When we announced our new cloud generation firewall capabilities a couple of weeks ago, it was really interesting to hear from some of our experts about what these added capabilities would mean for customers. We started with Tim Jefferson, VP public cloud who provided some thoughtful insight into what’s necessary for customers to be secure in the public cloud, and how security has to adapt to these new requirements. This week, we caught up with network security guru Klaus Gheri to discuss some of the questions that often come up in regards to network security in the cloud generation. Here’s what he had to say:
Q & A with Klaus Gheri, VP and GM of network security at Barracuda
Q: Why would organizations that are not currently moving any workloads to the cloud need to think about a cloud generation firewall?
A: We interviewed hundreds of organizations earlier this year on their actual usage of the cloud, their plans for the cloud, and their security understanding of the cloud. During this process, it became clear that there is hardly a company out there today that is not making use of the cloud in one form or another. Cloud generation firewalls help companies save budget and improve security way beyond the traditional infrastructures as a service (IaaS) use case where you migrate an existing legacy application to the cloud. Most customers also use the cloud in the form of software as a service (SaaS) with applications like Microsoft Office 365, Salesforce, Dropbox, or OneDrive without even realizing it. Especially for the usage of SaaS apps, Barracuda Cloud Generation Firewalls offer an abundance of cost savings and network optimization not available with legacy next-generation firewalls.
Q: What is wrong with backhauling internet traffic through an on-premises firewall before going out to cloud applications?
A: We still see more than 60 percent of all larger company networks with a setup where all traffic from remote offices is sent through expensive private MPLS links to the HQ offices — then it typically gets funneled through a large firewall before it goes out to the internet. In some cases, the remote offices also have a secondary internet uplink that is used to establish a VPN connection to the HQ in case the MPLS fails. This setup has several issues when it comes to access to cloud applications:
Cost: Depending on your region, MPLS lines are 10 to 100 times more expensive over business quality broadband. Migrating existing datacenter workloads to the cloud, or replacing locally installed productivity applications like Microsoft Office with Office 365 online, results in the need for even more bandwidth to the internet. Cloud generation firewalls include the ability to use multiple uplinks intelligently at the same time and make use of the best uplink suited for the application. So the uplink with the fastest round-trip time and least packet loss is automatically selected for a remote desktop session. At the same time, if the same user transfers a large file with a different uplink that has better bandwidth — higher latency might be selected.
Organizations now have the option to use cloud generation firewalls to help get rid of expensive MPLS lines or reduce the purchased private line bandwidth significantly, and can augment with one or two much more affordable broadband uplinks. In the end, the customer typically experiences more available bandwidth at a largely reduced cost. To get an idea of the potential savings involved, Barracuda Networks provides a savings calculator at https://savings.barracuda.com/
Application Performance: When utilizing cloud apps from a network deviation introduced via backhauling, there will always be at least one more network hop on the way to cloud-hosted apps over going into the cloud directly. For nearby remote locations, this generally does not have notable adverse effects for casual web surfing or downloads. For remote locations in another state, another country, working with Office 365 online, or accessing workloads that used to be hosted in the local datacenter — backhauling will introduce a notable lag in application performance. There is a whole section in the Office 365 support area devoted to the performance topic, and Microsoft recommends latency of less than 50 ms for its most popular business online application.
Agility & availability: In general, private links like MPLS undoubtedly provide the best network performance, if they are available at every location needed. Even today, there are rural areas where MPLS lines are not available at all or, need to be established involving costly construction work over a couple of weeks. With cloud generation firewalls, a handful of widely available broadband and even 4G/LTE uplinks can be utilized to provide MPLS like performance for a fraction of the cost, everywhere at any time. So, instead of negotiating with a large telco provider to establish connectivity to a new remote location, it is as easy as getting one or multiple 4G/LTE routers, which can be done in less than a day. This comes in handy for seasonal or pop-up shops at airports, trade shows etc.
Q: Are organizations limiting their cloud deployments by using an on-premises firewall? How so?
A: Besides the benefits cloud generation firewalls provide when providing access to the cloud, there is another series of requirements to operate networks cost-effectively in the cloud.
Availability: Cloud generation firewalls must be available across all public cloud providers with the same set of functionality. In our research, we’ve found that a majority of our customer base utilizes at least two different cloud providers and requires the same functionality level and cross-cloud connectivity.
Cost: Making a legacy next-generation firewall work in the most prominent public cloud platform does not cover specific licensing demands by cloud architects. A full bring your own license (BYOL) model is usually prohibitive in highly agile cloud networks. Agile networking in the cloud requires a pay-as-you-go (PAYG) licensing model that is measured either based on usage time, or on actual traffic processed. Barracuda handles this by offering customers a usage-based billing option with its cloud generation firewalls. Additionally, suboptimal network constructs like a transit VPC setup (essentially the cloud analog of backhauling traffic) can be replaced with a centrally-managed HA firewall and VPN cluster inside each connected VPC — providing fully-meshed connectivity at a less or similar cost.
Automation: Only cloud generation firewalls provide deep integration into the cloud by allowing the automatic setup of either a full network or auto-scaling via templated deployment.
Q: What are a few of the top highlights that make Barracuda’s approach to network security work for so many of today’s organizations?
Besides all of the benefits mentioned above, there are many more distinct advantages deeply integrated into the product:
Secure SD-WAN included: Cloud generation firewalls combine the most comprehensive set of advanced security with capabilities that support the Software-Defined Wide-Area Network (SD-WAN). SD-WAN capabilities allow the creation of secure pathways across both multiple WAN connections and multiple carriers, even for VPN traffic. At the same time, built-in WAN compression and caching technologies significantly increase available bandwidth.
Superior VPN technology: Due to the limitations that come with standard IPsec connections, cloud generation firewalls include powerful extensions to standard IPsec tunnel management. At the core of the Barracuda Cloud Generation Firewalls is a proprietary VPN engine called TINA (Transport Independent Network Architecture). The dedicated TINA protocol allows the use of TCP, UDP, and ESP encapsulation for high-speed VPN connections, which improves the VPN connectivity substantially by adding:
- D'une connectivité de point de terminaison à point de terminaison (et non de réseau à réseau)
- De la prise en charge de la fonction NAT (Network Address Translation)
- De plusieurs liaisons physiques par tunnel logique
- De plusieurs tunnels entre deux emplacements
- De la compatibilité avec le protocole HTTPS et les proxies SOCKS4/5
- De la prise en charge des adresses dynamiques
- De la surveillance des pulsations des tunnels
- Traffic volume reduction through compression
For additional information on Barracuda Cloud Generation Firewalls, please visit: https://fr.blog.barracuda.com/products/cloud-generation-firewalls