There’s a new kid on the block—or a new firewall, at least. Traditional network and security technologies generally don’t translate well to a cloud environment. Next-generation firewalls might have been “next generation” when they were introduced, but now they’re “previous generation”—legacy technology that isn’t capable of doing the job effectively in the cloud. The new “next generation” is the cloud generation firewall.
I’ve never been a fan of using the term “next generation” as a label. Where do you go from there? I mean, I love “Star Trek: The Next Generation,” but what is supposed to come after that—“Star Trek: The Next Generation After That One”? It’s going to seem silly in 10 years when we’re talking about the archaic, outdated “next generation” technologies.
Thankfully, we might soon be able to retire one of the “next generation” labels. Zscaler sort of started down this path when it introduced the “world’s first cloud-based next-generation firewall” in 2015. Barracuda recently took it a step further, dropping the “next-generation” and announcing cloud generation firewalls.
Cloud Generation Firewalls
Aside from a catchy new name that’s good for marketing, though, what does that actually mean? Traditional firewalls, including next-generation firewalls (NGFWs), were engineered to protect a centralized data center or network, or a distributed network spread out over multiple locations. The public cloud is a very different environment.
At face value, a distributed infrastructure with multiple locations connected across the internet seems similar to a cloud environment. A public cloud environment is much more dynamic, though, and has a more loosely coupled architecture than a dispersed private network. Companies move to the cloud to take advantage of DevOps, automated deployments, elastic scaling and other elements that let them develop and deploy applications and services more efficiently. Legacy security tools, NGFWs included, assume a fixed topology with a central choke point that traffic can be steered through, and that assumption breaks down when instances and addresses are created and destroyed by an autoscaler, so they can’t protect effectively in the cloud.
As with other network and security solutions, companies need firewalls that understand the cloud. To be effective, a cloud generation firewall should be cloud-native and integrate with the cloud provider’s management and monitoring tools. It also should be able to automate its own deployment and scaling, and expose APIs so that the same pipelines and DevOps tools that deploy an application can deploy and configure the firewall that protects it. Finally, its licensing and pricing should reflect the dynamic nature of the cloud environment.
Challenges of NGFW in the Cloud
I spoke with Tim Jefferson, VP of public cloud for Barracuda, about cloud generation firewalls. He agreed that companies are facing challenges as they embrace the public cloud and try to use tools that were optimized for data center architectures in cloud environments.
The design principles of an NGFW are “anti-pattern” in the public cloud, he said. The public cloud environment is based on keeping things loosely coupled and easily scalable, while NGFW solutions are designed for tight coupling with ties back to centralized policy enforcement.
What’s more, he noted the licensing model for a traditional NGFW poses a problem in the cloud. Traditional licensing forces customers to deploy only in production environments, when security best practices suggest automating security architectures in all stages. Customers want to—and should—deploy security in all stages of development to better support DevOps principles, and cloud-generation licensing enables this.
Cloud-native solutions need cloud-native licensing that takes into account the rapid scalability and dynamic nature of the environment. Barracuda went with an approach that meters based on bandwidth rather than time, so customers are billed only when the cloud generation firewall is used, not when it’s just sitting idle.
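One way to put the requirements discussed above into practice (automated, API-driven deployment, and the same security architecture in every stage rather than only in production) is to treat the firewall policy itself as code that the delivery pipeline renders and checks for each environment before pushing it. The following Python is an added example written for this article; it is not Barracuda’s or any other vendor’s code. The rule format, the environment table, the management-port list and the lint checks are assumptions made for illustration, and the CIDRs are constructed.

```python
"""Firewall policy as code: one declarative rule set, rendered per stage and
linted before a pipeline is allowed to push it to a cloud firewall.
Added example; not any vendor's code. The rule format, environment table,
port list and checks are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass, replace

# Constructed environment table (assumption): every stage gets the same rule
# set, only the address space differs, so dev and staging are protected the
# same way production is.
ENVIRONMENTS = {
    "dev":     {"vpc": "10.10.0.0/16", "ops": "10.10.250.0/24"},
    "staging": {"vpc": "10.20.0.0/16", "ops": "10.20.250.0/24"},
    "prod":    {"vpc": "10.30.0.0/16", "ops": "10.30.250.0/24"},
}

MGMT_PORTS = {22, 3389, 5985, 5986}   # ssh, rdp, winrm (assumed list)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # CIDR, or a "${vpc}" / "${ops}" placeholder
    dst: str
    ports: tuple   # (low, high), inclusive


# Declarative template; placeholders are resolved per stage at render time.
POLICY_TEMPLATE = (
    Rule("web-in",  "allow", "tcp", ANY,      "${vpc}", (443, 443)),
    Rule("ssh-ops", "allow", "tcp", "${ops}", "${vpc}", (22, 22)),
    Rule("intra",   "allow", "any", "${vpc}", "${vpc}", (0, 65535)),
    Rule("default", "deny",  "any", ANY,      ANY,      (0, 65535)),
)


def render(template, env):
    """Substitute the stage's CIDRs into the template's placeholders."""
    cidrs = ENVIRONMENTS[env]

    def resolve(field):
        for key, cidr in cidrs.items():
            field = field.replace("${%s}" % key, cidr)
        return field

    return [replace(r, src=resolve(r.src), dst=resolve(r.dst)) for r in template]


def lint(rules):
    """Return a list of violations; an empty list means the policy may ship."""
    problems = []
    for r in rules:
        try:
            src = ipaddress.ip_network(r.src)
            ipaddress.ip_network(r.dst)
        except ValueError:
            problems.append(f"{r.name}: unresolved or invalid CIDR {r.src} -> {r.dst}")
            continue
        low, high = r.ports
        if r.action == "allow" and src.prefixlen == 0:   # open to the internet
            if low != high:
                problems.append(f"{r.name}: port range open to the internet")
            if low in MGMT_PORTS:
                problems.append(f"{r.name}: management port {low} open to the internet")
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == ANY
                            and last.dst == ANY and last.ports == (0, 65535)):
        problems.append("policy does not end with a deny-all rule")
    return problems


def drift(desired, deployed):
    """Names of rules that differ between the rendered policy and what is live:
    missing, added by hand, or changed. An empty list means no drift."""
    want = {r.name: r for r in desired}
    have = {r.name: r for r in deployed}
    return sorted(n for n in want.keys() | have.keys() if want.get(n) != have.get(n))


def plan(env):
    """Render one stage and lint it; this is what a CI step would run."""
    rules = render(POLICY_TEMPLATE, env)
    return rules, lint(rules)


if __name__ == "__main__":
    for env in ENVIRONMENTS:
        rules, problems = plan(env)
        print(env, "OK" if not problems else problems)
    # Someone opens RDP to prod by hand; both drift and lint flag it.
    live = plan("prod")[0] + [Rule("debug-rdp", "allow", "tcp", ANY, "10.30.0.0/16", (3389, 3389))]
    print("drift:", drift(plan("prod")[0], live))
    print("lint:", lint(live))
```

The point of the design is that dev, staging and prod are rendered from one template, so a rule that is wide open in a lower environment cannot quietly be the one that ships; `lint` gates the pipeline on the policy content, and `drift` compares the rendered policy against whatever a firewall’s API reports as live, which is the check that catches hand edits made outside the pipeline.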
Naming conventions aside, cloud generation firewalls just make sense. Many organizations fall into the trap of moving to the cloud and thinking they can just use the network and security tools they already have—just in the cloud. The reality is that you need cloud-native tools to effectively take advantage of the reasons you’re moving to the cloud in the first place.
And, if cloud generation firewalls catch on, perhaps we can move beyond “next generation” and stop using that dumb term.