What Is a Cloud Firewall? | Firewall as a Service

A cloud firewall protects cloud infrastructure despite the absence of a clearly defined network perimeter. Learn how they work and how they're different from NGFWs.

Share facebook icon linkedin icon twitter icon email icon
  • What Is the Cloud?
  • What Is Multicloud?
  • What Is Hybrid Cloud?
  • What Is a Cloud Firewall?

    What is a cloud firewall?

    Banks have a lot of physical security in place. Most brick-and-mortar banks will include security features like security cameras and bulletproof glass. Security guards and bank employees also help stop potential thieves, and cash is stored in highly secure safes.

    But imagine if, instead of being kept in one place, each bank branch's cash was stored in different safes all over the country that were operated by a company specializing in safe maintenance. How could the bank be sure that its money was secure without deploying additional security resources around its scattered safes? This is what cloud firewalls do.

    Cloud Firewall

    The cloud is like a bank with scattered resources, but instead of money, the cloud stores data and computational power. Authorized users can connect to the cloud from anywhere and on almost any network. Applications that run in the cloud can be running anywhere, and that also applies to cloud platforms and infrastructure.

    Cloud firewalls block cyber attacks directed at these cloud assets. As the name implies, a cloud firewall is a firewall that is hosted in the cloud. Cloud-based firewalls form a virtual barrier around cloud platforms, infrastructure, and applications, just as traditional firewalls form a barrier around an organization's internal network. Deploying a cloud firewall is like replacing a bank's local security cameras and a physical security guard with a global 24/7 security center that has a centralized staff and security camera feeds from all the places where a bank's assets are stored.

    What is a firewall?

    A firewall is a security product that filters out malicious traffic. Traditionally, firewalls have run in between a trusted internal network and an untrusted network – e.g., between a private network and the Internet. Early firewalls were physical appliances that connected to an organization's on-premises infrastructure. Firewalls block and allow network traffic according to an internal set of rules. Some firewalls allow administrators to customize these rules.

    traditional firewall

    However, with the growing popularity of cloud computing, the division between a trusted network and the larger Internet is gone; hence the need for cloud firewalls that form a virtual barrier between trusted cloud assets and untrusted Internet traffic.

    What does Firewall-as-a-Service (FWaaS) mean?

    Firewall-as-a-Service, or FWaaS for short, is another term for cloud firewalls. Like other "as-a-Service" categories, such as Software-as-a-Service or Platform-as-a-Service, a FWaaS runs in the cloud and is accessed over the Internet, and third-party vendors offer them as a service that they update and maintain.

    What is the difference between a cloud firewall and a next-generation firewall (NGFW)?

    A next-generation firewall (NGFW) is a firewall that includes new technologies that weren't available in earlier firewall products, such as:

    • Intrusion prevention system (IPS): An intrusion prevention system detects and blocks cyber attacks.
    • Deep packet inspection (DPI): NGFWs inspect data packet headers and payload, instead of just the headers. This aids in detecting malware and other kinds of malicious data.
    • Application control: NGFWs can control what individual applications can access, or block applications altogether.

    NGFWs may have other advanced capabilities as well.

    "Next-generation firewall" is a broadly applied term, but NGFWs don't necessarily run in the cloud. A cloud-based firewall may have NGFW capabilities, but an on-premises firewall could also be an NGFW.

    What is the network perimeter? How does cloud computing affect the network perimeter?

    The network perimeter is the division between the internal network an organization manages, and the network access provided by an external vendor, usually an Internet service provider (ISP). In other words, the network perimeter is the edge of what an organization has control over. Networks can be physically locked down as well: an employee of a company may have to be in the office and using a company-managed device to connect to the corporate network. Firewalls were initially designed to control this type of network perimeter and not let anything malicious through.

    In cloud computing, the network perimeter essentially disappears. Users access services over the uncontrolled Internet. A user's physical location, and sometimes the device they're using, no longer matters. It's difficult to put a layer of security around corporate resources, because it's almost impossible to determine where the security layer should go. Some companies resort to combining a number of different security products, including traditional firewalls, VPNs, access control, and IPS products, but this adds a lot of complexity to IT and is difficult to manage.

    What does the Cloudflare Web Application Firewall do?

    The Cloudflare Web Application Firewall (WAF) protects cloud properties from vulnerability exploits, helps stop DDoS attacks, and allows IT admins to write their own custom firewall rules. Companies can deploy the Cloudflare WAF in front of any type of cloud deployment – hybrid cloud, multicloud, public cloud, etc.

  • Glossary

Cloud Firewall

Learning Objectives

After reading this article you will be able to:

  • Understand what a cloud firewall is
  • Explore how cloud computing changes the network perimeter
  • Learn the difference between cloud firewalls and traditional firewalls
  • Differentiate next-gen firewalls from cloud firewalls
  • Understand what 'Firewall-as-a-Service' means

What is a cloud firewall?

Banks have a lot of physical security in place. Most brick-and-mortar banks will include security features like security cameras and bulletproof glass. Security guards and bank employees also help stop potential thieves, and cash is stored in highly secure safes.

But imagine if, instead of being kept in one place, each bank branch's cash was stored in different safes all over the country that were operated by a company specializing in safe maintenance. How could the bank be sure that its money was secure without deploying additional security resources around its scattered safes? This is what cloud firewalls do.

Cloud Firewall

The cloud is like a bank with scattered resources, but instead of money, the cloud stores data and computational power. Authorized users can connect to the cloud from anywhere and on almost any network. Applications that run in the cloud can be running anywhere, and that also applies to cloud platforms and infrastructure.

Cloud firewalls block cyber attacks directed at these cloud assets. As the name implies, a cloud firewall is a firewall that is hosted in the cloud. Cloud-based firewalls form a virtual barrier around cloud platforms, infrastructure, and applications, just as traditional firewalls form a barrier around an organization's internal network. Deploying a cloud firewall is like replacing a bank's local security cameras and a physical security guard with a global 24/7 security center that has a centralized staff and security camera feeds from all the places where a bank's assets are stored.

What is a firewall?

A firewall is a security product that filters out malicious traffic. Traditionally, firewalls have run in between a trusted internal network and an untrusted network – e.g., between a private network and the Internet. Early firewalls were physical appliances that connected to an organization's on-premises infrastructure. Firewalls block and allow network traffic according to an internal set of rules. Some firewalls allow administrators to customize these rules.

traditional firewall

However, with the growing popularity of cloud computing, the division between a trusted network and the larger Internet is gone; hence the need for cloud firewalls that form a virtual barrier between trusted cloud assets and untrusted Internet traffic.

What does Firewall-as-a-Service (FWaaS) mean?

Firewall-as-a-Service, or FWaaS for short, is another term for cloud firewalls. Like other "as-a-Service" categories, such as Software-as-a-Service or Platform-as-a-Service, a FWaaS runs in the cloud and is accessed over the Internet, and third-party vendors offer them as a service that they update and maintain.

What is the difference between a cloud firewall and a next-generation firewall (NGFW)?

A next-generation firewall (NGFW) is a firewall that includes new technologies that weren't available in earlier firewall products, such as:

  • Intrusion prevention system (IPS): An intrusion prevention system detects and blocks cyber attacks.
  • Deep packet inspection (DPI): NGFWs inspect data packet headers and payload, instead of just the headers. This aids in detecting malware and other kinds of malicious data.
  • Application control: NGFWs can control what individual applications can access, or block applications altogether.

NGFWs may have other advanced capabilities as well.

"Next-generation firewall" is a broadly applied term, but NGFWs don't necessarily run in the cloud. A cloud-based firewall may have NGFW capabilities, but an on-premises firewall could also be an NGFW.

What is the network perimeter? How does cloud computing affect the network perimeter?

The network perimeter is the division between the internal network an organization manages, and the network access provided by an external vendor, usually an Internet service provider (ISP). In other words, the network perimeter is the edge of what an organization has control over. Networks can be physically locked down as well: an employee of a company may have to be in the office and using a company-managed device to connect to the corporate network. Firewalls were initially designed to control this type of network perimeter and not let anything malicious through.

In cloud computing, the network perimeter essentially disappears. Users access services over the uncontrolled Internet. A user's physical location, and sometimes the device they're using, no longer matters. It's difficult to put a layer of security around corporate resources, because it's almost impossible to determine where the security layer should go. Some companies resort to combining a number of different security products, including traditional firewalls, VPNs, access control, and IPS products, but this adds a lot of complexity to IT and is difficult to manage.

What does the Cloudflare Web Application Firewall do?

The Cloudflare Web Application Firewall (WAF) protects cloud properties from vulnerability exploits, helps stop DDoS attacks, and allows IT admins to write their own custom firewall rules. Companies can deploy the Cloudflare WAF in front of any type of cloud deployment – hybrid cloud, multicloud, public cloud, etc.