The shift away from predominantly on-premises IT to cloud-based solutions is causing significant security challenges given today’s work-from-anywhere business models. As people and digital assets spread beyond the walls of the traditional enterprise, risks and vulnerable attack surfaces increase, causing IT leaders to reevaluate their firewall strategies.
While on-premise firewall appliances remain strong tools, relying on them for remote locations is an increasingly deficient approach. Why? Because it requires remote users to route their Internet sessions through firewall appliances in a data center, which is inefficient, costly, and bad for performance. The alternatives are equally problematic. For example, arranging hardware firewalls at branch offices are expensive and hard to manage.
A cloud-based approach to the firewall, also known as Firewall-as-a-Service (FWaaS), is a popular solution, enabling efficient security for the cloud-first and work-from-anywhere enterprise. So it’s no surprise that cloud firewalls have become a primary component in Gartner’s secure access service edge (SASE) framework. But does that mean all firewalls should migrate to the cloud? In this article, we explore the advantages of cloud firewalls, the role they play in SASE, and when to opt for the cloud or stick with on-premise.
Next-generation firewalls (NGFW) are an effective first line of security defense. However, using centralized NGFW appliances installed in a corporate data center is not an easy approach for companies with geographically distributed employees. In these scenarios, workers are trying to access corporate assets in the cloud using their home Internet connections. But with a centralized firewall, this traffic must be routed first to the data center so it can pass through the firewall before going to the cloud service. This is known as backhauling traffic, and it’s inefficient.
Issues with the on-premises NGFW include:
Cloud firewalls change the NGFW deployment model from local appliances to the cloud, which is much better suited for addressing today’s use cases–primarily cloud services and work-from-home (WFH) employees. It provides all the security capabilities of an appliance but with these additional benefits, which solve the problems outlined above:
With cloud firewalls solving so many challenges, it’s easy to see why many IT leaders are bullish about it. Even the SASE framework makes them a key component–a prerequisite if you will. So, is it the end of the on-premise appliance? And moreover, should your SASE approach only put firewalls in the cloud? Zeus Kerravala, Principal Analyst and Founder of ZK Research, says IT executives shouldn’t jump to conclusions or assume the SASE model is that prescriptive. “The world may have gone cloud crazy, but there is still a role for on-premises infrastructure,” he wrote in this Network World article on this topic.
So, when should you go cloud versus on-premise?
The short answer: When you’re designing solutions for big companies and headquarter locations with large traffic workloads.
When it comes to large sites, IT leaders find the dedicated security appliance is still the best solution. That’s because on-premise firewalls have a lower cost of ownership when compared to cloud firewalls–at least in the case of large offices. And the appliance firewall, with highly-specialized security ASICs, perform better too–providing a consistent, responsive user experience.
It’s also worth noting that appliance firewalls can be managed via the cloud using cloud-based management tools. This simplifies the duties of the IT team, helping with consistent policy management. Cloud-managed firewall appliances are hardware after all, so they are always a capital expense. Thus, for IT decision makers it’s a matter of balancing the benefits against costs to achieve the right outcomes for your business. This balancing act explains why the flexibility to mix and match both cloud and on-premises firewalls is attractive when comparing SASE solutions.
In November 2020, Masergy strengthened its SD-WAN Secure solution to offer SASE capabilities, combining security technologies from leaders in their respective Gartner, Inc. Magic Quadrants to deliver a converged network and security solution.
Masergy offers a fully managed cloud firewall as well as a useful hybrid option. Masergy supports a productive blend of cloud-based and high-performing on-premises NGFW appliances. This approach enables people at headquarters to enjoy the advantages of hardware-based firewalls. It’s a flexible model. This comes in handy when an organization wants to use cloud firewalls for smaller offices with lower employee counts, but deploy NGFW appliances in the central office.
Masergy uses Fortigate NGFWs. Fortigate’s specially designed security ASICs provide multigigabit line speed performance. They are also highly cost effective. Fortigate is recognized as a Leader in the Gartner NGFW Magic Quadrant. The managed hybrid cloud/appliance service offers the further advantage of near real time monitoring for security events across the entire cloud and on-premises network ecosystem.
Working with the Masergy managed hybrid firewall service, it is possible to have a quick, effective incident response, regardless of organization size. Indeed, many mid-enterprises simply do not have the budget or expertise to do 24/7 monitoring and handle the alerts from NGFWs. Masergy does. We offer cloud and on-premises firewalls (and a hybrid of both) all with Threat Monitoring and Response, so you get a fully managed service. All firewalls are managed together under a single, consistent security policy.
Learn more about Masergy’s SASE offering with cloud firewalls
CASB is essential in a world where the cloud and remote work dominate. Here we examine use cases for it and how it fits into the SASE model.
Masergy can now make affordable public broadband connections perform like the most expensive ones do — delivering high-performance services.
The pairing of two technologies — SASE and AIOps — accelerates innovation, creating a new breakthrough for autonomous networking.