One of the most common network security solutions is the branch firewall. Branch firewall appliances can pack into a single device a wide range of security capabilities including a stateful or next-generation firewall, anti-virus, URL filtering, and IDS/IPS.

But the reality is that most of these edge devices lack the processing power to apply the full scope of capabilities on all of the necessary traffic.

If the firewall deployed in the branch cannot scale to address critical security needs, an alternative strategy must be used. Wholesale appliance upgrades are easy but expensive. Regional security hubs are complex and also costly.

A new approach, called firewall bursting, leverages cloud scalability to offer an easier, more cost-effective alternative to branch office security. (You can find a great table comparing the different Firewall approaches here.)

Costly Appliance Upgrades and Secure Hub Architectures

The existing methods of evolving branch security force IT into a tough trade-off: the cost and complexity of managing appliance sprawl or the complexities of a two-tier network security architecture.

Upgrading all branch firewalls to high-performance, next-generation branch firewalls improve network security, no doubt. Branch offices gain more in-depth packet inspection and more protections to be applied on more traffic. This is a relatively straightforward, but very costly, solution to achieving stronger security.

Aside from the obvious, the firewall upgrade cost, there are also the costs of operating and maintaining the appliance, which includes forced upgrades. Sizing branch firewall appliances correctly can be tricky.

The appliance needs enough power to support the mix of security services across all traffic—encrypted and unencrypted—for the next three to five years.

Alone that would be complex, but the constantly growing traffic volumes only complicate that forecast. And encrypted traffic, which has become the new norm of virtually all Internet traffic, is not only growing but must be first decrypted, exacting a heavy processing toll on the appliance.

All of which means that IT ends up either paying more than necessary to accommodate growth or under provision and risk compromising the company's security posture.

Regional hubs avoid the problems with upgrading all branch firewalls. Instead, organizations continue with their branch routers and firewalls, but backhaul all traffic to a larger firewall with public Internet access, typically hosted in a regional co-location hub.

The regional hub enables IT to maintain minimal branch security capabilities while benefitting from advanced security.

However, regional hubs bring their own problems. Deployment costs increase as regional hubs must be built out at significant hosting expense and equipment cost. And we're not just speaking about throwing up an appliance in some low-grade hosting facility.

Hub outages impact not just one small office but the entire region. They need to be highly available, resilient, run the up-to-date software, and maintained by expert staff.

Even then, there are still the same problems of forced upgrades due to increased traffic volume and encrypted traffic share, this time, though, of only the hub firewall appliances.

The network architecture is also made far more complex, particularly for global organizations. Not only must they rollout multiple regional hubs, but multiple hubs must be deployed in geographically dispersed regions or those regions with a high concentration of branches.

In short, while the number of firewall instances can be reduced, regional hubs introduce a level of complexity and cost often too excessive for many organizations.

Firewall Bursting: Stretching your Firewalls to the Cloud

Cloud computing offers a new way to solve the edge firewall dilemma. With "cloud bursting," enterprises seamlessly extend physical data center capacity to a cloud datacenter when traffic spikes or they exhaust resources of their physical datacenter.

Firewall bursting does something similar to under-capacity, branch firewalls. Edge security processing is minimized where firewall capacity is constrained, and advanced security is applied in the cloud, where resources are scalable and elastic.

The on-premise firewall handles basic packet forwarding, but anything requiring "heavy lifting," such as decryption, anti-malware or IPS, is sent to the cloud. This avoids forced branch firewall upgrades.

Firewall bursting is similar to the regional hub approach, but with a key difference: the IT team isn't responsible for building and running the hubs. Hubs are created, scaled, and maintained by the cloud service provider.

Who Delivers Firewall Bursting Capabilities?

Secure web gateways (SWGs) delivered as cloud services, can provide firewall bursting for Internet traffic. However, since firewalls need to apply the same inspection to WAN traffic, SWGs only offer a partial solution.

Purpose-built, global Firewall as a Service (FWaaS) is another option. FWaaS providers, such as Cato Networks, create a global network of Points of Presence (PoPs), providing a full network security stack specifically built for cloud scalability.

While the PoPs are distributed, they act "together" as a single logical firewall instance. The PoPs are highly redundant and resilient, and in case of outages, processing capacity seamlessly shifts inside or across PoPs, so firewall services are always available.

The PoPs are capable of processing very large volumes of WAN and Internet traffic. Because adding processing capacity either within PoPs or by adding new PoPs is transparent to customers, you don't have to adjust policies or reconfigure your environment to accommodate changes in load or traffic mix.


With firewall bursting customers can keep their current edge firewalls and still improve security. If you are running out of gas on your edge firewalls, you have options.

Beyond the obvious approaches of firewall upgrades and hub-and-branches set up, new innovations like FWaaS are now available.

FWaaS leverages cloud elasticity and scalability to globally extend network security with minimal impact on current network design.

Firewall refresh, capacity upgrades, mergers and acquisition, all represent a great opportunity to look at firewall bursting and FWaaS to evolve your network security beyond the edge.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.