Firewall as a Service vs UTM

April 23, 2018

Every organization eventually needs to re-evaluate its existing firewall vendors. The trigger can be a vendor EoL (End of Life) announcement, budget constraints, product limitations, a pending hardware refresh, or some other unavoidable consideration. In these situations, network managers need to evaluate the state of their vendor's firewall and the future viability of the security software and hardware behind it.

Many organizations have migrated from traditional firewalls by investing in NGFWs (Next Generation Firewalls). NGFWs emerged more than a decade ago in response to enterprises that wanted to combine traditional port and protocol filtering with the ability to identify and control application-layer traffic. UTM (Unified Threat Management) appliances date from the same period but took a different path, aimed at small and midsize businesses: they bundle firewall functionality with anti-malware, anti-spam, and content filtering in a single appliance.

However, enterprise networks have evolved with the rise of cloud services and mobile users. UTMs were not designed to secure cloud infrastructure, so a new class of security product was created for it: the Cloud Access Security Broker (CASB). A CASB sits between the organization's users and its cloud providers and enforces the organization's security policies on that traffic. This left security controls fragmented, and mobile users were still not addressed. It also created administration and maintenance issues: appliances eventually run into capacity constraints and vendor EoL cycles, and appliance sprawl, together with the overhead of configuring, patching, and upgrading appliances at each location, is a constant headache. Rather than taking a patchwork approach to these issues, Firewall as a Service (FWaaS) offers an alternative, comprehensive solution.

How Firewall as a Service Works

The essence of a FWaaS solution is to provide a full network security stack in the cloud while eliminating the care and maintenance associated with traditional network security appliances. FWaaS addresses the issues above by enforcing one comprehensive security policy on Internet-bound and WAN traffic alike, for users in fixed and mobile locations. All enterprise traffic is aggregated into the cloud, so the entire organization connects to a single global firewall with a unified, application-aware security policy. FWaaS was recently recognized by Gartner as a high-impact, emerging technology in infrastructure protection. It presents a new opportunity to reduce cost and complexity, and provides a better overall security solution for enterprises.

FWaaS has four primary advantages over older solutions:

  • No capacity constraints
  • Always current: no customer-side software maintenance or vulnerability patching
  • Simplified management
  • Ability to inspect traffic across multiple networks

No Capacity Constraints

Appliances are limited by their physical capacity and by the inspection services enabled on them, and typically have an EoL cycle of 3-5 years. FWaaS scales as needed to process traffic and can take on new capabilities and countermeasures without being limited by capacity restrictions or equipment upgrades.

No Software Maintenance and Vulnerability Patching

UTM appliances require periodic maintenance windows, with the attendant risk of downtime and the attention of network staff. In contrast, a FWaaS provider handles all the updating, patching, and enhancing of the network security software. What remains on the customer side is the policy itself and whatever forwards traffic to the service; those still need to be reviewed and kept current.

Simplified Management

Firewall administrators are familiar with the challenges of maintaining consistent security policies across sites. UTM appliances are no exception: the rules on each appliance require diligent maintenance, and rule sets at different sites drift apart over time. With FWaaS, one logical rule set defines access control across enterprise resources. A single policy is centrally managed for all sites and mobile users, simplifying WAN security administration. Having a single policy also removes the per-appliance drift that produces contradictory rules between sites, the kind of inconsistency that opens security holes in the network. The single policy still has to be built deliberately rather than by concatenating the old per-site rule sets, since rules within one policy can shadow or contradict each other just as easily.
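The drift described above is checkable before a migration. The following is an added example, not code from Cato Networks or from any product: it models per-site rule sets as simplified 5-tuple rules with first-match semantics and an implicit final deny, finds packets that one site's appliance allows while another's denies, and shows why simply concatenating the site rule sets into one list produces shadowed (unreachable) rules. The site names, addresses and rules are constructed for the example.

```python
"""Check per-site firewall rule sets for disagreements and shadowing.

Added illustration, not code from Cato Networks or any product.  A rule is a
simplified 5-tuple (src CIDR, dst CIDR, protocol, dst port range, action)
evaluated first-match with an implicit deny at the end; sample data is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive (low, high) destination port range
    action: str     # "allow" or "deny"


def matches(rule: Rule, pkt) -> bool:
    """True if the packet (src, dst, proto, dport) matches the rule."""
    src, dst, proto, dport = pkt
    return (rule.proto in ("any", proto)
            and rule.ports[0] <= dport <= rule.ports[1]
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst))


def decide(rules, pkt) -> str:
    """First-match evaluation with an implicit deny when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return (outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst)))


def probe_for(rule: Rule):
    """One representative packet drawn from the rule's match space."""
    def host(cidr):
        net = ip_network(cidr)
        return str(net[0] if net.num_addresses <= 2 else net[1])
    proto = "tcp" if rule.proto == "any" else rule.proto
    return (host(rule.src), host(rule.dst), proto, rule.ports[0])


def site_disagreements(site_rules: dict):
    """Packets that one site's appliance allows while another site's denies.

    Every rule at every site contributes one probe packet, so a rule whose
    effect is not mirrored at the other sites shows up as a finding.
    """
    probes = {probe_for(r) for rules in site_rules.values() for r in rules}
    findings = []
    for pkt in sorted(probes):
        verdicts = {site: decide(rules, pkt) for site, rules in site_rules.items()}
        if len(set(verdicts.values())) > 1:
            findings.append((pkt, verdicts))
    return findings


def shadowed_rules(rules):
    """(earlier, later) name pairs where the earlier rule makes the later one unreachable."""
    return [(rules[i].name, rules[j].name)
            for j in range(len(rules)) for i in range(j)
            if covers(rules[i], rules[j])]


# Constructed sample: two branch appliances whose rule sets have drifted apart.
SITES = {
    "nyc": [
        Rule("nyc-crm-https", "10.1.0.0/16", "203.0.113.10/32", "tcp", (443, 443), "allow"),
        Rule("nyc-deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORTS, "deny"),
    ],
    "lon": [
        Rule("lon-block-crm", "10.0.0.0/8", "203.0.113.10/32", "any", ANY_PORTS, "deny"),
        Rule("lon-partner-https", "10.0.0.0/8", "203.0.113.0/24", "tcp", (443, 443), "allow"),
    ],
}

if __name__ == "__main__":
    for pkt, verdicts in site_disagreements(SITES):
        print("sites disagree on", pkt, verdicts)
    # Concatenating the per-site lists is not a single logical policy:
    # nyc's catch-all deny shadows every London rule placed after it.
    for earlier, later in shadowed_rules(SITES["nyc"] + SITES["lon"]):
        print(f"{later} is shadowed by {earlier}")
```

Run as a script, it reports that the CRM host is allowed from New York but denied from London (and the partner range the other way round), and that both London rules are unreachable in the naive merged list. The probe-based check is deliberately conservative: it only tests one packet per rule, so it finds drift that a rule introduces but will not enumerate every disagreeing packet.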

Inspecting Traffic Across Multiple Networks

Utilizing FWaaS provides full visibility into all WAN and Internet traffic. For example, traffic can be inspected for phishing attacks, inbound threats, anomalous activity by insiders, sensitive data leakage, command and control communications, and more. Because the same service sees traffic from every site and every mobile user, an indicator observed at one location can be correlated with the rest of the network, so administrators can detect threats earlier and quickly adapt their security policies as needed.

Whether deciding to upgrade existing firewalls, change firewall vendors, or move to FWaaS, it's important to consider the value of centralizing security policies and network visibility. FWaaS offers advantages over UTM firewalls and leverages advances in software and cloud technologies to deliver a wide range of network security capabilities wherever businesses need them.

Visit Cato Networks' blog for more information on FWaaS and case studies of companies that have successfully moved beyond appliance-based security solutions.

Read more about the best cloud firewall.

Dave Greenfield