There have been a few times when tech pundits claimed that firewalls have become obsolete or passé. Still, these common security tools continue to exist as they evolve and introduce new features.
Even in the age of cloud computing, when enterprises are expected to shift to cloud-based protection platforms, firewalls, including application security solutions such as web application firewalls (WAFs), remain in use.
Next-generation firewalls (NGFWs) have emerged to address the weaknesses of their traditional counterparts. These are firewalls “that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall,” as Gartner defines them.
However, even with all their improvements and new features, NGFWs are perpetually threatened by new challenges. In the time of COVID-19 in particular, the upgrades in next-gen firewalls are offset by new vulnerabilities and sophisticated attacks from cybercriminals.
Vaccines for COVID-19 may already exist, but a return to the old normal is unlikely to happen soon, especially among businesses. As a Gartner survey reveals, 82 percent of companies have decided to adopt remote work as part of their new normal. An overwhelming majority of companies say that they intend to allow workers to work remotely even after COVID-19 is completely controlled.
Too bad NGFWs appear to be NSFW (Not Safe for Work) in a remote work arrangement. This is at least what noted enterprise security expert Mike Riemer suggested in a Security Boulevard article on how next-gen firewalls fall short for today’s remote workforce.
“To ensure the flexible workplace runs smoothly, enabling remote users with secure access to resources across multi-cloud and hybrid IT infrastructure, requires additional traffic handling, increased identity and endpoint enforcement, rapid access provisioning and more granular access control— placing NGFW at a disadvantage,” Riemer wrote.
The performance of next-gen firewalls depends on many variables, including bandwidth, the number of users, and user session requirements. Drastic changes in these variables can degrade performance once they exceed the resource assumptions set initially.
Significant changes in the number of concurrent sessions in Office 365, for example, can throw off resource allocations concerning the number of endpoints to be inspected and monitored. This can have serious consequences in highly regulated industries such as finance and healthcare. NGFWs need a generous allowance for throughput headroom to maintain performance consistency.
Handling Onerous SSL Traffic Requirements
Remote work setups need to be secure not only for the benefit of individual employees but more importantly, for the protection of the enterprise. This security requirement more often than not entails onerous SSL traffic. Secure connections involve encryption protocols for data transmitted from a user’s computer to a target website and vice versa, which pose a crucial challenge for next-generation firewalls.
In the process of securing data exchanged between browsers and servers, a multitude of encryption and decryption cycles take place, which is highly resource-intensive. As a consequence, it is not only user access that suffers; other service options called upon on NGFWs can also be severely affected.
Challenges in Using VPNs
Employees who use VPNs on their devices will find it difficult to work with an NGFW in place. Even the best remote access features of these new-generation firewalls can be challenging to deal with. The problem grows exponentially for network administrators, as they have to handle a variety of policies to accommodate numerous users, apps, data security protocols, and access conditions.
As such, delays in access provisioning can become common. Network auditing and maintenance can also become cumbersome. To attain efficient administration, it is essential to have a secure but easy-to-use centralized access policy management interface, something that almost no NGFW offers.
“The fact is, dedicated secure access solutions are significantly lower in overall cost, licensing management complexity, compared to scaling up NGFW,” says Mike Riemer. This may not be true of all next-gen firewall solutions. However, scalability is indeed not the greatest feature of NGFWs.
In particular, there are additional costs when upgrading next-gen firewalls to supply basic remote access to teleworkers. These include additional licensing fees, unless the NGFW and the applications to be used remotely do not require additional payments. It will also be necessary to add more load balancers, which can cost companies more.
NGFW vs WAF
If a company that has remote employees migrates to the cloud, will it still be necessary to use a firewall, or is a web application firewall (WAF) enough?
NGFWs are designed to protect internal clients whenever they access applications on the internet as well as applications within the local network. Web application firewalls, on the other hand, are meant to secure internal web applications from external threats at the application layer. The two serve different purposes, although their features may overlap depending on the specific NGFW and WAF concerned.
WAFs may afford sufficient protection to remote employees and companies if they strictly limit the apps and resources they use to those that are maintained by the company and secured by a reliable WAF. This is unlikely to be the case in most remote work setups, though. The use of different devices and applications is inevitable.
It will be difficult to force everyone to work in extremely restrained remote work environments. Doing so may have the benefit of security, but the inconveniences it creates may have a negative impact on productivity. It is better to prepare for all the possible cyber threats and vulnerabilities instead of creating overly stern rules, regulations, and work platforms.
Room for Improvement
This article does not suggest that NGFWs are totally useless against the threats facing the remote work situation. They are not next-gen for nothing. They can improve and add more features as the situation necessitates. However, with the current state of most NGFWs, it is better to observe excessive caution and prudence than to suffer setbacks for underestimating the risks.