Security remains a central concern for modern enterprises, and as technologies change, companies have to decide which of them justify investment for their particular requirements.
“Next-Generation Firewalls (NGFWs) represent the latest advances in gateway security. While they provide you with granular control by going beyond the traditional firewall traffic filtering of ports, helping you filter by application type and user identity, defining groups and providing controlled access, and centralised monitoring, they also increase the complexity of your policies. According to the 2012 state of network security survey, 84% of respondents believe that NGFWs have improved their security,” says Mir Ali, business development manager at Emitac Enterprise Solutions (EES).
“The primary business case for investing in NGFWs is cost-savings since most next generation firewall vendors are combining the functions of a traditional firewall with that of an Intrusion Prevention System (IPS). End users are no longer required to maintain separate firewall and IPS deployments. A single instance of a next-gen firewall is now sufficient to maintain the necessary security posture. The cost saving arises from a lower install base and related savings in both CAPEX and OPEX,” says Walid Kamal, SVP – technology security, risk and fraud management, du.
While NGFWs can offer enterprises superior protection, they have to be chosen with care if they are to deliver real benefits.
“Organisations must ensure that firewalls, intrusion prevention and application intelligence using deep packet inspection are integrated into next-gen solutions. To ensure adequate performance levels, IT teams must selectively implement application-layer inspection features and other advanced filtering capabilities based on their environment and test the setup thoroughly. Additional features may slow up the speed and might therefore impact the performance of the next-gen solution,” says Swapnendu Mazumdar, network infrastructure manager at eHDF (eHosting DataFort).
“A real next generation firewall should classify the application and inspect traffic irrespective of the firewall policy or settings on the policy. Another key component to look out for is how the platform will operate with features turned on – a next generation firewall needs to be able to scale even with application inspection, antivirus and threat inspection as well as deliver strong reporting on the same. At the end of the day the main function of any firewall, including NGFW, is to deliver enforceable visibility,” says Nicolai Solling, director of technology services at helpAG.
NGFWs should also ideally be able to inspect encrypted (SSL/TLS) traffic, though decrypting and re-encrypting it on the firewall comes at a cost in throughput.
“Encryption is a CPU intensive process and has an impact on the firewall performance the moment this feature is enabled. Users should evaluate and choose the one that accommodates desired throughput,” explains Mahesh Vaidya, CEO of ISIT.
Customers should be doubly careful in choosing an NGFW, since the investment may also mean replacing existing firewall and IPS equipment.
Maher Jadallah, regional manager for MEA at Sourcefire says, “Organisations today are leveraging NGFW to strengthen their existing security deployments, not often to replace legacy technology. As threats continue to advance and IT departments continue to evolve, we believe that so must our network security defences. Sourcefire is known for its innovation and recognised very early on that IPS needed to evolve to NGIPS to provide effective protection in the face of dynamically changing environments. A NGFW has to do the same thing. Other NGFW solutions force customers to make tradeoffs between control, prevention, performance and manageability.”
“In the case of an SMB or a mid-size organisation, they might need to replace existing firewalls and IPS. By doing so the overall TCO (cost of hardware, security services, support, and on-going management) will fare much better. When it comes to large enterprises then the answer is no. What some of our large customers do is deploy a NGFW behind the existing WAN firewall in a transparent mode (bypass mode),” says Florian Malecki, senior product marketing manager for EMEA at Dell SonicWall.
Managing NGFWs consistently can also prove difficult for some enterprises.
Kamal says, “The management of next-gen firewalls is relatively more complicated and requires on-boarding new skills in the operations teams. The next-gen firewalls perspective of the network is different from traditional firewalls since the deep-packet inspection function in next-gen firewalls provides visibility up to the application layers. The network policies may now be applied using application layer information which requires further understanding of the applications.”
Malecki adds, “It really depends on the deployment, but in general, a good NGFW should not be more difficult to manage than legacy traditional firewalls. Actually it should be easier as a NGFW combines a few stand-alone solutions into one, making life much easier for the user.”
“NGFWs present new capabilities to manage firewall rules. Conventional firewalls relied primarily on IP address and protocols which were static in nature. NGFWs provide capability of central management, extensive logging and reporting. NGFWs go a level higher and can integrate with existing corporate directory system permitting access based on time of day, application, userID etc. Due to such dynamic features, management of the next-gen firewall becomes easier. As these firewalls become more mature, increasing number of advanced security management tools will enter the market making the management easier,” states Mazumdar.
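As an added illustration (not code from the article or from any of the vendors quoted), the following Python sketch contrasts a port-based rule of the kind Mazumdar describes for conventional firewalls with NGFW-style rules keyed on application, directory group and time of day. The rule sets, the user directory and the flow records are all constructed for the example; the application labels stand in for whatever the firewall's DPI classifier would actually produce, and the first-match-then-implicit-deny evaluation is the common firewall convention rather than any specific product's behaviour.

```python
"""Toy policy engine: legacy 5-tuple rules versus NGFW-style rules.

Everything here (rules, directory, flows) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    app: str      # label a DPI classifier would assign, e.g. "web-browsing"
    user: str     # identity from directory integration; "" if unknown
    at: time      # time of day the session was opened


# Constructed corporate directory: user -> set of groups.
DIRECTORY = {
    "alice": {"finance"},
    "bob": {"engineering"},
}


@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    src: Optional[str] = None                    # CIDR, e.g. "10.0.0.0/8"
    dport: Optional[int] = None                  # legacy-style port match
    proto: Optional[str] = None                  # legacy-style protocol match
    app: Optional[str] = None                    # NGFW: application identity
    group: Optional[str] = None                  # NGFW: directory group
    window: Optional[Tuple[time, time]] = None   # NGFW: inclusive time window

    def matches(self, f: Flow) -> bool:
        """Every criterion the rule sets must hold; unset criteria match anything."""
        if self.src and ip_address(f.src) not in ip_network(self.src):
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        if self.proto and f.proto != self.proto:
            return False
        if self.app and f.app != self.app:
            return False
        if self.group and self.group not in DIRECTORY.get(f.user, set()):
            return False
        if self.window and not (self.window[0] <= f.at <= self.window[1]):
            return False
        return True


def evaluate(rules, f: Flow) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in rules:
        if r.matches(f):
            return f"{r.action}:{r.name}"
    return "deny:implicit"


# Legacy policy: "let the LAN talk HTTPS". It cannot see what rides on 443.
LEGACY = [
    Rule("allow-https", "allow", src="10.0.0.0/8", dport=443, proto="tcp"),
]

# NGFW policy: match on what the traffic is and who is sending it, not the port.
NGFW = [
    Rule("allow-web", "allow", src="10.0.0.0/8", app="web-browsing"),
    Rule("finance-erp", "allow", src="10.0.0.0/8", app="erp-portal",
         group="finance", window=(time(8, 0), time(18, 0))),
]

# Constructed sample sessions; every one of them is TCP/443 from the LAN.
FLOWS = {
    "alice-browsing":        Flow("10.0.1.5", "203.0.113.10", 443, "tcp", "web-browsing", "alice", time(10, 0)),
    "bob-torrent-on-443":    Flow("10.0.2.7", "198.51.100.9", 443, "tcp", "bittorrent",   "bob",   time(10, 0)),
    "alice-erp-in-hours":    Flow("10.0.1.5", "10.10.0.20",   443, "tcp", "erp-portal",   "alice", time(10, 0)),
    "alice-erp-after-hours": Flow("10.0.1.5", "10.10.0.20",   443, "tcp", "erp-portal",   "alice", time(23, 0)),
    "bob-erp":               Flow("10.0.2.7", "10.10.0.20",   443, "tcp", "erp-portal",   "bob",   time(10, 0)),
}


def compare(flows=FLOWS):
    """Return {flow name: (legacy verdict, NGFW verdict)} for every sample flow."""
    return {name: (evaluate(LEGACY, f), evaluate(NGFW, f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (legacy, ngfw) in compare().items():
        print(f"{name:24} legacy={legacy:20} ngfw={ngfw}")
```

The legacy rule allows all five sessions because they are indistinguishable at the port level; the NGFW rules let ordinary browsing through, drop the file-sharing client that was tunnelled over 443, and confine the ERP portal to the finance group during business hours. This is also why Solling's point about classifying applications independently of the port matters: if the classifier were keyed to port 443 alone, the NGFW policy would collapse back into the legacy one.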
Because of the many factors that need to be weighed, and because the technology is still relatively new, NGFWs are not yet widely adopted by organisations. According to Gartner, less than 5% of Internet connections today are secured using NGFWs; Gartner expects this to rise to 35% of the installed base by the end of 2014, with 60% of new purchases being NGFWs.