Does your organisation still have a physical (or virtual!) appliance for a firewall? Its days may be numbered. Developments in cloud solutions are creating an upward trend toward cloud-based security services. Cloud firewall deployments are becoming the norm in many enterprises. Firewall as a Service (FWaaS), otherwise known as ‘Cloud Firewalls’, has surfaced as a standalone product and a key element of the overarching Secure Access Service Edge (SASE) architecture. FWaaS is helping meet enterprise security requirements and improve network connectivity and end-user response times.
Here we help build your understanding of what FWaaS is, why companies are considering it as part of their security strategy, and why it is an integral part of the SASE architecture.
What is FWaaS?
Much like a fire-proof wall prevents flames from travelling through a building, network firewalls prevent unauthorised access to, or through, an organisation’s network. They act as an inspection gateway, stopping malicious data from entering or exiting the secured network.
Firewalls have been an essential element of network security since their invention in late 1980, just before the launch of the web browser in August 1991. The rest, they say, is history. As companies move their applications and data to the cloud and people work remotely, firewalls continue to evolve.
FWaaS is the latest version of the Next Generation Firewall (NGFW). It operates the same way as an ordinary hardware-based firewall; however, instead of installing a firewall appliance on a physical server, it puts the same capability to the cloud. FWaaS provides a centrally managed exit point for all staff’s internet access (e.g., corporate headquarters, remote and branch offices, mobile users) without backhauling the traffic through the corporate data centre. It leads to end-user performance improvement, reduced network and link costs, and removal of the DC bottleneck. As a result, FWaaS permits the data centre firewall to focus on its primary role – protecting the corporate servers and data.
As a corporation no longer manages the infrastructure or software patching, security staff can focus more on performing a role that creates real business value – protecting the corporate data. By centralising administration, a consistent security policy can apply across all staff traffic.
How Does FWaaS Work?
Firewalls enforce rules developed by the organisation’s IT administrators that ‘gate’ what staff can access (e.g., Web sites/categories, IP addresses). When prohibited behaviour is detected, users are blocked and alerted accordingly. As mentioned above, this is very similar to a legacy on-premises firewall; however, it is conducted “in the cloud” using an FWaaS provider.
Installing the firewall is comparatively easy, often only involving changing a company’s router settings. As soon as the network links to the FWaaS provider, network traffic travels through the provider instead of the company’s firewall.
Why do companies need FWaaS?
With more companies adopting the cloud, and an increase in remote workers, network complexity is intensifying. As a result, the network permitter has changed. Where corporate data was previously on-premise, data is now in “the cloud”. A centralised firewall introduces latency due to backhauling data to the central corporate firewall, which may require high network bandwidth to improve performance, which in turn flows on to needing a larger firewall to accommodate the extra traffic flowing.
FWaaS addresses these inhibitors by providing dedicated, corporate-controlled security services located close to the end-users and the data they seek to access. Shorter paths mean lower latency and better response times. Corporate security is enhanced with a firewall to user access and lets the data centre firewall focus on its original function of protecting the corporate data centre.
IT teams can now build customised cloud-friendly security models protected by enterprise-grade firewalls as a vital part of a cloud strategy.
FWaaS is the answer for companies looking for enterprise-level network security solutions but is still in the early stages of deployment. In September 2019, Gartner estimated that less than 5% of distributed companies deploying cloud-firewalls took advantage of FWaaS. However, as the benefits become more widely known, the number will likely quadruple to 20% by 2024(1).
Here are some of the reasons an increasing number of companies are leaning towards FWaaS:
Simpler architecture – FWaaS manages corporate user traffic by leaving the current data centre based physical firewall to handle only data centre related traffic, thus simplifying the firewalls’ configurations by dedicating them to specific tasks.
Scalability – FWaaS scales “on-demand” compared to the physical firewall, requiring life cycle management and capacity planning. When additional throughput is needed, it can be enabled within hours or days at incremental pricing with no disruption to service.
Unified Security Policy – FWaaS provides a single egress point for all staff, whereby enforcing a standard policy without addressing the potential multiple egress points that may exist today.
Easy to install and manage – Companies can easily integrate FWaaS into their existing IT infrastructure – no complex implementation.
Easier maintenance – FWaaS firewalls are always current, so there are no risks of late or missed software updates. IT staff have more time to plan the infrastructure’s future needs rather than on routine maintenance.
Complete network visibility – Together, FWaaS and SD-WAN can implement a single logical managed platform. Companies have full visibility and control over their user internet and WAN traffic from one centralised location. In turn, companies can get consistent delivery of critical security information (e.g., data breach).
Cost-effective: Business units can configure and manage FWaaS remotely. Thus, eliminating the need to purchase, license, install, maintain, and update hardware and software. Simply put, FWaaS is ideal for businesses of all sizes as it can reduce costs significantly while maintaining the safety of all their data.
Challenges of FWaaS
The following are challenges (not disadvantages!) companies may face when they adopt FWaaS :
- Resistance to Adoption: Enterprise businesses may be hesitant to move a critical function like security into the cloud. They may be willing to forego all the cost savings and operational conveniences of FWaaS and continue to stay with legacy firewall appliances.
- Concerns about Network Latency: As mentioned above, integrating SD-WAN and other cloud services with FWaaS makes it a more attractive solution for enterprises. While doing this, FWaaS providers need to guarantee a network latency comparable to or better than that of legacy firewalls.
- Data Centre Traffic: Corporate servers in data centres have different access requirements linking inbound connections. FWaaS are maturing in this space, but it’s not there yet. Currently, the data centre still needs its own firewall/internet service. We expect this limitation to reduce over time. Telstra has released their Secure Edge product, which addresses these constraints.
FWaaS & SD-WAN
FWaaS provides several benefits as a standalone solution; however, when it converges with other technologies such as Software-Defined Wide Area Networking (SD-WAN), companies can restructure their network and route it directly to its destination without sacrificing security and visibility. FWaaS and SD-WAN can significantly enhance performance and serviceability and reduce the dependency on the corporate WAN. Together, FWaaS and SD-WAN are essential components of the emerging cloud-based networking architecture known as Secure Access Service Edge (SASE).
FWaaS & SASE
When aligning to the SASE framework, FWaaS connects with other cloud-based security components to develop an architecture that provides inline protection and access control at the network edge. SASE is becoming the framework for securing organisations. SD-WAN’s capabilities address connectivity constraints, restricting heavy end-user access by creating a reliable firewall connection for office, branch, remote and mobile locations.
Together with FWaaS and SD-WAN, the SASE framework incorporates Cloud Access Security Brokers (CASE), Secure Web Gateways (SWG), and Zero Trust Network Access (ZTNA) to defend the network from potential threats.
Making the Switch to Firewall as a Service (FWaaS)
Is your organisation ready to adopt FWaaS? The answer is ultimately dependant on where your company’s network strategy is going. An SD-WAN strategy aligns with cloud-based FWaaS. SD-WAN with FWaaS will reduce the load and complexity on the centralised corporate firewall whilst providing a better end-user experience to corporate users due to better egress pathing.
Companies with a complex firewall deployment will still need to maintain an on-premises firewall; however, Telstra’s Secure Edge FWaaS is a new option that places the firewall on the edge of your existing MPLS network. This solution provides a Next-Gen Firewall which protects both corporate users and the systems in the data centre.
FWaaS, either cloud-based or Telstra’s network-based solution, should be considered when you review your network or firewall strategy.
Oreta partners with vendors to offer customers cloud-based FWaaS solutions that have Next-Gen functionality. Our strategic partners include Palo Alto Networks, Checkpoint and Cisco. With our advisory, delivery and managed service capabilities, we can ensure that our customers benefit from a SASE or FWaaS solutions. Contact us today for a non-obligatory conversation about your company’s security requirements.
- Top 4 firewall-as-a-service security features and benefits (techtarget.com)
SASE – It’s revolutionising network and security architecture. It’s shaking up how we connect. But what exactly is all the talk about? What does it mean for your organisation? Is your organisation sassy enough to conquer a SASE makeover?
- The future of our network and security infrastructures being cloud-centric is imminent.
- SASE has several advantages over traditional architectures, not the least of which include greater scalability and flexibility for your organisation
- Now is the perfect time to assess where on the SASE journey your organisation is at and what this means for your existing networking infrastructure.
What’s sassy about SASE?
Disruptive and transformational are just a few words that come to mind. Gartner defines SASE – pronounced “sassy” and shortened for ‘Secure Access Service Edge’ – as ‘an emerging cybersecurity concept combining comprehensive WAN capabilities with comprehensive network security functions…to support the dynamic secure access needs of digital enterprises’.
Unlike the legacy WAN, SASE shifts the focus from a network where each branch connects to a central office to access data and security services to the concept where an entity (e.g. user, group of people (branch), a single device, IoT system or edge computing location) is connected directly from the edge to cloud-based services bypassing the need for a centralised WAN.
SASE has several advantages over traditional architectures, not the least of which include greater scalability and flexibility for your organisation, potentially reduced network costs, and better performance for the end-user. SASE done right will open the door to enhanced security features, moving the management of your security to a cloud access security broker (CASB) whilst:
- protecting your users, regardless of where the device or user is located, from threats through secure web gateways (SWG) and remote browser isolation,
- securing your applications and data through zero-trust network access (ZTNA), firewall as a service (FWaaS) and protecting your web API’s (WAAPaaS).
Why is it the trend?
The era of centralised network and security architectures is fading. Today’s enterprises are hyper-distributed. More and more businesses are moving to a Software-as-a-Service (SaaS), cloud-based services and edge compute platforms, where there is an increased reliance on SDWAN connectivity, and remote user access is the new normal. As a result, the traditional reliance on enterprise data centres for routing and security is becoming obsolete.
We are at the forefront of a new transformation. We are shifting from relying on location as the core of networking and security to the end-user. With 2020 being a tumultuous year, with a massive exodus of users working from home, the need for such change has never been so evident. Whilst 81% of the population is now working from home, Gartner has predicted post-COVID that 41% of employees will remain working from home. The question is – is your security prepared for this – are you getting sassy with SASE?
The future of our network and security infrastructures being cloud-centric is imminent. Users need to have more confidence in a consistent and secure experience everywhere, anywhere.
If you are ready to get sassy with SASE, now is the perfect time to assess where on the SASE journey your organisation is at and what this means for your existing networking infrastructure.
Are you the sassy-type?
Ask yourself – Are you ready to revolutionise your network? Are you willing to embrace disruption to stay relevant? If so, you are ready to get sassy with SASE.
Enterprises of all sizes are discovering their reasons for needing to transform to SASE, including;
- Corporate services are changing to cloud-based providers
- The move from centralised MPLS networks to the Internet at the edge
- More user traffic from branches directed to public clouds, detouring the data centre
- The need to protect remote users as they perform work outside of the enterprise network and on their own devices
- Consolidating network and security
- Optimising cloud-based applications that are being accessed from the edge
If you tick any of the boxes above your organisation is also ready to embrace the change.
Get your SASE-on?
Adopting SASE should be part of your organisation’s IT journey. It is not something that has to be deployed all in one go. The goal is to ensure that you integrate it seamlessly, and you provide an optimal experience for the user.
The first step should be to identify the journey and the different phases within. Determine what is already in place and are already performing well, and what needs transforming.
Once you have done this, you will need to consider how to;
- Position the adoption of SASE as a digital business enabler to ensure speed and agility.
- Change focus from managing security boxes to delivering policy-based security services.
- Engage with network architects to discover your SASE capabilities. Use SD-WAN, and MPLS offload projects to evaluate integrated network security services.
- Identify ways to reduce the complexity on your network security
To help your organisation map out its journey to SASE contact Oreta today.
Securing important resources and applications is now vital, particularly with the continued rise in cyberattacks. But, how can you manage critical new levels of security without interruptions to your business operations, creating havoc with your employees and defiling your current defenses? More and more enterprises are leveraging Zero Trust to enhance their security posture, shift their reliance from infrastructure to the cloud, and have greater access control through granular policy enforcement. So what is ZTNA and how does it differ from the traditional VPN?
What is ZTNA?
ZTNA stands for Zero Trust Network Access, a type of security model that provides secure remote access to applications and services regardless of where they are hosted. The model considers all traffic as hostile. In the context of remote user access, the model does not trust any user until verification of their identities is complete. A software-defined perimeter (SDP) between users and applications completes the ZNTA model. SDP will consider the correct user credentials and multiple contextual factors before it grants a user access.
With COVID-19, the mobile workforce has grown exponentially, which will remain that way for the foreseeable future. Remote workers are working from insecure networks or using their own devices, making them more vulnerable to cyberattacks. A CAIC report indicates that between January and June 2020, 67% of cyber breaches were the result of compromised or stolen credentials. Statistics such as these show the growing importance of adopting security models like ZTNA to protect corporate application and data.
How is ZTNA different to VPN?
ZTNA and VPN serve a similar purpose of providing secure remote access. However, there are critical differences between the two types of technologies.
1. Network Access vs Identity-based and Application access
Most VPN solutions use IP-based access control (i.e. source, destination IP address and protocol) to create access policies. An issue with these solutions is that the IP address does not provide much information about a user and frequently changes, making it difficult to tell all the users apart and track them, and often requires complex configuration such as separate IP allocation for different user groups. Access policies based on protocols also provides minimal granularity with regards to what applications users can access as many modern applications share the same sets of protocols and ports.
On the other hand, ZTNA uses SDP to control access based on the user’s identity and application. ZTNA enables the development of more granular policies and gives users access only to sanctioned applications. Furthermore, the level of access provided depends on a risk assessment of contextual information, such as a device’s security posture and location.
2. Appliance-based v Cloud-delivered
Another common issue coming from an appliance-based solution like VPN is scalability and management overheads.
Typically, datacentres and head offices often require the deployment of VPN appliances. Users connect their VPN clients to the applicances to access corporate resources. Users may need to switch between VPN connection points, depending on the location of the resources or what the core network needs to support a single VPN entry point for resources across multiple sites. As the underlyinginfrastructure for VPN is often under or over-provisioned, this can result in businesses failing to meet their goals, poor user experience and excessive overheads.
Unlike VPN, ZTNA is not bound by infrastructure or a location. It is a cloud-based service whereby you can have the flexibility of scaling up and down on a needs-by-needs basis. Behind the scene, your service provider will take care of the underlying infrastructure and maintenance. Your IT team will be relieved from capacity planning, hardware/software ordering, deployment and ongoing maintenance.
How does ZTNA relate to SASE?
The SASE architecture aims to address network and security issues relating to the increasing reliance on the Cloud and mobility adoption. SASE enables applications and services to reside in the Cloud and on-prem, and permit users to work anywhere. The two critical elements of SASEtecture are identity-driven and securing all edges, including the mobile workforce. As part of the core features of SASE, ZTNA provides identity-based authentication, context-based access control and secure remote access from a mobile workforce.
Taking you further…
Whether you are looking at a standalone ZTNA solution or a full SASE architecture, you should also consider inspection capability. A ZTNA solution should not just play the role of granting user access, but also continuously monitor user traffic for any abnormal or malicious activity. Another aspect to look at is how well you can integrate your existing solutions and minimise complexity and silos. ZTNA will not cover every security aspect, but it should form part of your collective solutions to achieve better cybersecurity.