
Masters of Internet Infrastructure: Sponsored by Verisign

The Pros and Cons of a Cloud-Based Firewall


By jburke on Fri, 11/11/11 - 4:22pm.

For the past few posts I’ve been writing about cloud-based security adoption while focusing on cloud-based firewall as a service, which enjoys high interest among enterprise security architects and staff. There are definitely inherent advantages and disadvantages to moving to a cloud-based firewall and in this post we’ll look at some of these as we work toward making a cloud-based firewall business case.

First let’s look at the advantages. What makes a cloud-based firewall different from an on-premise firewall (other than being off-premise) comes down to three things: scalability, availability and extensibility.

Scalability: Cloud-based firewall providers deliver services to multiple customers and at the core of their service they use firewalls designed to scale to meet ever-increasing demand. From the enterprise perspective this scalability comes into play when bandwidth increases. Unlike an on-premise firewall that needs replacement when bandwidth exceeds firewall throughput, cloud-based firewalls are designed to scale as customer bandwidth increases—or at least any hardware upgrade has to be made transparent to customers.

Availability: Cloud-based firewall providers offer extremely high availability (> 99.99%) through an infrastructure with fully redundant power, HVAC, and network services, as well as backup strategies in the event of a site failure. In contrast, on-premise firewalls are only as reliable as the existing IT infrastructure, which may not be an issue at the data center but could be at the branch. High availability is certainly possible on-premise, but depending on the manufacturer it can double the cost of hardware and make operations more complex.

Extensibility: Cloud-based firewalls are available anywhere the network manager can provide a protected communications path. Given interconnection agreements between network providers, the footprint of service may extend well beyond the boundaries of any single service provider’s network. An on-premise firewall, on the other hand, can be deployed at any corporate location that has the rack space and the necessary out-of-band management connection, at the associated capital cost (higher again if redundancy is required).

So, what about the downside to a cloud-based firewall? Fundamentally, it’s the same issue we see with managed security services: successful security management requires context. Security staff must evaluate an alert in the context of the infrastructure and the organization's unique institutional characteristics. To put this in context: “I’m not sure they [managed security providers] gained the expertise [of our environment] that really benefited them. For us, we gain security expertise [from the provider] but we lose internal knowledge. An alert out of context is just as much an issue as an alert without expertise,” says the chief security officer of a manufacturer.
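To make the "alert out of context" point concrete, here is a small triage script added to this post (it is not from Verisign or from any provider). It parses a handful of constructed firewall alert lines in a generic key=value format and rates each one twice: once with only generic rules a provider could apply knowing nothing about the customer, and once against a constructed asset inventory that stands in for the institutional knowledge the post is talking about. The asset roles, approved peers and the alert format are all assumptions made up for the example.

```python
"""Firewall alert triage with and without institutional context.

Added example, not from the original post. All alert lines, addresses and
asset records below are constructed for illustration.
"""
from dataclasses import dataclass
import re

# Constructed sample alerts in a generic key=value format (no vendor's real output).
SAMPLE_ALERTS = [
    "2011-11-11T16:22:01Z action=ALLOW src=10.1.5.20 dst=203.0.113.40 dport=22 proto=tcp",
    "2011-11-11T16:22:05Z action=ALLOW src=10.1.9.77 dst=203.0.113.40 dport=22 proto=tcp",
    "2011-11-11T16:23:10Z action=DENY src=10.1.9.77 dst=198.51.100.9 dport=3389 proto=tcp",
    "2011-11-11T16:24:00Z action=ALLOW src=10.1.5.21 dst=192.0.2.15 dport=443 proto=tcp",
]

# Constructed asset inventory: the organization-specific context a provider
# has to learn from you. Maps an internal source IP to its role and the remote
# peers it is approved to reach over administrative protocols.
ASSETS = {
    "10.1.5.20": {"role": "backup-server", "approved_peers": {"203.0.113.40"}},
    "10.1.5.21": {"role": "web-frontend", "approved_peers": set()},
    "10.1.9.77": {"role": "workstation", "approved_peers": set()},
}

# Ports treated as administrative protocols for the purposes of this example.
ADMIN_PORTS = {22, 3389, 5900}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass
class Alert:
    ts: str
    action: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_alert(line: str) -> Alert:
    """Parse one constructed alert line; reject anything that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable alert line: {line!r}")
    return Alert(m["ts"], m["action"], m["src"], m["dst"], int(m["dport"]), m["proto"])


def triage_without_context(alert: Alert) -> tuple[str, str]:
    """Generic rating: what a provider can say with no knowledge of the customer."""
    if alert.action != "ALLOW":
        return "low", "blocked by policy"
    if alert.dport in ADMIN_PORTS:
        return "medium", "outbound admin-protocol session permitted"
    return "low", "ordinary permitted traffic"


def triage_with_context(alert: Alert, assets: dict) -> tuple[str, str]:
    """Same alert, rated against the organization's own asset knowledge."""
    asset = assets.get(alert.src)
    if asset is None:
        # An internal address nobody has recorded is itself worth a look.
        return "high", "traffic from an internal address not in the asset inventory"
    if alert.action != "ALLOW":
        return "low", f"blocked by policy ({asset['role']})"
    if alert.dport in ADMIN_PORTS:
        if alert.dst in asset["approved_peers"]:
            return "low", f"approved admin session for {asset['role']}"
        if asset["role"] == "workstation":
            return "high", "workstation initiating admin session to unapproved host"
        return "medium", f"{asset['role']} admin session to unapproved host"
    return "low", f"ordinary permitted traffic ({asset['role']})"


def triage(lines, assets):
    """Return (src, dst, dport, generic_priority, contextual_priority, reason) per line."""
    rows = []
    for line in lines:
        a = parse_alert(line)
        generic, _ = triage_without_context(a)
        contextual, why = triage_with_context(a, assets)
        rows.append((a.src, a.dst, a.dport, generic, contextual, why))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, ASSETS):
        print(row)
```

The first two alerts are byte-for-byte the same event apart from the source address: an SSH session to the same external host. Without context both rate "medium"; with the inventory, the backup server's session to its approved peer drops to "low" while the finance workstation's session rises to "high". That gap is exactly the value that is lost if the provider never assimilates your asset knowledge, and it is the kind of question to ask references about.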

A number of companies echo this sentiment: much of the corporate security zeitgeist is lost in the transition to the cloud. The best way to deal with this is to get multiple references and really dig into the processes and procedures the cloud-based firewall provider uses to discover, assimilate and maintain its knowledge of the unique characteristics of your organization, that is, the context necessary to deliver strong firewall security in the cloud.