Hybrid Mesh Firewall Management – Cyber Defense Magazine


By Ulrica de Fort-Menares, VP of Product & Strategy, Indeni

What is Hybrid Mesh Firewall?

With the rise of hybrid workforces and cloud networks, there is growing demand to secure on-premise environments, multiple cloud environments and remote users with firewalls. As a result, vendors are introducing multiple firewall deployment types, including FWaaS and cloud firewalls. Hybrid mesh firewalls are platforms that help secure hybrid environments by extending modern network firewall controls to multiple enforcement points, including FWaaS and cloud firewalls, with centralized management via a single dashboard.

Hybrid mesh firewalls do not necessarily mean that you have to buy your firewalls from a single vendor. In fact, many enterprises continue to choose from best-of-breed vendors for specific use cases. For example, they may choose FortiGate for the remote sites because of the integrated SD-WAN and firewall functions. For the data center, enterprises have Palo Alto Networks NGFW and Check Point Secure Gateways. In enterprises’ cloud environments, they have Check Point CloudGuard Network Security. For remote users, they have Zscaler Private Access to protect user traffic from anywhere. In many cases, enterprises have a multi-vendor strategy in their environment to avoid vendor lock-ins. Incidentally, the latest Magic Quadrant for Network Firewalls indicated that enterprises are experiencing frequent increases in the prices of network firewalls causing dissatisfaction. This is another reason why many enterprises insist on a multi-vendor strategy. Besides, buying from the same vendor doesn’t guarantee simplicity and centralized management.

Demystifying Unified Management

Unified management is the most critical capability of a hybrid mesh firewall. If you need multiple dashboards for your data center, remote site and cloud firewalls, you don’t have a hybrid mesh firewall. Unified management can mean different things to different people. It is certainly an interesting topic for hybrid mesh firewall with its several deployment types. There are additional dimensions such as multiple administrative domains and more personae to consider. Let’s explore the different deployment types to understand what unified management means:

#1 – Conventional On-Premises Firewalls

Unified management for on-premise firewalls is generally well understood. These firewalls are under your administrative domain. You should have a single dashboard to manage your data center and remote site firewalls.

#2 – Cloud Firewalls

For cloud-based firewalls, they can either be under your administrative domains or they may be managed by your providers. For the former, you should treat them like your on-premise firewalls and manage them from a single dashboard. For the latter, it is a firewall as a service (FWaaS) that you purchase from a third-party or cloud service provider like AWS. See the next section for requirements.

#3 – FWaaS

It may sound like a bit of an oxymoron, but unified management for FWaaS that is not managed by you warrants some clarification. In this case, although you don’t manage the firewall, you want to ensure the provider’s firewalls are working. You expect them to detect issues before they cause disruptions. You need to ensure the necessary components on your side that are connecting to the service are working to avoid finger pointing. The primary requirement is visibility to the FWaaS availability.

#4 – Securing Remote Users

This type of firewall secures user traffic on mobile devices or personal computers from anywhere. You deploy an agent on the device to ensure traffic is sent to the cloud-based firewall for inspection. These firewalls control which SaaS and on-premise applications are available to the users. Effectively, this is another form of FWaaS that is not managed by you. This solution is also known as Secure Access Service Edge (SASE).

This is where additional personae come into the picture. Firewalls are typically managed by the infrastructure team. This FWaaS is a remote access service running on Windows, Mac, iOS or Android. Traditionally, the infrastructure team does not cover support for endpoints. It typically falls into the lap of the endpoint team who are accustomed to dealing directly with end users. The interesting question is, what does unified management mean for this FWaaS deployment type that spans multiple teams and device types? From the infrastructure team perspective, they need to ensure the data center is connected to the cloud-based firewall service so that remote users can access on-premise applications. The infrastructure team is typically not responsible for SaaS applications, nor are they directly responsible for the end users.

Summary

Let’s summarize unified management for hybrid mesh firewalls in a multi-vendor environment. Specifically, we are looking at it through the lens of the infrastructure team.

 

Firewall Deployment Type Is it under your administrative domain? Requirements (Infrastructure Team)
On-premise (data center & remote office) Yes A single dashboard to manage your firewalls
Cloud-based firewalls from network security vendors Yes A single dashboard to manage your on-premise and cloud-based firewalls
FWaaS – Cloud-based firewalls from Cloud Service Providers (e.g. AWS, Azure) Partial (shared responsibility model) Ensure your management platform integrates with these firewalls, at a minimum you want visibility to firewalls availability
FWaaS connecting your remote offices from network security vendors No Ensure components connecting your data center and the service are functioning (e.g. GRE tunnel, IPSeC tunnels, App Connector)

 

Visibility to FWaaS availability

Remote Access for users No Ensure connection between your data enter and the firewall service is functioning

 

Visibility to FWaaS availability

 

I hope this gives you some insight into what unified management means for hybrid mesh firewall deployments.

About the Author

Ulrica de Fort-Menares is the Vice President of Product and Strategy at Indeni with over 30 years’ experience developing software in networking and security technologies. She loves explaining complex technology and building high-profile and high-performance teams.

Ulrica can be reached online at our company website http://www.indeni.com/.



Source link