Hybrid Mesh Firewall Management with Indeni

With the emergence of cloud and firewall as a service (FWaaS), network firewalls are evolving into hybrid mesh firewalls. In this magazine article (page 114), I discussed hybrid mesh firewall management requirements. Hybrid mesh firewalls have various deployment types to secure on-premise cloud environments and remote users with firewalls. Cloud firewalls and FWaaS introduce the concept of different administrative domains. Each administrative domain provides a separation of management across multiple organizations. This adds complexity making troubleshooting especially challenging. When a user accesses an application, it crosses multiple administrative domains. When something goes wrong, imagine the finger pointing that can potentially happen. So, even though FWaaS is not your direct responsibility, you need a similar level of visibility as you do with your on-premise firewalls. You should always be aware of the availability of the firewall service.

In this blog, we’ll discuss how Indeni supports your hybrid mesh firewall deployment in a multi-vendor environment across different administrative domains. We’ll cover key monitoring and automation requirements.

Hybrid Mesh Firewall Monitoring & Automation

For each deployment type, we’ll explore the management requirements. We’ll look at how Indeni supports Hybrid Mesh Firewalls.

#1 – Conventional On-Premise Firewalls 

You manage and control your on-premise firewalls. From a single management console, you expect to see operational data relating to your data center and remote firewalls to get a sense of the big picture. 

Today, Indeni supports all leading firewall vendors. From an intuitive GUI, you can easily navigate to critical information about your firewalls. You can quickly identify issues in your environment. Indeni is known for its proactive alerts. Indeni has an uncanny ability to identify lurking issues that can become bigger problems. With advance notifications of hidden issues, you can avoid costly disruptions.

Issues are segmented by categories so you can easily identify the type and severity of the issues. The categories include:

  • Device health checks, including proactive alerts and recommended remediation steps to quickly restore services. For some of the common and high impact issues, we can kick off automated investigative steps that are normally run manually to determine the root cause of the problem. This automation not only drastically reduces the time spent on troubleshooting issues, but also reduces the total time that the problem can affect your environment
  • High Availability readiness such as identifying misconfigurations to ensure the switchover is seamless in the event of a failure and ensuring HA best practices are adhered to 
  • Ensuring critical external services are reachable such as NTP, DNS, Identity servers, management servers, rating services, black/white lists, threat intelligence feeds, etc.
  • Identifying security risks, including regulatory compliance, common vulnerabilities and exposures
  • Ensuring vendor and industry best practices are followed to minimize problems
  • Advanced notifications for easily forgotten ongoing maintenance tasks to avoid service disruptions
  • Ensuring organization standards are followed for audit purposes and problem avoidance 

#2 – Cloud Firewalls 

If the cloud firewalls are under your administrative domains, you can use the Indeni management console to manage them. Firewall vendors support a variety of form factors including appliances and virtual machines for public cloud deployments. Indeni can support many different form factors and cloud-based firewalls. 

In a typical hybrid cloud deployment, the management server is deployed in the private data center along with your on-premise firewalls. You also have your cloud-based firewalls in the public cloud. For these cloud-based firewalls, it is important that a trusted connection is always maintained between your cloud firewall and its management server, whether it’s to ensure firewall policies are updated in a timely manner or configuration updates are pushed to the cloud firewalls. One of the unique capabilities of Indeni is that we’re purpose built for firewalls. Therefore, we understand that firewalls require many critical external services to properly do their job. In this case, ensuring connectivity to the firewall manager is a basic feature of Indeni. 

One of the advanced features of cloud-based firewalls is auto-scaling. Firewall instances in a public cloud can scale up or down in response to changes in demand. Indeni supports auto-scaling for certain firewalls. We periodically query the firewall manager to learn about new firewall instances in a scale out event. Upon detection of a new device, we dynamically add it to the system for monitoring and automation. When we detect a scale-in event, we remove the device from the system.  

If the cloud firewalls are not under your administrative domains, they are considered as FWaaS. We’ll discuss how Indeni supports FWaaS in the next section.

#3 – FWaaS 

FWaaS is a network security technology referring to a cloud firewall that delivers firewall capabilities similar to your on-premise firewalls. These firewalls are managed by your service providers. They can be offerings from your cloud service providers or security vendors.  Although you don’t manage them, you want to ensure the provider’s firewalls are working. You expect them to detect issues before they cause disruptions. More importantly, you need to ensure the necessary components on your side that are connecting to the service are working to avoid finger pointing.

With FWaaS, your users can access applications in the data center, public cloud and SaaS securely from anywhere. FWaaS sits between a user and an application. It inspects all the traffic and controls which applications are available to the user, regardless of whether the application is behind your on-premise firewalls, deployed in a public cloud or a SaaS application. 

FWaaS typically leverages an on-premise component, often called connector, to connect your applications and the service. A connector provides the secure authenticated interface between your applications and the FWaaS. The connectors are deployed in the data center and the public cloud. To connect the data center and the FWaaS, you establish either GRE or IPSec tunnels to connect the two locations. Today, Indeni has comprehensive support to monitor both GRE and IPSec tunnels. Indeni can also monitor the performance of these connectors. With FWaaS, the first thing you want to ensure is that these on-premise components are working as intended. You can learn more about our support here.

Summary

As you continue your hybrid cloud journey to secure your on-premises and multi-cloud environments, you can use Indeni as a single management console to provide the visibility you need for your hybrid mesh firewalls. We will continue to enhance our hybrid mesh firewall visibility and automation requirements to simplify your management needs. We invite you to share your requirements with us [email protected]


An avatar of the author

Ulrica de Fort-Menares is the Vice President of Product Management for Infrastructure Assurance.

Related content

Banner announcing BlueCat's acquisition of LiveAction, displaying both logos and the phrase "We're about to get bigger."

BlueCat acquires LiveAction to drive network modernization and optimization

BlueCat’s acquisition of LiveAction will allow customers to expand their view beyond DNS and dive deeper into the health of their network.

Read more

Simplify NIS2 compliance with DNS management

Learn whether the EU’s NIS2 requirements apply to your organization and about how DNS management and BlueCat can boost your path to compliance.

Read more

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

BlueCat has acquired LiveAction

It’s official! BlueCat has acquired LiveAction’s network observability and intelligence platform, which helps large enterprises optimize the performance, resiliency, and security of their networks.