As virtual machines move to the cloud, preserving the least privilege networking model for the apps that run on them can be a challenge.
VPCs and security groups are effective perimeter controls, but their ability to segment traffic on a per-workload basis is too coarse.
While host firewalls provide additional ability to limit traffic, they’re isolated and require manual rule creation and management.
CNNF for hosts takes a different approach.
Cloud VMs typically run a single app workload, so you can apply the same kind of connectivity learning, modeling, and enforcement Prisma Cloud utilizes for containers to protect hosts.
CNNF for hosts is a distributed layer 3/4 firewall that stresses automated learning and workload awareness to isolate apps in a least privilege connectivity mesh.
CNNF eliminates the need to manually define rules or rely on low level primitives, such as IP addresses and host names.
Instead CNNF takes an app centric view of connectivity.
CNNF for hosts builds on the host runtime defense capabilities in Prisma Cloud to create a connectivity model for each app in your environment - the ports it listens on, the protocols used, and it’s inbound and outbound traffic flows.
These models are app centric, not host centric, meaning that as you scale workloads across VMs, the models are automatically applied, regardless of the cloud provider, region, or VPC the VMs run in.
In addition to showing network topology, Radar employs a data overlay to show vulnerability, compliance, and runtime state.
Easily identify apps impacted by CVEs, insecure configurations, or attacks that have been detected and prevented.
Deploying CNNF for hosts
CNNF for hosts automatically learns normal network activity between apps and displays it in Radar.
In alert mode, anomalous traffic is allowed, but it generates audits.
CNNF for hosts has the same configuration settings as CNNF for containers.
For more information, see Enabling CNNF.
You’ve deployed either a Container Defender or Host Defender to your Linux host.
In order to model all network flows, the app models must be relearned.
CNNF rules let you explicitly whitelist network flows.
Rules can be defined between apps or between apps and external networks where Prisma Cloud is not running.
When external networks are added, connections with them are displayed in Radar.
Adding an external entity drops a node onto the Host Radar canvas.
If during learning, Defenders detects a connection to the external entity, it’s modeled, and an edge is shown on Radar.
If no external network is defined, and a connection is made to an external network during learning, Prisma Cloud can’t model it, and nothing is shown on Radar.
CNNF for hosts lets you create the same types of rules as CNNF for containers, except rules target host apps, not container images.
For more information, see CNNF rules.