Loading...
BNM RMiT · PCI DSS · ISO 27001
Firewall-as-a-Service Malaysia
Enterprise next-generation firewall hardware, fully managed on a 36-month lease. SSL inspection, IPS, sandboxing, and SD-WAN — with zero capex and a hardware refresh at month 30.
Threat Landscape
The perimeter is still the most exploited attack surface
Despite years of "perimeter is dead" commentary, the internet-facing edge remains the most common initial access vector in Malaysian enterprise breaches. The 2024 Malaysia Cyber Security Threat Landscape Report by CyberSecurity Malaysia identified external-facing services — remote desktop, VPN, and web applications — as the dominant initial access path. An unmanaged or poorly configured perimeter firewall creates a predictable attack surface that threat actors enumerate routinely with automated scanning tools that cost nothing to operate.
Three threat scenarios that a managed NGFW directly mitigates: (1) Exploitation of unpatched CVEs in perimeter services — a managed firewall with IPS detects and blocks exploit attempts within minutes of signature release, whereas an unmanaged appliance may sit unpatched for weeks or months. (2) Encrypted-tunnel abuse — adversaries increasingly route command-and-control, data exfiltration, and lateral movement through HTTPS. Without SSL inspection, a traditional firewall is effectively blind to the majority of modern threat traffic. (3) Misconfigured access lists — firewall rules accumulate over years; unused rules expand the allowed-traffic surface without anyone noticing. Quarterly policy review as part of the managed service continuously reduces this exposure.
The managed leasing model solves not just the hardware procurement problem but the operational problem. Most SMEs and mid-sized organisations in Malaysia cannot maintain a dedicated firewall operations team. The result is a technically capable piece of hardware running a stale configuration that no one is actively monitoring. nCrypt's 24/7 management converts a passive appliance into an active control.
Why Lease
The total cost case for leasing your firewall
A Sophos XGS 2100 or Fortinet FortiGate 60F — the most common SMB firewall models — carries a list price in the RM 8,000–25,000 range for the hardware alone. Add three years of subscription licences for IPS, web filtering, and sandboxing (typically 30–40% of hardware cost per year), and the all-in three-year cost of buying outright is often RM 35,000–70,000. That figure is before any management cost — if your IT team manages the device internally, add the allocated staff time; if you hire a managed service provider, add their fee on top.
Under the lease model, the SMB monthly range is RM 1,200–1,800, covering the appliance, all licences, and nCrypt 24/7 management. Over 36 months that is RM 43,200–64,800 — comparable to buying outright, but with management included, firmware handled, a hardware refresh at month 30, and no capital commitment. The comparison improves further for Mid-Market and Enterprise configurations where the management cost of in-house operations is proportionally larger.
For organisations subject to BNM RMiT obligations, the audit pack included in every bundle has tangible value — it saves meaningful preparation time before each regulatory review. See also our managed security leasing overview for the full category comparison, and our SOC service if you need monitoring capability beyond the firewall layer. For comprehensive perimeter and application security, consider pairing with WAF-as-a-Service and NAC-as-a-Service.
Frequently asked questions
How does Firewall-as-a-Service help Malaysian organisations meet BNM RMiT requirements?
BNM RMiT Section 10 requires financial institutions to implement perimeter controls that enforce network segmentation, inspect encrypted traffic, and generate audit-grade logs. A managed next-generation firewall — running SSL/TLS inspection, IPS, web filtering, and sandboxing — maps directly to these controls. nCrypt supplies an RMiT-aligned audit pack with each bundle, covering policy evidence, change logs, and a quarterly review attestation that regulators and auditors accept as control evidence.
What is the difference between a next-generation firewall and a traditional firewall?
A traditional stateful firewall makes forwarding decisions based on IP address and port. A next-generation firewall (NGFW) adds application-layer awareness — it identifies the application regardless of port, inspects encrypted HTTPS traffic using SSL inspection, detects and blocks exploits using an intrusion prevention system, sandboxes suspicious files before they reach endpoints, and enforces user-identity-based policies. The difference is not incremental; NGFW is the current minimum viable perimeter control for any organisation handling regulated data.
Will the firewall inspection slow down our internet connection?
Modern NGFWs are hardware-accelerated — SSL inspection, IPS, and sandboxing run on dedicated ASICs rather than general-purpose CPUs. Throughput impact on Sophos XGS and Fortinet FortiGate units at typical office workloads is under 10% in our measured deployments. We size the appliance to your actual throughput requirements during the week-1 site survey, not against headline marketing specs.
Can the managed firewall protect our SD-WAN branches?
Yes. Both Sophos and Fortinet support SD-WAN natively. Branch offices receive a smaller appliance — sized to branch user count and throughput — that is centrally managed from the HQ management console. SD-WAN policy, including application-based path selection and WAN failover, is included in the bundle configuration. Branches can be added mid-term as a contract amendment.
What is included in 24/7 firewall management?
24/7 management covers continuous monitoring of firewall health and alert queues, alert triage with escalation for high-severity events, emergency policy changes within a 1-hour SLA for critical business needs, firmware updates on a tested patch cycle, quarterly policy reviews where unused rules are removed and access lists are re-certified, and an annual rule-base optimisation. Monthly reports cover top-blocked categories, top-talker IPs, IPS trigger summaries, and any policy changes made in the period.
How does the month-30 hardware refresh work in practice?
At month 30 we procure a replacement appliance — same model or the current-generation equivalent if a new platform has been released. We pre-configure it offline using an export of your current policy, ship it to your site, run a parallel test for 48 hours, then cut over. The old appliance is returned to the vendor under RMA. You experience no downtime and no policy disruption. The replacement is included in the monthly fee — there is no additional cost.
Hardware-as-a-Service · 36-month bundle
Enterprise firewall hardware, fully managed. From RM800/month.
Sophos XGS or Fortinet FortiGate — appliance, licences, 24/7 management, and refresh-at-month-30 in one monthly bill.
What's included in the bundle
NGFW appliance sized to your branch / HQ
All security licences (IPS, AV, sandboxing, web filter)
24/7 monitoring & change management
Quarterly policy reviews
Hardware refresh at month 30
Vendor SLA passthrough
Who this is for
- ✓Multi-branch retailers consolidating perimeter security
- ✓BNM-licensed FIs needing RMiT-aligned perimeter controls
- ✓Healthcare networks segmenting PHI traffic
- ✓SaaS startups graduating from cloud firewalls to hybrid
Deployment timeline
Week 1
Site survey, sizing, rule-base import from existing firewall
Week 2
Appliance delivery, staged cutover, parallel run
Ongoing
24/7 monitoring, monthly tuning, quarterly reviews
Sample bundles by company size
SMB
RM 1,200 – 1,800 / month
Single Sophos XGS 2100 or Fortinet FortiGate 60F, ~50 users, single site
MidMarket
RM 2,500 – 5,000 / month
HA pair at HQ + 2-3 branch boxes, ~200 users
Enterprise
RM 6,000 – 15,000+ / month
HA pairs at multiple data centres, SD-WAN, centralised management, 500+ users
Aligned to your regulatory obligations
BNM RMiTPCI DSSISO 27001
Frequently asked questions
Need a one-off engagement instead of a leased bundle?
See our consulting service →Get a Firewall leasing quote
Share your user count, locations, and current stack. We'll respond within 24 hours.
Ready to size Firewall for your environment?
Three minutes in the calculator. A precise quote emailed within 24 hours.
Financing available via our partner financial institutions. Indicative monthly figures based on standard 36-month terms; final pricing subject to credit assessment and signed master service agreement.