Editor's note: This is the second part of a two-part series on the benefits of next-generation firewalls. In the first section, we explained how an NGFW consolidates the administrative and policy resources for traditional intrusion prevention systems and firewalls. Here, we discuss three more benefits.
New applications and unknown attacks
Since we're well past the point where port 25 means mail and port 80 means vanilla HTML, one of the technical benefits of a next-gen firewall is its ability to identify and manage traffic based on what that traffic does, not just which port it's traveling over. It is critical to consider a couple of things here: How does an NGFW handle traffic on non-standard ports? And what kind of feedback does the NGFW provide about that traffic to help admins and the business determine whether it is part of normal business activity or an indication of attack?
One more consideration: How well can the NGFW handle complex rule sets when new applications are added? These days it's not uncommon for a new application -- either external or internal -- to come with a spreadsheet of complex communication requirements that firewall admins must figure out how to translate into working firewall rules. When considering an NGFW, remember to ask whether the NGFW vendor offers support for implementing new applications. Ask, too, whether the firewall can be put into learning mode to help admins visualize the traffic and communication requirements of the new application. Are there vendor-provided templates for common third-party applications and services that companies can use as a baseline when turning on those services?
Attackers today are making use of non-standard ports and getting creative about passing traffic in unique and undetectable ways. For example, a current favorite attack channel is sending command-and-control traffic over port 53, a port that's open on almost all firewalls because it is used for the domain name system. It is critical to consider how a potential next-gen firewall inspects traffic for these unknown attacks. Can it identify and alert on suspicious activity regardless of whether there is a signature or rule for it?
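As an added illustration of the kind of signature-less inspection the paragraph above asks about (example code written for this article, not from any NGFW vendor), the script below scores DNS query logs for the long, random-looking subdomain labels that data smuggled over port 53 tends to produce. The log format, thresholds and domain names are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the article): time, client, query name.
# The last four lines imitate the long, high-entropy labels typical of data
# carried inside DNS queries; "badexample.org" is a made-up placeholder domain.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 www.example.com
10:00:02 10.1.2.3 mail.example.com
10:00:03 10.1.2.7 cdn.example.net
10:00:04 10.1.2.3 3f9a8b2c7e1d4a6b9c0d2e5f7a8b1c3d.t.badexample.org
10:00:05 10.1.2.3 a7c4e1f0b2d3c5e6f7a8b9c0d1e2f3a4.t.badexample.org
10:00:06 10.1.2.3 91b3d5f7a9c1e3f5b7d9a1c3e5f7b9d1.t.badexample.org
10:00:07 10.1.2.3 0e2c4a6b8d0f2a4c6e8b0d2f4a6c8e0b.t.badexample.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded payloads score high, ordinary hostnames score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude 'last two labels' split; a production tool would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_tunnel_candidates(log_text, min_queries=3, min_label_len=24, min_entropy=3.0):
    """Group queries by (client, registered domain) and flag groups whose subdomain
    labels are repeatedly long and random-looking. No signature is involved."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing the audit
        _ts, client, qname = m.groups()
        sub_labels = qname.rstrip(".").split(".")[:-2]
        longest = max(sub_labels, key=len) if sub_labels else ""
        groups[(client, registered_domain(qname))].append(longest)
    flagged = set()
    for key, labels in groups.items():
        suspicious = [l for l in labels
                      if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(suspicious) >= min_queries:
            flagged.add(key)
    return flagged

if __name__ == "__main__":
    for client, domain in sorted(find_tunnel_candidates(SAMPLE_LOG)):
        print(f"ALERT possible DNS tunnel: {client} -> {domain}")
```

The thresholds are deliberately simple; in practice they would be tuned against a baseline of the organization's own resolver traffic.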
Another valuable feature of the NGFW is its ability to make policy decisions using identity information. This capability provides far greater policy granularity than traditional firewalls, which were limited to information like IP address or port number alone. If this is a technical requirement for your next-gen firewall, determine what kinds of rules need to be implemented and how identity information will be populated.
Will your organization's NGFW have to work with your existing directory service? Do you have multiple directory repositories, such as a Microsoft Active Directory and an Open Directory instance? Do you need the NGFW to work with any cloud or federated identity services? Will the NGFW have to normalize and correlate directory information from these multiple services? Or will your organization populate identity information manually or from a flat source like a spreadsheet or comma-separated values file?
Remember that with this level of granularity comes complexity. In a large organization there can be thousands of rules for a traditional firewall deployment. Throw application- and identity-aware rules into the mix and this number will increase exponentially. So what kind of support does the vendor have for managing these complex rules? Is there an auditing feature to find and eliminate shadow rules or collisions? And can the NGFW integrate with existing identity management tools to ensure that access is removed for users if their roles change or they leave the organization?
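The shadow-rule and collision audit mentioned above, shown as an added example (written for this article, not taken from any NGFW product) over a small identity- and application-aware rule base. Rule names, group names and application IDs are constructed placeholders; the rule base is evaluated with first-match semantics.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ANY = None  # wildcard for a match field

@dataclass(frozen=True)
class Rule:
    name: str
    users: Optional[FrozenSet[str]]     # identity groups, or ANY
    apps: Optional[FrozenSet[str]]      # application IDs, or ANY
    dst_zone: Optional[FrozenSet[str]]  # destination zones, or ANY
    action: str                         # "allow" or "deny"

def field_covers(outer, inner) -> bool:
    """True when everything the inner field can match is also matched by outer."""
    if outer is ANY:
        return True
    if inner is ANY:
        return False
    return inner <= outer

def rule_covers(outer: Rule, inner: Rule) -> bool:
    return all(field_covers(getattr(outer, f), getattr(inner, f))
               for f in ("users", "apps", "dst_zone"))

def audit(rules):
    """A rule is shadowed when an earlier rule covers all of its traffic.
    Same action: the later rule is redundant. Different action: a collision,
    because the later (often more restrictive) rule can never fire."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if rule_covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "collision"
                findings.append((later.name, earlier.name, kind))
                break
    return findings

# Constructed sample policy (not from the article).
SAMPLE_RULES = [
    Rule("r1-finance-erp", frozenset({"finance"}), frozenset({"erp"}), frozenset({"dc"}), "allow"),
    Rule("r2-all-web", ANY, frozenset({"web-browsing", "ssl"}), frozenset({"internet"}), "allow"),
    Rule("r3-contractors-web", frozenset({"contractors"}), frozenset({"ssl"}), frozenset({"internet"}), "deny"),
    Rule("r4-finance-erp-dup", frozenset({"finance"}), frozenset({"erp"}), frozenset({"dc"}), "allow"),
    Rule("r5-hr-erp", frozenset({"hr"}), frozenset({"erp"}), frozenset({"dc"}), "allow"),
]

if __name__ == "__main__":
    for later, earlier, kind in audit(SAMPLE_RULES):
        print(f"{later} is {kind}: fully covered by {earlier}")
```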
Remote and mobile users
Controlling ingress and egress traffic at a perimeter requires that the traffic cross that perimeter. While mobile and remote users may enter the Internet from untrusted networks -- like Wi-Fi in a coffee shop -- their communication can be protected with a VPN and their access into corporate data stores can be managed by a next-gen firewall. Where things get a little weird is that these devices are also accessing the unfettered Internet, usually from that same untrusted network. If an attacker compromises the device from a rogue Internet site, that device could spread malware into the corporate network through the VPN. Or the attacker could simply access corporate data that is stored or accessed locally on the device.
One way to address this issue is to require that all Internet access from remote and mobile devices be routed back to the corporate network via the VPN. However, this causes throughput issues and can be easily circumvented by users, especially at companies with bring-your-own-device (BYOD) programs. If your organization has numerous mobile and remote users, be sure to ask if the NGFW vendor has an agent or other product to secure these users. Also ask if the vendor has partnered with another vendor to provide protection for this class of user.
About the author:
Diana Kelley is the executive security advisor at IBM Security Systems and a co-founder of New Hampshire-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has 25 years of IT experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.