Firewalls stand at the entrance to corporate networks like security guards or doormen, referring to a set of rules to decide what traffic to allow in or out, and what traffic to keep from entering.

Traditional firewalls are limited to using port-based rules. That means they block inbound traffic heading to most ports, but they allow traffic to specific ports that are used by certain applications: port 80 for HTTP traffic and port 21 for FTP traffic, for example.

But an increasing number of organizations are finding that port-based firewalls are no longer up to the job of controlling unwanted traffic, and that's largely due to the rise of Web 2.0 applications. The problem is that many applications (ones that run on Facebook, for example) run over port 80 (HTTP) or port 443 (HTTPS). So to block your employees from using Facebook applications you'd have to block ports 80 and 443. That would block the whole Facebook site, which at least some of your employees might need for their day-to-day work. More to the point, blocking ports 80 and 443 would prevent everyone on your network from accessing any part of the Web.
Key next generation firewall features

Next generation firewalls provide far greater granular control over traffic coming in and out of your network. They provide standard firewall capabilities such as packet filtering, network address translation (NAT), stateful protocol inspection and VPN capabilities. Many also have the ability to communicate with external intelligence sources such as reputation systems to enhance blocking decisions.

In addition, they offer a powerful and advanced feature: application awareness with full stack visibility.
Next-generation firewall buying guide

Before making a next generation firewall purchasing decision, it's worth considering and understanding the key features that these systems offer today.
Application awareness and control

These are perhaps the two most important features offered by next generation firewalls, and for most organizations the desire to control application usage is the main driver for purchasing one.

With application awareness, a next generation firewall lets you see, perhaps for the first time, exactly which applications are being used on your network. This may include previously undetected, bandwidth-hungry applications such as streaming video and audio services, and even peer-to-peer file sharing applications that may be illegal.

More importantly, the next generation firewall also provides you with a means to control this application usage. By identifying the applications and enforcing network security policy at the application layer, independently of port and protocol, you can, for example:

Allow Facebook but not Facebook applications such as Candy Crush Saga
Allow Skype for voice-over-IP but not for file sharing
Allow webmail attachment downloads but not attachment uploads
Apply application blacklists or whitelists.
Identity awareness

Without identity awareness, application control can be something of a blunt instrument: the only way to prevent the use of applications such as Facebook is to block everyone on the network from accessing them.

The reality is that most organizations need more flexibility in their application control decisions. While there may be no legitimate reason why the majority of employees need to access social media applications, these applications may be used often by members of the marketing department for brand promotion and monitoring, for example.

For that reason most next generation firewalls integrate with corporate directories such as Active Directory, enabling you to apply firewall rules to some groups of employees but not others. For example, you can create a rule allowing sales and marketing staff to use certain social media applications, and offer a small subset of those to contractors or temporary staff, while board members can be granted unfettered Internet
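To make the contrast between port-based rules and the application- and identity-aware rules described above concrete, here is an added Python example written for this page; it is not code from the article or from any firewall vendor. It models the three policy decisions the text lists (Facebook but not Facebook applications, Skype voice but not file transfer, webmail downloads but not uploads) plus a group-based exception for marketing and the board, and evaluates the same flows under both rule models. The application classifier, the directory, the users, the groups and the flows are all constructed for illustration; a real next generation firewall identifies applications with deep packet inspection rather than by hostname and path.

```python
"""
Added example, not part of the original article: a toy policy engine that
contrasts a port-based rule set with application-aware and identity-aware
rules. Every application, user, group and flow below is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One outbound connection as the firewall sees it (constructed)."""
    user: str           # identity, as if resolved from a directory/logon source
    dst_port: int
    host: str           # TLS server name (SNI) or HTTP Host header
    path: str = "/"
    kind: str = "web"   # "web", "voip", "file-transfer" or "upload"


def classify(flow: Flow) -> str:
    """Toy application classifier standing in for DPI-based app identification."""
    host = flow.host.lower()
    if host == "facebook.com" or host.endswith(".facebook.com"):
        # Hypothetical split: the apps/games area counts as "Facebook applications"
        if host.startswith("apps.") or flow.path.startswith("/games/"):
            return "facebook-apps"
        return "facebook"
    if host.endswith("skype.com"):
        return "skype-file-transfer" if flow.kind == "file-transfer" else "skype-voip"
    if host == "mail.example.com":
        return "webmail-upload" if flow.kind == "upload" else "webmail"
    return "web-browsing"


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    apps: Optional[frozenset] = None     # None matches any application
    groups: Optional[frozenset] = None   # None matches any user group
    ports: Optional[frozenset] = None    # None matches any destination port


def evaluate(rules, flow: Flow, directory) -> str:
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    app = classify(flow)
    user_groups = directory.get(flow.user, frozenset())
    for rule in rules:
        if rule.ports is not None and flow.dst_port not in rule.ports:
            continue
        if rule.apps is not None and app not in rule.apps:
            continue
        if rule.groups is not None and not (rule.groups & user_groups):
            continue
        return rule.action
    return "deny"


# Constructed stand-in for a directory lookup (user -> group memberships).
DIRECTORY = {
    "alice": frozenset({"marketing"}),
    "bob": frozenset({"engineering"}),
    "carol": frozenset({"board"}),
    "dave": frozenset({"contractor"}),
}

# Traditional port-based policy: web and FTP ports open to everyone, rest closed.
PORT_RULES = [Rule("allow", ports=frozenset({80, 443, 21}))]

# Application- and identity-aware policy, most specific rules first.
APP_RULES = [
    Rule("allow", groups=frozenset({"board"})),                  # unfettered access
    Rule("deny", apps=frozenset({"facebook-apps"})),              # no Facebook apps
    Rule("allow", apps=frozenset({"facebook"}),
         groups=frozenset({"marketing", "sales"})),               # brand teams only
    Rule("deny", apps=frozenset({"facebook"})),
    Rule("allow", apps=frozenset({"skype-voip"})),                # voice allowed
    Rule("deny", apps=frozenset({"skype-file-transfer"})),        # file sharing not
    Rule("allow", apps=frozenset({"webmail"})),                   # read and download
    Rule("deny", apps=frozenset({"webmail-upload"})),             # no attachment uploads
    Rule("allow", apps=frozenset({"web-browsing"})),
]

# Constructed sample flows.
FLOWS = [
    Flow("alice", 443, "facebook.com"),
    Flow("alice", 443, "apps.facebook.com"),
    Flow("bob", 443, "facebook.com"),
    Flow("carol", 443, "apps.facebook.com"),
    Flow("bob", 443, "api.skype.com", kind="voip"),
    Flow("bob", 443, "api.skype.com", kind="file-transfer"),
    Flow("dave", 443, "mail.example.com", kind="upload"),
    Flow("bob", 8080, "intranet.example.com"),
]


def compare(flows=FLOWS):
    """Return (port-based decision, application-aware decision) per flow."""
    return [(evaluate(PORT_RULES, f, DIRECTORY), evaluate(APP_RULES, f, DIRECTORY))
            for f in flows]


if __name__ == "__main__":
    for flow, (port_dec, app_dec) in zip(FLOWS, compare()):
        print(f"{flow.user:6} {flow.host:22} {classify(flow):22} "
              f"port-based={port_dec:5} app-aware={app_dec}")
```

Running the block shows the point the article makes: the port-based policy returns "allow" for every flow on port 443, so it cannot distinguish Facebook from Facebook applications or Skype voice from Skype file transfer, while the application-aware policy makes each of those distinctions and additionally varies the answer by directory group. Rule order matters in the second policy (the board exception and the "facebook-apps" deny sit above the marketing allow), which is the same first-match discipline a real policy editor imposes.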
Additional security features

Although the basic function of a next generation firewall is to carry out firewalling duties (albeit using blocking decisions that take advantage of application awareness rather than simple port information), most are capable of far more than making intelligent block/allow decisions.

Vendors take advantage of the powerful processing capabilities of their products to offer additional security capabilities that can be selectively activated, making them similar in functionality to all-in-one security appliances, unified threat management devices or enterprise security gateways.

The most important difference is that in a next generation firewall all of these security functions are integrated into the firewall core. That means that security processing is carried out at high speed in a single pass as traffic flows through the

By contrast, unified threat management devices generally combine a number of security functions in one box, with software that integrates the management of these functions to a greater or lesser extent. But each of these security functions is performed separately and in series, leading to performance that is generally lower than a true next generation firewall.
Common additional security features that next generation firewalls offer include:

Intrusion prevention: Early next generation firewalls offered fairly rudimentary IPS capabilities, but more recent ones generally offer IPS on a par with standalone

Anti-malware scanning: This involves centralized scanning of all traffic entering the network. This should not be seen as an alternative to endpoint anti-virus software, however, since malware that passes undetected through the firewall may be spotted by endpoint software during a routine scan a few days later, once anti-virus signatures have been updated to detect that particular piece of malware.

SSL inspection: Encrypted traffic can be a blind spot for many organizations. Next generation firewalls solve this problem by issuing self-signed certificates to endpoints. They can then work as a man in the middle, intercepting SSL transactions, decrypting them, inspecting the traffic and then re-encrypting them and sending them on to their destination.
Buying criteria

Capacity (firewall throughput)

Probably the most important thing to establish when buying a next generation firewall is the amount of traffic you will expect it to handle. Vendors such as Checkpoint Technologies and WatchGuard Technologies offer low-end models with headline throughputs of less than 100Mbps for small business or branch office use, while vendors such as HP TippingPoint and Palo Alto Networks offer devices that can handle 10Gbps or more.

Some vendors allow you to unlock more capacity in an existing device rather than having to replace it when you run up against capacity constraints.
Buyer's tip: When looking at vendors' capacity figures, it's important to understand exactly what they mean. Often a figure of 1Gbps will be the maximum throughput of the firewall alone. Enabling additional features such as IPS or even malware scanning in a next generation firewall can make a significant difference to the throughput capability of the device. A next generation firewall that is rated as having a maximum 1Gbps throughput may only be able to handle 500Mbps or less when all the security services are enabled.

Next generation firewalls range from a few hundred dollars for entry-level devices right up to service provider models that cost hundreds of thousands of dollars. But pricing can be misleading because different vendors include different sets of functionality in their base prices.

Buyer's tip: Decide beforehand exactly what extra functionality (such as IPS or SSL decryption) you intend to use, and establish how much a given vendor's offering will cost with those features enabled rather than looking at the base price alone.
Extent of application awareness

All next generation firewall vendors offer application awareness, but it's important to establish which applications their devices are aware of, and how responsive vendors are to new applications or changes in existing ones.

Buyer's tip: Vendors often publish the number of applications their products are aware of, but these numbers should be treated with caution. Some treat variations of an application as different applications, and in general the numbers quoted can't be compared on a like-for-like basis.

Identity awareness

Almost all vendors offer integration with Active Directory to provide identity awareness, but if you don't use AD then clearly it's important to ensure that any device you are considering works with whatever directory system your organization does

IPv6 compatibility

Few organizations have made the switch to IPv6, but it's prudent to think about IPv6 compatibility in any device you are considering to ensure that it will continue to work with your network going forward.

Form factor

Vendors supply their firewalls as either a physical appliance, a virtual appliance or as software only, and many offer a choice between these three forms.

Buyer's tip: If you are considering a vendor that offers its product in one form, be sure to establish the cost implications of switching between one form and another at a future date, and ask how easy it is to move configuration information from one form to another.
Recommended questions to ask when talking to vendors:

What is the peak firewall traffic throughput capability when all security features are disabled?
What security features are offered?
What is the peak firewall traffic throughput capability with all the security features I require enabled?
What is the base cost of the device?
What is the cost of the device with my security requirements
What are the annual maintenance and update costs?
How much expertise is needed to configure the firewalling and security capabilities?
How is the device configured, and how easy is the interface to
Which applications is the firewall aware of, and is it possible to create awareness for custom applications?
How often is the application list updated?
How granular is the identity awareness control?
What kind of reporting is provided to help understand application usage and user behavior?
Can the device make use of external intelligence sources such as blacklists? If so, which ones?
How are updates for features like anti-malware scanning delivered, and how frequently? And who provides them; is security research carried out in-house?
Can capacity and security features be changed on demand, and what are the cost implications of doing this?
Which protocols does the VPN capability support, and how many VPN connections can the device handle concurrently?
Is the device IPv6 ready?
What security certifications does the device hold?
Leading next generation firewall

Barracuda Networks
Check Point Software Technologies http://www.checkpoint.
Cisco Systems
Fortinet
HP TippingPoint
Juniper Networks
Palo Alto Networks
WatchGuard Technologies