This article can also be found in the Premium Editorial Download "Information Security magazine: Next-generation firewalls play by new rules."
Download it now to read this article plus other related content.
Firewalls started their journey to the next generation at about the same time as the Star Trek TV series. While the products have advanced, many IT security experts are still stuck with the original firewalls that handle ports and protocols.
Modern enterprises need a deeper understanding of the applications that operate across their networks. Newer security appliances offer deep packet inspection, finer-grained controls and application awareness to help organizations police their network perimeters. Despite the appeal of these newer platforms, "next generation" labels can't begin to describe the range of technology, features and support issues involved when companies migrate to modern firewalls. These appliances are now offered by a host of established vendors including Check Point Software Technologies, Cisco Systems, Dell, Fortinet, Juniper Networks, Palo Alto Networks, Sourcefire (acquired by Cisco in July), Stonesoft (acquired by McAfee in May) and WatchGuard. F5 Networks entered the fray in 2012, when its Big IP product line of application delivery controllers received ISCA Labs certification.
"Most modern firewalls really have some next-generation aspects to them, including integrated intrusion prevention (IPS) and better application controls," said Gartner research director Eric Maiwald. "This is the standard of today's firewalls and all of the major security vendors claim to have a next-generation story." But claims aren't always accurate, and understanding how to evaluate and migrate to next-gen platforms is crucial.
Fine-tuning application awareness
You need a full understanding of when to use application IDs in your firewall rule sets. You need to know what protocols are being used by which apps, and when using a classic port/protocol approach is appropriate, and when it isn't.
Andy Hubbard, Neohapsis Labs security consultant
Certainly, finer-grained application controls are a big reason to switch to next-gen firewalls. "The day after we migrated to a Palo Alto Networks firewall, the advantages were obvious to our network operations," said Neohapsis Labs security consultant Andy Hubbard, who worked with the technology in a former position as IT manager for a California hospital chain. "After we deployed Palo Alto, we immediately found four botnets and a couple of other rogue servers on our network. We were also able to protect special medical devices with ease once we figured it out."
And while having better application awareness and intelligence is a nice benefit of next-gen gear, it doesn't come without some effort. "You need a full understanding of when to use application IDs in your firewall rule sets," said Hubbard. "You need to know what protocols are being used by which apps, and when using a classic port/protocol approach is appropriate and when it isn't."
Still, it wasn't a painless process, and Hubbard had migration issues with his older Check Point firewalls. "It took us four months to do the migration, with most of the time related to issues involving having a large group of people coordinating their efforts because each was responsible for a different part of our network," he said. "We also had outdated documentation of our network that didn't help matters. Like many businesses, we grew organically over time and our documentation had lagged behind. So make sure you update this before you start any migration process, and get your house in order."
The ability to add application awareness was also a primary motivation to upgrade for the Hawaii branch of Brigham Young University (BYU). The university has certain apps, such as ones for student enrollment, that only run at specific times of the year. Neal Moss, the systems and network IT analyst in charge of the project, was interested in setting these enrollment systems up with proper protection. He spent several months running his older Cisco ASA 5500 Adaptive Security Appliances and Palo Alto Networks firewall platforms in parallel to make sure that the new firewall was working. This was his third firewall migration, so he knew what to expect. "I just took my time to make sure that the various rule sets were configured properly, and gradually opened up the old firewall until I could pull it offline completely," he said.
Complementing applications awareness is the ability to add domain or IP reputation management to the firewall actions. This is done through a combination of placing sensors across the Internet and whitelisting and blacklisting domains or IP source addresses as potential malware. "Domain reputation tools aren't perfect," said Tim Crawford, a former CIO and now a strategic advisor at AVOA in Silicon Valley. "Really, this is just one dimension to overall threat prevention."
BYU-Hawaii uses a different take on domain reputation. After getting severely hacked last year, the university wanted something that could isolate its servers into separate security zones and it looked at several next-gen firewalls for this feature. "This way the database server and application server are in separate zones and they can only talk to each other. If our servers are compromised, our databases are still intact," said Moss.
Difficult to rip and replace
How existing firewalls are used -- or more accurately, misused -- can also cause migration issues. In some cases, businesses have come to rely too heavily on their firewalls, often as their sole piece of network routing infrastructure with no edge routers in place. "This makes it difficult to rip and replace them," said Hubbard.
Implementing next-gen firewalls can raise issues with technology replacement, network setting changes and security policies. Migrating the entire enterprise firewall collection is a complex process with "lots of moving parts" said Hubbard. "There are some counterintuitive things and differences between the two systems, such as Network Address Translation design and Quality of Service rules." Traditional firewall administrators are used to thinking of blocking incoming threats, whereas for next-generation admins, "you look at the outbound interface more closely," Hubbard notes.
Even with anti-virus and antimalware screening, our new firewall is amazingly fast. The upgrade was well worth it.
Neil Moss, systems and network IT analyst, Brigham Young University
One example of this, according to Gartner's Maiwald, is how "some companies use an IPS as a way to monitor the health and well-being of their firewalls, so they have evolved with separate staffs to handle each device. This makes for a less compelling case for integrating them," he said.
Complexity issues can work in favor of sticking with your incumbent vendor and upgrading to the latest next-gen features. This is what Chris LaBleu, IT director at Houston-based Texas Heart Institute, did with his Cisco ASA firewalls. He moved to the Cisco ASA CX Context-Aware Security models because he trusted Cisco and "didn't want any downtime," he said. " Plus, we aren't adding a new piece of gear to our existing Cisco infrastructure such as switches and VPNs, and we have staff that is already trained on how to use them," explains LaBleu. "There isn't much of a learning curve to come up to speed on the CX next-gen features."
Some of this complexity has nothing to do with the actual technology, however. "The issue with application control isn't a technical issue, but that IT managers have to understand its implications and consequences," said Maiwald. "You could inadvertently block your employees' access to Facebook games. Ideally, IT should coordinate closely with human resources and management to ensure that the intended policies are deployed correctly," he advises.
And then there is the overall cost. "Some companies can't justify the added expense of the features, and the more virtualized environments of today's networks adds to the complexity of their information security structure," said Crawford. "The traditional firewall technologies simply don't scale to the cloud."
However, depending on your licensing requirements, it could actually cost less: At BYU-Hawaii, replacing their older firewall and antimalware licenses actually ended up being cheaper. "We are saving a bundle on maintenance fees now," Moss said.
Unified platform alternatives
One alternative to moving to next-gen firewalls is to deploy unified threat management (UTM) tools that combine firewalls with IPS and antivirus protection. In recent years, UTMs from Juniper Networks, Check Point Software and others have improved, incorporating the same security features that used to be only found on the most expensive models across their entire UTM lines.
However, UTMs have their own drawbacks including throughput issues, especially in larger networks. "When the antivirus component of a UTM is turned on, there is a significant drop in the overall throughput of the device," Maiwald said.
Hubbard agreed: "UTMs can add a lot of latency and are harder to troubleshoot to find the misconfigured component, plus they have some complex licensing steps, too."
But some next-gen firewalls can offer surprisingly good throughput. BYU's Moss was amazed to see the performance when he upgraded his firewalls. "Even with antivirus and antimalware screening, our new firewall is amazingly fast," he said. "The upgrade was well worth it."
LaBleu also found that sizing his Cisco ASA CX units to handle the level of Internet traffic was key to keeping latency low. "Don't get an undersized box if you have a lot of Internet traffic," he advised.
The biggest obstacle to moving to next-gen firewalls is just fear of the unknown. "Inertia is probably the biggest sticking point for why people haven't upgraded their firewalls," said Hubbard.
LaBleu agreed: "When you put anything new in place, you are always nervous, but the next-gen firewalls are a great investment."
David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.
Send comments on this column to firstname.lastname@example.org.
This was first published in September 2013