What a difference a few years makes. In the world of hardware firewall appliances, things have changed drastically. "There's been a fundamental shift in what firewalls are expected to do," said Dmitriy Ayrapetov, Product Manager at SonicWALL. "Firewalls used to only focus on building a perimeter around the network by blocking ports. Now most threats come through legitimate access points, like [HTTP] port 80, by mixing malware in with legitimate web traffic."
Fred Kost, the head of product marketing at Check Point Software, agrees with Ayrapetov. "The days of firewalls just enforcing ports and access rules are long gone," Kost said. "Today's firewalls have taken on much greater functionality in order to remain effective, and have started to incorporate features from other security devices and introduce new ones."
Gartner classifies this new generation of firewalls as Next Generation Firewalls (NGFW). So, what are the new features that IT pros should be mindful of when shopping for an NGFW? Although there isn't a standard set of NGFW criteria that Gartner and firewall vendors have adopted, there are some commonly accepted features that NGFWs generally should include. I’ll discuss a few of these features. You’ll find others listed in the Buyer's Guide table.
Integrated Intrusion Prevention System
Traditionally, intrusion prevention systems (IPSs) have been separate devices from the firewall, but recent trends have seen more firewalls integrating IPS capabilities. This integration reduces the cost and complexity of managing two separate devices. It also makes the firewall more effective because the IPS helps the firewall determine what traffic should be allowed. In an example provided by Gartner analysts Greg Pescatore and John Young, good integration between an IPS and a firewall would allow for such capabilities as "providing a suggested firewall rule to block an address that is continually loading the IPS with bad traffic."
Another key NGFW feature is the ability to use an individual user's identity to set more granular security rules. "The ability to leverage identity has big security benefits," said Koast. "You can tie access to a user rather than the devices he uses by leveraging existing identity services like Active Directory." Enhanced capabilities here allow administrators to set specific rules for specific groups of people, such as blocking everyone but the marketing department from posting on Facebook.
Building on the ability to restrict or allow access based on group membership, another NGFW feature gives you the ability to target specific applications with more precise control. For example, you might want to allow people to use Facebook for posting images and communicating with customers, but not for instant messaging friends or playing Facebook games on company time. Many NGFWs let you create policies that allow employees to access an application but prevent them from using specific application features that violate HR policy.
Klaus Gheri, the vice president of European product management for Barracuda Networks, suggests that IT professionals look beyond the NGFW feature set and make sure that the firewall they're selecting is right for their own use case. Gheri had the following additional suggestions for prospective firewall purchasers:
- Have the right feature set. Gheri stresses that IT pros should make sure the firewall they choose fits the unique needs and requirements of their specific IT environment. "If you have a small business with very limited external traffic, you may not need huge throughput numbers. Or you may need integrated antivirus and anti-malware. Just be sure to get the features you need."
- Don't under- or over-size your firewall. A firewall can be a big investment, and picking the right size, form factor, and throughput performance are important points to consider. Features such as deep packet inspection, packet visualization, and other capabilities can slow traffic through your firewall, and result in unhappy users.
- Consider manageability and usability. "You also need to look at how easy the firewall is to install, manage, and maintain," Gheri said. "Some of these factors are soft costs that can really make a difference. How hard is it to upgrade or replace the firewall if something goes wrong? How good and how usable are the diagnostic tools and technical support options?"
- Look for additional value. Finally, Gheri suggests that firewall shoppers look for additional value beyond rigid feature sets. Companies with more rigorous auditing and compliance demands might need to look for products that focus more on those aspects, while smaller companies might favor ease of use and manageability over other features.
Regardless of which firewall you choose, you would be wise to consider the words of Windows IT Pro author Tony Howlett, who is also CTO of the security consulting firm Network Security Services. I interviewed Tony in 2008, and the comments he made then are still relevant: "You should treat [your firewall appliance] like any other OS, perhaps even more so because it guards the entrance to your network. Be sure to regularly review [installed firewall appliances] for required updates and maintenance."