Network & Firewall Security for the Modern Enterprise
December 17, 2019
Edge computing and the distributed cloud both cracked Gartner’s Top 10 Strategic Technology Trends for 2020, reminding me of a recent discussion on the challenges enterprises face when securing the modern WAN. Traditional firewall security simply can’t keep up with the challenges created by these new network paradigms. As a result, when I discuss firewall security with enterprises today, there are three reoccurring themes: visibility, scalability, and convergence.
Next-Generation Firewall (NGFW) appliances help solve these problems, but deploying multiple appliances adds significant complexity and creates operational and security challenges of its own. Fortunately, when converged with the larger network infrastructure, cloud-based firewalls, or Firewall-as-a-Service (FWaaS), can address these challenges.
So, how exactly can enterprises seamlessly integrate security to their networks without adding unnecessary complexity? Let’s find out.
The Basics of Firewalls
Before we dive into the challenges of appliance-based firewalls and benefits of FWaaS, let’s look at some of the basics of modern firewalls. Traditionally, firewalls were used to block or allow network traffic based on predefined rules. They could effectively block ports, isolate network segments, and enable basic enforcement of security policies. This same basic premise holds true for firewalls today, but the dynamic nature of modern enterprise networks has created a need for more flexible, granular, and intelligent firewall security.
Three Main Types of Firewall Software and Appliances
So, what sort of firewall software and appliances exist to meet these demands? In addition to the software-based endpoint firewalls that can run on network endpoints, there are three main firewall appliance types enterprises can deploy.
Packet-Filtering Firewalls
Traditional firewalls that block or allow traffic at the protocol, port, or IP address level, judging each packet in isolation.
Stateful Firewalls
Like packet-filtering firewalls, with the added benefit of tracking end-to-end traffic flows (connection state), so that a packet is judged in the context of the connection it belongs to.
Next-Generation Firewalls (NGFWs)
Offer all the functionality of stateful firewalls plus features such as deep-packet inspection (DPI), Intrusion Detection System/Intrusion Prevention System (IDS/IPS), anti-virus, and website filtering.
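To make the difference between the first two types concrete, here is an added illustration (not Cato's code or any product's rule syntax): a stateless packet filter and a stateful filter evaluated over a constructed packet trace. The IP addresses and ports are made up; the stateless rule set has to admit inbound traffic to high ports so that replies can get back in, whereas the stateful filter admits only replies to connections it has already seen leave.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving the LAN, "in" = arriving from the Internet


def stateless_allow(pkt: Packet) -> bool:
    """Packet filter: each packet judged alone, no memory of earlier packets."""
    if pkt.direction == "out" and pkt.dport == 443:      # allow outbound HTTPS
        return True
    if pkt.direction == "in" and pkt.dport >= 1024:      # must open high ports for replies
        return True
    return False


class StatefulFilter:
    """Stateful filter: remembers outbound flows and admits only their replies."""

    def __init__(self) -> None:
        self.flows: set = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and pkt.dport == 443:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.direction == "in":
            # Admit only a packet that is the mirror image of a recorded flow.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
        return False


# Constructed trace using documentation address ranges.
TRACE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "out"),   # client opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "in"),    # legitimate reply
    Packet("198.51.100.9", 40000, "10.0.0.5", 51000, "in"),  # unsolicited, same high port
    Packet("198.51.100.9", 40001, "10.0.0.7", 22, "in"),     # unsolicited, low port
]


def compare() -> dict:
    """Return the allow/deny verdict of each filter for every packet in TRACE."""
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in TRACE],
        "stateful": [stateful.allow(p) for p in TRACE],
    }
```

The third packet is where they diverge: the stateless filter lets the unsolicited inbound packet through because it matches the open high-port rule, while the stateful filter drops it because no matching outbound flow exists.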
Given the sophistication of modern security threats, NGFW appliances are commonplace within modern WANs, and for good reason. They’re able to detect malicious behavior and provide protection legacy firewall security solutions can’t. However, there are still several pain points enterprises face with physical and virtual firewall appliances.
The Shortcomings of Firewall Appliances
The problem with firewall appliances stems from the fact that appliances inherently require distributed deployments across sites. NGFWs are just one of a number of network appliances that enterprises must maintain, and integrating them at scale comes with challenges including:
Blind spots & reduced visibility
Since appliances are tied to a single location, they can only inspect data flows that go through them. This leads to one of two suboptimal outcomes: appliance sprawl or inefficient backhauling to have traffic routed through specific appliances for auditing. Further, since appliances are scattered throughout the network, as opposed to integrated with it, blind spots can become a real challenge.
Limited capacity & scalability
NGFWs and UTMs have a limited amount of capacity to run engines for anti-malware, IPS, and secure web gateway (SWG). These resource constraints can lead to some functionality being sacrificed, create bottlenecks, or require additional appliances to be deployed.
Silos & disjointed security policies
Multiple appliances and security solutions for cloud, mobile, and on-premises lead to communications silos between teams, limit visibility, and prevent the implementation of consistent security policies across the network.
Complex and resource-intensive maintenance
Maintaining and patching a network of firewall appliances leads to a significant IT workload that doesn’t drive core business forward. Installations, configurations, upgrades, integrations, and patch management take time and divert resources from activities that could add business-specific value.
Integrating Firewall Security: Firewall as a Service and the Secure Access Service Edge
Cato solves this problem by providing FWaaS, with all the functionality of an enterprise-grade application-aware NGFW, as a part of a broader holistic approach to networking and security known as Secure Access Service Edge (SASE). Because Cato’s SASE platform integrates the networking and security functionality that used to require multiple different appliances into a multitenant cloud-native infrastructure, the fundamental problem associated with NGFW appliances goes away. As a result, enterprises can implement network & firewall security that provides:
No blind spots
As all WAN traffic on the Cato Cloud traverses the cloud-native infrastructure, there are no blind spots and no need for backhauling. Multiple security engines and DPI are baked into the network.
Unrestricted scalability
The Cato Cloud provides the unrestricted scalability of a cloud service to the WAN. Not only does this eliminate capex and ensure security isn’t sacrificed due to limited capacity, it means deployments that may have otherwise taken days or weeks can occur in minutes or hours.
Enterprise-wide policy enforcement
A converged software stack and mobile clients ensure that all users benefit from the same level of security and policies span the entire network.
Simple maintenance and management
Because the entire security stack is integrated into a single solution, maintenance and management are a fraction of what they were with firewall appliances. This leads to reduced costs and more resources to dedicate to business-specific tasks that can positively impact the bottom line.
Cato’s SASE Platform Integrates Networking and Security at Scale
In short, the Cato SASE platform delivers firewall security in a scalable, holistic, and future-proof manner. Not only does the Cato Cloud solve the challenge of securing the distributed cloud and edge computing deployments common to the modern digital business, it does so while enabling IT to focus less on busy work and more on core business functions. Case in point: after W&W-AFCO Steel replaced Internet-based VPN and firewall appliances with Cato Cloud, Todd Park, Vice President, W&W-AFCO Steel, said: “Cato firewall is much easier to manage than a traditional firewall and the mobile client was much easier to deploy and configure than our existing approach.”
You can learn more about securing modern enterprise networks in our Advanced Security Services whitepaper. Additionally, be sure to subscribe to our blog for the latest on SD-WAN, networking, and IT security. If you’d like to discuss the Cato platform with one of our experts or schedule a demonstration, don’t hesitate to contact us.