How to conduct a next-generation firewall evaluation
A comprehensive collection of articles, videos and more, hand-picked by our editors
Editor's note: This is the first of a two-part series on the benefits of next-generation firewalls. Here, we explore...
how an NGFW helps enterprises achieve consolidated security. In part two, we discuss more benefits of NGFWs.
While it's fairly easy to build a high-level case for the business benefits of a next-generation firewall, the true test of an NGFW's effectiveness is whether the technology, features and implementation meet or exceed those benefits for the purchasing organization. "Marketing-speak" can be a little confusing, so it's helpful to break down the technical requirements into specific use-cases.
Does your organization need the technical features an NGFW offers? If yes, are there go/no-go decisions to be made based on how those features are implemented? For example, a company may decide that it must have an NGFW because application-aware policies have to be enforced at the perimeter. The organization then needs to determine how granular that application awareness must be. Does it mean the ability to block mail traffic in an HTTP stream? How about in an HTTPS stream? Does it need to block Gmail traffic but not Hotmail or Outlook traffic? Does the NGFW's application-awareness feature need to also include data leak prevention, such as the ability to look for and block or strip out certain words and strings (like Social Security or credit card numbers) to prevent sensitive data from leaving the organization?
Every organization should draw up a comprehensive list of technical requirements before making a purchase decision. Be sure to do this first with your business and firewall teams, before even looking at vendors' products. This will help ensure that the decisions being made are geared toward business needs and not toward the vendor-supplied functions. Once the list of technical requirements has been built, use it as the basis of the request for proposal for the vendor selection process.
NGFW's No. 1 benefit: Consolidated security, firewall and IPS
Perhaps one of the greatest benefits of moving to an NGFW is the ability to achieve consolidated security by combining administrative and policy resources for traditional intrusion prevention system (IPS) and firewall functions into a single product and console. Though early proxy-based firewalls were application aware, many modern stateful protocol inspection network firewalls traded in that application awareness for network layer throughput speed, leaving higher-level attack detection to a separate IPS.
Technology advances have made it possible to bring these two functions together at wire speed without losing throughput. However, it matters how these two functions work and how they interact with each other. If your organization is already using an IPS, enumerate its technical features and make sure the next-generation firewall can match them. For example, does your IPS monitor bot or unknown attack activity? Is it used to prevent exploits or limit vulnerability to zero-day attacks or before a patch can be applied? If so, the NGFW needs to provide the same level of protection.
If your organization has not deployed an IPS, define what you want the IPS features in the next-generation firewall to do. In addition to the questions above, consider if you want the NGFW to provide active blocking of suspicious attacks. Should that blocking be automatic or manually implemented in the rule base? A combination of the two? Since IPS functionality is a great way to learn about attacks, it's worth assessing how your IPS and firewall functions will integrate in the NGFW. For example, can the IPS initiate an alert when there's potentially exploitative attack traffic? Can it also provide a recommendation for a new firewall rule to block or prevent that attack?
Consolidated security is just one of the many benefits a next-generation firewall has to offer. Click through to part two to learn how next-generation firewalls help thwart unknown attacks, enable identity awareness, and improve security for mobile and remote users.
About the author
Diana Kelley is the executive security advisor at IBM Security Systems and a co-founder of N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has 25 years of IT experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
Getting clarity on next-gen firewall features
Beyond the Page: Next-gen firewalls