Does the term “next-generation firewall” have any significant meaning, or is it just marketing hype? What are some...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
new features of firewalls that vendors tend to put under the “next generation” umbrella, and do these features have any value to enterprises?
I can understand your skepticism of marketing material when it comes to new network products. Excessive hyping of products by marketing departments has taught many people to question the validity of various claims and to read the small print to understand what a product can actually do. The “next generation” tag for the current crop of new firewalls isn’t warranted in my opinion, unlike application-layer firewalls, for example. When they first appeared, they were quite different from their predecessors, packet-filter firewalls, having the ability to operate on all layers of the protocol stack. They certainly were a milestone in the evolution of firewalls.
Current next-generation firewalls don’t have any truly ground breaking functionality; they is a more mature version of the existing generation. However, if you want to classify them in the firewall family tree, they do have some features that can be of value to large enterprises, particularly visualization and improved levels of granular control.
Firewalls such as SonicWALL's E-Class and McAfee's Firewall Enterprise offer better visual insight into how a network is being used and how rule changes impact productivity and security. The effects of rule changes are reported back via live graphs. This visualization of network traffic makes implementing complex rules that perform as intended much easier, because observing information such as bandwidth utilization or sites visited can be done in real-time.
This is an important feature, as improved levels of granular control mean rules can be applied to specific applications rather than trying to rely on controlling generic ports or protocols. Firewalls have traditionally been based on a block or allow model, protecting TCP ports and blocking URLs. Next generation firewalls allow you to grant bandwidth priority to critical applications such as Microsoft SharePoint and Salesforce.com while enforcing rules such as “LinkedIn but no Facebook,” and “LinkedIn only uses less than 5% of connections and bandwidth during business hours.” This level of control allows more flexibility. Enterprises can still effectively enforce security policies without fully preventing employees from using certain Web applications and losing out on the potential benefits of SaaS and other cloud and mobile apps.
Given this level of insight and control, you should test a next-generation firewall to ensure it can handle your current and future network traffic loads. For high-volume networks, it probably still pays to use low-level network firewalls to first filter and catch the port-scanning, denial-of-service and other low-level network attacks, and leave these latest firewalls to provide security for and control acceptable use of today's complex Web applications. This way, the right balance between performance and in-depth analysis can be achieved.
Related Q&A from Michael Cobb
Open source NoSQL MongoDB database faced 30,000 insecure instances. Expert Michael Cobb explains the misconfiguration that led to this, and how to ...continue reading
A new Veracode report offers details on common mobile application security risks. Expert Michael Cobb explains these flaws, and what developers can ...continue reading
Juniper firewall products were found to have two backdoor vulnerabilities. Expert Michael Cobb explains how a cryptographic algorithm and hardcoded ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.