AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


State of the Firewall: Even More Q&A with Our Panelists


Continuing our follow-up from the State of the Firewall in 2013 webcast, our panelists addressed questions such as “What’s the difference between UTM and NGFW?” and “Besides cost savings, what’s the greatest value that a NGFW provides?” In this post, our panelists respond in a rapid-fire Q&A session to a variety of questions posed by audience members…

How compatible are NGFWs with custom or in-house applications? Do they “learn” what is acceptable with these applications through some kind of base-lining process or is manual intervention needed?

Ryan Liles, Director of Testing Services, NSS Labs

This may vary from vendor to vendor, but NSS hasn’t tested the capabilities of these devices to “learn” the networks they’re installed in without manual intervention. The recommendation has always been to install them in a passive monitoring mode, watch what they alert on, and then have custom exclusions written for unique applications.

Patrick Bedwell, VP of Products, Fortinet

NGFWs do not natively include the ability to ‘self-learn’ the behavior of custom apps. It requires manual intervention to identify the unknown application traffic in order for the NGFW to properly identify and manage the application.

What impact will the trend of social media webpages like Facebook moving towards https have on the ability to block “specific” traffic or traffic patterns?

Pankil Vyas, Manager – Network Security Center, General Motors

You will need SSL interception capabilities on your NGFW. The most common problem in this type of implementation is managing the whitelist/blacklist of sites. For regulatory reasons corporations do not want to intercept SSL connections to employee benefits/payroll/personal banking sites.
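The bypass decision Pankil describes has to be made before the firewall terminates the TLS session, so in practice it keys off the Server Name Indication in the client's ClientHello. The following Python is an added example for this post (not code from any panelist, AlgoSec or Fortinet): it parses a ClientHello record, pulls out the SNI host name, and applies a hypothetical exemption list. The host names, the exemption list and the `build_client_hello` helper that fabricates sample traffic are all constructed for the example.

```python
import struct
from typing import Optional

# Constructed bypass list for this example. A real deployment would drive this
# from URL-category feeds (banking, payroll, benefits) rather than a static set.
BYPASS_HOSTS = {
    "payroll.example-hr.com",
    "benefits.example-hr.com",
}
BYPASS_SUFFIXES = (".example-bank.com",)


def build_client_hello(sni: str) -> bytes:
    """Fabricate a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Used only to construct sample traffic for the parser below."""
    host = sni.encode("ascii")
    server_name_list = struct.pack("!BH", 0, len(host)) + host    # name_type 0 = host_name
    sni_body = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x00" * 32                           # random (zeroed; fine for a sample)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # compression: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None when the
    record is not a ClientHello, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:                 # not a Handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                         # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                     # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                     # compression_methods
    if pos + 2 > len(body):
        return None                                          # no extensions block
    ext_end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000 or len(data) < 2:              # 0x0000 = server_name
            continue
        names = data[2:2 + struct.unpack("!H", data[:2])[0]]
        i = 0
        while i + 3 <= len(names):
            name_type = names[i]
            name_len = struct.unpack("!H", names[i + 1:i + 3])[0]
            i += 3
            if name_type == 0 and i + name_len <= len(names):
                try:
                    return names[i:i + name_len].decode("ascii")
                except UnicodeDecodeError:
                    return None
            i += name_len
    return None


def interception_decision(record: bytes) -> str:
    """'bypass' for hosts on the exemption list, 'intercept' for everything else.
    A flow with no parseable SNI cannot match an exemption, so it falls through
    to the default (intercept) rather than silently escaping inspection."""
    host = extract_sni(record)
    if host is None:
        return "intercept"
    host = host.lower().rstrip(".")
    if host in BYPASS_HOSTS or host.endswith(BYPASS_SUFFIXES):
        return "bypass"
    return "intercept"
```

Two caveats a practitioner will want: the SNI is asserted by the client and is not authenticated, so a stricter implementation confirms the bypass against the subject alternative names in the certificate the server actually presents before letting the session pass unintercepted; and the decision above defaults to intercept when no SNI is present, which is the safer default for a policy whose exemptions are meant to be narrow.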

Many organizations now require secure file transfers (SFTP or FTPS)… how can a next-gen firewall inspect that traffic if the data is encrypted?

Patrick Bedwell, VP of Products, Fortinet

NGFWs can decrypt and inspect encrypted data via the installation of server certificates / private keys on the NGFW.

Can the panelists comment on NGFW functionality for the newer protocol version?

Patrick Bedwell, VP of Products, Fortinet

Absolutely. One reason why you don’t hear much from most NGFW vendors about IPv6 is that they have not built in the dual-stack support and feature & performance parity necessary to provide the same level of protection for IPv6 as they deliver for IPv4 traffic. In other words, they hope you don’t have a requirement to support IPv6 because they can’t support it today.

Why this is an issue is threefold:

  1. You likely have IPv6 traffic in your network whether you know it or not. Many devices and OSes have native IPv6 enabled, and can send and receive IPv6 traffic by default.
  2. If your security infrastructure doesn’t offer dual-stack support, it can’t inspect the data and enforce policies (it can only forward packets), meaning you’ve got a significant blind spot in your security strategy.
  3. Dual-stack support doesn’t mean feature parity, and most vendors only support IPv6 in software. Supporting IPv6 is just the first significant step—vendors have to invest the R&D resources to ensure that their products can deliver the same features/functions in both protocols, and also invest in the custom processors to deliver hardware-based acceleration of the IPv6 data to avoid becoming a security bottleneck.
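Point 1 above is easy to verify on your own wire. The Python below is an added example written for this post (not code from Fortinet or any panelist): it classifies Ethernet frames the way an IPv4-only inspection engine would see them, counting native IPv6 (EtherType 0x86DD), IPv6 carried inside IPv4 (IP protocol 41, as used by 6in4/6to4 tunnels, which an IPv4-only policy simply forwards), and ICMPv6 Router Advertisements, which are how hosts with IPv6 enabled by default pick up a router in the first place. The frames, MAC addresses and IP addresses are constructed for the example rather than taken from a real capture.

```python
import struct
from collections import Counter
from typing import Dict, List, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_IPV6 = 41            # IPv6 carried inside IPv4 (6in4 / 6to4 tunnels)
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134


def classify_frame(frame: bytes) -> str:
    """Label one Ethernet frame by the IP family an IPv4-only firewall would see."""
    if len(frame) < 14:
        return "short"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV6:
        return _classify_ipv6(payload, "ipv6")
    if ethertype == ETHERTYPE_IPV4:
        if len(payload) < 20 or payload[0] >> 4 != 4:
            return "ipv4-malformed"
        ihl = (payload[0] & 0x0F) * 4
        if payload[9] == IPPROTO_IPV6:                 # protocol field = 41
            return _classify_ipv6(payload[ihl:], "ipv6-in-ipv4")
        return "ipv4"
    return "other-0x%04x" % ethertype


def _classify_ipv6(pkt: bytes, label: str) -> str:
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return label + "-malformed"
    next_header = pkt[6]
    if next_header == IPPROTO_ICMPV6 and len(pkt) > 40 and pkt[40] == ICMPV6_ROUTER_ADVERTISEMENT:
        return label + "-router-advertisement"
    return label


def summarize(frames: List[bytes]) -> Tuple[Dict[str, int], int]:
    """Per-label counts plus the number of frames an IPv4-only policy cannot inspect."""
    counts = Counter(classify_frame(f) for f in frames)
    blind_spot = sum(n for k, n in counts.items() if k.startswith("ipv6"))
    return dict(counts), blind_spot


# --- constructed sample frames (not a real capture) ---
def _eth(ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex("001122334455" "0a0b0c0d0e0f") + struct.pack("!H", ethertype) + payload

def _ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1])) + payload

def _ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80" + "0" * 24 + "000a")   # link-local source
    dst = bytes.fromhex("ff02" + "0" * 24 + "0001")   # all-nodes multicast
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, src, dst) + payload

SAMPLE_FRAMES = [
    _eth(ETHERTYPE_IPV4, _ipv4(6, b"\x00" * 20)),                                  # IPv4 TCP
    _eth(ETHERTYPE_IPV4, _ipv4(17, b"\x00" * 8)),                                  # IPv4 UDP
    _eth(ETHERTYPE_IPV6, _ipv6(6, b"\x00" * 20)),                                  # native IPv6 TCP
    _eth(ETHERTYPE_IPV6, _ipv6(IPPROTO_ICMPV6,
                               bytes([ICMPV6_ROUTER_ADVERTISEMENT, 0]) + b"\x00" * 14)),  # RA
    _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_IPV6, _ipv6(17, b"\x00" * 8))),             # 6in4 tunnel
]

if __name__ == "__main__":
    counts, blind = summarize(SAMPLE_FRAMES)
    for label, n in sorted(counts.items()):
        print(f"{label:28s} {n}")
    print(f"frames an IPv4-only policy cannot inspect: {blind}/{len(SAMPLE_FRAMES)}")
```

To run the same check against live traffic, feed frames from a capture library into `classify_frame`; the equivalent quick look with tcpdump is the filter `ip6 or ip proto 41`, which catches both native IPv6 and the tunnelled form on an interface.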

How quickly, realistically, can an organization expect to apply the Next-Gen Firewall capabilities to a legacy ruleset?

Pankil Vyas, Manager – Network Security Center, General Motors

IPS is probably the easiest. Application control might be also quickly implemented if the organization has proper logging and analysis done on the legacy ruleset.

What’s the next step for firewalls beyond NGFWs?

Patrick Bedwell, VP of Products, Fortinet

Perhaps the NNGFW (next-next-generation firewall)? In all seriousness, the NGFW will evolve, and the term will at some point be replaced. Vendors have to keep adding new features to keep pace with the changing networking environment. One area that we at Fortinet have launched is client reputation, which provides a set of behaviors that the FortiGate device uses to calculate a reputation score. The value of this is that a change in behavior by a device (whether sudden or over an extended period of time) will trigger an alert, providing a real-time method to identify the bad actors in your network at any time, as well as to identify potentially compromised systems.
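The general shape of a behaviour-based score like the one Patrick describes is a weighted sum of per-host events compared against that host's own past. The Python below is an added illustration for this post of that generic technique; it is not FortiGate's client reputation algorithm, whose behaviours and weights are not published, and the event kinds, weights, thresholds and per-day histories are all constructed for the example. It flags both cases the answer mentions: a sudden jump (today's score several standard deviations above the host's baseline) and a gradual rise (the recent window's mean growing well past the earlier window's).

```python
from statistics import mean, pstdev
from typing import Dict, List

# Hypothetical behaviour weights chosen for this illustration. Vendor products
# use their own (unpublished) behaviour sets and weights.
WEIGHTS = {
    "blocked_outbound": 2.0,   # outbound connection denied by policy
    "ips_hit": 5.0,            # IPS signature matched on this host's traffic
    "new_dst_port": 1.0,       # first contact with a destination port not seen before
    "malware_detected": 10.0,  # AV/sandbox verdict on a download by this host
}


def daily_score(events: Dict[str, int]) -> float:
    """Weighted sum of the day's behaviour counts for one host; unknown kinds score 0."""
    return sum(WEIGHTS.get(kind, 0.0) * count for kind, count in events.items())


def assess_host(history: List[Dict[str, int]], min_history: int = 5,
                spike_z: float = 3.0, drift_ratio: float = 2.0) -> Dict[str, object]:
    """history holds one event-count dict per day, oldest first, today last.
    Returns today's score plus an alert of 'sudden' (today is spike_z standard
    deviations above the host's own past) or 'gradual' (the recent window's
    mean has grown drift_ratio times over the earlier window), else None."""
    scores = [daily_score(day) for day in history]
    today, past = scores[-1], scores[:-1]
    if len(past) < min_history:
        return {"score": today, "alert": None, "reason": "insufficient baseline"}
    mu, sigma = mean(past), pstdev(past)
    if sigma > 0:
        z = (today - mu) / sigma
    else:                               # perfectly flat history: any rise is a spike
        z = float("inf") if today > mu else 0.0
    if z >= spike_z:
        return {"score": today, "alert": "sudden", "z": round(z, 2)}
    if len(scores) >= 2 * min_history:
        recent = mean(scores[-min_history:])
        earlier = mean(scores[:-min_history])
        if earlier > 0 and recent / earlier >= drift_ratio:
            return {"score": today, "alert": "gradual", "ratio": round(recent / earlier, 2)}
    return {"score": today, "alert": None}


# --- constructed per-day histories (not real telemetry) ---
STABLE_HOST = [{"blocked_outbound": 1}] * 10
SPIKING_HOST = [{"blocked_outbound": n} for n in (1, 2, 1, 0, 1, 2, 1, 1, 0, 1)] + \
               [{"malware_detected": 1, "ips_hit": 3}]          # today: 25 vs baseline ~2
DRIFTING_HOST = [{"blocked_outbound": 1}] * 5 + \
                [{"ips_hit": 1}] * 2 + [{"ips_hit": 1, "new_dst_port": 1}] * 3   # 2 -> 5 -> 6

if __name__ == "__main__":
    for name, hist in (("stable", STABLE_HOST), ("spiking", SPIKING_HOST), ("drifting", DRIFTING_HOST)):
        print(name, assess_host(hist))
```

The baseline is per host rather than global on purpose: a build server that legitimately opens hundreds of outbound connections a day should not be scored against a workstation's norm, and the "gradual" branch exists because a slow upward drift never produces a single day far enough from a steadily rising mean to trip the z-score check on its own.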

Nimmy Reichenberg, VP of Strategy, AlgoSec

Two trends we are certainly seeing are: 1) More consolidation – firewalls will get better at consolidating network security functions, not just IPS, but also URL filtering and advanced malware detection, and are likely to add more capabilities. 2) Virtual (Hypervisor-based) Firewalls – while adoption is limited currently, firewalls that can inspect VM to VM traffic will become more prevalent, as organizations will virtualize their environment to the point where workloads that differ in their security requirements are executed on the same physical machine.

Pankil Vyas, Manager – Network Security Center, General Motors

I think NGFW is still not mature; Data Loss Prevention is just scratching the surface of NGFW. IPv6 will bring some more challenges in firewall space. Content examination within protocols, digital marking for DLP, and authentication functions for bidirectional connections to support mobile devices are probably some areas of interest.

Thanks to our panelists for responding to these questions. For more commentary on where the firewall is headed, check out our “Evolution of the Firewall” blog.
