
Building a layered defense strategy with integrated Firewall-as-a-Service and Secure Web Gateway
Ransomware attacks are a high-profile concern for companies and other organizations. The Barracuda 2023 Ransomware Insights Report reveals that despite the global trends around ransomware, 27% of the companies surveyed report they are not fully prepared to deal with a ransomware attack. Many of these respondents say they feel overwhelmed by the high volume of cyberattacks.
Companies with a lot of data and a large attack surface are at a higher risk of an attack. Web traffic or web applications, email messaging, and other network traffic are common starting points for ransomware attacks. Attack trends show variations in starting points based on industry, but all companies need to protect every threat vector in order to be fully secure. This means using a layered defense strategy that defends attack surfaces beyond the corporate firewall.
Firewall-as-a-Service (FWaaS)
After the public cloud became popular a decade ago, it became clear that traditional firewall capabilities were no longer sufficient to protect the business. Hardware-based firewalls could not extend beyond the company’s own premises, which meant the firewall protection could not follow the company to the cloud. The immediate solution at that time was to deploy virtual appliances in the public cloud to protect and connect primarily Infrastructure-as-a-Service (IaaS) offerings.
The growth and evolution of the public cloud exposed some flaws in the virtual firewall strategy. Virtual appliances performed as they were intended, but they did not have the flexibility required in the changing cloud infrastructure. Software-as-a-Service (SaaS) applications were growing rapidly. Public cloud adoption created new considerations around scalability, licensing, and resource consumption and costs. A more flexible firewall design was required to meet these needs.
FWaaS is the new form factor for firewalls in the cloud. This is a firewall provided as a cloud-native service, but it is much more than a service to protect what’s in the cloud. As part of a larger Secure Access Service Edge (SASE) platform solution, the FWaaS can unleash its full capabilities. This means you can use your FWaaS to protect not just cloud resources, but users and sites too.
What makes FWaaS so special? Here are some quick facts about Firewall-as-a-Service:
- Like all best-of-breed modern firewalls, FWaaS includes the full next-generation security feature set, including an application- and intent-based ruleset, IPS/IDS, sandboxing (advanced threat protection), and many others. It protects resources against internal and external threats.
- The FWaaS is the entry point to connect to multiple cloud-hosted services that are not publicly available. This allows the FWaaS to protect the cloud workloads and the users accessing those applications.
- The security and inspection capabilities of an FWaaS extend beyond the cloud to the on-prem world. The Firewall-as-a-Service can perform user traffic inspection alongside the on-premises hardware firewalls. This reduces the dependency on these firewalls and cumbersome backhauling detours. Configuring FWaaS for user traffic inspection also adds additional security to the endpoint. An intelligent endpoint solution performs intent-based inspection and identifies which traffic requires additional inspection. The endpoint will route that traffic accordingly.
- An FWaaS is managed through a slim but powerful cloud-based interface and is much quicker to configure and deploy than traditional firewall solutions. Although many organizations have a cloud-first approach, very few are purely cloud-only, so it is particularly important to unify management capabilities in a single pane of glass. This is especially true when there are other security components like Zero Trust Network Access (ZTNA) solutions or firewall hardware. The SASE platform enables the management of these security components as features of a single solution.
- Like most as-a-Service offerings, licensing is simple and flexible, with a low entry hurdle.
FWaaS moves the corporate firewall to the public cloud and comes as a service. It can be used as a standalone solution or combined with on-premises components in hybrid deployments.
Secure Web Gateway (SWG)
The way we use the world wide web has evolved alongside public cloud adoption. Security teams used to defend against web-based threats with a web filter appliance in a central location. This approach cannot protect users who operate outside of that location. Now that so many resources are available as web applications, users can work from any location with an Internet connection. Backhauling web traffic to a data center for inspection causes additional latency and may interfere with location-based access to resources. The traditional on-premises web filter cannot protect the modern user. Web security must be implemented where it is needed – at the endpoint.
And there is more to the evolution of web usage than just where users are when they access the web. Almost all user traffic to the internet is web traffic now, and it’s primarily encrypted HTTPS. Other protocols like FTP or SSH (can you remember?) have almost completely disappeared from common public use over the last couple of years. One could argue that internet firewalling for outbound traffic is web filtering today. This is why SWG and FWaaS go together nicely.
Quick facts on Secure Web Gateway:
- An SWG solution should have simple DNS-based filtering on the endpoint to immediately block unwanted or inappropriate website categories and known malicious sites. This prevents all access to these threats. That’s a technically simple but highly efficient method to achieve a good level of security.
- Granular rule sets can be configured to block, allow, or closely inspect specific applications.
- All suspicious or unknown traffic has to pass through SWG inspection, where advanced threat protection is applied. This ensures that no threat is missed and passed on to the user.
- SWG is capable of SSL interception. This capability is required because most web traffic is HTTPS encrypted. Web traffic inspection can only protect users if it is capable of analyzing encrypted traffic.
How it works together
Both FWaaS and SWG are components of a modern SASE solution. And as with all parts of SASE, the benefit grows with the combined use cases. Greater integration of technical components creates more configuration and deployment advantages for the administrator. This leads to stronger security for the users.
The benefits of FWaaS and SWG integration are obvious, but a SASE deployment also involves ZTNA as an endpoint component. In a work-from-anywhere scenario, ZTNA is key to providing the same level of security to the endpoint and the user everywhere, no matter if at home or in the corporate office. Basic decisions, such as application-based rules and URL filtering, can be applied at the endpoint. Depending on where the user is located, traffic that requires additional inspection is processed by either a traditional appliance or the cloud firewall. The cloud firewall capabilities provided by the combined FWaaS and SWG will perform network traffic inspection on OSI Transport Layer 4, as well as SSL interception and other detailed web inspection.
When the user attempts to access private resources, the FWaaS is the entry point for establishing the connection anyway. Otherwise, the user traffic is inspected and rerouted after being granted.
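The endpoint decision flow described above (DNS-based blocking first, the FWaaS as entry point for private resources, everything unknown sent to SWG inspection), sketched as an added example that is not Barracuda's code or configuration. The domain names, category feed, private zone and the "trusted category goes direct" shortcut are constructed assumptions.

```python
# Added illustration: endpoint-side routing for the layered
# DNS filter -> SWG -> FWaaS flow. All domains, categories and zones
# below are constructed sample data, not vendor configuration.

BLOCK, DIRECT = "block", "direct"
SWG_INSPECT, FWAAS_PRIVATE = "swg-inspect", "fwaas-private"

CATEGORY_BY_SUFFIX = {          # constructed DNS category feed
    "malware-host.example": "malicious",
    "casino.example": "gambling",
    "mail.example": "business-saas",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"malicious", "gambling"}
TRUSTED_CATEGORIES = {"business-saas"}      # assumption: no extra inspection
PRIVATE_ZONES = ("corp.internal.example",)  # non-public apps behind the FWaaS


def normalize(host: str) -> str:
    """Lower-case and drop the trailing root dot so lookups cannot be dodged."""
    return host.strip().lower().rstrip(".")


def suffix_lookup(host: str, table):
    """Longest-suffix match on whole labels (a.b.c, then b.c, then c)."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def route(host: str) -> str:
    host = normalize(host)
    if not host:
        return BLOCK
    if suffix_lookup(host, PRIVATE_ZONES):
        return FWAAS_PRIVATE            # FWaaS is the entry point
    match = suffix_lookup(host, CATEGORY_BY_SUFFIX)
    category = CATEGORY_BY_SUFFIX.get(match)
    if category in BLOCKED_CATEGORIES:
        return BLOCK                    # stopped by the endpoint DNS filter
    if category in TRUSTED_CATEGORIES:
        return DIRECT
    return SWG_INSPECT                  # unknown or uncategorised: inspect
```

Matching on whole labels keeps `notcasino.example` from inheriting the verdict for `casino.example`, and the default branch fails toward inspection rather than toward direct access.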
Organizations with hardware-based appliances and SDWAN gateways protecting on-premises resources can integrate these solutions into the cloud-based SASE platform. This makes the entire architecture more flexible and compounds the benefits for IT administrators and end-users. In that case, clearly, more is more.
Getting started with SASE solutions and multi-layered security
Barracuda offers comprehensive firewall and web security solutions that can be fully integrated with Zero Trust Access. Our experts can answer your questions and take you through a demo of these solutions, or help you deploy a free trial in your own environment. Visit our website to get started.