What's the hype with FWaaS, or firewall as a service?

FW inspection for inter-/intra-LAN segmentation is a bitch to duplicate with FWaaS services.

Using a firewall solution as a router/firewall, such as a Palo or Forti, in a distributed branch scenario gives you outbreak control at the network layer and a truckload of flexibility as well. Annuity costs are a potential issue depending on model, quantity, and scale.

More so, defence in depth by mixing firewall vendors brings that layered edge that some large govt depts and businesses rely on. Zscaler can be a component in the mix, but I'd still pass traffic through my internal firewalls after the cloud firewall if my data and services were primarily in-house.

Everything "aaS" is being pushed right now. As far as the business model goes, it's easier and a whoooooolllleee lot cheaper to pay someone else to do it for you than to build and maintain your own devops and engineering team, not to mention allocate time and/or money to a talent management team to retain and recruit those highly paid individuals.

Hell, I can think of maybe 10 companies off the top of my head where that's even sustainable for more than 10 years before it starts to cut into your bottom line so much you have to wonder if it's not worth just contracting an IT team for your IT company.

My management wants to rip out our branch office firewall and use a cloud provider for firewall.

Sounds like management got cold-called by marketing, or went to some executive retreat and was talking to a fellow egghead who somehow convinced them it was a good idea.

Our management is also pushing everything onto Zscaler, but oh my, it's so shitty. Their support is a dead-end, incompetent; it's SaaS, so if you need to get things done or troubleshoot live it takes time. We have been using their firewall for some time, but if you want logs you need another license. Plus their POPs don't have the best connections; heard through the grapevine that's one of the reasons for them being so cheap. In the US and perhaps western EU it's good, but in central/eastern Europe, the Middle East, and LATAM you can expect issues.

Hah, I love watching the mental gymnastics here from vendors.

Trying their hardest when pushing SD-WAN to crap all over centralised breakout and traditional L3VPN-based solutions (hdvrf, Cisco GET VPN, etc.), only to come full circle to a shoddier, more expensive version.

What you are referring to are SWG (Secure Web Gateway) features; it's more like a proxy with an encrypted tunnel for web traffic than a firewall. It is often part of SASE solutions.

Terminology aside,

The advantages of a SASE solution are reduced reliance on your hardware availability and the added mobility potential.

The same question should always be asked before implementing a solution: what problem am I trying to solve?

Have they considered the cost factor?

There are usually lower-tier and virtual options for branch offices.

What does your current firewall vendor support? It's usually a hell of a lot easier to manage one platform than to split it up.

I bet the FWaaS provider sold them on a "total cost" savings that's complete bullshit. Your labor to learn and support two different platforms is also a cost.

If you contact your current vendor and tell them about the FWaaS offering, they’ll probably suggest cost-effective alternatives and may offer discounts to retain your business.

Someone found another way to license you something (a recurring fee) for something you could otherwise just buy.

I haven’t heard of any hype in this space except from the marketers. Don’t believe the hype.

Zscaler is powerful for sure, but it also has its own flaws. There is no way for users to know the real IP, so requests get messed up with the 100.64 range. It is also highly dependent on the user's internet: while you are in the office it just works normally, but that will not be the case in the future. Home usage is OK, but whenever there is a problem, Zscaler denies it and blames user connectivity. It also fucks up DNS forwarding results. Overall, I am OK with the tool but will rip it out if possible.

Many companies don’t want to run any “unnecessary” hardware on-prem.

With (NG)FWaaS you don’t have to, among other things:

* Worry about setting up HA (interlinks, sync, finding two separate rooms with separate utilities, etc.), or taking the hit of SNAT everywhere and still getting crappy failover in cloud virtualised instances.

* Worry about firmware updates, having to schedule maintenance windows, and aligning the changes and testing with the business for early-morning hours every few months.

* Worry about hardware lifecycle.

* Worry about hardware maintenance (broken SFP+s, fans, power supplies, etc.).

* Worry about scaling (oops, we bought too small a firewall, now we have to replace it with a larger model).

* Expend capital that then sits on the books, giving the company a better ROCE and at least the execs, but hopefully everyone, a better bonus.

Cato is how you do it properly.

This. Your old firewalls are just your termination point for whatever service you’re trying to subscribe to.

Our branch offices have no inbound services, and Zscaler lets us have a simple outbound SNAT to the internet on our SD-WAN boxes that break out locally, rather than having to tunnel back to one of our hubs for inspection. Internet security/policy applies to our users regardless of where they're connecting from.

I also like having my nipples pinched until I involuntarily vocalize.

/r/BrandNewSentence

Bonus points if you stand up said faux-router-like device as a virtual appliance on undersized hardware. Triple points if you treat this router like an endpoint, just drop it into a large server subnet, and toss the garbage over the fence to your network team, whom you should have consulted from the start. /s, kinda

It’s good to know yourself.

Look into SIPA. It's pretty cheap regardless of whether you host it yourself or pay for Zscaler to host it.