For a large part of the last two decades, I have been designing, developing, and deploying firewalls. Initially, the industry was happy with 5-tuple, port-based stateful firewalls. In the mid-2000s, next-generation firewalls were born, and they included other dimensions such as users, groups, and applications. URL filtering and threat and data protection techniques evolved and became integral add-ons to the next-generation firewall. But as applications moved to the cloud and employees logged in from anywhere, these next-generation firewalls soon became ineffective, requiring the third wave of evolution—the cloud-generation firewall.
So, why is there a need to replace next-gen firewalls, aside from their being regarded as a "last-generation" solution? And what can replace them? We're going to answer these questions from the point of view of security and network operations teams.
Firewalls cannot do zero trust
First, let's begin with the fact that next-gen firewalls do not conform to zero trust principles. The most basic tenet of a zero trust architecture is least-privileged access: no user, device, network, or service should ever be granted inherent trust. Firewalls simply cannot apply that principle at the level required to inspect encrypted traffic while making access decisions for users working on a variety of devices, from a myriad of locations, over countless unprotected networks.
In contrast, the Zscaler Zero Trust Exchange quickly and securely connects a user or device to a specific application or workload, applying least-privileged access defined by identity, context, and policy, so employees can work from anywhere without being placed on the corporate network. Without this, the risk of lateral movement is too pronounced.
Next-gen firewalls lead to broad network access and unwanted lateral movement
Traditionally, enterprise firewalls provide zone-based network segmentation and implement rudimentary anti-spoofing: if a packet with an internal source address arrives from the internet or the demilitarized zone (DMZ), it is deemed spoofed and dropped. However, zone-based segmentation still permits broad network access and lateral movement, because traffic within a zone is implicitly allowed. If an attacker compromises one DMZ server, they can reach all of the others.
A compromised internal print server could likewise propagate malware to every user and device within the "trust zone" through those implicit intra-zone allows. In fact, "trust zone" is a misnomer and a contradiction of the zero trust principle described above.
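To make the difference concrete, here is an added example (written for this post, not Zscaler code and not any vendor's rule syntax) of a toy policy evaluator. It models the zone-based behaviour just described, including the anti-spoofing check and the implicit intra-zone allow, next to a least-privilege policy that grants specific host-to-host, port-level access and denies everything else. The addressing plan, host roles, and flows are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan for the example (an assumption, not taken from the post).
ZONES = {
    "trust": [ip_network("10.0.0.0/8")],      # users, printers, internal servers
    "dmz":   [ip_network("192.0.2.0/24")],    # internet-facing servers
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    ingress: str   # interface the packet arrived on: "trust", "dmz" or "internet"


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "internet"


def is_spoofed(flow: Flow) -> bool:
    """Rudimentary anti-spoofing: an internal source address that arrives on an
    interface other than its own zone's is treated as spoofed and dropped."""
    src_zone = zone_of(flow.src)
    return src_zone != "internet" and flow.ingress != src_zone


# Inter-zone policy: (src zone, dst zone, dport) triples that are allowed; anything
# not listed is denied. Intra-zone traffic never consults this table at all:
# the zone model allows it implicitly, which is the lateral-movement problem.
INTERZONE_ALLOW = {
    ("internet", "dmz", 443),
    ("trust", "dmz", 443),
    ("trust", "internet", 443),
}


def zone_policy(flow: Flow) -> str:
    if is_spoofed(flow):
        return "drop: spoofed"
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == dst:
        return "allow: implicit intra-zone"
    return "allow" if (src, dst, flow.dport) in INTERZONE_ALLOW else "deny"


# Least-privilege policy: explicit (src host, dst host, dport) grants, default deny.
# Sharing a zone grants nothing.
LEAST_PRIV_GRANTS = {
    ("10.1.1.20", "10.2.0.5", 631),     # workstation -> print server (IPP)
    ("10.1.1.20", "192.0.2.10", 443),   # workstation -> DMZ web app
}


def least_privilege_policy(flow: Flow) -> str:
    if is_spoofed(flow):
        return "drop: spoofed"
    return "allow" if (flow.src, flow.dst, flow.dport) in LEAST_PRIV_GRANTS else "deny"


# Constructed flows: a legitimate print job, the compromised print server from the
# text pivoting to a workstation over SMB, one DMZ host reaching another, and a
# packet with an internal source address arriving from the internet.
FLOWS = {
    "user->printer":     Flow("10.1.1.20", "10.2.0.5", 631, "trust"),
    "printer->user-smb": Flow("10.2.0.5", "10.1.1.20", 445, "trust"),
    "dmz-web->dmz-db":   Flow("192.0.2.10", "192.0.2.20", 5432, "dmz"),
    "spoofed-internal":  Flow("10.1.1.20", "10.2.0.5", 631, "internet"),
}


def evaluate() -> dict:
    """Return {flow name: (zone-policy verdict, least-privilege verdict)}."""
    return {name: (zone_policy(f), least_privilege_policy(f)) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, (zone_verdict, lp_verdict) in evaluate().items():
        print(f"{name:20} zone={zone_verdict:28} least-privilege={lp_verdict}")
```

Both policies drop the spoofed packet, but only the zone policy lets the print server open SMB to a workstation, and only because the two hosts happen to sit in the same zone. The least-privilege policy has no grant for that pair and port, so the pivot is denied without any rule having been written against it.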
Next-gen firewalls fall short when preventing compromise
Physical firewalls and appliances are notoriously prone to misconfiguration. In fact, Gartner reports that 95% of firewall breaches are caused by misconfigurations. Some of the most common misconfigurations, according to one firewall management vendor, include broadly allowing inbound SMTP, lax "allow any-to-any service" rules, and permitting inbound ICMP (ping). Running firewalls from multiple vendors amplifies the misconfiguration risk and often does more harm than good. Because firewalls must themselves be reachable from the internet, they are attack targets in their own right. Allowing inbound HTTP/HTTPS exposes a branch to distributed denial-of-service (DDoS) attacks even if only a single server is published there, and enterprise firewalls are neither web application firewalls nor load balancers that can absorb the brunt of a DDoS attack.
Shodan, a search engine that indexes internet-connected devices and is popular with attackers, crawls the internet and lists exposed and vulnerable devices, shining a light on how many are reachable, including firewalls with default passwords and wide-open services.
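The misconfigurations named above are mechanical enough to check for. As an added example (not Zscaler code, and not tied to any vendor's rule format), the following audits a constructed ruleset for the patterns the text calls out: any-to-any allows, inbound ICMP from untrusted zones, inbound SMTP from the internet, and HTTP/HTTPS published straight into the internal zone with nothing in front of it. The `Rule` layout and the sample rules are assumptions for the example.

```python
from dataclasses import dataclass

ANY = "any"
UNTRUSTED = {ANY, "internet"}   # zones a rule should rarely accept traffic from


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "any", "internet", "dmz", "trust"
    dst_zone: str
    proto: str      # "any", "tcp", "udp", "icmp"
    dport: str      # "any" or a port number as a string
    action: str     # "allow" or "deny"


def audit(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule name, finding) pairs for allow rules matching risky patterns.
    Deny rules are skipped: they cannot widen access."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        wide_open = (r.src_zone == ANY and r.dst_zone == ANY
                     and r.proto == ANY and r.dport == ANY)
        if wide_open:
            findings.append((r.name, "any-to-any allow: the firewall enforces no policy"))
            continue   # every other finding is implied by this one
        from_untrusted = r.src_zone in UNTRUSTED
        if from_untrusted and r.proto in (ANY, "icmp"):
            findings.append((r.name, "inbound ICMP from untrusted zone: enables ping sweeps and reconnaissance"))
        if from_untrusted and r.proto in (ANY, "tcp") and r.dport in (ANY, "25"):
            findings.append((r.name, "inbound SMTP from untrusted zone: relay and abuse exposure"))
        if (from_untrusted and r.proto in (ANY, "tcp")
                and r.dport in (ANY, "80", "443") and r.dst_zone == "trust"):
            findings.append((r.name, "inbound HTTP/HTTPS into the trust zone: DDoS target with no WAF or load balancer in front"))
        if r.proto == ANY and r.dport == ANY:
            findings.append((r.name, "allow-any-service: every protocol and port permitted between these zones"))
    return findings


# Constructed sample ruleset (not from a real firewall).
RULES = [
    Rule("branch-web", "internet", "trust", "tcp", "443", "allow"),  # one server published at a branch
    Rule("ping-ok",    "any",      "dmz",   "icmp", "any", "allow"),
    Rule("mail-in",    "internet", "dmz",   "tcp",  "25",  "allow"),
    Rule("legacy-app", "trust",    "dmz",   "any",  "any", "allow"),
    Rule("temp-any",   "any",      "any",   "any",  "any", "allow"),  # left behind after troubleshooting
    Rule("cleanup",    "any",      "any",   "any",  "any", "deny"),
]


def flagged_rules(rules: list[Rule] = RULES) -> list[str]:
    """Names of rules with at least one finding, in ruleset order, without duplicates."""
    return list(dict.fromkeys(name for name, _ in audit(rules)))


if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name:12} {finding}")
```

Running the audit against the sample flags every allow rule except none; the only rule that passes is the final deny. In practice this kind of check belongs in the pipeline that deploys rule changes, so a "temporary" any-to-any never reaches production in the first place.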
As long as there are humans, misconfigurations may never go away. The move to cloud applications further underscores the need for cloud-delivered protection. So, what is the recommended approach? A cloud-gen firewall that provides zero trust security reduces the on-premises attack surface. Point your users, devices, and edge routers to the Zscaler Zero Trust Exchange. The cloud-gen firewall in the Zero Trust Exchange examines all traffic, web and non-web. Acting as the default gateway, it enforces the right access policies and hands traffic off for additional web security, threat protection, and data protection. It is less error-prone because policies are uniform and centrally orchestrated, and together with the DNS Control and IPS Control services it is much better at preventing compromise. All services are inline, and inspection uses Single-Scan, Multi-Action (SSMA) technology so that inspecting packets adds no incremental latency.
An enterprise firewall is a hardened device and may carry additional compliance certifications such as Common Criteria. But most firewalls are not subject to proactive, ongoing compliance checks. Sure, security teams commission penetration tests of firewalls, but how proactive and effective is that practice in every enterprise? Compare this with a fully certified cloud that is ISO 27001, FedRAMP, SOC 2, and CSA STAR compliant. No single appliance compliance standard offers this level of assurance.
Lack of horizontal scale, reduced availability
If you look at a typical firewall datasheet, you will see a rated throughput of X Mbps. Turn on TLS inspection and that figure drops by roughly half; enable threat prevention and it falls to about one-third of the original. With about 90% of traffic TLS-encrypted, the firewall will routinely deliver no more than half of its advertised throughput. Sudden bursts of new sessions per second can also cause congestion and latency, because appliances do not scale horizontally the way a cloud service does. Assuming quarterly planned maintenance plus unplanned patching, at 1-3 hours each, you get at least 6-12 hours of downtime per year, which caps availability at roughly 99.86% to 99.93% (12 and 6 hours out of 8,760). A redundant high-availability pair improves the situation slightly, but not enough.
Compare this with a cloud service that offers effectively unlimited horizontal scale. Sure, cloud hardware has limits too, but they are overcome by adding load balancers and public service edge instances. Zscaler is ISO 27001-certified and offers a 99.999% availability guarantee, with additional SLAs on latency and security. No other vendor matches this. Check out our guide to demystifying cloud SLAs for more insight.
Comparison: Legacy Firewalls vs. Zscaler Zero Trust Exchange

Users & Devices
  Legacy firewalls: When users move, firewalls do not move. Road warriors are not protected by legacy firewalls.
  Zscaler Zero Trust Exchange: The user connects to any of the 150+ data centers worldwide, so users and devices are protected anywhere, anytime.

Scale & Performance
  Legacy firewalls: Limited by fixed scale, and performance drops further when SSL/TLS and threat inspection are added.
  Zscaler Zero Trust Exchange: Load balancers distribute new sessions per second to service edges based on user proximity, current performance, and available scale.

Operational Cost
  Legacy firewalls: Patching and maintenance result in loss of availability and high operational costs, including specialized IT staff at every location to maintain, patch, and upgrade firewalls.
  Zscaler Zero Trust Exchange: Based on the report Secure Cloud Transformation, the CIO's Journey, enterprises save on average 50-85% on security appliances such as firewalls at the branch when they move to the Zscaler Zero Trust Exchange. Zscaler engineers maintain, patch, manage incidents, and issue advisories for all cloud services per the cloud SLAs, which eliminates the cost of maintaining firewalls at every site.
It is prime time for cloud-gen firewalls on the Zscaler Zero Trust Exchange. So, when are you replacing your next-gen firewall?