
Where Firewalls Fail

Enterprise perimeter protection roots

Firewalls were designed for enterprise perimeter protection: controlling communication from external, unmanaged addresses. Proven form factors make them easy to deploy and manage. Next-generation firewalls (NGFWs) have extended policy beyond addresses to application protocols for better protection against newer threats. However, with the dramatic changes in both the threat landscape and the IT environment over the years, practitioners and industry experts are questioning the continued reliance on, and the efficacy of, traditional address-based controls.

Cloud and virtual environments challenge traditional network security

Virtualized and cloud environments make it difficult to adapt perimeter appliance form factors, for several reasons. The network has become an inherently untrusted entity, especially in the public cloud, where data and application owners do not control the environment. Recognizing this, Gartner recommends moving away from a "secure network" of workloads toward a network of "secure workloads": protection placed at the application level, not the network level. In dynamic cloud environments, address-based policies cannot follow changing application needs (addresses are assigned and reclaimed as workloads scale), so operators fall back on overly permissive rules (for example, allowing an entire subnet rather than a single host), which in turn increase risk. Furthermore, traditional firewalls are ill-equipped for constantly varying performance requirements, a particular challenge when handling lateral, east-west traffic.

Increased east-west traffic no longer visible to firewalls

Complex, distributed applications generate a high volume of east-west traffic that never crosses the chokepoints where firewalls sit, so the firewall loses both visibility and control. End-to-end encryption further limits deep packet inspection, compounding the loss of visibility. And because dynamic scaling, ephemeral workloads, and microservices (driven by cloud scaling and containerization technologies) keep the environment in constant change, it is difficult to evaluate whether policies are correct and what network exposure they actually create.

Evolving attacks bypass traditional controls

Despite attempts to repurpose perimeter firewall technologies to control the inside, attackers have evolved techniques for moving laterally toward their ultimate targets. Existing firewall controls are bypassed or compromised by piggybacking malicious software over existing (allowed) policies, hijacking addresses or sessions, masking communications through encryption, steganography, and other obfuscation techniques, and evading the signature-based detection of NGFWs.

"Are Next-Generation Firewalls Legacy Technology? While network firewalls continue to anchor security, requirements are changing and next-generation firewall functionality is migrating elsewhere."
Jon Oltsik, CSO columnist and ESG Sr. Principal Analyst

"Is Public Cloud Adoption Making Traditional Firewall Solutions Less Relevant? ... traditional firewall vendors have so far enjoyed limited success in capitalizing on securing [cloud] workloads, since security in virtual environments requires different approaches."
Gartner

"You Can't Secure Cloud Workloads With Manual Tools, Traditional Tech"
Forrester

A new approach that protects where firewalls fail

To overcome the security challenges posed by the new cloud environments, increased east-west communication, and new attack tactics, Edgewise's Trusted Application Networking goes beyond network address constructs and focuses on what organizations really want to protect: the application workloads and services that communicate. Edgewise automatically recommends and enforces policies based on the secure identity of the applications, users, and hosts that are communicating, not on constructs like IP addresses, which cannot scale in today's dynamic computing environments, or packet contents, which attackers have learned to bypass.

Adapt to the cloud with application-centric controls that bring protection alongside the workloads.
Simplify operational complexity with machine learning.
Visualize workload risk: map application topology in real time and assess risk.
Apply the principle of least privilege to allow only required communication paths, eliminating overly permissive controls.
Stop malicious actors from moving laterally by verifying the secure identity of software, users, and hosts before connections are allowed.
Unite diverse technology and business stakeholders with plain-English, workload-centric policies.
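As an added illustration of the argument above (that address-keyed rules cannot follow autoscaling and can be piggybacked by malware on an allowed host, while identity-keyed rules can express least privilege), the Python below builds both kinds of allowlist from the same constructed baseline of observed flows and evaluates three constructed connection attempts against them. This is example code written for this page, not Edgewise's code or a description of its implementation. The hosts, ports, application identities ("web/nginx" and so on) and flows are assumptions, and the example assumes the initiating program's identity is reported by a trusted host-side agent, which is exactly what an address-only control lacks.

```python
"""Address-keyed vs identity-keyed allowlists built from the same observed flows.

Added illustration, not Edgewise code. All hosts, ports, identities and flows
below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection attempt. src_app/dst_app are the identities of the
    programs on each end (assumed to be reported by a trusted host agent);
    an address-only control sees just the IPs and the port."""
    src_ip: str
    src_app: str
    dst_ip: str
    dst_app: str
    dst_port: int


# Constructed baseline: the intended state of a three-tier application.
BASELINE = [
    Flow("10.0.1.10", "web/nginx", "10.0.2.20", "api/order-svc", 8443),
    Flow("10.0.2.20", "api/order-svc", "10.0.3.30", "db/postgres", 5432),
]


def address_policy(flows):
    """Classic firewall-style rules keyed on (src_ip, dst_ip, dst_port)."""
    return {(f.src_ip, f.dst_ip, f.dst_port) for f in flows}


def identity_policy(flows):
    """Least-privilege rules keyed on who talks to whom: (src_app, dst_app, port)."""
    return {(f.src_app, f.dst_app, f.dst_port) for f in flows}


def widen_to_subnet(policy, prefix=24):
    """The usual fix when address rules break under autoscaling: replace each
    source host with its whole subnet. This is the 'overly permissive' policy."""
    return {(str(ip_network(f"{src}/{prefix}", strict=False)), dst, port)
            for src, dst, port in policy}


def allowed_by_address(policy, flow):
    return (flow.src_ip, flow.dst_ip, flow.dst_port) in policy


def allowed_by_subnet(policy, flow):
    return any(ip_address(flow.src_ip) in ip_network(net)
               and flow.dst_ip == dst and flow.dst_port == port
               for net, dst, port in policy)


def allowed_by_identity(policy, flow):
    return (flow.src_app, flow.dst_app, flow.dst_port) in policy


def evaluate(baseline=BASELINE):
    """Return {scenario: (address, widened_address, identity)} allow decisions."""
    addr = address_policy(baseline)
    wide = widen_to_subnet(addr)
    ident = identity_policy(baseline)

    scenarios = {
        # Autoscaling: the same web program comes up on a new address.
        "replica": Flow("10.0.1.11", "web/nginx", "10.0.2.20", "api/order-svc", 8443),
        # Piggybacking: malware on the web host reuses the allowed web->api path.
        "piggyback": Flow("10.0.1.10", "malware/dropper", "10.0.2.20", "api/order-svc", 8443),
        # Collateral exposure: an unrelated, compromised host in the widened subnet.
        "neighbour": Flow("10.0.1.99", "cryptominer", "10.0.2.20", "api/order-svc", 8443),
    }
    return {
        name: (allowed_by_address(addr, f),
               allowed_by_subnet(wide, f),
               allowed_by_identity(ident, f))
        for name, f in scenarios.items()
    }


if __name__ == "__main__":
    print(f"{'scenario':<10} {'address':>8} {'/24':>6} {'identity':>9}")
    for name, (a, w, i) in evaluate().items():
        print(f"{name:<10} {str(a):>8} {str(w):>6} {str(i):>9}")
```

Read across the rows: the exact address policy rejects the legitimate replica, the widened policy admits everything in the subnet including the unrelated host, and only the identity policy admits the replica while rejecting both the piggybacking process and the neighbour. The caveat is in the Flow docstring: the identity decision is only as good as the agent that attests src_app, which is why verifying the identity of software, users and hosts before a connection is allowed matters as much as the policy itself.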
 
Requirements | Edgewise | Firewall
--- | --- | ---
Revealing Risk | |
Identify communicating software, users, and hosts | Identifies entities initiating connection | Limited to identities in the packets
Model workload communication to define intended state | |
Assess network exposure | |
Building Policies | |
Automatically create policies | |
Automatically validate policies | |
Dynamically adjust policies for autoscaling and ephemeral workloads | |
Portable policies for on-premises and cloud | |
Protecting Application Workloads | |
Enforce address, port, protocol, and content | | Address, port and protocol
Enforce by software identity | | Application protocol only
Enforce by user identity | | Username in packet, not system user
Enforce by host identity | |
Manage policies at the application level | | Application protocol only
Protect serverless computing infrastructure | |
Protect public cloud workloads | | Limited visibility, scalability, manageability

Blank cells held only a check or cross icon on the original page; only cells with text are reproduced here.

Edgewise Protect

Protects Workloads and Stops Attacks

Stop lateral movement of malicious software that bypasses firewalls. Lock down your cloud and allow only verified applications to communicate over approved pathways. Receive alerts for any anomalous communication.

Eliminates Network Attack Surface

As much as 95% of network pathways are not required for normal business use. Eliminate unneeded application communication paths and protect the rest by mutually validating connections before a single packet is sent.

Immediate Time To Value

Apply workload protection policies in minutes, not days or months. Quickly approve machine-learned and automatically-built policy recommendations.

 