The growing amount of encrypted traffic coupled with the security appliances’ limited processing power is forcing enterprises to reevaluate their branch firewalls. The appliances simply lack the capacity to execute the wide range of security functions, such as next-generation firewall (NGFW) and IPS, needed to protect the branch.
Organizations face a range of architectural choices:
- Wholesale appliance upgrades — Companies can replace their branch office appliances with new ones. It’s an easy approach, but an expensive one.
- Regional security hubs — Rather than upgrading all appliances, organizations can keep existing appliances, but instead send all traffic through a larger firewall situated in a regional hub. Fewer appliances need to be upgraded and maintained, but hubs need to be built out.
- Firewall bursting — Instead of building out a regional hub, firewall bursting leverages the cloud. As branch office appliances reach their limits, traffic gets sent or “bursted” up to a security service in the cloud. With SWGs, firewalls can burst up Internet traffic, but not WAN traffic. With Firewall as a Service (FWaaS), WAN and Internet traffic can sent to the cloud for inspection.
To help navigate those choices, we’ve put together an analysis in the below table. The table compares the approaches across eight dimensions:
- Traffic coverage — The type of traffic that can be inspected, WAN or Internet traffic.
- Deployment — The complexity of adopting the architecture
- Network architecture — The challenge of adapting the network to the approach.
- Advanced security — The strength of the security provided by the architecture
- Future proofing — The architecture’s ability to accommodate business and traffic growth.
- Upgrades — The degree to which the company must invest in upgrading their appliances to accommodate the new architecture.
- Branch firewall elimination — The degree to which the company can eliminate firewall appliances from their branch offices.
For more information about firewall as a service contact us below