Firewall Security: Understanding Your Options
What is a Firewall?
A firewall is a network security tool that controls inbound and outbound network traffic. It allows administrators to define security rules and use them to filter traffic, with the objective of preventing unauthorized access and cyber attacks.
Network firewalls were introduced over 25 years ago, and are deployed either as software or as a dedicated hardware device. The firewall introduced the concept of a demilitarized zone (DMZ)—an internal network which contains valuable, protected resources, and is isolated from untrusted external networks. A basic tenet of network security is to place valuable assets “behind the firewall” to make them inaccessible to attackers.
In recent years, network security has changed, and the concept of a secure perimeter is breaking down. Modern networks are complex and include resources outside the control of the organization—such as cloud systems, mobile devices and the Internet of Things (IoT). This new environment has given rise to new deployment models for firewalls, including cloud firewalls and firewall as a service (FWaaS).
Next-Gen Firewall vs. Legacy Firewall
What Is a Traditional Firewall?
A traditional firewall operates at Layer 3 and Layer 4 of the OSI network model. It inspects the source and destination IP addresses of data packets, as well as the port they were addressed to and the protocol they use. Based on this information, and the security rules defined by the administrator, it decides whether to allow the packet to enter or leave the network.
The key capabilities of a traditional firewall include:
- Stateful inspection—a traditional firewall primarily looks at sessions, and applies rules to traffic flows, rather than individual packets.
- Traffic filtering—inspects inbound and outbound traffic, and is able to terminate a connection if it originates from an untrusted source, or violates organizational policies.
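To make the stateful, Layer 3/4 behaviour above concrete, here is an added example (not code from the original article): a minimal session-tracking packet filter that applies rules only when a flow starts and then lets replies to an accepted flow through from its state table. The Packet class, the rule format and the policy are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed example: a minimal stateful packet filter working only on the
# L3/L4 fields a traditional firewall inspects (protocol, addresses, ports).

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag marks the start of a new session

class StatefulFirewall:
    """Rules are applied once, when a flow starts; later packets of an
    accepted flow (in either direction) are allowed from the state table."""

    def __init__(self, rules):
        # rules: list of (direction, proto, dst_port, action); first match wins.
        # proto "any" and dst_port 0 act as wildcards.
        self.rules = rules
        self.sessions = set()   # accepted flows keyed by their 5-tuple

    def _match(self, direction, pkt):
        for rule_dir, proto, dport, action in self.rules:
            if rule_dir == direction and proto in (pkt.proto, "any") \
                    and dport in (pkt.dport, 0):
                return action
        return "drop"   # default deny for anything not explicitly allowed

    def filter(self, direction, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.sessions or reply in self.sessions:
            return "accept"           # part of an established session
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"             # stray TCP packet with no known session
        action = self._match(direction, pkt)
        if action == "accept":
            self.sessions.add(flow)   # remember the new flow
        return action

# Assumed policy: hosts may open HTTPS outbound; nothing inbound is allowed
# unless it is a reply to an existing session.
POLICY = [("out", "tcp", 443, "accept")]
```

Note that the filter never looks at payload: an SSH session tunnelled over port 443 is accepted exactly like HTTPS, which is the gap NGFW application inspection closes.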
What Is a Next-Generation Firewall (NGFW)?
A next-generation firewall (NGFW) goes beyond basic packet filtering and stateful inspection: it looks inside data packets and understands application traffic.
An NGFW looks at network data at Layer 3 and 4, but in addition inspects Layer 7—the application layer. NGFWs can block packets based on the application they are intended for. This application awareness lets administrators block risky application traffic.
Next Gen Firewall Security Capabilities
NGFW provides the following unique capabilities that were not present in previous-generation firewalls:
- Deep Packet Inspection (DPI)—looks inside data packets to identify application-layer traffic patterns.
- TLS decryption and inspection—able to decrypt secure channels to inspect traffic.
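As an added illustration of deep packet inspection (not code from the original article), the snippet below identifies the application from the first bytes of a flow, independent of the destination port, and compares a port-only decision with an application-aware one. The signatures, the port-to-application mapping and the list of blocked applications are assumptions for this example.

```python
import re

# Constructed example: application identification by payload signature,
# as an NGFW's DPI engine does, compared with a port-only L4 decision.
# Each signature is (application, regex over the first bytes of the flow).
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("tls", re.compile(rb"^\x16\x03[\x01-\x04]")),   # TLS handshake record, version 3.1-3.4
]

# Assumed policy: which application each allowed port is expected to carry,
# and which applications are blocked regardless of port.
ALLOWED_PORTS = (80, 443)
EXPECTED_APP = {80: "http", 443: "tls"}
BLOCKED_APPS = ("ssh",)

def identify_application(payload: bytes) -> str:
    """Return the application matched by the first bytes of the flow."""
    for app, pattern in SIGNATURES:
        if pattern.match(payload):
            return app
    return "unknown"

def l4_decision(dport: int) -> str:
    """What a traditional L3/L4 rule set decides: destination port only."""
    return "accept" if dport in ALLOWED_PORTS else "drop"

def l7_decision(dport: int, payload: bytes) -> str:
    """NGFW decision: the port must be allowed, the application must not be
    blocked, and it must be the application the port is expected to carry."""
    if l4_decision(dport) == "drop":
        return "drop"
    app = identify_application(payload)
    if app in BLOCKED_APPS:
        return "drop"        # risky application, whatever port it uses
    if EXPECTED_APP.get(dport) != app:
        return "drop"        # port/application mismatch, e.g. tunnelling
    return "accept"
```

The same SSH banner on port 443 is accepted by the port-only rule and dropped by the application-aware one.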
The following features are added as optional extras in some NGFW solutions:
- Intrusion prevention system (IPS)—detects malicious traffic and blocks it in real time
- Malware prevention—integrates with threat intelligence, identifies malware signatures in inbound traffic
Options for Implementing a Firewall Security System
Deploying NGFW On-Premises
There are two ways to deploy NGFW on-premises:
- Software-based / host firewall—running NGFW software on every server or machine that requires protection. The NGFW can filter inbound and outbound traffic, monitor processes running on the host, and control their communication. However, this deployment model uses CPU and RAM resources in the host.
- Hardware-based / appliance firewall—deploying a central NGFW as a hardware device that can protect an entire network segment. This can be complex for organizations with multiple branch offices, or when employees need to access services remotely. When a remote user needs to access a cloud service, for example, traffic needs to be backhauled to the NGFW, and then routed to the cloud service, which is inefficient.
There are several key challenges with on-premises NGFW:
- Difficult deployment and ongoing maintenance—deploying NGFW appliances across a geographically-distributed enterprise is difficult, and requires a major investment in hardware. The organization must correctly size the appliances, and if traffic volumes grow, there is a need to upgrade or replace them.
- Hurts remote user experience—backhauling traffic to a central NGFW appliance causes latency issues. When most of the workforce is remote, this can create major issues for employees trying to access corporate services.
- Does not sufficiently address security risks—an NGFW can effectively address risks from untrusted devices accessing the corporate network perimeter. But it is less effective at addressing risks to cloud systems, SaaS applications, unmanaged user devices, and the risk of attackers compromising or stealing credentials.
NGFW In the Cloud
Increasingly, organizations are moving applications and infrastructure to the cloud. In the cloud, it is not possible to deploy hardware NGFW appliances, and it is often difficult to install host firewalls on cloud servers.
This gave rise to a new deployment model for NGFW: a cloud firewall, which operates as a virtual machine on the cloud provider’s network, and can protect multiple cloud resources. Because a cloud NGFW is virtualized, it is easier to deploy compared to NGFW appliances.
At the same time, cloud firewalls have important limitations. Most organizations have a multi-cloud strategy, and a cloud firewall needs to support all cloud environments. Additionally, if the cloud firewall instance operates in a different availability zone (AZ) than the resources it protects, it increases latency because application traffic must be redirected.
Cloud firewalls may be easier to maintain than physical devices, but they are not hands-off—IT teams are still responsible for configuring, deploying, and managing them. To protect against zero-day threats, you need to patch them and deploy the latest threat signatures. Finally, most implementations of cloud firewalls do not support clustering. So it is difficult to scale up a virtual appliance beyond the capacity of a single cloud instance.
What is FWaaS?
Firewall as a Service (FWaaS) products enable organizations to provide perimeter protection without the need to deploy dedicated firewall hardware, or self-managed virtual firewall appliances. Instead, FWaaS providers run a globally distributed firewall service that can inspect traffic wherever the organization operates.
An FWaaS provides firewall services on demand for headquarters, branch offices, and cloud services. It can support mobile users traveling to other countries, as well as third-parties who need to access the organization’s services. FWaaS offerings can implement consistent security policies across all types of traffic, regardless of source or destination.
FWaaS Delivered as Part of SASE
FWaaS can protect multiple distributed sites via a single, logical firewall, controlled by a unified security policy. It can support organizations of all sizes, and provides high-performance access for on-premises and mobile users.
This makes FWaaS a basic building block of a secure access service edge (SASE) architecture. SASE is gradually replacing traditional wide area network (WAN) infrastructure. It provides networking as a cloud service, packaged together with advanced security capabilities supporting a zero trust approach. This is where FWaaS comes in—SASE solutions offer FWaaS and other security solutions like cloud access security broker (CASB) to provide an all-in-one network security solution.
FWaaS supports modern networks by extending NGFW capabilities to anywhere the organization operates—on-premises, in the cloud, and at the edge. As NGFW technology evolves and new detection and prevention methods are developed, FWaaS is dynamically updated by the service provider, ensuring the organization is protected against the latest threats. FWaaS is pre-integrated with other aspects of the network environment, eliminating configuration errors and reducing risk.