Does the term “next-generation firewall” have any significant meaning, or is it just marketing hype? What are some new features of firewalls that vendors tend to put under the “next generation” umbrella, and do these features have any value to enterprises?
I can understand your skepticism of marketing material when it comes to new network products. Excessive hyping of products by marketing departments has taught many people to question the validity of various claims and to read the small print to understand what a product can actually do. In my opinion, the “next generation” tag isn’t warranted for the current crop of new firewalls in the way it was for, say, application-layer firewalls. When those first appeared, they were quite different from their predecessors, packet-filter firewalls, because they could operate on all layers of the protocol stack. They certainly were a milestone in the evolution of firewalls.
Current next-generation firewalls don’t have any truly groundbreaking functionality; they are a more mature version of the existing generation. That said, wherever you place them in the firewall family tree, they do have some features that can be of value to large enterprises, particularly traffic visualization and more granular control.
Firewalls such as SonicWALL's E-Class and McAfee's Firewall Enterprise offer better visual insight into how a network is being used and how rule changes affect productivity and security. The effects of rule changes are reported back via live graphs. This visualization of network traffic makes it much easier to implement complex rules that perform as intended, because information such as bandwidth utilization or sites visited can be observed in real time.
Granular control is the more important feature: rules can be applied to specific applications rather than relying on generic ports or protocols. Firewalls have traditionally been based on a block-or-allow model, protecting TCP ports and blocking URLs. Next-generation firewalls allow you to grant bandwidth priority to critical applications such as Microsoft SharePoint and Salesforce.com while enforcing rules such as “LinkedIn but no Facebook,” and “LinkedIn only uses less than 5% of connections and bandwidth during business hours.” This level of control allows more flexibility. Enterprises can still effectively enforce security policies without fully preventing employees from using certain Web applications and losing out on the potential benefits of SaaS and other cloud and mobile apps.
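To make the contrast between the two models concrete, here is an added illustration (not code from any vendor or from the original article): a toy policy evaluator that applies the rules quoted above, “LinkedIn but no Facebook” and a 5% business-hours cap on LinkedIn, to a handful of constructed flows. The application labels, port numbers, byte counts and timestamps are all constructed, and the port-based model is shown beside it so that its blind spot (both sites use TCP 443) is visible.

```python
from dataclasses import dataclass
from datetime import time

@dataclass
class Flow:
    app: str        # application identified by payload inspection (constructed label)
    dst_port: int   # transport port: all a packet filter gets to see
    nbytes: int
    when: time

@dataclass
class Rule:
    action: str                             # "allow", "deny" or "prioritize"
    max_share_business_hours: float = 1.0   # bandwidth share cap, 9-17h; 1.0 = uncapped

def in_business_hours(t: time) -> bool:
    return time(9, 0) <= t < time(17, 0)

def port_policy(flow: Flow, allowed_ports: set) -> str:
    """Traditional model: allow or block purely on the destination port."""
    return "allow" if flow.dst_port in allowed_ports else "deny"

def app_policy(flow: Flow, rules: dict, usage: dict) -> str:
    """Application-aware model: decide on the identified application, the time
    of day and that application's share of bandwidth seen so far (`usage`)."""
    rule = rules.get(flow.app)
    if rule is None or rule.action == "deny":
        return "deny"                       # unknown or explicitly blocked application
    seen = usage.get(flow.app, 0) + flow.nbytes
    share = seen / (sum(usage.values()) + flow.nbytes)
    if in_business_hours(flow.when) and share > rule.max_share_business_hours:
        return "throttle"                   # over quota during business hours
    usage[flow.app] = seen
    return rule.action

RULES = {                                   # constructed policy mirroring the rules above
    "sharepoint": Rule("prioritize"),
    "salesforce": Rule("prioritize"),
    "linkedin": Rule("allow", max_share_business_hours=0.05),
    "facebook": Rule("deny"),
}

def demo() -> list:
    """Constructed flows through both models; returns (port decision, app decision)."""
    flows = [
        Flow("sharepoint", 443, 900_000, time(10, 0)),
        Flow("facebook", 443, 50_000, time(10, 5)),    # same port as SharePoint
        Flow("linkedin", 443, 40_000, time(10, 10)),   # about 4% of traffic so far
        Flow("linkedin", 443, 60_000, time(10, 15)),   # pushes LinkedIn past 5%
        Flow("linkedin", 443, 60_000, time(19, 0)),    # after hours: quota not applied
    ]
    usage = {}
    return [(port_policy(f, {80, 443}), app_policy(f, RULES, usage)) for f in flows]
```

The port model returns "allow" for every flow, while the application model denies Facebook, prioritizes SharePoint and throttles LinkedIn only once it exceeds its daytime share.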
Because this level of insight and control comes at a processing cost, you should test a next-generation firewall to ensure it can handle your current and future network traffic loads. For high-volume networks, it probably still pays to use low-level network firewalls first, to filter and catch port scanning, denial of service and other low-level network attacks, and to leave these latest firewalls to secure and control acceptable use of today's complex Web applications. This way, the right balance between performance and in-depth analysis can be achieved.
This was first published in October 2011