firewall as a service (FWaaS)
Firewall as a service (FWaaS), also known as a cloud firewall, is a service that provides cloud-based network traffic inspection capabilities to customers seeking to decommission or augment their existing network firewall appliances. This approach reduces the burden on on-premises data center equipment and reduces the management burden for internal cybersecurity teams.
FWaaS vendors differentiate their service offerings by providing advanced network security features. These include going beyond traditional network traffic inspection to include next-generation firewall (NGFW) capabilities. FWaaS vendors commonly provide intrusion prevention and detection, application-aware security policy enforcement, URL filtering, threat intelligence and advanced malware prevention capabilities.
How does FWaaS work?
FWaaS services operate in a manner similar to any other cloud infrastructure service. FWaaS vendors stand up data centers with massive firewall implementations, achieving significant economies of scale. They then create virtual isolation between the services offered to different customers, avoiding security issues that might arise if one customer were able to modify another customer's configuration or inspect their network traffic.
Each customer is then assigned a virtual instance of the FWaaS service that they may modify through a centralized console. Vendors typically use the firewall configuration interfaces already familiar to cybersecurity teams. In fact, customers moving from an on-premises appliance to an FWaaS service offered by the same vendor may be able to use the same management interface they use for their on-premises devices.
This article is part of
The complete Secure Access Service Edge (SASE) guide
After configuring firewall rules that implement the organization's security policy, cybersecurity teams then modify network and DNS settings to flip the virtual switch, routing traffic through the FWaaS vendor's infrastructure for security policy enforcement. At this point, the FWaaS service replaces existing network perimeters as the first line of defense.
Why is FWaaS important?
FWaaS platforms are playing an increasingly important role in cybersecurity programs due to three significant factors:
- Organizations are adopting cloud-first strategies where they seek to outsource infrastructure, software and other services to cloud providers as much as possible.
- Traffic originating outside the organization may remain in the cloud, bypassing on-premises data centers and communications links for remote and mobile users and reducing the burden on local equipment.
- Offloading a major security service to a cloud provider allows limited internal resources to focus on other activities.
Advantages and disadvantages of FWaaS
Organizations weighing a potential move to a FWaaS offering may be wondering whether the timing is right for this type of move. Consider several important advantages and disadvantages of these products:
- FWaaS offerings provide economies of scale, allowing vendors to spread the cost of enhanced service offerings across many clients. However, they also have the ability to generate additional revenue by increasing their rates. Depending upon the specifics of any negotiation, the net financial effect of a move may be insignificant or even increase direct costs.
- Adopting a FWaaS product allows an organization to gain access to state-of-the-art security filtering technology. Upgrades should occur in a relatively seamless fashion and organizations draw upon the deep expertise of the vendor in operating its own product.
- FWaaS offerings are still new in the market. While some vendors have a few years of offering these services under their belts, perimeter protection is a business-critical service and cybersecurity professionals considering a service offering must be confident that the service is rock solid and will not disrupt business operations.
- As organizations move significant portions of their operating environment to the cloud, FWaaS provides the benefit of cloud-native These offerings incorporate cloud capabilities as baseline features, allowing teams to quickly secure their cloud operations.
FWaaS and SD-WAN
FWaaS service offerings integrate well with software-defined wide area networking (SD-WAN) strategies that seek to decentralize network traffic routing. SD-WAN's dynamic route optimization capabilities makes it difficult to use traditional network firewalls, which quickly become a chokepoint. FWaaS allows the firewall to exist as a cloud-based service, reducing the dependency on the enterprise network. Together, FWaaS and SD-WAN are two foundational components of the emerging network security strategy known as secure access service edge (SASE).
Vendors across the security spectrum now offer cloud-based FWaaS solutions. As the major cloud infrastructure vendors, AWS, Microsoft and Google all provide firewall capabilities for their own environments but do not yet offer large-scale services designed to offer NGFW functionality for on-premises traffic. The major players in this market are traditional firewall vendors, including:
- Palo Alto Networks
- Barracuda Networks