Network security has been stuck in a box for too long. Much of what we know consists of perimeter or zone-based rules that limit which network segments can talk to which other network segments over which ports. The workhorse of this world has been the firewall appliance, interconnecting network segments and enforcing these rules. In the meantime, applications have moved to the public cloud and users have left the building. Hybrid work is challenging the very notion of the enterprise WAN. So what does this all mean for network security? And what is the future of the firewall appliance?
Corporate networks have gone through multiple generational shifts, each requiring a slightly different approach. Generation 1 was what we call the Castle & Moat world. You had a private corporate WAN, usually built using MPLS VPNs, and then you had the public Internet. Everything on the private WAN was assumed to be trusted and everything on the Internet was untrusted. Connecting the two worlds was the network firewall appliance which allowed some communication from the private WAN to the Internet so employees could surf the web and home users could access private apps using a VPN.
Generation 2 is where we saw applications move to the public cloud and organizations become more distributed, with users everywhere. Network and security administrators had to adapt quickly by sticking virtual versions of their network firewalls in the public cloud and by extending their WANs. However, the firewall model remained essentially the same. You still had discrete appliances that you had to manage and scale as your business needs evolved. From an administrator’s point of view, you now had more devices to manage — the legacy perimeter firewalls plus the virtual appliances in the cloud — thus increasing complexity and operating costs.
Generation 3 is today’s world where hybrid work and SaaS are the new normal. Your users and applications are all on the Internet. You still have offices, retail stores, factories, and distribution centers to connect using a corporate WAN but that network needs to look very different. The Castle & Moat model no longer works and your network security needs a fundamentally different approach.
The next generation of corporate networks will be built on the Internet. This requires a fundamentally different model of network security — a Zero Trust approach. Zero Trust simply means that every entity on the network is untrusted by default, and is given access to specific resources depending on their identity, location, and device posture, only for the duration of the task.
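To make the Zero Trust definition above concrete, here is an added example (not code from this post or from any Cloudflare product) of a minimal per-resource access decision: deny by default, check identity, location and device posture, and hand out an access grant that expires after the task's allowed duration. The policy table, group and country names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

@dataclass
class Rule:
    """Per-resource policy: who, from where, on what kind of device, for how long."""
    allowed_groups: Set[str]
    allowed_countries: Set[str]
    require_compliant_device: bool
    max_session: timedelta

@dataclass
class Request:
    user: str
    groups: Set[str]
    country: str
    device_compliant: bool   # posture signal, e.g. disk encrypted and EDR running
    resource: str
    now: datetime

@dataclass
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None

# Constructed policy: each resource has its own rule; anything unlisted is denied.
POLICY: Dict[str, Rule] = {
    "hr-portal": Rule({"hr", "it-admin"}, {"US", "GB"}, True, timedelta(hours=1)),
    "wiki":      Rule({"staff"},          {"US", "GB", "DE"}, False, timedelta(hours=8)),
}

def evaluate(req: Request, policy: Dict[str, Rule] = POLICY) -> Decision:
    """Return an allow/deny decision; every path that does not match explicitly is a deny."""
    rule = policy.get(req.resource)
    if rule is None:
        return Decision(False, "no rule for resource (default deny)")
    if not (req.groups & rule.allowed_groups):
        return Decision(False, "identity not authorised for resource")
    if req.country not in rule.allowed_countries:
        return Decision(False, "location not permitted")
    if rule.require_compliant_device and not req.device_compliant:
        return Decision(False, "device posture check failed")
    # Access is scoped to this resource and bounded in time, not granted network-wide.
    return Decision(True, "allowed", expires_at=req.now + rule.max_session)

def grant_is_valid(decision: Decision, now: datetime) -> bool:
    """A grant stops being usable once its task window has elapsed."""
    return decision.allowed and decision.expires_at is not None and now < decision.expires_at
```

Because the decision is a pure function of the request and a central policy table, the same logic can run at every enforcement point without per-appliance rule synchronisation.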
Secure Access Service Edge (SASE) provides a model for integrated network connectivity and Zero Trust security delivered on the same platform so that security services can be turned on as required without fundamentally changing the corporate network architecture. This provides a model for network security-as-a-service, where a firewall is a function on a SASE platform and not a distinct appliance that one has to plumb and manage.
Almost everything else in IT is now consumed as a service. Networking and firewall appliances are unfortunately some of the last elements to make this shift. With firewall-as-a-service, your focus shifts from managing and scaling appliances to managing security policies. The firewall is no longer a discrete element. It’s now a function implemented everywhere in the network. You no longer have to worry about pushing rule changes to individual appliances and ensuring consistency. There are simply no appliances to manage.
This is a significant positive shift in the world of network security that many organizations are starting to embrace. In fact, Gartner estimates in their latest Magic Quadrant for Network Firewalls that by 2025, 30% of new deployments of distributed branch-office firewalls will switch to firewall-as-a-service.
If you’re looking to retire your aging firewall appliances with modern SASE-enabled firewall-as-a-service, join our upcoming webinar on Firewall-as-a-Service: The Joy of Cloud-native Security. You can also check out Cloudflare’s Magic Firewall and contact us for a demo.