By Ulrica de Fort-Menares, VP of Product & Strategy, Indeni
What is Hybrid Mesh Firewall?
With the rise of hybrid workforces and cloud networks, there is growing demand to secure on-premise environments, multiple cloud environments and remote users with firewalls. As a result, vendors are introducing multiple firewall deployment types, including FWaaS and cloud firewalls. Hybrid mesh firewalls are platforms that help secure hybrid environments by extending modern network firewall controls to multiple enforcement points, including FWaaS and cloud firewalls, with centralized management via a single dashboard.
Hybrid mesh firewalls do not necessarily mean that you have to buy your firewalls from a single vendor. In fact, many enterprises continue to choose best-of-breed vendors for specific use cases. For example, they may choose FortiGate for remote sites because of its integrated SD-WAN and firewall functions. For the data center, enterprises have Palo Alto Networks NGFW and Check Point Secure Gateways. In their cloud environments, they have Check Point CloudGuard Network Security. For remote users, they have Zscaler Private Access to protect user traffic from anywhere. In many cases, enterprises pursue a multi-vendor strategy to avoid vendor lock-in. Incidentally, the latest Magic Quadrant for Network Firewalls indicated that enterprises are experiencing frequent price increases for network firewalls, causing dissatisfaction. This is another reason why many enterprises insist on a multi-vendor strategy. Besides, buying from the same vendor doesn’t guarantee simplicity or centralized management.
Demystifying Unified Management
Unified management is the most critical capability of a hybrid mesh firewall. If you need multiple dashboards for your data center, remote site and cloud firewalls, you don’t have a hybrid mesh firewall. Unified management can mean different things to different people. It is certainly an interesting topic for hybrid mesh firewalls, given their several deployment types. There are additional dimensions to consider, such as multiple administrative domains and more personae. Let’s explore the different deployment types to understand what unified management means for each:
#1 – Conventional On-Premises Firewalls
Unified management for on-premise firewalls is generally well understood. These firewalls are under your administrative domain. You should have a single dashboard to manage your data center and remote site firewalls.
#2 – Cloud Firewalls
Cloud-based firewalls can be either under your administrative domain or managed by your provider. For the former, you should treat them like your on-premise firewalls and manage them from a single dashboard. For the latter, it is a firewall as a service (FWaaS) that you purchase from a third party or from a cloud service provider like AWS. See the next section for requirements.
#3 – FWaaS
It may sound like a bit of an oxymoron, but unified management for a FWaaS that is not managed by you warrants some clarification. In this case, although you don’t manage the firewall, you want to ensure the provider’s firewalls are working. You expect to detect issues before they cause disruptions. You also need to ensure that the components on your side that connect to the service are working, to avoid finger-pointing. The primary requirement is visibility into the availability of the FWaaS.
#4 – Securing Remote Users
This type of firewall secures user traffic on mobile devices or personal computers from anywhere. You deploy an agent on the device to ensure traffic is sent to the cloud-based firewall for inspection. These firewalls control which SaaS and on-premise applications are available to the users. Effectively, this is another form of FWaaS that is not managed by you. This solution is also known as Secure Access Service Edge (SASE).
This is where additional personae come into the picture. Firewalls are typically managed by the infrastructure team. This FWaaS is a remote access service running on Windows, Mac, iOS or Android. Traditionally, the infrastructure team does not cover support for endpoints; that typically falls into the lap of the endpoint team, who are accustomed to dealing directly with end users. The interesting question is, what does unified management mean for this FWaaS deployment type that spans multiple teams and device types? From the infrastructure team’s perspective, they need to ensure the data center is connected to the cloud-based firewall service so that remote users can access on-premise applications. The infrastructure team is typically not responsible for SaaS applications, nor are they directly responsible for the end users.
Summary
Let’s summarize unified management for hybrid mesh firewalls in a multi-vendor environment. Specifically, we are looking at it through the lens of the infrastructure team.
Firewall Deployment Type | Is it under your administrative domain? | Requirements (Infrastructure Team) |
On-premise (data center & remote office) | Yes | A single dashboard to manage your firewalls |
Cloud-based firewalls from network security vendors | Yes | A single dashboard to manage your on-premise and cloud-based firewalls |
FWaaS – Cloud-based firewalls from cloud service providers (e.g. AWS, Azure) | Partial (shared responsibility model) | Ensure your management platform integrates with these firewalls; at a minimum you want visibility into firewall availability |
FWaaS connecting your remote offices, from network security vendors | No | Ensure the components connecting your data center and the service are functioning (e.g. GRE tunnels, IPsec tunnels, App Connector); visibility into FWaaS availability |
Remote access for users | No | Ensure the connection between your data center and the firewall service is functioning; visibility into FWaaS availability |
I hope this gives you some insight into what unified management means for hybrid mesh firewall deployments.
About the Author
Ulrica de Fort-Menares is the Vice President of Product and Strategy at Indeni with over 30 years’ experience developing software in networking and security technologies. She loves explaining complex technology and building high-profile and high-performance teams.
Ulrica can be reached online at our company website http://www.indeni.com/.