🍾Why a Hosted Firewall with IPSEC Tunnels is Like Hiring Drunken Security Guards 🥴

Ronald Bartels

Imagine you run a business with multiple locations, and instead of securing each branch properly, you decide to centralize security at your head office. At each location, you place a security guard who has one job: pass messages back and forth to the head office without doing anything to actually secure the premises. Even worse, these guards are constantly drunk, meaning they can be unreliable, slow, and sometimes completely oblivious to security threats. This is exactly what happens when businesses deploy a hosted firewall in a data centre while relying on routers with IPSEC tunnels to connect their edge locations.

Many IT teams falsely believe that this is a robust security solution. In reality, it introduces massive vulnerabilities and performance issues, and it completely ignores the fundamental principle of defense-in-depth. Let’s break down why this approach is fundamentally flawed and why a true Secure Edge SD-WAN is the only way forward.


The Myth: "A Hosted Firewall Protects Everything"

The logic behind a hosted firewall with IPSEC tunnels goes like this:

  1. Keep all security enforcement at the data centre.

  2. Have all branches connect securely via IPSEC tunnels.

  3. Let the central firewall inspect all traffic.

  4. Job done! Right?

Wrong. Here’s why:

  1. Lack of Local Security – Your router at the edge is just an IP tunnel endpoint. It does nothing to inspect or enforce security policies before traffic reaches your core firewall.

  2. Single Point of Failure – If your central firewall is down or congested, your entire network security collapses.

  3. Performance Bottlenecks – Backhauling all traffic through the data centre creates latency and bandwidth issues.

  4. No Intelligent Routing – IPSEC tunnels do not provide dynamic path selection or performance-based routing.

  5. Zero Local Threat Mitigation – If an attacker compromises a branch office, there is no security mechanism stopping lateral movement.


The Reality | Security at the Edge is Essential

With the growing sophistication of cyber threats, security must be distributed and not reliant on a single, centralised point. SD-WAN with Secure Edge fixes every flaw of the hosted firewall model:

  • Localised Security Enforcement – SD-WAN ensures that security rules are applied at the edge, blocking threats before they reach the core network.

  • Zero Trust Network Access (ZTNA) – Ensures that only legitimate users and devices can communicate across locations.

  • Application-Aware Traffic Routing – Intelligent routing ensures critical applications take the best paths, reducing congestion and improving performance.

  • Distributed Threat Mitigation – Intrusion prevention, malware filtering, and DNS security are handled locally, meaning a compromised branch won’t infect the entire network.

  • Scalability – Unlike rigid IPSEC tunnels, SD-WAN can dynamically adapt to new locations and changing business needs.
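To make the two lists above concrete, here is an added toy model (not from the original post) of which flows actually pass an inspection point under each design. Site names and flows are constructed, and the edge model assumes the site's edge device enforces policy on all traffic it sees, including traffic that stays inside the branch.

```python
from dataclasses import dataclass

HUB = "hub"            # data centre hosting the central firewall
INTERNET = "internet"

@dataclass(frozen=True)
class Flow:
    src: str   # originating site
    dst: str   # destination: another site, the same site, HUB, or INTERNET

def hosted_firewall_path(flow, hub_up):
    """Hosted firewall + IPSEC: the branch router is only a tunnel endpoint,
    so everything leaving a site is backhauled through the hub. Traffic that
    stays inside the site never reaches any inspection point at all."""
    if flow.src == flow.dst:
        return [flow.src]
    if not hub_up:
        return []                              # no hub, no path: the flow fails
    return [flow.src, HUB] if flow.dst == HUB else [flow.src, HUB, flow.dst]

def secure_edge_path(flow, hub_up):
    """Secure edge SD-WAN (assumed model): every site enforces policy itself,
    internet traffic breaks out locally and site-to-site traffic avoids the hub."""
    if flow.src == flow.dst or flow.dst == INTERNET:
        return [flow.src]
    if flow.dst == HUB and not hub_up:
        return []                              # only flows *to* the hub need it
    return [flow.src, flow.dst]

PATHS = {"hosted": hosted_firewall_path, "edge": secure_edge_path}
ENFORCEMENT = {                                # where each model inspects traffic
    "hosted": lambda hop: hop == HUB,          # only the central firewall
    "edge": lambda hop: hop != INTERNET,       # every site's edge device
}

def evaluate(model, flows, hub_up=True):
    """Classify each flow as 'inspected', 'uninspected' or 'failed'."""
    result = {}
    for f in flows:
        path = PATHS[model](f, hub_up)
        if not path:
            result[f] = "failed"
        elif any(ENFORCEMENT[model](hop) for hop in path):
            result[f] = "inspected"
        else:
            result[f] = "uninspected"
    return result

# Constructed sample flows for a two-branch estate.
SAMPLE_FLOWS = [
    Flow("branch-a", "branch-a"),   # lateral movement inside a branch
    Flow("branch-a", "branch-b"),   # branch to branch
    Flow("branch-a", INTERNET),     # web traffic
    Flow("branch-b", HUB),          # access to a data-centre application
]

if __name__ == "__main__":
    for model in ("hosted", "edge"):
        for hub_up in (True, False):
            print(model, "hub_up=%s" % hub_up, evaluate(model, SAMPLE_FLOWS, hub_up))
```

Running it shows the hosted model leaving intra-branch traffic uninspected and failing every other flow when the hub is down, while the edge model only loses the flows that genuinely target the hub.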


Wrap | Time to Fire the Drunken Guards

A hosted firewall with IPSEC tunnels is a relic of the past. It’s the equivalent of hiring security guards who can’t see threats, make poor decisions, and rely on a single headquarters to do all the real security work. This model is inherently flawed and leaves businesses exposed, slow, and vulnerable.

The future is SD-WAN with Secure Edge, where security enforcement happens at the branch level, ensuring that threats are stopped before they ever reach the data centre. It’s time to retire the old model and embrace a security strategy that actually works.


🚀 Moral of the Story: Don’t trust drunk security guards (aka, routers with IPSEC tunnels). Invest in Secure Edge SD-WAN instead. 🔥

Written by

Ronald Bartels

Driving SD-WAN Adoption in South Africa