs.
  • Customers considering CSP native firewalls should gather as much testing and data as possible on their effectiveness to understand whether the offerings align with their needs.

Test Topology

For this test, we employed 522 attacks (exploits), focusing on exploit types that target servers and are typically relevant to cloud workload deployments.

We used exploits from the last ten years, focusing on attacks with a severity of medium or higher. The attacks used included those targeting enterprise applications that businesses may be running and that could potentially be migrated to a cloud platform. This set included attacks targeting Apache, HPE, Joomla, Cisco, Microsoft, Oracle, PHP, VMware, WordPress, and Zoho ManageEngine.

This part one test was not intended to be a comprehensive security evaluation of the vendor platforms’ full capabilities or overall effectiveness. Instead, it focused on the exploit protection delivered by vendors for the set of vulnerabilities tested. The results of this particular test should not be construed as representative of the overall effectiveness or capabilities of the firewall platforms tested.

The figure below shows the testing topology.

1. Amazon Maintains Cloud Lead as Microsoft Edges Closer

Results & Observations

Results

As can be seen in the table below, AWS only blocked two of the exploits tested; Azure did significantly better (still very low based on industry norms), blocking 126 exploits, and GCP blocked 264 out of 522 exploits.

Exploit Testing AWS
Network Firewall		 Microsoft Azure
Firewall Premium		 Google Cloud
NGFW Enterprise Firewall
Number of Exploits 522 522 522
Number of Blocked Exploits 2 126 264
Number of Missed Exploits 520 396 258
Exploit Block Rate 0.38% 24.14% 50.57%

AWS Network Firewall

  • Usability: It was easy to deploy using the provided instructions and documentation.
  • Protection: AWS uses open-source Suricata rulesets, which allow the admin to view, edit, and add signatures. By default, many of the preconfigured signatures rely on basic regular expressions. As of October 2024, the ruleset contained over 21,500 preconfigured rules.
    • Many of these signatures provide essential protection for home and small office environments but are not designed for cloud or server workloads.
    • Approximately 10% of the rules protect web browsers.
    • Around 17,500 rules monitor outbound connections (post-infection).
    • Only about 4,000 rules focus on inbound traffic.
    • Most signatures do not contain CVE information, making assessing coverage against known vulnerabilities challenging.
  • Security Effectiveness: The block rate was low at 0.38%.
  • Monitoring & Logging: For AWS Network Firewall, multiple steps are required for logging and monitoring:
    • Enable logging (both flow and alert logs)
    • Forward logging output to one or more AWS services (CloudWatch, S3 Storage)
    • Analyze the logs (in JSON format) or export them to multiple formats.

Microsoft Azure Firewall Premium

  • Usability: It was easy to deploy using the provided instructions and documentation.
  • Protection: Microsoft Azure Firewall Premium uses Microsoft’s closed-source signatures. As of October 2024, its ruleset contained over 67,000 rules in over 50 categories.
  • Security Effectiveness: The block rate was 24.14%
  • Monitoring & Logging: Logging configuration in Microsoft Azure Firewall Premium requires multiple steps:
    1. Enable logging.
    2. Logs are forwarded to NetWatcher, which is another service in Azure.
    3. Logs can then be analyzed in multiple formats.

Google Cloud NGFW Enterprise Firewall

  • Usability: It was easy to deploy using the provided instructions and documentation.
  • Protection: Cloud NGFW’s threat detection and prevention capabilities are powered by Palo Alto Networks threat prevention technologies². To help protect your network, Cloud NGFW supports a default set of threat signatures with predefined severity levels. Users can go to the threat vault to view all the threat signatures configured in Cloud NGFW.
  • Security Effectiveness: The block rate was 50.57%.
  • Monitoring & Logging: Validating the blocks was straightforward, as it provides a robust GUI for threat logs and is enabled by default

2. https://cloud.google.com/firewall/docs/about-threats

Summary & Conclusion

Summary

This Cloud Network Firewall (CNFW) mini-test compares native firewall solutions from Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), assessing security effectiveness, usability, protection, and monitoring features. The test, using Keysight’s CyPerf v5.0, found that security effectiveness is notably low across these native solutions. This is part one of a two-part test series.

Conclusion

Native firewalls provided by major Cloud Service Providers (AWS, Microsoft Azure, and GCP) generally lack the high level of security effectiveness required to protect against the majority of cyber threats. Despite their ease of integration and deployment, these native solutions do not provide robust protection, with low block rates observed across all providers.

Organizations relying solely on CSP native firewalls are potentially risking inadequate protection, as demonstrated by the low exploit block rates—especially in AWS’s case, where effectiveness was strikingly poor. To ensure sufficient security, businesses should seek comprehensive testing and consider third-party firewall solutions, especially if security is a top priority. The upcoming second phase of testing, focused on third-party firewalls, will further aid organizations in selecting a firewall solution that better aligns with their security requirements.

As a reminder, this mini-test was not designed or intended to measure the overall potential effectiveness of Cloud Service Provider native firewall offerings. This mini-test is intended to provide insight into the high-level relative effectiveness of CSP native firewall solutions using a small subset of exploit samples (using 522 samples vs the 2000+ samples in our more all-inclusive tests). CyberRatings’ full testing programs and resulting reports employ much more.

Special Thanks

We want to thank Keysight for providing their CyPerf technology for this test.

Authors

Thomas Skybakmoen, Tim Otto, Ian Foo