Is a next-generation firewall in your future?

Slow drift toward application-aware firewall/VPN with intrusion prevention and filtering

The traditional port-based enterprise firewall, now looking less like a guard and more like a pit stop for Internet applications racing in through the often open ports 80 and 443, is slowly losing out to a new generation of brawny, fast, intelligent firewalls.


The so-called next-generation firewall (NGFW) is an enterprise firewall/VPN with the muscle to perform intrusion prevention sweeps of traffic efficiently, and with enough awareness of the applications moving through it to enforce policies based on which applications each identity is allowed to use. It's also supposed to have the brains to use information such as Internet reputation analysis to help with malware filtering, and to integrate with Active Directory.
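To make the contrast between a port-based firewall and the identity-based application policy described above concrete, here is a small added example (illustrative code, not any vendor's product) with constructed flows, a stand-in for a directory-group lookup, and a hypothetical allow-hours rule of the kind vendors call a timeframe limit:

```python
"""Toy application-aware, identity-based firewall policy.
Illustrative only: the signatures, users, groups and rules below are all
constructed for this example and are not any vendor's real logic."""
import re

# Constructed application signatures. The application is identified from the
# payload, not the destination port, so two flows on port 443 can differ.
# Order matters: more specific signatures come before the generic web one.
APP_SIGNATURES = [
    ("webmail", re.compile(rb"^(GET|POST) /mail/")),
    ("file-share", re.compile(rb"Host: share\.example\.net")),  # hypothetical host
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD) ")),
]

# Constructed stand-in for a directory lookup (e.g. Active Directory groups).
DIRECTORY_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}

# Rules are matched top-down on (group, application); "hours" is a simple
# allow window, a stand-in for a timeframe limit. "*" matches any group.
RULES = [
    {"group": "finance", "app": "file-share", "action": "deny"},
    {"group": "engineering", "app": "ssh", "action": "allow"},
    {"group": "*", "app": "web-browsing", "action": "allow", "hours": (8, 18)},
    {"group": "*", "app": "webmail", "action": "allow"},
]

def classify(payload: bytes) -> str:
    """Return the application name matched by the first signature, else 'unknown'."""
    for app, sig in APP_SIGNATURES:
        if sig.search(payload):
            return app
    return "unknown"

def port_based_verdict(dport: int) -> str:
    """Legacy behaviour: anything on 80/443 passes, whatever it carries."""
    return "allow" if dport in (80, 443) else "deny"

def ngfw_verdict(user: str, dport: int, payload: bytes, hour: int) -> tuple:
    """Application-aware verdict as (action, application). Note that dport is
    accepted but never consulted: the decision rests on who and what."""
    app = classify(payload)
    groups = DIRECTORY_GROUPS.get(user, set())
    for rule in RULES:
        if rule["app"] != app:
            continue
        if rule["group"] != "*" and rule["group"] not in groups:
            continue
        lo, hi = rule.get("hours", (0, 24))
        if not lo <= hour < hi:
            continue
        return rule["action"], app
    return "deny", app  # default deny, which also covers unknown applications
```

Running the same SSH-on-443 flow through both functions shows the difference: the port-based check allows it for everyone, while the application-aware policy allows it only for the engineering group.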

But how long will it take for the NGFW transition to truly arrive?

Start-up Palo Alto Networks is regarded as the first vendor to have donned the mantle of NGFW, with its line of multi-purpose application-aware security appliances in 2007, and today has more than 2,200 customers. Vendors Fortinet, Cisco, Check Point, McAfee and Barracuda Networks, among others, have been expanding or re-tooling their firewall products as well to fit the image. In addition, IPS vendor Sourcefire has said it will have an application-aware firewall with IPS out next year. But despite all this, actual use of these advanced firewalls today is still very low, according to Gartner, which has touted NGFW for the past few years.

"Today we believe that less than 1% of interconnections secured today are using NGFW," says Gartner analyst Greg Young. But he predicts that number will hit 35% by 2014.

But NGFW — not quite a scientific term but more than just pure marketing — remains unsettled. There have not yet been any independent third-party lab tests of so-called NGFW products, several vendors point out. ICSA Labs is discussing a possible NGFW test of various products, says Fortinet, but part of the challenge is nailing down a clear definition of what NGFW is. Gartner, which has its own definition of the gear, acknowledges "some vendors have application control, some are more advanced in IPS," says Young, adding, "The majority of the enterprise firewall vendors are at the early stages of this. Palo Alto is dragging established vendors into it."

[Chart: what is a next-generation firewall]

The terminology issue is made more confused by the term Unified Threat Management (UTM), a phrase coined by IDC analyst Charles Kolodgy, who says UTM has roughly the same meaning as NGFW. But Gartner argues UTM should apply to security equipment used by small-to-midsized businesses, while NGFW is supposed to be for the enterprise, defined as 1,000 employees and up.

But despite this clash of terminology and the existence of only a tiny installed base using a presumed NGFW, security vendors do appear to recognize that demand for consolidated multi-purpose enterprise security appliances is likely to rise.

"The market trends are moving in that direction," says Patrick Bedwell, vice president of product marketing at Fortinet, which last week announced the FortiGate-5001B security blade for its 5000 series appliance family that can reach up to 40Gbps, a wide jump over a previous product limit of 8Gbps. "Legacy firewalls can't keep up. The focus needs to be on application control as threats are getting more complex."

The FortiGate firewall/VPN security blade is application-aware for about 1,300 applications and can establish granular controls on user behavior with applications, along with timeframe limitations and bandwidth management.

Other vendors are also on the NGFW regimen. McAfee considers the changes it made last June in its Enterprise Firewall v. 8 upgrade to have made it an NGFW.

"We re-worked the application engine so we could detect and fully inspect over 1,000 applications," says Greg Brown, McAfee director of product marketing, network defense. "We made the engine extensible, and there are application updates each week."

McAfee Enterprise Firewall v. 8 reaches 10Gbps. But to head into higher speeds, McAfee partnered with Crossbeam Systems to be able to reach 40Gbps on Crossbeam's platform. McAfee is working to get higher speeds on its own appliances.

And does the do-it-all know-it-all firewall really have an IPS function as effective as a standalone IPS? Brown acknowledges that it's hard to know, and that no independent tests for this have been done, but "the intention is to do as effective a job as a standalone IPS."

Compared with a "conventional firewall" that mainly looks at IP network ranges, says Brown, the NGFW approach of application control does represent a new technology for most customers.

There's appeal in using capabilities such as integrating Microsoft Active Directory, for instance, to set up user groups in terms of authorized applications. So far, though, most McAfee customers are trying out advanced firewall features gingerly with some applications, not all, to see what impact policy controls have.

Fitness-center chain 24 Hour Fitness, which maintains more than 400 clubs in the U.S. and abroad, is giving the Palo Alto Networks application-aware firewall it deployed last summer a workout.

Justin Kwong, senior director of IT operations and security there, says there's not only a cost justification in switching to Palo Alto's consolidated architecture, but his staff is getting a much better picture of what's happening using features such as reputation-based filtering.

The company is making use of Palo Alto's integration with Active Directory to set up policy controls regarding applications for employees, but the use is "not that granular yet," says Kwong, noting there's a learning curve regarding application control. In addition, Kwong doesn't believe his organization as yet needs to migrate completely to the NGFW model since the need for application-aware controls may not exist in all parts of the network or data center.

IDC analyst Kolodgy says that view about application-based controls is to be expected, advising, "use it in limited use until you are comfortable with it and then expand its use, which is exactly how IDS transitioned into IPS."

Although the NGFW represents security consolidation, Kwong retains some reservations about that: he plans to continue using open-source IPS as "a second set of eyes" alongside the Palo Alto IPS functionality. "I'll never consolidate everything in one box," says Kwong, adding "I'm never going to rely solely on one vendor."

And what about the question of how any of the NGFW security applies when users aren't even behind a firewall, such as when travelling with a laptop or using a mobile device?

"We can expand to the user's machine not on the network," says Chris King, Palo Alto Networks director of product marketing. Palo Alto already has a VPN client that can drag user traffic back to the customer's NGFW point, but early next year Palo Alto will offer what it calls its GlobalProtect smart VPN client which knows where the user is in the world and will direct the client to the nearest gateway. "There's a hierarchy of gateways that manages a list of gateways, and the client knows where the nearest gateway is," King says. This capability enables some level of data-loss prevention, he adds.

Palo Alto also sees its ability to do SSL inspection as a big plus for its package: it opens up inbound and outbound encrypted traffic, relying on a trusted environment in which a user's desktop certificate is shared. "We'd open it to make sure it's an allowed application, then re-encrypt," King said.
