What's the hype with FWaaS, or firewall as a service?

Is anybody here using FWaaS from cloud providers like Zscaler? My management wants to rip out our branch office firewall and use a cloud provider for the firewall. We are still assessing the pros and cons, but I don't see any benefit in moving to FWaaS in the cloud.

I think performance will take a big hit, as on-premises firewalls offer packet inspection at line rate; moving to the cloud, you are at the mercy of the cloud provider's PoPs?

Most vendors like Palo Alto or Check Point offer virtual firewall software, so if you are in a branch, you can use a bare-metal box and their software license to get basic firewall functionality.

So, I am not sure of the benefits of using FWaaS in the cloud. The capabilities won't match, and we are looking at a performance hit. Did anyone replace their branch office firewall with a FWaaS in the cloud? Any opinions?

While I agree somewhat… never ever get rid of a firewall that connects, with a piece of cable or otherwise, to a service that you do not own. It’s your perimeter…

Whether your internet ingress/egress or PoP is cloud managed is a question of day 2 operations and day 1 requirements. Either way, keep a firewall at a branch, if only to interconnect an IPsec/WireGuard tunnel with a cloud provider.

Maybe I’m out of touch but I would never consider running a cloud based firewall unless it were right there alongside a cloud based environment I need to create a boundary for.

I love complaining about latency and then injecting an arbitrarily suboptimal transit node into the path. I also like having my nipples pinched until I involuntarily vocalize.

It works great for Internet traffic / URL filtering.

Speaking of Zscaler specifically:

You can send all your VPN users to the nearest firewall in the cloud. You don't have to configure much to select the nearest firewall / traffic flow. The agent works flawlessly compared to traditional VPN agents, and it integrates really nicely with MFA providers.

And you have the same policies applied to everyone globally, even people in a branch office. User identity, NGFW, URL filtering, DNS security, DPI, SSL decrypt: it's all there.

This can be a challenge compared to tunneling all your VPN traffic to a single pair of firewalls in a data center which requires a lot of effort.

Tools like Zscaler are very powerful. In that sense the “hype” is real. Is it the solution that fixes everything? Absolutely not.

You need to look at what your current firewall does at a branch. If Zscaler can replace it, it is a valid solution for the business. If there are gaps, risks, etc., you need to point to the business impact of these. IMHO, for branches and remote workers, it is pretty decent.

The biggest pain I found with Zscaler was whitelisting all their potential source IPs into our data centers.
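The allowlisting pain described in the post above, as an added example that is not part of the original thread: a small Python script that collapses a provider's published egress ranges into the fewest allowlist entries, renders them as scoped rules, and audits firewall log lines to flag inbound sources that fall outside those ranges. The CIDRs and log lines are constructed here from documentation address space; they are not Zscaler's real ranges or any real device's output. One caveat a practitioner wants alongside such an allowlist: a source inside the provider's range only proves the connection egressed through the provider, whose egress IPs are typically shared with its other customers, so the allowlist is a reachability control and not authentication.

```python
import ipaddress

# Constructed sample of a FWaaS provider's egress ranges, in the shape a customer
# would export from the vendor's published list. Documentation prefixes only,
# NOT Zscaler's actual ranges (assumption for the example).
PROVIDER_RANGES = [
    "203.0.113.0/25",
    "203.0.113.128/25",
    "198.51.100.0/24",
    "2001:db8:1::/48",
]

# Constructed, syslog-style accept lines from a hypothetical data-center edge
# firewall "fw1". Not real log data.
SAMPLE_LOG = """\
2024-07-10T09:12:01Z fw1 accept src=203.0.113.17 dst=10.20.0.5 dport=443
2024-07-10T09:12:03Z fw1 accept src=198.51.100.200 dst=10.20.0.5 dport=443
2024-07-10T09:12:07Z fw1 accept src=192.0.2.44 dst=10.20.0.5 dport=443
2024-07-10T09:12:09Z fw1 accept src=203.0.113.200 dst=10.20.0.7 dport=22
"""


def collapse_ranges(cidrs):
    """Merge adjacent and overlapping prefixes so the allowlist has as few
    entries as possible (two /25s become one /24). collapse_addresses()
    only accepts a single IP version at a time, so v4 and v6 are handled
    separately; the result is sorted within each family."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return ([str(n) for n in ipaddress.collapse_addresses(v4)]
            + [str(n) for n in ipaddress.collapse_addresses(v6)])


def render_rules(cidrs, dst, dport):
    """Emit one rule per collapsed prefix, scoped to a single destination and
    port rather than 'any', so the provider's shared egress space can only
    reach the service it was allowlisted for. Generic rule syntax, not a
    specific vendor's (assumption for the example)."""
    return [f"allow proto tcp from {c} to {dst} port {dport}"
            for c in collapse_ranges(cidrs)]


def parse_src(line):
    """Pull the src= field out of one key=value log line; None if absent."""
    for field in line.split():
        if field.startswith("src="):
            return ipaddress.ip_address(field[4:])
    return None


def audit_sources(log_text, cidrs):
    """Split observed source addresses into those inside the provider's
    published ranges and those outside. An address inside a range is still
    only 'came via the provider', not 'is our user'."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    result = {"in_range": [], "out_of_range": []}
    for line in log_text.splitlines():
        src = parse_src(line)
        if src is None:
            continue
        # 'in' returns False across IP versions, so mixed lists are safe here.
        bucket = "in_range" if any(src in n for n in allowed) else "out_of_range"
        result[bucket].append(str(src))
    return result


if __name__ == "__main__":
    for rule in render_rules(PROVIDER_RANGES, "10.20.0.5", 443):
        print(rule)
    print(audit_sources(SAMPLE_LOG, PROVIDER_RANGES))
```

Re-run the collapse step whenever the provider republishes its ranges, and diff the output against what is deployed; the sources in `out_of_range` are the ones that reached the service without going through the provider at all, which is the finding worth chasing.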

As someone who is doing a pilot for one of these at work, it is painful to do work if your upload speeds suck.

Like a lot of things, there’s pros and cons.

I’ve been involved with SaaS (Security as a Service) SD-WAN deployments, where effectively all traffic is tunneled back to a provider core where it egresses out onto the internet. The performance hit is not as big as you might expect, and the benefits are things like:

  • uniform firewall policy. No matter who is located where, the firewall policy is in effect. Users in office A, office B, or connected by client VPN are all subject to the same firewall rules. Yes, this can be done with a centrally managed firewall platform like Panorama that is then deployed to the nodes. It’s the same concept except the traffic is brought to the central node where the rules are located.

  • you need a good platform with sufficient bandwidth and plenty of local PoPs. If you have geographically dispersed users, the PoP locations will get traffic into the backbone where internet traffic can be processed and egressed out to the internet. Not enough PoPs means too much back and forth.

  • VPN is now a service. Users are no longer connecting to a single firewall, but are connecting to the cloud provider. Their traffic is then subject to the same firewall rules that everybody else is.

  • bandwidth at the office can be aggregated among multiple ISP connections, so in addition to redundancy you get to use more of each pipe. Of course, if one goes down, you’re really starved for bandwidth if you normally rely on two.

  • you can’t polish a turd. You still have to have good quality circuits in order for latency and jitter to remain intact. If you have crappy broadband that struggles during business hours, this will not provide the improvements hoped for.

  • If you have only a few locations and a user base that does not travel a lot, the benefits diminish in comparison to the performance hit and probably cost.

Like most things, there’s multiple ways to accomplish something. I also love the idea of local circuits handling the traffic. It just feels right not adding the overhead of tunneling everything to some other place. But there are administrative benefits that come from such an architecture.

FwAAS makes someone else a LOT of money. Goes along with CAAS. You write a check and magically everything works.

Companies try to tout this as a solution to businesses that struggle to have good in-house engineers to maintain network security in an increasingly hostile communications spectrum. They may be right, but you also lose a lot of autonomy. It’s like hosting Exchange in the cloud. It’s a slippery slope. What happens if you stop paying the bill? In some (many) cases you still need a firewall on prem to interface with the remote hosted firewall anyway.

Tongue in cheek, but when I’ve spoken to vendors about that and asked about making sure I could maintain admin access to the (hypothetical) remote firewall, that usually ends the friendliness right then and there. They want all the control and maximum fees.

Try building appliances for HTTPS inspection. It takes a ludicrous amount of hardware and bandwidth to do it without either:

  1. Grinding everything to a crawl
  2. Poking so many holes in the policy it makes your investment in inspection worthless

Frankly, I believe inspection is right up there with email as one of those services that you just shouldn’t try to run in-house.

Not sure about Zscaler, but Palo Alto Prisma is good, Checkpoint Harmony Connect is meh (I believe they were a lot better before going EOL). Have had multiple customers bottlenecked by Checkpoint gateways that have been fixed by backhauling traffic to Prisma instead.

Depending on your equipment, you can also split the tunnel to have latency sensitive applications run direct, and have basic web traffic run through the NSaaS/FWaaS (whichever sales terms you prefer lol) like other VPN implementations. That’s generally how I like to approach it.

I’d say the real question, like some others have stated, is whether you’re willing to effectively outsource your traffic inspection to the CSP you choose?

Really depends on what kind and direction of the traffic flows at the branch offices.

Nowadays most remote offices access cloud-based services or applications. So if it’s a bunch of remote users, you might slap an agent on everyone’s laptop, and now they always go up to the firewall in the cloud regardless of where they are.

If they mostly access resources in the public cloud anyway might be a good fit.

There are scenarios where it makes sense. HA hardware at each site may be EOL and need purchase of new hardware and service contracts.

Moving the egress for those to a cloud can be much cheaper. If it’s cloud native you also don’t have to manage patching or security updates.

Policy becomes easier to manage because it’s all centralized, so no need for an additional management console. Bandwidth usage should be fairly low for remote offices.

If your stuff isn’t EOL then it really only makes sense if you already have a cloud security presence. For instance, you have applications or services in a public cloud, or have an SD-WAN solution.

Once laptops have 5G / Sim cards this will be a thing. Until then, no gain.

ZIA is pretty awesome for a hybrid/remote workforce. Everything controlled in one UI, and firewall changes are near instant. Users get the same L7/NGFW protection regardless of where they are (Home/Work/Travel/Etc).

I think performance will take a big hit, as on-premises firewalls offer packet inspection at line rate; moving to the cloud, you are at the mercy of the cloud provider's PoPs?

Zscaler specifically has datacenters all around the world with hundreds of gigabits of backhaul. It’s faster than your internet (most likely).

It’s like LBaaS or any other network service.

I wouldn’t see it being terribly useful outside of a hosted cloud environment.

My guess is it’s always the same, business doesn’t want people running services on-premise. It’s more convenient terminating contracts than firing people.

Keep your on-premises equipment.

Sounds like your management have gone through the Zscaler sales process, where they sell aggressively.

So what I would say is that you can see prices for this on the G-Cloud UK site. I was a bit shocked by the price. For our organization Zscaler was like £300k for basic ZIA; however, add in the FWaaS and it was double.

https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://assets.applytosupply.digitalmarketplace.service.gov.uk/g-cloud-13/documents/706729/870417759755592-pricing-document-2022-05-18-0759.pdf&ved=2ahUKEwiZvIyOsJiHAxVfS0EAHR5yAeMQFnoECBwQAQ&usg=AOvVaw3dYK7O2qdPKYszSzaizBRN

Yes, have done it for years with ZSC—works great. Users don’t see any latency in my experience, and we get policy globally deployed across all locations in one shot. There’s lots of other upsides as well. If you want/need to do SSL inspection, good luck doing that on premises everywhere—otherwise you have to do it in the cloud.