Dark Reading is part of the Informa Tech Division of Informa PLC


Network Security // Firewall

6/25/2018 08:05 AM

Alan Zeichick

How to Find a Next-Generation Firewall for the Cloud

If you use cloud-based servers for running business applications, you need to protect those servers with a software-based cloud firewall. There are many options, and here's how to choose.

Your software applications, as well as the data those applications use, are your company's crown jewels. If attackers penetrate your defenses, they can steal your data, pivot into your other applications, disrupt your operations, harm your customers and potentially land you in court.

That's true for applications running in your on-premises data center, and for those running in the cloud on virtual servers that you control, which providers sell as infrastructure-as-a-service (IaaS). It also applies to managed application runtimes sold as platform-as-a-service (PaaS), although there the provider controls the underlying servers and your share of the network controls is smaller. (See As Public Cloud Use Increases, So Does Data Theft.)

If you are running applications in the cloud using PaaS or IaaS, you need to protect them with a firewall that is also in the cloud -- that is, a firewall running as a virtual appliance inside your cloud network, in the path between the Internet (or your other networks) and your application servers. You need it whether your cloud applications are purely internal (used by employees, or as back-end processes for on-site data center applications) or exposed to external users such as customers or partners: an internal-only workload with no filtering is one compromised account or VPN peer away from being reachable by an attacker.

Such products are usually sold as Next-Generation Firewalls (NGFW). The "next-generation" label describes the feature set, not the form factor: an NGFW identifies applications and users rather than just ports and addresses, and bundles intrusion prevention and other inspection with packet filtering. The same vendors sell NGFWs as traditional firewall products -- the familiar rack-mountable boxes installed in your wiring closet, wired up between the Internet router and your local LAN switches.

In the cloud, by contrast, the NGFW is delivered as a virtual appliance: a software image you deploy onto virtual servers in your own cloud environment, and which you are responsible for licensing, installing, configuring and managing, including routing your traffic through it so that it actually sees the flows it is meant to filter.

Sources for NGFW
"So, Alan, where should I find the best NGFW?" The answer, of course, is "that depends."

Let's break it down in two different ways: which cloud service or services you are using, and what you are using as a firewall for your on-premises network and servers.

Let's start by looking at the IaaS and PaaS hosts -- in particular, the best-known ones (Amazon Web Services, Google Cloud Platform and Microsoft Azure) as well as smaller players including Rackspace, Oracle, DigitalOcean and IBM.

Each hosting company has partnered with one or more NGFW providers. For example, the AWS Marketplace includes NGFW products from Palo Alto Networks, Fortinet, Forcepoint, Cisco, Check Point, Juniper Networks, Huawei and others.

You'll find a similar selection in the Google Cloud and Azure marketplaces, and from the smaller hosts.

AWS is unlike most of the other hosts in also offering its own managed security service, GuardDuty. Note that GuardDuty is a threat-detection service, not a firewall: it analyzes CloudTrail, VPC Flow Logs and DNS logs and raises findings, but it does not sit inline and does not block traffic. The filtering AWS itself provides comes from security groups and network ACLs (and AWS WAF for HTTP), which you keep regardless of which NGFW you add; an NGFW complements those native controls rather than replacing them. (See AWS Adds Security Management to Growing Portfolio.)

Each NGFW product is packaged for the specific cloud service, and is available under a variety of licensing terms and free trial periods. Be prepared, however, to spend a lot of time working out which of these offerings is really right for your applications; frankly, there's no shortcut.

That brings us to the other way of slicing the issue: other firewalls you might be using.

There are benefits in running the same basic firewall engine everywhere, especially if you are in a hybrid cloud environment, where data center applications are tied to cloud applications; or if you're in a multi-cloud environment with some applications on Amazon and some on Azure.


If you standardize on one firewall vendor -- say, Check Point, Fortinet or Palo Alto Networks -- you already have experience with the product. It doesn't matter if you're running a Palo Alto hardware appliance in your data center and Palo Alto NGFW software in the cloud: it's still Palo Alto, with the same engine and the same policy model.

If you choose a single vendor's product, you may also be able to set up one integrated administrative console -- a single pane of glass -- that consolidates management and threat reports. Another possible benefit is lower licensing cost: you may need to contact the firewall vendor or your favorite VAR to negotiate hybrid cloud or multi-cloud pricing, instead of licensing directly through the cloud host.

So, if you are running 100% cloud-based applications in a single cloud provider, your choice is simple: Find the best value for an NGFW in that provider's list of partners, click "purchase" and start provisioning. But if you are hybrid cloud or multi-cloud, my advice is to look for the best solution that spans all your computing environments, and standardize on that. In the long run, it'll make your life a lot easier.


Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity and software development. Follow him @zeichick.
