RSA: Trio Of Next-Gen Firewalls Try To Keep Up With Evolving Threats

Much of the attention at this week's RSA Conference 2012 will be on the next-generation firewall (NGFW) and how it is getting more sophisticated as the threats to computer networks get more sophisticated. A number of vendors will be making NGFW announcements during the conference in San Francisco, but not all solutions advertised as next-generation firewalls are created equal, says one analyst.

February 29, 2012


"As with any term, once the marketing department gets hold of it, things can spread pretty dramatically," states Eric Hanselman, research director for networks at The 451 Group. Intrusion protection system/intrusion detection system (IPS/IDS), VPN and Web application firewall technologies are all common features of a NGFW, but some vendors are also touting features such as SSL acceleration and WAN acceleration as NGFW components, too.

Hanselman says the core functionality of a NGFW should be protecting the network from outside or inside threats. Everything else may be nice to have but not a core function. He uses an automotive analogy. "A next-generation car would include things like ABS and more sophisticated traction control--things that are related to the driving of the car, as opposed to things like air conditioning or a better sound system," he says.

A December 2011 Gartner report on NGFWs portrays a nascent but quickly expanding market for the technology. Gartner estimated that when the books are closed on 2011, the firewall market, including NGFW, will bring in $6.3 billion, up from $5.9 billion in 2010 and $5.4 billion in 2009. There is considerable opportunity for more growth: Gartner noted that while less than 5% of Internet connections are currently protected by NGFWs, by 2014 that number will grow to 35%.

The Gartner Magic Quadrant assessment of the NGFW market shows a number of vendors clumped together in the Niche Players lower-left quadrant. Only two firms are identified as Leaders in the upper-right quadrant: CheckPoint Software Technologies and Palo Alto Networks, which introduced a NGFW solution for branch offices last fall.

Companies introducing NGFW solutions at RSA include Stonesoft, a niche player according to Gartner, which is introducing the Stonesoft Security Engine. The company describes the product as a "transformable" NGFW because it can be programmed by the operator as a traditional and/or next-gen firewall, a Layer 2 firewall, or a traditional or next-gen IPS. It can also be programmed to deliver VPN or unified threat management (UTM) protection.

The Security Engine features "contextual awareness" to enhance protection, says Matt McKinley, director of the product management team for Stonesoft in the United States. That means the firewall can assess the security of a connection based on the application, the end user and a deep inspection of the packets traversing that connection.

With this product, available sometime in April, Stonesoft is trying to address some of the problems enterprises encounter trying to deploy NGFW, McKinley says. "I think there are some significant shortcomings in terms of scalability and availability in the rush to get all the features that are required for a next-generation firewall and next-generation IPS. I see the focus shifting in that direction toward adaptability, scalability, advanced threat protection and ... being able to make more intelligent decisions," he says.

Also taking a bow at RSA is Netronome, which will be introducing a Network Flow Management (NFM) software framework for NGFW designers who are basing their designs on flow processors. The company says the framework will deliver IPSec, IPS and SSL inspection capabilities in a NGFW.

Fortinet is also making NGFW news at RSA with the FortiGate-3240C, a security appliance that addresses multiple threats and exerts granular control over more than 1,900 discrete applications. The appliance also provides real-time protection against current and emerging advanced persistent threats (APTs), says the company. Also new is the FortiGate-5101C, a security blade that integrates the latest FortiASIC processors to accelerate the performance of FortiGate-5000 Series ATCA-compliant systems, including the FortiGate-5140B.

Fortinet says the introduction of its latest next-generation firewall products, to be available in the second quarter, really changes the dynamics of how large enterprises, service providers and carriers apply high-performance security in their networks. The enormous throughput and scalability of these systems give organizations new freedom to develop and enforce a broad range of aggressive security policies that apply highly granular control over users, applications and devices without compromising network performance, it states.

Sourcefire's offering in the NGFW market, introduced in December 2011, also offers contextual awareness. Tufin Technologies introduced Version 6.0 of its Tufin Security Suite in September 2011. Version 6.0 lets IT security administrators directly set and define NGFW policies from their management tools. F5 Networks introduced a new data center firewall appliance last month.

Firewalls have to adapt to the expanding threat landscape that networks face, says The 451 Group's Hanselman. Take SQL injections, for example. With a SQL injection, a crafted query gives an attacker access to a SQL database under the guise of a legitimate request. The attacker can then reach other parts of the database and the network and gain wider control of them. The intruder could use that access to execute SQL commands to introduce malware, commandeer resources to launch an attack or steal data from the target.

A NGFW would closely scan typical HTTP traffic and be able to separate out SQL commands that may be suspicious. "A NGFW would scan your HTTP traffic for SQL commands, which have a particular format, and ... it would know that when it saw a set of SQL commands, then it would suddenly realize that, 'Hey, this isn't OK,'" he says.
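As an added illustration of the inspection Hanselman describes (this sketch is not from the article or from any vendor's product), the Python below decodes the query string of a few constructed HTTP request lines and flags values whose shape matches a SQL construct, while a bare SQL word inside ordinary text passes. The request lines and the pattern list are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed HTTP request lines standing in for traffic a firewall would see.
# The decoded parameter values are the inspection target, not the raw URL.
SAMPLE_REQUESTS = [
    "GET /products?id=42 HTTP/1.1",                  # benign
    "GET /products?id=42%20OR%201%3D1 HTTP/1.1",     # numeric tautology
    "GET /search?q=select%20your%20color HTTP/1.1",  # benign, contains a SQL word
    "GET /login?user=admin%27%20UNION%20SELECT%20pw%20FROM%20users-- HTTP/1.1",
]

# Each pattern describes a SQL *structure* (verb plus operand shape), because a
# lone keyword such as "select" turns up in ordinary English search terms.
SQL_PATTERNS = [
    (re.compile(r"\bunion\b(\s+all)?\s+\bselect\b", re.I), "UNION SELECT"),
    (re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I), "numeric tautology"),
    (re.compile(r";\s*\b(drop|delete|insert|update)\b", re.I), "stacked statement"),
    (re.compile(r"--\s*$|/\*"), "comment terminator"),
]


def inspect_request(request_line):
    """Return [(param, reason), ...] for every decoded query value that matches
    one of the structural SQL patterns; an empty list means nothing was flagged."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return []  # not a well-formed request line; nothing to inspect
    query = urlsplit(parts[1]).query
    findings = []
    # parse_qs undoes percent-encoding, so "1%3D1" is inspected as "1=1".
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            for pattern, reason in SQL_PATTERNS:
                if pattern.search(value):
                    findings.append((name, reason))
    return findings


def inspect_all(requests=SAMPLE_REQUESTS):
    """Map each request line to its findings so flagged and clean lines can be compared."""
    return {line: inspect_request(line) for line in requests}


if __name__ == "__main__":
    for line, found in inspect_all().items():
        print("FLAG" if found else "pass", line, found)
```

A pattern list like this is a heuristic: a product doing this at line rate also has to inspect POST bodies and headers and normalise alternative encodings, and every added pattern trades some false positives for coverage.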

Hanselman cites the Juniper Networks SRX and the Cisco Systems ASR as appliances that closely scrutinize traffic for such abnormalities.

RSA Conference 2012 is expected to draw about 20,000 attendees to San Francisco's Moscone Center Feb. 27 through March 2.
