Next-generation firewall (NGFW) vs. firewall-as-a-service (FWaaS)
These terms describe two different aspects of a firewall — what it can do (NGFW) versus where and how it is deployed (FWaaS). A next-generation firewall (NGFW) has a specific set of security capabilities. Firewall-as-a-service (FWaaS) describes a firewall that is hosted in the cloud and offered as a service (such a firewall can also be called a "cloud firewall").
FWaaS can have next-gen capabilities, and an NGFW can be hosted in the cloud.
The type of firewall an organization needs depends on its infrastructure. If all of its networking infrastructure and applications are on-premises, a hardware-based NGFW may be sufficient. But most modern organizations run some workloads in the cloud, making FWaaS a necessity (ideally, a FWaaS solution with next-gen capabilities).
What does a firewall do?
A firewall is a security product that monitors and controls network traffic based on a set of security rules. Firewalls can be software applications installed on a server or a computer, or they may be physical hardware appliances that connect to an internal network. Firewalls usually sit between a trusted network and an untrusted network; often the trusted network is a business's internal network, and the untrusted network is the Internet.
The standard capabilities of a firewall include:
Packet filtering: Analyzes individual data packets and blocks them when necessary
Stateful inspection: Evaluates packets in the context of active network connections
Virtual private network (VPN) awareness: Identifies encrypted VPN traffic and allows it to pass through
What is a next-generation firewall (NGFW)?
NGFWs have the features of traditional firewalls, but they also have added features to address a greater variety of organizational needs and block more potential threats. They are called "next generation" to differentiate them from older firewalls that do not have these capabilities.
NGFW technologies include:
Intrusion prevention system (IPS): Scans network traffic, identifies malware, and blocks it
Deep packet inspection (DPI): Improves on packet filtering by analyzing the body of each packet in addition to the header
Application awareness and control: Identifies the application that traffic belongs to and allows or blocks the traffic on that basis
Threat intelligence feeds: Incorporates streams of updated threat intelligence to identify the latest threats
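To make the difference between the standard capabilities listed earlier (packet filtering, stateful inspection) and the next-gen additions listed here (DPI, application awareness, threat intelligence feeds) concrete, the following toy firewall runs a constructed packet sequence through each inspection layer in turn. This is an added example written for this page, not code from the page's author or from any firewall vendor; the addresses, ports, trusted prefix, blocked host name and threat-feed entry are all made up for illustration, and the model is deliberately simplified (no timeouts, no TCP state machine beyond the SYN check, HTTP only for DPI).

```python
"""Toy firewall with the inspection layers described above: a stateless
packet filter, stateful connection tracking, and NGFW-style deep packet
inspection with application awareness plus a threat-intelligence list.

Added illustration only; not code from the page's author or vendor. Every
address, port, host name and rule below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

TRUSTED_PREFIX = "10.0.0."   # assumption: the trusted LAN is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP SYN flag: the packet opens a new connection
    payload: bytes = b""  # application data, inspected by the DPI layer


def http_host(payload: bytes) -> Optional[str]:
    """DPI helper: pull the Host header out of an HTTP request payload."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


@dataclass
class Firewall:
    # Stateless packet-filter policy: destination ports the inside may open
    allowed_outbound_ports: set = field(default_factory=lambda: {53, 80, 443})
    # Application awareness: HTTP hosts (constructed) that are denied
    blocked_apps: set = field(default_factory=lambda: {"blocked-app.example"})
    # Threat-intelligence feed: constructed placeholder address
    threat_feed: set = field(default_factory=lambda: {"203.0.113.66"})
    # Stateful connection table, keyed by the 5-tuple of the outbound flow
    connections: set = field(default_factory=set)

    @staticmethod
    def trusted(ip: str) -> bool:
        return ip.startswith(TRUSTED_PREFIX)

    def evaluate(self, pkt: Packet) -> str:
        """Return a verdict string; passing verdicts start with 'pass:'."""
        # Threat intelligence: known-bad addresses are dropped in either direction.
        if pkt.src in self.threat_feed or pkt.dst in self.threat_feed:
            return "drop:threat-feed"

        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

        if key in self.connections or reverse in self.connections:
            verdict = "pass:established"   # stateful: part of a tracked flow
        elif self.trusted(pkt.src):
            # New flow from the inside: apply the stateless header rules.
            if pkt.proto == "tcp" and not pkt.syn:
                return "drop:no-syn"       # a TCP flow must begin with a SYN
            if pkt.dport not in self.allowed_outbound_ports:
                return "drop:port-policy"
            self.connections.add(key)      # stateful: remember the flow
            verdict = "pass:new"
        else:
            # Inbound packet matching no tracked connection: nobody asked for it.
            return "drop:unsolicited"

        # Deep packet inspection: look past the header into the payload and
        # identify the application; deny listed apps and forget the flow so
        # later packets in it are also dropped.
        app = http_host(pkt.payload) if pkt.proto == "tcp" and pkt.dport == 80 else None
        if app in self.blocked_apps:
            self.connections.discard(key)
            self.connections.discard(reverse)
            return f"drop:app:{app}"
        return verdict


def run_demo() -> list:
    """Feed a constructed packet sequence through the firewall, in order."""
    fw = Firewall()
    inside, web, attacker = "10.0.0.5", "198.51.100.10", "198.51.100.77"
    get = b"GET / HTTP/1.1\r\nHost: blocked-app.example\r\n\r\n"
    packets = [
        Packet(inside, web, "tcp", 51000, 80, syn=True),       # opens a flow
        Packet(web, inside, "tcp", 80, 51000),                 # reply to it
        Packet(attacker, inside, "tcp", 4444, 22),             # unsolicited
        Packet(inside, web, "tcp", 51001, 23, syn=True),       # port not in policy
        Packet(inside, web, "tcp", 51000, 80, payload=get),    # DPI: blocked app
        Packet(web, inside, "tcp", 80, 51000),                 # flow was torn down
        Packet(inside, "203.0.113.66", "udp", 51002, 53),      # threat-feed hit
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The sequence shows why each layer exists: the stateless port rule alone would admit the reply packet only if port 80 were opened inbound for everyone, the stateful table admits it because the inside opened the flow, and only DPI can tell that an otherwise permitted port-80 flow is carrying a blocked application. Removing the flow from the connection table after a DPI verdict is what turns a single dropped packet into a blocked session.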
What is firewall-as-a-service (FWaaS)?
FWaaS is a firewall that is hosted in the cloud by a third-party vendor. "Cloud firewall" is another term for this type of service.
FWaaS is not a physical appliance, nor is it hosted on an organization's premises. Like other "as-a-service" categories, such as infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS), FWaaS runs in the cloud and is accessed over the Internet.
Before the advent of cloud computing, a firewall sat in between a trusted network and an untrusted one, and there was a clear boundary (called a "network perimeter") between the trusted and untrusted networks. But in cloud computing, this boundary does not exist, because trusted cloud assets are accessed over an untrusted network (the Internet). Cloud-hosted firewalls protect these assets despite this lack of a network perimeter. Additionally, cloud-hosted firewalls are configured, maintained, and updated by the firewall vendor, not the customer.
What is Cloudflare Network Firewall?
Cloudflare Network Firewall is a cloud firewall with next-gen capabilities that is hosted on the global Cloudflare network. It protects data centers, remote users, branch offices, and cloud infrastructure, and it is tightly integrated with the Cloudflare One platform. Learn more about Cloudflare Network Firewall.
FAQs
What is a cloud firewall?
A cloud firewall is a security solution that filters out malicious network traffic directed at the cloud. Often referred to as firewall-as-a-service (FWaaS), these security services create a virtual barrier around cloud-based platforms and applications.
How does a cloud firewall differ from a traditional firewall?
While traditional firewalls are often physical hardware appliances connected to an organization's on-premises infrastructure, cloud firewalls are hosted remotely and accessed over the Internet. Because the traditional network perimeter has largely disappeared with the rise of cloud computing, cloud firewalls provide the necessary protection for assets that no longer reside within a private network.
What are the primary benefits of using firewall-as-a-service (FWaaS)?
FWaaS offers several key advantages, including the ability to block malware and malicious bot activity without creating network choke points. These solutions scale rapidly to manage traffic spikes, integrate easily with cloud infrastructure, and are maintained by the vendor, which removes the burden of manual updates from the organization.
How does a cloud firewall work within a secure access service edge (SASE) framework?
In a SASE model, cloud-based firewalls function alongside other security services to defend the network edge. This approach allows businesses to manage FWaaS, secure web gateways, and Zero Trust network access through a single vendor rather than maintaining multiple disconnected products.
Can a cloud firewall include next-generation firewall (NGFW) capabilities?
A cloud firewall can include NGFW capabilities such as deep packet inspection (DPI) and intrusion prevention systems (IPS). While an NGFW can be deployed as on-premises hardware, many modern cloud-based firewalls incorporate these advanced features to better detect and block complex cloud-directed cyber attacks.
Does a cloud firewall only protect cloud-based assets?
While they are designed for the cloud, these firewalls can also protect on-premises infrastructure. For example, Cloudflare Network Firewall is built to secure both local and cloud-based environments via a global network.