Firewall Bursting: A New Approach to Scaling Firewalls

December 14, 2017

The growing amount of encrypted traffic coupled with the security appliances’ limited processing power is forcing enterprises to reevaluate their branch firewalls. The appliances simply lack the capacity to execute the wide range of security functions, such as next-generation firewall (NGFW) and IPS, needed to protect the branch.

Organizations face a range of architectural choices:

  • Wholesale appliance upgrades — Companies can replace their branch office appliances with new ones. It’s an easy approach, but an expensive one.
  • Regional security hubs — Rather than upgrading all appliances, organizations can keep their existing appliances and send all traffic through a larger firewall situated in a regional hub. Fewer appliances need to be upgraded and maintained, but hubs need to be built out.
  • Firewall bursting — Instead of building out a regional hub, firewall bursting leverages the cloud. As branch office appliances reach their limits, traffic gets sent or “bursted” up to a security service in the cloud. With secure web gateways (SWGs), firewalls can burst up Internet traffic, but not WAN traffic. With Firewall as a Service (FWaaS), both WAN and Internet traffic can be sent to the cloud for inspection.

To help navigate those choices, we’ve put together an analysis in the table below. The table compares the approaches across eight dimensions:

  • Traffic coverage — The type of traffic that can be inspected, WAN or Internet traffic.
  • Deployment — The complexity of adopting the architecture.
  • Network architecture — The challenge of adapting the network to the approach.
  • Advanced security — The strength of the security provided by the architecture.
  • Future proofing — The architecture’s ability to accommodate business and traffic growth.
  • Upgrades — The degree to which the company must invest in upgrading their appliances to accommodate the new architecture.
  • Branch firewall elimination — The degree to which the company can eliminate firewall appliances from their branch offices.

Dave Greenfield

Dave Greenfield is a veteran of the IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.