It's time to move your security to the cloud.
Request a demo to learn how Zscaler's cloud firewall as a service can help make your organization more agile and secure.
Firewall as a service (FWaaS) is a network security technology referring to a cloud firewall that delivers advanced Layer 7/next-generation firewall (NGFW) capabilities, including access controls, such as URL filtering, advanced threat prevention, intrusion prevention systems (IPS), and DNS security.
The concept of FWaaS isn’t about simply virtualizing a network firewall appliance. FWaaS enables organizations to eliminate firewall appliances, simplify their IT infrastructure, and improve cybersecurity overall. With FWaaS, management is centralized from a single console, eliminating the challenges of change control, patch management, coordinating outage windows, and policy management associated with NGFW appliances while helping organizations deliver consistent policies, wherever users connect.
Traditional on-premises firewalls were designed and programmed to inspect network traffic for corporate offices. As the name suggests, FWaaS is delivered via the cloud; the main difference between the two is that on-premises firewalls struggle to scale and adapt to changing network demands and an evolving threat landscape. Because FWaaS is cloud native, it can do both, giving organizations a much more useful tool for securing data, keeping endpoints safe, and carrying out thorough security inspections.
Back when business happened in the office, traditional firewalls offered adequate network security. Because the scope of threats was limited to corporate offices—where employees were 99% of the time—there was no need for security and IT teams to extend a firewall’s services beyond its installation site.
Today, more and more organizations leverage cloud services such as SaaS, and with endpoints everywhere and new threats arising, firewalls can’t sit in the data center anymore. They must live in the cloud and scale to protect resources and employees everywhere.
Backhauling traffic to an NGFW at a corporate or regional data center made sense when applications resided in such data centers and most workers were in the office. But as applications began moving out of the data center and into the cloud—and as branch locations and remote work grew—these NGFWs became less effective.
Then, when the COVID-19 pandemic forced workers to move off the corporate network and begin connecting from everywhere, traditional approaches to networking and security, including the NGFW, became insufficient. That’s because NGFWs, just like other appliances, were never designed with the cloud in mind.
Frederick Janssen, VP of Global IT Infrastructure Portfolio, Siemens
Cloud applications, such as Salesforce and Microsoft 365, were designed to be accessed directly via the internet. Therefore, internet traffic must be routed locally to deliver a fast user experience. Routing traffic back to NGFWs in corporate data centers to egress to the internet no longer makes sense.
However, applying traditional security approaches to local internet breakouts means organizations would need to replicate the corporate security stack at every location. This would require deploying NGFWs or stacks of security appliances in every branch office, which is simply not viable in terms of the cost and complexity of deploying and managing them all.
It bears repeating: NGFWs were never designed to support cloud applications. NGFWs are easily overwhelmed by cloud apps because they can’t scale to support the high volume of long-lived connections the apps create. They also can’t handle SSL-encrypted traffic natively, which is increasingly important given the exponential growth in encrypted traffic during the past several years.
To execute SSL inspection, NGFWs must bolt on proxy capabilities that execute SSL inspection in software rather than at the chip level, which significantly impacts performance and results in a negative user experience.
FWaaS solutions are more than capable of carrying out capabilities such as deep packet inspection and much more suitable for data loss prevention because they’re cloud native. By being born in the cloud, FWaaS allows organizations to scale their security in ways that are impossible for NGFWs—although next-gen firewall vendors will say otherwise. In most cases, their security solutions are just virtualized firewall appliances, which can serve as good buffers but aren’t built for long-term cloud and hybrid workforce security.
As organizations embrace cloud infrastructure providers such as AWS to increase scalability, they still need to deliver enterprise firewall capabilities across the organization for all users and all locations. Unfortunately, NGFWs were architected more than a decade ago and aren’t designed to support cloud applications or the dynamic requirements of cloud computing in general.
Their virtual firewall counterparts have many of the same limitations and challenges as traditional NGFW appliances, lessening their effectiveness against modern cyberattacks. It makes sense, then, that as your applications move to the cloud, your firewalls should move with them.
FWaaS allows organizations to establish secure local breakouts for all applications without security appliances to buy, deploy, or manage. Security capabilities, including full Layer 7 firewall, are delivered as a cloud service that scales elastically to handle SSL inspection, growing bandwidth and user demands, and cloud application traffic with long-lived connections.
Centralized management from a single console enables organizations to deliver identical protection for any user, on any device, wherever they connect—whether they’re at the corporate office, visiting a local branch, or working from home.
FWaaS provides multiple benefits over NGFWs, including:
Now that you know how FWaaS can improve your security posture, your next question might be, “How can I begin my FWaaS journey?” Be wary. When it comes to FWaaS, there’s a bevy of service providers offering improved protection for data, endpoints, the cloud, and IoT, but only one vendor has built their firewall in the cloud, for the cloud—Zscaler.
The Zscaler Cloud Firewall, part of the integrated Zscaler Zero Trust Exchange™, brings next-gen firewall controls and advanced security to all users, in all locations, for all ports and protocols. It enables fast and secure local internet breakouts, and because it’s 100% in the cloud, there’s no hardware to buy, deploy, or manage.
NGFWs leave you bolting on countless security capabilities, making for a rigid and weak posture overall. The Zscaler Cloud Firewall allows you to:
Delivering Zero Trust with Cloud-Gen FirewallsWatch the webinar
Simplify network transformation with Zscaler Cloud FirewallRead the ebook
Zscaler Next-Generation Cloud Firewall
Zscaler Cloud Firewall A guide for secure cloud migrationGet the white paper
SD-WAN without a cloud firewall? Don’t even think about it!Read the blog