
A New Approach to Better Branch Security


One of the most common network security solutions is the branch firewall. Branch firewall appliances can pack a wide range of security capabilities into a single device, including a stateful or next-generation firewall, anti-virus, URL filtering, and IDS/IPS.

But the reality is that most of these edge devices lack the processing power to apply the full scope of capabilities to all of the necessary traffic.

If the firewall deployed in the branch cannot scale to address critical security needs, an alternative strategy must be used. Wholesale appliance upgrades are easy but expensive. Regional security hubs are complex and also costly.

A new approach, called firewall bursting, leverages cloud scalability to offer an easier, more cost-effective alternative for branch office security. (You can find a great table comparing the different firewall approaches here.)

Costly Appliance Upgrades and Secure Hub Architectures

The existing methods of evolving branch security force IT into a tough trade-off: the cost and complexity of managing appliance sprawl, or the complexities of a two-tier network security architecture.

Upgrading all branch firewalls to high-performance, next-generation branch firewalls improves network security, no doubt. Branch offices gain more in-depth packet inspection and more protections applied to more traffic. This is a relatively straightforward, but very costly, way to achieve stronger security.

Aside from the obvious firewall upgrade cost, there are also the costs of operating and maintaining the appliance, which include forced upgrades. Sizing branch firewall appliances correctly can be tricky.

The appliance needs enough power to support the mix of security services across all traffic, encrypted and unencrypted, for the next three to five years.

Alone, that might be complex, but constantly growing traffic volumes only complicate the forecast. And encrypted traffic, which has become the new norm for virtually all Internet traffic, is not only growing but must first be decrypted, exacting a heavy processing toll on the appliance.

All of which means that IT ends up either paying more than necessary to accommodate growth, or under-provisioning and risking the company’s security posture.

Regional hubs avoid the problems of upgrading all branch firewalls. Instead, organizations keep their branch routers and firewalls, but backhaul all traffic to a larger firewall with public Internet access, typically hosted in a regional co-location hub.

The regional hub enables IT to maintain minimal branch security capabilities while benefiting from advanced security.

However, regional hubs bring their own problems. Deployment costs increase, as regional hubs must be built out at significant hosting expense and equipment cost. And we’re not just talking about throwing up an appliance in some low-grade hosting facility.

Hub outages impact not just one small office but the entire region. Hubs need to be highly available and resilient, run up-to-date software, and be maintained by expert staff.

Even then, there are still the same problems of forced upgrades due to increased traffic volume and encrypted traffic share, though this time only for the hub firewall appliances.

The network architecture is also made far more complex, particularly for global organizations. Not only must they roll out multiple regional hubs, but those hubs must be deployed in geographically dispersed regions or in regions with a high concentration of branches.

In short, while the number of firewall instances can be reduced, regional hubs introduce a level of complexity and cost that is too high for many organizations.

Firewall Bursting: Stretching your Firewalls to the Cloud

Cloud computing offers a new way to solve the edge firewall dilemma. With “cloud bursting,” enterprises seamlessly extend physical data center capacity to a cloud data center when traffic spikes or when they exhaust the resources of their physical data center.

Firewall bursting does something similar for under-capacity branch firewalls. Edge security processing is minimized where firewall capacity is constrained, and advanced security is applied in the cloud, where resources are scalable and elastic.

The on-premises firewall handles basic packet forwarding, but anything requiring “heavy lifting,” such as decryption, anti-malware or IPS, is sent to the cloud. This avoids forced branch firewall upgrades.

Firewall bursting is similar to the regional hub approach, but with a key difference: the IT team isn’t responsible for building and running the hubs. Hubs are created, scaled, and maintained by the cloud service provider.

Who Delivers Firewall Bursting Capabilities?

Secure web gateways (SWGs) delivered as cloud services can provide firewall bursting for Internet traffic. However, since firewalls need to apply the same inspection to WAN traffic, SWGs offer only a partial solution.

Purpose-built, global Firewall as a Service (FWaaS) is another option. FWaaS providers, such as Cato Networks, create a global network of Points of Presence (PoPs), providing a full network security stack specifically built for cloud scalability.

While the PoPs are distributed, they act “together” as a single logical firewall instance. The PoPs are highly redundant and resilient, and in case of outages, processing capacity seamlessly shifts within or across PoPs, so firewall services are always available.

The PoPs are capable of processing very large volumes of WAN and Internet traffic. Because adding processing capacity, either within PoPs or by adding new PoPs, is transparent to customers, you don’t have to adjust policies or reconfigure your environment to accommodate changes in load or traffic mix.


With firewall bursting, customers can keep their current edge firewalls and still improve security. If you are running out of gas on your edge firewalls, you have options.

Beyond the obvious approaches of firewall upgrades and hub-and-branches setups, new innovations like FWaaS are now available.

FWaaS leverages cloud elasticity and scalability to globally extend network security with minimal impact on current network design.

Firewall refreshes, capacity upgrades, and mergers and acquisitions all represent a great opportunity to look at firewall bursting and FWaaS to evolve your network security beyond the edge.
