You have been deploying NGFWs as appliances to protect your computers, systems and network. In most cases you have used physical or virtual versions of these firewalls, deployed on premises or in the cloud. Either way, you have had to support them throughout the entire life-cycle of the appliance.
 
If you had networks spread over distributed locations, then you needed dedicated appliances that had to be sized and upgraded to accommodate your business growth. You did the upgrades and patching of those appliances yourself, and you had to do 'policy management' for each device separately.
 
Nowadays, most security vendors have come up with a new and revolutionary way of delivering firewall and other network security capabilities as a cloud service, viz., Firewall as a Service (FWaaS).
-
 

👉 What is a FWaaS?

FWaaS is a new type of next-generation firewall. It truly removes the physical appliance from the equation. It provides you with important network security features such as URL Filtering, IPS, Access Management, Analytics, Managed Detection and Response, DNS Security, ATP, etc., and makes them available EVERYWHERE. In essence, your entire organization is connected to a single, logical GLOBAL firewall with a unified application-aware security policy. FWaaS has been highlighted as an emerging infrastructure protection technology with a high impact benefit rating.
 
You can now enforce comprehensive security policies and threat prevention on both WAN and Internet-bound traffic, across all users and applications of your company.
 
Being cloud-based, FWaaS offers you ONE BIG advantage: it has the ability to scale nearly 'instantaneously' to suit an expanding network. Therefore, it can be molded according to the size, configuration, demand, and unique security needs of your network.
 
If you are not yet clear about what a FWaaS is, then kindly note that it is not simply about virtualizing your NGFW appliances. In fact, it enables you to ELIMINATE all your firewall appliances and simplifies your IT infrastructure. When you use the 'Centralized Management' console, it eliminates all the challenges regarding -- change control, patch management, coordinating outage windows, policy management, etc. It delivers consistent policies across your entire organization whenever your users connect.
 
-

👉👉👉 There Is A Profound Logic!

 
When all of your major software applications resided in your corporate data-center, you deployed your NGFW at that data-center. All you needed was to backhaul all your internet traffic (HQ, branches, etc.) to the NGFW at your data-center, so that it could be filtered there.
 
The same arrangement and approach also served you well when the majority of your employees or users were located in your corporate or regional offices. You would do the same, i.e., backhaul all the traffic to the NGFW at your data-center. Right?
 
But the last few years have changed the scenario entirely. Now a large number of your applications, such as Microsoft Office 365, Salesforce, and many others, have already moved to the cloud. Your employees and users are working from remote branches or from their homes. They have moved off the corporate network and begun connecting from everywhere. All this has made traditional approaches to networking and security, including the NGFW, insufficient, because NGFWs, just like other appliances, were never designed with the cloud in mind.
 
Like a large number of companies, you might have already found out that -- because many of your applications and data are now run and managed on third-party infrastructure -- YOU no longer have full VISIBILITY into, or control over, your entire network.
 
You might have also found that -- since your company and your cloud providers share MUTUAL RESPONSIBILITY for ensuring security in cloud environments -- your company needs to realize that it cannot just depend on the cloud providers to oversee all of your security. You have to find a way to do that yourselves.
 
As I mentioned above, so many cloud applications, such as Salesforce, Microsoft Office 365, etc., were designed to be accessed directly from the cloud via the internet. Therefore, internet traffic must be routed locally to deliver a fast user experience. That's why routing traffic back to NGFWs in corporate data centers to egress to the internet no longer makes sense.
 
Additionally, applying traditional security approaches to local branches (with a local ISP) means that your organization would need to replicate your entire corporate 'Security stack' at every branch location too. This requires deploying NGFWs or stacks of security appliances in every branch office, an option that is simply not viable in terms of the cost and complexity of deploying and managing them all. The irony is that your company would still be forced to backhaul all the traffic to your corporate data-center... resulting in unnecessary LATENCY at all levels.
 
As stated earlier, NGFWs were never designed to support cloud applications. Most NGFWs are easily overwhelmed by cloud apps because they cannot scale to support the high volume of long-lived connections the apps create.
 
They also cannot natively handle SSL-encrypted traffic. This has become increasingly important with the exponential growth in encrypted traffic during the past several years. To execute SSL inspection, NGFWs must bolt-on proxy capabilities that execute SSL inspection in software, rather than at the chip level. This has a significant impact on performance and results in a negative user experience.
Unfortunately, NGFWs were architected more than a decade ago and were not designed to support cloud applications or the dynamic requirements of the cloud-first enterprise. And their virtual firewall counterparts have many of the same limitations and challenges as traditional NGFW appliances.
 
It makes sense that as applications are moving to the cloud, your firewalls move to the cloud as well.
 
-
 

👉 How does a FWaaS work?

 
First, a FWaaS is still a Next Generation Firewall.
 
It still filters the network traffic to safeguard your organisation from inside and outside threats. All features of a stateful firewall are still available to you, e.g.,
  • Packet Filtering
  • Network Monitoring
  • IPSec
  • SSL VPN support
  • IP Mapping, etc.
 
However, FWaaS also has deeper 'Content Inspection' capabilities that include the ability to identify malware attacks and other threats.
 
FWaaS is positioned between your network and the internet. As traffic attempts to enter your network, the FWaaS solution inspects it to detect and address threats. The inspection analyzes the information contained in the header of each data packet, gathering insight into where the packet came from and other behaviors that may signal if it is malicious.
 
There is one more feature of FWaaS which is profound... A FWaaS can look at the data within the packet.
 
I have seen most NGFWs struggling with Deep Packet Inspection (DPI), because this consumes so much of the firewall appliance's processing power. I have seen a large number of network admins switching this feature off to improve the performance of their network and reduce latency.
 
Since FWaaS is cloud-based, bandwidth and 'processing power' are not an issue. You now have the ability to go for DPI at full scale. This kind of deep packet inspection (DPI) can alert your security team to dangerous packets that carry innocent-looking information in their headers. If malicious packets are observed, you can mitigate them in time.
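To make the two inspection stages described above concrete (header-only checks on source address and port, then DPI on the payload itself), here is an added Python example; it is not code from the post or from any FWaaS product. It parses a constructed IPv4+TCP packet, applies header rules first, and only then searches the application payload for byte signatures. The blocklist, allowed ports and signatures are constructed for the example, and checksums are left at zero because nothing on the wire verifies them here.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy data for the example (not taken from any real deployment).
BLOCKED_SOURCES = {"203.0.113.7"}      # TEST-NET-3 address used as a stand-in
ALLOWED_TCP_PORTS = {80, 443}
DPI_SIGNATURES = [
    # (rule name, byte pattern searched for in the payload) -- constructed examples
    ("path-traversal-in-request", b"../../"),
    ("sensitive-file-request", b"/etc/passwd"),
]


@dataclass
class PacketInfo:
    src_ip: str
    dst_ip: str
    protocol: int             # 6 = TCP, 17 = UDP
    src_port: Optional[int]
    dst_port: Optional[int]
    payload: bytes            # application data after the L4 header


def parse_ipv4(raw: bytes) -> PacketInfo:
    """Decode the IPv4 header and, for TCP/UDP, the port numbers and payload."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    total_length = struct.unpack("!H", raw[2:4])[0]
    protocol = raw[9]
    src_ip = socket.inet_ntoa(raw[12:16])
    dst_ip = socket.inet_ntoa(raw[16:20])
    l4 = raw[ihl:min(total_length, len(raw))]
    src_port = dst_port = None
    payload = l4
    if protocol == 6 and len(l4) >= 20:        # TCP: data offset lives in byte 12
        src_port, dst_port = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]
    elif protocol == 17 and len(l4) >= 8:      # UDP: fixed 8-byte header
        src_port, dst_port = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
    return PacketInfo(src_ip, dst_ip, protocol, src_port, dst_port, payload)


def inspect(pkt: PacketInfo) -> Tuple[str, str]:
    """Stage 1: header-only rules (what a stateful firewall sees).
    Stage 2: deep packet inspection of the payload."""
    if pkt.src_ip in BLOCKED_SOURCES:
        return "block", "header: source address on blocklist"
    if pkt.protocol == 6 and pkt.dst_port not in ALLOWED_TCP_PORTS:
        return "block", f"header: TCP port {pkt.dst_port} not permitted"
    for name, pattern in DPI_SIGNATURES:
        if pattern in pkt.payload:
            return "block", f"dpi: matched signature '{name}'"
    return "allow", "no rule matched"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4+TCP packet (checksums left zero) for testing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def verdict_for(raw: bytes) -> Tuple[str, str]:
    return inspect(parse_ipv4(raw))


if __name__ == "__main__":
    # Constructed sample packets: only the last one needs DPI to be caught.
    samples = {
        "benign https": build_ipv4_tcp("10.0.0.5", "198.51.100.10", 51000, 443, b"\x16\x03\x01"),
        "blocked source": build_ipv4_tcp("203.0.113.7", "198.51.100.10", 51001, 443, b"hello"),
        "telnet attempt": build_ipv4_tcp("10.0.0.5", "198.51.100.10", 51002, 23, b""),
        "traversal in http": build_ipv4_tcp("10.0.0.5", "198.51.100.10", 51003, 80,
                                            b"GET /../../etc/passwd HTTP/1.1\r\n"),
    }
    for label, raw in samples.items():
        print(f"{label:20s} -> {verdict_for(raw)}")
```

The last sample is the case the post is making: its header is indistinguishable from ordinary web traffic to port 80, so only the payload stage can flag it, and that stage is exactly the one admins tend to disable on an overloaded appliance.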
 
With some FWaaS offerings, you also can get machine-learning (ML) tools that can identify novel, zero-day threats that have never been encountered before. This is done by analyzing how the data packets behave and looking for anomalous and potentially dangerous behavior.
 
-
 

👉 Thinking in terms of Technical Benefits of FWaaS

 
From the perspective of comparing FWaaS with next-gen firewalls (NGFW) directly, you gain the following benefits:
 
1. Proxy-based Architecture
 
This design dynamically inspects traffic for all your users, all applications, all devices, and all locations. It natively inspects SSL/TLS traffic, at scale, to detect malware hidden in encrypted traffic. And it enables granular firewall policies spanning multiple layers based on network app, cloud app, domain name (FQDN), and URL. A proxy-based architecture is required to stop today's advanced threats.
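The multi-layer policy mentioned above (network app, cloud app, FQDN and URL in one rule set) can be shown as a small first-match evaluator. This is an added Python example, not code from the post or from any vendor's policy engine; the rules, groups and hostnames in it are constructed. It also shows one edge case that matters once FQDN rules are allowed: a domain-suffix match has to respect label boundaries, or "notsalesforce.com" would satisfy a rule written for "salesforce.com".

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    user_group: str           # identity attached to the session
    network_app: str          # protocol identified on the wire, e.g. "https", "ssh"
    cloud_app: Optional[str]  # SaaS identity the proxy derives, e.g. "salesforce"
    url: str                  # full URL visible after TLS inspection


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    groups: Optional[Set[str]] = None             # None means "any"
    network_apps: Optional[Set[str]] = None
    cloud_apps: Optional[Set[str]] = None
    fqdn_suffixes: Optional[Set[str]] = None
    url_path_prefixes: Optional[Set[str]] = None


def fqdn_matches(fqdn: str, suffix: str) -> bool:
    """Match a host against a domain suffix on label boundaries only."""
    fqdn, suffix = fqdn.lower().rstrip("."), suffix.lower().rstrip(".")
    return fqdn == suffix or fqdn.endswith("." + suffix)


def rule_matches(rule: Rule, req: Request) -> bool:
    """Every criterion the rule specifies must match; unspecified ones are wildcards."""
    parts = urlsplit(req.url)
    host, path = (parts.hostname or ""), (parts.path or "/")
    if rule.groups is not None and req.user_group not in rule.groups:
        return False
    if rule.network_apps is not None and req.network_app not in rule.network_apps:
        return False
    if rule.cloud_apps is not None and req.cloud_app not in rule.cloud_apps:
        return False
    if rule.fqdn_suffixes is not None and not any(fqdn_matches(host, s) for s in rule.fqdn_suffixes):
        return False
    if rule.url_path_prefixes is not None and not any(path.startswith(p) for p in rule.url_path_prefixes):
        return False
    return True


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is blocked (default deny)."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "block", "default-deny"


# Constructed policy for the example. Order matters: the narrow block rule for
# /admin sits above the broader allow for the same intranet host.
POLICY = [
    Rule("block-admin-paths", "block", fqdn_suffixes={"intranet.example.com"},
         url_path_prefixes={"/admin"}),
    Rule("allow-intranet", "allow", network_apps={"https"}, fqdn_suffixes={"intranet.example.com"}),
    Rule("allow-sales-crm", "allow", groups={"sales"}, cloud_apps={"salesforce"},
         fqdn_suffixes={"salesforce.com"}),
    Rule("allow-m365-login", "allow", network_apps={"https"},
         fqdn_suffixes={"login.microsoftonline.com"}),
    Rule("block-ssh-internet", "block", network_apps={"ssh"}),
]


if __name__ == "__main__":
    reqs = [
        Request("sales", "https", "salesforce", "https://eu1.salesforce.com/home"),
        Request("engineering", "https", "salesforce", "https://eu1.salesforce.com/home"),
        Request("sales", "https", None, "https://notsalesforce.com/login"),
        Request("hr", "https", None, "https://intranet.example.com/admin/users"),
        Request("hr", "https", None, "https://intranet.example.com/wiki"),
        Request("engineering", "ssh", None, "ssh://build.example.net/"),
    ]
    for r in reqs:
        print(f"{r.user_group:12s} {r.url:45s} -> {evaluate(POLICY, r)}")
```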
 
2. Cloud IPS
 
A cloud-based intrusion prevention system (IPS) delivers always-on threat protection and coverage, regardless of connection type or location. It inspects all user traffic on- and off-network, even hard-to-inspect SSL traffic, to restore full visibility into user, app, and internet connections.
 
3. DNS Security and Control
 
As the first line of defense, a cloud-based firewall protects your users from reaching malicious domains. It optimizes DNS resolution to provide a better user experience and cloud application performance, which is especially critical for CDN-based apps. And it provides granular controls to detect and prevent 'DNS tunneling.'
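The 'DNS tunneling' control mentioned above is, at its core, a detection over query logs: a tunnel encodes data in subdomain labels, so one registered domain suddenly receives many unique, long, high-entropy subdomains (often as TXT queries). Here is an added Python example of that heuristic run over a constructed query log; it is not code from the post or from any FWaaS product. The log lines, domain names and thresholds are constructed for the example, and the registered-domain split simply takes the last two labels (a production version would use the Public Suffix List).

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed DNS query log for the example: "<client> <qtype> <qname>" per line.
# The tunnel-example.net entries imitate data encoded into subdomain labels.
SAMPLE_LOG = """\
10.0.0.11 A www.example.com
10.0.0.11 A mail.example.com
10.0.0.12 A www.example.com
10.0.0.12 A www.example.com
10.0.0.11 A login.microsoftonline.com
10.0.0.12 A login.microsoftonline.com
10.0.0.13 A login.microsoftonline.com
10.0.0.13 A d3k9x2.cdn-example.org
10.0.0.13 A d3k9x2.cdn-example.org
10.0.0.14 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjavaxe3.tunnel-example.net
10.0.0.14 TXT nfxgw4tpnvsws3tfnqqg64tgn4qgw4tfmfwwk4tzonuw2zjr.tunnel-example.net
10.0.0.14 TXT orsxg5bamfxgiidbnzsgk4tjnfxsa33gebqsaztpnvqxi5dt.tunnel-example.net
10.0.0.14 TXT ou3wi2lumvzsa5lqebrwc3tooqqgeyjanvqwizlomfwgy6to.tunnel-example.net
10.0.0.14 TXT pjqw4zbamj2xi5dpnvqxizlshiqgk3tdn5sgk3bamv3gk4tz.tunnel-example.net
10.0.0.14 TXT qz4w4idtn5wwkidtnvqwy3bawn5w2icdmfxgiidlmvsxg3lf.tunnel-example.net
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of the string; random-looking encodings score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> Tuple[str, str]:
    """Naive split into (registered domain, subdomain part) using the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(log_text: str) -> Dict[str, dict]:
    """Aggregate per-registered-domain features from the query log."""
    per_domain = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set(),
                                      "lengths": [], "entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                       # skip malformed lines
        _client, qtype, qname = parts
        domain, sub = split_qname(qname)
        d = per_domain[domain]
        d["queries"] += 1
        if qtype.upper() == "TXT":
            d["txt"] += 1
        if sub:
            d["subdomains"].add(sub)
            d["lengths"].append(len(sub))
            d["entropies"].append(shannon_entropy(sub.replace(".", "")))
    stats = {}
    for domain, d in per_domain.items():
        n = d["queries"]
        stats[domain] = {
            "queries": n,
            "unique_ratio": len(d["subdomains"]) / n,
            "mean_sub_len": sum(d["lengths"]) / len(d["lengths"]) if d["lengths"] else 0.0,
            "mean_entropy": sum(d["entropies"]) / len(d["entropies"]) if d["entropies"] else 0.0,
            "txt_ratio": d["txt"] / n,
        }
    return stats


def flag_tunneling(stats: Dict[str, dict], min_queries: int = 5, min_unique_ratio: float = 0.8,
                   min_len: float = 20.0, min_entropy: float = 3.0) -> List[str]:
    """A domain is suspicious when nearly every query carries a new subdomain AND
    those subdomains are long or high-entropy. The query floor keeps one-off
    CDN-style hostnames from being flagged on two lookups."""
    flagged = []
    for domain, s in stats.items():
        if s["queries"] < min_queries or s["unique_ratio"] < min_unique_ratio:
            continue
        if s["mean_sub_len"] >= min_len or s["mean_entropy"] >= min_entropy:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    profile = profile_domains(SAMPLE_LOG)
    for domain, s in profile.items():
        print(f"{domain:24s} q={s['queries']:2d} uniq={s['unique_ratio']:.2f} "
              f"len={s['mean_sub_len']:5.1f} H={s['mean_entropy']:.2f} txt={s['txt_ratio']:.2f}")
    print("flagged:", flag_tunneling(profile))
```

The thresholds are deliberately loose so the logic stays readable; in practice you would tune them per environment and keep an allowlist for legitimate services that also generate many unique hostnames (CDNs, telemetry, some anti-virus update channels).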
 
4. Visibility and Simplified Management
 
A cloud-based firewall delivers real-time visibility, control, and immediate policy enforcement across the platform. It connects your entire organization to a single, logical global FWaaS with a unified application-aware security policy.
 
It logs every session in detail, and uses advanced analytics to correlate events and provide insight into threats and vulnerabilities for all users, applications, and locations from a single console.
 
5. Elasticity
 
Delivered as a cloud service, FWaaS removes all appliance capacity concerns, and eliminates the hassle associated with upgrading multiple firewalls.
-
 
Kindly write 💚 your comments 💚 on the posts or topics, because when you do that you help me greatly in ✍️ designing new quality articles/posts on cybersecurity.
 
You can also share with all of us if the information shared here helps you in some manner.
 
Life is short, so make the most of it!
 
Also take care of yourself and your beloved ones…
 
With thanks,
Meena R.
_________

This article was written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.

34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook. 

If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:

Click Here to follow her: Cybersecurity PRISM