Network firewalls were introduced in the 1990s, and have gone through several generations: from legacy firewalls, to next-generation firewalls (NGFW), to firewall as a service (FWaaS).
First Generation: Legacy Firewall
A network firewall secures a local network and prevents unauthorized entities from accessing sensitive systems and data. It separates the secured network from a less secure, broader network (e.g., the Internet) to control traffic between them. Network firewalls are essential for protecting resources that are connected to the network and preventing attackers from accessing them.
Second Generation: NGFW
A next-generation firewall (NGFW) builds on the basic stateful inspection capabilities of a legacy firewall. It provides the additional capability of deep packet inspection (DPI) – looking inside data packets to identify malicious activity. NGFWs are also application aware – they can inspect Layer 7 (the application layer) to block or allow data packets depending on the application they are intended for. This allows administrators to block dangerous applications.
Additional capabilities offered by NGFW solutions include a built-in intrusion prevention system (IPS) and integration with threat intelligence feeds, which allow an NGFW to block traffic from IP addresses that were used for malicious activity in the past.
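The difference between a header-only rule and the NGFW checks described above (payload inspection, application awareness, threat-feed lookup) can be shown on a few packets. This is an added example, not code from any firewall product; the policy values, addresses, function names and sample packets are constructed for illustration, and the legacy rule is simplified to a port check.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy data (documentation address ranges, illustrative only).
THREAT_FEED = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_APPS = {"bittorrent"}
ALLOWED_PORTS = {80, 443}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

def legacy_decision(pkt):
    """Header-only rule (connection-state tracking omitted): port decides."""
    return "allow" if pkt.dport in ALLOWED_PORTS else "block"

def identify_app(payload):
    """Minimal DPI: classify by payload signature, not by port number."""
    if payload.startswith(b"\x13BitTorrent protocol"):  # BitTorrent handshake
        return "bittorrent"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    if payload[:2] == b"\x16\x03":  # TLS handshake record header
        return "tls"
    return "unknown"

def ngfw_decision(pkt):
    """Returns (verdict, reason): reputation first, then application, then port."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in THREAT_FEED):
        return "block", "source on threat feed"
    app = identify_app(pkt.payload)
    if app in BLOCKED_APPS:
        return "block", "application " + app
    if pkt.dport not in ALLOWED_PORTS:
        return "block", "port not allowed"
    return "allow", "application " + app

# Constructed sample traffic.
SAMPLES = [
    Packet("198.51.100.7", "192.0.2.10", 443, b"\x16\x03\x01\x00\x05hello"),
    Packet("192.0.2.20", "198.51.100.9", 443, b"\x13BitTorrent protocol" + bytes(8)),
    Packet("203.0.113.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.src, p.dport, legacy_decision(p), ngfw_decision(p))
```

All three sample packets pass the port rule; the application-aware policy blocks the second by payload signature and the third by source reputation.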
Third Generation: FWaaS
Traditionally, NGFW was deployed as a hardware appliance. Firewall as a service (FWaaS) is a new way to deploy NGFW security functionality. An FWaaS is a cloud-native firewall that a cloud provider offers as a service.
In a modern IT environment, the network perimeter is disappearing. Users increasingly access networks from mobile devices and remote locations, and organizations are moving critical resources to the cloud, meaning that many assets are outside the organization’s direct control. These changes require a new type of security solution that is able to protect corporate assets wherever they are, and enable access from any location or device.
An FWaaS solution provides NGFW functionality as a cloud-hosted service. FWaaS decouples security functions from physical infrastructure, so organizations can benefit from NGFW protection wherever IT assets are running – on premises or in the cloud – and no matter how or where they are accessed from.
FWaaS has significant advantages over physical NGFW appliances:
- Location-independent – NGFW appliances can only protect traffic flowing into the network they are physically deployed in, while FWaaS can also protect remote users and cloud applications.
- Scalability – NGFW appliances can only serve a finite amount of traffic before running out of hardware resources. FWaaS is a cloud-native solution that can be scaled on demand.
- Flexibility – NGFW appliances need to perform software updates, or be physically upgraded, to provide new security features. FWaaS can be upgraded on a continuous basis by the service provider, without special maintenance or additional costs.
FWaaS is also an important component of Secure Access Service Edge (SASE).