Patrick Sweeney makes the case for next-generation firewalls (NGFWs) that provide security without killing network performance.
By Patrick Sweeney
IT managers in corporate and mid-size businesses have to balance both network performance and network security concerns. While security requirements are critical to the enterprise, organizations should not have to sacrifice throughput and productivity for security. Next-generation firewalls (NGFWs) have emerged as the solution to this thorny problem.
Earlier-generation firewalls pose a serious security risk to organizations today. Their technology has effectively become obsolete as they fail to inspect the data payload of network packets circulated by today's Internet criminals. Many vendors tout Stateful Packet Inspection (SPI) speeds only, but the real measure of security and performance is deep packet inspection throughput and effectiveness. To address this deficiency, many firewall vendors adopted the malware inspection approach used by traditional desktop anti-virus solutions: buffer downloaded files, then inspect for malware. The downside to this method not only introduces significant latency, it also poses significant security risks, since temporary memory storage can limit the maximum file size.
Defining Next-Generation Firewalls
In basic terms, a next-generation firewall applies deep packet inspection (DPI) firewall technology by integrating intrusion prevention systems (IPS), and application intelligence and control to visualize the content of the data being accessed and processed.
Gartner defines an NGFW as "a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks."(*See note below.) At minimum, Gartner states an NGFW should provide:
- Non-disruptive in-line bump-in-the-wire configuration
- Standard first-generation firewall capabilities, e.g., network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN), etc.
- Integrated signature based IPS engine
- Application awareness, full stack visibility and granular control
- Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc.
- Upgrade path to include future information feeds and security threats
- SSL decryption to enable identifying undesirable encrypted applications
The evolution of Next-Generation Firewalls
The SPI generation of firewalls addressed security in a world where malware was not a major issue and web pages were just documents to be read. Ports, IP addresses, and protocols were the key factors to be managed. But as the Internet evolved, the ability to deliver dynamic content from the server and client browsers introduced a wealth of applications we now call Web 2.0.
Today, applications from Salesforce.com to SharePoint to Farmville all run over TCP port 80 as well as encrypted SSL (TCP port 443). A next-generation firewall inspects the payload of packets and matches signatures for nefarious activities such as known vulnerabilities, exploit attacks, viruses and malware all on the fly. DPI also means that administrators can create very granular permit and deny rules for controlling specific applications and web sites. Since the contents of packets are inspected, exporting all sorts of statistical information is also possible, meaning administrators can now easily mine the traffic analytics to perform capacity planning, troubleshoot problems or monitor what individual employees are doing throughout the day. Today's firewalls operate at layers, 2, 3, 4, 5, 6 and 7 of the OSI model.
What the enterprise requires
Organizations are suffering from application chaos. Network communications no longer rely simply on store-and-forward applications like email, but have expanded to include real-time collaboration tools, Web 2.0 applications, instant messenger (IM), and peer-to-peer applications, Voice over IP (VoIP), streaming media and teleconferencing, each presenting conduits for potential attacks. Many organizations cannot differentiate applications in use on their networks with legitimate business purposes from those that are not business-critical and simply draining bandwidth or plain dangerous.
Today, organizations need to deliver critical business solutions, while also contending with employee use of wasteful and often dangerous (from a security perspective) web-based applications. Critical applications need bandwidth prioritization while social media and gaming applications need to be throttled or completely blocked. Moreover, organizations can face fines, penalties and loss of business if they are in noncompliance with security mandates and regulations.
In today's enterprise organizations, protection and performance go hand-in-hand. Organizations can no longer tolerate the reduced security provided by legacy SPI firewalls, nor can they tolerate the network bottlenecks associated with some NGFWs. Any delays in firewall or network performance can degrade quality in latency-sensitive and collaborative applications, which in turn can negatively affect service levels and productivity. To make matters worse, some IT organizations even disable functionality in their network security solutions to avoid slowdowns in network performance.
Organizations large and small, in both the public and private sector, face new threats from vulnerabilities in commonly-used applications. It's the dirty little secret of the beautiful world of social networks and interconnectedness: they're a breeding ground for malware and Internet criminals prey on every corner for their unsuspecting victims. Meanwhile, workers use business and home office computers for online blogging, socializing, messaging, videos, music, games, shopping, and email. Applications such as streaming video, peer-to-peer (P2P), and hosted or cloud-based applications expose organizations to potential infiltration, data leakage and downtime. In addition to introducing security threats, these applications drain bandwidth and productivity, and compete with mission-critical applications for precious network bandwidth. Importantly, enterprises need tools to guarantee bandwidth for critical business relevant applications and need application intelligence and control to protect both inbound and outbound flows of traffic, while ensuring the velocity and security to provide a productive work environment.
The NGFWS benefit
Next-generation firewalls can deliver application intelligence and control, intrusion prevention, malware protection and SSL inspection at multi-gigabit speeds, scalable to support the highest-performance networks.
The most robust NGFWs enable administrators to control and manage both business and non-business related applications to enable network and user productivity, and they can scan files of unlimited size across any port and without security or performance degradation. The number of simultaneous files or network streams does not limit high-end NGFWs, so infected files do not have a chance to slip through undetected when the firewall is under heavy load. In addition, NGFWs can apply all security and application control technologies to SSL encrypted traffic, ensuring that this does not become a new malware vector into the network.
IT administrators selecting a deep packet inspection firewall need to be aware that there are multiple approaches to processor architectures in the world of NGFWs. Some have chosen general-purpose processors and separate security co-processors. Still others have chosen to design and build ASIC (Application-Specific Integrated Circuits) platforms. The key for IT administrators is to ensure that the NGFW solution they choose is absolutely scalable to their projected network performance requirements, and which delivers the most robust performance, most useful network analytics and insight, and ease of implementation and administration.
*Note: "Defining the Next-Generation Firewall," Gartner RAS Core Research Note G00171540, John Pescatore, Greg Young, 12 October 2009, R3210 04102010.
Patrick Sweeney is Vice President, Product Management, for Dell SonicWALL.