Next-generation firewalls, meet this generation's network and threat environment.
Traditional stateful inspection firewalls, with their port- and protocol-based controls, have limited visibility into the contemporary Web-based network landscape. Thanks to the explosive popularity of Web 2.0, thousands of Web-based business and consumer apps now run over HTTP and HTTPS, and attacks are launched primarily through the application layer. A stateful inspection firewall cannot distinguish which applications are passing as HTTP and HTTPS over ports 80 and 443. Attackers have also become adept at using low-and-slow techniques in targeted attacks that evade intrusion-prevention systems (IPS).
What next-gen firewalls do
True next-gen firewalls perform deep packet inspection to identify application traffic at Layer 7, in a single inspection pass that integrates firewall, intrusion prevention and additional security capabilities on one high-performance appliance. Application intelligence, combined with user identity information, provides the context for highly granular access rules and for detection of contemporary Web-based attacks. Enterprises can enforce security and acceptable-use policies in ways that make sense for the business, instead of black-and-white policies such as "No one can use Facebook" or "We have to let everyone use Facebook."
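To make the difference concrete, here is an added illustration (not code from the article or from any vendor's product): a toy Python policy engine that classifies a handful of constructed flows first the way a port-based firewall would and then by application and user group, identifying the application from the HTTP Host header or the TLS Server Name Indication in the ClientHello. The application names, user groups, hostnames and rule table are all constructed for the example; real products identify applications with far richer signatures than a hostname lookup.

```python
"""Toy port-based vs. app/user-aware policy evaluation (illustrative only)."""
import struct


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension (sample input)."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                              # client version + random
            + b"\x00"                                               # session id length 0
            + b"\x00\x02\xc0\x2f"                                   # one cipher suite
            + b"\x01\x00"                                           # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(payload: bytes):
    """Return the SNI host name from a ClientHello, or None if the payload is not one."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 43                                    # past record header, handshake header, version, random
    pos += 1 + payload[pos]                     # session id
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher suites
    pos += 1 + payload[pos]                     # compression methods
    if pos + 2 > len(payload):
        return None
    end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if etype == 0:                          # server_name: list length (2), name type (1), name length (2)
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            return payload[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None


def http_host(payload: bytes):
    """Return the Host header of a plaintext HTTP request, or None if the payload is not one."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if not lines[0].startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return None
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode()
    return None


# Constructed hostname-to-application mapping; stands in for a real signature database.
APP_SIGNATURES = {"www.facebook.com": "facebook", "facebook.com": "facebook",
                  "api.github.com": "github", "github.com": "github"}


def identify_app(flow) -> str:
    host = http_host(flow["payload"]) or tls_sni(flow["payload"])
    if host is None:
        return "unknown-tcp"                    # bytes on 80/443 that are neither HTTP nor TLS
    return APP_SIGNATURES.get(host, "web-browsing")


# The traditional stateful firewall's view: port only.
PORT_RULES = [{"dport": 80, "action": "allow"}, {"dport": 443, "action": "allow"}]

# Constructed app/user-aware policy, evaluated top-down, first match wins.
APP_RULES = [
    {"app": "facebook",     "groups": {"marketing"},   "action": "allow"},
    {"app": "facebook",     "groups": None,            "action": "deny"},
    {"app": "github",       "groups": {"engineering"}, "action": "allow"},
    {"app": "web-browsing", "groups": None,            "action": "allow"},
    {"app": "unknown-tcp",  "groups": None,            "action": "deny"},
]


def port_policy(flow) -> str:
    return next((r["action"] for r in PORT_RULES if r["dport"] == flow["dport"]), "deny")


def app_policy(flow, app: str) -> str:
    for r in APP_RULES:
        if r["app"] == app and (r["groups"] is None or flow["group"] in r["groups"]):
            return r["action"]
    return "deny"


FLOWS = [  # constructed sample traffic; user and group would come from an identity source
    {"user": "alice", "group": "marketing",   "dport": 443, "payload": build_client_hello("www.facebook.com")},
    {"user": "bob",   "group": "engineering", "dport": 443, "payload": build_client_hello("www.facebook.com")},
    {"user": "bob",   "group": "engineering", "dport": 80,  "payload": b"GET /repos HTTP/1.1\r\nHost: api.github.com\r\n\r\n"},
    {"user": "carol", "group": "finance",     "dport": 443, "payload": b"\x00\x01\x02beacon"},
]


def evaluate(flows=FLOWS):
    """Return [(user, identified app, port-based verdict, app-aware verdict)] per flow."""
    results = []
    for flow in flows:
        app = identify_app(flow)
        results.append((flow["user"], app, port_policy(flow), app_policy(flow, app)))
    return results


if __name__ == "__main__":
    for row in evaluate():
        print("%-6s %-13s port-based=%-6s app-aware=%s" % row)
```

Running it shows the gap the article describes: all four flows are "allow" to the port-based policy because they land on 80 or 443, whereas the app-aware policy lets marketing use Facebook, blocks it for engineering, and denies the non-TLS bytes on port 443 as unknown-tcp. The toy classifier trusts the Host header and SNI as the client sent them; a product doing this for real must also handle traffic that omits or lies about them.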
This is a fast-growing market, created when Palo Alto Networks appeared on the scene in 2007 with the capabilities and feature sets that characterize what are now known as next-gen firewalls. Most other firewall and unified threat management vendors have introduced, or are at least developing, network security products that provide fine-grained application and user controls in integrated, high-performance appliances.
"IPS should have been combined with firewall much sooner," says Greg Young, a Gartner research VP. "IPS ballooned up beyond $1 billion and took on a life of its own; no one was integrating. Palo Alto [Networks' next-generation firewalls] changed the game, and incumbent firewall vendors have been forced to react to meet that threat."
Next-gen firewall adoption was between 5 percent and 10 percent of total firewall appliances in 2010, according to a joint report by Infiniti Research and TechNavio Insights, and is expected to gain significant market share over the next few years. Gartner has predicted that next-gen firewalls will comprise 35 percent of the installed firewall base by the end of 2014 and will account for 60 percent of all firewall purchases.
In some cases, enterprises are deploying next-gen firewalls in front of their existing network firewalls and IPS to get the benefits of app-layer and user-ID filtering without a wholesale rip-and-replace. In other cases, they put them behind their firewalls and IPS to see what is getting through.
"They look at it as an adjunct," says Lisa Phifer, president of consultancy Core Competence. "They either want to apply extra granularity or use next-gen to act as a sanity check if something goes through that wasn't expected."