What is a Cloud Firewall?

Cracks are forming at the base of the cloud firewall. Those virtualized instances of the security perimeter vital to protecting cloud assets against unauthorized attempts to access an organization’s cloud resources have begun showing their age.

The shift to multicloud strategies and the rapid evolution of network-based threats are uncovering weaknesses in cloud firewalls. Instead, many companies are adopting Firewall-as-a-Service (FWaaS) solutions. But will FWaaS go far enough? Let’s find out.

What is a Cloud Firewall Used For?

Physical firewalls, aka firewall appliances, have been a fixture in the network stack populating datacenters and branch offices everywhere. But as enterprises shifted data and applications to the cloud, they needed to secure them as well. Deploying a physical firewall in the cloud was impractical at best and frequently impossible.

Enter cloud firewalls. These offerings bring the protective ability of firewall appliances to the cloud. Cloud firewalls run as virtual instances within the cloud provider network. As such, cloud firewalls bring several significant advantages over firewall appliances.

We’ve already discussed one; they’re easy to deploy. Cloud firewalls are also easier to scale than physical firewalls. Need more memory or compute? Just add as you would to any workload in the cloud. Cloud firewalls are also often easier to make highly available. Yes, you’ll need to configure redundant instances appropriately. But the datacenters are already equipped with redundant power sources, HVAC systems, automated backup systems, and more needed to support an HA implementation.

The Limitations of Cloud Firewalls

At the same time, cloud firewalls come with key limitations. With each cloud environment requiring its cloud firewall for protection, security becomes more complex in a multicloud strategy, which is increasingly common among enterprises. What’s more, where cloud firewall instances exist out-of-region, traffic must be backhauled, adding latency to application sessions.

And while cloud firewalls might be easier to maintain than physical appliances, they still need plenty of care. IT teams still need to configure, deploy, and manage the cloud firewall. They still need to apply patches and deploy the latest signatures to protect against zero-day threats. Finally, resource sharing among cloud firewalls becomes challenging at scale. Cloud firewalls function as virtual appliances, requiring their memory and compute. They can’t pool them easily with other cloud firewall instances.

For many IT teams, the question “What is a cloud firewall” is being replaced by “What security tool can we use instead of a cloud firewall.”

Why FWaaS is Replacing Virtual Firewalls

And the answer to that question is quickly becoming FWaaS. FWaaS offerings are independent cloud services that provide companies with their own firewall instances to manage and run. Unlike firewalls, FWaaS provide customers their own logical firewall instances running on the provider’s multitenant firewall platform.

FWaaS platforms are genuine cloud services. They’re multitenant, elastic, and highly scalable, allowing the individual firewalls to consume compute resources more efficiently than individual cloud firewalls. FWaaS providers also assume the burden of ensuring firewall performance doesn’t suffer as traffic loads grow. And since compute resources and operating costs are spread across all customers, FWaaS platforms are often more cost-effective than cloud firewalls.

In short, by using FWaaS, organizations retain the scalability, availability, and extensibility of a cloud deployment. At the same time, they enjoy the low-cost cloud option and improved line-rate network performance.

Does FWaaS Go Far Enough?

FWaaS might seem to answer the security problems facing enterprises, but what they miss is the global network. Most enterprises have at least some resources in private datacenters. Users require optimized access to those resources and the cloud. FWaaS offerings, though, rely on the unpredictable global Internet for transport. Performance to corporate datacenters is far too unpredictable and sluggish for enterprises used to the MPLS and private backbones.

FWaaS offerings also often target HTTP-based applications. Other applications based around legacy protocols may not be supported or require purchasing additional products.

Since FWaaS offerings can’t cover the complete enterprise, they must be integrated with existing networking and security tools. This creates greater operational complexity for IT and leads to fragmented network visibility, complicating the detection of the network traffic patterns indicating malware infections.

In short, FWaaS steps in the right direction but without the underlying network remains a partial solution. For most enterprises, FWaaS doesn’t go far enough.

Moving from Cloud Firewall to SASE

Secure Access Service Edge (SASE) expands on FWaaS, converging security with a global, optimized network. The Cato SASE platform, for example, includes the Cato Global Private Backbone, a global, geographically distributed, SLA-backed network of 60+ PoPs interconnected by multiple tier-1 carriers. Within those PoPs, a complete suite of security services — NGFW, IPS, URLF, anti-malware, and more — operate on all traffic. The traffic is then sent onto the Internet or across the Cato global private backbone to other edges — branch offices, datatcenters, remote users, and cloud resources — connected to Cato PoPs.

The Cato network includes built-in WAN optimization, route optimization, dynamic carrier selection, and cloud optimization to deliver far better performance than the global Internet or legacy infrastructure. During customer testing, for example, file transfer performance improved by 20x with Cato when compared against MPLS. Other customers have seen similar, if not better results, when comparing Cato against the global Internet.

The convergence of security and networking also provides Cato with unprecedented visibility into enterprise traffic flows. Using this unique insight, a team of dedicated networking and security experts seamlessly and continuously update Cato defenses. They offload the burden from enterprises of ensuring maximum service availability, optimal network performance, and the highest level of protection against emerging threats.

It’s Time to Upgrade your Cloud Firewall with SASE

Cato is the world’s first SASE platform. It enables customers to easily connect physical locations, cloud resources, and mobile users to Cato and provides IT teams with a single, self-service console to manage security services.

Learn more on our blogs, contact our team of security experts, or schedule a demo to see how SASE can protect your network environment.