SASE, the appeal of cloud firewalls, and when on-prem still matters

Avatar for Jay BarbourBy Jay Barbour|Jan 26, 2021|7:30 am CST

The shift away from predominantly on-premises IT to cloud-based solutions is causing significant security challenges given today’s work-from-anywhere business models. As people and digital assets spread beyond the walls of the traditional enterprise, risks and vulnerable attack surfaces increase, causing IT leaders to reevaluate their firewall strategies.

While on-premise firewall appliances remain strong tools, relying on them for remote locations is an increasingly deficient approach. Why? Because it requires remote users to route their Internet sessions through firewall appliances in a data center, which is inefficient, costly, and bad for performance. The alternatives are equally problematic. For example, arranging hardware firewalls at branch offices are expensive and hard to manage.

A cloud-based approach to the firewall, also known as Firewall-as-a-Service (FWaaS), is a popular solution, enabling efficient security for the cloud-first and work-from-anywhere enterprise. So it’s no surprise that cloud firewalls have become a primary component in Gartner’s secure access service edge (SASE) framework. But does that mean all firewalls should migrate to the cloud? In this article, we explore the advantages of cloud firewalls, the role they play in SASE, and when to opt for the cloud or stick with on-premise.

Problems with on-premises NGFWs

Next-generation firewalls (NGFW) are an effective first line of security defense. However, using centralized NGFW appliances installed in a corporate data center is not an easy approach for companies with geographically distributed employees. In these scenarios, workers are trying to access corporate assets in the cloud using their home Internet connections. But with a centralized firewall, this traffic must be routed first to the data center so it can pass through the firewall before going to the cloud service. This is known as backhauling traffic, and it’s inefficient.

Issues with the on-premises NGFW include:

  • Burdens enterprise operations—It’s a huge chore to deploy and manage physical NGFW appliances in branch offices and home offices, for that matter. The process creates administrative burden, high costs and the opportunity for configuration errors that expose the organization to risk. Correctly sizing NGFW appliances for future growth has inherent uncertainties. Hardware upgrades can be expensive. And, the unpredictable load characteristics of a mobile workforce may yet render the remote appliances ineffective at delivering a high-performance network edge.
  • Drags down the remote user experience—Backhauling network traffic via VPN so it can exit a centralized NGFW tends to cause latency issues for remote workers. The end user experience will inevitably suffer. When a large percentage of employees are remote, this can lead to a wave of user complaints that no IT team enjoys, as it typically increases the number of IT tickets created.
  • Increases security risks—Appliance-based firewalls are designed to work with traditional security perimeters, i.e., based on location. Yet, this is no longer the firewall’s clear use case. The concept of an enterprise security perimeter has been steadily dissolving over the last few years, particularly with the widespread adoption of Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS). Recent trends have only accelerated this paradigm shift. Take for consideration the increased connectivity with business partners, driven by IT system integration, along with COVID-19 and the explosion of work from home. Relying on legacy on-prem firewalls increases risk due to the complexity of trying to protect users and mobile devices who are not tied to a location.

The cloud firewall solution

Cloud firewalls change the NGFW deployment model from local appliances to the cloud, which is much better suited for addressing today’s use cases–primarily cloud services and work-from-home (WFH) employees. It provides all the security capabilities of an appliance but with these additional benefits, which solve the problems outlined above:

  • Eases administrative burdens on enterprise operations: With cloud firewalls, IT no longer has to worry about forecasting, planning, deploying, upgrading and managing dedicated firewall appliances and related network infrastructure. In this sense, cloud firewall is analogous to other paradigm changing cloud-based services like IaaS and SaaS. Just like these other cloud resources, the cloud firewall dramatically simplifies IT operations, in this case avoiding issues that arise when swapping out appliances to increase capacity and so forth.Cloud firewall benefits include increased speed, agility, and return on investment (ROI). IT can get business sites or employees up and running more quickly, which enables faster time to value for new business investments. And, given how cloud firewalls scale indefinitely on demand, the challenges of forecasting and planning for firewall capacity are now the responsibility of the vendor—but this is something they know very well.
  • Accelerates the remote user experience: Regarding the user experience, for example, cloud firewalls do not require backhauling user traffic. This reduces latency issues along with other difficulties with connectivity. In addition, the cloud firewall simplifies the work of securing end users and their devices.
  • Improves security posture: Cloud firewalls also contribute to an improved overall security posture by making it easier to ensure that all devices are covered by NGFW capabilities, wherever they are. This has the effect of reducing an organization’s attack surfaces. Also, the centralized, direct control over virtual firewalls make it possible to configure and enforce firewall policies quickly and consistently to all users, regardless of their locations.

Cloud firewalls and SASE: Should it be the end of the appliance?

With cloud firewalls solving so many challenges, it’s easy to see why many IT leaders are bullish about it. Even the SASE framework makes them a key component–a prerequisite if you will. So, is it the end of the on-premise appliance? And moreover, should your SASE approach only put firewalls in the cloud? Zeus Kerravala, Principal Analyst and Founder of ZK Research, says IT executives shouldn’t jump to conclusions or assume the SASE model is that prescriptive. “The world may have gone cloud crazy, but there is still a role for on-premises infrastructure,” he wrote in this Network World article on this topic.

So, when should you go cloud versus on-premise?

The short answer: When you’re designing solutions for big companies and headquarter locations with large traffic workloads.

When it comes to large sites, IT leaders find the dedicated security appliance is still the best solution. That’s because on-premise firewalls have a lower cost of ownership when compared to cloud firewalls–at least in the case of large offices. And the appliance firewall, with highly-specialized security ASICs, perform better too–providing a consistent, responsive user experience.

It’s also worth noting that appliance firewalls can be managed via the cloud using cloud-based management tools. This simplifies the duties of the IT team, helping with consistent policy management. Cloud-managed firewall appliances are hardware after all, so they are always a capital expense. Thus, for IT decision makers it’s a matter of balancing the benefits against costs to achieve the right outcomes for your business. This balancing act explains why the flexibility to mix and match both cloud and on-premises firewalls is attractive when comparing SASE solutions.

Cloud firewalls and hybrid options from Masergy

In November 2020, Masergy strengthened its SD-WAN Secure solution to offer SASE capabilities, combining security technologies from leaders in their respective Gartner, Inc. Magic Quadrants to deliver a converged network and security solution.

Firewalls in the cloud or on-prem–the choice is yours

Masergy offers a fully managed cloud firewall as well as a useful hybrid option. Masergy supports a productive blend of cloud-based and high-performing on-premises NGFW appliances. This approach enables people at headquarters to enjoy the advantages of hardware-based firewalls. It’s a flexible model. This comes in handy when an organization wants to use cloud firewalls for smaller offices with lower employee counts, but deploy NGFW appliances in the central office.

Best-of-breed security from Fortinet

Masergy uses Fortigate NGFWs. Fortigate’s specially designed security ASICs provide multigigabit line speed performance. They are also highly cost effective. Fortigate is recognized as a Leader in the Gartner NGFW Magic Quadrant. The managed hybrid cloud/appliance service offers the further advantage of near real time monitoring for security events across the entire cloud and on-premises network ecosystem.

Services to handle and respond to firewall alerts

Working with the Masergy managed hybrid firewall service, it is possible to have a quick, effective incident response, regardless of organization size. Indeed, many mid-enterprises simply do not have the budget or expertise to do 24/7 monitoring and handle the alerts from NGFWs. Masergy does. We offer cloud and on-premises firewalls (and a hybrid of both) all with Threat Monitoring and Response, so you get a fully managed service. All firewalls are managed together under a single, consistent security policy.

Learn more about Masergy’s SASE offering with cloud firewalls