Next-gen firewalls require external visibility tools

Knowing what's happening on your network is a prerequisite to controlling the traffic. We call that visibility because it combines all of the information the firewall knows, including session and application information, traffic volumes, and rate information, into a way to "see" into your network -- to give you visibility.

In a traditional firewall, visibility is a nice-to-have, because security policy dictates what ports are allowed inbound and outbound and other tools, such as Netflow analyzers, can be used to dig into traffic. In next-generation firewalls, where the emphasis is on controlling application usage, visibility is a requirement.

Next-gen firewalls: Off to a good start

Applications may have many different names and categories, and compared to ports and IP addresses, we found tremendous variation and ambiguity. Without visibility into how the firewall classifies each application it identifies, you can't write the rules that make a next-generation firewall "next-generation."

We quickly found that if you want good reporting, you need to have an external device to do it. SonicWall and Fortinet both have internal reporting engines; both engines had problems during our testing, which was entirely expected by the on-site engineers.

Fortunately, all products have off-box reporting engines that are critical to offering next-generation visibility. Check Point customers are not off the hook here either, because the standard Check Point reporting system won't do -- you really must add on the optional SmartEvent to get the visibility required for next generation firewalls.

Fortinet FortiGate and Check Point Security Gateway (SmartEvent) gave us the best visibility into our traffic, with a combination of drill-downs and visual reporting including charts, lists, and "top-10" type lists. FortiGate's on-box dashboard was an especially slick visualization tool, which let us add "widgets" that included mini-reports that were constantly updated. FortiGate's dashboard wasn't just a visualization tool, because it included the ability to drill down to get additional information. Our only complaint about the dashboard is that the display tool crashed in our browser several times during testing.

The FortiGate reporting engine is based on an SQL database, and Fortinet isn't shy about exposing the internals of the database. All reports are configured within the firewall, and you can easily get to the raw SQL used to generate the results. If you're the type of network manager who wants a lot of very custom reports but doesn't want to extract the data and dump it into your own database, Fortinet's approach will be very attractive.
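To make the "custom reports from raw SQL" point concrete, here is an added worked example; it is not from the article and does not reproduce Fortinet's or any other vendor's schema. It builds a small SQLite-backed session store from constructed log records, runs a top-N applications report of the kind the reviewers describe, and then drills down from one application row to the individual sessions behind it. The table name, column names and all session rows are assumptions made for illustration.

```python
"""Added example: a minimal off-box reporting store for firewall session logs.

The schema (table `sessions` and its columns) and every record below are
constructed for illustration; they are not FortiGate's database layout.
"""
import sqlite3

# Constructed session log records (not real traffic):
# (timestamp, src_ip, dst_ip, dst_port, app_name, app_category, bytes_sent, bytes_recv)
SESSIONS = [
    ("2012-03-01 09:00:01", "10.0.0.11", "203.0.113.5", 443, "Dropbox",    "file-sharing",  5_120_000,   120_000),
    ("2012-03-01 09:00:09", "10.0.0.12", "203.0.113.9", 443, "Salesforce", "business",         40_000,   900_000),
    ("2012-03-01 09:01:30", "10.0.0.11", "198.51.100.7", 80, "YouTube",    "streaming",        20_000, 9_800_000),
    ("2012-03-01 09:02:00", "10.0.0.13", "198.51.100.7", 80, "YouTube",    "streaming",        15_000, 7_200_000),
    ("2012-03-01 09:02:45", "10.0.0.14", "203.0.113.5", 443, "Dropbox",    "file-sharing",  2_000_000,    80_000),
    ("2012-03-01 09:03:10", "10.0.0.12", "192.0.2.20",   22, "SSH",        "remote-access",   300_000,   400_000),
    ("2012-03-01 09:04:00", "10.0.0.15", "192.0.2.21",   53, "DNS",        "network",           4_000,     6_000),
]


def build_store() -> sqlite3.Connection:
    """Load the constructed session records into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE sessions (
               ts TEXT, src_ip TEXT, dst_ip TEXT, dst_port INTEGER,
               app_name TEXT, app_category TEXT,
               bytes_sent INTEGER, bytes_recv INTEGER)"""
    )
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?,?)", SESSIONS)
    conn.commit()
    return conn


# A "top-10 applications" report: one row per identified application,
# ranked by total bytes in both directions.
TOP_APPS_SQL = """
SELECT app_name,
       app_category,
       COUNT(*)                     AS session_count,
       SUM(bytes_sent + bytes_recv) AS total_bytes
FROM sessions
GROUP BY app_name, app_category
ORDER BY total_bytes DESC
LIMIT ?"""


def top_applications(conn: sqlite3.Connection, n: int = 10) -> list:
    """Return up to n (app_name, app_category, session_count, total_bytes) rows."""
    return conn.execute(TOP_APPS_SQL, (n,)).fetchall()


# Drill-down: the individual sessions that produced one report row.
DRILL_DOWN_SQL = """
SELECT ts, src_ip, dst_ip, dst_port, bytes_sent + bytes_recv AS total_bytes
FROM sessions
WHERE app_name = ?
ORDER BY total_bytes DESC"""


def drill_down(conn: sqlite3.Connection, app_name: str) -> list:
    """Return the sessions behind a single application, largest first."""
    return conn.execute(DRILL_DOWN_SQL, (app_name,)).fetchall()


if __name__ == "__main__":
    db = build_store()
    print("Top applications by bytes:")
    for app, category, count, total in top_applications(db, 10):
        print(f"  {app:<12} {category:<14} sessions={count:<3} bytes={total:,}")
    print("\nSessions behind the top entry:")
    for row in drill_down(db, top_applications(db, 1)[0][0]):
        print("  ", row)
```

The parameterised queries are the point: because the report is plain SQL over the session table, a custom view (per-category totals, per-source-host totals, a time window) is a one-line change to the query rather than an export-and-reimport exercise.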

SonicWall and Barracuda also have good visibility tools, but we found them weaker than what Fortinet and Check Point offered. SonicWall confuses the issue a bit by having four separate visibility tools, ranging from the on-box tools (only suitable in very small environments) to their enterprise-class management system, SonicWall GMS.

We looked at GMS, and were disappointed to see that there isn't feature parity between the on-box reporting and the high-end GMS. For example, in on-box reporting you can generally drill down to individual log entries, and then go directly to policy editing if you want. With GMS, you can drill down, but if you want to change policy, you'll have to go find the affected rule yourself before you can start editing it.

Visibility isn't just reporting and top-10 lists; you also might want to look at what is happening in the firewall right at this moment. Instantaneous reporting is a weakness of most firewalls, but we found a great reporting screen in the Barracuda NG firewall that let us see open connections flowing through the firewall in real time.

Overall, we think that the visibility tools we found offer a good start into what is needed for next generation firewalls. All of the products have slightly different approaches, but it was clear that an off-box reporting engine -- even if you only have a single firewall -- is a minimum requirement to effectively build next-generation firewall policies.

Fortinet's FortiGate FortiAnalyzer and Check Point Security Gateway SmartEvent led the pack, with Barracuda NG Firewall and SonicWall SonicOS falling slightly behind in our feature-focused comparison.


Copyright © 2012 IDG Communications, Inc.
