The Future of Firewalls: FWaaS, WAF and SASE

A firewall is a network security system, implemented in hardware, software or a combination of both, that controls access between networks. It applies a rule set to inbound and outbound traffic to identify and block connections that violate policy.

Firewalls are considered an essential network security component. You can run a firewall as part of an endpoint security solution, deploy an enterprise-grade firewall appliance to protect an entire data center, or run a managed firewall service to protect resources in the cloud.

Firewalls emerged in the early days of the Internet as a way to establish a secure network perimeter. Today they remain the foundation of network security in the client-server model that underlies most modern computing.

Types of Firewalls

There are several types of firewalls that use different techniques to protect a system or network.

Packet-Filtering Firewalls

A packet-filtering firewall operates in line at a junction point such as a router or switch. It does not track connections or inspect payloads; it compares each packet in isolation against a predetermined rule set, typically using protocol header fields such as source and destination IP address, protocol and port number. A packet that matches a deny rule, or that matches no allow rule when the default policy is deny, is dropped.

Circuit-Level Gateways

A circuit-level gateway monitors the messages that initiate network protocol sessions, such as TCP handshakes, to assess whether a session is legitimate before allowing it. It works at the session layer, verifying that the handshake between the local and remote hosts is well formed and comes from a permitted source. Because it does not inspect the packets themselves, it is fast but cannot detect malicious content inside a session it has approved.

Proxy Firewalls

A proxy firewall acts as a gateway between two networks for specific applications. It terminates the client's connection and opens its own connection to the internal server, so external hosts never reach the network directly; it can also add content caching. The trade-off is throughput and, for protocols the proxy does not fully understand, application compatibility.

Stateful Inspection Firewalls

A stateful inspection (state-aware) firewall examines every packet and maintains a connection table, so it knows whether each packet belongs to an established session such as an open TCP connection. It provides greater security than packet-filtering and circuit-level firewalls, because unsolicited packets that do not belong to a tracked session can be dropped even when they would match a simple header rule, although this comes at the expense of overall network performance.

A subset of stateful inspection is multi-layer inspection, which follows a transaction in progress across several layers of the Open Systems Interconnection (OSI) model rather than only at the network and transport layers.
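To make the contrast between stateless packet filtering (above) and stateful inspection concrete, here is an added Python simulation that is not part of the original article. It models a minimal rule set and a connection table; the addresses, ports and rules are constructed for the example. The stateless policy has to allow any inbound packet from source port 443 so that HTTPS replies get through, which also lets an attacker who forges source port 443 reach an internal port; the stateful filter allows the reply only because it matches a session it has already tracked.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: a minimal packet model and two filters.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "any"            # exact address or "any" (no CIDR, to keep it short)
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))

def stateless_decide(rules, p: Packet, default: str = "deny") -> str:
    """Packet filter: judge each packet in isolation, first matching rule wins."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

class StatefulFilter:
    """Stateful inspection: rules decide only new sessions; replies ride on the table."""
    def __init__(self, rules, default: str = "deny"):
        self.rules, self.default = rules, default
        self.sessions = set()   # (client, cport, server, sport) for tracked sessions

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            if p.flags & {"FIN", "RST"}:          # session teardown
                self.sessions.discard(fwd)
                self.sessions.discard(rev)
            return "allow"
        if p.flags != {"SYN"}:                    # only a bare SYN may open a session
            return "deny"
        action = stateless_decide(self.rules, p, self.default)
        if action == "allow":
            self.sessions.add(fwd)
        return action

INSIDE, WEB, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed addresses

# Stateless policy: replies must be allowed explicitly, so anything from port 443 gets in.
STATELESS_RULES = [
    Rule("allow", src=INSIDE, dport=443),   # outbound HTTPS
    Rule("allow", dst=INSIDE, sport=443),   # replies to it (too broad)
]
# Stateful policy: only the outbound rule is needed; replies match the session table.
STATEFUL_RULES = [Rule("allow", src=INSIDE, dport=443)]

def run_scenario() -> dict:
    """Return the verdicts of both filters for a SYN, its SYN-ACK and a forged probe."""
    syn = Packet(INSIDE, 51000, WEB, 443, frozenset({"SYN"}))
    synack = Packet(WEB, 443, INSIDE, 51000, frozenset({"SYN", "ACK"}))
    probe = Packet(ATTACKER, 443, INSIDE, 3389, frozenset({"ACK"}))  # forged source port 443
    sf = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": [stateless_decide(STATELESS_RULES, p) for p in (syn, synack, probe)],
        "stateful": [sf.decide(p) for p in (syn, synack, probe)],
    }

if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

The stateless filter returns allow for all three packets, including the probe to port 3389, because it can only reason about header fields. The stateful filter returns allow, allow, deny: the SYN-ACK is accepted as the reverse direction of a tracked session and the probe is dropped because no session exists and an ACK-only packet cannot open one.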

Next-Generation Firewalls

A next-generation firewall (NGFW) is a highly evolved firewall that can block threats that slip past a packet-filtering or stateful inspection firewall. Most organizations deploy NGFWs to block sophisticated malware-based and application-layer threats.

To qualify as an NGFW, a firewall must integrate intrusion prevention capabilities with conventional firewall techniques such as stateful inspection. It must have application awareness, identifying applications by their traffic rather than by port alone, so it can block apps that pose a risk. An NGFW should also offer upgrade paths for future threat intelligence feeds and incorporate additional techniques to identify evolving threats.

The Future of Firewalls

Many experts believe that the future of firewalls does not lie in additional, more sophisticated traffic filtering capabilities (although these will continue to be developed). The future firewall will have an innovative delivery model that makes it easier to deploy and more applicable to modern IT environments. Let’s review a few advanced firewall solutions that use innovative delivery methods, making them an essential component of the new cloud-native environment.

Web Application Firewall (WAF)

A WAF, or web application firewall, protects web applications by filtering and monitoring HTTP traffic between the application and the Internet. It can protect web applications from attacks such as cross-site scripting (XSS), file inclusion and SQL injection. A WAF is a Layer 7 defense (the application layer in the OSI model); it is not designed to stop every kind of attack and is normally one layer in a larger set of defenses.

Deploying a WAF in front of a web application places a barrier between the application and the Internet. The WAF works as a reverse proxy: clients connect to it rather than to the server, and only requests that pass inspection are forwarded.

WAFs work through a set of rules, often called policies, designed to protect the application from exploitation of its vulnerabilities by excluding malicious traffic. Part of the value of a WAF comes from the speed and ease of changing those policies, which lets an organization respond quickly to a new attack vector, for example by adding a rule that virtually patches a vulnerability before the application itself is fixed. WAFs also receive updated policies from the vendor's security research, which can protect against attack patterns discovered after deployment. Because rules match on patterns, they need tuning: overly broad rules block legitimate requests, and rules that do not account for encoding can be bypassed.
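As an added illustration (not code from the article or from any particular WAF product), the following Python policy engine shows what "rules as policies" looks like in practice: each rule is a data entry with an id, a regular expression and the request fields it covers, request values are URL-decoded before matching, and the first matching rule blocks the request. The sample requests are constructed; the patterns are deliberately small and would need tuning before real use.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# WAF policies as data: (rule id, description, compiled pattern, request fields it covers).
# Because the rules are plain data, a policy change is an edit to this list, not a code deploy.
# Constructed for this example; real rule sets are far larger and more carefully tuned.
POLICIES = [
    ("sqli-001", "SQL tautology, UNION SELECT or inline comment",
     re.compile(r"(?i)(\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+|\bunion\b\s+(all\s+)?select\b|/\*)"),
     ("query", "body")),
    ("xss-001", "script tag or common event-handler attribute",
     re.compile(r"(?i)(<\s*script\b|\bon(load|error|click|mouseover|focus)\s*=)"),
     ("query", "body")),
    ("lfi-001", "directory traversal or file-inclusion wrapper",
     re.compile(r"(?i)(\.\./|\.\.\\|/etc/passwd|php://|file://)"),
     ("path", "query", "body")),
]

def normalize(value: str) -> str:
    """Decode twice so a double-encoded payload (..%252F) is seen as the attacker intends."""
    return unquote_plus(unquote_plus(value))

def evaluate_request(url: str, body: str = "") -> dict:
    """Return the WAF verdict for one HTTP request; the first matching policy wins."""
    parts = urlsplit(url)
    fields = {
        "path": [normalize(parts.path)],
        "query": [normalize(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)],
        "body": [normalize(v) for _, v in parse_qsl(body, keep_blank_values=True)],
    }
    for rule_id, description, pattern, scope in POLICIES:
        for field in scope:
            for value in fields[field]:
                if pattern.search(value):
                    return {"action": "block", "rule": rule_id, "field": field, "reason": description}
    return {"action": "allow", "rule": None, "field": None, "reason": None}

# Constructed sample traffic: (label, request target, form-encoded body).
SAMPLE_REQUESTS = [
    ("plain search", "/search?q=laptop", ""),
    ("boolean search (benign OR)", "/search?q=rock+OR+roll", ""),
    ("sqli in query", "/item?id=1%27%20OR%201%3D1--", ""),
    ("xss in body", "/comment", "text=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"),
    ("double-encoded traversal", "/download?file=..%252F..%252Fetc%252Fpasswd", ""),
    ("php wrapper in path", "/include/php://filter/resource=config.php", ""),
]

def run_samples() -> list:
    """Evaluate every sample request and return (label, action, rule id) triples."""
    results = []
    for label, url, body in SAMPLE_REQUESTS:
        verdict = evaluate_request(url, body)
        results.append((label, verdict["action"], verdict["rule"]))
    return results

if __name__ == "__main__":
    for label, action, rule in run_samples():
        print(f"{action:5} {rule or '-':9} {label}")
```

Two details matter more than the patterns themselves. Decoding before matching is what catches the double-encoded traversal; a rule applied to the raw query string would miss it. And the benign "rock OR roll" search passes only because the SQL rule requires a numeric comparison after OR; a looser rule that matched any OR would block ordinary searches, which is the kind of false positive that gets WAFs switched to monitor-only mode.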

Firewall as a Service (FWaaS)

A Firewall as a Service (FWaaS) provides cloud-based network traffic inspection capabilities for customers who want to transition away from traditional firewall appliances. This approach removes the burden of managing firewall infrastructure on-premises, moving the responsibility to a cloud vendor.

FWaaS vendors differentiate their offerings by bundling advanced security capabilities, typically the NGFW feature set. FWaaS solutions might provide intrusion detection and prevention, application-aware policy enforcement, URL filtering, threat intelligence and advanced malware protection.

Secure Access Service Edge (SASE)

SASE is a networking framework that addresses the problem of securing access from any edge location (office, home or mobile) to any resource, whether on-premises or in the cloud. It handles networking and security for that traffic without backhauling it through a data center. This matters for organizations that have moved workloads to the cloud but whose security and network infrastructure remained on-premises, causing significant congestion and delays.

An important element of SASE is that next-generation firewall capability is built into the framework. This goes a step beyond FWaaS: it is not just a firewall delivered as a service but a firewall pre-integrated with the rest of the network stack. It is transparent to the user, and because firewall, routing and access policy are managed in one place there is less scope for the misconfigurations that arise when separately deployed products have to be kept consistent by hand.

SASE reduces the strain on the data center and improves network response times by deploying network and security functions in the cloud, closer to users and applications. SASE is based on a software-defined WAN (SD-WAN) architecture that decentralizes packet inspection and policy enforcement and supports identity-based access.

SASE integration and unified policy management make it an attractive option for many enterprises, because it can route and secure traffic quickly and consistently regardless of where users or corporate resources are located.

SASE is an integrated service that combines multiple networking and security features, including FWaaS, malware protection, intrusion detection and prevention (IDS/IPS), secure web gateways (SWG), cloud access security brokers (CASBs) and zero-trust network access (ZTNA).

Conclusion

In this article, I explained the basics of firewalls and showed that the future of the technology lies in new delivery models. I covered three such models that are pushing the envelope of network security:

WAF—A firewall that extends traffic filtering to the application layer (HTTP). It combines vendor-supplied rules, updated from the vendor's security research, with custom rules that can block many types of malicious application traffic.

FWaaS—A standard NGFW that is delivered as a cloud service. Users enjoy complete functionality without having to deploy or manage software or hardware appliances.

SASE—A networking framework that includes everything needed to deliver and secure connectivity, from SD-WAN to FWaaS, SWG, CASB and ZTNA.

I hope this will be useful as you discover cutting-edge options for securing your network infrastructure.


Gilad David Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Oracle, Zend, CheckPoint and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
