Next-generation firewalls: In depth
Next-generation firewalls may control applications and cost, if you skip the hype and focus on the practicals
By Neil Roiter
October 17, 2011 — CSO —
Next-generation firewalls, meet this generation's network and threat environment.
Traditional stateful inspection firewalls, with their port- and protocol-based controls, have limited visibility into the contemporary Web-based network landscape. With the explosive popularity of Web 2.0, thousands of Web-based business and consumer apps now cross the network, and attacks are launched primarily through the application layer. Stateful inspection firewalls cannot distinguish which applications are passing via HTTP and HTTPS over ports 80 and 443. Attackers have become adept at using low-and-slow techniques in targeted attacks that evade intrusion-prevention systems (IPS).
In this in-depth report:
- What Next-Gen Firewalls Do (this page)
- Driving the Market: Consolidation and Cost Come First (p.2)
- Evaluating Next-Gen Tools: What to Look For (p.3)
- Caveat Emptor: How to Avoid "Gotchas" (p.4)
What Next-Gen Firewalls Do
True next-gen firewalls use deep packet inspection to identify application traffic at Layer 7, integrating firewall, intrusion prevention and additional security capabilities into a single inspection pass on one high-performance appliance. Application intelligence, combined with user identity information, provides context for highly granular firewall access rules that allow for detection of contemporary Web-based attacks. Enterprises can enforce security and acceptable-use policies in ways that make sense for the business, in contrast to black-and-white policies like "No one can use Facebook" or "We have to let everyone use Facebook."
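The contrast drawn above (a port-based rule that cannot tell applications apart on port 443 versus a rule keyed on the identified application and the user behind the flow) is easier to see in code. The following toy policy engine is an added example, not code from the article or from any vendor's product: it pulls the application out of a flow by reading the HTTP Host header or the TLS ClientHello SNI, maps it to an application name, looks up the user's group, and evaluates a first-match rule list. The directory, hostname signatures, rules and sample traffic are all constructed for illustration.

```python
"""Toy next-gen vs. legacy firewall decision (added example; all data constructed)."""
import os
import re
import struct

# Constructed user-to-group directory (stands in for an AD/LDAP lookup).
USER_GROUPS = {"alice": "marketing", "bob": "engineering"}

# Constructed hostname-suffix -> application signatures.
APP_SIGNATURES = {"facebook.com": "facebook", "fbcdn.net": "facebook",
                  "salesforce.com": "salesforce"}

# Constructed next-gen policy: (group or "*", app or "*", action); first match wins.
NEXT_GEN_RULES = [
    ("marketing", "facebook", "allow"),
    ("*", "facebook", "deny"),
    ("*", "salesforce", "allow"),
    ("*", "*", "deny"),
]


def legacy_decision(dst_port):
    """Port/protocol rule of a traditional stateful firewall: web ports are open."""
    return "allow" if dst_port in (80, 443) else "deny"


def parse_http_host(payload):
    """Return the Host header of a plaintext HTTP request, or None."""
    if not re.match(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) ", payload):
        return None
    m = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)", payload, re.IGNORECASE)
    return m.group(1).decode("ascii", "replace").strip().lower() if m else None


def parse_tls_sni(payload):
    """Return the server_name from a TLS ClientHello, or None.
    Walks record -> handshake -> extensions; any short/malformed field yields None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:   # TLS handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                             # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                            # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher suites
        p += 1 + payload[p]                            # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if ext_type == 0:                          # server_name extension
                q = p + 2                              # skip server_name_list length
                name_type = payload[q]
                name_len = struct.unpack("!H", payload[q + 1:q + 3])[0]
                if name_type == 0:                     # host_name
                    return payload[q + 3:q + 3 + name_len].decode("ascii").lower()
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def identify_app(payload):
    """Layer-7 identification: hostname from HTTP or TLS, matched against signatures."""
    host = parse_http_host(payload) or parse_tls_sni(payload)
    if host is None:
        return "unknown"
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return "unknown"


def next_gen_decision(user, payload):
    """Rule lookup on (user group, application); unknown users/apps fall to the default deny."""
    group = USER_GROUPS.get(user, "unknown")
    app = identify_app(payload)
    for rule_group, rule_app, action in NEXT_GEN_RULES:
        if rule_group in ("*", group) and rule_app in ("*", app):
            return action
    return "deny"


def build_client_hello(hostname):
    """Minimal TLS ClientHello carrying only an SNI extension (constructed sample traffic)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"     # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # one (null) compression method
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample flows: the same HTTPS port carries two different applications.
FACEBOOK_TLS = build_client_hello("www.facebook.com")
SALESFORCE_HTTP = b"GET /login HTTP/1.1\r\nHost: login.salesforce.com\r\n\r\n"

if __name__ == "__main__":
    for user, port, payload in [("alice", 443, FACEBOOK_TLS),
                                ("bob", 443, FACEBOOK_TLS),
                                ("bob", 80, SALESFORCE_HTTP)]:
        print(user, port, identify_app(payload), "legacy:", legacy_decision(port),
              "next-gen:", next_gen_decision(user, payload))
```

Both Facebook flows are indistinguishable to `legacy_decision`, which sees only port 443; `next_gen_decision` allows the marketing user and denies the engineer because it keys on the identified application and the user's group. A real appliance would also have to handle encrypted SNI, non-standard ports and evasive protocols, which is why the inspection engine, not the rule syntax, is the part worth evaluating.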
This is a fast-growing market, created when Palo Alto Networks appeared on the scene in 2007 with the capabilities and feature sets that characterize what are now known as next-gen firewalls. Most other firewall and unified threat management vendors have introduced, or are at least developing, network security products that provide fine-grained application and user controls in integrated, high-performance appliances.
"IPS should have been combined with firewall much sooner," says Greg Young, a Gartner research VP. "IPS ballooned up beyond $1 billion and took on a life of its own; no one was integrating. Palo Alto [Networks' next-generation firewalls] changed the game, and incumbent firewall vendors have been forced to react to meet that threat."
Next-gen firewall adoption was between 5 percent and 10 percent of total firewall appliances in 2010, according to a joint report by Infiniti Research and TechNavio Insights, and is expected to gain significant market share over the next few years. Gartner has predicted that next-gen firewalls will comprise 35 percent of the installed firewall base by the end of 2014 and will account for 60 percent of all firewall purchases.
In some cases, enterprises are deploying next-gen firewalls in front of their existing network firewalls and IPS to get the benefits of app-layer and user-ID filtering without a wholesale rip-and-replace. In other cases, they put them behind their firewalls and IPS to see what is getting through.
"They look at it as an adjunct," says Lisa Phifer, president of consultancy Core Competence. "They either want to apply extra granularity or use next-gen to act as a sanity check if something goes through that wasn't expected."
But that's now the exception, says Young. Today, 95 percent of next-gen purchases are firewall replacements, as the newer technology has proven its value and the vendor selection has widened.