Sorry for my ignorance, but I can’t seem to find a technical explanation of how a cloud service could possibly replace a hardware firewall. Everything I’ve found is just useless marketing fluff.
Can anyone ELI5 how FWaaS is able to work without intimate cooperation from every ISP or a local hardware installation? Thanks in advance!
We use one of these at work! There are a couple of companies offering these solutions such as PaloAlto, Zscaler, etc. and they are typically of the “Next-Gen Firewall” variety (I.e. they scan the content of the packets rather than just routes and ports and such).
The way they work is basically that you establish VPN connections to their endpoints, and they scan the traffic as it passes through. Like a VPN, you get a new IP address that is shared with other customers, but there is a way to pin your original IP in the packet headers if you need.
These connections can be handled via one of a few ways:
Software on the workstation (best option as it allows deeper traffic routing and control, as long as your workstations are locked down)
IPSec tunnels configured on the building’s router service’s endpoints/datacenters
GRE tunnels configured on the building’s router to the service’s endpoints/datacenters
A physical firewall box that sits in front of your other hardware that does any of the above OR something bespoke
Note that unless you have option 4, none of these replace traditional “dumb” firewalls. If you’re still using IPv4, you still need a NAT firewall.
Thank you! This is basically what I’ve been assuming but haven’t been able to confirm anywhere. Do you happen to have a URL handy I could share with a client? Thanks again!