Next-generation firewalls have come a long way since their days as cutting-edge technology. Driven by the need for application-aware security and deep packet protection, organizations have increasingly made next generation-firewalls a common part of the weaponry protecting enterprise networks.
Yet despite this, there remain some misconceptions about next-gen firewalls that could complicate life for customers, security experts say. To make the water less murky, Network Computing turned to some security pros to clear up some of the common misunderstandings surrounding next-generation firewall (NGFW) technology.
1. All NGFWs Are Not Created Equal
"Don't assume that one next-generation firewall is the same as another next-generation firewall," says Brian Monkman, perimeter security programs manager at ICSA Labs. "There is general agreement that next-generation firewalls should be able to run as a bump-in-the-wire, have application awareness, have all of the basic firewall functionality and tightly integrated network IPS capabilities. However, opinions diverge from that point."
Companies need to focus on their enterprise requirements and what functionality they need when shopping for a NGFW, advises Javvad Malik, senior analyst for the enterprise security practice at 451 Research.
"One of the key traits of next-gen firewalls is the identification and control of traffic at the application layer," he says. "However, other features have come to be identified with the popular available product offerings--for example, some form of light network DLP or Web content filtering."
Enterprises should also look for a robust Layer 7 application matching mechanism, advises John Stauffacher, senior consultant at Accuvant.
"Each vendor does it differently, and each vendor supports a different subset of applications/protocols," he says. "Find the one that has support for the applications you use--and can do so with speed and accuracy."
2. Weigh Performance Claims Carefully
"The adage 'your mileage may vary' applies here," said Monkman. "We have seen the performance characteristics on some next-generation firewalls drop down to as low as 50% of the stated capability just by changing the traffic mix the product handles or turning up some of the application inspection functionality. Nothing beats subjecting the product you are looking at to the mix of traffic on your network and the security profile to meet your needs."
[For an introduction to NGFWs, read "Next-Generation Firewalls 101" ]
3. Don't Assume An NGFWs Is a UTM Replacement
"I see next-generation firewalls and unified threat management systems as being very different answers to the security problem," says Monkman. "Think of [a NGFW] as a combination of a network IPS and a network firewall with the addition of application awareness. Whereas a UTM is the Swiss army knife equivalent to the stateful inspection firewall--that is, basic firewall capabilities with additional security functionality added. I see both UTMs and NGFWs continuing to be popular and playing important roles together in securing the enterprise."
4. Onboard SSL Decryption May Not Be What You Expect
Onboard SSL decryption is a myth at high speed and useless unless you have multiple NGFWs clustered, says NSS Labs Research VP John Pirc. In a report released in February, NSS Labs revealed that when SSL decryption is enabled on many of the most popular next-generation firewalls--including products from Palo Alto Networks, Cisco Systems and Juniper Networks--there is a significant performance hit.
Has your company deployed a next-generation firewall? What's been your experience with the technology? Are there any other misconceptions IT teams should know about before shopping for a NGFW? Share your thoughts in the comments section below.