
How we tested next-generation firewalls

By , Network World
May 07, 2012 12:04 AM ET

Network World - We tested next-generation firewalls by looking at seven separate areas that we felt would be important to network managers trying to deploy these products in enterprise networks.

We evaluated the basic firewall functionality of each product by examining the features for building security policy, VPNs, applying NAT and QoS, enabling dynamic routing, and supporting high availability. We tried to build VPNs with other IPSec-based firewalls and tried to synchronize each device with Cisco IOS BGP routers running both IPv4 and IPv6 protocols. We looked at global management features, where the vendor provided a global management system, and evaluated other enterprise areas of concern, such as VLAN and link aggregation support. We also looked at IPv6 support separately.

We investigated visibility features in the firewalls and any reporting or global management system provided by the vendor to see how well each product gave a view into the traffic flowing through the network. Since this is a next-generation test, we focused more on application identification than simple traffic statistics. We looked at differences between "on-box" and "external" reporting systems, and evaluated areas such as debugging and long-term reporting.
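The visibility question above comes down to what a reporting view can compute from the firewall's application-identification logs. As an added example (not Network World's or any vendor's code; the key=value log format and all names are constructed), here is a small summariser that produces the per-application and per-user views a reporting system would offer, plus the share of traffic the firewall could not identify, which is the number a tester cares about most when judging application identification rather than plain traffic statistics:

```python
"""Summarise application-identification logs as a reporting view would.

Added example, not any vendor's code. The log format below is constructed:
one session per line, whitespace-separated key=value pairs.
"""
from collections import defaultdict

# Constructed traffic-log lines.
SAMPLE_LOG = """\
ts=2012-05-01T09:00:01 user=alice app=facebook category=social-networking bytes=48213
ts=2012-05-01T09:00:05 user=bob app=bittorrent category=peer-to-peer bytes=9100311
ts=2012-05-01T09:00:09 user=alice app=exchange-owa category=business-collaboration bytes=120443
ts=2012-05-01T09:00:12 user=carol app=unknown-tcp category=unknown bytes=301222
ts=2012-05-01T09:00:15 user=bob app=youtube category=streaming-video bytes=2200010
ts=2012-05-01T09:00:20 user=carol app=unknown-tcp category=unknown bytes=150000
"""


def parse_line(line):
    """Turn one key=value log line into a dict with an integer byte count."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["bytes"] = int(fields["bytes"])
    return fields


def summarise(log_text):
    """Aggregate bytes per application, applications per user, and the
    fraction of bytes the firewall labelled as an unknown application."""
    by_app = defaultdict(int)
    by_user = defaultdict(set)
    total = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        by_app[rec["app"]] += rec["bytes"]
        by_user[rec["user"]].add(rec["app"])
        total += rec["bytes"]
    unidentified = sum(b for app, b in by_app.items() if app.startswith("unknown"))
    return {
        "by_app": dict(by_app),
        "by_user": {user: sorted(apps) for user, apps in by_user.items()},
        "unidentified_share": unidentified / total if total else 0.0,
    }


def top_apps(summary, n=3):
    """The 'top applications by volume' widget of a reporting console."""
    return sorted(summary["by_app"].items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("top apps:", top_apps(report))
    print("apps per user:", report["by_user"])
    print("unidentified share: %.1f%%" % (100 * report["unidentified_share"]))
```

A high unidentified share on a real network means either the firewall's application signatures are thin or the traffic is encrypted and not being decrypted; the per-user view is what distinguishes a next-generation report from a port-and-IP traffic graph.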


When we tested next-generation firewall control features, we tried to understand the model for applying application identification and control features. Since next-generation firewalls all use categories to help group applications, we tried to evaluate whether these categories made sense and were at an appropriate level of granularity. Within applications, we looked for features such as the ability to block different sub-applications and directions (upload/download or read/post).

We looked into the application layer controls (such as blocking applications) and variations offered by different vendors, such as applying QoS on a particular application. We also looked at other next-generation features, such as controlling traffic based on username or group, IP address reputation, or geographic region.
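To make the control model described in the two paragraphs above concrete, here is an added example (not Network World's or any vendor's code; the application catalogue, categories, group names and rules are all constructed) of a first-match policy evaluator in which rules match on category, application, sub-application and direction, on the user's directory group and on source country, and return an action together with an optional QoS class:

```python
"""Toy model of next-generation firewall application control.

Added example, not any vendor's code. Applications are grouped into
categories; rules can match on category, application, sub-application and
direction (upload/download or read/post), on the user's group and on source
country, and return an action plus an optional QoS class. All names are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed application catalogue (app -> category). A real catalogue has
# thousands of entries; the category level is what keeps policy manageable.
APP_CATALOGUE = {
    "facebook": "social-networking",
    "bittorrent": "peer-to-peer",
    "youtube": "streaming-video",
    "gmail": "webmail",
    "exchange-owa": "business-collaboration",
    "rdp": "remote-access",
}


@dataclass(frozen=True)
class Flow:
    app: str                            # as identified by the firewall
    sub_app: Optional[str] = None       # e.g. "chat", "video"
    direction: Optional[str] = None     # "upload"/"download" or "read"/"post"
    user: str = "anonymous"
    groups: frozenset = frozenset()     # from directory integration
    src_country: Optional[str] = None   # from a geo-IP lookup


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "block"
    categories: frozenset = frozenset()
    apps: frozenset = frozenset()
    sub_apps: frozenset = frozenset()
    directions: frozenset = frozenset()
    groups: frozenset = frozenset()
    countries: frozenset = frozenset()
    qos_class: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        """Every non-empty criterion must match; an empty criterion means 'any'."""
        category = APP_CATALOGUE.get(flow.app, "unknown")
        checks = [
            (self.categories, category in self.categories),
            (self.apps, flow.app in self.apps),
            (self.sub_apps, flow.sub_app in self.sub_apps),
            (self.directions, flow.direction in self.directions),
            (self.groups, bool(self.groups & flow.groups)),
            (self.countries, flow.src_country in self.countries),
        ]
        return all(ok for criterion, ok in checks if criterion)


def evaluate(rules, flow, default_action="block"):
    """First-match evaluation, the usual firewall semantics.

    Returns (rule name, action, qos class). The implicit final rule applies
    default_action; keeping it 'block' means traffic the firewall cannot
    identify is not silently allowed.
    """
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action, rule.qos_class
    return "implicit-default", default_action, None


# Constructed sample policy, ordered most-specific first.
POLICY = [
    Rule("block-p2p", "block", categories=frozenset({"peer-to-peer"})),
    Rule("marketing-may-post", "allow", apps=frozenset({"facebook"}),
         directions=frozenset({"post"}), groups=frozenset({"marketing"})),
    Rule("no-social-posting", "block", categories=frozenset({"social-networking"}),
         directions=frozenset({"post", "upload"})),
    Rule("social-read-only", "allow", categories=frozenset({"social-networking"})),
    Rule("video-low-priority", "allow", categories=frozenset({"streaming-video"}),
         qos_class="bulk"),
    Rule("business-apps", "allow",
         categories=frozenset({"business-collaboration", "remote-access"}),
         qos_class="priority"),
]

if __name__ == "__main__":
    for flow in (Flow("bittorrent"),
                 Flow("facebook", direction="post", groups=frozenset({"marketing"})),
                 Flow("facebook", direction="post", groups=frozenset({"engineering"})),
                 Flow("youtube", direction="download"),
                 Flow("some-new-app")):
        print(flow.app, flow.direction, "->", evaluate(POLICY, flow))
```

The ordering matters in the same way it does on a real firewall: the group-specific allow for marketing must precede the category-wide block on posting, and a category rule such as "social-networking" catches applications the administrator never listed individually, which is the granularity question the test methodology raises.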

Because SSL decryption is an important part of application visibility, we configured SSL decryption using our own certification authority and looked at how well this decryption worked. We evaluated important PKI features, such as handling of self-signed certificates and revoked certificates. We also looked at the features that each firewall offers to configure SSL decryption, such as exempting some traffic. Where these features existed, we tested them as well.
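The PKI handling mentioned above is where decrypting firewalls most often go wrong: if the device re-signs every origin certificate with the enterprise CA that clients trust, a self-signed, revoked or mismatched origin certificate turns into a clean padlock on the user's browser. As an added example (not Network World's or any vendor's code; the decision names, policy fields, categories and test certificates are constructed, and hostname matching is simplified to exact names), here is the decision logic a tester would expect, beside the weak behaviour to look for:

```python
"""Decision model for an SSL-decrypting firewall.

Added example, not any vendor's code. The firewall validates the origin
server's certificate itself, then decides whether to bypass the session,
decrypt it by re-signing with the enterprise CA the clients trust, re-sign
with a CA the clients do NOT trust (so the browser warning survives), or
block. Field, category and policy names are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    BYPASS = "bypass"                        # pass the TLS session through untouched
    DECRYPT = "decrypt"                      # re-sign with the trusted enterprise CA
    DECRYPT_UNTRUSTED = "decrypt-untrusted"  # re-sign with an untrusted CA: client still warns
    BLOCK = "block"


@dataclass(frozen=True)
class OriginCert:
    """What the firewall learned when it validated the server certificate."""
    hostname: str                     # name the client asked for (SNI)
    names: frozenset                  # DNS names in the certificate (simplified: exact match only)
    self_signed: bool
    chain_valid: bool                 # chains to a CA in the firewall's own trust store
    revoked: bool                     # CRL/OCSP answered 'revoked'
    revocation_unknown: bool = False  # CRL/OCSP could not be reached


@dataclass(frozen=True)
class DecryptPolicy:
    exempt_categories: frozenset = frozenset({"financial-services", "health"})
    exempt_hosts: frozenset = frozenset()
    block_revoked: bool = True
    block_when_revocation_unknown: bool = False


def decide(cert, category, policy=DecryptPolicy()):
    """Sound handling: never hide an origin-certificate problem behind the enterprise CA."""
    if category in policy.exempt_categories or cert.hostname in policy.exempt_hosts:
        return Decision.BYPASS
    if cert.revoked:
        return Decision.BLOCK if policy.block_revoked else Decision.DECRYPT_UNTRUSTED
    if cert.revocation_unknown and policy.block_when_revocation_unknown:
        return Decision.BLOCK
    if cert.self_signed or not cert.chain_valid or cert.hostname not in cert.names:
        # Re-signing with the trusted CA here would turn a browser warning into
        # a clean padlock; re-sign with the untrusted CA so the client still warns.
        return Decision.DECRYPT_UNTRUSTED
    return Decision.DECRYPT


def decide_naive(cert, category, policy=DecryptPolicy()):
    """Weak behaviour worth testing for: everything not exempt is re-signed with the trusted CA."""
    if category in policy.exempt_categories or cert.hostname in policy.exempt_hosts:
        return Decision.BYPASS
    return Decision.DECRYPT


def hidden_problems(decider, cases):
    """Names of the test cases where a decider would present a broken origin cert as trusted."""
    return [name for name, cert, category in cases
            if (cert.self_signed or cert.revoked or not cert.chain_valid)
            and decider(cert, category) is Decision.DECRYPT]


# Constructed test certificates, as a tester's own CA would issue them.
CASES = [
    ("good", OriginCert("news.example", frozenset({"news.example"}), False, True, False), "news"),
    ("bank", OriginCert("bank.example", frozenset({"bank.example"}), False, True, False), "financial-services"),
    ("self-signed", OriginCert("dev.example", frozenset({"dev.example"}), True, False, False), "unknown"),
    ("revoked", OriginCert("old.example", frozenset({"old.example"}), False, True, True), "news"),
    ("name-mismatch", OriginCert("shop.example", frozenset({"other.example"}), False, True, False), "shopping"),
]

if __name__ == "__main__":
    for name, cert, category in CASES:
        print("%-14s sound=%-18s naive=%s" % (name, decide(cert, category).value,
                                              decide_naive(cert, category).value))
    print("problems hidden by naive policy:", hidden_problems(decide_naive, CASES))
```

Running the same constructed cases against a firewall under test, with the tester's own CA issuing the self-signed and revoked certificates, is exactly the check the paragraph describes; the `hidden_problems` list is empty for the sound policy and non-empty for the naive one.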

To test next-generation application identification and control, we identified 40 separate applications in nine separate areas. We included commonly mentioned applications for next-generation firewalls (such as Facebook, peer-to-peer networks, streaming video, and public webmail servers), along with enterprise applications (such as Microsoft Exchange, Terminal Services, VoIP, and SharePoint). We also used very simple evasion to see if the next-generation firewall could be easily fooled, and we scored those tests separately. We did not use elaborate evasion techniques.
