SSE vs. Premise-Based Firewalls

In 2021, Gartner completed the SASE puzzle by introducing SSE as a standalone solution. SSE (Security Service Edge) is the network security portion of SASE (Secure Access Service Edge). Some companies don’t need the Access (mainly SD-WAN) portion of SASE, so SSE is what they should be looking at.

The SASE Formula: SD-WAN + SSE = SASE

Most of the time, when we get clients looking at SSE, they want to move away from an environment with premise-based firewalls. But do they really need to? Let’s talk about it!

Features Included in On-Prem Firewalls

The list of features for on-prem firewalls vs. SSE is one of the main differentiators between the two. Technically, SSE includes FWaaS (firewall as a service), so SSE includes a lot of the features listed below, and more.

These can vary from provider to provider, but here are the common features within a premise-based next-generation firewall:

  • Application Control
  • Deep Packet Inspection
  • Filtering (URL, DNS, Content, Geography)
  • Anti-Malware/Anti-Spam/Antivirus
  • Intrusion Detection and Prevention
  • SSL Decryption and Inspection
  • User and Group Control

Features Included in SSE

Just like firewalls, SSE solutions vary from provider to provider. Here are the common features within SSE:

  • CASB (Cloud Access Security Broker)
  • SWG (Secure Web Gateway)
  • FWaaS (Firewall as a Service)
  • ZTNA (Zero Trust Network Access)
  • RBI (Remote Browser Isolation)
  • DLP (Data Loss Prevention)
  • WAAPaaS (Web Application and API Protection as a Service)

If you’d like a full breakdown of each of these features and the types of companies that benefit from them, take a look at this post next.

Network Configuration Differences

Aside from a difference in features available, the architecture of each setup is the other big difference between SSE and on-prem firewalls. On-prem firewalls are…well…on-prem. They are devices that sit at a specific location. It can be a branch office, headquarters, or a data center. In order to utilize the security features within the firewall, all traffic must pass through it. This means regardless of where it’s going, all traffic must travel to a location with a firewall first.

Typically, if a company has a distributed workforce (i.e., they have employees based in different regions of the US, or globally), they will have a firewall hub in each region. With this setup, for example, someone working in Washington might be able to use a firewall hub in Seattle or Portland, instead of all their traffic “hairpinning” through the Midwest or East Coast. Excessive “hairpinning” can drastically increase latency and hinder the end-user experience for critical applications.

On the other hand, SSE is cloud-based. These providers have built out cloud-based POPs that house all the security functionality described above. Now, instead of traffic heading for a firewall hosted in a data center or branch site, all traffic will go through the POP closest to the user, then to wherever it needs to go (public internet, cloud/SaaS applications, a data center with on-prem applications, etc.).

Some SSE providers even have a network backbone (i.e., “middle mile”) connecting their POPs, which can significantly cut down on latency for long-haul traffic. For example, if I’m sitting in Washington and I need to access an application that is hosted in Virginia, I can connect to a POP in Seattle and ride the network backbone to the POP closest to my application, instead of relying on the public internet that whole distance. This middle mile becomes even more beneficial when looking at international environments. The public internet throughout the US is relatively reliable in most regions, but that’s not always the case overseas.

These POPs are typically deployed globally, although this is a great question to ask any potential SSE provider!

Scenarios That Make Sense for Premise-Based Firewalls

Since on-prem firewalls are limited in nature when it comes to location of employees and security features, there are only a couple of specific scenarios where it would make sense to stick with these.

  1. Companies whose employees live in specific geographic regions and do not travel for work. Ideally, these employees are close to an office location that serves as a firewall hub.
  2. Companies that are using premise-based applications hosted in a data center that also hosts the firewall. Ideally, these applications would be hosted in the same region(s) as the employees.

If the on-prem applications and firewalls are close to the users, then on-prem firewalls might make sense for that environment. Examples of industries that often fall into this category include manufacturing, regional credit unions, universities, etc. You’d still get more network security functionality with SSE, but the benefit might not outweigh the cost for companies using this setup.

Scenarios That Make Sense for SSE

In today’s working environment, SSE can increase the security posture of almost any company. Here are a few specific scenarios where SSE makes sense:

  1. A hybrid or remote workforce: Since SSE is cloud-based, it doesn’t matter where a user is physically working from. They can access the security functionality at the POP closest to them. If they travel for work, they can even switch between POPs, always accessing the most efficient option.
  2. Companies that are moving toward more cloud and SaaS-based applications: With features like CASB, SWG, and more, connections to these applications and the public internet are secured. Read more about these features here!

Conclusion and Market Trends

After the Covid pandemic, we all saw a huge change in the workforce. More and more companies are letting their employees work remotely, or at least in a hybrid setup. In my opinion, this is why SASE and SSE took off like they did. They were introduced to the market at the perfect time.

In addition to a remote workforce, we’re also seeing more and more companies ditching on-prem applications and moving most of their workload to the cloud, or to SaaS applications such as Microsoft 365, Salesforce, Zendesk, Zoom, RingCentral, and more.

Taking these two undeniable trends into consideration, SSE tends to be a fit for most of the clients we’re talking to. We can think about SSE as the next evolution of an on-prem firewall. It includes the features that you’ll find in a traditional firewall, and so much more. Of course, there will always be scenarios where an on-prem firewall still makes sense, but the vast majority of clients that come to us with network security needs end up choosing one of the many SSE platforms that we represent.

If you’d like to learn more about SSE or SASE, or you’d like to chat about a specific scenario and see if it’s a fit for SSE, fill out this form and we’ll be in touch shortly.