Sorry for my ignorance, but I can’t seem to find a technical explanation of how a cloud service could possibly replace a hardware firewall. Everything I’ve found is just useless marketing fluff.
Can anyone ELI5 how FWaaS is able to work without intimate cooperation from every ISP or a local hardware installation? Thanks in advance!
It’s a VPN to their datacenter. Either hosted on the client or at the site internet handoff, or both.
Lots of jargon is used to make it sound like more than that, but it’s not magic.
We use one of these at work! There are a couple of companies offering these solutions such as PaloAlto, Zscaler, etc. and they are typically of the “Next-Gen Firewall” variety (i.e. they scan the content of the packets rather than just routes and ports and such).
The way they work is basically that you establish VPN connections to their endpoints, and they scan the traffic as it passes through. Like a VPN, you get a new IP address that is shared with other customers, but there is a way to pin your original IP in the packet headers if you need.
These connections can be handled via one of a few ways:
- Software on the workstation (best option as it allows deeper traffic routing and control, as long as your workstations are locked down)
- IPSec tunnels configured on the building’s router to the service’s endpoints/datacenters
- GRE tunnels configured on the building’s router to the service’s endpoints/datacenters
- A physical firewall box that sits in front of your other hardware that does any of the above OR something bespoke
Note that unless you have option 4, none of these replace traditional “dumb” firewalls. If you’re still using IPv4, you still need a NAT firewall.
Thank you! This is basically what I’ve been assuming but haven’t been able to confirm anywhere. Do you happen to have a URL handy I could share with a client? Thanks again!
They’re usually local hardware but configured and managed via cloud services. Although I’ve seen people using EC2 instances as firewalls for some cursed enterprise reasons, which I guess does make it a firewall in the cloud.
I mean a lot of the services that companies are using are cloud-hosted, meaning that especially if you have branch offices or a lot of remote workers a normal firewall in the datacenter introduces an unnecessary bottleneck. Putting the logical edge of your organization’s network in the cloud too makes sense from a performance perspective in that case, and then turning the actual firewalls into SaaS seems much less absurd.
It’s possible it could be a local firewall that is reaching out to their cloud for lists of bad IP addresses or domains, or a local firewall that is configured from a cloud interface. The other case is it could be a web application firewall, or WAF, which is where a company intercepts traffic, drops malicious requests, and forwards the rest to your actual web server.
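Two of the replies above touch the same practical consequence of putting the firewall in the cloud: your server only ever sees the provider’s shared egress IP as the TCP peer, and the original client address survives only in a header the provider adds (the “pin your original IP in the packet headers” point), whether the service is a FWaaS egress or a WAF forwarding to your web server. The following is an added example, not code from the thread or from any vendor: it shows the weak way to read that header next to the hardened way. The header name, the trusted egress ranges and the sample requests are assumptions for illustration; substitute whatever your provider actually documents.

```python
"""
Added example (not from the thread): resolving the real client IP on a server
that sits behind a cloud firewall / WAF egress.

Key point: only believe the forwarded-client header when the TCP peer really is
one of the provider's addresses, and walk the chain from the right. Otherwise a
client can hand you any "source IP" it likes and sail past allow-lists, rate
limits and audit logs.
"""
import ipaddress

# ASSUMPTION: egress ranges your cloud firewall/WAF vendor publishes.
# Documentation-only prefixes are used here; substitute the vendor's real list.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:ff::/48"),
]

HEADER = "x-forwarded-for"  # ASSUMPTION: header the provider appends to (lowercased keys)


def _parse(ip):
    """Return an ip_address object, or None if the string is not an IP."""
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip):
    """True if ip (string or address object) falls inside a provider egress range."""
    addr = _parse(ip) if isinstance(ip, str) else ip
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_ip, headers):
    """Weak version: believes the leftmost X-Forwarded-For entry, whoever set it."""
    first = headers.get(HEADER, "").split(",")[0].strip()
    return first or peer_ip


def client_ip(peer_ip, headers):
    """Hardened version.

    1. If the TCP peer is not a provider egress address, the request did not
       come through the cloud firewall (direct hit on the origin), so the
       header is attacker-controlled and is ignored.
    2. Otherwise walk X-Forwarded-For right to left: each trusted proxy
       appended the address it saw. The first entry from the right that is
       NOT a trusted proxy is the real client; anything left of it was
       supplied by the client and is untrusted.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip
    hops = [h.strip() for h in headers.get(HEADER, "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = _parse(hop)
        if addr is None:
            return peer_ip          # malformed chain: fall back to the peer
        if not is_trusted_proxy(addr):
            return str(addr)
    return peer_ip                  # chain contained only proxies


def is_allowed(peer_ip, headers, allowlist):
    """Example consumer: an IP allow-list that must use the hardened resolver."""
    addr = _parse(client_ip(peer_ip, headers))
    return addr is not None and any(addr in ipaddress.ip_network(n) for n in allowlist)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    egress = "203.0.113.10"
    # Client 198.51.100.7 sends its own X-Forwarded-For claiming to be 10.0.0.1;
    # the provider appends the address it actually saw.
    spoof_via_cloud = {HEADER: "10.0.0.1, 198.51.100.7"}
    print("naive   :", naive_client_ip(egress, spoof_via_cloud))  # 10.0.0.1 (fooled)
    print("hardened:", client_ip(egress, spoof_via_cloud))        # 198.51.100.7
    # Same client connects straight to the origin, bypassing the cloud firewall.
    print("bypass  :", client_ip("198.51.100.7", {HEADER: "10.0.0.1"}))  # 198.51.100.7
```

The direct-to-origin case is the one people forget: if the origin is reachable without going through the provider (no allow-list on the origin for the provider’s egress ranges, or a leaked origin IP), the cloud firewall is simply skipped, so the resolver above treats any non-provider peer as the client and discards the header.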