In today's cloud-centric environment, relying solely on traditional IP-based defenses is inadequate for perimeter protection. As services increasingly run on shared infrastructure and content delivery networks, the IP addresses behind a fully qualified domain name (FQDN) change often and are shared with unrelated services, so rules keyed to static IP addresses or resolved FQDNs quickly go stale and leave gaps in coverage.
To address these challenges, Google Cloud has launched domain filtering with wildcard capabilities in its Next Generation Firewall (NGFW) Enterprise. This feature aims to bolster security and provide more granular policy controls.
Importance of Domain and SNI Filtering
The Cloud NGFW's URL filtering service conducts thorough inspections of HTTP payloads, safeguarding workloads from threats originating from both public and internal networks. By elevating security measures to the application layer, it effectively restricts access to harmful domains.
Key benefits include:
- Granular Egress Control: This feature allows precise management of connections based on domain names and SNI information in egress HTTP(S) messages. By inspecting Layer 7 (L7) headers, it provides more refined control compared to traditional filtering methods.
- Access Control Without Decryption: For organizations that avoid full TLS decryption, Cloud NGFW can enforce security policies by managing traffic based on SNI headers during the TLS handshake, ensuring domain-level filtering while preserving end-to-end encryption.
- Reduced Operational Overhead: By implementing domain-based filtering, organizations can minimize the maintenance required to track frequently changing IP addresses and DNS records, focusing instead on stable domain identities.
- Flexible Matching: The service supports matcher strings within URL lists, allowing limited wildcard domains to define criteria for both domains and subdomains, thus simplifying management.
- Improved Security: URL filtering enhances security by defending against sophisticated threats like SNI header spoofing, ensuring that attackers cannot bypass controls by manipulating lower-layer identifiers.
How URL Filtering Works
The URL filtering service operates by inspecting traffic at Layer 7 using a distributed architecture.
To get started with URL filtering, follow these steps:
- Deploy Cloud NGFW Endpoints: Create and deploy a Cloud NGFW endpoint in a designated zone. Ensure the necessary permissions are in place before deployment. Once deployed, associate it with one or more VPCs.
- Create Security Profiles and Groups: Develop a URL filtering security profile containing URL filters with matcher strings and corresponding actions (allow or deny). Group these profiles into a security profile group, which will be referenced in firewall policy rules.
- Policy Enforcement: Enable the service by configuring a hierarchical or global network firewall policy rule using the apply_security_profile_group action, specifying the name of the security profile group.
Next Steps
For detailed instructions on configuring firewall policy rules, refer to the documentation on creating ingress and egress hierarchical and global network firewall policy rules.