Next-generation firewalls that businesses use to protect data centers or their network perimeter also offer other important features.
One of the main ones is Ethernet-layer tagging. IT security professionals can tag data and assign relevant security policies to the information. The security policy travels with the data no matter where it ends up on the network.
“Many evasions by hackers occur because they come in at some point in the network — maybe through a user’s host, or they were spun up within a virtual machine in a data center,” says Dave Stuart, senior director of marketing and network security with Cisco Systems. “If the threat already evaded perimeter protections, it won’t get detected anywhere later along the path.”
The Cisco TrustSec policy management platform can apply tags for use by NGFWs. “Our solutions recognize those data tags in downstream and upstream security functions,” Stuart says. “So if a piece of data arrives that’s been tagged for intrusion inspection at the doorstep of our next-gen firewall, TrustSec makes sure that inspection takes place.”
Similarly, administrators can streamline operations by tagging trusted traffic to bypass inspection checkpoints, he adds.
Another feature is application-layer controls. These safeguards regulate individual or groups of software titles that security managers deem too risky for running on the enterprise network. “With web pages being such a common delivery mechanism for malware, firewalls need to be able to understand and control applications through such technologies as content filtering, web URL filtering and malware detection,” says Joel Snyder, senior partner at Opus One, an IT consulting firm specializing in networking and security.
Firewalls also provide intrusion detection/prevention technology. Provided as stand-alone products in the past, these NGFW tools analyze malware signatures and network anomalies to identify common attacks and help protect unpatched systems or misconfigured applications, Snyder says. NGFW intrusion prevention capabilities also protect against SQL injection, an attack in which malicious SQL is inserted into the statements an application sends to its database. “That takes a load off the security staff, because it doesn’t have to review network logs to identify attacks,” he explains.
Security experts say firewall success requires a combination of picking the right feature set and deploying the technology with optimum performance in mind. Network performance, including keeping any added latency to a minimum, is a key deployment consideration. For example, throughput rates for NGFWs, which layer on advanced security features, can look alarmingly slow compared to traditional firewalls, which primarily monitor IP addresses and port numbers.
NGFWs may run as virtual machines or as dedicated appliances, with specialized application-specific integrated circuits (ASICs) or high-performance processors. Multithreading and asynchronous parallel processing can contribute an additional speed boost. In addition, some solutions may devote one processor for application control and intrusion prevention, while a separate processor screens for viruses and performs other duties.
Another important feature to consider is how individual models import the user information needed to make decisions about possible threats. “Some next-gen firewalls sniff Active Directory logs, which is great, except not everyone in the organization may be logged into Active Directory,” Snyder says. “Other models sniff traffic or install an agent on a PC. What’s important to remember is that each of these approaches to user awareness may look great in the demo, but some may be difficult to implement in a real-world environment.”
Onsite testing during the product evaluation process will help determine which approach is right for a particular organization, he adds.
The good news for enterprises starting the selection process is that intense competition in the NGFW market is yielding attractive prices for tools that offer excellent performance. “As NGFWs are maturing, we’re seeing purchase price and value becoming increasingly common as ways to distinguish products,” says Eric Parizo, senior analyst with Current Analysis.
Once IT managers choose among the various design and performance options, they should begin rollouts with a testing period designed to evaluate the solution’s impact on production operations. For example, some managers set new NGFWs so they monitor network traffic patterns, but don’t take any action if anomalies arise. This reduces unnecessary actions against false positives that stall benign traffic. Over time, intrusion detection and other capabilities are gradually turned on as administrators gain a clear understanding of traffic patterns.
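The three mechanisms described above (a trust tag that lets traffic bypass inspection, signature-based intrusion prevention for SQL injection, and a monitor-only rollout phase that alerts without blocking) can be shown together in a small simulation. The code below is an added illustration written for this article; it is not TrustSec, FirePOWER or any vendor's engine. The tag names, the signature patterns and their labels, and the five request lines it inspects are all constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed detection signatures for the example (not a vendor rule set).
# Each entry is (regex, label); the regex is applied to the URL-decoded request.
SQLI_PATTERNS = [
    (r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+", "sqli-tautology"),   # ' OR '1'='1
    (r"(?i)union\s+(all\s+)?select", "sqli-union"),              # UNION SELECT ...
    (r"(?i);\s*(drop|delete|insert|update)\s", "sqli-stacked"),  # ; DROP ...
]


@dataclass
class Packet:
    """Simplified packet: source address, the security tag it carries, payload."""
    src: str
    tag: str       # hypothetical tag values: "trusted", "inspect", "untagged"
    payload: str   # HTTP request line (constructed sample data)


@dataclass
class Verdict:
    action: str    # "allow", "alert" (monitor mode) or "block" (enforce mode)
    reason: str


class Inspector:
    """Signature inspection with tag bypass and a monitor/enforce switch."""

    def __init__(self, mode="monitor", bypass_tags=("trusted",)):
        self.mode = mode                    # "monitor" alerts only; "enforce" blocks
        self.bypass_tags = set(bypass_tags)  # tags that skip inspection entirely
        self.alerts = []                    # (src, signature label) for review

    def inspect(self, pkt):
        # Tagged-trusted traffic bypasses the inspection checkpoint.
        if pkt.tag in self.bypass_tags:
            return Verdict("allow", "bypass: trusted tag")
        decoded = unquote(pkt.payload)      # match on decoded text, not raw URL encoding
        for pattern, label in SQLI_PATTERNS:
            if re.search(pattern, decoded):
                self.alerts.append((pkt.src, label))
                if self.mode == "enforce":
                    return Verdict("block", label)
                return Verdict("alert", label)   # monitor mode: log, but let it through
        return Verdict("allow", "clean")


# Constructed sample traffic; addresses and request lines are made up.
SAMPLE_REQUESTS = [
    Packet("10.0.1.5", "inspect", "GET /search?q=laptop HTTP/1.1"),
    Packet("10.0.1.9", "inspect", "GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1"),
    Packet("10.0.2.2", "inspect",
           "GET /items?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1"),
    Packet("10.0.3.7", "trusted", "GET /report?id=1%20UNION%20SELECT%201 HTTP/1.1"),
    Packet("10.0.1.5", "untagged", "POST /api/update HTTP/1.1"),
]


def run(mode):
    """Inspect the sample traffic in the given mode and summarise the verdicts."""
    engine = Inspector(mode=mode)
    verdicts = [engine.inspect(p) for p in SAMPLE_REQUESTS]
    return {
        "allowed": sum(v.action == "allow" for v in verdicts),
        "alerted": sum(v.action == "alert" for v in verdicts),
        "blocked": sum(v.action == "block" for v in verdicts),
        "alerts": list(engine.alerts),
    }


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        print(mode, run(mode))
```

Running it in monitor mode produces two alerts and no blocks, which is the data an administrator reviews before switching the same rules to enforce mode; the request carrying the trusted tag is never inspected in either mode, which is exactly why the tagging decision deserves as much scrutiny as the signatures themselves.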
Ongoing performance tuning is also important to ensure that enterprises get the full benefit of an NGFW. For example, while application-level controls keep risky software away from enterprise networks, the application landscape changes continuously. “If you don’t have a rule for managing an application that was just released, you’re not going to get the advantage of application-level controls,” Snyder says. “Security managers must always be aware of what people are actually doing on the network, and make sure policies are updated to control what programs will be allowed and which ones will be blocked.”
Even the best firewalls can only do so much to protect an enterprise, which means organizations need other pieces to create a broader ecosystem. This requires IT managers to orchestrate the various pieces as a smoothly running system. To achieve this objective, some vendors are providing tools for unified management. This enables managers to apply consistent policies across the entire attack continuum by invoking access controls, intrusion detection and other rules through a central interface.
For example, when Cisco FirePOWER detects threats, it can send instructions for automated responses to Cisco’s Identity Services Engine (ISE). “Most organizations just can’t keep pace with the volume of new threats if they only have a manual strategy for dealing with such a dynamic IT environment,” Stuart says. “With FirePOWER and ISE, defenses essentially become self-hardening to keep pace with rapidly changing exploits.”
Aruba’s ClearPass Policy Manager brings automation to user authentication. It not only affirms the credentials of each individual who tries to log onto the network, it can associate the person with the particular type of device he or she uses and then apply appropriate policies. For example, a smartphone user may be given access only to the Internet but not internal applications. The same user with a security-hardened notebook might receive full privileges to internal resources.
“There’s real value in truly knowing someone’s identity,” says Trent Fierro, director of product marketing for security solutions at Aruba Networks. “When the system knows a particular person using a particular device is connecting to the network, it can send that information to the NGFW so granular policies can be applied for that specific situation. Instead of setting rules for large groups of people, it can set them according to tasks individuals need to perform.” In addition, ClearPass can take action based on information received from an NGFW. “When the firewall detects an anomaly, it can ask ClearPass to bounce that device off the network,” Fierro says.
While solutions exist today that successfully integrate security products within individual vendor portfolios, orchestrating solutions within multivendor environments remains a challenge. Application programming interfaces are one common integration method, but may work reliably only among vendors that have close partnerships.
Alternatively, enterprises may write scripts to cobble components together. “But the scripts may become very brittle, which means the security architecture is not adaptable to changing business requirements, new applications and initiatives like moving to the cloud,” Stuart points out.