What Is Firewall as a Service (FWaaS)?
Firewall as a Service (FWaaS) is a new application mode in the cloud computing and cyber security field. Compared with the conventional firewall, which is deployed locally, FWaaS signifies a shift towards cloud-based firewall services. Leveraging FWaaS, users can easily create, manage, and use firewalls on the cloud service provider's platform without having to deploy and maintain hardware locally. Users can configure and monitor firewalls through the web UI or application programming interfaces (APIs). This service mode provides a more flexible, scalable, and easy-to-manage cybersecurity solution for organizations to effectively cope with the ever-changing cyber threats and service requirements.
Why Do Companies Need FWaaS?
As enterprises' digital transformation and hybrid work (such as remote office, mobile office, and cloud applications) gain momentum, employees, partners, and contractors need to access the Internet, enterprise private applications, SaaS applications, and resources anytime and anywhere. At the same time, network experience, security, and O&M efficiency must be assured. This requires a unified network and security architecture for enterprises, which is where Secure Access Service Edge (SASE) comes in. The security service edge (SSE) part of SASE provides security services, and FWaaS is an indispensable component of SSE. To meet the requirements of remote office and access to cloud resources, security policy control and threat detection need to be performed on the cloud, and flexible deployment and elastic scaling are required. FWaaS is designed to do just this, making it the best solution for enterprises to migrate security detection capabilities to the cloud.
How Does Firewall as a Service Work?
As shown in the following figure, the conventional locally deployed firewall is usually deployed at the border of a data center to protect the internal network from external network threats. FWaaS is implemented in the facilities of cloud service providers or managed service providers. In this way, security measures are not limited to physical boundaries, and can be extended to the cloud environment, to implement more flexible and dynamic security protection.
Figure: FWaaS deployed on the cloud
Although FWaaS is deployed on the cloud, its capabilities are similar to those of NGFW/AI firewalls. Actually, there are no significant differences in core function between FWaaS and NGFW/AI firewalls. Both of them are equipped with network traffic filtering and threat detection functions, such as IPS and antivirus.
- Security policy control: Application-based access control lets administrators control users' network access behaviors in a refined manner. Unlike conventional firewalls, which can only perform access control at the protocol layer, NGFW/AI firewalls and FWaaS can identify the specific upper-layer applications carried over HTTP, such as Facebook and WeChat, and implement fine-grained control.
- Intrusion detection and prevention: Monitors network traffic in real time to detect and prevent various vulnerability attacks and web intrusions, such as SQL injection and cross-site scripting (XSS) attacks. This function can also detect malicious traffic, such as botnets, worms, Trojan horses, and remote control traffic.
- Antivirus protection: Provides powerful virus detection and defense capabilities to effectively defend against various viruses and attacks, including ransomware, cryptominers, and Trojan horses. With the help of AI capabilities and sandbox integration, this function can also identify unknown threats and viruses.
- Threat intelligence integration: The cloud leverages technologies such as AI and knowledge graph as well as expert experience to generate a large amount of threat information, including IP addresses, domain names, and URLs. The threat information is integrated with firewalls to improve threat detection capabilities.
- Data filtering: Includes URL filtering, file blocking, and keyword filtering to prevent the spread of malicious information and the leakage of data assets, and to enhance cyber security protection.
In addition, there are other similar functions, such as traffic management, logging, and reporting.
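The following added example (not from the original page or from any vendor's product) illustrates the security policy control item above: the same first-match policy is evaluated once with application identification and once at the protocol layer only. The `Flow`, `Rule`, `identify_app`, and `evaluate` names, the hostname map, and the sample policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed hostname-suffix -> application map (assumption). Real engines
# identify applications from traffic signatures, not the hostname alone.
APP_SIGNATURES = {"facebook.com": "Facebook", "wechat.com": "WeChat"}

@dataclass
class Flow:
    user_group: str
    proto: str
    dst_port: int
    host: Optional[str] = None   # HTTP Host header or TLS SNI, when visible

@dataclass
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # None means "any" for every criterion
    dst_port: Optional[int] = None
    app: Optional[str] = None
    user_group: Optional[str] = None

def identify_app(flow):
    """Map a flow to an application by exact host or dot-anchored suffix."""
    if not flow.host:
        return None
    host = flow.host.lower().rstrip(".")
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None

def evaluate(rules, flow, app_aware=True):
    """First match wins, default deny; app_aware=False models protocol-layer control."""
    app = identify_app(flow) if app_aware else None
    for r in rules:
        if (r.proto in (None, flow.proto) and r.dst_port in (None, flow.dst_port)
                and r.app in (None, app) and r.user_group in (None, flow.user_group)):
            return r.action, r.name
    return "deny", "default-deny"

POLICY = [  # constructed sample policy
    Rule("block-facebook-staff", "deny", app="Facebook", user_group="staff"),
    Rule("allow-https", "permit", proto="tcp", dst_port=443),
]

if __name__ == "__main__":
    print(evaluate(POLICY, Flow("staff", "tcp", 443, "www.facebook.com")))
```

At the protocol layer both applications are just TCP/443, so the application rule never matches and the flow falls through to the broad permit rule.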
Benefits of Firewall as a Service
Compared with the conventional physical dedicated firewalls (such as NGFWs and AI firewalls), FWaaS has the following advantages:
- Flexible expansion: FWaaS is deployed on the cloud and can be flexibly adjusted and scaled based on the service changes (traffic) and location changes of enterprises.
- Initial cost: In the initial deployment phase, customers do not need to purchase dedicated hardware devices. Instead, they only need to purchase services on the cloud, reducing initial investment.
- User experience: FWaaS provides security at the edge of the cloud and is closer to users. This facilitates remote access and access to cloud applications while reducing the latency and improving user experience.
- Simplified management: Leveraging the cloud, FWaaS can implement global security configuration management. Compared with the physical firewalls that are geographically dispersed, FWaaS reduces hardware and cabling requirements, simplifies network and security management, and improves O&M efficiency. FWaaS can also be easily integrated with cloud services through APIs to achieve automatic configuration and management.
- Network and security visualization: Through centralized management, FWaaS can comprehensively monitor and analyze network traffic and threats, offering higher visibility into network and security conditions.
- Integration with SASE: To adapt to the changes in conventional office requirements brought by remote office, cloud, and mobile devices, enterprises need to adopt SASE/SSE to provide security services. FWaaS is critical to achieving this.
FWaaS vs. NGFW/AI Firewall
Although FWaaS and NGFW/AI firewalls are similar in functionality, they have significant differences in terms of deployment mode, scalability, stability, function scalability, maintenance and management, cost, performance, and data privacy, as shown in the following figure. These differences make FWaaS a more flexible, scalable, and easy-to-manage cyber security solution that can adapt to the changes of modern network architecture and service requirements.
Figure: FWaaS vs. NGFW/AI firewall
FWaaS vs. SWG
FWaaS and SWG play an important role in the cyber security field. They have similarities and significant differences in terms of functions, application scenarios, and core technologies, as shown in the figure below.
Both FWaaS and SWG are part of an enterprise's security policy control. They can control users' network access behavior, detect threats in traffic, and protect enterprise assets and networks. Some capabilities are common to both, including:
- URL filtering: controls accessible websites by category and detects malicious web pages.
- Antivirus: detects viruses in the files downloaded from the Internet.
- DLP: checks whether data sent from inside the enterprise to the outside contains sensitive information.
The differences between FWaaS and SWG lie in the traffic to be processed and functions.
- FWaaS manages and controls all traffic, including L3 to L7 traffic, as well as that of different protocols, such as HTTP, SMTP, POP3, Telnet, and FTP. This helps to prevent vulnerability intrusion, virus intrusion, and data leakage. In addition, FWaaS inspects incoming and outgoing traffic to detect malicious traffic.
- SWG mainly monitors and manages users' web access to prevent malware intrusion and data leakage. It checks and filters all incoming and outgoing web traffic, including HTTP and HTTPS traffic. For HTTPS traffic, the SSL/TLS decryption function is enabled for in-depth inspection to ensure network security, compliance, and Internet access security. In some deployment modes, proxy settings are needed on the client or explicit proxy settings are needed on the browser to manage and control the network access behaviors of enterprise employees.
To sum up, FWaaS focuses on the control of incoming and outgoing traffic on enterprise networks, while SWG concentrates on the monitoring and management of web access. They can be used together to provide more comprehensive and powerful cyber security protection for enterprises.
Figure: FWaaS vs. SWG
FWaaS vs. SASE
SASE is a cloud-based network architecture that integrates network functions (such as SD-WAN) with SSE, as shown in the following figure. SSE covers a host of security functions or services. FWaaS is one such security function or service. Therefore, FWaaS is a security function or service integrated in the SASE architecture. It works with other components to provide comprehensive security access services.
Figure: Relationships between FWaaS and SASE
Applications of FWaaS in Huawei Xinghe Intelligent SASE Solution
In the Huawei Xinghe Intelligent SASE Solution, FWaaS has all the functions of Huawei AI firewalls, including SSL/TLS offloading, security policy control, intrusion prevention, antivirus, URL filtering, DNS security, and DLP (file blocking and data filtering). In addition, the Huawei Xinghe Intelligent SASE Solution offers other network and security services, such as SD-WAN access, VPN, ZTNA, SWG, and sandbox detection, and provides consistent service experience, security protection, and security operation capabilities for enterprises. For more solution details, see Huawei Xinghe Intelligent SASE Solution. For details about solution deployment and maintenance, see Huawei Xinghe Intelligent SASE Solution Documentation.
- Author: Li Shiguang, Yang Xiaofen
- Updated on: 2024-12-11