Next-generation firewalls can replace current security technologies across enterprises, both large and small. However, next-generation firewalls, also known as NGFW, are not all that new. The technology that underpins the devices has been around for some time. However, what is new is the integration and thoroughness of the protection offered, thanks to high performance processing and application awareness.
Perhaps "next generation" is not the best moniker for these firewalls, which do much more than just block ports and filter traffic. Nevertheless, the term has stuck and a brand new crop of security appliances are coming on to the market, each sporting the classification of next-generation firewall. So, mystery aside – what exactly is a NGFW, and more importantly, what can it do?
To fully comprehend what a NGFW is all about requires taking a look at how networks are protected. As the internet grew in popularity, network protection became a critical concern for IT managers and firewalls were placed at the edge of the network to prevent external threats from entering internal systems – hence, the name firewall. Those early firewalls used very rudimentary technology to block ports and control what access was allowed. Over time, firewalls evolved and added new capabilities, such as packet examination and malware inspection. Nevertheless, threats evolved as well, making those technologies obsolete as well.
The truth of the matter is that previous generation firewalls pose a serious security risk to today's organizations. Simply put, threats are now able to bypass much of the detection capabilities integrated into previous-generation firewalls. Even more troubling is the fact that undetected threats can wreck all sorts of havoc, without anyone ever knowing about it.
Traditional firewall technology has effectively become obsolete as the the technology fails to inspect the data payload of network packets circulated by today's Internet criminals. What's more is that traditional firewalls add latency to connections and many vendors tout Stateful Packet Inspection (SPI) speeds and capabilities only, not revealing the true measure of performance – which amounts to deep packet inspection throughput and effectiveness.
To address those performance and security concerns, most firewall vendors have implemented additional malware inspection capabilities, akin to what traditional desktop anti-virus solutions are supposed to do. However, that proves far from ideal, because to inspect for malware, the device must buffer downloaded files and then inspect the whole file for malware. That method not only introduces significant latency, it also poses significant security risks. That anti-malware technology relies on firewall based storage and must limit the maximum file size that can be processed.
A NGFW differs greatly from the packet inspection/anti-malware methodology used by traditional firewall vendors. In simple terms, a NGFW applies deep packet inspection (DPI) firewall technology by integrating intrusion prevention systems (IPS), and application intelligence and control. That allows the device to "visualize" the content of the data being accessed and processed.
Gartner defines an NGFW as "a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks." At minimum, Gartner states an NGFW should provide:
- Non-disruptive in-line bump-in-the-wire configuration.
- Standard first-generation firewall capabilities, e.g., network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN), etc.
- Integrated signature based IPS engine.
- Application awareness, full stack visibility and granular control.
- Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc.
- Upgrade path to include future information feeds and security threats SSL decryption to enable identifying undesirable encrypted applications.
The evolution of next-generation firewalls
The SPI generation of firewalls addressed security in a world where malware was not a major issue and web pages were just documents to be read. Ports, IP addresses, and protocols were the key factors to be managed. However, the Internet evolved, the ability to deliver dynamic content from the server and client browsers introduced a wealth of applications we now call Web 2.0.
Today, many applications are accessed via web connections, either by remote users, private cloud users and even internally. Many of those applications require access to TCP port 80 as well as encrypted SSL (TCP port 443), making those applications targets for malware, interception and a host of other nefarious activities.
A next-generation firewall addresses those concerns by inspecting the payload of packets and matches signatures for nefarious activities such as known vulnerabilities, exploit attacks, viruses and malware all on the fly. The inclusion of DPI allows administrators to create very granular permit and deny rules for controlling specific applications and web sites.
Full inspection of packets also means that lots of information can be gathered about traffic. In turn, that information can be used to normalize what are considered standard communications and make anomaly detection much more effective. The gathered data can also be used for statistical analysis, as well as forensics – giving administrators a full picture of what is going on traffic-wise. That enables administrators to perform capacity planning, troubleshoot problems or monitor what individual employees are doing throughout the day.
NGFW and application control
NGFWs offer a significant advantage when it comes to applications – since NGFWs are application aware, the devices can filter anomalous traffic and prevent intrusions, data theft and malware insertion. However, protection is only part of the application story of NGFWs, discovery and control are the other parts.
Many organizations are now experiencing chaos, at least when it comes to applications. Networks have evolved beyond simple store-and-forward applications, such as email. Today, real-time collaboration tools, such as Web 2.0 applications, instant messenger (IM), and peer-to-peer applications, Voice over IP (VoIP), streaming media and teleconferencing have become the primary means of passing data. However, each of those applications has become conduits for potential attacks.
Today, organizations need to deliver critical business solutions, while also contending with employee use of wasteful and often dangerous (from a security perspective) web-based applications. Critical applications need bandwidth prioritization while social media and gaming applications need to be throttled or completely blocked. Moreover, organizations can face fines, penalties and loss of business if they are in noncompliance with security mandates and regulations.
Further complicating the situation is that most organizations cannot differentiate between what is legitimate business use of those applications and what is not. What's more, many organizations do not have any control over those apps on the network and cannot account for what applications are running. Knowing what is running, who is using it and if the usage is legitimate is becoming the mantra of network security professionals and NGFWs are poised to help answer those questions, while adding more control and management to protect corporate assets.
Dealing with new threats
For enterprises, protection and performance must go hand-in-hand. Legacy firewalls simply don't offer enough protection, while hobbled together security appliances create unacceptable bottlenecks – a recipe for disaster. Any delays in firewall or network performance can degrade quality in latency-sensitive and collaborative applications, which in turn can negatively affect service levels and productivity. To make matters worse, some IT organizations even disable functionality in their network security solutions to avoid slowdowns in network performance.
Organizations are facing new threats from vulnerabilities in commonly-used applications, which are exacerbated by the popularity of social networks and interconnectedness solutions, which have become a breeding ground for malware and an ad hoc home for Internet criminals. At the same time, businesses are turning to online blogging, socializing, messaging, videos, music, games, shopping, and email more and more to engage customers, creating an even bigger concern for those looking to secure corporate resources.
Applications such as streaming video, peer-to-peer (P2P), and hosted or cloud-based services are now exposing organizations to potential infiltration, data leakage and downtime. What's more, those same applications are not only introducing security threats; they are also draining bandwidth and productivity while competing with mission-critical applications.
NGFWs can help, simply because they deliver application intelligence and control, intrusion prevention, malware protection and SSL inspection at multi-gigabit speeds, scalable to support the highest-performance networks.
NGFWs enable administrators to control and manage both business and non-business related applications to enable network and user productivity, and they can scan files of unlimited size across any port and without security or performance degradation. The number of simultaneous files or network streams does not limit high-end NGFWs, preventing infected files from slipping through undetected. In addition, NGFWs can apply all security and application control technologies to SSL encrypted traffic, ensuring that this does not become a new malware vector into the network.
NGFWs are clearly the future of protection for enterprise networks, offering a unified method for protecting applications, users and data by looking at what is actually occurring on the network and applying needed policies, as well as scanning for problems concurrently. The key here is to make sure that your NGFW can work with all of your existing applications, as well as be robust enough to deal with future use cases. When selecting a NGFW, administrators should make sure they choose one that is scalable to their projected network performance requirements, and offers network analytics and insight, and ease of implementation and administration.
Frank J. Ohlhorst is an award-winning technology journalist, author, professional speaker and IT business consultant. He has worked in editorial at CRN, eWeek and Channel Insider, and is the author of Big Data Analytics. His certifications include MCNE, MCSE, A+, N+, L+, and Security+.