
Are next-generation firewalls critical enterprise security tools?

Marketing hype calls next-generation firewalls a must-have enterprise security tool, but the truth is, not every organization needs one. Get help evaluating your enterprise NGFW needs.

Firewalls have been on the "must-have" security technology list since the early to mid-'90s, when businesses were just getting onto the Internet. But does your company really need a next-generation firewall (NGFW)?

Firewalls have evolved considerably over the years. Early firewalls came in just a few varieties: simple packet filters, stateful packet filters (e.g., Check Point Software Technologies' multilayer stateful inspection) and application proxies (e.g., TIS Gauntlet and Raptor Systems Eagle). Stateful packet-filtering firewalls were excellent at enforcing lower-level policies like blocking ports or source and destination IPs, but they weren't application-aware at a granular level. However, at that point they didn't need to be.

In the mid-'90s, port 80 was used for basic HTML traffic, while port 443 was used for HTML tunneled through SSL. Today, anything and everything can run through ports 80 and 443 -- Twitter, Pinterest, instant messages, email, video chat -- you name it; if you can do it on the Internet, chances are high that you are doing it through ports 80 or 443. To manage complex Web, social media and data use, companies need firewalls that can enforce application- and identity-aware policies at a very precise, deep-packet inspection level. For example, a company may approve Facebook use but not allow Zynga gaming. Or it might permit Twitter use but prohibit posts containing sensitive data. Or maybe only the company's CEO and members of the board are allowed to use Google chat, while everyone else can use Gmail. Point is, simply blocking all Internet or Facebook use isn't a viable business option today the way it was in the old days.
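The three policies described above, written as an ordered rule set and compared with a port-only filter. This is an added example, not code from the article or from any firewall product; the application and function labels, group names, rule format and sample flows are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset
    dst_port: int
    app: str                 # assumed label from Layer 7 inspection
    function: str            # feature inside the application
    sensitive: bool = False  # assumed verdict of a content-inspection step

@dataclass(frozen=True)
class Rule:
    app: str
    function: str = "*"      # "*" matches any feature of the app
    group: str = ""          # "" matches any user
    sensitive_only: bool = False
    action: str = "allow"

    def matches(self, f: Flow) -> bool:
        return (self.app == f.app and self.function in ("*", f.function)
                and (not self.group or self.group in f.groups)
                and (not self.sensitive_only or f.sensitive))

RULES = [  # first match wins: specific rules precede the general rule per app
    Rule("facebook", "zynga-games", action="deny"),
    Rule("facebook"),
    Rule("twitter", "post", sensitive_only=True, action="deny"),
    Rule("twitter"),
    Rule("google", "chat", group="executives"),
    Rule("google", "chat", action="deny"),
    Rule("google", "gmail"),
]

def port_filter(f: Flow) -> str:  # port-only view: all 80/443 flows look alike
    return "allow" if f.dst_port in (80, 443) else "deny"

def ngfw_decide(f: Flow, rules=RULES) -> str:  # default deny if nothing matches
    return next((r.action for r in rules if r.matches(f)), "deny")

STAFF, EXEC = frozenset({"staff"}), frozenset({"staff", "executives"})
FLOWS = [  # constructed sample flows, all on port 443
    Flow("alice", STAFF, 443, "facebook", "newsfeed"),
    Flow("alice", STAFF, 443, "facebook", "zynga-games"),
    Flow("bob", STAFF, 443, "twitter", "post", sensitive=True),
    Flow("carol", EXEC, 443, "google", "chat"),
    Flow("alice", STAFF, 443, "google", "chat"),
]
DECISIONS = [(port_filter(f), ngfw_decide(f)) for f in FLOWS]
```

Rule order matters in this sketch: moving the general `facebook` rule above the `zynga-games` rule would silently allow the games traffic, which is the kind of management burden the article goes on to describe.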

If some of this sounds similar to the technology features in your corporate intrusion-prevention system (IPS), you're right. Most current next-generation firewalls provide a combination of traditional firewall stateful packet filtering, along with the more precise Layer 7 application- and identity-based policy enforcement that was the hallmark of an IPS.

But as anyone who has administered a firewall or IPS can tell you, the ability to enforce complex policies on the device is only as good as a company's ability to write that policy in the first place. Application proxies faced slower adoption than packet filters in the 1990s, partly because they were slower but also because they were harder to configure and manage. A good rule of thumb is that the more complex the policy, the more complex the rule on the firewall will be. So, before they get "oversold" on all the capabilities and promises of next-generation firewalls, organizations should ask themselves if they are really ready to put in the planning time and ongoing management effort required to get all the advantages such a device provides.

Another factor to consider when evaluating an NGFW adoption is the type of reporting that will be required for compliance purposes and to support audit activities. Many newer regulations and mandates require that companies be able to prove somehow that access to sensitive data is provided only on a need-to-know basis to authorized individuals. An identity-aware NGFW that controls access to the repositories housing that data can run reports showing which users accessed the systems and when. However, an NGFW is not the only way to monitor and report on that access. Organizations may be using database monitoring or other access control mechanisms for managing and reporting that access already.

Only your IT and management teams can answer the "do we need an NGFW" question definitively. But at a high level, if your company already has an IPS in place and the current firewall appliance is meeting business and compliance needs, then the answer -- at least for the short term -- may be no. But if you never adopted an IPS and are looking for something a little more precise and granular than your older firewall -- or if your firewalls are due for a refresh cycle -- it could be time to look into going next-gen with your enterprise security tools.

The business and technology benefits of next-generation firewalls

Below are five of the top benefits NGFWs can bring to an enterprise:

  • Speed and availability: An NGFW keeps the business traffic running and supports "five nines" availability of critical applications and services.
  • Port-independent traffic: New and proprietary applications that travel over nonstandard ports can be accommodated in the rule base without sacrificing security.
  • Granular application-aware policy enforcement: An NGFW supports business agility because it can block features and functions (e.g., Google chat) without having to block the entire website.
  • Identity-aware policy enforcement: Allows for user flexibility; can block access only for certain users, on a business need-to-know basis.
  • Identity-aware policy access: Policies from centralized repository stores like Active Directory can be accessed by the NGFW to save admins time and ensure normalization across devices.

As noted above, only your IT and management teams will be able to conclusively answer the "do we need an NGFW in our enterprise" question. However, understanding these five NGFW business and technology benefits may make the decision a little easier. For example, if your enterprise is in the process of a firewall refresh and knows it needs an appliance for enforcing granular application- or identity-aware policies, putting a next-generation firewall on your "to consider" list is a good idea. However, if your enterprise has tools that provide these benefits, adding an NGFW to its security strategy may be overkill.

About the author:
Diana Kelley is the executive security advisor at IBM Security Systems and a co-founder of N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director at research firm Burton Group. She has 25 years of IT experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.

This was last published in September 2014
