ARN

Examining firewall as a service

Virtualising physical appliances is just one part of the equation.
  • Jon Gold (Network World)
  • 09 September, 2021 11:45

Firewall as a service, or FWaaS, relies on technology in the cloud. A user or application connects to the FWaaS via the internet, and the service applies the domain rules, URL filtering, and other security controls that physical firewall appliances use. The idea is to replace the multitude of hardware firewalls you’d need to secure all of your business’ traffic from all of its different operational sites with secure internet connections to the service.

What’s wrong with firewall appliances?

Possibly nothing. Physical firewalls are still quite popular, particularly for businesses without a lot of different locations and without a lot of remote workers. They even have some advantages over FWaaS, like different cost profiles. On-prem firewalls are a capital expenditure up front but tend to be cheaper over time. They also have lower latency.

Why is FWaaS more prominent now?

The pandemic and its attendant spike in remote working made things tough on businesses that needed their employees’ connections to be protected at all times. FWaaS can protect connections coming from anywhere, from a branch office or even a remote worker’s study. Gartner estimates that FWaaS will go from a US$251 million industry to about US$2.6 billion by 2025, assuming that current remote-working trends continue. That would give FWaaS a 21 per cent share of the roughly US$12 billion firewall market in less than five years. Most of the fastest growth has been in North America and Europe.

How is it deployed?

It’s considerably easier than deploying a substantial number of hardware appliances across numerous branch offices, but it’s not the simplest thing in the world, either, according to Adam Hils, a senior research director at Gartner.

“[Organisations must] get some kind of understanding of what kind of access they need at each branch and configure the firewall,” he said. “This can involve multiple configurations, but, again, it’s not nearly as complex as plopping a thousand physical firewalls down in a network and having to configure those.”

How does FWaaS work, exactly?

It’s conceptually quite simple: It does precisely the same things an on-prem firewall does; it just does them remotely, either from a physical point of presence in a data center somewhere or in the cloud. The precise location of where the firewall workload happens varies by vendor.

It’s also worth noting that FWaaS is often either bundled with SD-WAN by networking vendors or simply used in tandem with another SD-WAN offering. It becomes another connection the SD-WAN manages and provides centrally managed firewall protection.

Are cloud firewalls and FWaaS the same thing?

Cloud firewall is a marketing term, and, according to IDC research manager Chris Rodriguez, isn’t a particularly helpful one. “I’d caution against cloud firewall because it’s confusing. Is it a firewall in the cloud or a firewall that’s defending a cloud network?” he said. So the short answer is cloud firewall and FWaaS are not necessarily the same thing.

What are the downsides of FWaaS?

For one thing, FWaaS can be pricey from an opex point of view, and it doesn’t get cheaper over time like a group of physical firewalls would. For another, there’s the issue of small transmission delays as the traffic gets filtered through the FWaaS.

“There can be some latency because you have to send user traffic through that cloud and to wherever it’s bound for,” said Hils. If, for example, a FWaaS provider’s nearest point of presence is down, round-trip times for the connections that were using that point would get substantially longer.