IT managers in corporate and mid-size businesses have to balance both network performance and network security concerns. While security requirements are critical to the enterprise, organisations should not have to sacrifice throughput and productivity for security. Next-generation firewalls (NGFWs) have emerged as the solution to this thorny problem.
Earlier-generation firewalls pose a serious security risk to organisations today. Their technology has effectively become obsolete, as they fail to inspect the data payload of the network packets circulated by today's Internet criminals. Many vendors tout Stateful Packet Inspection (SPI) speeds only, but the real measure of security and performance is deep packet inspection (DPI) throughput and effectiveness. To address this deficiency, many firewall vendors adopted the malware inspection approach used by traditional desktop anti-virus solutions: buffer downloaded files, then inspect them for malware. This method not only introduces significant latency, it also poses a security risk of its own: because the buffered file is held in temporary memory, the maximum file size that can be inspected is limited, and larger files cannot be scanned at all.
The evolution of next-generation firewalls
The SPI generation of firewalls addressed security in a world where malware was not a major issue and web pages were just documents to be read. Ports, IP addresses, and protocols were the key factors to be managed. But as the Internet evolved, the ability to deliver dynamic content from the server and client browsers introduced a wealth of applications we now call Web 2.0.
Today, applications from Salesforce.com and SharePoint to Farmville all run over TCP port 80 as well as encrypted SSL (TCP port 443). A next-generation firewall inspects the payload of packets and matches signatures for nefarious activity such as known vulnerabilities, exploit attacks, viruses and malware, all on the fly. DPI also means that administrators can create very granular permit and deny rules for controlling specific applications and web sites. Since the contents of packets are inspected, exporting all sorts of statistical information is also possible, meaning administrators can now easily mine the traffic analytics to perform capacity planning, troubleshoot problems or monitor what individual employees are doing throughout the day. Today's firewalls operate at layers 2 through 7 of the OSI model.
What the enterprise requires
Organisations are suffering from application chaos. Network communications no longer rely simply on store-and-forward applications like email, but have expanded to include real-time collaboration tools, Web 2.0 applications, instant messenger (IM) and peer-to-peer applications, Voice over IP (VoIP), streaming media and teleconferencing, each presenting a conduit for potential attacks. Many organisations cannot distinguish the applications on their networks that serve legitimate business purposes from those that are not business-critical and simply drain bandwidth, or are plainly dangerous.
Today, organisations need to deliver critical business solutions while also contending with employee use of wasteful and often dangerous (from a security perspective) web-based applications. Critical applications need bandwidth prioritisation, while social media and gaming applications need to be throttled or completely blocked. Moreover, organisations can face fines, penalties and loss of business if they are not in compliance with security mandates and regulations.
In today’s enterprise organisations, protection and performance go hand-in-hand. Organisations can no longer tolerate the reduced security provided by legacy SPI firewalls, nor can they tolerate the network bottlenecks associated with some NGFWs. Any delays in firewall or network performance can degrade quality in latency-sensitive and collaborative applications, which in turn can negatively affect service levels and productivity. To make matters worse, some IT organisations even disable functionality in their network security solutions to avoid slowdowns in network performance.
Organisations large and small, in both the public and private sector, face new threats from vulnerabilities in commonly used applications. It's the dirty little secret of the beautiful world of social networks and interconnectedness: they're a breeding ground for malware, and Internet criminals prey on every corner for their unsuspecting victims. Meanwhile, workers use business and home office computers for online blogging, socialising, messaging, videos, music, games, shopping and email. Applications such as streaming video, peer-to-peer (P2P), and hosted or cloud-based applications expose organisations to potential infiltration, data leakage and downtime. In addition to introducing security threats, these applications drain bandwidth and productivity, and compete with mission-critical applications for precious network bandwidth. Importantly, enterprises need tools to guarantee bandwidth for critical, business-relevant applications, and need application intelligence and control to protect both inbound and outbound flows of traffic, while ensuring the velocity and security to provide a productive work environment.
The NGFW benefit
Next-generation firewalls can deliver application intelligence and control, intrusion prevention, malware protection and SSL inspection at multi-gigabit speeds, scalable to support the highest-performance networks.
The most robust NGFWs enable administrators to control and manage both business and non-business-related applications to enable network and user productivity, and they can scan files of unlimited size across any port without security or performance degradation. High-end NGFWs are not limited by the number of simultaneous files or network streams, so infected files do not have a chance to slip through undetected when the firewall is under heavy load. In addition, NGFWs can apply all security and application control technologies to SSL-encrypted traffic, ensuring that it does not become a new malware vector into the network.
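The contrast drawn above between buffer-then-inspect and unlimited-file-size inspection, shown as an added example that is not from the article or any vendor's product: two toy inspection engines run over constructed traffic, using constructed signature strings rather than any real signature set.

```python
from typing import Iterable, List, Tuple

# Constructed signatures for illustration only; a real DPI engine uses a vendor signature set.
SIGNATURES = {
    "SIG-DROPPER": b"EVIL_DROPPER_STAGE2",
    "SIG-EXFIL": b"BEGIN-EXFIL",
}
# Bytes to carry between chunks so a pattern split across a boundary is still seen.
MAX_OVERLAP = max(len(s) for s in SIGNATURES.values()) - 1


def match_signatures(data: bytes) -> List[str]:
    """Return the names of all signatures present in data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def buffered_scan(chunks: Iterable[bytes], max_buffer: int) -> Tuple[str, List[str]]:
    """Proxy-style inspection: hold the whole file, then scan it once.
    A file that outgrows the buffer can never be fully held, so the scan
    cannot run; this is the file-size limit the article describes."""
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > max_buffer:
            return "UNSCANNED", []
    hits = match_signatures(bytes(buf))
    return ("BLOCKED" if hits else "CLEAN"), hits


def streaming_scan(chunks: Iterable[bytes]) -> Tuple[str, List[str]]:
    """Reassembly-free inspection: scan each chunk as it arrives, keeping only
    the tail of the previous window. Memory stays bounded for any file size."""
    carry, hits = b"", set()
    for chunk in chunks:
        window = carry + chunk
        hits.update(match_signatures(window))
        carry = window[-MAX_OVERLAP:]
    return ("BLOCKED" if hits else "CLEAN"), sorted(hits)


def chunked(data: bytes, size: int) -> List[bytes]:
    """Split constructed file content into transfer-sized segments."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    # Constructed 100 KB download whose payload ends with a signature.
    big = chunked(b"A" * 100_000 + b"BEGIN-EXFIL", 1460)
    print("buffered :", buffered_scan(big, max_buffer=64 * 1024))  # ('UNSCANNED', [])
    print("streaming:", streaming_scan(big))                      # ('BLOCKED', ['SIG-EXFIL'])
```

The streaming scanner also catches a signature that straddles two chunks, because it re-scans the carried tail together with the next chunk.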