The enterprise firewall is the long-established workhorse of network security. But as threats to enterprise security grow more sophisticated, next-generation capabilities are becoming essential to this technology.
"In 2013, adoption of next-generation firewalls passed 50% as the enterprise became increasingly concerned with application-level vulnerabilities and subtle, slow, multi-modal attacks that too often slip past traditional firewalls," says John Burke, CIO and principal research analyst with Mokena, Ill.-based The Nemertes Research Group Inc.
Traditional firewalls still have their place (particularly in carrier-grade environments), but organizations seeking to upgrade their technology are finding that the extra features of next-generation firewalls (NGFWs) are becoming critical, especially in edge devices.
"Next generation" describes either a hardware- or software-based firewall security system that not only protects through packet filtering, network address translation and URL blocking, but also has granular controls that allow it to conduct a detailed interpretation of the Web application traffic passing through it. In other words, rather than being stateless and examining each packet only in its own context, the firewall keeps track of which packets belong to which larger transactions. That is not an easy feat, which makes it difficult to build top-flight products. In addition to application-level awareness, NGFWs offer features such as quality of service, intrusion prevention, SSL and SSH inspection, deep packet inspection and malware detection.
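As an added illustration of the distinction just described (example code written for this page, not from the article or any vendor): a classic port-only rule is placed beside a toy flow tracker that identifies the application from payload signatures regardless of port and carries that classification to later packets of the same flow. The packets, signatures and policy table are constructed for the example and are deliberately minimal.

```python
from typing import Optional

# Constructed sample packets, not real captures: (src, sport, dst, dport, payload)
PACKETS = [
    ("10.0.0.5", 51000, "203.0.113.8", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),  # TLS ClientHello
    ("10.0.0.5", 51001, "203.0.113.9", 443, b"GET / HTTP/1.1\r\nHost: x\r\n"),    # cleartext HTTP on 443
    ("10.0.0.5", 51001, "203.0.113.9", 443, b"User-Agent: curl/8.0\r\n\r\n"),    # same flow, no signature
    ("10.0.0.7", 51002, "203.0.113.10", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),        # SSH tunnelled over 443
]

ALLOWED_PORTS = {443}            # policy of the port-only rule
APP_POLICY = {443: {"tls"}}      # policy of the app-aware rule: only real TLS may use 443


def stateless_decision(pkt) -> str:
    """Classic port rule: each packet is judged alone, by destination port only."""
    return "allow" if pkt[3] in ALLOWED_PORTS else "deny"


def identify_app(payload: bytes) -> Optional[str]:
    """Port-independent identification from the first payload bytes (toy signatures)."""
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls"             # TLS record type 22 (handshake) with a TLS 1.x version
    if payload.startswith(b"SSH-"):
        return "ssh"             # SSH identification string
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"            # HTTP request line
    return None                  # no signature in this packet


class FlowTracker:
    """Groups packets into flows so a classification made once applies to later packets."""

    def __init__(self):
        self.flows = {}          # (src, sport, dst, dport) -> identified application

    def decide(self, pkt) -> str:
        key = pkt[:4]
        app = self.flows.get(key) or identify_app(pkt[4])
        if app is None:
            return "inspect"     # not yet identified: earmark for deeper examination
        self.flows[key] = app
        return "allow" if app in APP_POLICY.get(pkt[3], set()) else "deny"


def compare(packets=PACKETS):
    """Return (port-only verdict, flow-aware verdict) for each packet, in order."""
    tracker = FlowTracker()
    return [(stateless_decision(p), tracker.decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (old, new) in zip(PACKETS, compare()):
        print(pkt[4][:12], "port-only:", old, "flow-aware:", new)
```

The port-only rule waves all four packets through because they all target 443; the flow tracker allows only the genuine TLS session and, once the HTTP flow is classified, denies its signature-less continuation packet too.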
The two products identified as the best in the Enterprise Firewalls category faced fierce competition. Both winners are of the "next generation" variety, and one vendor won the same category with its enterprise firewall appliance in 2013.
Winner: McAfee Next Generation Firewall, McAfee/Intel
McAfee's Next Generation Firewall, part of Intel's McAfee product line as a result of its mid-2013 acquisition of Stonesoft, is described by the company as flexible enough to work with "every budget and network architecture." The product maintains high availability, supports IPv6 and offers active-active clustering and load balancing for up to 16 appliances.
The McAfee Next Generation Firewall received high marks from readers for its ability to block intrusions, attacks and unauthorized network traffic. They also recognized the technology for its logging, monitoring and reporting capabilities. McAfee's Enterprise Firewall won the 2013 Readers' Choice Award.
One aspect of this firewall technology that administrators like is that the system builds other "on-the-wire" security functions (intrusion prevention, VPN, virus scanning and URL filtering) into the same scan that checks for off-kilter packets in sessions. This functionality can eliminate hops through several separate security devices and thus reduce both management effort and overall network latency.
Winner: PA-7050 series, Palo Alto Networks Inc.
Palo Alto Networks' PA-7050 received top scores from Readers' Choice voters for its ability to identify users via directory integration and for the company's service and support. The firewall's ability to block intrusions, attacks and unauthorized network traffic, its logging, monitoring and reporting capabilities, and the overall return on investment also impressed Information Security readers.
The high marks should come as no surprise: "Palo Alto pretty much defined the category of next-generation firewalls," says Nemertes' Burke.
The PA-7050 is remarkable in many regards, but its performance (a concern with next-generation products) sets it apart from the competition because it broke through the 100 Gbps barrier. According to the company, the PA-7050 can protect data centers and high-speed networks at speeds of up to 120 Gbps, with up to 100 Gbps of full threat prevention.
As you'd expect given those speeds, it's aimed squarely at large data centers: inside the box are more than 400 processors, taking on all the various security and logging functions in distributed fashion. These processors do a lot of sorting in a hurry, applying several classifications to the traffic stream as it arrives, regardless of port and SSL encryption, and earmarking traffic that's not associated with permitted applications for further examination. There's a sandbox capability built in, so that suspicious payloads can be run and tested in the safety of a cordoned-off processing space.