Jon Oltsik, an analyst with Enterprise Strategy Group Inc., in Milford, Mass., said next-generation firewalls -- touted as the next big thing a few years ago -- have lost their luster. NGFWs grabbed the attention of security professionals with Layer 3 and 4 packet filtering, deep packet inspection and enhanced network security services. But today, the excitement is wearing off and raising questions about whether NGFWs are on track to be seen as a legacy firewall technology.
NGFWs, Oltsik said, are losing traction as a result of software expansion and microsegmentation tools. NGFWs also tend to sacrifice line speed when they consolidate security gateway functions, such as Secure Sockets Layer (SSL) decryption or web security gateways, and they tend to cause some management confusion because they straddle the networking and security teams.
Software-as-a-service providers in the cloud also tend to challenge the benefits of NGFWs. Oltsik conceded that many NGFW challenges apply only to advanced organizations, and he added that major vendors like Fortinet and Check Point probably don't face any immediate market danger. "The services that make up NGFWs are still necessary, and central management and operations is always worthwhile, but the thought of forcing all these things into some perimeter-based god box is looking more and more like a [legacy firewall]," Oltsik said.
Zentera offers secure Cloud over IP
Ethan Banks, writing in Packet Pushers, looked at Zentera's new Cloud over IP product, which is only available through other vendors with whom Zentera partners. Banks described Cloud over IP as an agent-driven platform that links together hosts with a network-based SSL overlay. The goal of the product is to provide connectivity and security across multiple cloud providers, particularly for hybrid infrastructures.
According to Banks, Zentera offers customers an edge gateway that creates proxy SSL tunnels to ease perimeter firewall administration tasks. The offering includes a centralized controller that connects with agents at different endpoints. The agents can be deployed on virtual machines, on Linux and Microsoft Windows servers, and in containers.
When workloads shift, Zentera moves the associated security policies with them, and the vendor offers "application interlock," which controls which applications may access a communications-over-IP network. Banks added that the offering also includes analytics features, such as traffic inspection, which is limited to the first packet in a flow. Once a flow has been authenticated against the security policy, it is allowed to proceed.
Read more of Banks' take on Zentera's Cloud over IP offering.
Cisco debugs NX-OS
Ivan Pepelnjak, writing in ipSpace, gave a shoutout to Cisco and the steps it took to rectify a bug that caused NX-OS to drop configuration commands. After Pepelnjak complained about the glitch, Nicolas Delacroix, a Cisco technical marketing engineer, responded. Delacroix attributed the bug to old Linux TTY device drivers, which were introduced in 2009. It had been present for years, but became more visible in time because of a shift to model-based device configuration that added delays to the configuration path.
To resolve the dropped commands, Cisco needed to work around version issues that prevented its engineers from directly upgrading the Linux kernel used by NX-OS. Instead, Cisco engineers backported a fix for the bug into the TTY device driver. According to Delacroix, Cisco will ship the repaired device drivers with NX-OS updates to be released later this month. In the meantime, Pepelnjak recommended that engineers explore temporary workarounds, such as using NX-API.
Explore more of Pepelnjak's thoughts on Cisco's debugging efforts.