The days of the first-generation firewall are numbered as enterprises begin to demand more from these venerable...
network security devices than just standard port and protocol protection.
Many vendors and analysts talk about next-generation firewalls, devices that integrate traditional firewall capabilities with other network security capabilities, particularly application layer intrusion prevention system (IPS) functions.
In a recent research note, Gartner analysts John Pescatore and Greg Young estimated that 1% of all enterprise Internet connections today are secured with next-generation firewalls. They believe that by 2014 that ratio will increase to 35%, with 60% of all new firewall purchases being next-generation products.
Defining next-generation firewalls
Many vendors tout their firewalls as next-generation products, but not all next-generation firewalls are created equal. Definitions of the technology vary, but most experts agree that deep integration of multiple network security capabilities in a single appliance is essential.
Forrester Research senior analyst John Kindervag said he looks at the next-generation firewall as what unified threat management (UTM) should be.
The next-generation firewall is a gateway device that looks at a packet from more than just a simple Layer 3 perspective to determine whether it should be allowed through a port. It looks at Layers 3 through 7 and gains an application-level understanding of the packet, which allows it to make many more sophisticated decisions. The key to doing this successfully is looking at the packet just once, as opposed to passing it from one function of a device to another.
"A lot of products have to open the packet up at the firewall. And if [the packet] is allowed, it reassembles the packet and sends it to the IPS, where it looks … at Layer 7 instead of Layer 3," Kindervag said. "The next-generation firewall is going to blur the distinction between UTM, firewalls, IPS -- all these point technologies that we have -- and it will be able to do it within a single CPU, within a single clock cycle [and] within a single path or flow, so that it has low latency. It has cost-effectiveness and it's replacing maybe multiple devices. It has application awareness and identity-of-the-user awareness, so it can provide much more threat intelligence."
Next-generation firewalls can consolidate network security operations
Consolidation of network security devices was an important factor in John Shaffer's decision to switch from Juniper Networks firewalls to Palo Alto Networks firewalls. Shaffer, director of global systems and technology for Greenhill and Company, a mergers and acquisitions financial advisory firm, said he had always loved Juniper's firewalls because of their ease of use and their VPN capabilities. But the IPS features that Juniper touts as next-generation just weren't robust enough for him.
"I've been looking at different tools to deal with malware and spyware from different vendors, and it might have been any vendor that had specific boxes for that," Shaffer said. "Tipping Point has [its] box, and Blue Coat has [its] box. So you're looking at taking all these different boxes and having to manage them separately. It becomes a little complicated. We were concerned about being able to block webmail. How do we block it, from a compliance standpoint, from coming into the organization? Standard firewalls don't do that, so you need something else.
"Finding a vendor that consolidated those functions into a single unit, for someone like us, who has a fairly small IT department [fewer than 10 staff members], that is really big," Shaffer continued, "because there is a lot of work involved in keeping these things up and going."
He decided to deploy Palo Alto firewalls in his network because of the IPS capabilities and the application visibility they provide. He said there are standalone IPS boxes out there that might have better capabilities than his Palo Alto firewalls, but chances are he wouldn't be able to use them to their fullest extent because of his limited resources. One IT administrator managing a firewall, a Web filtering gateway and an IPS box separately won't have enough time to optimize all three boxes, whereas he can get the most out of Palo Alto's IPS features because it is easier to manage IPS and basic firewalling in one box.
"Palo Alto's application visibility gives you a much more in-depth view of what's going on [and] what types of applications are out there," Shaffer said. "But you're not 100% guaranteed that you're not going to get something that comes through. If you have people that travel, you're not guaranteed that people are not going to get something outside the network and then bring it back in. I want to continually block more threats as much as possible, but I guess it's a fine line. If you block too much, then the things that you want to work don't."
Kindervag said Palo Alto is one of the more successful next-generation firewall vendors on the market because the startup's products are relatively new. Being a newer vendor means it doesn't have as much legacy code to deal with. Its hardware and software is purpose-built for next-generation features. More established vendors have older code bases and older hardware architectures to work with, and they're not going to start from scratch.
Watch out for next-generation firewall hype
Some of the more traditional firewall vendors are starting to move toward next-generation devices, Kindervag said.
"Juniper, by moving to JunOS, has the opportunity to create some interesting plays," he said. "I don't know if they're fully done with that yet. Their transition from ScreenOS to JunOS is not yet … complete."
In the meantime, enterprises should be wary of vendors' claims that they are producing next-generation firewalls. Everyone has his own definition, and enterprises might find that their standards exceed those of some vendors.
"I think it's hard to cut through the marketing hype right now," Kindervag said. "You have to look at a couple things: You have to look at the hardware architectures. Go underneath the hood and [ask] … does it have a processor fast enough to process all these packets all the way through Layer 7 in near real time? Because we don't want latency to destroy applications like VoIP."
If a firewall vendor is using a traditional server style piece of hardware with general-purpose processors, the enterprise should be skeptical that the vendor can get the compute power necessary to look at a packet from multiple layers and perform the analysis necessary to complete all the next-generation functions enterprises are looking for.
"The second thing you look at is how elegant the software is," Kindervag said. "If it's hard to configure and hard to manage and seems old school, it probably is old school. If you have to do a lot of things behind the scenes with command line, it's probably pretty darn old code, because no one creates code with that kind of interface anymore."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor