Credit to Author: Alice Barford| Date: Tue, 11 Jan 2022 15:16:58 +0000
With new forms of cyberattack being devised at rapid pace, firewalls need to be able to rapidly adapt to protect against evolving threat techniques. Containerization and container orchestration enable us to make our software more flexible and adaptable—and also easier for our customers to update.
In the past, network protection solutions were monolithic. Firewalls were built as a large, powerful package of technologies—but they couldn’t be sub-divided or modularized, and had to be developed and updated as a whole. This made them slow to change.
This was less of an issue when security systems were built to protect specific devices and applications. The monolithic products were applied to that single place and stayed there. But the way we all work has changed, and the edges of companies’ systems have become increasingly distributed—with multiple devices spread across an array of networks.
Flexibility has become a defining factor of working best-practices. With a changing perimeter to protect, it follows that flexibility must become a defining factor of security systems as well. It’s not just new working methods that are important. New forms of cyberattack mean your security systems need to be able to evolve as quickly as malware does.
To help you keep pace, we’ve been changing the way we develop new network security products, including firewalls. We’re finding ways to incorporate modularity and flexibility, to make sure security products and services are quickly updated when new threats surface. One way we’re doing this is through containerization.
Flexible and agile by design
Imagine the software functions are Lego pieces. The containers are the different colored bricks, and they all stack neatly together to form different systems. By housing different functions in separate blocks, we can cherry-pick the exact ones needed for a certain security job or deployment topology, for example, protecting on-premises applications vs cloud data.
Containerizing workloads gives us the speed and flexibility to add or update features as new kinds of cyberattack increase the importance different capabilities. A firewall may contain dozens of features today. With containerization, we can easily move those features around in the future to optimize protection against emerging threats in a way that’s not possible in old, monolithic systems, or even quickly replace some of the features with new capabilities.
Standardize you protection
We can also use the same kind of brick in more than one product—which increases consistency, and hence protection, across different solutions. By putting functions, policies, and configuration management into containers, we can enhance your ability to take a single, coherent view regardless of the mix of solutions you deploy.
For example, a firewall can contain the same functions and policies whether it’s deployed on-premises or in the cloud. And when it comes to securing access to company data, containers make it easy to enforce consistent policies and decision points on firewalls/gateways whether resources are on-premises, in the cloud, or accessed via a ZTNA solution.
If you want to integrate specialist solutions to further extend your firewall’s capabilities, we can partner with a certified third party. We can use their container with that specific function and run it on our system.
This approach could create an ecosystem of partnerships and alliances where we can work with leading vendors to build new technologies and strategies and let you control best-of-breed solutions in a single space.
Create secure, integrated infrastructure
A real-world example of how containerization can speed up our response to evolving threats is in giving users access to remote applications.
As organizations move to a zero-trust approach, we don’t want to use a Virtual Private Network (VPN) to punch large holes through firewalls to reach multiple different applications. Instead, we want to use a Zero Trust Network Access (ZTNA) gateway to create a micro connection to the remote application. And then we’ll add another layer of security by deploying a Web Application Firewall (WAF) between the gateway and the remote application itself.
Currently, these are two separate processes but, by using containerization, we could add the WAF Lego brick onto the ZTNA gateway to create one single, protected solution. And that means there’s one less piece of infrastructure to deploy and manage, simplifying the environment and keeping your workload and costs down.
A smoother way to update technology
Here’s the really smart part: just because containerization lets us speed up development, it doesn’t mean your software updates and patches will become more onerous. In fact, quite the opposite. Containers let us update your firewall software seamlessly, without downtime.
By using blue/green deployment, we’ll keep the old and new versions running in tandem until all your traffic had moved to the updated software. It’s only then that we’ll remove the outdated version. Doing this means the update doesn’t interrupt your system’s traffic, while giving us the ability to deploy new updates and technologies without ever taking your environments down.
This approach also removes the need for monolithic, time-consuming deployments. If you just want to update your WAF, you can. With containerization, operation complexity and downtime are reduced, enabling you to quickly bring in the latest protection capabilities.
The building blocks of the future
The beauty of containerization is that it’s as easy to manage as it is to build. You can manage your Sophos Firewall alongside your other Sophos solutions in the Sophos Central management platform which enables you to see and control everything from a single place. Your policies and functions can be integrated across all your applications, and you can manage them centrally.
This single management and building approach is the future of the industry.
If you want to learn more about the new features and capabilities we’re bringing to our firewalls, have a chat with your Sophos representative today.