Next Generation Firewalls 101

Upcoming Events

Solid state is showing up at every level of the storage stack -- as a memory cache, an auxiliary storage tier for hot data that's automatically shuttled between flash and mechanical disk, even as dedicated primary storage, so-called Tier 0. But if funds are limited, where should you use solid state to get the best bang for the buck? In this Network Computing webcast, we'll discuss various deployment options.

Register Now!

Interop Las Vegas 2013
May 6-10, 2013
Mandalay Bay Conference Center
Las Vegas

Attend Interop Las Vegas 2013 and get access to 125+ workshops and conference classes, 350+ exhibiting companies and the latest tech.

Register Now!

Posted by Frank J. Ohlhorst
March 01, 2013

Traditional stateful inspection firewalls have effectively become obsolete because of two significant limitations. First, they don't inspect the data payload of network packets. Second, while more and more network traffic uses Web protocols--including legitimate business applications, non-business applications, and attacks--traditional firewalls don't have the fine-grained intelligence to distinguish one kind of Web traffic from another and enforce business policies, so it's either all or nothing.

Over time, security vendors have added new approaches, including intrusion prevention and deep packet inspection, to detect malware or exploits in network traffic. These approaches tend to be packaged either in separate devices, or in Unified Threat Management (UTM) systems that perform multiple security functions in a single platform.

More Insights

However, there are drawbacks to these approaches. Adding more devices can also add more latency, as packets are passed from one appliance to the next. Each new device also adds operational overhead because they need to be monitored and managed separately.

As for UTMs, they tend to use separate internal engines to perform individual security functions. This means a packet may be examined several times by different engines to determine whether it should be allowed into the network. That round-robin approach adds latency, which may affect network performance or overwhelm the UTM.

In addition, many of the malware detection techniques use the same principles as desktop anti-malware software; the device must buffer downloaded files and then inspect the whole file for malware, which may limit the maximum file size that can be processed.

In general, with a UTM, security administrators must work to find an acceptable balance between performance and protection.

Enter Next Generation Firewalls (NGFWs). This category of product attempts to address the traffic inspection and application awareness drawbacks of stateful inspection firewalls, without hampering performance.

The most significant difference between NGFWs and traditional firewalls is that NGFWs are application-aware; they use a variety of techniques to identify applications, including Web applications. Thus, instead of allowing all traffic coming in via typical Web ports, a NGFW can distinguish between specific applications (for instance, Hulu vs. Salesforce.com) and then apply policies based on business rules.

NGFWs also use deep packet inspection techniques to examine traffic for anomalies and known malware. However, these devices are optimized so that packets only need to be examined once, rather than processed through multiple engines.

Gartner defines an NGFW as "a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks." At minimum, Gartner states an NGFW should provide:

- Non-disruptive in-line bump-in-the-wire configuration

- Standard first-generation firewall capabilities, e.g., network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN) and so on

- Integrated signature-based IPS engine

- Application awareness, full stack visibility and granular control

- Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc.

- Upgrade path to include future information feeds and security threats, and SSL decryption to enable identifying undesirable encrypted applications

Application Control

As mentioned earlier, NGFWs are application-aware. They use a variety of techniques, including predefined application signatures, header inspection and payload analysis to determine specific applications. The NGFW stores a library of approved applications and allows those to traverse the network, while examining the data packets for any anomalies. Along with predefined applications, NGFWs can also "learn" new applications by watching how the applications behave. The NGFW creates a baseline of normal behaviors, and can alert administrators if the application deviates from normal.

Application identification is critical for helping organizations regain control over the chaos of Web traffic. Today, organizations need to deliver critical business solutions, while also contending with employee use of wasteful and often dangerous (from a security perspective) Web-based applications. Critical applications need bandwidth prioritization while social media and gaming applications need to be throttled or completely blocked. Moreover, organizations can face fines, penalties and loss of business if they are in noncompliance with security mandates and regulations.

With application identification, companies can create and enforce a variety of application policies, such as only allowing a particular class of applications (for example, streaming video or social networking) during non-business hours. Companies can also block applications outright, or limit bandwidth consumption on particular applications and give priority to business applications, including real-time applications such as VoIP.

Inspector Gadget

In addition to application awareness, a NGFW performs full packet inspection by inspecting the payload of packets and matching signatures for known vulnerabilities, exploit attacks, viruses and malware.

Many NGFWs rely on high-performance hardware to perform packet inspection and other functions, such as SSL decryption. This hardware can provide a performance boost over appliances built with off-the-shelf processors, but it also means potential customers can expect to pay a higher price for a NGFW than a UTM. NGFW vendors will also claim that NGFWs can perform full inspection without introducing latency, but potential customers should investigate that claim to their own satisfaction.

Full inspection of packets also means that lots of information can be gathered about traffic. In turn, that information can be used to normalize what are considered standard communications and make anomaly detection much more effective. The gathered data can also be used for statistical analysis, as well as forensics – giving administrators a full picture of what is going on in regard to traffic. That enables administrators to perform capacity planning, troubleshoot problems or monitor what individual employees are doing throughout the day.

Understanding Flat Networks

A flat network or fabric provides more paths through the network and can maximize bandwidth and better support a highly virtualized data center. We'll look at standards-based approaches to designing a flat network, including TRILL and SPB, as well as proprietary implementations. We'll also discuss the implications of moving to a flat network and provide guidance to help you decide if this approach is right for your data center.

3 Paths To Network Convergence

Separate data and storage networks might have been necessary when Fast Ethernet was pitted against speedy, special-purpose Fibre Channel, but Ethernet's evolution has obviated most of the performance differences. We'll examine the trends behind network convergence, share exclusive research, and outline three deployment scenarios for those who want to merge data and storage networks.

Long-Distance LAN

Connecting two data centers for always-on applications is a tricky business. Perhaps the most critical decision is how to link themL keeping the application and virtualization software synchronized requires very low latency between the two data centers.We walk you through the challenges and evaluate the pros and cons of solutions such as VPLS and MLAG, as well dark fiber and dense wave division multiplexing.

Networking In A Virtualized World

Virtualization is rapidly evolving into a core element of next-generation data centers. This expanded role places new strains on the network. This report explore the technical issues exposed by virtualized infrastructure and looks at standards, technologies and best practices that can make your network ready to support virtualization.

Premium Content

Cost-effective Network Architecture: Establish a Fit for Purpose Infrastructure

Real-time communications and collaboration is a game-changer for enterprise network architecture. Today�s enterprise network needs to be a highly focused resource capable of providing a mobile and diverse workforce with efficient, effective access to the tools and applications that drive productivity. Because traditional, general purpose network architectures were not designed to address Unified Communications, new network strategies are needed. This white paper unveils Avaya�s Fit for Purpose infrastruc�ture capabilities that combine performance on the most demanding real-time applications with compelling economics.

Debunking the Myth of the Single-Vendor Network

Gartner recently conducted research to test the theory behind the single-vendor network. They collected information from hundreds of client interactions and performed detailed interviews of nine organizations that introduced a second vendor into their network environments. This white paper details the study, presents the key findings and provides recommendations based on the research. Download this paper today to understand why using a duel-vendor or multivendor solution is a practical approach to building a network.

Podcast: Transformations in the Enterprise Data Center

In this question and answer podcast, Zeus Kerravala, Senior Vice President at Yankee Group, discusses transformations that the enterprise data center has undergone in recent years, the impact these trends have on end users and how you should prepare now for the next major data center transition. Plus, Kerravala reveals the current limitations of the data center and explains how the virtual data center puts additional strain on the network.

The Evolution to Next Generation Networks: Cloud Computing and Virtualization with Ease

Attend this round table discussion with Zeus Kerravala, Senior Vice President and Distinguished Research Fellow, Yankee Group to review the requirements for next generation networks, network virtualization and cloud computing.
Attend this event and learn:
- Why the evolution to a virtualized data center is "the most significant IT transformation since the Internet was born"
- Top trends that are impacting how networks are built
- Key needs and drivers motivating companies to transition to virtualized infrastructures
- Tips for evaluating vendors and solutions
Plus, you�ll have the opportunity to hear what your peers ask the experts and benefit from their expert insights and response. Register today.

Video: Empower the Cloud through Network Virtualization

Join Gartner Vice President, distinguished analyst, Mark Fabbi as he discusses CIOs' biggest networking challenges - increasing operational efficiencies and adaptability with fewer resources and less time. Fabbi reveals tools and highlights best practices to help you transform your data center to create a true competitive advantage.

Research and Reports

FEATURED RESEARCH

State of Server Technology

FEATURED STRATEGY

The Long-Distance LAN

Register for Network Computing Pro

Find hundreds of reports featuring research from your peers, and best practices from top IT pros.

Video

Network Computingwww.networkcomputing.com

Upcoming Events

A Network Computing Webcast:
SSDs and New Storage Options in the Data Center

March 13, 2013
11:00 AM PT / 2:00 PM ET

Interop Las Vegas 2013
May 6-10, 2013
Mandalay Bay Conference Center
Las Vegas

Subscribe to Newsletter

Vendor NewsFeed