Alfonso Barreiro explains the security capabilities that Next-Generation Firewalls are supposed to have and offers some tips on what to consider when researching them.
Firewalls commonly serve as the boundary between the Internet and an organization's private network. Traditional firewalls offer protection by controlling specific protocols and ports and by restricting traffic to and from specific IP addresses. These days, however, most attacks are web-based and pass easily through HTTP (port 80) and HTTPS (port 443), because most firewalls cannot identify malicious applications or traffic on those ports. The trusted firewall must evolve to defend effectively against these threats.
Enter the Next Generation Firewall
The term "Next Generation Firewall" (NGFW for short) is used to describe devices that go beyond traditional firewall functions by adding security capabilities such as intrusion prevention. The concept and the market segment are fairly new; their creation is widely credited to Palo Alto Networks, which introduced the first device of this type. Outside of security vendors, the term has been championed mostly by Gartner, which uses it to identify devices that have the following capabilities:
- Standard firewall features such as packet filtering, network address translation and VPN capabilities.
- "Integrated" network intrusion prevention.
- An "application awareness", capable of identifying applications and applying controls at the application layer (such as allowing Skype calls but blocking it from performing file transfers).
- The ability to obtain and use "extra firewall" intelligence to improve blocking decisions, such as the use of reputation services or identity services such as Active Directory.
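The difference between a port-based rule and an application-, identity- and reputation-aware rule is easiest to see on concrete traffic. The following is an added example, not code from the article or from any vendor: a minimal first-match policy engine in which a "legacy" ruleset sees only source network and destination port, while an "NGFW" ruleset also sees an application label, the user's directory group and a reputation verdict for the destination. All flows, application names, group names and rule names are constructed for the illustration; the labels stand in for whatever a real device's application identification, identity integration and reputation feed would attach.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection as the firewall sees it. The first three fields are all a
    traditional firewall has; the rest is the "extra firewall" intelligence an
    NGFW attaches (constructed labels for this example)."""
    src: str
    dst: str
    dport: int
    app: Optional[str] = None             # application id, e.g. "skype-file-transfer"
    user_group: Optional[str] = None      # group from an identity service such as AD
    dst_reputation: Optional[str] = None  # "good" / "malicious" from a reputation feed


@dataclass(frozen=True)
class Rule:
    """First-match rule. Every criterion that is set must match; an unset
    criterion (None or empty set) is a wildcard."""
    name: str
    action: str                          # "allow" or "deny"
    src_net: Optional[str] = None
    dports: FrozenSet[int] = frozenset()
    apps: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    reputations: FrozenSet[str] = frozenset()

    def matches(self, f: Flow) -> bool:
        if self.src_net and ip_address(f.src) not in ip_network(self.src_net):
            return False
        if self.dports and f.dport not in self.dports:
            return False
        if self.apps and f.app not in self.apps:
            return False
        if self.groups and f.user_group not in self.groups:
            return False
        if self.reputations and f.dst_reputation not in self.reputations:
            return False
        return True


def evaluate(rules: List[Rule], f: Flow) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule; deny by default."""
    for r in rules:
        if r.matches(f):
            return r.name, r.action
    return "implicit-deny", "deny"


# Traditional ruleset: outbound web from the internal range is allowed by port alone.
LEGACY_RULES = [
    Rule("web-out", "allow", src_net="10.0.0.0/8", dports=frozenset({80, 443})),
]

# NGFW-style ruleset: reputation first, then application controls, then plain web.
NGFW_RULES = [
    Rule("block-bad-reputation", "deny", reputations=frozenset({"malicious"})),
    Rule("skype-calls-staff", "allow", src_net="10.0.0.0/8",
         apps=frozenset({"skype-call"}), groups=frozenset({"staff"})),
    Rule("no-skype-file-transfer", "deny", apps=frozenset({"skype-file-transfer"})),
    Rule("web-out", "allow", src_net="10.0.0.0/8",
         dports=frozenset({80, 443}), apps=frozenset({"web-browsing"})),
]

# Constructed sample flows; every one of the first four rides on port 80 or 443.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 443, "skype-call", "staff", "good"),
    Flow("10.1.2.3", "203.0.113.10", 443, "skype-file-transfer", "staff", "good"),
    Flow("10.1.2.4", "198.51.100.7", 80, "web-browsing", "staff", "malicious"),
    Flow("10.1.2.4", "198.51.100.8", 443, "web-browsing", "staff", "good"),
    Flow("10.1.2.4", "198.51.100.8", 22, "ssh", "staff", "good"),
]


def compare(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[str, str, str]]:
    """(app, legacy decision, NGFW decision) for each flow."""
    return [(f.app, evaluate(LEGACY_RULES, f)[1], evaluate(NGFW_RULES, f)[1])
            for f in flows]


if __name__ == "__main__":
    print(f"{'application':22}{'port':6}{'legacy':8}{'ngfw'}")
    for f, (app, legacy, ngfw) in zip(SAMPLE_FLOWS, compare()):
        print(f"{app:22}{f.dport:<6}{legacy:8}{ngfw}")
```

Running it shows the point of the capability list: the legacy ruleset allows the Skype file transfer and the connection to the malicious-reputation host because both use port 443 or 80, while the NGFW ruleset allows the Skype call for the staff group, denies the file transfer, and denies the malicious destination regardless of port. Rule order matters; the reputation deny is placed first so that no later allow can override it.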
Be aware that just because a vendor uses the term, it doesn't necessarily mean their product will provide this particular set of functions. Vendors keep evolving their products, playing to their respective strengths or adding capabilities to differentiate themselves from the competition.
There is also some confusion with the term UTM (Unified Threat Management, coined by IDC) that also describes a multipurpose security device beyond the traditional firewall. A vendor could offer devices using either term or categorizing them in different segments. The most common segmentation strategy is using UTM to refer to devices aimed at small- to medium-sized organizations and the term NGFW is reserved exclusively for devices aimed at larger enterprises. Since the market and the products keep evolving, it's quite possible that one or both terms will eventually disappear, so perhaps it's more productive to focus on the features and their performance.
Things to consider when evaluating NGFW
Regardless of the terminology, these are complex devices, and the lack of a standard can make an apples-to-apples comparison of different products very difficult. To determine whether a device with a particular set of capabilities can help you, you must have a thorough understanding of your organization's needs and perform extensive testing:
- Architecture: Next generation devices should apply all of their security capabilities in a single inspection, demonstrating true integration of all components rather than simply bundling different product engines in one box. A lack of integration can also indicate trade-offs in security capabilities (reduced IPS detection, for example) made to compensate for inefficiencies or to maintain an adequate level of performance.
- Throughput performance: All the additional capabilities, checks and inspections these devices perform will certainly act as a speed bump to the traffic flow. Make sure that the throughput, once all the security features have been enabled, matches the expectations for your production environment. In your testing, also take into account that the number and complexity of the policies or rules on the device will affect its overall performance.
- Ease of use: A major driver for the adoption of these devices is the promise of reducing the complexity of managing disparate security products. The management interface should reflect this, ideally being intuitive to use and making it easy to define rules or policies that are as granular or complex as desired. It is not unusual to find jarring differences in the interface when configuring different capabilities on a device, especially if their integration is lacking.
As with other security products, these new types of firewalls are not silver bullets. Implementing one requires a lot of work in both the initial configuration and the ongoing maintenance. A successful implementation, however, can greatly improve your chances against the new generation of network threats.