Next-generation firewalls, meet this generation's network and threat environment

Make sure it's easy to manage. Next-gen firewalls are a different experience from managing traditional firewalls and standalone IPS, so it is critical that the management interface make the transition as seamless as possible. On one hand, the ability to define very specific, context-based rules for applications and users introduces a new level of complexity. On the other hand, the rules can be more sharply defined, so it's easier to get exactly what you intend without ambiguity or layers of rules.
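To make the contrast concrete, here is an added example (not from the article, and not any vendor's policy language) that simulates first-match policy evaluation for a port-based rule set and for a context-based one. The Flow, Rule and group names are hypothetical, and it assumes the application label has already been assigned by the firewall's inspection engine; the point it shows is that a port-only rule cannot distinguish applications sharing a port, so intent has to be expressed through layered rules that can end up shadowed and dead, whereas an application- and user-aware rule states the intent directly.

```python
"""Toy policy evaluator contrasting port-based and context-based firewall rules.
Added illustration only; the rule fields and sample data are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_user: str
    dst_port: int
    app: str  # application identified by inspection, e.g. "web-browsing" (assumed input)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    dst_port: Optional[int] = None    # None means "any"
    app: Optional[str] = None
    user_group: Optional[str] = None

FIELDS = ("dst_port", "app", "user_group")

def matches(rule: Rule, flow: Flow, groups: dict) -> bool:
    """A rule matches when every field it constrains agrees with the flow."""
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    if rule.app is not None and rule.app != flow.app:
        return False
    if rule.user_group is not None and rule.user_group not in groups.get(flow.src_user, set()):
        return False
    return True

def evaluate(rules: list, flow: Flow, groups: dict) -> tuple:
    """First-match evaluation with an implicit default deny; returns (action, rule name)."""
    for rule in rules:
        if matches(rule, flow, groups):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def shadowed(rules: list) -> list:
    """Names of rules that can never fire because an earlier rule is at least as general
    in every field. This is the 'layers of rules' ambiguity the text refers to."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(getattr(earlier, f) is None or getattr(earlier, f) == getattr(later, f)
                   for f in FIELDS):
                dead.append(later.name)
                break
    return dead

# Constructed sample data: user-to-group mapping and two rule sets with the same intent,
# "marketing may use Facebook chat, nobody else may, ordinary web browsing is fine".
GROUPS = {"alice": {"marketing"}, "bob": {"engineering"}}

LEGACY_RULES = [  # port-based only: the firewall cannot see the application
    Rule("allow-https", "allow", dst_port=443),
    Rule("deny-https-for-engineering", "deny", dst_port=443, user_group="engineering"),
]

NGFW_RULES = [  # context-based: application and user group are first-class match fields
    Rule("marketing-facebook", "allow", app="facebook-chat", user_group="marketing"),
    Rule("block-facebook-chat", "deny", app="facebook-chat"),
    Rule("allow-web-browsing", "allow", dst_port=443, app="web-browsing"),
]

SAMPLE_FLOWS = [
    Flow("alice", 443, "facebook-chat"),
    Flow("bob", 443, "facebook-chat"),
    Flow("bob", 443, "web-browsing"),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "legacy:", evaluate(LEGACY_RULES, flow, GROUPS),
              "ngfw:", evaluate(NGFW_RULES, flow, GROUPS))
    print("shadowed legacy rules:", shadowed(LEGACY_RULES))
    print("shadowed ngfw rules:", shadowed(NGFW_RULES))
```

Running it shows bob's Facebook chat over 443 being allowed by the port-based set (the later deny rule is reported as shadowed by the earlier port-443 allow), while the context-based set denies it and allows alice's, with no dead rules.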

"You can use that granularity and power, but in a way that becomes more manageable," says Phifer. "But it will still be harder than before; it's part of the pain of gaining that extra level of control."

It's important that the management interface and rule creation be as intuitive as possible and reflect the integration of the components' capabilities.

"The ability to centrally manage and distribute policy was a criterion," says Rahbany. "The firewall rule set is very intuitive and familiar. There was some discrepancy between centralized management tools and the UI at the firewalls themselves."

Caveat emptor: How to avoid "gotchas"

Don't assume anything based on vendor claims. Not every product that's called "next-gen firewall" lives up to that description, and product capabilities vary widely. Take a hard look at:

Throughput. What happens when all the security services are enabled? How does the appliance perform under a real-world rule set tailored to your environment?

Detection. Test to determine if the vendor has made trade-offs between performance and detection. IPS has historically been marked by compromises in this area to keep up with high-speed networks.

Integration. Determine whether the components are truly integrated or just colocated. Integrated appliances will perform a single inspection pass on the firewall for all components.

Standard hardware. This is a show-stopper. Next-gen firewalls require the muscle of purpose-built hardware. "Beware of people who are overly reliant on general-purpose equipment to deliver all this extra inspection and try to defy the laws of physics," warns Young.

Applications. Vendors are likely to have a tough time keeping up with every new application and how enterprises will use them. "Despite the fact that vendors all have long lists of applications that they advertise, this is probably where customers might be most disappointed," says Phifer, because it seems like every day some app is being added to Facebook or there is a new capability being added to Twitter. Vendors will constantly be playing catch-up with what everyone is experiencing live.

