Next Generation Firewalls

By on Apr 13, 2012 in Technology

The primal contest between computer user security and the external threat environment will shift with next generation firewalls. Significantly upgraded over the previous state-of-the-art, next-gen firewalls offer improved visibility into the contemporary Web-based network landscape and a much-enhanced capacity to detect advanced threats. But is this truly a generational performance enhancement, or just the same ol’ technology with an added dash of marketing magic? Let’s take a closer look.

Traditional firewall functionality includes stateful port/protocol inspection, network address translation (NAT), and virtual private network (VPN) integration. Typical services also include directory support (via Active Directory or similar) that authenticates and authorizes applications based on users and user groups. Also common is reputation-based filtering, which blocks applications that have earned a rep for naughty behavior. This helps block phishing attempts, virus infiltration, and other malware sites and applications.

Regardless of the vendor, next-gen firewalls include the following features:

Application ID & filtering: This is where next-gen firewalls really make a difference. Instead of the traditional all-or-nothing approach of opening or closing ports, next-gen firewalls identify the specific application carried in each flow and filter traffic on that basis. Malicious applications that use non-standard ports to evade port-based controls can be stopped dead in their tracks.

SSL and SSH inspection: Enhanced inspection technology means next-gen firewalls can put SSL- and SSH-encrypted traffic under the microscope. Traffic is decrypted, inspected, filtered, and then re-encrypted before it is forwarded; because the firewall terminates the session and presents its own certificate, clients must trust the firewall's signing CA for this to work. Advanced malicious apps that use encryption to evade detection can no longer hide from inspection.

Intrusion prevention: Enhanced versatility and robust traffic inspection abilities provide all the functionality of a stand-alone intrusion prevention system. Most next-gen firewalls include full intrusion detection and prevention capability.
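As an added illustration of the application-ID point above (this is example code, not from the original post or from any vendor's product), the Python sketch below contrasts a port-only rule with an application-aware rule over a handful of constructed flow records. The Flow type, the three-application classifier, the policy choices and the sample payloads are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    """One client-to-server flow: destination port plus the first bytes sent."""
    dst_port: int
    payload: bytes

def identify_app(payload: bytes) -> str:
    """Classify the application from what the bytes look like, not from the port."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"                     # SSH version banner
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                     # TLS record: type 0x16 (handshake), version 3.x
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT"):
        return "http"                    # plaintext HTTP request line
    return "unknown"

def port_decision(flow: Flow) -> str:
    """Traditional rule: ports 443 and 22 are open, everything else is closed."""
    return "allow" if flow.dst_port in (443, 22) else "deny"

def app_decision(flow: Flow) -> str:
    """Application-aware rule: decide on the identified application, then its port."""
    app = identify_app(flow.payload)
    if app in ("tls", "http"):
        return "allow"
    if app == "ssh":
        # SSH is permitted only on its own port; an SSH banner arriving on 443
        # is exactly the port-hopping the text describes and is refused.
        return "allow" if flow.dst_port == 22 else "deny"
    return "deny"                        # unidentified traffic is not trusted

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow(443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # TLS ClientHello on 443
    Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),                        # SSH hiding on 443
    Flow(443, b"\x05\x01\x00"),                                   # opaque bytes on 443
    Flow(22, b"SSH-2.0-OpenSSH_8.9\r\n"),                         # SSH on its own port
]

def compare(flows):
    """Return (app, port-based verdict, app-based verdict) for each flow."""
    return [(identify_app(f.payload), port_decision(f), app_decision(f)) for f in flows]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print(row)
```

The port-only rule waves through every flow on 443, while the application-aware rule refuses the SSH banner and the unidentified bytes that arrive there.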

In short, next-gen firewalls blend a full suite of functions – firewall, intrusion prevention, and additional security capabilities – into a single, efficient, high-performance appliance. The move to application-based filtering allows an unprecedented level of fine-tuning and threat protection.

Where do next-gen firewalls go from here?

Since 2007, when Palo Alto Networks introduced the core feature set that defines what we consider today a next generation firewall, the technology has been embraced by the marketplace. According to a joint study by Infiniti Research and TechNavio Insights, next-gen firewalls accounted for 5-10 percent of total firewall appliances in 2010. That figure is predicted to jump to 35 percent by 2014.

For businesses the attraction is twofold. Application-based controls and enhanced security are the must-haves, and the fact that they arrive with overall cost savings and reduced management overhead is the icing on the cake. Performance bugs are still being ironed out: this level of added security comes at a performance price, and many businesses are unwilling to compromise on connections per second and optimal traffic rates. True next-gen firewalls also require purpose-built appliances – simply modifying older equipment does not deliver the same performance. As these issues are resolved and the technology matures, the market will continue to grow.

It won’t take long for the threat environment to answer with new challenges and exploits… it never does. But for a while at least, next generation firewalls have convincingly gained the upper hand in managing individual user and network security.