SASE, the appeal of cloud firewalls, and when on-prem still matters

Avatar for Jay BarbourBy Jay Barbour|Jan 26, 2021|7:30 am CST

The shift away from predominantly on-premises IT to cloud-based solutions is causing significant security challenges given today’s work-from-anywhere business models. As people and digital assets spread beyond the walls of the traditional enterprise, risks and vulnerable attack surfaces increase, causing IT leaders to reevaluate their firewall strategies.

While on-premise firewall appliances remain strong tools, relying on them for remote locations is an increasingly deficient approach. Why? Because it requires remote users to route their Internet sessions through firewall appliances in a data center, which is inefficient, costly, and bad for performance. The alternatives are equally problematic. For example, arranging hardware firewalls at branch offices are expensive and hard to manage.

A cloud-based approach to the firewall, also known as Firewall-as-a-Service (FWaaS), is a popular solution, enabling efficient security for the cloud-first and work-from-anywhere enterprise. So it’s no surprise that cloud firewalls have become a primary component in Gartner’s secure access service edge (SASE) framework. But does that mean all firewalls should migrate to the cloud? In this article, we explore the advantages of cloud firewalls, the role they play in SASE, and when to opt for the cloud or stick with on-premise.

Problems with on-premises NGFWs

Next-generation firewalls (NGFW) are an effective first line of security defense. However, using centralized NGFW appliances installed in a corporate data center is not an easy approach for companies with geographically distributed employees. In these scenarios, workers are trying to access corporate assets in the cloud using their home Internet connections. But with a centralized firewall, this traffic must be routed first to the data center so it can pass through the firewall before going to the cloud service. This is known as backhauling traffic, and it’s inefficient.

Issues with the on-premises NGFW include:

The cloud firewall solution

Cloud firewalls change the NGFW deployment model from local appliances to the cloud, which is much better suited for addressing today’s use cases–primarily cloud services and work-from-home (WFH) employees. It provides all the security capabilities of an appliance but with these additional benefits, which solve the problems outlined above:

Cloud firewalls and SASE: Should it be the end of the appliance?

With cloud firewalls solving so many challenges, it’s easy to see why many IT leaders are bullish about it. Even the SASE framework makes them a key component–a prerequisite if you will. So, is it the end of the on-premise appliance? And moreover, should your SASE approach only put firewalls in the cloud? Zeus Kerravala, Principal Analyst and Founder of ZK Research, says IT executives shouldn’t jump to conclusions or assume the SASE model is that prescriptive. “The world may have gone cloud crazy, but there is still a role for on-premises infrastructure,” he wrote in this Network World article on this topic.

So, when should you go cloud versus on-premise?

The short answer: When you’re designing solutions for big companies and headquarter locations with large traffic workloads.

When it comes to large sites, IT leaders find the dedicated security appliance is still the best solution. That’s because on-premise firewalls have a lower cost of ownership when compared to cloud firewalls–at least in the case of large offices. And the appliance firewall, with highly-specialized security ASICs, perform better too–providing a consistent, responsive user experience.

It’s also worth noting that appliance firewalls can be managed via the cloud using cloud-based management tools. This simplifies the duties of the IT team, helping with consistent policy management. Cloud-managed firewall appliances are hardware after all, so they are always a capital expense. Thus, for IT decision makers it’s a matter of balancing the benefits against costs to achieve the right outcomes for your business. This balancing act explains why the flexibility to mix and match both cloud and on-premises firewalls is attractive when comparing SASE solutions.

Cloud firewalls and hybrid options from Masergy

In November 2020, Masergy strengthened its SD-WAN Secure solution to offer SASE capabilities, combining security technologies from leaders in their respective Gartner, Inc. Magic Quadrants to deliver a converged network and security solution.

Firewalls in the cloud or on-prem–the choice is yours

Masergy offers a fully managed cloud firewall as well as a useful hybrid option. Masergy supports a productive blend of cloud-based and high-performing on-premises NGFW appliances. This approach enables people at headquarters to enjoy the advantages of hardware-based firewalls. It’s a flexible model. This comes in handy when an organization wants to use cloud firewalls for smaller offices with lower employee counts, but deploy NGFW appliances in the central office.

Best-of-breed security from Fortinet

Masergy uses Fortigate NGFWs. Fortigate’s specially designed security ASICs provide multigigabit line speed performance. They are also highly cost effective. Fortigate is recognized as a Leader in the Gartner NGFW Magic Quadrant. The managed hybrid cloud/appliance service offers the further advantage of near real time monitoring for security events across the entire cloud and on-premises network ecosystem.

Services to handle and respond to firewall alerts

Working with the Masergy managed hybrid firewall service, it is possible to have a quick, effective incident response, regardless of organization size. Indeed, many mid-enterprises simply do not have the budget or expertise to do 24/7 monitoring and handle the alerts from NGFWs. Masergy does. We offer cloud and on-premises firewalls (and a hybrid of both) all with Threat Monitoring and Response, so you get a fully managed service. All firewalls are managed together under a single, consistent security policy.

Learn more about Masergy’s SASE offering with cloud firewalls