
Firewall-as-a-Service (FWaaS) in a Secure Access Service Edge (SASE) Model for Decentralized Network Architectures

In a recent webinar, AWS and SANS explored how the rise in remote workforces has illustrated the need for decentralized network security architectures. A secure access service edge (SASE) implementation brings cloud capabilities to networking and security and involves several security technologies, including firewall-as-a-service (FWaaS).

Read this article to learn about FWaaS challenges and benefits, and what to know when considering a FWaaS migration.

Key Takeaways:

  • Exploring the evolution of firewalls, next-generation firewalls (NGFWs), and the move to the cloud
  • Discussing FWaaS migration concerns and benefits
  • One customer’s story of how their SASE approach increased visibility into all personal and unmanaged devices
  • Discovering how AWS Marketplace facilitates the procurement of SASE and FWaaS solutions

Firewalls and the Move to the Cloud

As cloud technologies improved over the last several years, organizations transformed their infrastructure, and with growing remote workforces, the pandemic further redefined the “traditional” network architecture.

While historically, organizations have had a physical, centralized infrastructure that offered visibility over all traffic, the move to the cloud begins to reduce security teams’ visibility. Traffic to those cloud applications and servers no longer passes through their choke points at the existing network perimeter.

A secure access service edge (SASE) model can increase visibility by creating a new perimeter that will provide insight into both cloud and on-premises activity. This is where the concept of an “edge” comes into play within this context. A unified SASE approach implements a security layer capable of securing on-premises data centers and offices, remote workforces, and cloud applications and services.

20% of Americans will be working from home full-time post-pandemic, up from just 5% pre-pandemic. — National Bureau of Economic Research

Figure: Traditional Firewall Deployment Architecture

Figure: SASE Implementation in a Hybrid Network

Next-Generation Firewalls (NGFWs) vs. Firewall-as-a-Service (FWaaS)

Prior to this new need for better cloud protection, the security market and its practitioners trended toward using Next-Generation Firewall (NGFW) appliances for implementing firewall protection at network perimeters.

However, the need for a broader solution comes from the fact that NGFWs are typically deployed in the form of physical appliances in a distributed fashion.

Next-generation firewalls (NGFWs): Network security devices that extend the capabilities of traditional, stateful firewalls with features such as application awareness, intrusion prevention, and threat intelligence enrichment.

Firewall-as-a-Service (FWaaS) essentially aims to take the functionality and capabilities of physical NGFW appliances and move them to the cloud by leveraging a cloud-based virtual appliance. Once deployed, an organization’s firewall capabilities are no longer limited by location and resources.

FWaaS provides a flexible and scalable approach to network security at the edge. Positioning a FWaaS within a SASE infrastructure removes the need for complex routing rules that ensure any relevant traffic is visible to the security appliance. This reduces latency because traffic no longer needs to be sent to a data center for processing; instead, processing occurs at the edge, on a more immediate path between the source and destination.

Addressing FWaaS Migration Concerns

When an organization decides to significantly change its technology stack, such as by moving to a cloud or hybrid model, stakeholders will always have concerns, but FWaaS benefits outweigh migration challenges.

The SASE model may be overwhelming to those who have operated with the old model of network security for most of their careers, but once network security architects open up to the possibility of the FWaaS approach, the value will become clear quickly.

Specifically, the Shared Responsibility Model (SRM) that comes with a SASE/FWaaS approach not only reduces cost and effort for internal network security teams, but also often increases resiliency and decreases response times.

The acquisition of a SASE/FWaaS model can also be a barrier to adoption for some organizations, as they may be tied into existing physical NGFW contracts. However, overcoming the lack of visibility with an NGFW—and the assumed risk of a potential breach due to that lack of visibility—is often worth the incremental investments in FWaaS.

The Benefits of FWaaS

Simplified Deployment & Management

  • A single firewall deployment regardless of geographic location of the organization’s assets
  • A single interface for management for quick syncing of configurations across the network
  • Bundled FWaaS and SASE components for vendor consolidation


  • Unlimited, near real-time scaling of resources such as storage, memory, CPUs, and more
  • Eliminated hardware acquisition costs for managing seasonal spikes in demand or geographical expansion

Reduced Maintenance & Improved Resiliency

  • Shared Responsibility Model (SRM) that distributes the responsibility of hosting, infrastructure connectivity, and scaling to meet demand and maintenance such as patching
  • The SLAs of an SRM that offer uptime commitments of 99.99% or more

Time & Cost Savings

  • Reduced internal resources needed due in part to SRM
  • No hardware management or power costs
  • No new hardware costs to accommodate scale

Simplified Log Management

  • Simplified log routing from FWaaS to SIEM and other logging solutions

See it in Action: Lyft


Lyft needed to streamline access to internal applications hosted on Amazon Web Services (AWS).


Cisco used Duo Beyond to give Lyft a centralized view into all managed and unmanaged devices so it could quickly deploy risk mitigation policies.


  • 50% reduction in total cost of ownership (TCO)
  • Complete visibility into all personal and unmanaged devices
  • Faster deployment of Lyft’s zero-trust strategy

“Duo Beyond has enabled us to push our zero-trust strategy faster, allowing us to utilize client systems (ChromeOS to be specific) that were difficult and costly to support, making it very low effort to bring new services online and grant granular access control.” —Mike Johnson, CISO, Lyft

Cisco Secure and SecureX for Lyft

Integrating Secure Access Service Edge (SASE)/FWaaS with AWS

Manage your own firewall—according to your requirements—without the management overhead.

  • Managed infrastructure for high availability
  • Flexible rules engine gives you fine-grained control
  • Use open-source Suricata rules for Intrusion Detection/Prevention
  • Centrally managed across all your accounts with AWS Firewall Manager

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
