If you ask any laptop user what a firewall is, there is a good chance that they will give a reasonably accurate answer, even if they aren't techies. The fiery orange brick wall drawn in every network diagram is neither a new technology nor an unfamiliar innovation. So, how come we are still talking about firewalls and trying to (re)define them?
Reminder: What Is a Firewall?
A firewall is a defensive device that can be software, hardware, or both and is used in network security to block or allow network traffic based on a set of pre-established rules or access control lists (ACLs). In other words, firewalls are physical and/or logical barriers that protect trusted (internal) networks from untrusted networks. However, this definition is incomplete, because firewalls are also deployed within an organization's "trusted" network to perform network segmentation.
There are different types of firewalls, distinguished by the functionality they provide and the level of security each organization requires. Among the many types are packet-filtering, circuit-level, application-level (proxy), stateful inspection, and Unified Threat Management (UTM) firewalls. Figure 1 summarizes some features of each type.
Figure 1: Some types of firewalls
All in all, firewalls are very important in any organization, as they are the first line of defense in any network. They monitor traffic and reduce malicious activity and risk. However, as the IT ecosystem grows and shifts, traditional firewalls have to adapt to current changes in network design and architecture.
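As an added illustration of the rule-based behaviour described above (example code written for this article, not from any firewall vendor or product), the following Python models a packet filter with an ordered ACL and shows how a stateful inspection layer differs from stateless packet filtering. The addresses, ports and rules are constructed sample data.

```python
# Added example (not from the article): an ordered ACL with first-match semantics
# and an implicit default deny, plus a stateful layer that admits replies to
# connections the ACL already permitted. Addresses and rules are sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

class StatefulFirewall:
    def __init__(self, acl: list):
        self.acl = acl
        self.sessions = set()            # 5-tuples of flows already allowed
    def acl_decision(self, p: Packet) -> str:
        for rule in self.acl:            # first matching rule wins
            if rule.matches(p):
                return rule.action
        return "deny"                    # implicit default deny
    def process(self, p: Packet) -> str:
        reply_of = Packet(p.dst, p.src, p.proto, p.dport, p.sport)
        if reply_of in self.sessions:    # return traffic of an allowed flow
            return "allow"
        decision = self.acl_decision(p)
        if decision == "allow":
            self.sessions.add(p)
        return decision

# Constructed policy: the LAN (10.0.0.0/8) may reach the DMZ (192.168.10.0/24)
# over TCP except SSH; rule order matters, so the SSH deny comes first.
SAMPLE_ACL = [
    Rule("deny", "10.0.0.0/8", "192.168.10.0/24", "tcp", 22),
    Rule("allow", "10.0.0.0/8", "192.168.10.0/24", "tcp"),
]
```

A stateless packet filter would need an explicit inbound rule for the server's replies, whereas the stateful layer allows them only because the outbound connection was already permitted.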
Next-Generation Firewalls (NGFWs) and Beyond
As the focus has turned to the application, adapting firewalls to protect applications has become inevitable. WAFs, or Web Application Firewalls, are devices that protect web servers and web applications from layer-7 threats and attacks (e.g., SQL injection, XSS, and DoS attacks). WAFs create a barrier between users and web applications by inspecting HTTP traffic.
Additionally, there are Next-Generation Firewalls (NGFWs). In a 2009 report, Gartner, Inc. defined them as deep-packet inspection firewalls that offer, in addition to traditional packet filtering firewalling, application-level inspection, intrusion detection, and intrusion prevention.
In a traditional network, the organizational security boundaries are well defined: internal and external, trusted and untrusted. Nowadays, more organizations are shifting towards cloud computing, Bring Your Own Device (BYOD), and Work From Anywhere (WFA) strategies. This shift upsets the traditional boundaries between internal and external networks. The enterprise's traditional focus on the perimeter has become an obsolete model. Instead, the new perimeter of an organization is a set of dynamic capabilities delivered when users and processes access the organization's resources. As a consequence, access control is moving outside the traditional enterprise perimeter. So, the earlier definition of a firewall as "the first line of security defense that protects the internal network from the external one" is no longer valid given this dynamic change of the network perimeter.
The Rise of FWaaS (Firewall as a Service)
With the shift toward cloud computing, firewalls were adapted into a cloud-based solution. These firewalls are known as cloud firewalls or FWaaS (Firewall-as-a-Service). They can be considered a type of application-level (proxy) firewall, and they are configured according to each organization's requirements. They are provided and maintained by third-party vendors. FWaaS also offers the NGFW capabilities explained above, with the added benefits of URL filtering, DNS security, and advanced threat prevention to meet the security challenges found in cloud computing.
FWaaS is the cloud-based security component of "Secure Access Service Edge" (SASE, pronounced "sassy"), introduced by Gartner, Inc. in 2019. SASE is an architectural concept that offers network and security capabilities as dynamic, on-demand access control. It combines network capabilities (software-defined wide-area networking (SD-WAN), WAN optimization) with security functions (such as secure web gateways (SWG), cloud access security brokers (CASB), FWaaS, and zero-trust network access (ZTNA)) to support that dynamic access control. SASE uses FWaaS to provide online protection and dynamic access control based on the context and identity of entities, and to give visibility into all traffic between edges (cloud, mobile, etc.) and from edges to the Internet.
How Different Is FWaaS From Legacy Firewalls?
FWaaS operates much the same as a traditional firewall: it enforces the set of rules defined by the organization to block or allow traffic on the network. The difference between a legacy on-premises firewall and FWaaS is that the latter is offered as a service and hosted in the cloud instead of being physically connected to the organization's routers and network. On-premises firewalls can be deployed as dedicated servers, physical appliances, or virtual appliances. FWaaS adds a fourth option: a firewall that is defined purely logically, in the provider's cloud.
To implement FWaaS, the organization must change its router settings to connect to the FWaaS provider. This way, traffic flows through the provider rather than only over the internal network.
Benefits of Using FWaaS
The main benefit of FWaaS is scalability. It can scale with demand, traffic load, and the growth of the organization in general. Using cloud-based firewalls makes it easier to add resources without the extra worry about security or hardware acquisition. FWaaS can be used to secure both the internal network and the cloud infrastructure.
Moreover, FWaaS can be configured for specific jobs (e.g., URL filtering), and it gives increased visibility of network traffic, all in one unified cloud platform. Furthermore, it extends protection to remote workers, securing their access to the organization's resources.
What Is the Best Firewall Architecture to Choose?
Choosing a firewall architecture for an organization depends, first and foremost, on the organization's needs and requirements: its size, its defined perimeters and edges, the availability and logical location of its resources, and the level of security required. Combining different types of firewalls and adding multiple layers of protection remains the best strategy for an organization to protect its data and resources, while keeping in mind scalability and the shifting Information Technology ecosystem.
- "Defining the Next-Generation Firewall." Gartner RAS Core Research Note (2009). [Online]: https://www.gartner.com/en/documents/1204914/defining-the-next-generation-firewall
- "Invest Implications: The Future of Network Security Is in the Cloud." Gartner (2019). [Online]: https://www.gartner.com/en/documents/3957375/invest-implications-the-future-of-network-security-is-in