As security threats evolve, so must firewalls — but not at the expense of network performance. That’s one factor that enterprises need to consider when developing a strategy for next-generation firewalls.
Nearly half of the medium and large enterprises in a recent Ponemon Institute survey sponsored by security vendor Sourcefire have deployed a next-gen firewall. The survey also found performance degradation to be a major concern. Jason Lamar, Sourcefire’s senior director of product management, recently spoke with Intelligence in Software about how next-gen firewalls work and the architectural options.
Q: What exactly is a next-gen firewall?
Jason Lamar: It’s a combination of threat prevention, access control and application control. The next-generation part is about going beyond the traditional language of writing firewall policies, where you use users and applications as the way to communicate what the policy means and how it would be implemented. That’s the common definition out there in the marketplace.
Sourcefire has a little different perspective. Our belief is that you really need to have a next-generation intrusion-prevention system (IPS) as a component of a next-generation firewall. That requires contextual awareness, which is the systematic understanding of the network that you’re trying to protect, as well as all of the relevant information about the endpoints, files, users, applications and operating systems. You need to know all of that stuff about your environment in order for your system to work effectively as a next-generation security solution. We believe that you need to have contextual awareness and an enterprise-quality IPS to really be next-generation.
Q: What’s an example of the kinds of threats that a next-gen firewall would catch?
J.L.: Traditional firewalls that look only at ports and IP addresses won’t pick out anything that’s especially evasive. So a traditional firewall won’t find command-and-control channels that have been set up by an owned host inside your network, for example. And a traditional firewall that just added on good-enough IPS — more of a Unified Threat Management approach — won’t have the extensive evasion prevention and traffic normalization good enough to detect rapidly changing threats.
Q: So a next-gen firewall would be doing things such as filtering by signatures and reputations, right?
J.L.: Yes. The reputational component is there as an additional context, so to speak. It’s about detecting things at a high accuracy. If you look at the kinds of testing you do for a next-generation IPS, like we do at NSS Labs, and you compare that to what the traditional firewalls have in terms of threat prevention, there’s a big gap.
Q: Encryption can provide a shield for malware. Isn’t that why a next-gen firewall decrypts traffic?
J.L.: Definitely. It is a component of a next-generation firewall architecture. Most next-generations don’t do this well, though. Their performance doesn’t scale. Some vendors will tell you that you need embedded SSL decryption, but when you turn that on, the whole performance of the system tanks.
You really need an architectural approach to decryption. Why impact your IPS and application-control performance when you could have a standalone, scaling appliance to do that decryption?
By the way, most enterprises have some other reason to want to decrypt SSL than just to do the next-generation firewall components. A lot of times, there’s a content gateway there that they want to interface with or some other thing that they want to have looking at the traffic. If you go with the next-generation firewall with embedded SSL, you miss an architectural trick in offloading SSL so you can use it for multiple security inspection points.
Q: Any other architectural tips one should consider when developing a next-gen firewall strategy? Any pitfalls to avoid?
J.L.: A lot of enterprises are struggling with whether to displace their whole firewall infrastructure for a new, next-generation firewall versus supplement and augment with next-generation firewall as an additional control behind their traditional firewall. Not every enterprise is ready to make that move or has the financial resources to make that move quickly.
Q: That ties in with the survey, where 56 percent of respondents prefer augmentation rather than replacement.
J.L.: For many organizations, it’s just too much to switch all that around when the real benefit you’re trying to get is better security and that’s really delivered through the threat-prevention and application-control components. Why change the thing that’s working and that’s operationally and organizationally the most difficult to move when you really want to get application control and better threat prevention?
A lot of customers think they’re going to buy a next-generation and switch all of their policies over to the thing with a couple of mouse clicks. That’s usually not the case, and typically it’s not advisable. Take the opportunity to rationalize the policies you should have now versus carrying forward a policy that doesn’t match what you’re trying to do.