So far in this series, we have covered DNS-Layer Security, the Secure Web Gateway (SWG), and the Cloud Access Security Broker (CASB). As we continue to explore the critical role of data in powering the different pieces of the SASE framework, this post focuses on Firewall-as-a-Service (FWaaS) as the next layer of SASE security.
The Evolution from Firewall, to Next-Generation Firewall, to Firewall-as-a-Service
Firewalls have long been a fundamental piece of cybersecurity, performing malicious and phishing detection at the network traffic level. Traditionally, firewalls were installed on-premises and designed to inspect network traffic at the point where it enters or exits the network. To keep up with the changing conditions in the corporate work environment and the growing threat landscape, what started off as the Unified Threat Management appliance in the late 1990s (for anyone old enough to remember) became the Next-Generation Firewall (NGFW) in the 2000s. NGFWs were introduced as a more advanced solution with an extended set of features: greater visibility for application awareness and control, integrated intrusion prevention, advanced threat protection, cloud-delivered threat intelligence, SSL inspection and SSH control, web filtering, and more. The growth of cloud applications, combined with the shift to a modern remote work environment that moved data out of data centers and into the cloud, has made on-premises deployments of NGFWs both less effective and increasingly costly to deploy, manage and maintain. As organizations continue to adopt cloud-native SaaS environments with endpoints both inside and outside the network perimeter, firewalls have had to evolve accordingly. To meet the needs of the modern cloud and hybrid work environment, and to reduce overall costs, organizations now have the option of deploying the cloud-native Firewall-as-a-Service (FWaaS).
The Firewall-as-a-Service (FWaaS) is a centrally managed, cloud-native firewall service that delivers all of the capabilities of the NGFW like URL filtering, advanced threat prevention, intrusion prevention systems (IPS), and DNS security, while allowing organizations to eliminate costly appliances, simplify their infrastructure, and improve overall security.
Key Features of the Firewall-as-a-Service
Centralized Management. A centrally managed console allows organizations to offer the same level of protection to any user, on any device, connecting from any location by supporting a unified security policy deployed via the cloud. Additionally, centralized management reduces the strain on IT departments to manage and maintain individual appliances.
Intrusion Prevention System (IPS). Intrusion prevention systems are designed to detect and block malicious threats that target an organization’s systems and applications. The FWaaS moves the IPS into the cloud to inspect user traffic both on- and off-network, which extends threat protection to all users regardless of device or location.
DNS Security and Control. The FWaaS brings the same front-line defense of DNS filtering to the cloud and prevents users from accessing high-risk or potentially dangerous DNS connections to malicious, phishing, and non-sanctioned (objectionable) content domains. Cloud-based DNS security optimizes DNS resolution to improve cloud application performance for a better user experience, and provides more granular controls to detect and prevent DNS tunneling.
Visibility and Simplified Management. A FWaaS enables real-time visibility, control, and immediate policy enforcement across the platform. It is also designed with advanced analytic capabilities to improve event correlation for greater contextual relevance and insight into active threats and vulnerabilities detected.
URL Filtering. URL filtering allows you to implement security protocols that will block high risk or potentially dangerous connections to malicious, phishing, and non-sanctioned (objectionable) content domains. The most common approach is to have a simple, straightforward set of filtering rules designed for minimal sysadmin intervention and the ability to prevent most of the domain-level threats in as unobtrusive a way as possible.
Data Quality Drives Performance
SASE vendors that include Firewall-as-a-Service in their solution suite, particularly those pursuing a maximum-protection model, are advised to evaluate the same key areas we have recommended previously (included again below), with a particular focus on threat detections, a highly granular taxonomy for content classification, and the critical capability to block and filter full-path URLs.
- Threat Detection Speed. How quickly are new and emerging threats detected — hours, days, longer? While the average time to detect can be tricky to pinpoint, it can be evaluated by measuring one threat feed provider against another. It goes without saying, the fastest time to detect is crucial to threat protection.
- Accuracy. While the fastest time to detect may be a leading priority, it should not be considered independently of accuracy. A lack of accuracy, or a high false-positive rate, can ultimately work against you.
- Coverage. Your visibility into the threat landscape, and ability to protect users and endpoints, depends on having extensive coverage of the ActiveWeb and global clickstream traffic.
- Curation vs Aggregation. Data curation is another fuzzily defined term. Some threat feed providers claim to curate threat feeds when what they are really doing is aggregating a selection of feeds, as opposed to actually curating the data that comes from those feeds to achieve maximum coverage with the lowest possible number of false positives.
- Content Classification. A premium domain database will also have excellent coverage for all forms of objectionable and other content, providing the vendor with the opportunity to offer content-based filtering to supplement the phishing and malicious threat protection.
- Real-Time Detection/Update Capability. What constitutes ‘real-time’ in terms of technology applications can vary from minutes to hours. It’s important to understand how each threat feed provider defines real-time detections, as well as real-time updates (the time between which a threat is detected and the time that threat propagates to deployments).
- URL Level Classification for Blocking. It’s important to have the ability to filter and block URLs at various levels depending on the implementation — domains, subdomains, IPs and full-path. In some cases, blocking at the domain or subdomain level is perfectly fine. Other times, full-path URL blocking is necessary to protect against threats more deeply embedded in commonly whitelisted sites like Google Docs, Dropbox, etc.
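To make the last point concrete, here is an added example (not zvelo's code) of a minimal policy matcher that blocks at the four granularities listed above: a full-path rule blocks one document on an otherwise allowed site while its siblings stay reachable, a domain rule covers every label beneath it, a subdomain rule covers one exact host, and an IP rule covers URLs that use a raw address. The hostnames, network and paths are constructed placeholders.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample policy: all names, paths and addresses are placeholders.
POLICY = {
    # Block the registered domain and every host beneath it.
    "domain": {"malware-example.test"},
    # Block one exact host only; sibling hosts of the same domain stay allowed.
    "subdomain": {"bad.cdn-example.test"},
    # Block by destination network for URLs that use a raw IP instead of a name.
    "ip": [ip_network("203.0.113.0/24")],
    # Block a single document on a widely used, otherwise allowed site.
    "full_path": {"docs.example.com/document/d/phish-123"},
}

def _host_and_path(url: str) -> tuple[str, str]:
    """Split a URL into a lower-cased host and its path (query is ignored)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path or "/"

def classify(url: str, policy: dict = POLICY) -> str:
    """Return the block level that matches, or 'allow' if no rule applies."""
    host, path = _host_and_path(url)
    # Most specific first: a full-path hit wins even on an allowed host.
    if f"{host}{path}" in policy["full_path"]:
        return "block:full_path"
    try:
        addr = ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # Raw-IP URLs never match name-based rules, only network rules.
        return "block:ip" if any(addr in n for n in policy["ip"]) else "allow"
    if host in policy["subdomain"]:
        return "block:subdomain"
    # A domain rule matches the domain itself and any subdomain of it.
    labels = host.split(".")
    if any(".".join(labels[i:]) in policy["domain"] for i in range(len(labels))):
        return "block:domain"
    return "allow"
```

A production matcher would also normalize paths (case, percent-encoding, trailing slashes) before comparing, otherwise trivial rewrites of the same URL slip past the full-path rule.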
How FWaaS Fits with the SASE Framework
The SASE architecture is based on the idea of moving security systems and infrastructure into the cloud to offer better security for hybrid workforces while simplifying infrastructure requirements and reducing costs – which makes the FWaaS a better option than the NGFW for the SASE model. Like all the other pieces in the SASE framework, there is some overlap between the functionality of the FWaaS and that of an SWG, CASB, DNS Filtering, etc., but each has a different use case because each was designed to monitor specific types of traffic. Firewalls are specifically designed to monitor ALL network traffic, including machine-to-machine traffic and non-web traffic. They function at the packet level, inspecting packets entering or leaving the network and comparing their contents against signatures of known threats. FWaaS brings that same functionality, along with other enhancements, into the cloud environment to fit the SASE framework. By contrast, SWGs operate at the application level to inspect web traffic, while CASBs monitor and secure SaaS traffic in the cloud. So, while they share similar functions, the use cases are different, and they all work in conjunction to maximize security by monitoring all the various types of traffic — human-generated web traffic, machine-to-machine and non-web traffic, mobile, etc. — on the network.
Where zvelo fits with FWaaS and SASE
zvelo is the #1 provider of premium cyber threat intelligence data, URL database, and web classification services to SASE vendors. zveloDB is the market’s premier Domain Database with the broadest coverage of phishing, malicious and objectionable content detections, lowest FP rate, fastest time to update, and best lookup performance speed. Additionally, the zveloCTI threat data offers both phishing and malicious detection threat feeds to support the need for full-path, cloud-native threat protection you need to power your FWaaS. From DNS Filtering, to SWG, to CASB, to FWaaS, and more, zvelo is a data powerhouse for all of the SASE functions, all available through a single integration.
Up Next in the SASE Blog Series: Remote Browser Isolation: SASE Protection Against Browser-Based Attacks