This content is part of the Essential Guide: Picking the best firewall software, hardware or application

Choosing a next-generation firewall: Vendor comparison

Next-generation firewalls are becoming a must. Read our comparison of application-aware firewall options available from the leading firewall vendors.

Many firewall vendors offer next-generation firewalls, but they disagree over whose technique is best. What makes a firewall "next-generation" is application awareness. A traditional stateful firewall decides on ports and protocols; a next-generation firewall inspects the traffic itself to identify the applications traversing the network. That matters because port and protocol no longer say much about what a flow is: with applications moving to the public cloud and to Software as a Service (SaaS) providers, most of them ride on the same HTTP and HTTPS ports, and an application can be run over any port its author chooses. Policy therefore has to be written at the level of the application, and often of the function within it, to ensure that only the intended traffic enters the enterprise network.

Each vendor has its own approach to building application awareness into a firewall. We asked each of the leading firewall vendors to explain how their next-generation firewalls differ from the competition. Here is what we learned.

• Astaro uses an application signature database from its partner Vineyard Networks to deliver application awareness to its Astaro Security Gateway. Through this partnership, Astaro's firewall can distinguish different applications running from the same website and apply Quality of Service options to prioritize and allocate bandwidth to them. The latest version of Astaro Security Gateway improves how this information is presented to the firewall administrator: a network-wide view lets administrators quickly define security policies based on what is happening in real time. The key, according to Astaro, is to let IT react to new threats by seeing what is happening and fine-tuning the firewall quickly and easily.

Astaro is also focused on identifying new, unknown application types as soon as they start hitting customer networks. In a planned upcoming release, administrators would be able to opt in and anonymously submit unknown packet types for review by Astaro engineers, who will use the compiled data to identify the applications and add them to the signature database.

• Check Point Software has developed the AppWiki application library, which the company claims can identify over 5,000 applications and 100,000 social networking widgets. These application signatures feed the company's Check Point Application Control and Identity Awareness Software Blades. The software also integrates with Active Directory to identify the user and endpoint, allowing administrators to write granular security policies tied to users and endpoints rather than to addresses alone. Check Point also offers real-time user education: agent software on the user's PC, UserCheck, pops up a window when the user violates security policy, explains the violation and guides the user through remediation. The agent also lets users send feedback to administrators, streamlining the process of adjusting security policies to user needs.

• Cisco Systems has announced plans to add new levels of application visibility to its Adaptive Security Appliance (ASA) as part of its new SecureX security architecture. Cisco claims the architecture will address not only application awareness but also user and device identification, as features roll out throughout 2011. Details on how Cisco obtains that application visibility remain sketchy for now.

• The application control functions of Fortinet's FortiGate devices use protocol decoders and decryption of network traffic to identify applications. The company's FortiGuard Labs team maintains an application signature database, adding signatures for new applications and updating signatures for new versions of existing ones. The database lets Fortinet's products separate the disparate applications served from a single site, such as Facebook or Google, and apply a separate policy to each. Fortinet claims a performance and integration advantage over its competitors because all of its technologies are developed in-house.

• Juniper Networks uses a suite of software products, known as AppSecure, to deliver next-generation firewall capabilities on its SRX Services Gateway. The application-aware component, AppTrack, provides visibility into the network based on Juniper's signature database as well as custom application signatures created by enterprise administrators. With AppTrack providing visibility, the AppFirewall and AppQoS components of the suite provide policy enforcement and traffic control for the identified applications. Juniper also claims a high level of scalability in its platform, with the ability to deliver application protection at speeds of up to 100 Gbps.

• McAfee, recently acquired by Intel, uses its McAfee AppPrism technology for application discovery and awareness in McAfee Firewall Enterprise. AppPrism identifies thousands of applications, regardless of port or protocol, backed by application signatures developed in-house by McAfee's own Global Threat Intelligence team, the company claims. AppPrism also provides a fine level of application control, allowing administrators to disable just the riskier portions of an application. For example, administrators can block the file sharing capability of an instant messaging application without blocking a user's ability to chat. McAfee claims its next-generation firewall has an edge because application awareness is a core part of its firewall architecture and all components, including the application signatures, are developed internally.

• Palo Alto Networks says it was the first vendor to deliver next-generation firewalls and the first to replace port-based traffic classification with application awareness. The company's products are built around a classification engine known as App-ID. App-ID identifies applications using several techniques, including decryption, detection, decoding, signatures and heuristics. The App-ID for a given application can combine any of these techniques in a single bundle, allowing the engine to identify all versions of an application and all of the platforms it runs on. Because App-ID is the core of Palo Alto's firewalls, it is always running, so it can detect when an application performs a particular function, such as a file transfer, and apply policy to that specific function. The company also notes that App-ID is extensible: as new classification techniques become available, they can be incorporated into the engine.

• For SonicWALL, the formula for application awareness in its Next-Generation Firewall is a combination of Deep Packet Inspection (DPI) and an ever-expanding signature database that can currently identify and control upward of 3,500 applications and application functions. SonicWALL's Reassembly-Free Deep Packet Inspection (RFDPI) scans every packet across every protocol and interface. On the signature side, the SonicWALL Research Team continually generates new signatures, which are delivered and applied automatically without extra work from the network administrator. In addition, IT shops can create their own signatures as needed.

SonicWALL's firewall also includes a Visualization Dashboard and Real-Time Monitor, which enable administrators to see the specific applications on the network, including who is using them and how heavily. The idea is to use this information for policy setting and troubleshooting.
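To make the difference between the two kinds of classification concrete, here is a constructed Python example, added for this page and not taken from any of the vendors above. It classifies the first client payload of a flow twice: once by destination port, as a traditional stateful firewall would, and once by decoding the payload in the way the vendor descriptions above sketch, combining byte-pattern signatures (including an administrator-defined custom signature of the kind Juniper and SonicWALL allow), an HTTP decoder that separates browsing from file upload on the same site (the per-function control McAfee and Palo Alto describe), and a TLS ClientHello decoder that recovers the SNI host without decryption. Policy is then keyed on application and function rather than port. Every host name, flow, signature and policy rule is invented; the SNI decoder shows the limit of classifying encrypted traffic without decryption, since it reveals the destination but nothing about what the user does inside the session, which is why Fortinet and Palo Alto list decryption among their techniques.

```python
# Toy application-aware classifier: constructed example, not any vendor's engine.
import re
import struct

# Stateful-firewall view: the destination port alone names the "application".
PORT_TABLE = {80: "web", 443: "ssl", 22: "ssh", 6881: "bittorrent"}

def classify_by_port(dst_port):
    return PORT_TABLE.get(dst_port, "unknown")

def decode_http(payload):
    """Decoder technique: parse the request line and headers of an HTTP request."""
    lines = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    m = re.match(rb"^(GET|POST|PUT|HEAD) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(b":") for l in lines[1:])}
    return m.group(1).decode(), m.group(2).decode(), headers

def decode_tls_sni(payload):
    """Decoder for encrypted traffic: read the SNI host from a TLS ClientHello (no decryption)."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:       # handshake record, ClientHello
            return None
        p = 43                                              # past headers, version, random
        p += 1 + payload[p]                                 # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher suites
        p += 1 + payload[p]                                 # compression methods
        p, ext_end = p + 2, p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                                  # server_name extension
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode()
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

# Signature technique: byte patterns that identify a protocol on any port; the last is a
# hypothetical custom signature an administrator added for an in-house application.
PATTERN_SIGS = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("internal-tool", re.compile(rb"^INTTOOL/1\.0 ")),      # hypothetical
]
# Web applications are told apart by the host they talk to, not by the port.
WEB_APPS = {"www.facebook.com": "facebook", "upload.facebook.com": "facebook", "mail.google.com": "gmail"}

def classify_by_payload(payload):
    """Return (app, function) for a flow's first client payload."""
    for app, rx in PATTERN_SIGS:
        if rx.search(payload):
            return app, "session"
    http = decode_http(payload)
    if http:
        method, _path, hdrs = http
        app = WEB_APPS.get(hdrs.get(b"host", b"").decode(errors="replace"), "web")
        if method == "POST" and hdrs.get(b"content-type", b"").startswith(b"multipart/form-data"):
            return app, "file-upload"                       # same app, riskier function
        return app, "browse"
    sni = decode_tls_sni(payload)
    if sni:
        return WEB_APPS.get(sni, "ssl"), "encrypted"
    return "unknown", "unknown"

# Policy keyed on (app, function); "*" matches any function; first match wins;
# anything the engine cannot identify is denied.
POLICY = [("facebook", "file-upload", "deny"), ("facebook", "*", "allow"),
          ("bittorrent", "*", "deny"), ("internal-tool", "*", "allow"), ("web", "*", "allow")]

def decide(app, function):
    for rule_app, rule_fn, action in POLICY:
        if rule_app == app and rule_fn in ("*", function):
            return action
    return "deny"

def build_client_hello(sni):
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed flows: (destination port, first client payload).
FLOWS = {
    "fb-browse": (80, b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    "fb-upload": (80, b"POST /up HTTP/1.1\r\nHost: upload.facebook.com\r\n"
                      b"Content-Type: multipart/form-data; boundary=x\r\n\r\n--x"),
    "bt-on-80": (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),
    "fb-tls": (443, build_client_hello("www.facebook.com")),
    "internal": (9000, b"INTTOOL/1.0 HELLO\n"),
}

def compare(flows=FLOWS):
    """Map each flow name to (port view, app:function view, policy action)."""
    out = {}
    for name, (port, payload) in flows.items():
        app, fn = classify_by_payload(payload)
        out[name] = (classify_by_port(port), f"{app}:{fn}", decide(app, fn))
    return out
```

Running `compare()` shows the point of the article in one table: the port view calls both the Facebook upload and the BitTorrent handshake on port 80 "web" and would pass them, while the payload view names the application and, for HTTP, the function, so the policy can deny the upload and the file-sharing protocol and still allow browsing. The in-house tool on port 9000 is "unknown" by port but recognized by the custom signature, and the TLS flow is attributed to Facebook from its SNI alone. A production engine differs from this toy in that it reassembles streams, tracks state across packets and handles evasions such as fragmented or obfuscated handshakes, which is where the vendors' claims above actually compete.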

This was last published in March 2011
