Next-Generation Firewalls: A Step in the Right Direction, but it’s Not a Black or White Decision

Protecting an organization from risk is still the main reason we have firewalls in place today, but with the advent of Next-generation firewalls (NGFWs) the traditional manner in how we secure the enterprise with firewalls is changing. With the emergence of web 2.0 we need to be able to protect ourselves from evolving threats that wouldn’t be stopped with traditional “Old School” firewalls, but as always everything new comes with its own sets of challenges. By utilizing a NGFW, organizations can leverage its features to plug holes in their infrastructure, but at the same time open themselves up to new risk.

The Beauty of the Next-Generation Firewall

Next-generation firewalls give you increased visibility and insight of what’s happening in your network. No longer are we looking to block by source IP/destination IP and port alone, but by adding the intelligence to filter by application type, user identity, and reputation adds an enormous and granular advantage into your firewall security policy.

Attackers are aiming for data and will continue to climb the stack to the application layer to get it. Being able to differentiate in a policy by application is becoming crucial within a modern day’s business. These firewalls must be able to tell the difference between what’s being offered through an HTTP or HTTPs connection. It’s what’s on these pages that matters now (video, social networking, mail, games), not that just port 80 or 443 are open. Application signatures help identify thousands of applications and put controls around them down to the user level themselves. For example,  social networking is booming and successful companies need to embrace it, but at the same time not every user should have the ability to POST to a social network.

With application control you’ll be able to define a firewall policy that drills down to what groups of users can do with a particular application, allowing for better security and a business advantage. No longer do you need to shut off Facebook for the entire company, when you can allow people to view it without adding content. Also, with the ability to have reputational and user identity added to the rules of your system an administrator can tailor their environment to a baseline and get a better understanding of what normal traffic is for a site, group or user. An admin can quickly define policy in the network and create security policy based off real-time events that are happening via this knowledge.

With Great Power Comes Great Responsibility

Every time someone comes knocking on your door trying to sell a magic box you should be careful. Next-generation firewalls are an amazing improvement in the evolution of firewall technology, but without first grasping a few concepts about NGFWs you could actually put yourself at greater risk. The line from the movie Spider-Man, “With great power, comes great responsibility” can be transferred over when examining how to manage next-gen firewall policies. You really need to make sure that the granular changes you’re making are going to reduce risk into your environment. If you’re allowing certain applications into your organization you need to be sure that these applications aren’t malicious or have the potential to be malicious. The apps that are being used can offer a great deal of risk and carry malware. No longer are you blocking on the port level, but by the app itself. You must be able to figure out what these apps are and block or allow depending on the profile of the app user identity.

Remember, firewalls are not only used to block data, they’re used to allow data through it. 

Verify that when you’re making a change to the firewall with these additional attributes you understand the full impact of what would be allowed – these changes are no longer black and white. As the rulesets and features increase, so does the complexity. Also, the more you add on the firewall the more it’s going to weigh the resources of the box. Inspecting every packet and session ingressing/egressing the network can put a huge strain on performance. The more granular you get with the inspection the deeper the firewall has to look into data, which could produce latency. Since NGFWs try to combine everything (Firewall, IPS, AV, web filtering, etc.) to save money and become an all-in-one shop, you might be putting more strain than needed on your system.

This leads me to my last point of having your security in layers. By using a next-gen firewall as your be-all-end-all, magic security box you can definitely find yourself in hot water. Just because one system is great at one particular feature in the NGFW, doesn’t mean that they’re the best-of-breed everywhere. Having multiple layers of security has always been a good idea and by ripping out your infrastructure to have it all replaced with a NGFW can be slightly concerning.  Some NGFW installations are using just parts of the NGFW behind an existing firewall or IPS to see what’s getting through, as well as to use this device as their app-layer and identify management security system. Adding all these features together does save money, but is it the right thing to do? That depends on your infrastructure and the systems you currently have in place.

So in conclusion… next-generation firewalls do have clear advantages over traditional firewalls, but in order to get the full benefit of these systems, an administrator needs to truly know their environment, the security systems they’re managing, the holes it might fill or cause and how to use it effectively. Just like anything new you’ll have to get a feel on what the system can do and then verify if it’s the right fit for your organization.