What is firewall as a service?
Firewall as a service (FWaaS) refers to a cloud firewall that delivers advanced Layer 7/next-generation firewall (NGFW) capabilities, including access controls, such as URL filtering, advanced threat prevention, intrusion prevention systems (IPS) and DNS security.
FWaaS is not simply about virtualizing appliances. FWaaS enables organizations to eliminate firewall appliances and simplify their IT infrastructure. Centralized management from a single console removes the change control, patch management, outage-window coordination, and policy management burdens associated with NGFW appliances, while delivering consistent policies across the organization wherever users connect.
The rise of FWaaS
Backhauling traffic to an NGFW at a corporate or regional data center made sense when applications resided in the corporate data center, and the majority of workers were found in corporate or regional offices. However, applications began moving out of the data center and into the cloud, and organizations had increasing numbers of remote branches and workers. The workforce moved off the corporate network and began connecting from everywhere, making traditional approaches to networking and security, including the NGFW, insufficient. That’s because NGFWs, just like other appliances, were never designed with the cloud in mind.
The trouble with NGFWs
Cloud applications, such as Salesforce and Microsoft Office 365, were designed to be accessed directly via the internet. Therefore, internet traffic must be routed locally to deliver a fast user experience. Routing traffic back to NGFWs in corporate data centers to egress to the internet no longer makes sense.
However, applying traditional security approaches to local internet breakouts means organizations would need to replicate the corporate security stack at every location. This requires deploying NGFWs or stacks of security appliances in every branch office, an option that is simply not viable in terms of the cost and complexity of deploying and managing them all.
As stated earlier, NGFWs were never designed to support cloud applications. NGFWs are easily overwhelmed by cloud apps because they cannot scale to support the high volume of long-lived connections the apps create. They also cannot natively handle SSL-encrypted traffic. This has become increasingly important with the exponential growth in encrypted traffic during the past several years. To perform SSL inspection, NGFWs must bolt on proxy capabilities that do the decryption and inspection in software rather than at the chip level. This has a significant impact on performance and results in a negative user experience.
Better in the cloud
As organizations embrace a cloud-first approach, they still need to deliver enterprise firewall capabilities across the organization for all users and all locations. Unfortunately, NGFWs were architected more than a decade ago and are not designed to support cloud applications or the dynamic requirements of the cloud-first enterprise. And, their virtual firewall counterparts have many of the same limitations and challenges as traditional NGFW appliances. It makes sense that as applications are moving to the cloud, your firewalls move to the cloud as well.
Cloud FWaaS allows organizations to establish secure local breakouts for all applications without security appliances to buy, deploy, or manage. Security capabilities, including full Layer 7 firewall, are delivered as a cloud service that scales elastically to handle SSL inspection, growing bandwidth and user demands, and cloud application traffic with long-lived connections. Centralized management from a single console enables organizations to deliver identical protection for any user, on any device, wherever they connect—whether they are at the corporate office, visiting a local branch, or working from home.
FWaaS (also known as Cloud Firewall in Zscaler parlance) provides multiple benefits over NGFWs, including:
- Proxy-based architecture—This design dynamically inspects traffic for all users, applications, devices, and locations. It natively inspects SSL/TLS traffic—at scale—to detect malware hidden in encrypted traffic. And it enables granular firewall policies spanning multiple layers based on network app, cloud app, domain name (FQDN), and URL. A proxy-based architecture is required to stop today's advanced threats.
- Cloud IPS—A cloud-based intrusion prevention system (IPS) delivers always-on threat protection and coverage, regardless of connection type or location. It inspects all user traffic on- and off-network, even hard-to-inspect SSL traffic, to restore full visibility into user, app, and internet connections.
- DNS security and control—As the first line of defense, a cloud-based firewall protects users from reaching malicious domains. It optimizes DNS resolution to provide a better user experience and cloud application performance, which is especially critical for CDN-based apps. And it provides granular controls to detect and prevent DNS tunneling.
- Visibility and simplified management—A cloud-based firewall delivers real-time visibility, control, and immediate policy enforcement across the platform. It logs every session in detail, and uses advanced analytics to correlate events and provide insight into threats and vulnerabilities for all users, applications, and locations from a single console.
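The DNS tunneling detection named in the DNS security bullet, as an added example that is not part of the original page or of Zscaler's product: a small Python detector scores constructed resolver log lines on query length, label entropy and record type, then alerts per base domain when suspicious queries spread across many distinct subdomains. The thresholds, the two-label base-domain rule and the sample log are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, "<client_ip> <qtype> <qname>"; not real traffic.
SAMPLE_DNS_LOG = """\
10.0.0.5 A www.example.com
10.0.0.7 TXT 4a6f686e2d446f65.3a2f2f7061737377.t.exfil-test.invalid
10.0.0.7 TXT 5468697320697320.6120746573742e21.t.exfil-test.invalid
10.0.0.7 TXT 6e6f74207265616c.6c79207365637265.t.exfil-test.invalid
10.0.0.7 TXT 4d6f726520646174.6120686572652e2e.t.exfil-test.invalid
10.0.0.9 A mail.example.com
"""

def shannon_entropy(text):
    """Bits per character: encoded payload chunks score high, hostnames low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname):
    """(subdomain, base); assumption: base is the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def query_indicators(qtype, qname):
    """Per-query tunneling indicators; thresholds are assumed, not vendor values."""
    subdomain, _ = split_name(qname)
    hits = []
    if len(qname) > 52:                 # tunnels pack data into long names
        hits.append("long_qname")
    if shannon_entropy(subdomain.replace(".", "")) > 3.0:  # hex/base32 chunks
        hits.append("high_entropy_labels")
    if qtype in ("TXT", "NULL"):        # record types that carry bulk data back
        hits.append("data_carrying_qtype")
    return hits

def detect_dns_tunneling(log_text, min_score=2, min_unique=3):
    """Alert per base domain when suspicious queries use many distinct subdomains."""
    stats = defaultdict(lambda: {"subdomains": set(), "reasons": set()})
    for line in log_text.splitlines():
        _client, qtype, qname = line.split()
        hits = query_indicators(qtype, qname)
        if len(hits) >= min_score:
            subdomain, base = split_name(qname)
            stats[base]["subdomains"].add(subdomain)
            stats[base]["reasons"].update(hits)
    return {base: sorted(s["reasons"]) for base, s in stats.items()
            if len(s["subdomains"]) >= min_unique}
```

Unique-subdomain counting is what separates a tunnel from a single odd-looking query; per-client rates and a public-suffix list would be the next refinements in a real pipeline.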
See the difference for yourself
Shouldn’t you be moving your firewalls and security to the cloud? Request a demo to learn how cloud firewall as a service can provide greater security and agility for your organization.