For example, Moy says, the firewall can tell the IPS module that the application being used is Skype, and the IPS can focus on detecting known Skype attacks rather than applying all of its thousands of signatures to every packet.
"The flip side to enablement is whether I can limit the number of applications that can penetrate the network, thereby controlling avenues of attack," says Chris King, Palo Alto Networks director of product marketing.
This integrated approach makes it easier to track the source of a potential security event than with separate appliances, and effectively reduces the false positives and false negatives associated with IPS.
"We've mitigated risk in providing access to those applications and gained better insight into who's using what and how," says Rahbany. "We have management oversight that we lacked. We're in a better position to anticipate threats and manage bandwidth and applications."
Evaluating next-gen tools: What to look for
Next-gen firewalls are complex products, and vendors claim an impressive array of capabilities. Determining how well an appliance meets your needs requires understanding your enterprise's requirements, and a lot of research and testing.
Look under the hood. All vendors will claim to have a special sauce for doing that voodoo that they say they do so well, but next-gen requires sophisticated software and hardware engineering that didn't exist until a few years ago. Hold the vendor's feet to the fire to get them to explain their software and hardware architecture and how it accomplishes the required processing, inspection, correlation and analysis. Consult third-party reviews and analysis as well.
Questions to ask include:
Is there actually only one inspection pass being leveraged by the various engines in the box?
Is inspection taking place on the firewall, where it can effectively pre-filter traffic and provide context for IPS and other integrated tools?
Are the firewall and IPS truly integrated, or simply packed in the same box?
Does the product run on standard hardware or as a dedicated appliance? The general trend in IT has been toward use of standard hardware, but next-gen requires purpose-built appliances that can meet its demands in an enterprise environment.
Have they built truly new products or just adapted existing firewall and IPS technology? Most vendors, with the exception of Palo Alto, have existing firewall and IPS engines, and are now trying to integrate application control and other features with the tools they already have, says Young. "They're not completely integrated, so they have this hair-pinning of traffic between modules," he says. "This is highly inefficient."
Check its performance. All this capability comes at a price. Unlike traditional network firewalls, a next-gen appliance (like a standalone IPS) is a "bump in the wire" that can clog the flow of production traffic. Connections per second -- throughput with all the security features turned on -- must be carefully evaluated and tested in as close to a real-world production environment as possible.