Network Security-as-a-Service: beyond the Next Generation Firewall
- July 7, 2016
About 10 years ago, a small startup, Palo Alto Networks, introduced the Next Generation Firewall (NGFW). Existing enterprise firewalls relied on specific ports to apply application security rules. By application, I don’t mean “salesforce.com”. Rather, it is the mostly irrelevant distinction between application protocols such as HTTP, FTP, SSH and the like. Palo Alto created “application awareness”, the ability to detect application-specific streams regardless of port. This was a critical innovation at a time when vast amounts of traffic moved to the Internet (using ports 80/443) and the ability to apply controls at the port level was insufficient.
Merely 5 years later, the enterprise infrastructure landscape evolved again with the increased usage of public Cloud applications (SaaS). The “application-aware” next generation firewall was blind to users accessing unauthorized applications (known as “Shadow IT”) and couldn’t enforce granular access control on authorized apps. Furthermore, mobile users accessed Cloud applications directly without going through the firewall at all. A new class of network security product was created: the Cloud Access Security Broker (CASB). Many CASB flavors placed themselves in the Cloud to address the limitations of appliance-based firewalls. This was a natural architectural decision, but it deepened the fragmentation of enterprise network security controls.
Cloud and mobility cannot be solved with the current firewall appliance form factor. You simply can’t control a virtual, fluid and dynamic business network with rigid, location-bound security controls. For a while we could get away with appliance sprawl and the integration of multiple point solutions. We are getting to a point where the care and feeding of a network security infrastructure, with equipment upgrades, software updates and patching, and distributed multi-vendor management, is becoming a huge challenge for many businesses.
What is the way forward?
When we think about putting network security in the Cloud, we start with the firewall. Firewalls are complex entities. They play multiple roles in networking, policy enforcement and security. For example, firewalls are commonly used to establish secure site-to-site tunnels between enterprise locations to form the wide area network (WAN). At the same time, they enforce access control policy between these locations. And, they can also detect access to malicious URLs when users access the Internet.
What do we need to place a firewall in the Cloud?
Traffic tunneling: a firewall must be able to see the traffic it needs to control, so we need a practical way to get network traffic to the Cloud. This makes sense for traffic that crosses boundaries (such as inter-location and Internet-bound traffic) and can be done in multiple ways, including IPsec and GRE tunnels, a single-function tunneling device, or client software. Regardless of method, the tunnel enforces no policies and has no business logic, and is therefore not subject to the capacity constraints of firewall appliances.
Wire-speed traffic inspection: next, we need to be able to inspect traffic at wire speed and enforce policies. Various innovations allow us to use software and commodity hardware to perform deep packet inspection while minimizing latency. The use of shared Cloud infrastructure enables us to quickly scale and accommodate increased load.
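To make the “application awareness” point from the history above concrete, and to show what the inspection stage actually decides on once traffic reaches it, here is an added example (not code from the original post or from any vendor) that classifies a few constructed TCP flows two ways: by destination port alone, and by the first client bytes of the stream. The signatures, addresses and the “only web traffic may leave” policy are all constructed for illustration; a real engine uses far richer protocol decoders.

```python
"""Port-based versus payload-based application identification.

Added example, not from the original post: a toy classifier that labels
constructed TCP flows by destination port (the pre-NGFW model) and by the
first bytes of the client payload (a minimal form of application awareness
via deep packet inspection), then lists flows on which the two verdicts
disagree. Signatures, flows and the policy below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the stream (constructed)


# Port-based model: the port *is* the application.
PORT_TABLE = {22: "ssh", 80: "http", 443: "tls", 21: "ftp"}

# Payload signatures: the application is detected from the stream, whatever the port.
SIGNATURES = (
    ("ssh", lambda p: p.startswith(b"SSH-")),
    # TLS record header: content type 0x16 (handshake), version major byte 0x03
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("http", lambda p: any(p.startswith(m + b" ") for m in (b"GET", b"POST", b"HEAD", b"PUT"))),
    ("ftp", lambda p: p.startswith(b"220 ") or p.startswith(b"USER ")),
)

# Policy keyed on application, not on port: only web traffic may leave (constructed).
ALLOWED_APPS = {"http", "tls"}


def classify_by_port(flow):
    return PORT_TABLE.get(flow.dport, "unknown")


def classify_by_payload(flow):
    for name, match in SIGNATURES:
        if match(flow.payload):
            return name
    return "unknown"


def evaluate(flow, classifier):
    """Return (application label, allowed?) under the given classifier."""
    app = classifier(flow)
    return app, app in ALLOWED_APPS


def port_blind_spots(flows):
    """Flows where the port-based verdict and the payload-based verdict differ.

    Each entry is (flow, label from port, label from payload).
    """
    out = []
    for f in flows:
        app_port, allow_port = evaluate(f, classify_by_port)
        app_pay, allow_pay = evaluate(f, classify_by_payload)
        if allow_port != allow_pay:
            out.append((f, app_port, app_pay))
    return out


# Constructed sample flows (documentation address ranges).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00"),  # TLS on 443
    Flow("10.0.0.7", "203.0.113.20", 443, b"SSH-2.0-OpenSSH_7.2\r\n"),       # SSH to port 443
    Flow("10.0.0.9", "203.0.113.30", 8080, b"GET /index.html HTTP/1.1\r\n"),  # HTTP on 8080
    Flow("10.0.0.9", "203.0.113.40", 22, b"SSH-2.0-OpenSSH_7.2\r\n"),        # SSH on 22
]

if __name__ == "__main__":
    for flow, by_port, by_payload in port_blind_spots(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  port says {by_port}, payload says {by_payload}")
```

The second and third flows are the ones a port-only rule base gets wrong in opposite directions: an SSH session to port 443 is waved through as “web”, and legitimate HTTP on 8080 is dropped as unknown. The payload classifier resolves both without any port knowledge, which is the property the post attributes to the NGFW and which a Cloud inspection point needs just as much.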
Once you get the traffic to the Cloud and can inspect it, the benefits of network security as a service are substantial:
No capacity constraints: we can scale the computing power needed to process traffic without being limited by appliance capacity restrictions and equipment upgrades. Sizing is especially problematic with UTM devices, whose throughput drops as more inspection features are enabled. A Cloud-based firewall removes the need to size security appliances, a dreaded exercise for every IT manager.
No software maintenance and vulnerability patching: the solution provider is responsible for updating, patching and enhancing the network security software, which frees up the customer’s resources. For the solution provider, it is also easier to understand product usage, translate it into new features and seamlessly deploy them.
Easier management with one logical policy: today, we need to maintain a group of rules for each appliance. Anyone who has maintained a firewall knows that templating rules for consistency is always subject to deviations. With NSaaS we create one logical rule set that defines access control across enterprise resources. We can avoid contradictory rules that allow access from site A to site B in firewall A but block that same access in firewall B.
New security capabilities, same platform: since we have visibility into all WAN and Internet traffic, we can rapidly roll out additional capabilities that were previously packaged into standalone products and needed complex deployment projects. For example, we can inspect traffic for phishing attacks, inbound threats, anomalous activity by insiders, sensitive data leakage, command and control communications and more. All it takes is a deployment of new software capabilities into the NSaaS platform.
Better threat visibility and platform adaptability: NSaaS is multi-tenant by design. By inspecting traffic across multiple networks, it is possible to detect threats earlier and quickly adapt the Cloud service to protect all customers. Users are no longer dependent on the resources available to upgrade appliance software for better security.
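The “one logical policy” point above is easiest to see with the failure it removes. The following added example (not code from the original post or from any product) models three sites, each with its own appliance rule list, asks both appliances on a site-to-site path for their verdict on the same flow, flags pairs where they disagree, and derives the single consolidated rule set an NSaaS platform would hold instead. Site networks, appliance names and rules are constructed; first match wins and the default is deny.

```python
"""Finding contradictory rules across per-appliance firewall policies.

Added example, not from the original post: each site's appliance carries its
own rule list, so the same site-to-site flow is judged twice, once on the
source side and once on the destination side. The script reports pairs
where the two verdicts differ and builds the one logical policy that
replaces them. All sites, appliances and rules below are constructed.
"""
import ipaddress

# Per-appliance rule lists (constructed). First match wins, default deny.
APPLIANCE_RULES = {
    "fw-A": [  # protects site A, 10.1.0.0/16
        {"src": "10.1.0.0/16", "dst": "10.2.0.0/16", "port": 445, "action": "allow"},
        {"src": "10.1.0.0/16", "dst": "10.3.0.0/16", "port": 445, "action": "allow"},
    ],
    "fw-B": [  # protects site B, 10.2.0.0/16
        {"src": "10.1.0.0/16", "dst": "10.2.0.0/16", "port": 445, "action": "deny"},
        {"src": "10.2.0.0/16", "dst": "10.3.0.0/16", "port": 445, "action": "allow"},
    ],
    "fw-C": [  # protects site C, 10.3.0.0/16
        {"src": "10.1.0.0/16", "dst": "10.3.0.0/16", "port": 445, "action": "allow"},
        {"src": "10.2.0.0/16", "dst": "10.3.0.0/16", "port": 445, "action": "allow"},
    ],
}

# site name -> (appliance that fronts it, site network)
SITES = {
    "A": ("fw-A", "10.1.0.0/16"),
    "B": ("fw-B", "10.2.0.0/16"),
    "C": ("fw-C", "10.3.0.0/16"),
}


def verdict(rules, src_ip, dst_ip, port):
    """First-match evaluation of one appliance's rule list; default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r["src"])
                and dst in ipaddress.ip_network(r["dst"])
                and r["port"] == port):
            return r["action"]
    return "deny"


def sample_host(cidr):
    """A representative host address inside the site network."""
    return str(next(iter(ipaddress.ip_network(cidr).hosts())))


def pairwise_verdicts(port):
    """Yield (from_site, to_site, src_fw, src_verdict, dst_fw, dst_verdict) for every ordered site pair."""
    for a, (fw_a, net_a) in SITES.items():
        for b, (fw_b, net_b) in SITES.items():
            if a == b:
                continue
            src, dst = sample_host(net_a), sample_host(net_b)
            yield (a, b,
                   fw_a, verdict(APPLIANCE_RULES[fw_a], src, dst, port),
                   fw_b, verdict(APPLIANCE_RULES[fw_b], src, dst, port))


def find_contradictions(port):
    """Site pairs where the source-side and destination-side appliances disagree."""
    return [
        {"from": a, "to": b, fw_a: v_a, fw_b: v_b}
        for a, b, fw_a, v_a, fw_b, v_b in pairwise_verdicts(port)
        if v_a != v_b
    ]


def consolidated_policy(port):
    """The single logical rule set: a pair is allowed only when both appliances already allow it.

    Contradictory pairs resolve to deny so that the consolidation never
    widens access; the operator then fixes them deliberately.
    """
    return {
        (a, b): "allow" if v_a == v_b == "allow" else "deny"
        for a, b, _, v_a, _, v_b in pairwise_verdicts(port)
    }


if __name__ == "__main__":
    for finding in find_contradictions(445):
        print("contradiction:", finding)
    for pair, action in sorted(consolidated_policy(445).items()):
        print(f"{pair[0]} -> {pair[1]} tcp/445: {action}")
```

Run against the constructed rule sets, the script reports exactly the case the text describes: fw-A allows SMB from site A to site B while fw-B denies it, so traffic is dropped mid-path and neither appliance’s rule list explains why on its own. The consolidated policy makes that pair an explicit deny and carries the agreed allows (A→C, B→C) forward as single rules.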
Network Security as a Service promises to transform the network security landscape in 3 key ways:
- Reduce capital expense on security equipment and point solutions that can be folded into a single Network Security platform delivered as a Cloud service.
- Reduce operational expense by offloading resource-intensive activities such as deployment, upgrades, maintenance and distributed management from the IT staff.
- Improve security with an always up-to-date, hardened network security platform.