
Is a next-generation firewall in your future?

Slow drift toward application-aware firewall/VPN with intrusion prevention and filtering

By , Network World
December 01, 2010 03:43 PM ET

Network World - The traditional port-based enterprise firewall, now looking less like a guard and more like a pit stop for Internet applications racing in through the often open ports 80 and 443, is slowly losing out to a new generation of brawny, fast, intelligent firewalls.


The so-called next-generation firewall (NGFW) describes an enterprise firewall/VPN with the muscle to efficiently perform intrusion-prevention sweeps of traffic, and with enough awareness of the applications moving through it to enforce policies based on which applications each identity is allowed to use. It's supposed to have the brains to use information such as Internet reputation analysis to help with malware filtering, or to integrate with Active Directory.
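To make the port-versus-application distinction concrete, here is an added illustration (not code from the article or from any vendor it names): a toy evaluator that applies a legacy port-based rule set and an identity- plus application-aware rule set to the same constructed flow records. The group names, application labels, rules and sample flows are assumptions; a real NGFW derives the application label by inspecting traffic rather than reading it from the port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One constructed flow record; 'app' is the label an application
    classifier would assign by inspecting traffic, not by port."""
    user: str
    group: str
    dst_port: int
    app: str

# Legacy port-based rules (first match wins, default deny).
LEGACY_RULES = [(80, "allow"), (443, "allow"), (6881, "deny")]

# NGFW rules keyed on user group and application (first match wins,
# default deny). "*" matches any group. Group/app names are assumed.
NGFW_RULES = [
    ("*", "web-browsing", "allow"),
    ("marketing", "facebook-chat", "allow"),   # marketing may use it
    ("*", "facebook-chat", "deny"),            # everyone else may not
    ("*", "bittorrent", "deny"),
]

def legacy_decision(flow):
    """Port-based firewall: sees only the destination port."""
    for port, action in LEGACY_RULES:
        if flow.dst_port == port:
            return action
    return "deny"

def ngfw_decision(flow):
    """Application-aware firewall: matches on who and which app."""
    for group, app, action in NGFW_RULES:
        if group in ("*", flow.group) and app == flow.app:
            return action
    return "deny"

def policy_gaps(flows):
    """Flows a port-based firewall lets through that the
    identity/application policy would block."""
    return [f for f in flows
            if legacy_decision(f) == "allow" and ngfw_decision(f) == "deny"]

# Constructed sample traffic: everything rides ports 80/443.
SAMPLE_FLOWS = [
    Flow("alice", "marketing", 443, "facebook-chat"),
    Flow("bob", "engineering", 443, "facebook-chat"),
    Flow("carol", "engineering", 443, "bittorrent"),
    Flow("dave", "finance", 80, "web-browsing"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.user, f.app, "legacy:", legacy_decision(f), "ngfw:", ngfw_decision(f))
    print("gaps:", [f.user for f in policy_gaps(SAMPLE_FLOWS)])
```

The `policy_gaps` list is exactly the traffic the article's "pit stop" metaphor describes: applications the port-based firewall waves through on 443 that an identity- and application-aware policy would stop.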

But how long will it take for the NGFW transition to truly arrive?

Start-up Palo Alto Networks is regarded as the first vendor to have donned the mantle of NGFW, with its line of multi-purpose application-aware security appliances in 2007, and today has more than 2,200 customers. Vendors Fortinet, Cisco, Check Point, McAfee and Barracuda Networks, among others, have been expanding or re-tooling their firewall products as well to fit the image. In addition, IPS vendor Sourcefire has said it will have an application-aware firewall with IPS out next year. But despite all this, actual use of these advanced firewalls today is still very low, according to Gartner, which has touted NGFW for the past few years.

"Today we believe that less than 1% of interconnections secured today are using NGFW," says Gartner analyst Greg Young. But he predicts that number will hit 35% by 2014.

But NGFW — not quite a scientific term but more than just pure marketing — remains unsettled. There have not yet been any independent third-party lab tests of so-called NGFW products, several vendors point out. ICSA Labs is discussing a possible NGFW test of various products, says Fortinet, but part of the challenge is nailing down a clear definition of what NGFW is. Gartner, which has its own definition of the gear, acknowledges "some vendors have application control, some are more advanced in IPS," says Young, adding, "The majority of the enterprise firewall vendors are at the early stages of this. Palo Alto is dragging established vendors into it."

The terminology issue is made more confused by the term Unified Threat Management (UTM), a phrase coined by IDC analyst Charles Kolodgy, who says UTM has roughly the same meaning as NGFW. But Gartner argues UTM should apply to security equipment used by small-to-midsized businesses, while NGFW is supposed to be for the enterprise, defined as 1,000 employees and up.

But despite this clash of terminology and the existence of only a tiny installed base using a presumed NGFW, security vendors do appear to recognize that demand for consolidated multi-purpose enterprise security appliances is likely to rise.

"The market trends are moving in that direction," says Patrick Bedwell, vice president of product marketing at Fortinet, which last week announced the Fortigate-5001B security blade for its 5000 series appliance family that can reach up to 40Gbps, a wide jump over a previous product limit of 8Gbps. "Legacy firewalls can't keep up. The focus needs to be on application control as threats are getting more complex."
