
Why Next-Generation Firewalls Can Never Be Proxies: The Right Architecture Matters

On rare occasions, a company has the vision, tenacity, execution—and a helping of luck—to think differently about a significant challenge and effect change across an industry. Once upon a time, the rise of enterprise apps led to the introduction of the next-generation firewall, which was needed in a time when the traditional castle-and-moat security model still made sense. It was the right idea at the right time, and it changed the face of network security.

Today, we are at a similar inflection point: the massive acceleration in cloud adoption and digital transformation over the past year has obliterated the perimeter, with apps, users, and workloads everywhere. In today’s cloud- and mobile-first world, traditional approaches to network security have become irrelevant, with enterprises looking for a revolutionary change to get better cyberthreat and data protection, not simply incremental advancements. Unlike the evolutionary shift from traditional firewalls to NGFW, it’s time for an architecture that redefines the fabric of the WAN and recognizes how the internet is becoming the new corporate network—and that the center of gravity has shifted from the data center to the cloud. We can’t apply approaches that once worked for the perimeter in today’s world.

And just like those that came before them, legacy vendors are trying to maintain relevance by lifting and shifting their traditional products to the cloud, without any fundamental change in architecture, outside of losing the fans and physical network ports. It’s great to see firewall vendors recognize the importance of a proxy architecture, with some starting to bolt them on for traffic redirection to their “firewalls in the cloud,” negating the core performance and security benefits of a cloud-native, true edge, highly scalable proxy architecture.

When we started our journey to redefine networking and security more than a decade ago, our key insight was the need for a comprehensive, cloud-native architecture built around a true proxy, acting as an exchange between employees, clouds, customers, and partners. When done right, you can inspect all transactions across all traffic, including SSL, at wire speed. Creating a strong door at the edge of your perimeter or data center no longer works—and in this blog series, I’ll share my perspective on why architecture matters for today’s cloud-first, digitally transformed world:

  1. Without proper inspection, you have no security. True proxies like Zscaler’s Zero Trust Exchange offer complete threat and data loss protection by terminating every connection for full inline inspection, including across all SSL/TLS traffic. Unlike approaches that employ proxies as simple traffic forwarders to firewall-based passthrough architectures, our platform applies AI-powered analytics along with threat and data leakage signatures on a packet-by-packet basis until a conclusive verdict can be determined, all at line rate.

    As all firewalls are stream-based, it takes a certain number of packets to enact policy, allowing command-and-control, data, or even malicious payloads to leak through like a sieve before action can be taken. Our true proxy architecture doesn’t allow a single packet to leak through, and further enables our platform to hold and quarantine unknown files for inspection, stopping the barrage of unknown malware released by attackers every day. Without proper inspection, sophisticated attackers can use this “low and slow” packet leakage or lack of patient-zero protection to devastating effects.
     
  2. A true cloud-native architecture, not a lift-and-shift. Unlike architectures based on single-tenant virtual appliances deployed in the public cloud, Zscaler’s cloud-native, multitenant platform was purpose-built to handle billions of transactions, process trillions of signals with AI/ML, inspect an unlimited volume of encrypted traffic, and support the world’s largest enterprises with proven scale, performance, and transparent SLAs you can trust. With virtual firewall approaches, once the limited SSL inspection capacity is reached, customers need to decide between no security or no connection, which could never happen with a true proxy architecture.

    Aligned with the foundation of Gartner’s secure access service edge (SASE) framework, our platform processes all traffic in a single pass across all capabilities, not a daisy chain of proxies for traffic-forwarding, legacy virtual firewall appliances for policy, and yet another proxy for data loss prevention. Complexity is the enemy of good security, and a lack of native integration across different technology stacks inevitably results in poor performance, security, and reliability.
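To make the first point concrete, here is an added simulation (my own illustration, not Zscaler's code or any vendor's engine) contrasting a pass-through inspector that forwards each packet as soon as it has been checked with a terminating proxy that buffers the whole object before reaching a verdict. The signature and the multi-packet response are constructed for the demo; real engines carry far richer logic, but the ordering problem is the same.

```python
from typing import List, Tuple

# Constructed signature for the demo; a real engine carries thousands.
SIGNATURE = b"EVIL-PAYLOAD"


def stream_inspect(packets: List[bytes]) -> Tuple[bytes, bool]:
    """Stream-based (pass-through) inspection.

    Each packet is matched against the signature and then forwarded at once.
    A short tail of earlier bytes is kept so a signature straddling a packet
    boundary is still seen, but every packet that arrived before the match
    has already been delivered. Returns (bytes delivered, blocked)."""
    delivered, window = b"", b""
    for pkt in packets:
        window += pkt
        if SIGNATURE in window:
            return delivered, True          # verdict reached, but late
        delivered += pkt                    # no verdict yet: packet leaks
        window = window[-(len(SIGNATURE) - 1):]
    return delivered, False


def proxy_inspect(packets: List[bytes]) -> Tuple[bytes, bool]:
    """Terminating-proxy inspection.

    The proxy owns the connection, so it holds the whole object and forwards
    it only after a conclusive verdict. Nothing is delivered when blocked."""
    body = b"".join(packets)
    if SIGNATURE in body:
        return b"", True
    return body, False


def leaked_bytes(packets: List[bytes]) -> int:
    """Bytes the stream inspector let through before it could block."""
    delivered, blocked = stream_inspect(packets)
    return len(delivered) if blocked else 0


if __name__ == "__main__":
    # Constructed multi-packet response: the signature is split across
    # packets 3 and 4, so packets 1-3 are forwarded before the match.
    response = [b"GET-RESPONSE-HEADER\r\n", b"stage1:config-data|",
                b"stage2:EVIL-PAY", b"LOAD-rest"]
    print("stream:", stream_inspect(response))   # 55 bytes leaked, then blocked
    print("proxy: ", proxy_inspect(response))    # nothing delivered, blocked
```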

As digital transformation makes traditional network security irrelevant, we will continue to accelerate our pace of innovation in cloud security—all built on a true cloud-native proxy architecture. We welcome new entrants to the proxy revolution as further validation that the cloud—not the network—is the future of digital business. We’ve been here for a while, and know that healthy competition is always good for those we care about most, our customers. We encourage everyone to get more information on our Zero Trust Exchange and why it resulted in Zscaler being the only Leader in the 2020 Gartner Magic Quadrant for Secure Web Gateways.

In my next blog posts, I’ll cover why NGFWs, even those in the cloud, can never implement a zero trust architecture, why it takes cloud-hosted virtual firewalls six to nine months to be updated with the latest capabilities, and what a robust cloud-native edge should look like.

The right architecture makes all the difference.
