In a recent webinar, AWS and SANS explored how the rise in remote workforces has illustrated the need for decentralized network security architectures. A secure access service edge (SASE) implementation brings cloud capabilities to networking and security and involves several security technologies, including firewall-as-a-service (FWaaS).
Read this article to learn about FWaaS challenges and benefits, and what to know when considering a FWaaS migration.
Key Takeaways:
- Exploring the evolution of firewalls, next-generation firewalls (NGFWs), and the move to the cloud
- Discussing FWaaS migration concerns and benefits
- One customer’s story of how their SASE approach increased visibility into all personal and unmanaged devices
- Discovering how AWS Marketplace facilitates the procurement of SASE and FWaaS solutions
Firewalls and the Move to the Cloud
As cloud technologies improved over the last several years, organizations transformed their infrastructure, and with growing remote workforces, the pandemic further redefined the “traditional” network architecture.
While historically, organizations have had a physical, centralized infrastructure that offered visibility over all traffic, the move to the cloud begins to reduce security teams’ visibility. Traffic to those cloud applications and servers no longer passes through their choke points at the existing network perimeter.
A secure access service edge (SASE) model can restore that visibility by creating a new perimeter that provides insight into both cloud and on-premises activity. This new perimeter is the “edge” in the name. A unified SASE approach implements a security layer capable of securing on-premises data centers and offices, remote workforces, and cloud applications and services.
20% of Americans will be working from home full-time post-pandemic, up from just 5% pre-pandemic. — National Bureau of Economic Research
Next-Generation Firewalls (NGFWs) vs. Firewall-as-a-Service (FWaaS)
Prior to this new need for better cloud protection, the security market and its practitioners trended toward using Next-Generation Firewall (NGFW) appliances for implementing firewall protection at network perimeters.
However, NGFWs are typically deployed as physical appliances distributed across individual sites, which is why a broader solution is needed.
Next-generation firewalls (NGFWs): Network security devices that extend the capabilities of traditional, stateful firewalls with features such as application awareness, intrusion prevention, and threat intelligence enrichment.
Firewall-as-a-Service (FWaaS) essentially aims to take the functionality and capabilities of physical NGFW appliances and move them to the cloud by leveraging a cloud-based virtual appliance. Once deployed, an organization’s firewall capabilities are no longer limited by location and resources.
FWaaS provides a flexible and scalable approach to network security at the edge. Positioning a FWaaS within a SASE infrastructure removes the need for complex routing rules that ensure any relevant traffic is visible to the security appliance. This reduces latency as traffic no longer needs to be sent to a data center for processing; instead, it occurs at the edge, a more immediate path between the source and destination.
Addressing FWaaS Migration Concerns
When an organization decides to significantly change its technology stack, such as moving to a cloud or hybrid model, stakeholders will always have concerns, but the benefits of FWaaS outweigh the migration challenges.
The SASE model may be overwhelming to those who have operated with the old model of network security for most of their careers, but once network security architects open up to the possibility of the FWaaS approach, the value will become clear quickly.
Specifically, the Shared Responsibility Model (SRM) that comes with a SASE/FWaaS approach not only reduces cost and effort for internal network security teams, but also often increases resiliency and decreases response times.
The acquisition of a SASE/FWaaS model can also be a barrier to adoption for some organizations, as they may be tied into existing physical NGFW contracts. However, overcoming the lack of visibility with an NGFW—and the assumed risk of a potential breach due to that lack of visibility—is often worth the incremental investment in FWaaS.
The Benefits of FWaaS
Simplified Deployment & Management
- A single firewall deployment regardless of geographic location of the organization’s assets
- A single interface for management for quick syncing of configurations across the network
- Bundled FWaaS and SASE components for vendor consolidation
Scalability
- Unlimited, near real-time scaling of resources such as storage, memory, CPUs, and more
- Eliminated hardware acquisition costs for managing seasonal spikes in demand or geographical expansion
Reduced Maintenance & Improved Resiliency
- Shared Responsibility Model (SRM) that distributes the responsibility for hosting, infrastructure connectivity, scaling to meet demand, and maintenance such as patching
- The SLAs of an SRM that offer uptime commitments of 99.99% or more
Time & Cost Savings
- Reduced internal resources needed due in part to SRM
- No hardware management or power costs
- No new hardware costs to accommodate scale
Simplified Log Management
- Simplified log routing from FWaaS to SIEM and other logging solutions
See it in Action: Lyft
Challenge
Lyft needed to streamline access to internal applications hosted on Amazon Web Services (AWS).
Solution
Cisco’s Duo Beyond gave Lyft a centralized view into all managed and unmanaged devices so it could quickly deploy risk mitigation policies.
Result
- 50% reduction in total cost of ownership (TCO)
- Complete visibility into all personal and unmanaged devices
- Faster deployment of Lyft’s zero-trust strategy
“Duo Beyond has enabled us to push our zero-trust strategy faster, allowing us to utilize client systems (ChromeOS to be specific) that were difficult and costly to support, making it very low effort to bring new services online and grant granular access control.” —Mike Johnson, CISO, Lyft
Integrating Secure Access Service Edge (SASE)/FWaaS with AWS
Manage your own firewall—according to your requirements—without the management overhead.
- Managed infrastructure for high availability
- Flexible rules engine gives you fine-grained control
- Use open-source Suricata rules for Intrusion Detection/Prevention
- Centrally managed across all your accounts with AWS Firewall Manager
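The list above mentions Suricata-compatible rules for intrusion detection and prevention in a managed rules engine. The following is an added example, not code from AWS, SANS, or the webinar: it assembles a small set of Suricata-format stateful rules, validates them (unique numeric `sid`, a `msg` so SIEM alerts are attributable to a rule), distinguishes detection-only (`alert`) from blocking (`drop`/`reject`) rules, and shapes the result as the request body that `aws network-firewall create-rule-group` accepts via `RulesSource.RulesString`. The sample rules, the rule group name `egress-baseline`, and the `example.invalid` host are constructed for illustration; the assumption that `$HOME_NET` defaults to the VPC CIDR is based on AWS documentation and is not stated on this page.

```python
"""Added example (not AWS's or SANS's code): assemble a Suricata-compatible
stateful rule set and package it as an AWS Network Firewall rule group."""
import json
import re

# Constructed sample rules (not from the page). In Suricata terms "alert"
# only records a match (detection) while "drop" also blocks it (prevention).
# $HOME_NET / $EXTERNAL_NET are Suricata variables; Network Firewall sets
# HOME_NET to the VPC CIDR by default (assumption based on AWS docs).
SAMPLE_RULES = """\
drop tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"Block outbound Telnet"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"Outbound RDP observed"; sid:1000002; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Block TLS to example.invalid"; tls.sni; content:"example.invalid"; nocase; sid:1000003; rev:1;)
"""

_HEADER = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<src_port>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dst_port>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_rule(line: str) -> dict:
    """Split one rule into its header fields and an options dict.
    Options are split naively on ';' and ':' (enough for the sample;
    escaped ';' inside quoted content is not handled)."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    rule["options"] = opts
    return rule


def validate_rules(text: str) -> list:
    """Parse every non-comment line; require a unique numeric sid and a msg
    so alerts routed to the SIEM can be traced back to a specific rule."""
    seen = set()
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        sid = rule["options"].get("sid")
        if not sid or not sid.isdigit():
            raise ValueError(f"rule lacks numeric sid: {line!r}")
        if sid in seen:
            raise ValueError(f"duplicate sid {sid}")
        if "msg" not in rule["options"]:
            raise ValueError(f"rule {sid} lacks msg")
        seen.add(sid)
        rules.append(rule)
    return rules


def prevention_rules(rules: list) -> list:
    """Return the sids of rules that block traffic rather than only alert."""
    return [r["options"]["sid"] for r in rules if r["action"] in ("drop", "reject")]


def build_rule_group(name: str, text: str, capacity: int = 100) -> dict:
    """Shape the validated rules as the request body for
    network-firewall create-rule-group (RulesSource.RulesString)."""
    validate_rules(text)
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {"RulesSource": {"RulesString": text}},
    }


if __name__ == "__main__":
    parsed = validate_rules(SAMPLE_RULES)
    print(f"{len(parsed)} rules; blocking sids: {prevention_rules(parsed)}")
    print(json.dumps(build_rule_group("egress-baseline", SAMPLE_RULES), indent=2))
```

Running the script prints the rule group document; writing it to a file and passing it with `--cli-input-json` to `aws network-firewall create-rule-group` is one way to submit it. Keeping `alert` and `drop` variants of the same signature in separate rule groups makes it straightforward to run a new signature in detection mode first and promote it to prevention once the SIEM shows no false positives.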