Last fall I wrote a piece on how we need to rethink the concept of a perimeter and the use of hardware firewalls in the enterprise, “Farewell, Hardware Firewall?” Manufacturers are responding to pressure from their customers by offering virtual firewalls.
Enterprises have shown interest in virtual firewalls because they can reduce the administration of security hardware and gain protection for cloud environments such as AWS and Azure. Implementing, patching, updating, shipping, upgrading, and administering hardware firewalls requires resources and budget.
No one knows this pain better than the thousands of IT security professionals rushing to patch their Cisco ASAs in the wake of today’s revelation that they contain a high-severity bug, details of which will be presented this Saturday at a conference in Belgium. Incidents like this further encourage companies to outsource the parts of their security infrastructure where outsourcing makes sense.
But although virtual and cloud firewalls all offer benefits in terms of hands-on management, a lot of people are still not clear on the real differences between them. Today we’ll highlight those differences and what they mean for your business.
First off, we should distinguish between two common models of virtual firewalls. In the first model, the firewall is still a hardware appliance, partitioned into virtual instances, but it is relocated to a service provider. In the second model, the firewall is a virtual appliance that is no longer kept on premises but runs with a cloud provider such as AWS.
If firewall operation is outsourced to a service provider, the service should be labeled a “managed firewall.” The hardware is physically located at the service provider, which provides a virtual instance of a firewall for each required location. Because a hardware firewall is still in use, the virtual instances not only have to be operated but also maintained and updated; the company simply outsources these tasks to its service provider. Scalability is also transferred to the service provider, which can host only as many clients as the capacity of its hardware allows.
Enterprises that use this kind of managed service should pay attention to the number of locations at which the hosted firewalls are available from the service provider. Generally, the number of covered geographic locations will be in the low single digits. Customers must decide whether this imposes any limitations on their business, since it means the hardware will be kept at, for example, three or possibly six of the provider’s locations.
In addition, when evaluating a firewall, many services require that local IP addresses be available. For example, if a company has a branch in Brazil, certain services such as customs systems require a Brazilian IP address. Companies should check their requirements for local IP addresses when they decide to outsource firewall operations and align those needs with the service provider’s covered locations. Generally, fewer locations also means longer network paths, and therefore higher latency.
System complexity makes all the difference
In the second model, a virtual firewall, the firewall runs as a virtual appliance on infrastructure hosted by a cloud provider such as AWS or Azure. Using this service, an Amazon customer can set up a firewall relatively quickly and pay for it monthly.
As with the managed firewall, enterprises must check with providers to determine the number of available locations. For example, AWS organizes its infrastructure into geographic regions, each of which contains multiple availability zones. This means customers can deploy into the region closest to their users and, if necessary, build redundant firewall instances across the availability zones within it. With such an approach, a company can solve scalability and redundancy issues in a relatively elegant way.
A virtual firewall on AWS is consumed as Infrastructure as a Service (IaaS): the customer rents the compute on which the appliance runs. The advantages of the virtual firewall are the greater number of data centers and the possibility of implementing this service rapidly.
In addition, the customer has more control over the firewall. However, this control demands more time from the IT department. Configuration, updates, upgrades, and patches are implemented by the customer. The more virtual firewalls a company operates, the more resources it must devote to virtual firewall administration.
If organizations are considering a managed or virtual firewall, they need to think seriously about whether they are willing to take on this level of administration. You will probably need third-party software to administer the service across multiple locations. Can policies be updated in real time across all locations so that, if necessary, systems can be patched quickly to close critical security holes? Logging across multiple locations should also not become an administrative challenge. With the AWS-hosted firewall approach, logs can be collected in a SIEM service such as Splunk, which must be licensed separately.
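To make the administration question concrete, here is an added example (not code from the original article or from any firewall vendor) of the kind of check that third-party tooling has to perform when a policy is pushed to many virtual firewall instances: compare each location’s exported rule base against a golden policy and report rules that are missing, rules that were added locally, and rules that exist but sit in the wrong order. The rule tuple format, the site names (fra, gru, sin, lhr), and all rule sets are constructed for the example.

```python
"""Policy-drift check across virtual firewall instances.

Added example, not part of the original article or any vendor's tooling.
Assumes each location exports its rule base as an ordered list of
(action, proto, src, dst, dport) tuples; all sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, str, str]  # (action, proto, src, dst, dport)

# Constructed golden policy that should be identical at every site.
EMERGENCY_BLOCK: Rule = ("deny", "tcp", "any", "any", "445")  # e.g. an SMB block pushed during an incident
GOLDEN: List[Rule] = [
    EMERGENCY_BLOCK,
    ("allow", "tcp", "10.0.0.0/8", "10.10.1.5/32", "443"),
    ("allow", "udp", "10.0.0.0/8", "10.10.1.53/32", "53"),
    ("deny", "any", "any", "any", "any"),  # default deny, must stay last
]

# Constructed per-site exports (hypothetical site codes):
#   fra: in sync
#   gru: never received the emergency block
#   sin: someone added a permissive SSH rule locally
#   lhr: same rules, but the default deny was moved above the allows
SITES: Dict[str, List[Rule]] = {
    "fra": list(GOLDEN),
    "gru": [r for r in GOLDEN if r != EMERGENCY_BLOCK],
    "sin": GOLDEN[:3] + [("allow", "tcp", "any", "any", "22")] + GOLDEN[3:],
    "lhr": [GOLDEN[0], GOLDEN[3], GOLDEN[1], GOLDEN[2]],
}


@dataclass
class Drift:
    missing: Set[Rule]  # golden rules absent at the site
    extra: Set[Rule]    # site rules not in the golden policy
    ordered: bool       # golden rules appear in golden relative order

    def in_sync(self) -> bool:
        return not self.missing and not self.extra and self.ordered


def check_site(site_rules: List[Rule], golden: List[Rule] = GOLDEN) -> Drift:
    """Compare one site's rule base with the golden policy."""
    g, s = set(golden), set(site_rules)
    # Set comparison alone is not enough: on a first-match firewall a rule
    # that exists but sits below a broader one (such as the default deny)
    # is effectively dead, so relative order of the golden rules is checked too.
    positions = [site_rules.index(r) for r in golden if r in s]
    return Drift(missing=g - s, extra=s - g, ordered=positions == sorted(positions))


def drift_report(sites: Dict[str, List[Rule]], golden: List[Rule] = GOLDEN) -> Dict[str, Drift]:
    return {name: check_site(rules, golden) for name, rules in sites.items()}


def sites_missing_rule(sites: Dict[str, List[Rule]], rule: Rule) -> List[str]:
    """Which locations still lack a given rule, e.g. an emergency block."""
    return sorted(name for name, rules in sites.items() if rule not in rules)


if __name__ == "__main__":
    for site, drift in drift_report(SITES).items():
        status = "OK" if drift.in_sync() else "DRIFT"
        print(f"{site}: {status} missing={len(drift.missing)} extra={len(drift.extra)} ordered={drift.ordered}")
    print("emergency block still missing at:", sites_missing_rule(SITES, EMERGENCY_BLOCK))
```

The same loop over sites is where a management tool would also pull each instance’s logs for the SIEM; the point is that every one of these steps is the customer’s responsibility in the virtual firewall model, and the cost grows with the number of locations.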
Are these limitations acceptable to you?
What can a true cloud firewall do?
Neither a managed firewall service nor a virtual firewall hosted in the cloud offers true cloud benefits, since the number of locations and the administrative requirements limit the positive impact. In contrast to operating a firewall in a virtualized environment, with a true cloud-based firewall the cloud provider is responsible for updates, upgrades, and patches. The task of setting up and maintaining the firewall, including meeting scalability requirements, becomes the responsibility of the cloud provider. Enterprises that consider this approach should carefully review service level agreements, since not only operations but also troubleshooting are the cloud service provider’s responsibility.
A cloud-based approach should no longer include any hardware firewall components but should be built from the ground up as “security as a service.” In this model, the cloud provider delivers a single user interface that is integrated in real time across all locations and users. As a result, the challenge of real-time log correlation is solved by the provider, which reduces the complexity of commissioning, continuous operation, and troubleshooting.
The following checklist can help you choose the right firewall approach for your business:
- How much operational complexity are you willing to accept in a firewall solution? What internal resources are available?
- How many locations do you need? How much scalability do the solutions offer, with regard to regional coverage and capacity? It’s advisable to test the performance of a managed service when only a limited number of firewall locations are available.
- Which locations require local IP addresses? How is the solution provider able to meet worldwide coverage?
- How is responsibility for firewall operation regulated in service level agreements?
- Does the service provider comply with data privacy protection?
Companies looking for a firewall solution for locations that don’t require network segmentation should choose a virtual or a cloud-based solution. In locations where organizations can’t maintain their own hardware infrastructure, such as remote branches, a cloud firewall offers the required security with greatly reduced administrative effort. With increasing global distribution and the associated growing number of branches and locations worldwide, a true cloud-based firewall is the appropriate choice.