Why Next-Gen Firewalls Miss the Mark for Today’s Remote Workforce


For nearly three decades, next-gen firewalls (NGFWs) have proven to be essential perimeter-based security solutions, helping enterprises detect and block malicious traffic at the network edge. However, infosec pros are now evaluating whether next-gen firewall technology is the right approach for secure remote access in today's remote-heavy, hybrid-IT, COVID-19 world.

Organizations are currently experiencing the perfect storm: cyberattacks are on the rise; the majority of the workforce is remote and mobile; and cloud application adoption is at an all-time high, which means employees need protected access to both the cloud and the local network. COVID-19 also accelerated remote-workforce adoption and changed how organizations approach and prioritize the technology that connects different types of users, on corporate and personal devices, to business resources and applications. These trends look set to stay for the foreseeable future.

In fact, 84% of businesses anticipate broader and more permanent work-from-home adoption beyond the COVID-19 pandemic. Keeping this flexible workplace running smoothly, with remote users securely reaching resources across multi-cloud and hybrid IT infrastructure, requires additional traffic handling, stronger identity and endpoint enforcement, rapid access provisioning and more granular access control. Each of these places the NGFW at a disadvantage.

Performance Can’t Keep Up

The resources available on a next-gen firewall depend on several variables, including the number of users, the bandwidth they consume, and the number of sessions each user requires on average. Changes in the IT environment and in user behavior can invalidate those initial sizing assumptions. For example, adopting Office 365 drastically changes how many concurrent sessions the NGFW must manage, especially in highly regulated industries such as finance, where traffic from remote endpoints must be inspected. Even if local internet breakouts are allowed for remote endpoints, the NGFW still needs ample throughput headroom to deliver consistent performance, and scaling it out is costly and inefficient.

NGFW Can’t Handle Onerous SSL Traffic Demands

Next-gen firewalls cannot handle onerous SSL traffic demands. SSL (and its successor TLS) is the protocol family that encrypts data travelling between a user's computer and a target website and back, so that the data is protected in transit from the browser to the web server, whether the user is reaching a local network or the cloud. Decrypting that traffic for inspection and re-encrypting it on the NGFW is notoriously resource-intensive. This not only degrades user access but can also starve the other services enabled on the NGFW.

Increased Secure Remote Access Demands Challenging

An employee who wants VPN access from both a laptop and a smartphone will find the remote access features of an NGFW challenging to use. It is worse for administrators. Management becomes cumbersome as policies multiply to accommodate the many users, applications, access conditions and data protection obligations, which in turn delays access provisioning, auditing and maintenance. Administrative efficiency calls for an easy-to-use, centralized and secure access policy management interface rather than the individual rule management an NGFW imposes.

Scaling Out is More Costly

Upgrading NGFWs to provide even basic remote access leads to a cascading list of expenses, including additional licenses and load balancers, and implementing those changes can be disruptive to end users. The fact is that dedicated secure access solutions carry significantly lower overall cost and licensing management complexity than scaling up an NGFW.

Augment NGFW Capabilities With a Dedicated VPN

NGFWs do not adequately address performance, management, scale and security needs without breaking the bank and the administrator's back. Dedicated VPN solutions, by contrast, handle SSL traffic demands and advanced secure remote access scenarios better while delivering a high-quality end user experience. Dedicated VPN solutions provide functionality that goes beyond the abilities of an NGFW, including the following:

  • Flexible and user-friendly access, which is essential for the remote-heavy workforce. Dedicated VPNs provide service continuity that keeps users productive.
  • Split tunneling, which lets an endpoint connect to cloud apps directly instead of backhauling all traffic to the NGFW. This results in a more efficient connection with lower latency and therefore a better user experience.
  • A segregated administrative experience that helps maintain a more productive remote workforce. This requires a dedicated, simpler management interface through which secure access policies are defined, deployed and maintained, streamlining operations and avoiding errors. Troubleshooting also becomes less convoluted because access logs are kept separate from the NGFW's threat logs.
  • Stateful endpoint compliance, which ensures that endpoints, including BYOD, meet a minimum security posture before and while they are connected. Enforcing endpoint compliance this way also prevents IT support overload.
  • Dedicated VPN solutions ultimately integrate well with the overall network infrastructure, as well as with identity and access management (IAM) and single sign-on (SSO) solutions, so remote users don’t need to log in and authenticate separately whenever they connect to VPN.
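The split-tunneling and stateful endpoint compliance bullets above describe two decisions a VPN client and gateway make together: is this endpoint healthy enough to be admitted, and, once admitted, which destinations go through the tunnel and which go direct. The following Python is an added illustration of that policy logic, not Pulse Secure code or any product's actual implementation. The baseline requirements, the tunneled network list and the sample endpoints are all constructed for the example; real products express these as product-specific policy objects.

```python
"""Posture-gated split-tunnel policy (illustrative example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Minimum security posture an endpoint must meet before a session is admitted.
# Constructed baseline for this example; a real policy would be far richer.
BASELINE = {"disk_encrypted": True, "av_running": True, "min_os_build": 19041}

# Internal address ranges that must traverse the VPN. Anything outside these
# ranges (e.g. SaaS) is sent directly from the endpoint: the split tunnel.
TUNNELED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Endpoint:
    """A posture report as a client agent might present it (constructed)."""
    name: str
    disk_encrypted: bool
    av_running: bool
    os_build: int


def posture_failures(ep: Endpoint) -> List[str]:
    """Return every baseline requirement the endpoint fails (empty = compliant)."""
    failures = []
    if BASELINE["disk_encrypted"] and not ep.disk_encrypted:
        failures.append("disk not encrypted")
    if BASELINE["av_running"] and not ep.av_running:
        failures.append("antivirus not running")
    if ep.os_build < BASELINE["min_os_build"]:
        failures.append(f"OS build {ep.os_build} below {BASELINE['min_os_build']}")
    return failures


def route_for(dest: str) -> str:
    """Split-tunnel decision for a single destination IP: 'tunnel' or 'direct'."""
    addr = ip_address(dest)
    return "tunnel" if any(addr in net for net in TUNNELED_NETWORKS) else "direct"


def decide(ep: Endpoint, dest: str) -> Dict[str, object]:
    """Gate the routing decision on posture: non-compliant endpoints get no session."""
    failures = posture_failures(ep)
    if failures:
        return {"endpoint": ep.name, "dest": dest, "action": "deny", "reason": failures}
    return {"endpoint": ep.name, "dest": dest, "action": route_for(dest), "reason": []}


# Constructed sample endpoints: one compliant laptop, one out-of-date BYOD device.
SAMPLE_ENDPOINTS = [
    Endpoint("corp-laptop", disk_encrypted=True, av_running=True, os_build=19044),
    Endpoint("byod-phone", disk_encrypted=False, av_running=True, os_build=18363),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        for dest in ("10.1.2.3", "52.96.1.1"):
            print(decide(ep, dest))
```

The point of keeping `posture_failures` separate from `route_for` is that the compliance check must run before any routing policy is applied; a split tunnel that bypasses the NGFW is only acceptable when the endpoint making the direct connection has already proven it meets the baseline.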

Regardless of when companies return to their offices, it is best to be prepared with the right technology in place so that business can continue as usual, whatever the unforeseen situation. As NGFWs are no longer cutting it, companies should consider a dedicated VPN solution to meet their unique needs while ensuring compliance and protected connectivity. VPNs provide a more uniform access policy across users, roles and endpoints, and are overall easier and more cost-effective to deploy and scale as needed.


Mike Riemer

Mike Riemer is the Global Chief Technical Officer at Pulse Secure, a leading provider of enterprise access security solutions. He has over 20 years of experience researching, assessing requirements for, designing, and supporting the implementation of integrated security systems across firewall, VPN, UTM, WAF, AAA, intrusion protection, and security monitoring and event management. Prior to Pulse Secure and Juniper Networks, Mike gained over 12 years of practitioner experience with Harley-Davidson and GE Capital.
