Does your organisation still have a physical (or virtual!) appliance for a firewall? Its days may be numbered. Developments in cloud solutions are creating an upward trend toward cloud-based security services. Cloud firewall deployments are becoming the norm in many enterprises. Firewall as a Service (FWaaS), otherwise known as ‘Cloud Firewalls’, has surfaced as a standalone product and a key element of the overarching Secure Access Service Edge (SASE) architecture. FWaaS is helping meet enterprise security requirements and improve network connectivity and end-user response times.
Here we help build your understanding of what FWaaS is, why companies are considering it as part of their security strategy, and why it is an integral part of the SASE architecture.
What is FWaaS?
Much like a fire-proof wall prevents flames from travelling through a building, network firewalls prevent unauthorised access to, or through, an organisation’s network. They act as an inspection gateway, stopping malicious data from entering or exiting the secured network.
Firewalls have been an essential element of network security since their invention in late 1980, just before the launch of the web browser in August 1991. The rest, they say, is history. As companies move their applications and data to the cloud and people work remotely, firewalls continue to evolve.
FWaaS is the latest version of the Next Generation Firewall (NGFW). It operates the same way as an ordinary hardware-based firewall; however, instead of installing a firewall appliance on a physical server, it puts the same capability to the cloud. FWaaS provides a centrally managed exit point for all staff’s internet access (e.g., corporate headquarters, remote and branch offices, mobile users) without backhauling the traffic through the corporate data centre. It leads to end-user performance improvement, reduced network and link costs, and removal of the DC bottleneck. As a result, FWaaS permits the data centre firewall to focus on its primary role – protecting the corporate servers and data.
As a corporation no longer manages the infrastructure or software patching, security staff can focus more on performing a role that creates real business value – protecting the corporate data. By centralising administration, a consistent security policy can apply across all staff traffic.
How Does FWaaS Work?
Firewalls enforce rules developed by the organisation’s IT administrators that ‘gate’ what staff can access (e.g., Web sites/categories, IP addresses). When prohibited behaviour is detected, users are blocked and alerted accordingly. As mentioned above, this is very similar to a legacy on-premises firewall; however, it is conducted “in the cloud” using an FWaaS provider.
Installing the firewall is comparatively easy, often only involving changing a company’s router settings. As soon as the network links to the FWaaS provider, network traffic travels through the provider instead of the company’s firewall.
Why do companies need FWaaS?
With more companies adopting the cloud, and an increase in remote workers, network complexity is intensifying. As a result, the network permitter has changed. Where corporate data was previously on-premise, data is now in “the cloud”. A centralised firewall introduces latency due to backhauling data to the central corporate firewall, which may require high network bandwidth to improve performance, which in turn flows on to needing a larger firewall to accommodate the extra traffic flowing.
FWaaS addresses these inhibitors by providing dedicated, corporate-controlled security services located close to the end-users and the data they seek to access. Shorter paths mean lower latency and better response times. Corporate security is enhanced with a firewall to user access and lets the data centre firewall focus on its original function of protecting the corporate data centre.
IT teams can now build customised cloud-friendly security models protected by enterprise-grade firewalls as a vital part of a cloud strategy.
FWaaS is the answer for companies looking for enterprise-level network security solutions but is still in the early stages of deployment. In September 2019, Gartner estimated that less than 5% of distributed companies deploying cloud-firewalls took advantage of FWaaS. However, as the benefits become more widely known, the number will likely quadruple to 20% by 2024(1).
Here are some of the reasons an increasing number of companies are leaning towards FWaaS:
Simpler architecture – FWaaS manages corporate user traffic by leaving the current data centre based physical firewall to handle only data centre related traffic, thus simplifying the firewalls’ configurations by dedicating them to specific tasks.
Scalability – FWaaS scales “on-demand” compared to the physical firewall, requiring life cycle management and capacity planning. When additional throughput is needed, it can be enabled within hours or days at incremental pricing with no disruption to service.
Unified Security Policy – FWaaS provides a single egress point for all staff, whereby enforcing a standard policy without addressing the potential multiple egress points that may exist today.
Easy to install and manage – Companies can easily integrate FWaaS into their existing IT infrastructure – no complex implementation.
Easier maintenance – FWaaS firewalls are always current, so there are no risks of late or missed software updates. IT staff have more time to plan the infrastructure’s future needs rather than on routine maintenance.
Complete network visibility – Together, FWaaS and SD-WAN can implement a single logical managed platform. Companies have full visibility and control over their user internet and WAN traffic from one centralised location. In turn, companies can get consistent delivery of critical security information (e.g., data breach).
Cost-effective: Business units can configure and manage FWaaS remotely. Thus, eliminating the need to purchase, license, install, maintain, and update hardware and software. Simply put, FWaaS is ideal for businesses of all sizes as it can reduce costs significantly while maintaining the safety of all their data.
Challenges of FWaaS
The following are challenges (not disadvantages!) companies may face when they adopt FWaaS :
- Resistance to Adoption: Enterprise businesses may be hesitant to move a critical function like security into the cloud. They may be willing to forego all the cost savings and operational conveniences of FWaaS and continue to stay with legacy firewall appliances.
- Concerns about Network Latency: As mentioned above, integrating SD-WAN and other cloud services with FWaaS makes it a more attractive solution for enterprises. While doing this, FWaaS providers need to guarantee a network latency comparable to or better than that of legacy firewalls.
- Data Centre Traffic: Corporate servers in data centres have different access requirements linking inbound connections. FWaaS are maturing in this space, but it’s not there yet. Currently, the data centre still needs its own firewall/internet service. We expect this limitation to reduce over time. Telstra has released their Secure Edge product, which addresses these constraints.
FWaaS & SD-WAN
FWaaS provides several benefits as a standalone solution; however, when it converges with other technologies such as Software-Defined Wide Area Networking (SD-WAN), companies can restructure their network and route it directly to its destination without sacrificing security and visibility. FWaaS and SD-WAN can significantly enhance performance and serviceability and reduce the dependency on the corporate WAN. Together, FWaaS and SD-WAN are essential components of the emerging cloud-based networking architecture known as Secure Access Service Edge (SASE).
FWaaS & SASE
When aligning to the SASE framework, FWaaS connects with other cloud-based security components to develop an architecture that provides inline protection and access control at the network edge. SASE is becoming the framework for securing organisations. SD-WAN’s capabilities address connectivity constraints, restricting heavy end-user access by creating a reliable firewall connection for office, branch, remote and mobile locations.
Together with FWaaS and SD-WAN, the SASE framework incorporates Cloud Access Security Brokers (CASE), Secure Web Gateways (SWG), and Zero Trust Network Access (ZTNA) to defend the network from potential threats.
Making the Switch to Firewall as a Service (FWaaS)
Is your organisation ready to adopt FWaaS? The answer is ultimately dependant on where your company’s network strategy is going. An SD-WAN strategy aligns with cloud-based FWaaS. SD-WAN with FWaaS will reduce the load and complexity on the centralised corporate firewall whilst providing a better end-user experience to corporate users due to better egress pathing.
Companies with a complex firewall deployment will still need to maintain an on-premises firewall; however, Telstra’s Secure Edge FWaaS is a new option that places the firewall on the edge of your existing MPLS network. This solution provides a Next-Gen Firewall which protects both corporate users and the systems in the data centre.
FWaaS, either cloud-based or Telstra’s network-based solution, should be considered when you review your network or firewall strategy.
Oreta partners with vendors to offer customers cloud-based FWaaS solutions that have Next-Gen functionality. Our strategic partners include Palo Alto Networks, Checkpoint and Cisco. With our advisory, delivery and managed service capabilities, we can ensure that our customers benefit from a SASE or FWaaS solutions. Contact us today for a non-obligatory conversation about your company’s security requirements.