Because of changes in the way web-based and cloud applications are written, traditional port-based, stateful inspection firewalls can no longer sustain the Positive Control Model (allow only what is explicitly needed and block everything else), which is the purpose of a firewall. A new type of firewall is required that can identify and control all applications on all ports at all times at specified performance levels. In 2009, Gartner published its definition of the Next Generation Firewall for this capability. Unfortunately, vendors are using the term whether or not their products can re-establish a Positive Control Model.

Since Internet usage became popular in the mid-90s, the firewall has been the primary network security technical control. Several alternative firewall technologies originally competed, but “stateful inspection” came to dominate the market by the late 90s, and it remains the most popular firewall technology to this day, although, as I will discuss further on, it is completely inadequate given today’s usage of the Internet and cyber predators’ goals and methods.

By the early 2000s, it became clear that stateful inspection firewalls by themselves could not provide adequate protection, because of the increasing complexity of the threat landscape and the proliferation of web-based productivity applications specifically designed to get through a stateful inspection firewall (typically by riding on ports 80 and 443, which the firewall must leave open). Therefore a variety of additional network security solutions came to market, such as Intrusion Detection and Prevention Systems and proxies for URL filtering and Data Loss Prevention. This added dramatically to capital, administrative, and operational costs. By the late 2000s, enterprises began to realize that this combination of firewalls and “firewall helpers” was not effectively mitigating the risks it was intended to.

Users simply visiting web sites or using social networking or collaboration applications are exposed to attacks such as keyloggers and spyware, backdoors and command-and-control channels, and SQL injection, which together represent over 50% of the threat action types that cause breaches of credit card information, personal information, trade secrets and other intellectual property.

In October 2009, Gartner released a research report on a new type of network security control, the “Next Generation Firewall”.

Here is Gartner’s description of a Next-Generation Firewall:

To meet the current and coming generation of network security threats, Gartner believes firewalls need to evolve yet again to what we have been calling “next-generation firewalls” (see “Toolkit: Evaluating Information Security Budgets, 2007 Update”). For example, threats using botnet delivery methods (see “Case Study: Early Detection of PCs That Have Been Compromised via Botnet Clients”) have largely been invisible to first-generation firewalls.

As service-oriented architectures and Web 2.0 grow in use, more communication is going through fewer ports (such as HTTP and HTTPS) and via fewer protocols, meaning port/protocol-based policy has become less relevant and less effective. Deep packet inspection intrusion prevention systems (IPSs) do inspect for known attack methods against operating systems and software that are missing patches, but cannot effectively identify and block the misuse of applications, let alone specific features within applications.

Gartner has long used the term “next-generation firewall” to describe the next stage of evolution to deal with these issues. Gartner defines a network firewall as an in-line security control that implements network security policy between networks of different trust levels in real time. Gartner uses the term “next generation firewall” to indicate the necessary evolution of a firewall to deal with changes in both the way business processes use IT and the ways attacks try to compromise business systems.

As a minimum, an NGFW will have the following attributes:

  • Support in-line bump-in-the-wire configuration without disrupting network operations.
  • Act as a platform for network traffic inspection and network security policy enforcement, with the following minimum features:
    • Standard first-generation firewall capabilities: Use packet filtering, network address translation (NAT), stateful protocol inspection, VPN capabilities and so on.
    • Integrated rather than merely colocated network intrusion prevention: Support vulnerability-facing signatures and threat-facing signatures. The IPS interaction with the firewall should be greater than the sum of the parts, such as providing a suggested firewall rule to block an address that is continually loading the IPS with bad traffic. This exemplifies that, in the NGFW, it is the firewall that correlates rather than the operator having to derive and implement solutions across consoles. Having high quality in the integrated IPS engine and signatures is a primary characteristic. Integration can include features such as providing suggested blocking at the firewall based on IPS inspection of sites only providing malware.
    • Application awareness and full stack visibility: Identify applications and enforce network security policy at the application layer independent of port and protocol versus only ports, protocols and services. Examples include the ability to allow Skype use but disable file sharing within Skype or to always block GoToMyPC.
  • Extrafirewall intelligence: Bring information from sources outside the firewall to make improved blocking decisions, or have an optimized blocking rule base. Examples include using directory integration to tie blocking to user identity, or having blacklists and whitelists of addresses.

Cymbel recommends Palo Alto Networks as the network security cornerstone of its next-generation defense-in-depth architecture for the following reasons:

1. Application-based Traffic Classification enables a Positive Control Model

Unfortunately, the network security industry has polluted the terms “next-generation” and “application-aware” firewall. Simply adding application awareness as a separate module is not a bad thing, but the result is not a firewall unless it supports a Positive Control Model (allow what’s needed and block everything else).

Palo Alto Networks is the only firewall today that provides Application-based Traffic Classification (ATC), i.e. the ability to define which applications are allowed and to block all others, including unknown applications. In addition, Palo Alto Networks monitors all 65,535 TCP and UDP ports all the time, i.e. it classifies traffic by application regardless of port or protocol.

Palo Alto Networks’ application-based Positive Control Model lets you reduce the organization’s attack surface, which is the first step in mitigating the risks of modern malware. Implementing a Positive Control Model means you do not have to worry about new third-party applications being developed that you want to keep out of your organization: they are automatically blocked if they are not specifically allowed, even if Palo Alto Networks does not have signatures for them.

The traditional firewall manufacturers provide Port-based Traffic Classification (PTC) with a separate application identification module that blocks only the applications you specify. This is a Negative Control Model, which is how an Intrusion Prevention System works (and an IPS is not a firewall at all). This approach requires the manufacturers to constantly add application signatures, because if there is no signature there is no way to identify the application and block it. Also of note, Palo Alto Networks provides PTC for backwards compatibility.

2. Single-Pass enables lower latency and higher performance

No matter how many features you turn on, Palo Alto Networks performs them all in a single pass, leveraging custom-designed hardware. Adding application detection to a Port-based Traffic Classification firewall as a multi-pass process reduces throughput, increases latency, and unnecessarily complicates policy management.

3. Unified policy management reduces policy management costs

Palo Alto Networks provides a single unified policy management interface for all aspects of PAN’s functionality, including users, applications, threat prevention, and URL filtering. Because of this, and because of the PAN-enabled shift to defining and deploying policy in terms of user groups and applications, policy management costs are reduced and IT’s ability to respond rapidly and securely to business needs is enhanced.

4. Policy management flexibility improves IT’s responsiveness to business needs

Palo Alto Networks’ policy options go well beyond basic allow/deny and block-malware. For example, in a single policy rule you can allow an application for a specific Active Directory group, with SSL decryption, threat prevention monitoring, and traffic shaping. This enables IT to be more responsive to the business while improving security.
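To make the distinction in section 1 concrete (port-based vs. application-based classification, and a Negative vs. a Positive Control Model), and to show the kind of single rule described just above (application plus directory group plus per-rule decryption, threat profile and shaping), here is a toy policy engine. It is an added example written for this page, not Cymbel’s or Palo Alto Networks’ code: the application signatures, port table, users, groups, rules and flows are all constructed for illustration, and the classifier only matches the first bytes of a payload, whereas a real App-ID engine uses protocol decoders, heuristics and decryption.

```python
"""Toy model of port-based vs application-based traffic classification and of
negative vs positive control models. Added example, not vendor code; every
signature, port mapping, user, group, rule and flow below is constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Flow:
    src_user: str
    dst_port: int
    payload: bytes  # first bytes of the client's payload


# Constructed signatures: leading bytes of the client's first payload.
APP_SIGNATURES: Dict[str, tuple] = {
    "web-browsing": (b"GET ", b"POST ", b"HEAD "),
    "ssh": (b"SSH-2.0-",),
    "bittorrent": (b"\x13BitTorrent protocol",),
}

# Port-based classification (PTC): the destination port is assumed to name the app.
PORT_TABLE: Dict[int, str] = {80: "web-browsing", 443: "ssl", 22: "ssh"}

# Constructed directory lookup standing in for Active Directory group membership.
USER_GROUPS: Dict[str, Set[str]] = {"alice": {"engineering"}, "bob": {"finance"}}


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_app(flow: Flow) -> str:
    """Application-based classification (ATC): ignore the port, match the payload."""
    for app, prefixes in APP_SIGNATURES.items():
        if flow.payload.startswith(prefixes):
            return app
    return "unknown"  # no signature: the app is identified as unknown, not as "ssl"


@dataclass
class Rule:
    name: str
    apps: Set[str]          # {"any"} or application names
    groups: Set[str]        # {"any"} or directory group names
    action: str             # "allow" or "deny"
    decrypt: bool = False                 # per-rule SSL decryption
    threat_profile: Optional[str] = None  # per-rule threat prevention profile
    qos_class: Optional[str] = None       # per-rule traffic shaping class

    def matches(self, app: str, user: str) -> bool:
        group_ok = "any" in self.groups or bool(USER_GROUPS.get(user, set()) & self.groups)
        app_ok = "any" in self.apps or app in self.apps
        return group_ok and app_ok


def evaluate(rulebase: List[Rule], default_action: str, app: str, user: str) -> Rule:
    """First-match evaluation; the implicit final rule carries default_action."""
    for rule in rulebase:
        if rule.matches(app, user):
            return rule
    return Rule("implicit-default", {"any"}, {"any"}, default_action)


# Positive control model: enumerate what is allowed, deny everything else.
POSITIVE_RULEBASE = [
    Rule("eng-ssh", {"ssh"}, {"engineering"}, "allow", threat_profile="strict"),
    Rule("all-web", {"web-browsing", "ssl"}, {"any"}, "allow",
         decrypt=True, threat_profile="default", qos_class="class4"),
]

# Negative control model: enumerate what is blocked, allow everything else.
NEGATIVE_RULEBASE = [Rule("block-p2p", {"bittorrent"}, {"any"}, "deny")]

# Constructed flows; the payloads are not real captures.
FLOWS: Dict[str, Flow] = {
    "http-on-80":       Flow("bob",   80,  b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    "ssh-on-443-bob":   Flow("bob",   443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "ssh-on-443-alice": Flow("alice", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "torrent-on-443":   Flow("bob",   443, b"\x13BitTorrent protocol\x00\x00"),
    "unknown-on-443":   Flow("bob",   443, b"\x00\x01NEWAPP/0.1\n"),  # app with no signature
}


def decide(flow: Flow, rulebase: List[Rule], default_action: str,
           classifier: Callable[[Flow], str]) -> str:
    app = classifier(flow)
    return evaluate(rulebase, default_action, app, flow.src_user).action


def run_demo() -> Dict[str, Dict[str, str]]:
    """Verdict for each flow under three designs: PTC + negative, ATC + negative, ATC + positive."""
    results = {}
    for name, flow in FLOWS.items():
        results[name] = {
            "port-negative": decide(flow, NEGATIVE_RULEBASE, "allow", classify_by_port),
            "app-negative":  decide(flow, NEGATIVE_RULEBASE, "allow", classify_by_app),
            "app-positive":  decide(flow, POSITIVE_RULEBASE, "deny",  classify_by_app),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:18} {verdicts}")
```

Two rows carry the argument. The BitTorrent client on port 443 is classified as “ssl” by the port-based design, so the block rule never fires; it is only the application-based classifier that lets the negative model block it. The unknown application on port 443 gets through both negative-model designs, because nothing can be blocked without a signature, and is dropped only by the positive model’s implicit default-deny. The “eng-ssh” and “all-web” rules also show one rule carrying group, decryption, threat profile and QoS settings together: SSH over 443 is allowed for alice (engineering) and denied for bob (finance) by the same rulebase.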

5. Tightly integrated Threat Prevention

The same underlying technology that enables Palo Alto Networks to detect evasive applications also enables superior threat detection. And because Palo Alto Networks sits inline at critical choke points in the network and in the virtualized data center, it is able to prevent both incoming known threats and outgoing spyware communications (including command-and-control traffic). For unknown threats, Palo Alto Networks provides WildFire, a cloud-based sandbox environment that is tightly integrated with the on-appliance Threat Prevention.
