As networks become more decentralized, the benefit of moving applications and data to the cloud becomes increasingly practical and common. This is true for the firewall as well. Using a cloud-based and cloud-scalable firewall-as-a-service (FWaaS) enables companies to extend the benefits of unified threat management (UTM) and next-generation firewalls (NGFWs) beyond the local network to encompass a modern, dispersed IT architecture. See below to learn all about how FWaaS solutions work.
How does FWaaS work?
- What is the technology behind firewall-as-a-service?
- How does firewall-as-a-service fit the IT and cybersecurity environment?
- What are the differences between firewall-as-a-service and traditional firewalls?
- What are the core functions of firewall-as-a-service?
- Bottom line
Organizations will be familiar with most of the technology behind FWaaS because FWaaS builds off of traditional firewall, UTM, NGFW, and cloud technologies.
FWaaS cloud and IT technologies
The FWaaS IT architecture and cloud-based technologies provide inherent advantages:
As a cloud-based resource, vendors build FWaaS offerings to take advantage of cloud-based virtual architecture. FWaaS can scale memory, cores, firewall deployments, and bandwidth as needed to handle the needs of the organization.
Many FWaaS technologies act as a proxy. They create a flow of encrypted communication between the FWaaS and the requesting endpoint as well as a second flow of encrypted communication between the requested resource and the FWaaS.
This design allows for dynamic inspection of traffic for users, applications, devices, and locations. The FWaaS holds the encryption keys to decrypt and natively inspect Secure Sockets Layer and Transport Layer Security (SSL/TLS) traffic at scale to detect malware hidden in encrypted traffic as well as enable granular firewall policies.
With the ubiquitous reach of the internet, FWaaS can deploy standardized firewalls in different data centers that are configured and monitored through one software window and centralized expertise. FWaaS delivers equivalent protection to dispersed users, on any device, from any location, and to any resource.
FWaaS firewall technologies
FWaaS deploy a range of basic and advanced firewall, NGFW, and UTM functions at scale to provide added security and protection. These technologies include:
Deep packet inspection (DPI)
FWaaS can perform advanced threat analysis on packets to check for threats that might require alerts or mitigation. Some tools use machine learning (ML) or artificial intelligence (AI) algorithms that help to identify novel, zero-day threats by looking for anomalous and potentially dangerous behavior.
FWaaS can enforce bring-your-own-device (BYOD) policies and some network access control (NAC) features to prevent unauthorized devices from connecting with the network.
Domain Name System (DNS) security and control
FWaaS can block malicious domains and IP addresses based on threat intelligence and detect or prevent DNS tunneling.
FWaaS also incorporates rules for multiple OSI layer communication filtering based on network applications, cloud applications, fully-qualified domain name (FQDN), and URL filtering.
Internet Protocol (IP) mapping
FWaaS tools can map IP addresses to user names and MAC addresses. This can be used strictly for monitoring, or mapping can be used to block unknown or unauthorized device, user, and IP address combinations.
Organizations can configure FWaaS to explicitly define the IP addresses allowed to access the network. Further control can be implemented through static IP addresses for trusted traffic sources, blacklisted URLs, blocked IP addresses, and blocked geographical areas.
FWaaS use various intrusion detection systems (IDS) and intrusion prevention systems (IPS) features to flag or block inappropriate communications traffic. The FWaaS can also monitor network operations performance.
Packet inspection and filtering
Packets are examined for malformation, discrepancies, malicious content, or incorrect destinations. Known bad packets will be dropped, and suspected bad packets will usually be quarantined for review.
Port and protocol filtering
FWaaS blocks internet traffic on unused ports or traffic using unused or obsolete protocols.
FWaaS can incorporate Internet Protocol security (IPsec) and SSL to support various types of secure connections such as Secure Sockets Layer virtual private network (SSL VPN) connections.
Advanced IT architecture
A key benefit of FWaaS is support for modern, dispersed IT architectures that do not rely upon secured local networks.
Precise user segmentation
FWaaS can integrate with access management tools, such as Active Directory, and Lightweight Directory Access Protocol (LDAP), to implement granular policy-based permissioning of access and resources. This granularity delivers greater control over virtual infrastructure and can create tiny network segments that may be geographically dispersed.
Secure access service edge (SASE)
SASE attempts to create a secure network for resources and users connected from anywhere. It incorporates FWaaS as a key element within the technology, and many vendors offer FWaaS as a key feature of their offering, which may also include cloud access security brokers (CASB) and zero-trust architecture (ZTA).
Software-defined wide area network
FWaaS provides a centralized firewall solution for the dispersed software-defined wide area network (SD-WAN) environment. In a sense, this recreates the standard firewall plus local network security model without the limitation of local network wires.
FWaaS provides an initial, centralized screening of all traffic to all elements in a ZTA environment. Additional firewalls and controls will be provided for each endpoint and each resource to implement full ZTA, but the burden on subsequent ZTA security solutions can be reduced through initial FWaaS screening.
FWaaS deploys in IT architecture with a similar philosophy to local firewall appliances: Place the security between the uncontrolled environment, usually the internet, and the controlled environment, such as a local network, cloud resource, or remote user.
FWaaS broadens the capabilities of local appliances and expands the type of resources that can be protected by the firewall capabilities to include cloud resources like SaaS, PaaS, and IaaS as well as multiple geographically dispersed local networks and remote users.
Is FWaaS setup difficult?
FWaaS simplifies deployment by eliminating all of the hardware configuration, setup, and hardening for firewall appliances, virtual machines, or software. Organizations can proceed directly to the steps of managing the firewall settings for security features, network traffic management, and connecting devices to the firewalls.
To connect devices to a FWaaS generally involves changing router settings or remote access IP addresses to direct traffic to the FWaaS. Traffic automatically flows through the FWaaS provider and from there to the required resources.
The deployment is much easier than deploying multiple hardware appliances across multiple branch office local networks. Some specialized configurations may be required for specific environments like data centers and cloud-based applications, but these configurations can be standardized and centrally managed by the firewall experts managing the FWaaS deployment.
Is a FWaaS necessary with firewall appliances?
Replacing local network firewalls will not always be necessary if an organization has:
- A small number of local networks
- A small number of users on the local network
- Local firewalls that can provide all of the needed security features without exceeding memory, CPU usage, or network bandwidth
- A local firewall capital expenditure (CapEx) that is paid-off but not yet obsolete
The local firewall will have very low latency for local devices connecting to local resources, and a paid-off firewall appears to have very little costs from the perspective of the CFO.
However, the organization should verify the true costs and capabilities of the local firewall are accurate. For example:
- Paid-off firewalls tend to be older and may lack capabilities or sacrifice performance.
- The labor needed for constant updates and patching of firewalls needs to be allocated to the expenses associated with the firewall to accurately capture their ongoing costs.
Fortunately, FWaaS can be inexpensive to test. An organization can deploy a FWaaS instance for a local network and verify improvements in performance, security, and maintenance time. If the performance does not meet their expectations, they can cancel their subscriptions and switch the routers back to internal hardware.
Is a FWaaS necessary with ISP firewall services?
Internet service providers offer firewall services, but keep in mind their offering is generic and meant to be a lowest common-denominator applicable to all of their customers. Most customers can achieve much more effective security by taking direct control over their firewall and customizing the settings to match the needs of the organization.
What are the advantages of FWaaS for PaaS, IaaS, SaaS?
In the shared security model, organizations deploying PaaS and IaaS must deploy firewalls to protect their infrastructure and applications deployed to the cloud. SaaS does not necessarily require firewall protection, but SaaS tools generally do not screen traffic for unauthorized devices, access from malicious or unknown IP addresses, or unusual behavior like credential stuffing or multiple concurrent logins.
Adding a cloud-based firewall specifically for a PaaS or IaaS environment protects only that environment. Additionally, these cloud-based local firewalls often will introduce the same weaknesses as other local network firewalls compared to FWaaS:
- Resource constraints for packet inspection
- Less features
- Most inconsistencies in rules and settings
- More maintenance time required to keep the devices current
- Less centralized information on threats and attacks in progress
Deploying FWaaS provides a centralized location to manage firewall settings, observe threats across all environments, and improve firewall performance.
What are the downsides of FWaaS?
FWaaS tools do present some trade-offs compared to local networks.
Increased local network latency
If all traffic routes through FWaaS solutions, devices that used to connect through a local network connection without any monitoring might experience increased latency if the traffic reroutes through a FWaaS with packet inspections. Organizations might need to consider which has priority: security or speed.
Shifting from CapEx hardware to OpEx services can be seen as increasing costs compared to local hardware. Organizations need to accurately assign labor costs for maintenance and updates for local firewalls to accurately compare costs.
Single point of failure
Companies that used to have many different local firewalls, may find themselves sending all of their traffic through a single, cloud-based service provider.
Whether this increases the risk or decreases the risk depends upon an accurate comparison of local risks, such as inconsistent settings and an inability to keep up with packet inspections, versus FWaaS risks like possible company shutdown with FWaaS failure or possible breach of all traffic with FWaaS hack. The risk probabilities and the organization’s ability to control the consequences should be honestly evaluated and compared.
As with other cloud and as-a-service offerings, FWaaS technology isn’t new, but it takes full advantage of the scalability and reach of the cloud.
This concept is explored in-depth in What is FWaaS and Why is FWaaS Important, but to briefly recap, traditional firewalls typically have been deployed as dedicated physical appliances, virtual appliances, or as software on servers. These traditional deployments only cover the local networks behind the firewall, and the firewall license, the hardware connected to the firewall, and the local network bandwidth act as hard capability limits for the firewall’s capabilities.
These constraints limit the capabilities of traditional firewalls in significant ways:
- Limited processing cores and memory cap the capacity.
- Limited network bandwidth caps the amount of traffic that can pass through the firewall without delay, which limits the resources a single firewall appliance can protect.
- Limited overall capacity limits what features can be enabled or licensed.
Moving to the cloud enables FWaaS providers to deploy functionally-unlimited cores, memory, storage, features, and bandwidth. With limits removed, customers can now determine the security features they need and can deploy it across as many resources as needed worldwide.
As a caution, be aware of the difference between cloud firewalls and FWaaS. While the term isn’t standardized, cloud firewalls typically act as a traditional local-network firewall with the usual resource and bandwidth limitations, only installed into a cloud environment’s virtual network.
FWaaS sits between the internet and everything else on the organization’s network infrastructure: local networks, cloud resources, remote users, and SaaS applications. FWaaS provides the following core functions as a global network-encompassing firewall:
- Allows safe remote access between all users and all connected resources, regardless of their location or deployment
- Inspects traffic to detect and address threats
- Filters destination IP addresses to block malicious locations
- Provides insight into threats against the organization through consolidated observation of attacks and traffic patterns
- Consolidates and standardizes management of firewall security and deployment for consistent security and compliance
- Simplifies deployment and cost management for a scalable, global resource
The adoption of aaS solutions continues to revolutionize the IT landscape. Organizations continue to enjoy increased financial flexibility as they offload CapEx expenses and their associated maintenance and integration requirements.
FWaaS is no exception. Organizations that adopt FWaaS can enjoy the full functionality of firewall security with possible improvements for costs, consistency, performance, and security. Any organization looking to replace or upgrade their current firewall solution should consider FWaaS as a potential solution.