How to Choose a Next-Generation Firewall


With network activity steadily on the rise, IT solution providers are faced with protecting customers from threats that are growing exponentially. Here are some tips from Sweeney, VP product
management and corporate marketing at SonicWALL, for evaluating and selecting next-generation firewalls for your customers.
— Jennifer Bosavage, editor

Nearly two-thirds of network traffic is Web-based applications. With these applications come new security threats as well as dramatic increases in network bandwidth consumed. Adequately controlling today’s network traffic requires a Next-Generation Firewall (NGFW).

According to Gartner, an NGFW “is a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks.” An NGFW includes all standard capabilities found in a first-generation firewall (e.g., Network Address Translation, packet filtering and stateful packet inspection, among other common networking features). Gartner recommends requiring NGFW capabilities from your vendors when you approach your firewall and/or intrusion prevention technology refresh cycle. But as you evaluate NGFWs, you will notice that some network security vendors claim capabilities that overlap with NGFWs.

So what should you look for in a true enterprise-class NGFW? Consider these criteria:
1. Scanning
2. Application intelligence
3. Performance
4. Manageability
5. Reporting

Scanning
Like first-generation firewalls, NGFWs include stateful inspection capabilities. But what sets them apart from their predecessors is the ability to perform deep packet inspection (DPI). Many NGFW vendors advertise DPI capabilities, but a close examination of their products shows limitations that minimize protection. Many NGFWs have to proxy files in order to scan them for malware at the gateway. This can severely degrade network performance, on some firewalls up to 95%.

Proxy-based firewalls with limited memory can be quickly exhausted by a few large files or a medium number of smaller files transferred simultaneously. When all memory is consumed, these firewalls resort to either passing files through without inspection or blocking all files that cannot be inspected. To avoid bringing the network to halt, some vendors opt to allow packets through without scanning them.

Some vendors also fail to scan large files or certain protocols. Their file scanning capabilities are limited by file size, and they only scan a small portion of protocols for malware. When evaluating NGFWs, look for one that can:
• Scan files of all sizes for viruses, malware, botnets and other threats
• Decrypt, scan and re-encrypt SSL packets
• Scan a wide range of protocols in addition to raw TCP traffic across all ports

Application intelligence
A fundamental benefit of NGFWs is the ability to control applications and optimize what runs on the network. Different NGFWs address these capabilities to various degrees. A viable NGFW should:

• Scan applications against a growing database of signatures
• Provide real-time visualization into the network
• Take custom applications into account
• Extend application intelligence and control to wireless endpoints

An NGFW’s effectiveness is only as good as the number of applications that it can detect and control. A robust signature database for an NGFW should include thousands of unique applications and application components, and update new signatures daily. Moreover, an NGFW should go beyond simply permitting administrators to allow, block or log applications to provide a comprehensive set of application management capabilities such as application bandwidth management.

You also cannot control and optimize what you cannot see. When evaluating NGFWs, you must consider whether they allow you to see application and user traffic in real-time using integrated, on-box visualization, forensic analysis tools and dashboards.
With most NGFWs, it may not be so easy to bring your company’s custom applications under control. A viable NGFW should be able to identify your company’s custom applications and prioritize them over other traffic. In addition, it should allow you to create your own custom signatures based traffic attributes or traffic characteristics unique to your application.

Increasingly, companies are experiencing a proliferation of wireless endpoints on the network edge. If this is the case for your company, consider a NGFW’s ability to provide powerful application intelligence, control and visualization for wireless users. It does little good to control traffic for only wired users while ignoring the large number of users with laptops who rely solely on the wireless network. Look for an NGFW that integrates a wireless switch and controller, allowing the provisioning and management of distributed wireless deployment while providing application intelligence and control to the WiFi edge. Ideally, the NGFW should be able to subjugate all wireless traffic to application intelligence policies to maintain wireless bandwidth efficiency.

Performance

Gartner states that NGFWs “support in-line, bump-in-the-wire configuration without disrupting network operations.” In other words, they introduce minimal latency. The tight integration of IPS with other capabilities is key to making this happen. A single-pass engine enables seamless policy implementation and enforcement without introducing latency or dropping performance to unacceptable levels. This is important because enabling NGFW services should not bring a network to a standstill.

NGFWs using stateful packet inspection have to proxy each file and each network connection in order to enable DPI, thus degrading performance significantly. Instead, choose an NGFW that provides real-time DPI.

Manageability
A scalable and proven distributed management solution is vital to achieving both security and strong ROI as your company begins deploying security to multiple sites.

For instance, some vendors have a management platform but lack large-scale deployments of their distributed management solution. Wide-scale deployment is often a testament to ease of management.
Still other vendors lack a cohesive distributed management platform. This complicates the management process and adds to the solution’s total cost of ownership (TCO).

Reporting
Your NGFW should provide support for NetFlow/IPFix.
NetFlow and IPFix are two industry standards for reporting on network traffic flows to external collectors. Traditionally deployed for switches and routers, NetFlow exports data such as IP address source and destination, source and destination ports, Layer 3 protocol type and class of service. However, both IPFix and NetFlow Version 9 can be extended to export additional data off the network device such as application data, user data and URL data.

NGFWs promise to help companies regain control over their networks through the integration of intrusion prevention, stateful inspection and deep packet inspection capabilities. But vendors’ offerings vary widely in their approach to scanning network traffic. Take the time to confirm that your NGFW delivers what you need.