
For enterprise firewalls, performance outweighs security functionality

Some network administrators fear that too many security features can cause bottlenecks, slowing the network or, worse, shutting it down altogether.

Scott Swenka, an IT security consultant at a midwestern healthcare firm, has been a longtime user of Sidewinder, the Secure Computing firewall that was rebranded by McAfee when it acquired the vendor in 2008. Swenka said he was concerned when McAfee acquired Secure Computing, but, he said, McAfee has remained committed to supporting Sidewinder. 


"Until now they haven't really added any new features," Swenka said."The admin interface and naming standards are the same."

McAfee released Firewall Enterprise 8 last week, integrating it with the company's global threat intelligence service. The latest version improves on the Sidewinder application-layer inspection capabilities and adds reputation features to the firewall, enabling it to use geo-location to block threats. The firewall is sold as an appliance and can be deployed as a software-based firewall virtual appliance. It works with McAfee's ePolicy Orchestrator, the company's flagship centralized management console, for management and policy control.

One of Swenka's biggest fears is that McAfee could add too much integration with its existing products. Having the firewall integrate with Active Directory to become "user aware" is helpful and can make the device more powerful, but integrating it with other McAfee products could complicate a product that already works extremely well on its own, he said.


"I look for performance with a firewall and when you add things it can become bloated," he said

The firewall was once a very basic device that scanned IP packets for unwanted traffic against a firewall rule base, which determines what services can flow into the company network. IDC estimates that today 85% of enterprises use firewalls. According to IDC, the devices have evolved to address the rising number of attacks using malicious code.

McAfee was in the firewall business long before its acquisition of Secure Computing. When McAfee was called Network Associates, the vendor sold off its PGP encryption and Gauntlet firewall product lines in 2001. The PGP encryption business became PGP Corp. McAfee's rival, Symantec, announced last week that it would acquire PGP. Gauntlet was acquired by Secure Computing and reacquired by McAfee in 2008.

Pete Lindstrom, a research director at Spire Security, said the firewall market has become commoditized in some ways. The traditional market includes networking giants Cisco Systems Inc., Juniper Networks Inc. and security vendor Check Point Software Technologies Ltd. Many vendors are adding security features into routers, turning them into unified threat management (UTM) devices, he said. The market also includes network security appliance vendors Fortinet Inc., SonicWall Inc. and WatchGuard Technologies Inc. Microsoft also sells its Internet Security and Acceleration Server and Forefront Threat Management Gateway.

Mainstream firewalls are difficult to evaluate because most have the same functions, Lindstrom said.

"Vendors need to have folks understand technical ins and outs of their extended features, because virtually all firewalls have extended security features now," Lindstrom said. "I think performance almost always tops all other needs in the firewall, because the network guys don't want the network to be bottlenecked."

Swenka said that he's learned that basic security devices like the firewall usually come down to dollars and cents for companies. For example, a networking giant like Cisco can use its market share to provide firewall devices to its networking customers at a discount. Companies also tend to standardize on a particular provider, Lindstrom said. Firewall rule bases often only work on a single vendor platform, so making a switch can be a difficult process. 

The trend from a technology perspective, Lindstrom said, is to push gateways closer to their application-related resource, rather than out to the Internet connecting point. Many organizations have a big core firewall, but some are implementing firewalls at the device level or the server level, tying them into the company's hosted intrusion prevention system (HIPS) related technologies.

Dan Ryan, McAfee's executive vice president and general manager of network security, said the goal over time is to completely integrate the firewall into the McAfee product portfolio. Ryan, who served as CEO of Secure Computing before it was acquired, said McAfee has been working on integration issues. The goal has been to find ways to improve firewall detection capabilities without forcing organizations to add more rule sets, which can make management difficult, he said.

"We've got to get it so there's common policies across protocols," Ryan said. "I think we're doing a good job working to get to that point."
