Next-generation firewalls, meet this generation's network and threat environment.
Traditional stateful inspection firewalls, with their port- and
protocol-based controls, have limited visibility into the
contemporary Web-based network landscape. Thanks to the explosive
popularity of Web 2.0, thousands of Web-based business and
consumer applications share the same channels, and attacks are
launched primarily through the application layer. Stateful
inspection firewalls cannot distinguish which applications are
passing over HTTP and HTTPS on ports 80 and 443. Attackers have
become adept at using low-and-slow techniques in targeted attacks
that evade intrusion-prevention systems (IPS).
What Next-Gen Firewalls Do
True next-gen firewalls use deep packet inspection to identify
application traffic at Layer 7, in a single inspection pass that
integrates firewall, intrusion-prevention and additional security
capabilities in one high-performance appliance. Application
intelligence, combined with user identity information, provides
the context for highly granular firewall access rules that can
also detect contemporary Web-based attacks.
Enterprises can enforce security and acceptable-use policies in ways that make sense for the business, in contrast to black-and-white policies like "No one can use Facebook" or "We have
to let everyone use Facebook."
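The following is an added example, not code from the article or from any vendor's product: a toy single-pass Layer-7 classifier in Python that shows why the port alone tells a stateful firewall nothing. It pulls the server name out of the first payload bytes of a flow (the Host header on plaintext HTTP, the SNI extension of a TLS ClientHello on HTTPS), maps it to an application name, joins that with a user-identity table keyed by source IP, and evaluates a rule set that can express "marketing may use Facebook, nobody else may" instead of an all-or-nothing choice. The application catalogue, the IP-to-user mapping, the rule names and the packets are all constructed for illustration; the ClientHello builder exists only to produce sample input.

```python
"""Added example: Layer-7 app identification plus user identity -> granular rule."""
import struct
from typing import Optional, Tuple

# Hypothetical application catalogue: server-name suffix -> application name.
APP_BY_HOST = {
    "facebook.com": "facebook",
    "fbcdn.net": "facebook",
    "salesforce.com": "salesforce",
    "dropbox.com": "dropbox",
}

# Hypothetical user-identity feed (what a directory/agent integration would supply).
USER_BY_IP = {
    "10.0.1.15": ("alice", "marketing"),
    "10.0.2.40": ("bob", "engineering"),
}

# Granular rules, evaluated top-down: (group or "*", application or "*", action).
RULES = [
    ("marketing", "facebook", "allow"),
    ("*", "facebook", "deny"),
    ("*", "dropbox", "deny"),
    ("*", "*", "allow"),
]


def parse_tls_sni(payload: bytes) -> Optional[str]:
    """Return the SNI host from a TLS ClientHello, or None if the bytes are not one."""
    try:
        if len(payload) < 5 or payload[0] != 0x16:          # TLS handshake record
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                    # handshake type ClientHello
            return None
        pos = 4 + 2 + 32                                    # header, client_version, random
        pos += 1 + hs[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                  # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:                               # walk the extension list
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000 and len(body) >= 5:          # server_name extension
                name_len = struct.unpack("!H", body[3:5])[0]  # list_len(2) type(1) len(2)
                return body[5:5 + name_len].decode("ascii").lower()
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def parse_http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP request, or None."""
    try:
        head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
        if len(head[0].split(b" ")) != 3:                   # METHOD SP target SP version
            return None
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                return value.strip().decode("ascii").split(":")[0].lower()
    except UnicodeDecodeError:
        return None
    return None


def identify_app(payload: bytes) -> str:
    """Layer-7 identification: look inside the payload instead of trusting the port."""
    host = parse_tls_sni(payload) or parse_http_host(payload)
    if host is None:
        return "unknown"
    for suffix, app in APP_BY_HOST.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return "web-browsing"                                   # HTTP(S) the catalogue does not name


def decide(src_ip: str, dst_port: int, payload: bytes) -> Tuple[str, str, str]:
    """Single pass: app identification + user identity -> (action, app, user)."""
    app = identify_app(payload)
    user, group = USER_BY_IP.get(src_ip, ("unknown", "unknown"))
    for rule_group, rule_app, action in RULES:
        if rule_group in ("*", group) and rule_app in ("*", app):
            return action, app, user
    return "deny", app, user                                # implicit default deny


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying an SNI extension."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"             # version, random, empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                                    # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    flows = [
        ("10.0.1.15", 443, build_client_hello("www.facebook.com")),
        ("10.0.2.40", 443, build_client_hello("www.facebook.com")),
        ("10.0.2.40", 80, b"GET / HTTP/1.1\r\nHost: www.dropbox.com\r\n\r\n"),
    ]
    for src, port, pl in flows:
        action, app, user = decide(src, port, pl)
        print(f"{src} -> tcp/{port}: app={app} user={user} action={action}")
```

Both Facebook flows arrive on tcp/443 and look identical to a port-based rule; only the SNI plus the identity lookup separates alice's allowed session from bob's denied one. A real appliance would also need to handle split payloads, Encrypted ClientHello, non-HTTP protocols tunnelled over 443 and identity sources that are not simple IP-to-user tables, none of which this toy attempts.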
This is a fast-growing market, created when Palo Alto Networks
appeared on the scene in 2007 with the capabilities and feature
sets that characterize what are now known as next-gen firewalls. Most
other firewall and unified threat management vendors
have introduced, or are at least developing, network security
products that provide fine-grained application and user controls
in integrated, high-performance appliances.
"IPS should have been combined with firewall much sooner," says Greg Young, a Gartner research VP. "IPS ballooned up beyond
$1 billion and took on a life of its own; no one was integrating. Palo Alto [Networks' next-generation firewalls] changed
the game, and incumbent firewall vendors have been forced to react to meet that threat."
Next-gen firewall adoption was between 5 percent and 10 percent of total firewall appliances in 2010, according to a joint
report by Infiniti Research and TechNavio Insights, and is expected to gain significant market share over the next few years.
Gartner has predicted that next-gen firewalls will comprise 35 percent of the installed firewall base by the end of 2014 and
will account for 60 percent of all firewall purchases.
In some cases, enterprises are deploying next-gen firewalls in front of their existing network firewalls and IPS to get
the benefits of app-layer and user-ID filtering without a wholesale rip-and-replace. In other cases, they put one behind
their firewalls and IPS to see what is getting through.
"They look at it as an adjunct," says Lisa Phifer, president of consultancy Core Competence. "They either want to apply extra
granularity or use next-gen to act as a sanity check if something goes through that wasn't expected."
Source -Network World