Special Coverage Series

Network Computing

Special Coverage Series

Commentary

Frank J. Ohlhorst
Frank J. Ohlhorst

Next-Generation Firewalls 101

Next-generation firewalls combine application awareness and deep packet inspection to give companies more control over applications while also detecting and blocking malicious threats.

Traditional stateful inspection firewalls have effectively become obsolete because of two significant limitations. First, they don't inspect the data payload of network packets. Second, while more and more network traffic uses Web protocols--including legitimate business applications, non-business applications and attacks--traditional firewalls don't have the fine-grained intelligence to distinguish one kind of Web traffic from another and enforce business policies, so it's either all or nothing.

Over time, security vendors have added new approaches, including intrusion prevention and deep packet inspection, to detect malware or exploits in network traffic. These approaches tend to be packaged either in separate devices or in unified threat management (UTM) systems that perform multiple security functions in a single platform.

More Insights

Webcasts

More >>

White Papers

More >>

Reports

More >>

However, there are drawbacks to these approaches. Adding more devices can also add more latency, as packets are passed from one appliance to the next. New devices also add operational overhead because each needs to be monitored and managed separately.

As for UTMs, they tend to use separate internal engines to perform individual security functions. This means a packet may be examined several times by different engines to determine whether it should be allowed into the network. That round-robin approach adds latency, which may affect network performance or overwhelm the UTM.

In addition, many of the malware detection techniques use the same principles as desktop anti-malware software; the device must buffer downloaded files and then inspect the whole file for malware, which may limit the maximum file size that can be processed.

In general, with a UTM, security administrators must work to find an acceptable balance between performance and protection.

Enter next-generation firewalls (NGFWs). This category of product attempts to address the traffic inspection and application awareness drawbacks of stateful inspection firewalls, without hampering performance.

The most significant difference between NGFWs and traditional firewalls is that NGFWs are application-aware; they use a variety of techniques to identify applications, including Web applications. Thus, instead of allowing all traffic coming in via typical Web ports, a NGFW can distinguish between specific applications (for instance, Hulu vs. Salesforce.com) and then apply policies based on business rules.

NGFWs also use deep packet inspection techniques to examine traffic for anomalies and known malware. However, these devices are optimized so that packets need to be examined only once, rather than processed through multiple engines.

Gartner defines an NGFW as "a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks." At minimum, Gartner states an NGFW should provide:

- Non-disruptive in-line bump-in-the-wire configuration

- Standard first-generation firewall capabilities, such as network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN)

- Integrated signature-based IPS engine

- Application awareness, full stack visibility and granular control

- Ability to incorporate information from outside the firewall, such as directory-based policy, blacklists and white lists

- Upgrade path to include future information feeds and security threats, and SSL decryption to enable identifying undesirable encrypted applications

Application Control

As mentioned earlier, NGFWs are application-aware. They use a variety of techniques, including predefined application signatures, header inspection and payload analysis to determine specific applications. The NGFW stores a library of approved applications and allows those to traverse the network, while examining the data packets for any anomalies. Along with predefined applications, NGFWs can also "learn" new applications by watching how the applications behave. The NGFW creates a baseline of normal behaviors, and can alert administrators if the application deviates from normal.

Application identification is critical for helping organizations regain control over the chaos of Web traffic. Today, organizations need to deliver critical business solutions, while also contending with employee use of wasteful and often dangerous (from a security perspective) Web-based applications. Critical applications need bandwidth prioritization while social media and gaming applications need to be throttled or completely blocked. Moreover, organizations can face fines, penalties and loss of business if they are not compliant with security mandates and regulations.

With application identification, companies can create and enforce a variety of application policies, such as only allowing a particular class of applications (for example, streaming video or social networking) during non-business hours. Companies can also block applications outright, or limit bandwidth consumption on particular applications and give priority to business applications, including real-time applications such as VoIP.

Inspector Gadget

In addition to application awareness, a NGFW performs full packet inspection by inspecting the payload of packets and matching signatures for known vulnerabilities, exploit attacks, viruses and malware.

Many NGFWs rely on high-performance hardware to perform packet inspection and other functions, such as SSL decryption. This hardware can provide a performance boost over appliances built with off-the-shelf processors, but it also means potential customers can expect to pay a higher price for a NGFW than for a UTM. NGFW vendors will also claim that NGFWs can perform full inspection without introducing latency, but potential customers should investigate that claim to their own satisfaction.

Full inspection of packets also means that lots of information can be gathered about traffic. In turn, that information can be used to normalize what are considered standard communications and make anomaly detection much more effective. The gathered data can also be used for statistical analysis, as well as for forensics--giving administrators a full picture of what is going on in regard to traffic. That enables administrators to perform capacity planning, troubleshoot problems or monitor what individual employees are doing throughout the day.



Related Reading



Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 

Editor's Choice

Research: 2014 State of Server Technology

Research: 2014 State of Server Technology

Buying power and influence are rapidly shifting to service providers. Where does that leave enterprise IT? Not at the cutting edge, thatís for sure: Only 19% are increasing both the number and capability of servers, budgets are level or down for 60% and just 12% are using new micro technology.
Get full survey results now! »

Vendor Turf Wars

Vendor Turf Wars

The enterprise tech market used to be an orderly place, where vendors had clearly defined markets. No more. Driven both by increasing complexity and Wall Street demands for growth, big vendors are duking it out for primacy -- and refusing to work together for IT's benefit. Must we now pick a side, or is neutrality an option?
Get the Digital Issue »

WEBCAST: Software Defined Networking (SDN) First Steps

WEBCAST: Software Defined Networking (SDN) First Steps


Software defined networking encompasses several emerging technologies that bring programmable interfaces to data center networks and promise to make networks more observable and automated, as well as better suited to the specific needs of large virtualized data centers. Attend this webcast to learn the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging.
Register Today »

Related Content

From Our Sponsor

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

Business executives are challenging their IT staffs to convert data centers from cost centers into producers of business value. Data centers can make a significant impact to the bottom line by enabling the business to respond more quickly to market demands. This paper demonstrates, through a series of examples, how data center infrastructure management software tools can simplify operational processes, cut costs, and speed up information delivery.

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Both hot-air and cold-air containment can improve the predictability and efficiency of traditional data center cooling systems. While both approaches minimize the mixing of hot and cold air, there are practical differences in implementation and operation that have significant consequences on work environment conditions, PUE, and economizer mode hours. The choice of hot-aisle containment over cold-aisle containment can save 43% in annual cooling system energy cost, corresponding to a 15% reduction in annualized PUE. This paper examines both methodologies and highlights the reasons why hot-aisle containment emerges as the preferred best practice for new data centers.

Monitoring Physical Threats in the Data Center

Monitoring Physical Threats in the Data Center

Traditional methodologies for monitoring the data center environment are no longer sufficient. With technologies such as blade servers driving up cooling demands and regulations such as Sarbanes-Oxley driving up data security requirements, the physical environment in the data center must be watched more closely. While well understood protocols exist for monitoring physical devices such as UPS systems, computer room air conditioners, and fire suppression systems, there is a class of distributed monitoring points that is often ignored. This paper describes this class of threats, suggests approaches to deploying monitoring devices, and provides best practices in leveraging the collected data to reduce downtime.

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Rack power of 10 kW per rack or more can result from the deployment of high density information technology equipment such as blade servers. This creates difficult cooling challenges in a data center environment where the industry average rack power consumption is under 2 kW. Five strategies for deploying ultra-high power racks are described, covering practical solutions for both new and existing data centers.

Power and Cooling Capacity Management for Data Centers

Power and Cooling Capacity Management for Data Centers

High density IT equipment stresses the power density capability of modern data centers. Installation and unmanaged proliferation of this equipment can lead to unexpected problems with power and cooling infrastructure including overheating, overloads, and loss of redundancy. The ability to measure and predict power and cooling capability at the rack enclosure level is required to ensure predictable performance and optimize use of the physical infrastructure resource. This paper describes the principles for achieving power and cooling capacity management.