The purpose of a firewall is to protect a system. However, new attack techniques can make a firewall’s processes outdated very quickly. The databases and procedures of firewalls have to be updated very frequently in order to keep them effective, and that creates maintenance tasks.
Firewall maintenance can be time-consuming and requires technicians to acquire special knowledge about how the firewall software works and about cybersecurity in general. Cloud-based firewalls are easier to manage because the hardware configuration decisions and software maintenance tasks are taken care of. The people who understand each firewall best are the teams that developed them.
Here is our list of the six best FWaaS systems:
- Perimeter 81 FWaaS EDITOR’S CHOICE This cloud-based attack blocker is able to protect multiple sites and also remote workers and cloud platforms. This is an advancement on traditional network-based firewalls that only protect one LAN.
- CrowdStrike Falcon Firewall Management A cloud-based firewall that integrates into the Falcon Suite of enterprise security tools.
- Zscaler Cloud Firewall A flexible cloud-based firewall system that protects team member devices wherever they are located.
- SecurityHQ Managed Firewall A cloud-based firewall that includes the services of cybersecurity experts to manage the system for you.
- Secucloud Firewall as a Service This cloud-based firewall is provided from a global network of servers and deploys machine learning techniques to identify malicious activity and malware.
- Cato Networks SASE A comprehensive edge services platform that includes Security as a Service features, such as its FWaaS.
FWaaS packages
When users of firewalls have difficulty setting them up properly, they call the help desk of the system providers. Support call solutions can even involve the help desk technician accessing the customer’s system to fix the problem.
In an FWaaS scenario, rather than buying the software and installing it on-site, the customer subscribes to a firewall service. This includes the software, the server to run it on, storage space for log files, and the staff needed to fine-tune and maintain the system. Some FWaaS products are part of a managed firewall solution. That concept changes the perception of a firewall from a software package into a security service. A firewall element is just a tool used by cybersecurity experts who are contracted to protect a business’s IT system.
Firewall configuration options
Every firewall vendor would like to think that their system is impregnable and every firewall buyer would like to believe them. However, total confidence is a delusion. There is always the possibility that hackers will find a way around the security system.
In medieval Europe, communities defended themselves from attack by building high, thick walls around their towns. However, a new attack strategy invented by clever raiders literally undermined these defenses. They dug a tunnel beneath the walls, filled it full of wood, and set fire to it, causing the mortar in the foundations to disintegrate, leading to the collapse of the wall.
Modern hackers would like to do exactly the same thing to ruin the strength of a firewall – get under its foundations. The key vulnerability of any piece of software lies in the operating system that it depends on.
Firewall providers would have to create a very comprehensive series of checks and controls in order to monitor the system that supports their software. Ultimately, protecting the system on which the firewall is resident becomes a bigger task than protecting the network.
In order to reduce the risks of a hacker getting into the operating system and just passing beneath the firewall software, it is advisable to run the firewall software on a separate physical device.
Where firewalls are resident on servers that are shared with other applications, the firewall package includes its own operating system and is run as a virtual machine – making it impossible for any process to break out of the container and interfere with other running programs.
Onsite firewall solutions have three configurations:
- An appliance that hosts all necessary security software and controls the gateway to the network
- A dedicated server
- A virtual appliance
Cloud hosts offer a fourth option. Logically, if it is safer to run a firewall on a separate device as far out on the edge of the protected system as possible, it is even safer to run it on a server in an entirely separate building and operated by a separate company.
FWaaS belongs to a category of systems termed edge services. It sits out beyond the boundary of the protected system. A firewall is supposed to protect a network by examining all traffic between it and the internet, so filtering all traffic somewhere else in a faraway place still creates a vulnerability: the clean traffic still has to travel over the internet to its intended destination.
Does an FWaaS customer need a second firewall to re-examine traffic coming in from the FWaaS? Having a firewall in a remote location could give hackers an easy opportunity to bypass the firewall service entirely and go directly to the unprotected network. FWaaS providers close down that option by establishing a VPN link between their servers and the protected network. The internet interface of the network is controlled by the VPN client, which will only accept traffic coming in from the FWaaS server. All transmissions are protected by encryption, making it impossible for hackers to break in and tamper with it.
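As an added illustration (not from the article or from any of the vendors reviewed), the customer-side arrangement described above can be written as an nftables ruleset: the internet-facing interface accepts nothing except the encrypted tunnel from the provider’s address, already-filtered traffic enters over the tunnel interface, and LAN hosts are never allowed to reach the internet directly. The interface names, the provider address 203.0.113.10 and the WireGuard port are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Constructed example of an FWaaS customer's edge router.
# Assumptions (not from the article): WAN interface eth0, LAN interface lan0,
# tunnel interface wg0, FWaaS tunnel endpoint 203.0.113.10 (documentation
# range used as a placeholder), WireGuard listening on UDP/51820.

define WAN_IF = "eth0"
define LAN_IF = "lan0"
define TUN_IF = "wg0"
define FWAAS_ENDPOINT = 203.0.113.10
define TUN_PORT = 51820

flush ruleset

table inet edge {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # On the internet-facing interface the only thing let in is the
        # encrypted tunnel, and only from the FWaaS provider's address.
        iifname $WAN_IF ip saddr $FWAAS_ENDPOINT udp dport $TUN_PORT accept

        # Anything else arriving directly from the internet is a bypass
        # attempt around the FWaaS; count it so it shows up in monitoring.
        iifname $WAN_IF counter drop comment "not from FWaaS endpoint"

        # Administration of the router itself only via the tunnel.
        iifname $TUN_IF tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Decrypted, already-filtered traffic from the FWaaS arrives on wg0.
        iifname $TUN_IF oifname $LAN_IF accept

        # LAN hosts reach the internet only through the tunnel, so the
        # provider's firewall sees every outbound connection as well.
        iifname $LAN_IF oifname $TUN_IF accept
        iifname $LAN_IF oifname $WAN_IF counter drop comment "direct egress blocked"
    }
}
```

Load it with `nft -f <file>` after confirming the tunnel is up, since with this policy the router is unreachable from the WAN by anything other than the provider’s tunnel.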
FWaaS benefits
Cloud firewall providers can go all-out in their strategy to protect the firewall from attack. Serving many customers gives them the cost base that allows them to invest in clusters of servers with failover backup hardware, technicians working in shifts around the clock, and a worldwide perspective to cybersecurity.
If a new attack vector arises, a traditional firewall provider has to come up with a solution very quickly and roll that out to all of its customers. An FWaaS provider does the same thing, but rather than sending out updates to its customers all over the world, it just needs to update the software on its own servers and every customer is instantly protected by the adjustment.
The distributed software strategy of traditional onsite firewalls opens up the risk of a customer blocking automatic updates, neglecting to install a patch, failing to read a security warning notice, or just not securing their systems properly. Letting the firewall provider host the security system removes all of those weaknesses.
The best FWaaS providers
There are many firewall providers in the world and a large number of them have opened up FWaaS divisions. It can take a long time to investigate all options, so we have created this review to focus on the best providers in the field.
Our methodology for selecting an FWaaS package
We reviewed the market for Firewall as a Service platforms and analyzed the options based on the following criteria:
- Easy to set up and use
- Automated responses on threat detection
- Full event logging
- Alerts sent by SMS or email
- Integration with other edge services
- A free trial or a demo system that provides an opportunity for a no-cost assessment
- Value for money offered by strong protection provided for a fair price
Using this set of criteria, we looked for FWaaS edge services that provide constant protection.
You can read more about each of these options in the following sections.
1. Perimeter 81 FWaaS (ACCESS FREE DEMO)
Perimeter 81 is an edge service platform and its Firewall-as-a-Service is its central product. Unlike traditional firewalls, the Perimeter 81 system isn’t limited to guarding a single network. Instead, it can be used to control access to all of the resources of an enterprise. This includes the workstations of remote home workers and cloud platforms as well as all of the LANs that a multi-site business might operate.
Key Features:
- Covers multiple sites
- Protects the devices of remote workers
- Scalable pricing
- Offers a single IP address
- Protected DNS system
Although this is a great security system for large, multi-site operations, that doesn’t mean that Perimeter 81 isn’t suitable for small businesses. On the contrary. The pricing structure of the FWaaS from Perimeter 81 favors small enterprises because it offers all of the features that big businesses get but at a rate per user per month. Also, you don’t need to employ cybersecurity experts or even have a big server to host the software. The Perimeter 81 configuration is particularly useful for businesses that don’t invest in premises but operate virtual offices.
There are no installation fees, no minimum subscription period, and no upfront cost to using the Perimeter 81 service. The system is very flexible because if you expand your workforce, you just increase the capacity of your subscription package. The minimum number of users for the lowest package of Perimeter 81 which includes the FWaaS is five.
Perimeter 81’s FWaaS fronts your organization, while providing connection security behind it to protect all of the communications between your own equipment that cross the internet. The FWaaS ties all of your sites together because it offers you one public-facing IP address for all of your sites. It is not difficult to use this system to unite the address space of all of your sites and remote devices into one centrally managed network.
The entire Perimeter 81 package offers a range of protection strategies against attack inside your network and for internet connections through the firewall. You can choose to protect access to specific applications, which you can host yourself or subscribe to on the cloud. You also get protection from DNS-based spoofing attempts because the Perimeter 81 package gives you a private, protected DNS system.
You can examine the Perimeter 81 system, including its Firewall-as-a-Service with a demo. All plans are covered by a 30-day money-back guarantee.
Pros:
- Flexible features and offers that cater to smaller networks as well as enterprises
- Multi-site management makes this viable for MSPs
- Wide variety of integrations (LDAP, SAML, etc.)
- Flexible pricing – great for any size network
- Easy to use object-based configurations
Cons:
- Would like to see a trial as opposed to a demo
EDITOR’S CHOICE
Perimeter 81 FWaaS is our top pick for a Firewall-as-a-Service because it offers internal network security as well as protection against attacks from the outside world. You can link all of your resources together into a unified network and monitor it centrally with this package. Your enterprise might be scattered across the globe, but Perimeter 81 makes it seem contiguous. All of this technology that protects your network is fronted by a cloud-hosted firewall. You can let the Perimeter 81 technicians look after your security systems and get on with your core activities.
Download: Access FREE Demo
Official Site: https://www.perimeter81.com/demo
OS: Cloud-based
2. CrowdStrike Falcon Firewall Management
CrowdStrike Falcon is an enterprise security suite that delivers next-gen AV and endpoint protection. The Falcon system includes a number of modules and the Firewall Management component is an optional extra.
Key Features:
- Firewall coordinator
- Interacts with on-site firewalls
- Enhances third-party firewalls
- Integrates with other CrowdStrike products
As with the endpoint protection system from CrowdStrike, the Falcon Firewall Management module is resident in the cloud and also relies on an installed agent onsite to gather data and implement workflows. The tool protects the network and each endpoint, creating a two-phase protection service.
The CrowdStrike Falcon dashboard is delivered from the CrowdStrike server and accessed through any standard browser. That means that it is available anywhere and the administrator does not need to be in the same location as the protected system. It also means that remote workers and different sites can all be protected and managed from one central console.
Even though it is a distributed system, the central Firewall Management console enables administrators to impose the same rules and policies on all protected devices. This unifies the firewall, making it operate as a single entity.
Although there are onsite elements to the CrowdStrike Falcon system, the bulk of processing, such as threat hunting and traffic scanning, is carried out on the cloud servers. This greatly reduces the hardware requirements of the business using the service. It also means that network administrators don’t need to worry about keeping the system updated or providing failover hardware because all of those issues are dealt with by the CrowdStrike staff.
Falcon is available in four editions: Falcon Pro, Falcon Enterprise, Falcon Premium, and Falcon Complete. None of those plans include the Firewall Management module automatically – it has to be added on. The Falcon Complete option is a bespoke plan that includes a managed security service and a Breach Prevention Warranty. Potential customers can get a 15-day free trial of the Falcon security suite.
Pros:
- Combines FWaaS and endpoint protection through a single platform
- Can track and alert on anomalous behavior over time, improving the longer it monitors the network
- Can install either on-premises or directly into a cloud-based architecture
- Lightweight agents won’t slow down servers or end-user devices
Cons:
- Would like to see a longer trial period
CrowdStrike Falcon Firewall Management is a great FWaaS because it provides a nice blend of network and endpoint protection. The service is charged for by subscription, so there are no upfront hardware or software costs with this security system. Thanks to the cloud architecture of CrowdStrike Falcon Firewall Management, administrators can include protection for remote workers and other sites in the home network protection plan.
Get a 15-day free trial: go.crowdstrike.com/try-falcon-prevent.html
OS: Cloud-based
3. Zscaler Cloud Firewall
Zscaler built its FWaaS system with virtual offices in mind. The company noted that the traditional business practice of crowding all workers into an office space is no longer valid. This system offers a solution that allows remote workers to safely connect to the business network and enjoy protection from the corporate firewall while working.
Key Features:
- Unifies multiple sites
- Covers user-owned devices
- Intranet connection security
The software for the firewall service doesn’t need to be resident on the protected computer. Instead, the service just protects the connection, checking all traffic to make sure that the worker’s device doesn’t pass viruses over to the main system.
The Zscaler solution is a great idea for businesses that deploy a BYOD strategy as well as those that regularly deal with home-based workers. Whether the protected device is owned by the company or the user, the firewall service doesn’t touch the device. This means that there are no heavy background processes to drag down the performance of the device. It will even protect communications via mobile equipment.
The remote inclusion service sounds like a VPN. However, Zscaler points out that its system doesn’t just protect the privacy of connections, it implements firewall policies within the secure connection. So, it could be seen as a VPN+ – it is certainly a proxy service as all traffic needs to flow through the Zscaler server, which acts as an edge system between the company’s network and the wider internet.
Zscaler is coy about its pricing for the Cloud Firewall and it doesn’t offer a free trial. However, it is possible to get a demo of the firewall service.
Pros:
- Operates in the cloud, no compliance onboarding or infrastructure expense
- Can customize bandwidth allocation on a percent basis, good for larger networks and more granular control
- Can access the dashboard via browser from anywhere
- Can unify multiple sites – great for multi-site operations and MSPs
Cons:
- Must contact sales for pricing
4. SecurityHQ Managed Firewall
SecurityHQ goes one step further than just hosting a firewall service: it also offers the management of the firewall. This is a great option for businesses that don’t have their own IT team, or those that do but don’t have specific cybersecurity skills onsite.
Key Features:
- Managed service
- Data protection standards compliance
- Free security audit
IT specialists with cybersecurity expertise are hard to find and, as in any market with a shortage, their wage levels are high and constantly rising. Even if you manage to hire an expert to manage your firewall, it won’t be long before another business outbids you, leaving you with the need to go through the hiring process again.
Managed services plug the skills gap. This is a particularly useful option for small businesses that just don’t have the volume of traffic that would justify the expense of a dedicated cybersecurity expert on their staff. The other option that small businesses usually go for is to dump the responsibility for the firewall’s installation and management on an unskilled manager.
The SecurityHQ service is staffed around the clock and is hosted on a cluster of servers, which guarantees persistence. The system is run in line with ITIL standards and it enables businesses to be fully compliant with PCI DSS, HIPAA, SOX, NERC, and CIP.
SecurityHQ’s Managed Firewall is a bespoke service. There is no price list or plan schedule. You need to contact the company and ask for a free security audit in order to get a quote.
Pros:
- Offers FWaaS as a managed solution – great for companies lacking technical expertise
- Supports compliance monitoring and auditing for standards like PCI-DSS, HIPAA, and SOX
- Offers great data visualization and customizable dashboards
Cons:
- Must acquire pricing through a free security audit
5. Secucloud Firewall as a Service
The Secucloud Firewall as a Service uses AI-based machine learning techniques to identify traffic that is out of the ordinary. This is the hallmark of a next-gen security system and it reduces the incidence of false-positive anomaly detections.
Key Features:
- AI-based
- Scores traffic sources
- Threat intelligence feed
Traditional firewalls are difficult to calibrate. They require a list of identifying characteristics against which all traffic needs to be compared. That requires heavy processing of data that can slow down transmissions and cause genuine traffic to be blocked. The next-gen approach adjusts the pattern of regular traffic according to a reputation grading of the source and destination addresses for the connection. This speeds up processing for genuine traffic.
A second advantage of the Secucloud system is the company’s Global Cloud Intelligence feed. This is a blacklist system that gathers live transaction reports from all over the world, identifying hacker addresses and the file names used for detected virus attacks. The blacklisting of suspicious sources also cuts down processing time for live data.
Secucloud is a hosted system, which means that it operates as a proxy, channeling all internet traffic that passes in and out of the protected network. The connection between the client’s system and the Secucloud server is protected with a VPN.
Pros:
- Leverages machine learning and AI to detect malicious traffic
- Uses AI to reduce false positives and improve anomaly detection
- Operates as a proxy for your traffic – providing an extra layer of infrastructure protection
- Protects traffic through its own VPN tunnel
Cons:
- Not the best option for organizations looking for self-hosted solutions
6. Cato Networks SASE
Cato Networks has developed a cloud-based security platform, called SASE, which stands for Secure Access Service Edge. This system offers a range of edge services including an FWaaS. This strategy makes sense because there are a number of services that a proxy service can offer to businesses and they can all be performed simultaneously.
Key Features:
- Complete connection security
- Provides a private corporate network over the internet
- Deep packet inspection
Other edge services in the SASE system include an SD-WAN, WAN optimization, a content delivery network, and a DNS service. This is supplied by a network of servers in many locations rather than just one data center. The system also includes a secure remote access system for home-based workers so that they can connect to the company network and be protected by the FWaaS while on company business. This system will also include mobile devices in the network.
The FWaaS is part of a bundle of security services offered by SASE, which also includes a next-gen anti-virus, a managed threat detection and response service, and a managed intrusion prevention system.
The Cato Networks SASE system is very comprehensive and so it takes some time to fully understand. It deals with all communications issues that any business connected to the internet could have. The FWaaS deploys deep packet inspection to examine all incoming and outgoing traffic, enabling businesses to block access to certain websites and it also implements data loss prevention strategies. The firewall checks on the protocol of each transmission and adapts its control standards accordingly.
The Cato Networks SASE is a very good option for very large businesses that want to centralize the security measures that cover many sites, and it is also appropriate for small businesses that use freelance workers, have most of their staff out on-site, or operate a virtual office.
Pros:
- Offers excellent graphing, reporting, and dashboard visuals
- Supports a wide range of cloud and edge services
- Offers a remote access system feature – great for secure WFH solutions
- SASE offers a bundle of other security features such as IPS, antivirus, and threat detection
Cons:
- Better suited for larger organizations
- Packet Filters – Check the header of each packet for suspicious identifiers
- Stateful Inspection – Accumulate information across packets
- Proxy Server Firewalls – Pre-filter traffic before it reaches the network