The firewall is one of the most fundamental network security control mechanisms, and over the last two decades, the firewall has evolved from a simple packet-filtering device to a complex system capable of monitoring the state of numerous network traffic sessions simultaneously. Yet even with more advanced features and higher throughput than ever before, firewalls are having an identity crisis. The threat landscape is changing rapidly, and traditional filtering for ports and IP addresses is no longer adequate. For this reason, many organizations are turning to next-generation firewalls (NGFW) that offer new capabilities.
NGFW must-have features
When you're looking to buy a next-gen firewall, either as a replacement for existing firewalls or intrusion detection systems, or as a standalone security control point, there are several features you'll need for maximum effectiveness. These include the following:
- Application identification and control. The most important feature of any NGFW is the ability to properly parse, decode and analyze application traffic for anomalies and known threats based on signatures. Many of the most critical business applications are engineered with subtle policy variations to permit different types of functionality. Firewalls need to be able to understand those subtleties to make proper policy decisions. Any effective next-gen firewall must permit granular application policy development and monitoring, as well as updates to the parsing and processing engine that allows the device to evaluate rules and apply them consistently -- even as traffic patterns change over time.
- Protocol dissection and anomaly detection. Any next-gen firewall should be able to rapidly break down protocols into their component parts. Many attackers employ complex tunneling techniques to embed command traffic or sensitive data within other protocols. As a result, next-gen firewalls need to determine whether ICMP, HTTP and other traffic types are genuine or fabricated to carry attacker data.
- User identification. All enterprise-class next-generation firewall platforms should be able to connect to a variety of directory sources like Active Directory and correlate activity in the environment to individual user identities. Ideally, the system should be able to map an IP address to a system name as well as to the user logged into that system. Role-based policies on the firewall can then be applied to the specific users detected. That allows the firewall to determine whether the traffic exhibits any unusual traits related to protocols and application attributes even as it tracks usage patterns expected from certain users and groups. In this case, the most important consideration for potential buyers to consider is the platform's support for user repository types.
- Speed and performance. As an inline device parsing and filtering traffic, another key attribute of any NGFW evaluation should be speed. Given the intense processing and analysis of packets coming through any next-gen firewall device, traffic latency is a major concern. Many products boast sustained speeds of 10 Gbps and more, and these should be tested thoroughly with real production traffic if at all possible before making a purchasing decision.
Can't get enough on next-gen firewalls?
Check out Dave Shackleford's Network Classroom on how to use NGFWs for modern network security architectures and where they fit in with what you already have.
NGFW nice-to-have features
While not critical "must have" features, the following features are in the nice-to-have category and are included in some NGFW products:
- URL filtering. Some firewalls can perform URL-based content filtering and site reputation analysis. Although not likely to be as robust and feature-rich as standalone content filtering products from Websense, BlueCoat Systems and other vendors, URL filtering adds another dimension of application and traffic analysis to the inspection already being performed.
- SSL termination and inspection. Attackers are intelligent, and they are building malware and attack toolkits that use encrypted channels like Secure Sockets Layer (SSL) to carry sensitive data and bot commands. Some organizations may consider this a "must have" requirement in a next-gen firewall platform, but many businesses either aren't yet ready to inspect SSL or can't for privacy-related reasons.
- Virtual malware sandbox. Some of the newer NGFW platforms offer integrated malware sandboxing and analysis, which may be useful in detecting more advanced malware infections.
Additional areas to consider include ease of use and implementation, integration with other tools and technologies in the environment, and the ability to format events and logs from the devices.
The bottom line
NGFW platforms are becoming more and more capable all the time, and they can augment or replace more traditional firewall technologies in most environments today.
Check Point 12610 review
Fortinet FortiGate 3950B review
Palo Alto PA-5060 product review