Firewalls as a Service (FWaaS): The Future of Network Firewalls?

Does your organization still have a physical appliance for a firewall? You might be able to count the days before that black box is gone. Advancements in cloud solutions have brought a suite of security services to your fingertips, now including firewall technology. Firewall as a service, or FWaaS in cloudspeak, has emerged as a stand-alone product and a core component of comprehensive security tools like secure access service edge (SASE). We look at the history of firewalls, FWaaS as it stands now, and where top network firewall vendors are with cloud-based firewalls.

Firewalls and FWaaS

Firewalls have been a core component of comprehensive network security strategies for almost 30 years. As the concept has evolved, new technologies surrounding network connectivity have enhanced firewalls to meet enterprise needs. Cloud computing has now opened the door to virtually-deployed firewall solutions.

History of firewalls

Firewalls are best visualized as barriers positioned between trusted networks needing protection and untrusted networks like the public internet. Before firewalls entered the marketplace in the early 1990s, routers were the key to isolating networks and applying filters for packet inspection. As we know them, firewall services offer inspection of network traffic, allow or block traffic based on port and protocol, and filter malicious traffic based on admin-defined rules.

By 2004, unified threat management (UTM) entered the computing lexicon to describe a new kind of comprehensive firewall security appliance, and next-generation firewalls (NGFWs) came on the scene a few years later. As internet-based applications grew in popularity, managing connectivity has only grown in importance for preventing unauthorized access, data compromise, and more. As the focus turned more to applications, web application firewalls (WAF) offered systems built for HTTP protocol in 2006.

Today, application-level Layer 7 firewalls are the gold standard for eliminating coverage gaps, advanced segmentation augmentation, security automation, and increased visibility for security management.

Also Read: Types of Firewalls Explained 

Web application firewalls (WAF)

A web application firewall (WAF) protects web servers and hosted web applications from application-layer HTTPS attacks. While traditional firewalls segregate internal and external network traffic, WAFs form barriers between public users and web applications. By inspecting hypertext transfer protocol (HTTP), WAFs can identify and defend your organization from attacks like SQL injections, cross-site scripting (XSS), and distributed denial-of-service (DDoS).

Next-generation firewalls (NGFW)

In 2009, Gartner defined the concept of next-generation firewalls (NGFW), which play the same role as traditional firewalls but go much farther in offering intrusion detection and prevention systems (IDPS), deep-packet inspection (DPI), and application control technologies. Gartner notes NGFWs “move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.” The core difference between NGFWs and FWaaS is that NGFWs are not inherently cloud-built, though that distinction grows muddier.

Read Also: Top Ten Next-Generation Firewall (NGFW) Vendors 

What is FWaas?

Firewall as a service (FWaaS) is a cloud-based firewall service offering Layer 7 and NGFW capabilities. As companies have adopted IaaS and PaaS models in the cloud, a not so clearly defined network perimeter has emerged. FWaaS vendors typically offer critical access controls like IDPS, advanced threat prevention, URL filtering, and DNS security to meet this growing challenge. Like other SaaS offerings, outsourcing FWaaS can provide organizations an affordable, scalable, efficient solution for enhanced network security.

SASE and FWaaS 

When moving to the secure access service edge (SASE), a firewall as a service joins with other cloud-based security components for your cyber architecture. Unlike traditional firewalls, which once required on-premises hardware to protect enterprise data centers, SASE uses FWaaS and a suite of cloud technologies to offer online protection and access control at the network edge.

Alongside FWaaS, SASE uses software-defined wide area networking (SD-WAN), cloud access security brokers (CASB), secure web gateways (SWG), and zero-trust network access (ZTNA) to defend the network perimeter from potential threats. SASE is taking the cybersecurity world by storm as a solution for connectivity requirements for heavy remote access use and establishing reliable connections for hard to reach locations using SD-WAN capabilities.

Also Read: SASE: Securing the Network Edge

Top Firewall Vendors and FWaaS

In Gartner’s Magic Quadrant for Network Firewalls, Palo Alto Networks, Fortinet, and CheckPoint stand out as market leaders. While Gartner’s review didn’t solely consider FWaaS products, we took a closer look at how these leaders and four other vendors (Forcepoint, Sophos, Cisco Systems, and Barracuda Networks) are approaching FWaaS in 2020.

Despite the shutdown of NSS Labs in October 2020, the 2019 NGFW Test Report results are included for each vendor. All vendors received a 100% device stability and reliability score, and 99% or higher for anti-evasion capabilities. Cisco was not included in the NSS Labs review, and Fortinet received a 94% for their anti-evasion capabilities.

Palo Alto Networks

Founded in 2005 in Santa Clara, California, Palo Alto Networks is a cybersecurity vendor started by former NetScreen executive and Check Point engineer Nir Zuk. In 2008, Palo Alto sparked a paradigm shift in the firewall industry with the launch of its NGFW. At the time, this innovation added essential visibility and application-based controls and resolved performance issues presented by UTM.

Today, Palo Alto touts a family of machine learning-capable NGFWs. The VM-Series of virtual firewalls enables users to manage on-demand scalability, mitigate risk with simplified compliance, and instantly act across multiple environments. Using Palo Alto’s virtual enterprise network, VMware NSX allows organizations to limit lateral threat movement, prevent data exfiltration, and secure traffic between trusted zones.

NSS Labs testing of the vendor’s PA-5220 PAN-OS 8.1.6-h2 firewall showed a 97.9% exploit block rate and overall security effectiveness score of 97.9%.

Fortinet

In late 2000, brothers Ken and Michael Xie launched Fortinet, and in 2002 FortiGate entered the market. Ken Xie previously founded NetScreen Technologies, which was acquired by Juniper Networks in 2004. By 2009, Fortinet held over 15 percent of the UTM market.

Fortinet’s firewall suite of products includes NGFWs that can bring your organization’s network performance and security to full view over the cloud. FortiGate offers built-in SD-WAN, intrusion prevention, anti-malware and virus protection, high-speed VPN, web and content filtering, and decryption capabilities. FortiGate is available as a virtual appliance in AWS, VMWare, Azure, GCP, Oracle, and Alibaba cloud environments. With FortiGate’s firewall as a service technology, users can also use Fortinet Fabric Connectors to enable open, API-based integration with multiple software-defined networks (SDN), cloud, management, and partner technology platforms.

NSS Labs testing of Fortinet’s FortiGate 500E v6.0.4 build 0231 firewall showed a 99% exploit block rate. However, the anti-evasion capabilities score of 94% brought the overall security effectiveness score to 93%.

Check Point

Shortly after its establishment in 1993, Israeli vendor Check Point Software Technologies became a cybersecurity pioneer upon launching FireWall-1. This early innovation introduced stateful inspection and graphic user interfaces to users in the market. Check Point followed with one of the first virtual private network (VPN) products, VPN-1, and by 1996 owned 40 percent of the market share.

Check Point’s NGFW is based on the Infinity architecture, and its Quantum Security Gateway lineup includes 15 models. While Check Point offers a suite of hardware, its NGFW technology is also available as a FWaaS. In 2020, Check Point is focused on fighting Gen V cyber attacks that bypass conventional detection defenses for mobile, cloud, and network security. Check Point also offers a comprehensive SASE solution called CloudGuard Connect. Using Check Point also provides access to the SandBlast Network, meaning robust protection against zero-day threats.

NSS Labs testing of Check Point’s 6500 Security Gateway R80.20 showed a 98.4% exploit block rate and an overall security effectiveness score of 97.4%.

Forcepoint

In 2016, Raytheon merged its Cyber Products business, Websense, and Intel outfits, Stonesoft and Sidewinder, to establish Forcepoint. In building its security platform, the Texas-based vendor spent 2017 acquiring Skyfence, Imperva’s CASB solution, and RedOwl, a user and entity behavior analytics (UEBA) company.

For firewall technology, Forcepoint offers Forcepoint NGFW, where “enterprise SD-WAN meets the #1 most secure next-gen firewall.” According to the vendor, Forcepoint NGFW boosts performance and defense with SD-WAN, stops emerging exploits and malware, and enables users to respond to incidents immediately. Built-in features include VPN, IDPS, anti-evasion, encrypted inspection, and mission-critical application proxies. Forcepoint’s firewall as a service is compatible with applications deployed in AWS, Azure, and VMware cloud environments.

NSS Labs testing of Forcepoint’s 2105 NGFW v6.3.11 showed a 97.2% exploit block rate and an overall security effectiveness score of 96.2%.

Also Read: Top CASB Security Vendors for 2021

Sophos

Sophos’ story kicked off in 1985 across the pond, offering early antivirus and encryption technology to the United Kingdom. By 2003, Sophos was expanding globally and incorporating anti-spam software into services. A flurry of acquisitions in the 2010s has expanded Sophos’ focus more broadly to network and cloud security.

Sophos’ firewall portfolio named XG Firewall is manageable on its cloud-based platform, Sophos Central. On Sophos Central, users “work together for real-time sharing and threat response with Sophos’ unique synchronized security approach.” Firewall products include enterprise protection, SD-WAN & branch, endpoint integration, public and private cloud, and an all-in-one plan. Sophos’ xStream architecture enables users to make policy, amend access control, and review insights into threats, compliance, system performance, and user traffic.

NSS Labs testing of Sophos XG 750 Firewall SFOS v17.5 showed a 94.2% exploit block rate and overall security effectiveness score of 96.2%.

Cisco

Cisco Systems, has been a market player in the technology space since its founding in 1984. However, it wasn’t until the 2015 acquisition of Embrane, an SD-WAN startup, that Cisco added Layer 3 through 7 capabilities, like firewalls, to Cisco’s Nexus product portfolio.

Cisco currently offers physical firewall appliances or firewall as a service for the public and private cloud. For virtual firewalls, Cisco’s security portfolio is accessible through the Cisco SecureX platform. By integrating the SecureX platform for your organization, you can identify problems, enable automation, strengthen access across the network, endpoints, cloud, and applications. Cisco also offers a SASE solution called Cisco Umbrella, including SD-WAN, SWG, FWaaS, and CASB functionality.

NSS Labs did not complete a test of Cisco’s firewall in 2019.

Barracuda Networks

Barracuda Networks launched in 2003 with the introduction of Barracuda Spam and Virus Firewall. In 2015, Barracuda launched its first NGFW offering. For firewall products, Barracuda offers Barracuda CloudGenFirewalls and Barracuda CloudGen WAF, both of which are available as an appliance, virtual, or for AWS, Azure, GCP, or MSPs.

Barracuda CloudGen Firewalls operate as a family of hardware, virtual, and cloud-based firewalls for your dispersed network infrastructure. Fit for major cloud platforms, this product provides VPN clients for all users and access controls for essential cloud applications. The CloudGen Firewall can ease cloud deployment with templates, APIs, and deep integration with cloud-native features. The CloudGen WAF is an application-level firewall offering advanced inspection capabilities and can improve overall application performance with included delivery features.

NSS Labs testing of Barracuda CloudGen Firewall firewall showed a 92.9% exploit block rate and overall security effectiveness score of 91.7%.

FWaaS: Added security for your organization

Every day more applications and data are being run and managed on third-party infrastructure. Reactive companies struggle to define their network perimeters, and the consequences can be severe. With the introduction of firewalls as a service, FWaaS vendors offer companies an alternative. On a subscription basis, users can aggregate traffic from multiple sources into the cloud, continually enforce security policies for all users and locations, and gain complete visibility and control over their networks.

Also Read: Edge Security: How to Secure the Edge of the Network

Sam Ingalls
Sam Ingalls is a content writer and researcher covering enterprise technology, IT trends, and network security for eSecurityPlanet.com, Webopedia.com, ChannelInsider.com, and ServerWatch.com.

Top Products

Top Cybersecurity Companies

Related articles