
Zscaler Blog


Uncovering the Truth of Firewalls and Zero Trust

February 23, 2022 - 4 min read

Join us for a webinar as Zscaler experts explore why zero trust is necessary, how firewalls and VPNs are failing, and what it takes to successfully implement zero trust.

Businesses have changed significantly since the firewall was introduced. Today's employees work anywhere: at home, in shared workspaces, at branch offices, and beyond, as long as there is an internet connection and a power source. In this distributed workplace, users and applications sit outside any defined perimeter and cannot be trusted by default. Zero trust is a holistic approach to securing modern organizations, based on least-privileged access and the principle that no user or application is inherently trusted: each connection is authorized using identity and a policy grounded in business context. Implementing zero trust is essential to securing these users and applications, yet some security vendors mislead organizations by claiming that firewalls and other legacy products deliver it. In reality, they cannot. Join us for a webinar, and read on to learn why.

Perimeter models using firewalls and VPNs cannot do zero trust

Hub-and-spoke and castle-and-moat architectures built on firewalls and VPNs have to be extended to users outside the defined perimeter to give them remote access to applications, which dramatically expands the attack surface. Those attack surfaces, whether in a data center, a cloud, or a branch, are exposed as applications are published on the internet, where they can be found by legitimate users and by attackers alike. These architectures follow a "verify, then trust" model: once a user is verified, they are fully trusted and granted access to every application on the network. This model is obsolete. It fails to stop attackers who impersonate legitimate users (for example, with stolen credentials), and it does not effectively secure remote users, data, and cloud applications outside the network perimeter. By contrast, the zero trust model follows "never trust, always verify" and least-privileged access: no user or application is inherently trusted, and each request is authorized individually.


Virtual, cloud-based perimeter models like virtual firewalls cannot do zero trust

Cloud-hosted perimeter models such as virtual firewalls are no different from their physical counterparts: the firewall moves from the data center to the cloud, but the security model stays the same. Operators still define perimeter policies, and threats can still move laterally across the organization once inside. A virtual firewall still exposes a public IP address that can be discovered, attacked, and exploited, so it cannot be zero trust. Most virtual firewalls are adaptations of hardware products, later ported to general-purpose cloud infrastructure, and they carry serious performance limitations. Backhauling traffic to security appliances hosted in public clouds such as GCP or AWS degrades application performance for users. The model also lacks the flexibility to grow and complicates capacity planning for remote and branch users, because application availability now depends on the availability of the cloud infrastructure hosting the firewall.


Cloud-based point solutions (CASB, SWG) cannot do zero trust

Most cloud-based point solutions started with one security feature or capability and then tried to compete as a platform by bolting further capabilities onto that original framework, with zero trust as an afterthought. They are comparatively immature, lack experience in enterprise security, and lack the depth and breadth of a comprehensive security platform: cloud firewall, sandbox, intrusion prevention, cloud SWG, ZTNA, browser isolation, dynamic risk assessment, and more. The scalability of point products also depends on, and is at times limited by, the availability of the data centers in which they are hosted.


Zero trust with Zscaler

Unlike network security technologies that rely on firewalls, VPNs, or cloud-hosted perimeter products, Zscaler delivers zero trust with a cloud-native platform: the Zscaler Zero Trust Exchange. Built on a proxy architecture, the Zero Trust Exchange connects users directly to applications, never to the corporate network. Applications become non-routable entities that are invisible to potential attackers, so your resources cannot be discovered on the internet. Operating across 150 data centers worldwide, the Zero Trust Exchange keeps the service close to users, co-located with the cloud providers and applications they access.
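To make the architectural contrast concrete, here is a small added illustration in Python. It is not Zscaler code and does not show how the Zero Trust Exchange is implemented; it is a toy "inside-out" broker that captures the two properties discussed above: the application host opens no inbound port (its connector dials out to the broker), and the broker authorizes every request by identity and policy rather than by network location. The policy table, the app names, and the line-oriented wire format are all constructed for the example.

```python
"""Toy broker demonstrating an inside-out, per-request-authorized access model.

Added illustration only, not Zscaler's implementation. The broker is the sole
component with a listening socket; apps are reached only through it.
"""
import socket
import threading

# Constructed sample policy for the example: identity -> apps it may reach.
POLICY = {"alice": {"payroll"}, "bob": {"wiki"}}

# Constructed sample "apps": plain functions with no listening socket of their own.
APPS = {
    "payroll": lambda req: f"payroll ok: {req}",
    "wiki": lambda req: f"wiki page: {req}",
}


def recv_line(sock):
    """Read one newline-terminated line from a socket; None on EOF."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    return buf.decode()[:-1]


class Broker:
    """The 'exchange': the only component that accepts inbound connections."""

    def __init__(self):
        self.srv = socket.create_server(("127.0.0.1", 0))
        self.port = self.srv.getsockname()[1]
        self.connectors = {}  # app name -> (socket, lock) of the connector that dialled out
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self.srv.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        line = recv_line(conn) or ""
        kind, _, rest = line.partition(" ")
        if kind == "CONNECTOR":
            # App side dialled out to us; keep its socket for forwarding requests later.
            self.connectors[rest] = (conn, threading.Lock())
            conn.sendall(b"REGISTERED\n")
            return
        if kind != "USER" or rest.count(" ") < 2:
            conn.close()
            return
        identity, app, req = rest.split(" ", 2)
        # Authorize every request by identity and policy, not by where it came from.
        if app not in POLICY.get(identity, set()):
            conn.sendall(f"DENY {identity} -> {app}\n".encode())
        elif app not in self.connectors:
            conn.sendall(f"UNAVAILABLE {app}\n".encode())
        else:
            csock, lock = self.connectors[app]
            with lock:  # one in-flight request per connector link
                csock.sendall((req + "\n").encode())
                reply = recv_line(csock) or ""
            conn.sendall((reply + "\n").encode())
        conn.close()


def start_connector(broker_port, app):
    """App-side connector: dials OUT to the broker and serves requests over that link."""
    sock = socket.create_connection(("127.0.0.1", broker_port))
    sock.sendall(f"CONNECTOR {app}\n".encode())
    if recv_line(sock) != "REGISTERED":
        raise RuntimeError("broker did not accept connector registration")

    def serve():
        while True:
            req = recv_line(sock)
            if req is None:
                break
            sock.sendall((APPS[app](req) + "\n").encode())

    threading.Thread(target=serve, daemon=True).start()


def request(broker_port, identity, app, req):
    """User side: every access goes to the broker, never to an app address."""
    with socket.create_connection(("127.0.0.1", broker_port)) as sock:
        sock.sendall(f"USER {identity} {app} {req}\n".encode())
        return recv_line(sock)


def port_open(host, port):
    """Cheap connect() probe, the way a scanner discovers an exposed listener."""
    try:
        with socket.create_connection((host, port), timeout=0.5):
            return True
    except OSError:
        return False


def demo():
    """Wire up broker and connectors, then exercise allowed and denied requests."""
    broker = Broker()
    for app in APPS:
        start_connector(broker.port, app)
    return {
        "broker_reachable": port_open("127.0.0.1", broker.port),
        "alice_payroll": request(broker.port, "alice", "payroll", "run-march"),
        "alice_wiki": request(broker.port, "alice", "wiki", "home"),
        "mallory_payroll": request(broker.port, "mallory", "payroll", "run-march"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The only socket a scanner can find is the broker's; the payroll and wiki "apps" never bind a port, so a port scan of the app host reveals nothing. Alice reaches payroll because policy permits it, is denied wiki even though she is authenticated, and an unknown identity is denied outright: authorization is per request and per application, not "verified once, trusted everywhere."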

Many organizations need zero trust but are unsure of the best way to implement it. Tune in to our webinar, Why Firewalls Cannot Do Zero Trust, to understand what zero trust is, what it isn't, and best practices for implementation.

Webinar dates:

  • Americas: Tuesday, March 8, 2022 | 11:00 AM PT | 2:00 PM ET
  • EMEA: Wednesday, March 9, 2022 | 10:00 AM GMT | 11:00 AM CET
  • APJ: Wednesday, March 9, 2022 | 10:00 AM IST | 3:30 PM AEDT