The old proverb “my home is my castle” no longer applies to enterprise IT. Locating the corporate network at headquarters and securing the data center with a fortified firewall consisting of an assortment of appliances just isn’t viable any more. It made sense back in the day when networks were more manageable and threat vectors were less plentiful and pernicious. But today’s reality is far different. Most fast-growing companies have branch offices sprawled across several continents. Plus, the number of applications to which employees need daily access has multiplied. And, with digital transformation, applications are mostly hosted in the cloud—outside the network perimeter.
Say goodbye to the traditional perimeter
Today, employees can set up shop pretty much anywhere—at a home office, an airport lounge, or a branch office. In many cases, mobility is the rule rather than the exception. And that’s where the problems start. In fact, the security perimeter is breached by every branch office and every laptop used outside the company network, making the network vulnerable to malware.
What’s more, the increased use of cloud apps has obliged companies to provide high-speed internet access at every branch office. Users, particularly with apps like Office 365, will not tolerate the latency that occurs when their traffic is steered through centralized security gateways.
The high cost of Multiprotocol Label Switching (MPLS) is another argument against this kind of traffic detouring, given that Office 365 generates around 40% more traffic than the traditional Office implementation. As a result, a hub-and-spoke infrastructure has given way to local internet breakouts. But protecting such breakouts with hardware-based firewalls in every branch office would be enormously costly and complex. And maintenance on the hardware, such as keeping up with the required upgrades, represents a huge administrative workload.
With software-as-a-service (SaaS) solutions—as well as the dramatic rise in applications moving from the data center to cloud providers such as Azure, Amazon Web Services (AWS), and local service provices—most traffic is destined for the internet. Administrators must rethink how users interact with applications.
Depending on the application, firewall strategies can vary. Let’s take a look at some common approaches.
- Hardware firewalls that stand in front of a server farm: This still makes sense for protecting an in-house data center. These firewalls are administered and maintained on site by specialists. If the number of data centers is limited to two or three locations worldwide, then the expenditure is manageable and calculable, both in terms of costs and maintenance.
- The importance of network segmentation: The recent wave of ransomware, like the headline-grabbing WannaCry attack, has underscored the need for network segmentation. A local, hardware-based firewall is a good choice for this application, too.
- Cloudification and virtualization: As a result of increasing cloud adoption, organizations are demanding greater flexibility from a firewall. There’s also a need to deploy firewalls to protect virtual environments. This can be done by hosting virtual firewalls as an image, an approach taken by AWS. In this case, the firewall supports cloudification. But virtualized firewalls can’t function without hardware—firewalls still need to be deployed in a data center.
- The need for firewall protection of the endpoint infrastructure: Safeguarding desktops, laptops, networked devices like printers, and internet of things (IoT) devices is probably the biggest challenge enterprises face. How can all these devices at different locations be integrated with the idea of a location-based firewall? A hardware-based approach could work, but it would be costly. A better solution for this scenario is a cloud-based firewall.
A real firewall in the cloud
As an organization grows and new locations or subsidiaries sprout in places near and far, the concept of a hardware firewall is unworkable. If the number of local internet junctions is in the hundreds, this approach is simply untenable from a financial and organizational standpoint. In a scenario like this, there’s a need for remote administration and policy updates in real time. As bandwidth requirements increase, the firewall must be flexible enough to grow with them.
What’s the solution? Secure users at every location from a cloud security platform. This relegates multiple functions to the cloud: security intelligence, threat management, policy enforcement, real-time logging, and more.
A cloud-based firewall is also the perfect solution for local internet access because it eliminates the administrative overhead associated with deploying and maintaining hardware locally. The only thing that has to be installed locally is a router that builds a tunnel to the nearest location of the cloud security platform. As a result, each location is protected with a local internet breakout that extends to the cloud security platform, making it possible to define policies for each location via a central management console while also correlating the logs for all locations. Even more security functionality is available through an integrated platform approach—and performance is also addressed. Fortunately, most security vendors already provide web security, URL filtering, advanced threat protection, and cloud sandboxes, as well next-generation firewalls.
The next step in firewall innovation is a next-generation firewall from the cloud, a solution that enables digital transformation of firewall applications in the cloud. When it comes to securing organizations with multiple locations, one thing is pretty obvious: we need to bid the hardware firewall a fond farewell and usher in the era of the cloud firewall.