IT PROJECT CENTER www.esecurityplanet.com 2013 QuinStreet
Introduction

Firewalls stand at the entrance to corporate networks like security guards or doormen, referring to a set of rules to decide what traffic to allow in or out, and what traffic to keep from entering.

Traditional firewalls are limited to using port-based rules. That means they block inbound traffic heading to most ports, but they allow traffic to specific ports that are used by certain applications: port 80 for HTTP traffic and port 21 for FTP traffic, for example.

But an increasing number of organizations are finding that port-based firewalls are no longer up to the job of controlling unwanted traffic, and that's largely due to the rise of Web 2.0 applications. The problem is that many applications (ones that run on Facebook, for example) run over port 80 (HTTP) or port 443 (HTTPS). To block your employees from using Facebook applications with a port-based firewall, you'd have to block ports 80 and 443. That would block the whole Facebook site, which at least some of your employees might need for their day-to-day work. More to the point, blocking ports 80 and 443 would prevent everyone on your network from accessing any part of the Web.

Key next generation firewall features

Next generation firewalls provide far greater granular control over traffic coming in and out of your network. They provide standard firewall capabilities such as packet filtering, network address translation (NAT), stateful protocol inspection and VPN capabilities. Many also have the ability to communicate with external intelligence sources such as reputation systems to enhance blocking decisions. In addition, they offer a powerful and advanced feature: application awareness with full stack visibility.

Next-generation firewall buying guide

Before making a next generation firewall purchasing decision, it's worth considering and understanding the key features that these systems offer today.
Application awareness and control

These are perhaps the two most important features offered by next generation firewalls, and for most organizations the desire to control application usage is the main driver for purchasing one. With application awareness, a next generation firewall lets you see, perhaps for the first time, exactly which applications are being used on your network. This may include previously undetected, bandwidth-hungry applications such as streaming video and audio services, and even peer-to-peer file sharing applications whose use may be illegal.

More importantly, the next generation firewall also provides you with a means to control this application usage. By identifying the applications and enforcing network security policy at the application layer, independently of port and protocol, you can, for example:

- Allow Facebook but not Facebook applications such as Candy Crush Saga
- Allow Skype for voice-over-IP but not for file sharing
- Allow webmail attachment downloads but not attachment uploads
- Apply application blacklists or whitelists

Identity awareness

Without identity awareness, application control can be something of a blunt instrument: it can prevent the use of applications such as Facebook only by blocking everyone on the network from accessing them. The reality is that most organizations need more flexibility in their application control decisions. While there may be no legitimate reason why the majority of employees need to access social media applications, those applications may be used often by members of the marketing department for brand promotion and monitoring, for example. For that reason most next generation firewalls integrate with corporate directories such as Active Directory, enabling you to apply firewall rules to some groups of employees but not others.
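The difference between port-based rules and application- plus identity-aware rules, shown as an added example that is not from this guide or from any vendor's product: a toy rule evaluator in Python. The application identifiers (facebook-base, facebook-apps, skype-voip and so on), the directory groups, the user names and the sample flows are all constructed for illustration; a real firewall would obtain the application from traffic inspection and the groups from a directory lookup. The point it makes is that every sample flow on port 443 gets the same verdict from the port-based rule base, while the application/identity rule base can allow Facebook for marketing, block Facebook games for everyone but the board, and block Skype file transfer while leaving Skype voice alone.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection as a next generation firewall would see it.

    `app` is the application identified by inspecting the traffic itself
    (hypothetical identifier strings); `groups` are the directory groups the
    user belongs to, standing in for an Active Directory lookup."""
    user: str
    groups: FrozenSet[str]
    dst_port: int
    app: str


@dataclass(frozen=True)
class Rule:
    """A first-match rule. A criterion left as None matches anything."""
    action: str                              # "allow" or "deny"
    port: Optional[int] = None               # port-based criterion
    app: Optional[str] = None                # application-aware criterion
    groups: Optional[FrozenSet[str]] = None  # identity-aware criterion

    def matches(self, flow: Flow) -> bool:
        if self.port is not None and self.port != flow.dst_port:
            return False
        if self.app is not None and self.app != flow.app:
            return False
        if self.groups is not None and not (self.groups & flow.groups):
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins, as in a firewall rule base; default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Port-based rule base: the only handle it has on web traffic is the port number.
PORT_RULES = [
    Rule("allow", port=80),
    Rule("allow", port=443),
]

# Application- and identity-aware rule base (app and group names are constructed).
APP_RULES = [
    Rule("allow", groups=frozenset({"board"})),              # board members: unfettered
    Rule("deny", app="facebook-apps"),                       # Facebook games for everyone else
    Rule("allow", app="facebook-base", groups=frozenset({"marketing", "sales"})),
    Rule("deny", app="facebook-base"),
    Rule("allow", app="skype-voip"),
    Rule("deny", app="skype-file-transfer"),
    Rule("allow", app="webmail-download"),
    Rule("deny", app="webmail-upload"),
    Rule("allow", app="web-browsing"),
]

# Constructed sample flows; all but the last ride on port 443.
SAMPLE_FLOWS = [
    Flow("alice", frozenset({"marketing"}), 443, "facebook-base"),
    Flow("bob", frozenset({"engineering"}), 443, "facebook-base"),
    Flow("bob", frozenset({"engineering"}), 443, "facebook-apps"),
    Flow("carol", frozenset({"board"}), 443, "facebook-apps"),
    Flow("bob", frozenset({"engineering"}), 443, "skype-voip"),
    Flow("bob", frozenset({"engineering"}), 443, "skype-file-transfer"),
    Flow("bob", frozenset({"engineering"}), 443, "webmail-upload"),
    Flow("bob", frozenset({"engineering"}), 6881, "bittorrent"),
]


def compare(flow: Flow) -> Tuple[str, str]:
    """Return (port-based verdict, application/identity verdict) for one flow."""
    return evaluate(PORT_RULES, flow), evaluate(APP_RULES, flow)


def port_rules_cannot_distinguish(flows: List[Flow], port: int) -> bool:
    """True if the port-based rule base gives every flow on `port` the same verdict."""
    verdicts = {evaluate(PORT_RULES, f) for f in flows if f.dst_port == port}
    return len(verdicts) == 1


if __name__ == "__main__":
    print(f"{'user':6} {'port':5} {'application':20} {'port-based':11} app+identity")
    for f in SAMPLE_FLOWS:
        p, a = compare(f)
        print(f"{f.user:6} {f.dst_port:<5} {f.app:20} {p:11} {a}")
```

Rule order matters in the second rule base, exactly as it does in a real firewall: the board-member allow sits first so it wins over the later denies, and the per-group Facebook allow precedes the catch-all Facebook deny. Running the script prints one line per sample flow with both verdicts side by side.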
With directory integration in place you can, for example, create a rule allowing sales and marketing staff to use certain social media applications, offer a small subset of those to contractors or temporary staff, and grant board members unfettered Internet access.

Additional security features

Although the basic function of a next generation firewall is to carry out firewalling duties (albeit using blocking decisions that take advantage of application awareness rather than simple port information), most are capable of far more than making intelligent block/allow decisions. Vendors take advantage of the powerful processing capabilities of their products to offer additional security capabilities that can be selectively activated, making them similar in functionality to all-in-one security appliances, unified threat management devices or enterprise security gateways.

The most important difference is that in a next generation firewall all of these security functions are integrated into the firewall core. That means that security processing is carried out at high speed in a single pass as traffic flows through the firewall. By contrast, unified threat management devices generally combine a number of security functions in one box, with software that integrates the management of these functions to a greater or lesser extent. But each of these security functions is performed separately and in series, leading to performance that is generally lower than that of a true next generation firewall.

Common additional security features that next generation firewalls offer include:

- Intrusion prevention: Early next generation firewalls offered fairly rudimentary IPS capabilities, but more recent ones generally offer IPS on a par with standalone solutions.
- Anti-malware scanning: This involves centralized scanning of all traffic entering the network. This should not be seen as an alternative to endpoint anti-virus software, however, since malware that passes undetected through the firewall may be spotted by endpoint software during a routine scan a few days later, once anti-virus signatures have been updated to detect that particular piece of malware.
- SSL inspection: Encrypted traffic can be a blind spot for many organizations. Next generation firewalls solve this problem by issuing self-signed certificates to endpoints. They can then work as a man in the middle, intercepting SSL transactions, decrypting them, inspecting the traffic, and then re-encrypting them and sending them on to their destination.

Buying criteria

Capacity (firewall throughput)

Probably the most important thing to establish when buying a next generation firewall is the amount of traffic you will expect it to handle. Vendors such as Check Point Software Technologies and WatchGuard Technologies offer low-end models with headline throughputs of less than 100Mbps for small business or branch office use, while vendors such as HP TippingPoint and Palo Alto Networks offer devices that can handle 10Gbps or more. Some vendors allow you to unlock more capacity in an existing device rather than having to replace it when you run up against capacity constraints.

Buyer's tip: When looking at vendors' capacity figures, it's important to understand exactly what they mean. Often a figure of 1Gbps will be the maximum throughput of the firewall alone. Enabling additional features such as IPS or even malware scanning in a next generation firewall can make a significant difference to the throughput capability of the device.
A next generation firewall that is rated as having a maximum 1Gbps throughput may only be able to handle 500Mbps or less when all the security services are enabled.

Cost

Next generation firewalls range from a few hundred dollars for entry-level devices right up to service provider models that cost hundreds of thousands of dollars. But pricing can be misleading, because different vendors include different sets of functionality in their base prices.

Buyer's tip: Decide beforehand exactly what extra functionality (such as IPS or SSL decryption) you intend to use, and establish how much a given vendor's offering will cost with those features enabled, rather than looking at the base price alone.

Extent of application awareness

All next generation firewall vendors offer application awareness, but it's important to establish which applications their devices are aware of, and how responsive vendors are to new applications or changes in existing ones.

Buyer's tip: Vendors often publish the number of applications their products are aware of, but these numbers should be treated with caution. Some treat variations of an application as different applications, and in general the numbers quoted can't be compared on a like-for-like basis.

Identity awareness

Almost all vendors offer integration with Active Directory to provide identity awareness, but if you don't use AD then clearly it's important to ensure that any device you are considering works with whatever directory system your organization does use.

IPv6 compatibility

Few organizations have made the switch to IPv6, but it's prudent to think about IPv6 compatibility in any device you are considering, to ensure that it will continue to work with your network going forward.

Form factor

Vendors supply their firewalls as either a physical appliance, a virtual appliance or software only, and many offer a choice between these three forms.
Buyer's tip: If you are considering a vendor that offers its product in one form, be sure to establish the cost implications of switching between one form and another at a future date, and ask how easy it is to move configuration information from one form to another.

Recommended questions to ask when talking to vendors:

- What is the peak firewall traffic throughput capability when all security features are disabled?
- What security features are offered?
- What is the peak firewall traffic throughput capability with all the security features I require enabled?
- What is the base cost of the device?
- What is the cost of the device with my security requirements enabled?
- What are the annual maintenance and update costs?
- How much expertise is needed to configure the firewalling and security capabilities?
- How is the device configured, and how easy is the interface to use?
- Which applications is the firewall aware of, and is it possible to create awareness for custom applications?
- How often is the application list updated?
- How granular is the identity awareness control?
- What kind of reporting is provided to help understand application usage and user behavior?
- Can the device make use of external intelligence sources such as blacklists? If so, which ones?
- How are updates for features like anti-malware scanning delivered, and how frequently? And who provides them; is security research carried out in-house?
- Can capacity and security features be changed on demand, and what are the cost implications of doing this?
- Which protocols does the VPN capability support, and how many VPN connections can the device handle concurrently?
- Is the device IPv6 ready?
- What security certifications does the device hold?

Leading next generation firewall vendors:

- Barracuda Networks http://www.barracuda.com
- Check Point Software Technologies http://www.checkpoint.com
- Cisco Systems http://www.cisco.com
- Fortinet http://www.fortinet.com
- HP TippingPoint http://www.hp.com/go/ngfw
- Palo Alto Networks http://www.paloaltonetworks.com
- Juniper Networks http://www.juniper.net
- Sophos http://www.sophos.com
- WatchGuard Technologies http://www.watchguard.com