Tags: , , , ,

Firewalls have been a fundamental part of IT security in recent decades. Despite adjustments over the years, their role of blocking unwanted access while allowing authorized communications has remained the same.

Traditional methods are not enough…

In light of the growth of Web 2.0 applications, for instance, blogs, wikis, social media, instant messenger, file sharing, and Flash, which cannot be secured through traditional firewalls, the development of new security methods has become increasingly important. Furthermore, as more and more enterprises are adopting cloud computing and cloud services, new security risks and challenges have arisen.

Major changes to firewalls have been in management and location options. Many of these developments lie on a spectrum. On one end of the spectrum is the DIY (do it yourself) option, which requires the organization to invest human resources and capital to support new firewall technology. On the other end is the cloud-based firewall solution. In between these two extremes are other choices, such as a hybrid system, or on-premise outsourced management.

Cloud-based firewalls

A cloud-based firewall solution, also referred to as a (NBFW), can serve the same purposes as traditional firewalls. However, this option can also present a number of different dynamics, which are explored in further detail below:

• Scalability – The cloud-based firewall provider handles scaling, maintenance and resource management. The provider is responsible for building the network and firewall in order to uphold the (SLA) with the client.

• Availability – Many cloud-based firewall providers are able to offer high availabilities, often >99.99%. Their infrastructures boast fully redundant power, HVAC, network services and backup strategies, in the event of a site failure. Compared with DIY firewalls, which are only as stable as the organization’s existing IT infrastructure, the availability aspect of cloud-based firewalls is certainly attractive.

• Extensibility – As long as the provider is able to offer a protected communications path, the firewall can be extended. Many cloud-based firewall providers also maintain trusted relationships with other providers, so the boundaries of this network may be quite extensive.
• Accessibility – The cloud-based firewall model is structured on one internet connection, despite the number of locations. Traditional models require internet connections at a number of locations, which may mean multiple ISP contracts.

• Maintainability – In this model, the service provider has the responsibility to maintain and support the firewall. With traditional models, or DIY setups, maintenance and support may require the redirection of internal resources.

Deciding Factors

Although there are notable advantages to implementing cloud-based firewall solutions, moving into the cloud requires careful consideration. For instance, decision-makers must examine risks, threats and level of trust in the service provider. The following takes a look at some deciding factors that IT executives ought to consider:

• Service Level Agreement (SLA) – The organization’s corporate risk profile requirements must be met by the provider’s SLA. Analysis may require input from technical, legal and management points of view. In addition, the SLA should guarantee 99.99% availability and responsiveness that matches international standards.

• Escalation Procedures – It is recommended that any escalation and notification procedures conform to international SOC standards. Before implementation, all event-notification procedures (i.e. email, SMS, telephone) should be well-established. This will ensure that the appropriate individuals can address any issues as they arise and that events will be properly tracked.

• Certification and Accreditation – The organization should be . Certified engineers (i.e. CISSP, CISM, GIAC) should also be on staff. All the appropriate compliance requirements should also be met.

• References – Decision-makers should also examine the references from other similar organizations who are customers of the service provider.

CloudFlare

, a relatively new startup, is one option for a cloud-based firewall. Currently, CloudFlare offers three tailored solutions: a free option, a pro and an enterprise option. Upon joining the community, website traffic is routed through CloudFlare’s globally distributed network. Delivery of webpages is automatically optimized, to ensure fast load times and better performance. The service blocks threats, abusive bots and crawlers as well. According to the , websites on CloudFlare boast 30% faster load times, use 60% less bandwidth and have 65% fewer requests.

XRoads Networks

Recently, , perhaps best known for providing unified bandwidth management platforms, announced the launch of its . It offers cloud firewalls in a variety of deployments:

• Network firewall
• Spyware and web filter
• Endpoint anti-virus solution

Unique to XRoads Networks is the fact that their offering, the , provides both network and endpoint security in a unified platform. The Edge2WAN was designed specifically to run in the cloud, providing real-time spyware and malware checking; real-time anti-virus support; and real-time web threat protection and filtering. These firewalls were also designed with built-in multi-ISP capability, which allows for better load balancing, link failover and failback, when compared with similar products on the market.

Summary

In light of more and more enterprises moving to cloud computing and other cloud-based services, the issue of cloud-based firewalls is becoming a prominent one. This article takes a look at cloud-based firewall advantages and disadvantages, as well as some current options of services and providers on the market.

CCSK Exam Preparation

In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:

• Contractual Security Requirements (Domain 2)
• Enterprise and Information Risk Management (Domain 2)
• SAS 70 Type II (Domain 4)
• Provider Selection (Domain 8)