Managed firewall service providers handle the implementation and maintenance of firewall infrastructure. Instead of IT teams deploying the firewall internally, it is provided as a service.
Services are an area of the cybersecurity market that has been growing in recent years, as they represent an easy route to more sophisticated cyber protection. Unfortunately, security services have also gotten mired in marketing and terminology complexity, making purchasing decisions difficult for those buyers most in need of simplicity.
Vendor offerings have gotten so complex that at times it is hard to tell whether there is a firewall service buried under all the other features. Gone are simple firewall offerings. Those disappeared a few years back when next-generation firewall (NGFW) became the preferred term. Vendors offered NGFWs that were firewalls plus many other features, and those feature sets varied depending on the vendor.
Now the term NGFW itself has disappeared. With the firewall decoupled from an appliance and moved to the cloud (some vendors still retain the appliance on site), the latest terminology is Secure Access Service Edge (SASE). Under that banner, service providers are offering a great many security products, including firewall-as-a-service (FWaaS), that are bundled together and aimed at ever-expanding network boundaries. Think Internet of Things (IoT) and mobile devices, remote workers, branch offices, partners, customers and more. It can be more than a little challenging for buyers with a more traditional network to defend.
Those looking for managed firewall or FWaaS offerings usually find themselves evaluating much broader offerings. Therefore, a direct conversation with vendors is recommended to find out what they offer. Otherwise, managed service providers (MSPs) and their customers may be paying for a lot more services than they need.
What is a Managed Firewall Service?
Let’s get back to basics. A managed firewall is a service delivered by an external provider of managed security services who provides firewall configuration, administration, monitoring, report generation, support, and sometimes on-site installation.
Sometimes the firewalls are software only, sometimes they are a combination of hardware and software, with an appliance installed on-site. It is up to the MSP to take care of the function and maintenance of the firewall. The MSP also provides alerts, feedback, reports, and may use the firewall at times for analysis. Other services may be included such as application control and web content filtering.
Do I Need a Managed Firewall?
Installing and configuring a firewall can be complex, depending on the environment, the requirements of the customer, and the ever-changing cybersecurity landscape. It is vital that the firewall be configured properly to not only protect an organization’s network but also to avoid interrupting business activities by accidentally blocking traffic that should be allowed through. Such skills are not always easy to come by. Training technicians in every nuance of firewall operation can be time-consuming and expensive, especially in cases where turnover in technical staff is happening every few months.
But another big reason why more people are opting to have their firewalls managed externally is their desire to have someone monitor firewalls 24×7, as hackers can strike at any time and only so many companies have round-the-clock security staff.
“Having this continuous monitoring enables the organization to detect and respond to threats before they can cause significant harm,” said Christopher Crellin, Senior Director, Product Management, Barracuda MSP. “Ultimately, having a managed firewall service ensures that the firewalls are properly configured and monitored so the business doesn’t have to worry as much about in-depth training.”
The Top Managed Firewalls
Channel Insider reviewed the many managed firewall services available on the market. Most of these are available to MSPs who wish to rebrand them or sell them to their existing customers. Here, then, are our picks for the best managed firewalls.
Barracuda Managed CloudGen Firewall Service offers customers advanced threat protection. It is a good way to replace legacy firewalls without having to retrain staff. The service can be provided directly to enterprises or via other MSPs. The company makes it possible for MSPs to leverage the expertise of a mature and scalable service staffed by security experts. This helps get around the problem of how an MSP can acquire that expertise if it wishes to offer more security services.
Barracuda’s key features
- Network protection with custom firewall configurations based on your enterprise preferences
- 24/7/365 security event management
- Notifications of any qualified threats and their remediation
- Alerts about any communication disruptions from onsite equipment to the monitoring system
- A monthly consolidated report on equipment traffic and application usage
- Brandable reporting to demonstrate value to customers
- An exclusive support phone line
Two types of managed firewall are available from Verizon: The Managed Enterprise Firewall service is for those using Internet Dedicated Services or customer-provided dedicated Internet access with bandwidth of T1 or greater; and Managed Business Firewall, for Internet Dedicated Access Services or customer-provided dedicated Internet access with bandwidth up to a maximum of T1. This is one of many services that Verizon can bundle together for comprehensive protection.
Verizon’s key features
- The Verizon Web Application Firewall (WAF) filters, monitors and blocks bad HTTP traffic targeting vulnerabilities in web applications
- Protects against sophisticated attacks, including cross-site scripting (XSS), SQL injection (SQLi) and large-scale distributed denial of service (DDoS)
- Protects against advanced botnet attacks
- 124 Tbps of global network capacity
- 165+ points of presence connected to 6,000+ interconnects around the world
Fortinet Secure Access Service Edge (SASE) offers a firewall as a service as one element of a much broader offering. With networks expanding beyond the WAN edge to thin branch networks and the cloud, traditional hub and spoke models can break down. Fortinet SASE allows users, regardless of location, to take advantage of firewall-as-a-service (FWaaS), secure web gateway (SWG), zero-trust network access (ZTNA), and a host of other threat detection functions.
Fortinet’s key features
- FortiSASE is Fortinet’s scalable cloud-based service powered by FortiOS innovations and FortiGuard Labs AI-driven Threat Intelligence
- FortiSASE services are available as an extension of the Fortinet Security Fabric to extend FortiOS protection across distributed networks
- Consistent protection across every network edge
- Enterprise-grade security via cloud-based consumption
- Eliminates common security gaps with no impact to workflow operations for cloud and thin edge users
Palo Alto’s Prisma is another of these services where a managed firewall offering is just one element among many. Its Firewall as a Service (FWaaS) offering protects remote locations with next-generation firewall security, delivered as a service from the cloud. Again, this vendor prefers the SASE moniker.
PAN’s key features
- Provides segment-wise insights across the service delivery path
- Uses real and synthetic traffic analysis to drive remediation
- CloudBlades enable integration of branch services into the SASE fabric without needing to update branch appliances or controllers
- Cloud Secure Web Gateway protects against web-based threats using static analysis and machine learning
- Data protection keeps sensitive data safe by categorizing it and protecting it while in motion across remote users and remote locations
- Integrates with Prisma SD-WAN
- Blocks exploits, malware, and command and control traffic
Perimeter 81’s FWaaS offering includes rule-based network access, with firewall rules that privatize network traffic and protect assets and data from exposure.
Perimeter 81’s key features
- Allows users to create and manage identity-based policies to automatically determine how devices, users and services enjoy network access
- IT managers can segment the whole network by resource sensitivity and filter access based on role, location, and device type
- Incorporates firewall capabilities on the network edge, with the ability to deploy private gateways anywhere
- To ensure privacy and compliance, Perimeter 81 provides client and endpoint visibility, identity and access management, OS and application-level security, and mutual TLS encryption
Zscaler Cloud Firewall enables fast and secure off-network connections and local internet breakouts for all user traffic. It scales across all ports and protocols to handle all cloud application traffic. And it ensures users have consistent protection regardless of device or location.
Zscaler’s key features
- No need for appliances, appliance management, and hardware refreshes
- Enables secure direct-to-cloud connections and optimizes DNS, TCP, and peering to reduce latency and ensure users are secure
- Protects users on any device, on and off the network, wherever they connect, without requiring a VPN
- Proxy-based architecture scales to deliver DNS security and IPS threat protection for all connection types and locations
- Cloud Firewall, along with Zscaler Client Connector, brings security close to the user to ensure consistent policy and protection
- Offers context-based security inspection and real-time threat prevention for all web and non-web applications
Check Point says its FWaaS gateways provide security beyond any next-generation firewall (NGFW). Based on the firewall pioneer’s Infinity Architecture, the new Quantum Security Gateway lineup of 15 models can deliver up to 1.5 Tbps of threat prevention performance and can scale on demand.
Check Point’s key features
- Delivers threat prevention with SandBlast Zero Day protection out of the box
- Check Point’s R81 unified security management offers threat protection across networks, clouds, and IoT
- Increases efficiency, reducing security operations up to 80%
- Scalable protection up to 1.5 Tbps against cyberattacks
- Protects the network, data center, endpoint, and IoT
- Remote Access VPN
Part of Versa SASE, the Versa Next Generation Firewall includes decryption capabilities that perform macro and micro segmentation in addition to full multi-tenancy, for complete protection inside, outside, and along the border of the enterprise. Microsegmentation technologies can also bring zero trust principles to security services customers by limiting access to the most critical parts of the network.
Versa’s key features
- Enables identification of users, flows, packets, and applications
- Establishes, monitors, and automatically adjusts security and network policies based on threats, vulnerabilities, and changes
- Zone-based firewall supports address objects, address groups, services, geo-location, time-of-day, rules, policies, zone protection, DDoS (TCP/UDP/ICMP Flood), syn-cookies, port scans, ALG support, SIP, FTP, PPTP, TFTP, ICMP, QAT support
- Identifies more than 3,000 applications and protocols, supports application groups, application filters, application visibility and logs