Your software applications, as well as the data used by those applications, are your company's crown jewels. If hackers penetrate your defenses, they can steal your data, penetrate your other applications, disrupt your operations, mess up your customers -- and potentially -- land you in court.
That's true for applications running in your on-premises data center, as well as those running in the cloud, using virtualized servers that you control -- often referred to as platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS). (See As Public Cloud Use Increases, So Does Data Theft.)
If you are running applications in the cloud using PaaS or IaaS, you need to protect them with a firewall that's also in the cloud -- that is, a firewall that is actually running as software instances on your cloud servers. You need a firewall whether your cloud applications are for purely internal access -- such as by employees, or as back-end processes for on-site data center applications -- or are set up for external users, such as customers or partners.
Such cloud-hosted firewalls are sometimes referred to as Next-Generation Firewalls (NGFW), to distinguish them from traditional firewall products -- the familiar rack-mountable boxes installed in your wiring closet, wired up between the Internet router and your local LAN switches.
By contrast, NGFW are software applications installed onto virtual servers, which you are responsible for licensing, installing, configuring and managing.
Sources for NGFW
"So, Alan, where should I find the best NGFW?" The answer, of course, is "that depends."
Let's break it down in two different ways: Which cloud service or services you are using, and what you are using as a firewall for your on-premise network and servers.
Let's start by looking at the IaaS and PaaS hosts -- in particular, the best-known ones, such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure and smaller players including Rackspace, Oracle, Digital Ocean and IBM.
Each hosting company has partnered with one or more NGFW providers. For example, the AWS Marketplace includes NGFW products from Palo Alto, Fortinet, Forcepoint, Cisco, Check Point, Juniper Networks, Huawei and others.
You'll find a similar selection from Google, Microsoft, etc.
AWS is unlike most of the other hosts, however, in also offering its own security system, called GuardDuty, which offers many of the same features as an NGFW. (See AWS Adds Security Management to Growing Portfolio.)
Each of the NGFW products is customized for the specific cloud service, and is available under a variety of licensing terms and free trial periods. However, be prepared to spend a lot of time figuring out which one of these offerings is really right for your applications -- frankly, there's no shortcut.
That brings us to the other way of slicing the issue: other firewalls you might be using.
There are benefits in running the same basic firewall engine everywhere, especially if you are in a hybrid cloud environment, where data center applications are tied to cloud applications; or if you're in a multi-cloud environment with some applications on Amazon and some on Azure.
If you standardize on one firewall -- Check Point, Fortinet or Palo Alto -- you already have experience with the product. It doesn't matter if you're running a Palo Alto firewall hardware appliance in your data center, and Palo Alto NGFW software in the cloud -- it's still Palo Alto.
If you choose a single vendor's product, you may also be able to set up one integrated administrative panel -- a single pane of glass -- to consolidate management and threat reports. Another possible benefit: you might be able to save on licensing costs. You may need to contact the firewall vendor or your favorite VAR to negotiate hybrid cloud or multi-cloud pricing, instead of licensing directly through the cloud host.
So, if you are running 100% cloud-based applications in a single cloud provider, your choice is simple: Find the best value for an NGFW in that provider's list of partners, click "purchase" and start provisioning. But if you are hybrid cloud or multi-cloud, my advice is to look for the best solution that spans all your computing environments, and standardize on that. In the long run, it'll make your life a lot easier.
— Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity and software development. Follow him @zeichick.