Cloudy & Cool. The Case For Cloud-Based Firewalls

If you want to keep your company on top of things technological, you should consider a cloud-based firewall as a service. Cloud-based firewalls offer distinct advantages, according to Network World.

First, cloud-based firewalls deliver scalability: they are built to serve many customers and to scale to meet ever-increasing demand. From the enterprise point of view, this scalability starts when bandwidth increases. Unlike an on-site firewall, cloud-based firewalls are designed to scale as customer bandwidth increases.

Second, cloud-based firewalls offer extremely high availability through an infrastructure with totally redundant power, HVAC, and network services, as well as backup strategies if site failures occur. In contrast, on-site firewalls are only as available as the existing IT infrastructure that supports them, which could be an issue at a company’s branch site. High availability is certainly possible on site, but depending on the manufacturer, it can double the cost of hardware and make operations more complex.

Third, cloud-based firewalls are available anywhere the network manager can provide a communications path. Given the connection agreements between network providers, the service may extend well beyond the boundaries of any single service provider’s network. An on-site firewall, on the other hand, may be deployed at any corporate location, with the associated capital cost, provided there is enough space and the necessary out-of-band management connection.

These three factors (scalability, availability, and extensibility) make cloud-based firewalls very attractive.

Cloud-based firewalls benefit from the cloud’s other important features: performance, efficiency, and reduced costs.

In an article from Tahawul Tech, Wieland Alge, Vice-President and General Manager EMEA, Barracuda Networks


The cloud aids performance and frees up on-site bandwidth from the asynchronous workload. Networks once had many perimeter scanning servers, but consolidating them in one box, in the hope of making management easier, killed performance. Firewalls ran into several problems when analyzing, prioritizing, and blocking the network traffic they dealt with: they had too much data to process. Data is increasing far faster than hardware can handle it, and it is the sheer availability of bandwidth that causes the problem. There is no such thing as unused network bandwidth. When bandwidth is increased, it is used, which simply adds to the problem. All this real-time data strains the analyzing capabilities of the firewalls. When things are working right, firewalls stop the traffic, analyze it, and then send it on its way. However, this is impractical and causes delays. To function most effectively, firewalls must handle the increased data throughput without compromising security. The cloud helps to solve this problem by pulling the asynchronous workload out of the perimeter and redirecting it to cloud-based content filters.

From an administration perspective, nothing changes in comparison to the Unified Threat Management (UTM) approach; administrators still have one management console where they can manage the on-site firewall capabilities like fast packet processing, but also the content filtering capabilities taking place in the cloud.

So, cloud-based, scalable computing power can be used to handle the asynchronous, CPU-intensive content filtering part of a firewall’s function, leaving the firewall a cleaner and more predictable environment for fast packet processing. From a cost perspective, this brings us to another benefit: cloud-based scanning methods are far cheaper and more efficient than current firewall architectures. The cloud offers users the benefit of the ‘separation of duty’ architecture without the associated cost.

Firewalls are in the middle of everything. Most firewall vendors try to address the issue of what can be blocked; however, the modern firewall is not a device that blocks or separates malware and cybercriminals from the controlled part of the network. From an application architecture point of view, the firewall is somewhere in the middle of everything.

As such, can a firewall contribute positively to data application access? Traditionally, a firewall’s function is to create obstacles for the bad guys. Unfortunately, this also causes a problem for the good guys. Everyone has heard this from security administrators in organizations: “We apologize that we are down for security reasons.” Nobody wants to hear this anymore.

Many people think that application detection capabilities are primarily used to block bad applications. In reality, however, they are used to identify applications in order to prioritize them for end-user access, for example SAP access, and to apply WAN optimization techniques to some parts of the file-sharing network. This is the primary reason for the use of deep application detection.

Does a cloud-based firewall have any downside? Of course. Even after making the transition to the cloud, a firewall will still be required. The cloud will complement the firewall, relieving it of some of its responsibilities, yet the need for a firewall will still exist. Successful security management requires context. Security staff must evaluate an alert in the context of the infrastructure and unique institutional characteristics. “An alert out of context is just as much an issue as an alert without expertise,” says the chief security officer of a manufacturer. A number of companies echo this sentiment: much of the corporate security zeitgeist is lost in the transition to the cloud. The best way to deal with this is to get multiple references and really dig into the processes and procedures the cloud-based firewall provider uses to discover, assimilate, and maintain its knowledge of the unique characteristics of your organization, which is the context necessary to deliver strong firewall security in the cloud.