Next-Generation Firewall Buying Guide
Given the rise of Web 2.0 and targeted malware, first-generation firewalls are not effective in dealing with current and emerging threats. Next-generation firewalls can detect application-specific attacks and enforce application-specific security policies.
When Gartner coined the phrase "next generation firewall," it captured a then-nascent approach to traffic classification and control. Given the rise of Web 2.0 and targeted malware, "the stateful protocol filtering and limited application awareness offered by first-generation firewalls are not effective in dealing with current and emerging threats," wrote analyst John Pescatore. "Next-generation firewalls (NGFWs) can detect application-specific attacks and enforce application-specific granular security policy."
Flash forward two years: Many firewall vendors have now embraced this NGFW approach, at least to some degree. But the devil is in the details--NGFWs are not just newer versions of deep packet inspection or proxy firewalls. Nor are they unified threat management appliances or Web application firewalls.
To meet Gartner's criteria, an NGFW must classify traffic by application and identity, not (just) port or IP address. Furthermore, it must do so at a granularity sufficient to control user/group access to application features (e.g., Lisa can give WebEx presentations but not share her desktop). Finally, it must use integrated, updateable threat awareness (IPS) to defeat application attacks that sailed right through those old "allow port 80" rules.
But there's no true standard for NGFW, making it easy for marketeers to slap this label on just about any newish firewall product. In this buyer's guide, we examine key capabilities and features that should be considered when shopping for an NGFW. Although the needs of each enterprise differ, we look at questions all organizations should ask when choosing a firewall to enforce identity-based, application-level policies and stop Web 2.0 threats.
From packet inspection to application control
Earlier stateful packet inspection (SPI) firewalls classified packets flowing between interfaces using header fields such as protocol type, IP address, and TCP/UDP port. Firewall rules (security policies) determined packet disposition--for example, permit or deny TCP sessions, enforce bandwidth caps, or map (NAT) private IPs onto public ones.
Proxy firewalls then emerged to intercept requests to standard ports, sending them through application-specific engines that split sessions in half, peering into that gap to enforce more granular rules. For example, an SMTP proxy can receive an entire mail message and scan it for spam before deciding whether to pass, tag, or discard it. But that SMTP proxy only handles traffic addressed to port 25. Webmail bypasses that proxy, as do SMTP packets tunneled through other open ports to evade the proxy.
As more traffic slipped through open ports (especially 80), firewalls drilled deeper into data payload to verify application type. But applications that found resistance on port 80 learned to hop around, searching for other open ports. Others used SSL/TLS to obscure payload, sent via port 443 or another encrypted application port. Many were legitimate programs using firewall traversal to overcome home and hotspot network hurdles. But greyware, botnets, and trojans also learned to exploit these "pinholes"--leading to Gartner's conclusion that IP/port firewalls were increasingly ineffective.
The impact of Web 2.0
An application usage report just published by Palo Alto Networks examined over 28 exabytes of traffic, obtained from 1,253 networks across the globe. Within this massive sample, more than 40 percent of applications used SSL (25%) or hopped ports (16%). Traffic often obscured by SSL included Twitter, Facebook, and Gmail; common port-hoppers included IM, P2P, photo sharing, and video streaming.
This study illustrates the impact that Web 2.0 is having on network traffic. A firewall that cannot deliver insight into or control over these streams is missing a lot of traffic. Worse, this phenomenon is not limited to social networking and personal apps. This blind spot is growing in both magnitude and importance as enterprise applications continue to migrate onto web delivery platforms and public/private clouds.
NGFWs increase visibility in two ways. First, instead of assuming packets correspond to an application based on port, NGFWs use fingerprinting to identify applications. Second, NGFWs can use proxy techniques to decrypt, inspect, and then re-encrypt payload otherwise hidden by SSL. These approaches may not cover every case, but they can substantially improve firewall effectiveness.
Keeping pace with emerging threats
Another factor contributing to the rise of next-gen firewalls is the ever-changing threat landscape. To battle more network attacks, traditional firewalls were paired with discrete security systems--IPS appliances, URL filter proxies, anti-spam gateways. To reduce deployment cost and complexity, some vendors bundled those security services into UTM firewalls.
But a UTM firewall based on IP/port can still have application coverage gaps. Moreover, while UTM firewalls excel at enforcing broad policies on entire networks (e.g., block all HTTP to phishing URLs), they are not optimized to apply many granular user/group rules. When policy violations or intrusions are attempted, UTM firewalls usually report and respond to incidents by IP address rather than fingering infected or malicious users.
Such limitations become troublesome as threats grow more sophisticated and targeted. Low-and-slow intruders have learned how to avoid coarse IPS rules. Mass-mail phishing continues, but spear-phishing specific high-value targets poses greater risk. Techniques most often used to deliver malware, such as infected PDFs and Java, exploit application content that businesses must let through the firewall. Defeating these contemporary threats means looking deeply at everything, in context, without crippling the network.
Not your father's firewall
Given an understanding of older firewall weaknesses and the evolution in applications and threats that exposed them, it's time to consider whether and how an NGFW might help your organization.
For starters, an NGFW need not replace your existing firewall. Many organizations have made significant investments in older firewalls, from training and policy development to log analysis and NOC practices. For this reason, NGFW vendors say that it is common for new customers to initially deploy NGFW products behind existing (perimeter or workgroup) firewalls, often as a "bump in the wire."
Conceptually, this is like the old screen-and-choke architecture, where "screening" routers used coarse filters to reduce traffic passed on to "choke" firewalls. Here, NGFWs drill more deeply into payloads permitted through existing firewalls, stopping residual threats and enforcing more granular policies. After gaining confidence and experience with a new NGFW, the older firewall may eventually be phased out. So, start by planning your topology and expected throughputs (near and long term). Doing so will help you find right-sized NGFW products for each location.
Next, consider your NGFW security policy: the kinds of applications that workers must reach, the specific application functions that should be permitted or denied, and under what conditions (e.g., Active Directory group membership, time of day).
Although NGFWs can understand thousands of common business and personal applications, their level of visibility and control over each varies. Start your search armed with important use cases, specific threats you want to neutralize, and abstract user/group/application rules you need to enforce. This will help you weed out NGFW products that are not up to snuff for your organization.
Finally, map your overall requirements onto individual product capabilities and features. Summarizing Gartner's criteria ("Defining the Next-Generation Firewall"), every NGFW must act as a platform for network traffic inspection and security policy enforcement with the following minimum features:
- Standard first-generation firewall capabilities: NGFW is an incremental improvement over earlier firewalls. All table-stakes capabilities should still be present, including traffic classification, stateful protocol inspection, network address translation, policy administration, event monitoring and logging, etc. Avoid loss of functionality when choosing an NGFW--especially if you expect to retire your existing firewall. However, realize that some capabilities may be accomplished in more efficient ways. For example, some NGFWs apply application signatures after classifying traffic by port, while others classify only by application signature only.
- Application awareness and full stack visibility: NGFWs must be capable of classifying traffic by matching application signatures (fingerprinting) independent of the port and protocol numbers carried by packet headers. Furthermore, NGFWs must be capable of enforcing security policy at the application layer--for example, allowing Facebook but not Farmville within Facebook. Choose an NGFW product that not only supports your required applications (including encrypted applications) but can exert control over application features at your desired level of granularity. If you require proprietary applications, understand how they will be classified and controlled.
- Integrated rather than collocated IPS: Unlike some loosely coupled UTM firewalls, NGFWs must employ intrusion prevention in a tightly integrated fashion to mitigate both application layer vulnerabilities and threats. Although this requirement can be a bit difficult to quantify, the goal is to detect threats as part of traffic classification--using a single engine and inspection pass to match application signatures, threat signatures, and perhaps anomalous behavior, in context. To ensure accurate, current detection, consider how any NGFW vendor gathers and applies new threat intelligence--for example, update frequency and use of trend/risk analysis.
- Leverages external intelligence: An NGFW should utilize information obtained from external sources to expand its rule base or improve its decision-making. Ideally, this should be more than receiving frequent threat and application signature updates. For example, an NGFW might consider IP reputation when deciding how quickly or how long to block a suspect application flow. To deliver identity-aware control, choose an NGFW that not only integrates with your user database (e.g., Active Directory), but can efficiently apply policies at a group or user level--for example, enabling different traffic dispositions to facilitate business-appropriate exceptions.
Beyond these NGFW features and capabilities, consider the following characteristics:
- Manageability: This is an important characteristic for any product. Factors like purchase price, maintenance fees, installation effort, policy tuning, and routine maintenance all impact total cost of ownership (TCO). However, expect most administrative time to be spent fine-tuning policies and understanding their impact. For example, how will the NGFW handle a new, unknown application or application feature? What steps are required to create a new policy to control that application, and how can that new rule be tested to assess consequences without business impact?
- High Availability and Scalability: Like older enterprise-class firewalls, NGFWs offer high-availability and scalability options, including load balancing and physical redundancy (e.g., hot-swappable power supplies, fans). For scalability, look carefully at performance metrics--firewall connection rates and throughputs are often measured without IPS or encryption enabled. Consider whether a given product's capacity can be expanded easily (e.g., by adding licenses or blades) to protect NGFW investment as traffic loads grow or when screening firewalls are retired.
- Reliability: In the end, perhaps the most important criteria for any firewall--first or next generation--is its ability to reliably enforce policy and withstand attack (including evasion techniques). To evaluate this, it can be helpful to examine independent test results, such as the "Network Firewall Group Test Q2 2011" published by NSS Labs.
These are just some of the features and capabilities found in next-generation firewalls. Vendors participating in the NGFW market include Astaro, Check Point, Cisco Systems, Fortinet, Juniper Networks, McAfee, Palo Alto Networks, and SonicWALL. To illustrate this category, EnterpriseNetworkingPlanet will profile several NGFW product lines over the coming weeks, including Check Point Power-1 Security Gateways, Palo Alto Networks PA Series firewalls, and SonicWALL E-Class Network Security Appliances. Stay tuned ...
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.