Cato Networks

Cato Cloud firewall function

What is a Firewall?

A firewall is a system or product that is installed between the Internet (outside the company) and the company's internal network and protects internal resources from unauthorized access and cyber attacks by determining and controlling whether or not communication can pass according to pre-determined rules.

The problem with on-premise firewalls

Firewalls have traditionally existed on the boundaries between inside and outside a company, but in recent years, they have come to be criticized for their operational burden and high costs. They need to be physically installed at each location, and different settings for each location need to be entered into the management console of each device. In addition, maintenance requires a visit to the site, which can lead to high costs associated with installation and maintenance.

Other issues that may arise include:

  • Possibility of security measures being delayed
  • Potential scalability issues

Here are some reasons why each of these issues may occur:

  • Possibility of security measures being delayed
    When implementing vulnerability countermeasures, firmware upgrades must be performed manually.
    A manual upgrade takes time to carry out, because the administrator has to schedule the upgrade date after the vulnerability countermeasure is announced.
    Additionally, if the work is not done properly because of the time and cost involved, the firewall may be left vulnerable to new attacks.
  • Potential scalability issues
    With the recent increase in SaaS application usage, traffic volume can increase dramatically as companies expand. In such cases, on-premise firewalls have device performance limitations, which can cause scalability issues.

Benefits of Cloud Firewalls

To solve the above problems, and in line with the recent shift toward cloud computing, companies are increasingly moving the on-premise firewall products they previously ran in-house to the cloud and operating them there.

The benefits of cloud-based firewalls include:

  • Reduction of operational burden
    Because nothing has to be physically installed at each location, both cost and deployment effort are reduced.
    On the operations side, the highly visual management console makes it possible to change settings remotely. Using this console to centrally manage the settings of every site reduces the burden on administrators.
  • Increased security level
    If your firewall is cloud-based, any upgrades or patches required to address vulnerabilities will generally be handled by the vendor, keeping it up to date.
    In addition, a cloud-based firewall can protect not only resources that reside within the company, but also resources that reside on IaaS on the Internet.
  • High flexibility
    Firewalls provided through the cloud on the Internet can be operated flexibly, scaling as needed and reducing unnecessary costs.
    It also helps prevent network bottlenecks, since traffic does not have to go through physical devices.

What is Cato Cloud Firewall?

Now let me explain what features Cato Cloud's cloud-based firewall has.
Cato Cloud has three types of firewalls: Internet Firewall, WAN Firewall, and LAN Firewall.

*The LAN Firewall controls communication between hosts within the same location. Since this communication does not go through Cato Cloud, we will not explain it here.

The difference between these firewalls is the type of communications they control.
First, the Internet Firewall controls communications to the Internet from remote access users and branch offices via Cato Cloud.
The WAN Firewall, on the other hand, controls communications among remote access users and sites.
Cato Cloud combines these features to cover the following functions that are commonly found in firewalls:

  • URL filtering function
  • Monitoring Features

*NAT, which general firewalls usually provide, is not handled by the firewall function in Cato Cloud but by a separate function called Network Rules.

URL filtering function

Like a typical firewall, an Internet/WAN Firewall evaluates communications based on rules, and if the communications match any of the rules, they are controlled according to the rules.

In addition, the Cato Cloud rules allow you to set the following items, and when communication occurs via Cato Cloud, the communication will be evaluated according to the set rules.

  • Source
  • Device (state of source device)
  • App/Category (What kind of destination or application is this communication for?)
  • Service/Port (Which port/protocol is used for communication)

The source can be a specific site or remote access user, and it can also be specified by IP address or group. In addition, internal users can be controlled on a group basis using group information from Azure AD or an on-premise AD server.
In Device, the source device can be specified by attributes such as geographical information and installed anti-malware.
App/Category specifies the destination and application, and the destination can be specified by common FQDN, domain, or IP address. Many common applications (Box, Slack, Twitter, etc.) are predefined on the Cato side, and you can specify these.
Additionally, Cato Cloud's firewall supports all ports/protocols.

Each rule specifies the action to apply to communications that match it: Allow, Block, or allowing the communication itself while displaying a warning screen to the user who initiated it.

Monitoring Features

Cato Cloud's firewall also has a notification function for administrators, just like a general firewall. If communication that matches a specific rule occurs, as shown below, it is possible to send notifications to specified mailing lists, Webhooks, and applications such as Jira and Teams. By using this, administrators can be aware that high-risk communication is taking place.

In addition, when communication matches a rule, a log containing information about the sender, destination, and communication is output. From this output log, administrators can understand which rules match the most communications and consider how to handle them in the future.
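The rule evaluation and per-rule log analysis described in the two sections above can be modelled offline. The following is an added example, not Cato code and not from the original page: it uses no Cato API, and the field names, the ordered first-match evaluation, the default action, and the sample rules and flows are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:                       # hypothetical model; None means "any"
    name: str
    action: str                   # "allow", "block", or "prompt" (allow + warning screen)
    source: str = None            # CIDR standing in for a site or user range
    device_country: str = None    # stand-in for the Device condition
    app: str = None               # App/Category
    port: int = None              # Service/Port
    notify: bool = False          # notify administrators when this rule matches

    def matches(self, flow):
        if self.source and ip_address(flow["src"]) not in ip_network(self.source):
            return False
        if self.device_country and flow["country"] != self.device_country:
            return False
        if self.app and flow["app"] != self.app:
            return False
        return self.port is None or flow["port"] == self.port

def evaluate(rules, flow, default="block"):
    """Return (action, log_event) for the first matching rule (assumed ordering)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, {"rule": rule.name, "src": flow["src"],
                                 "app": flow["app"], "notify": rule.notify}
    return default, {"rule": "(default)", "src": flow["src"],
                     "app": flow["app"], "notify": False}

def run(rules, flows):
    results = [evaluate(rules, f) for f in flows]
    events = [event for _, event in results]          # one log event per flow
    hits = Counter(e["rule"] for e in events).most_common()
    return [a for a, _ in results], hits, [e for e in events if e["notify"]]

# Constructed sample rules and flows, for illustration only.
RULES = [
    Rule("warn-social", "prompt", app="Twitter"),
    Rule("branch-box-https", "allow", "10.1.0.0/16", "JP", "Box", 443),
    Rule("block-box-elsewhere", "block", app="Box", notify=True),
]
FLOWS = [dict(zip(("src", "country", "app", "port"), f)) for f in [
    ("10.1.4.20", "JP", "Box", 443), ("10.2.9.7", "JP", "Box", 443),
    ("10.1.4.21", "JP", "Twitter", 443), ("10.1.4.24", "US", "Box", 443),
    ("10.1.4.23", "JP", "Slack", 443)]]
```

Calling `run(RULES, FLOWS)` returns the action per flow, the rules ranked by hit count, and the events that would trigger a notification; the fourth flow shows a Device mismatch pushing Box traffic from an allowed site down to the block rule.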

Cato Cloud as a Next-Generation Firewall

As explained above, it is possible to perform the same control as a general firewall, but Cato Cloud can also function as a next-generation firewall when combined with other functions it has.

  • TLS Inspection
    By using SSL decryption, it becomes possible to check and control the contents of encapsulated communications.
  • IPS (Intrusion Prevention System)
    It is possible to detect and block malicious communications, such as cyber attacks and phishing, that pass through Cato Cloud.
  • Application Control
    As explained in the previous section, Cato Cloud's firewall enables detailed communication control at the L7 application level.

Summary

  • Firewalls, which were traditionally installed on-premise within a company's internal network, are increasingly being moved to the cloud in response to issues and trends that have come to light in recent years.
  • The two types of firewalls provided by Cato Cloud can cover many of the functions of general firewalls, and also provide the opportunity to improve security and reduce operational burden by using the cloud.
  • Cato Cloud can also combine the firewall with multiple other functions to function as a next-generation firewall.

Document request

This time, we have focused only on the firewall function of Cato Cloud, but Cato Cloud is a product in the security field known as SASE, and is capable of comprehensively providing a variety of functions that are essential for modern corporate networks, such as SD-WAN, ZTNA, and SWG.

If you are considering replacing your existing firewall and would like a detailed comparison of the features of your existing product with Cato Cloud or information about other features of Cato Cloud, please contact us.
