
Enterprises demand next-generation firewalls with IPS, app visibility

By Shamus McGillicuddy, News Editor, SearchNetworking.com
30 Oct 2009 | SearchSecurity.in


The days of the first-generation firewall are numbered as enterprises begin to demand more from these venerable network security devices than just standard port and protocol protection.

Many vendors and analysts talk about next-generation firewalls, devices that integrate traditional firewall capabilities with other network security capabilities, particularly application layer intrusion prevention system (IPS) functions.

In a recent research note, Gartner analysts John Pescatore and Greg Young estimated that 1% of all enterprise Internet connections today are secured with next-generation firewalls. They believe that by 2014 that ratio will increase to 35%, with 60% of all new firewall purchases being next-generation products.

Defining next-generation firewalls

Many vendors tout their firewalls as next-generation products, but not all next-generation firewalls are created equal. Definitions of the technology vary, but most experts agree that deep integration of multiple network security capabilities in a single appliance is essential.

Forrester Research senior analyst John Kindervag said he looks at the next-generation firewall as what unified threat management (UTM) should be.

The next-generation firewall is a gateway device that decides whether to pass a packet on more than its Layer 3 and Layer 4 headers (source and destination address, protocol and port). It inspects Layers 3 through 7 and identifies the application carried in the payload, regardless of which port that application happens to use, which lets it enforce far more specific policies. The key to doing this without adding latency is a single pass: the packet is classified once and every function (firewall, IPS, Web filtering) consumes that classification, rather than the packet being handed from one engine to the next and reparsed each time.

"A lot of products have to open the packet up at the firewall. And if [the packet] is allowed, it reassembles the packet and sends it to the IPS, where it looks … at Layer 7 instead of Layer 3," Kindervag said. "The next-generation firewall is going to blur the distinction between UTM, firewalls, IPS -- all these point technologies that we have -- and it will be able to do it within a single CPU, within a single clock cycle [and] within a single path or flow, so that it has low latency. It has cost-effectiveness and it's replacing maybe multiple devices. It has application awareness and identity-of-the-user awareness, so it can provide much more threat intelligence."
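The difference between the port-and-protocol rule base Kindervag describes and a single-pass, application-aware one is easiest to see in code. The following is an added illustration, not code from any vendor mentioned in the article: a toy classifier that reads each packet once, labels the application from the first bytes of payload (an SSH banner, an HTTP request line, or the server_name in a TLS ClientHello), and then applies a rule base keyed on application and user instead of destination port. The packets, the user-to-address mapping, and the list of webmail hostnames are all constructed for the example.

```python
"""
Added illustration (not vendor code): a toy single-pass classifier that
decides on a packet using the Layer 3/4 headers *and* an application label
derived from the Layer 7 payload, compared with a classic port-only rule set.
Every packet below is constructed by hand; no traffic is captured.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical list of hostnames the organisation treats as webmail.
WEBMAIL_DOMAINS = ("mail.example.com", "webmail.example.net")


@dataclass(frozen=True)
class Packet:
    src: str        # Layer 3: source IP
    dst: str        # Layer 3: destination IP
    dport: int      # Layer 4: destination port
    payload: bytes  # Layer 7: first bytes the client sent
    user: str       # identity already mapped to src (assumed directory lookup)


def make_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello carrying a server_name extension."""
    name = server_name.encode()
    sni_ext = struct.pack("!H", len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext          # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                  # one cipher suite
            + b"\x01\x00"                                         # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if absent/not TLS."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 5 + 4                                   # skip handshake type + length
    p += 2 + 32                                 # client_version + random
    p += 1 + payload[p]                         # session id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher suites
    p += 1 + payload[p]                         # compression methods
    end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
        p += 4
        if ext_type == 0:                       # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
            return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None


def identify_app(pkt: Packet) -> str:
    """One pass over the payload: label the application regardless of port."""
    p = pkt.payload
    if p.startswith(b"SSH-"):
        return "ssh"
    sni = tls_sni(p)
    if sni is not None:
        return "webmail" if sni.endswith(WEBMAIL_DOMAINS) else "ssl"
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    return "unknown"


# Classic rule set: the decision depends on destination port only.
PORT_POLICY = {80: "allow", 443: "allow", 22: "deny"}


def port_decision(pkt: Packet) -> str:
    return PORT_POLICY.get(pkt.dport, "deny")


# Application-aware rule set: (application, user, decision); "*" matches any user.
APP_POLICY = [
    ("webmail", "*", "deny"),
    ("ssh", "netops", "allow"),
    ("ssh", "*", "deny"),
    ("http", "*", "allow"),
    ("ssl", "*", "allow"),
]


def app_decision(pkt: Packet) -> str:
    app = identify_app(pkt)
    for rule_app, rule_user, decision in APP_POLICY:
        if rule_app == app and rule_user in ("*", pkt.user):
            return decision
    return "deny"                               # default deny, which also covers "unknown"


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLES = [
    Packet("10.0.0.5", "192.0.2.10", 443, make_client_hello("www.example.com"), "alice"),
    Packet("10.0.0.5", "203.0.113.10", 443, make_client_hello("mail.example.com"), "alice"),
    Packet("10.0.0.7", "198.51.100.9", 443, b"SSH-2.0-OpenSSH_8.9\r\n", "bob"),     # SSH hidden on 443
    Packet("10.0.0.8", "198.51.100.9", 22, b"SSH-2.0-OpenSSH_8.9\r\n", "netops"),
    Packet("10.0.0.9", "192.0.2.44", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n", "carol"),
]


def compare() -> List[Tuple[str, str, str]]:
    """(application label, port-only decision, app-aware decision) per sample packet."""
    return [(identify_app(p), port_decision(p), app_decision(p)) for p in SAMPLES]


if __name__ == "__main__":
    for (app, by_port, by_app), pkt in zip(compare(), SAMPLES):
        print(f"{pkt.user:7} dport={pkt.dport:5} app={app:8} port-rule={by_port:5} app-rule={by_app}")
```

The port-only rule base passes webmail and a tunnelled SSH session because both arrive on 443, and blocks legitimate HTTP on 8080; the application-aware one gets all three right and can also condition SSH on the user. Two caveats a practitioner would add: the label comes from plaintext hints only, so a ClientHello without a server_name, or one whose name is encrypted, falls back to the generic "ssl" label and whatever policy that carries; and an "unknown" label hits the default deny, which is exactly the over-blocking trade-off Shaffer describes later in the article.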

Next-generation firewalls can consolidate network security operations

Consolidation of network security devices was an important factor in John Shaffer's decision to switch from Juniper Networks firewalls to Palo Alto Networks firewalls. Shaffer, director of global systems and technology for Greenhill and Company, a mergers and acquisitions financial advisory firm, said he had always loved Juniper's firewalls because of their ease of use and their VPN capabilities. But the IPS features that Juniper touts as next-generation just weren't robust enough for him.

"I've been looking at different tools to deal with malware and spyware from different vendors, and it might have been any vendor that had specific boxes for that," Shaffer said. "Tipping Point has [its] box, and Blue Coat has [its] box. So you're looking at taking all these different boxes and having to manage them separately. It becomes a little complicated. We were concerned about being able to block webmail. How do we block it, from a compliance standpoint, from coming into the organization? Standard firewalls don't do that, so you need something else.

"Finding a vendor that consolidated those functions into a single unit, for someone like us, who has a fairly small IT department [fewer than 10 staff members], that is really big," Shaffer continued, "because there is a lot of work involved in keeping these things up and going."

He decided to deploy Palo Alto firewalls in his network because of the IPS capabilities and the application visibility they provide. He said there are standalone IPS boxes out there that might have better capabilities than his Palo Alto firewalls, but chances are he wouldn't be able to use them to their fullest extent because of his limited resources. One IT administrator managing a firewall, a Web filtering gateway and an IPS box separately won't have enough time to optimize all three boxes, whereas he can get the most out of Palo Alto's IPS features because it is easier to manage IPS and basic firewalling in one box.

"Palo Alto's application visibility gives you a much more in-depth view of what's going on [and] what types of applications are out there," Shaffer said. "But you're not 100% guaranteed that you're not going to get something that comes through. If you have people that travel, you're not guaranteed that people are not going to get something outside the network and then bring it back in. I want to continually block more threats as much as possible, but I guess it's a fine line. If you block too much, then the things that you want to work don't."

Kindervag said Palo Alto is one of the more successful next-generation firewall vendors on the market because the startup's products are relatively new. Being a newer vendor means it doesn't have as much legacy code to deal with. Its hardware and software is purpose-built for next-generation features. More established vendors have older code bases and older hardware architectures to work with, and they're not going to start from scratch.

Watch out for next-generation firewall hype

Some of the more traditional firewall vendors are starting to move toward next-generation devices, Kindervag said.

"Juniper, by moving to JunOS, has the opportunity to create some interesting plays," he said. "I don't know if they're fully done with that yet. Their transition from ScreenOS to JunOS is not yet … complete."

In the meantime, enterprises should be wary of vendors' claims that they are producing next-generation firewalls. Everyone has his own definition, and enterprises might find that their standards exceed those of some vendors.

"I think it's hard to cut through the marketing hype right now," Kindervag said. "You have to look at a couple things: You have to look at the hardware architectures. Go underneath the hood and [ask] … does it have a processor fast enough to process all these packets all the way through Layer 7 in near real time? Because we don't want latency to destroy applications like VoIP."

If a firewall vendor is using traditional server-style hardware with general-purpose processors, the enterprise should be skeptical that the vendor can get the compute power necessary to inspect a packet across multiple layers and perform the analysis needed for all the next-generation functions enterprises are looking for, without the latency Kindervag warns about.

"The second thing you look at is how elegant the software is," Kindervag said. "If it's hard to configure and hard to manage and seems old school, it probably is old school. If you have to do a lot of things behind the scenes with command line, it's probably pretty darn old code, because no one creates code with that kind of interface anymore."

