4 Tips For Evaluating Next-Generation Firewalls

Next-generation firewalls have come a long way since their days as cutting-edge technology. Driven by the need for application-aware security and deep packet protection, organizations have increasingly made next-generation firewalls a common part of the weaponry protecting enterprise networks.

Yet despite this, there remain some misconceptions about next-gen firewalls that could complicate life for customers, security experts say. To make the water less murky, Network Computing turned to some security pros to clear up some of the common misunderstandings surrounding next-generation firewall (NGFW) technology.

1. All NGFWs Are Not Created Equal

"Don't assume that one next-generation firewall is the same as another next-generation firewall," says Brian Monkman, perimeter security programs manager at ICSA Labs. "There is general agreement that next-generation firewalls should be able to run as a bump-in-the-wire, have application awareness, have all of the basic firewall functionality and tightly integrated network IPS capabilities. However, opinions diverge from that point."

Companies need to focus on their enterprise requirements and what functionality they need when shopping for a NGFW, advises Javvad Malik, senior analyst for the enterprise security practice at 451 Research.

"One of the key traits of next-gen firewalls is the identification and control of traffic at the application layer," he says. "However, other features have come to be identified with the popular available product offerings--for example, some form of light network DLP or Web content filtering."

Enterprises should also look for a robust Layer 7 application matching mechanism, advises John Stauffacher, senior consultant at Accuvant.

"Each vendor does it differently, and each vendor supports a different subset of applications/protocols," he says. "Find the one that has support for the applications you use--and can do so with speed and accuracy."

2. Weigh Performance Claims Carefully

"The adage 'your mileage may vary' applies here," said Monkman. "We have seen the performance characteristics on some next-generation firewalls drop down to as low as 50% of the stated capability just by changing the traffic mix the product handles or turning up some of the application inspection functionality. Nothing beats subjecting the product you are looking at to the mix of traffic on your network and the security profile to meet your needs."

[For an introduction to NGFWs, read "Next-Generation Firewalls 101" ]

3. Don't Assume An NGFW Is a UTM Replacement

"I see next-generation firewalls and unified threat management systems as being very different answers to the security problem," says Monkman. "Think of [a NGFW] as a combination of a network IPS and a network firewall with the addition of application awareness. Whereas a UTM is the Swiss army knife equivalent to the stateful inspection firewall--that is, basic firewall capabilities with additional security functionality added. I see both UTMs and NGFWs continuing to be popular and playing important roles together in securing the enterprise."

4. Onboard SSL Decryption May Not Be What You Expect

Onboard SSL decryption is a myth at high speed and useless unless you have multiple NGFWs clustered, says NSS Labs Research VP John Pirc. In a report released in February, NSS Labs revealed that when SSL decryption is enabled on many of the most popular next-generation firewalls--including products from Palo Alto Networks, Cisco Systems and Juniper Networks--there is a significant performance hit.

Has your company deployed a next-generation firewall? What's been your experience with the technology? Are there any other misconceptions IT teams should know about before shopping for a NGFW? Share your thoughts in the comments section below.

