You Deserve Better Than a Branch Firewall

Firewalls have long been an integral part of the branch network architecture. But recent trends have turned the once-sturdy firewall into something of a relic and are driving organizations to move toward a cloud firewall. Here’s why.

What’s past is prologue

If your branch offices are like most others, they’ve been home to regional teams or, perhaps, certain departments, such as a customer service center. They generally have fewer employees than headquarters and they also tend to have a select number of IP-enabled devices, such as printers and security cameras, in use on a regular basis. 

Most often, your branch employees accessed applications hosted in the data center or they connected to a regional internet egress point. This accounted for roughly 75 to 80 percent of the network traffic in a branch office. These branch offices also had some local traffic segmentation and some minimum access controls in place.

Under these conditions, the traditional firewall appliance was more than adequate to accommodate your user traffic. But did you notice something missing? Yep. Security. There’s not a lot of security here. Instead, the focus of these branch firewalls was to provide basic access controls and connections to the data center or providing application and device access. That is the role of the branch firewall.

Something’s different

Branch office network architecture has been evolving as a result of two trends that have changed the way employees work and the way organizations conduct business: cloud and mobility. 

Thanks to the cloud, applications are no longer housed in the corporate data center. Salesforce, Office 365, and many other business-critical apps are in the cloud, and branch users are connecting to them directly over the internet. In fact, roughly 75 to 80 percent of traffic is now going to the internet instead of the data center, a total reversal from a few years ago. 

Direct-to-internet connections must be secured, but the question becomes how. Can you put a full next-generation firewall (NGFW) security stack in every branch? And what happens when employees leave the branch and connect from home or use public Wi-Fi? In the past, employees were connected to specific applications over secure links that you controlled. Now, employees are accessing data, applications, and websites over unsecured links, increasing the risk to your organization.  

Put it all into context

With all of these changes, your fundamental architecture also has to change. Migration to an architecture that allows direct-to-internet connections is critical, but to allow direct connections, security has to evolve as well. You can no longer afford to have centralized security—you need to inspect locally. Furthermore, you need deep inspection with context about the traffic you’re inspecting. But, to build that context, you need a lot of data.

Traditional hardware-based security is based on what’s known—signatures are compared to lists of known threats and if they match, the threat gets blocked. But there is no guarantee that what is good today is going to be good tomorrow. After all, web pages don't just contain plain text nestled inside HTML tags. Instead, they are filled with Java applets, flash videos, and ActiveX, and other objects designed to run programs. Hackers routinely embed malicious scripts and applications in legitimate websites, turning a previously “safe” site into a suddenly dangerous one. And all of this is hidden within SSL-encrypted traffic, helping bad actors evade detection and putting visitors at risk. Without native SSL inspection capabilities, your security appliances would allow employees to access these sites, risking infection to their systems and possibly the network.

It’s well known that signature-based security is no match for today’s threat actors. Security must go deeper and look at the context of every transaction, which would encompass the operating system on the user’s machine, the transport or gateway being used to connect to the destination, and the destination the user is trying to access. Even the DNS comes into play. Additionally, this context takes into account the party that registered the domain and looks to see if this party is associated with any other domains, particularly those known to be suspicious. All of this information is needed to build context and get a true picture of any potential threat, and it needs to happen instantly. 

Not today

With traditional hardware-based security, most architectures would require the trade-off of a positive user experience to attempt to achieve this context—if they could achieve it at all. But a poor user experience is unacceptable with a growing work-from-anywhere workforce. So, IT teams need to achieve this deeper context while still providing a best-in-class user experience. That is what the new world demands.

And these demands are more than branch firewalls can deliver. Appliance-based firewalls can’t provide identical security without compromising the user experience. Today’s security solutions must be scalable with the ability to accommodate unlimited bandwidth needs, and they must provide identical security no matter where users connect—the branch, the HQ, at home, or on the road. Branch firewalls lack the capacity to handle growing bandwidth needs and lack the functionality to secure users in the cloud and mobile world. In short, branch firewalls are irrelevant in this new world.

Virtual and next-generation firewalls

As an answer, some organizations are turning to virtual firewalls, but they have the same limitations as physical firewalls. The only difference between a virtual and physical firewall is the form factor, which allows you to bring a virtual system online or add to its capacity more quickly and easily than a piece of hardware. However, that is the only difference. Its functions and limitations are exactly the same. Many see virtualization as a way to scale, but this approach can end up being costly. As your capacity needs grow, the vendor may be able to quickly accommodate you, but you’re going to pay for it every time. And virtual firewalls still don’t address the security challenge. 

A better solution

Since your applications and your users are moving to the cloud, shouldn’t your security? A cloud-built solution can better address the needs of today’s branch offices and your employees.

A cloud-built solution enables secure, direct-to-internet connections for a fast user experience without any appliances to purchase, deploy, or manage. It also brings the entire security stack close to the user to ensure identical protection when they leave the branch office. And, a cloud-built solution reduces costs and complexity by reserving the use of MPLS for data center traffic only. 

Unlike appliances, a cloud-native solution scales elastically to handle SSL inspection and the demands of cloud application traffic, which often require multiple long-lived connections. It also provides security and access controls for internet traffic on all ports, not just 80 and 443, to prevent advanced threats. It logs every session and delivers real-time visibility and policy enforcement across all users, all locations, all applications, and all ports and protocols from a single console. 

You deserve better and so do your users

Even before the recent work-from-home mandates, the world of the branch office was changing. Traditional firewalls just weren’t built to function in a world where applications have moved out of the data center, the internet is the new transport network, and employees are working from everywhere, not just the office. In addition, firewalls can’t provide the level of security necessary to fight increasingly sophisticated and targeted threats. Don’t your branch offices, and your employees, deserve something better?

Are you ready to move away from your traditional branch firewall? Let Zscaler show you how.

Naresh Kumar is Director of Product Management, Zscaler