Next-generation firewalls should include intrusion prevention (IPS), the ability to decrypt and inspect SSL sessions in real time, and the ability to visualize and control application traffic as it crosses the network.
By Patrick Sweeney
Investing in the right type of firewall has become top priority for many businesses as they recognize that stateful firewalls are simply not effective in today’s advanced-threat environment. The issue is that older, stateful firewalls can no longer hold up in today’s world where billions of intrusions per year can easily overwhelm older firewalls. Firewalls that were once considered cutting-edge, with features like site-to-site VPN, secure remote access, and flexible deployment, are now considered so basic that organizations today have come to expect them to be included at little or no additional cost.
Today’s firewalls need to be more than just a shield keeping out potentially dangerous data -- it also needs to be able decipher the information intelligently.
What a next-generation firewall should offer
That is where today’s next generation firewalls come in as they include a tightly-integrated intrusion prevention system (IPS), the ability to decrypt and inspect SSL sessions in real time, and the ability to visualize and control application traffic as it crosses the network. Looking at this industry shift toward more robust security technology, it becomes evident that the NGFW market has matured to meet the threat environment of today.
Many firewall vendors now claim to offer these solutions, however organizations should be aware that not all NGFWs are equal. As a starting point, NGFWs should be able to deliver a basic level of deep security to ensure that every byte of every packet is fully inspected while still maintaining the high performance and low latency the network requires.
That means today’s next-generation firewalls must have a scalable multi-core hardware architecture and a deep level of inspection engine that can ascertain all traffic regardless of port or protocol and to detect and block threats before they enter your network, without introducing bottlenecks. To get a better sense of which vendors provide such cover, NSS Labs provides an objective, in-depth look into NGFW effectiveness.
Modern attacks employ several complex techniques to avoid detection as they sneak quietly into corporate networks to steal intellectual property. These attacks are often encoded using complicated algorithms to evade detection by intrusion prevention systems. Once the target has been exploited, the attacker will attempt to download and install malware onto the compromised system. In many instances, the malware used is a newly evolved variant which traditional anti-virus solutions can’t detect.
Here’s the culprit – SSL encryption: Advance attacks often rely on SSL encryption to hide the malware download or even to disguise command and control traffic that is sent by the attacker from halfway around the world. In order to effectively combat these emerging threats, organizations require a higher level of deep security that includes an IPS with advanced anti-evasion capabilities, the ability to decrypt and inspect every SSL-encrypted connection crossing the network (on any port) and network-based malware protection that leverages the power of the cloud.
SSL decryption and inspection is arguably the single most important feature required to provide truly deep security. According to recent research (NSS Labs, 2013), as much as 35% of corporate network traffic is encrypted using SSL. This means that organizations that are not inspecting SSL traffic are effectively blind to a third of the traffic on the network. Further, attacks that utilize SSL will have a 100% success rate in this type of scenario. In order to combat these sophisticated attacks effectively, organizations need the ability to inspect all traffic on any port, regardless of whether that traffic is SSL-encrypted or not.
In addition to hiding their attacks using SSL encryption, criminals often try to circumvent the IPS by obfuscating advanced attacks using complex algorithms designed to evade detection. Some network security vendor products may not perform adequate data normalization to decode threats before the IPS has a chance to examine them. This enables encoded threats to compromise corporate networks without being noticed.
The final component required to provide deep security against today’s modern threats is network-based malware protection that leverages the power of the cloud to create a richer, deeper and multi-layered solution so that millions, rather than just a few thousand, of malware signatures can be scanned in real-time as is the case when the protection is limited to the onboard system memory of the firewall.
With all these layers in place, NGFWs take the depth of security to entirely new levels-levels needed in today’s next generation security landscape.Patrick Sweeney has over 20 years experience in high tech product management, product marketing, corporate marketing and sales development. Mr. Sweeney is Dell SonicWALL’s Executive Director, Product Management for Dell SonicWALL, where he oversees its Network Security, Content Security, Business Continuity and Policy & Management product lines.