Firewall as a Service Comes of Age
June 19, 2017
In a 2016 Hype Cycle for Infrastructure Protection report, Gartner Analyst Jeremy D’Hoinne initiated the emerging category of Firewall as a Service (FWaaS). FWaaS is a cloud-based architecture that eliminates the need to deploy firewalls on-premises, mainly in remote branches, in order to provide site-to-site connectivity and secure Internet access.
Cato Networks is a pioneer of a new architecture that provides FWaaS as part of a broader WAN transformation platform. The Cato Cloud converges WAN Optimization, SD-WAN, a global SLA-backed backbone and network security (FWaaS) into a single cloud service. The convergence of security and networking domains accelerates the hard and soft benefits organizations can extract from their WAN transformation through gradual deployment. These include: MPLS cost reduction through augmentation and replacement, improved global latency and network performance, branch appliance footprint reduction, and the extension of the WAN to cloud datacenters and mobile users.
Palo Alto Networks has recently announced a new FWaaS offering: GlobalProtect Cloud Service. This is the first time an established firewall vendor that had built its business on selling appliances is offering its core platform as a cloud service. It is a significant validation of the evolution network security must and will take. As Palo Alto notes in its product announcement, a FWaaS solution alleviates the cost, complexity and risk associated with deploying and maintaining appliances.
Details on the underlying architecture of the new offering are scarce. Simply sticking appliances into a “cloud” isn’t sufficient to effectively deliver a FWaaS in a way that is affordable and scalable. Using appliances in the cloud shifts the burden from the customer to the cloud provider, and the customer will ultimately have to pay the price for that overhead. Furthermore, the single-tenant design of network security appliances makes it difficult to support a large number of tenants in a scalable way.
This is why Cato chose to develop its converged cloud service from scratch. We do not use third-party appliances in our service: no firewalls, no routers and no WAN optimizers. We have built a completely new software stack that is designed for the cloud: multi-tenant, globally distributed, and with redundancy and scalability built in by design.
As noted earlier, we view Firewall as a Service as a pillar of a broader platform that simplifies and streamlines IT by eliminating multiple point solutions and service providers. Palo Alto Networks uses a firewall in the cloud, and customers must procure reliable global WAN connectivity. Ultimately, the primary use case for Palo Alto’s new service is a secure web gateway and not a full-blown replacement of edge firewalls, for example where WAN security and connectivity are required.
Overall, Cato is thrilled to see the industry following the path we blazed towards the cloudification of both networking and security functions. The race to maximize customer value delivery is on.