Traditional firewalls and the separate, complementary firewall helpers such as Intrusion Prevention, URL Filtering, and Proxy Systems are too expensive, too complicated, and simply do not sufficiently reduce today’s risks created by social networking, SaaS collaboration services, and the hundreds of other Internet-based applications and services people are using.
Users who simply visit web sites or use social networking or collaboration applications are exposed to attacks such as keyloggers and spyware, backdoors or command-and-control, and SQL injection, which together represent over 50% of the Threat Action Types that cause breaches of credit card information, personal information, trade secrets and other intellectual property.
Gartner and Forrester are both using the term “next-generation” firewall to describe a network security solution. Here is Gartner’s description of a Next-Generation Firewall:
To meet the current and coming generation of network security threats, Gartner believes firewalls need to evolve yet again to what we have been calling “next-generation firewalls” (see “Toolkit: Evaluating Information Security Budgets, 2007 Update”). For example, threats using botnet delivery methods (see “Case Study: Early Detection of PCs That Have Been Compromised via Botnet Clients”) have largely been invisible to first-generation firewalls.
As service-oriented architectures and Web 2.0 grow in use, more communication is going through fewer ports (such as HTTP and HTTPS) and via fewer protocols, meaning port/protocol-based policy has become less relevant and less effective. Deep packet inspection intrusion prevention systems (IPSs) do inspect for known attack methods against operating systems and software that are missing patches, but cannot effectively identify and block the misuse of applications, let alone specific features within applications.
Gartner has long used the term “next-generation firewall” to describe the next stage of evolution to deal with these issues. Gartner defines a network firewall as an in-line security control that implements network security policy between networks of different trust levels in real time. Gartner uses the term “next generation firewall” to indicate the necessary evolution of a firewall to deal with changes in both the way business processes use IT and the ways attacks try to compromise business systems.
As a minimum, an NGFW will have the following attributes:
- Support in-line bump-in-the-wire configuration without disrupting network operations.
- Act as a platform for network traffic inspection and network security policy enforcement, with the following minimum features:
  - Standard first-generation firewall capabilities: Use packet filtering, network address translation (NAT), stateful protocol inspection, VPN capabilities and so on.
  - Integrated rather than merely colocated network intrusion prevention: Support vulnerability-facing signatures and threat-facing signatures. The IPS interaction with the firewall should be greater than the sum of the parts, such as providing a suggested firewall rule to block an address that is continually loading the IPS with bad traffic. This exemplifies that, in the NGFW, it is the firewall that correlates rather than the operator having to derive and implement solutions across consoles. Having high quality in the integrated IPS engine and signatures is a primary characteristic. Integration can include features such as providing suggested blocking at the firewall based on IPS inspection of sites only providing malware.
  - Application awareness and full stack visibility: Identify applications and enforce network security policy at the application layer independent of port and protocol versus only ports, protocols and services. Examples include the ability to allow Skype use but disable file sharing within Skype or to always block GoToMyPC.
  - Extrafirewall intelligence: Bring information from sources outside the firewall to make improved blocking decisions, or have an optimized blocking rule base. Examples include using directory integration to tie blocking to user identity, or having blacklists and whitelists of addresses.
Cymbel recommends Palo Alto Networks as the network security cornerstone of its next-generation defense-in-depth architecture for the following reasons:
1. Application-based Traffic Classification enables a Positive Enforcement Model
Unfortunately, the network security industry has polluted the terms “next-generation” and “application-aware” firewalls. Adding application awareness as a separate module is not a bad thing in itself, but the result is not a next-generation firewall unless it supports a Positive Enforcement Model (allow what’s needed and block everything else).
Palo Alto Networks is the only firewall today that provides Application-based Traffic Classification (ATC), i.e. the ability to define which applications are allowed and block all others, including unknown applications. In addition, Palo Alto Networks monitors all 65K+ ports all the time, i.e. it classifies traffic by application regardless of port or protocol.
Palo Alto Networks’ application-based Positive Enforcement Model lets you reduce the organization’s attack surface, which goes a long way toward mitigating the risks of modern malware. Nor do you have to worry about newly developed third-party applications that you want to keep out of your organization: they are blocked automatically unless specifically allowed, even if Palo Alto Networks has no signatures for them.
The traditional firewall manufacturers provide traditional Port-based Traffic Classification (PTC) with a separate application identification module that blocks only the applications you specify. This is a Negative Enforcement Model, which is how an Intrusion Prevention System works (and an IPS is not a firewall at all). This approach requires the manufacturers to constantly add application signatures, because if there is no signature there is no way to identify the application and block it. Palo Alto Networks also provides PTC for backward compatibility.
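To make the contrast concrete, here is a small added example (not Cymbel’s or Palo Alto Networks’ code, and not a real App-ID engine) that classifies flows by payload content rather than port and then evaluates the same flows under a Positive Enforcement Model (allow-listed applications, optionally tied to a directory group, with everything else blocked) and under a Negative Enforcement Model (a port filter plus a deny-list of application signatures). It also shows the feature-level control from the Gartner list above, allowing Skype chat while blocking Skype file transfer. The signatures, ports, group names and flows are constructed for illustration.

```python
# Added example: toy policy engine contrasting Positive vs. Negative Enforcement.
# Not vendor code; all signatures, ports, groups and flows are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes
    user_group: str          # e.g. a directory group the user belongs to


@dataclass(frozen=True)
class AllowRule:
    app: str
    user_group: str = "any"  # "any" matches every group


# Toy application identification keyed on payload content, never on port.
APP_SIGNATURES = {
    "web-browsing": (b"GET ", b"POST "),
    "ssh": (b"SSH-2.0-",),
    "skype-chat": (b"SKYPE-CHAT ",),
    "skype-file-transfer": (b"SKYPE-FT ",),
}


def identify_app(flow: Flow) -> str:
    """Classify a flow by its content regardless of destination port."""
    for app, prefixes in APP_SIGNATURES.items():
        if any(flow.payload.startswith(p) for p in prefixes):
            return app
    return "unknown"


def positive_enforcement(flow: Flow, rules: list[AllowRule]) -> str:
    """Allow only flows matched by an explicit rule; everything else is blocked."""
    app = identify_app(flow)
    for rule in rules:
        if rule.app == app and rule.user_group in ("any", flow.user_group):
            return "allow"
    return "block"           # covers unknown apps and apps with no matching rule


def negative_enforcement(flow: Flow, open_ports: set[int], blocked_apps: set[str]) -> str:
    """Port filter first, then a deny-list of app signatures.
    Anything not listed, including an unknown app on an open port, passes."""
    if flow.dst_port not in open_ports:
        return "block"
    if identify_app(flow) in blocked_apps:
        return "block"
    return "allow"


# Constructed policy: everyone may browse, staff may chat on Skype, only admins may use SSH.
ALLOW_RULES = [
    AllowRule("web-browsing"),
    AllowRule("skype-chat", "staff"),
    AllowRule("ssh", "admins"),
]
OPEN_PORTS = {22, 80, 443}
BLOCKED_APPS = {"skype-file-transfer"}

# Constructed flows; all but the last arrive on TCP/443.
SAMPLE_FLOWS = [
    Flow(443, b"GET /index.html HTTP/1.1", "staff"),   # ordinary browsing
    Flow(443, b"SKYPE-CHAT hello", "staff"),           # permitted Skype feature
    Flow(443, b"SKYPE-FT report.xlsx", "staff"),       # Skype file transfer
    Flow(443, b"NEWAPP-V1 tunnel", "staff"),           # app with no signature
    Flow(443, b"SSH-2.0-OpenSSH_8.9", "staff"),        # SSH hidden on the HTTPS port
    Flow(2222, b"SSH-2.0-OpenSSH_8.9", "admins"),      # SSH on a non-standard port
]


def compare(flows=SAMPLE_FLOWS):
    """Return (identified app, positive verdict, negative verdict) per flow."""
    return [
        (identify_app(f),
         positive_enforcement(f, ALLOW_RULES),
         negative_enforcement(f, OPEN_PORTS, BLOCKED_APPS))
        for f in flows
    ]


if __name__ == "__main__":
    for app, pos, neg in compare():
        print(f"{app:22} positive={pos:5} negative={neg}")
```

The two models diverge exactly where the text says they do: the unsigned application and the SSH session tunnelled over 443 both pass the negative model because nothing on the deny-list matched, while the positive model blocks them because no rule allows them. Conversely, the positive model lets an admin’s SSH through on port 2222 because policy is keyed on the identified application and group, not the port.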
2. Single-Pass enables lower latency and higher performance
No matter how many features you turn on, PAN performs them all in a single pass, leveraging custom-designed hardware. Adding application detection to a Port-based Traffic Classification firewall as an extra pass reduces performance, increases latency, and unnecessarily complicates policy management.
3. Unified policy management reduces policy management costs
PAN provides a single unified policy management interface for all aspects of PAN’s functionality, including users, applications, threat prevention, and URL filtering. Because of this, and because PAN shifts policy definition and deployment to user groups and applications, policy management costs are reduced and IT can respond to business needs more rapidly and securely.
4. Policy management flexibility improves IT’s responsiveness to business needs
PAN’s policy options go well beyond basic allow/deny and malware blocking. For example, in a single policy rule you can allow an application for a specific Active Directory group, with SSL decryption, threat prevention monitoring, and traffic shaping. This enables IT to be more responsive to the business while improving security.
Palo Alto Networks is the only true next-generation firewall on the market today with Application-based Traffic Classification enabling a Positive Enforcement Model at the application level.