The security landscape has changed dramatically in the last few years. Not only are there an ever increasing number of threats to the network that must be guarded against, but the way we use networks has changed thanks to the advent of social networking and Web 2.0 applications. Originally, firewalls were designed to block threats at the network layer by analysing ports and protocols, however, today’s Web applications do not rely on specific ports, leaving traditional firewalls blind to threats and networks open to vulnerabilities. The time has come for Next-Generation Firewalls that combine the still necessary network protection layer with protection at the application layer, to prevent the host of modern application based threats from wreaking havoc on corporate and private networks.
“With the constant evolution of malware and security threats, protection too needs to evolve, and a few years ago one of the most popular ‘buzz phrases’ to do the security rounds was Unified Threat Management (UTM), which includes technology that combines a traditional firewall with port blocking as well as dedicated anti-virus, content and other filters at the gateway,” says Dominique Honnay, Director of Emerging Markets and EMEA Distribution at SonicWALL. “However, while UTM addresses several of the security issues that have come to the fore, it is unable to correctly identify individual applications, meaning that Web applications which are port independent can still find a way around the firewall, leaving the network open to threats.”
The Next-Generation Firewall addresses these vulnerabilities by identifying all traffic that comes into the network independently of the port, including a wide variety of protocols such as VoIP, streaming media, HTTP, HTTPS and so on. Based on certain characteristics of the data stream, Next-Generation firewalls can identify individual applications. This enables traffic to be filtered at the application layer, which when combined with traditional firewall technology provides protection at all layers of vulnerability on the network.
The latest in firewall technology enables organisations to determine usage patterns by monitoring all network traffic, which then makes it possible to create highly granular policies on a per application, per user or per user group basis, as well as by time of day or other variables. This delivers flexible control which can easily be tailored to fit the requirements of any network.
“Next-Generation Firewalls enable organisations to identify and control all of the applications being used on the network. This not only provides better protection, it also enhances compliance and data leakage prevention as well as enabling bandwidth to be more efficiently controlled. For example, bandwidth can now be allocated to mission-critical or latency sensitive applications, while restricting the use of productivity draining applications like online games or streaming video,” says Martin Tassev, Managing Director at Loophold Security Distribution.
By identifying traffic according to inherent unique characteristics rather than by source port, destination port or protocol, organisations are also empowered to control not only individual applications and categories of applications, but also specific features within applications. For example, using this technology, organisations can allow instant messaging, but block file transfers which may be a source of vulnerability, or allow Facebook access, but block access to unproductive Facebook-based games.
“In this way organisations can very tightly control application usage, allowing access to specific sites while limiting available bandwidth for these applications instead of implementing a blanket ban. This control can be taken to a very granular level, with different steps of control. As an example, the marketing department may have access to YouTube where HR does not, and the whole organisation may have limited bandwidth available for Facebook, but the CEO may be permitted to access any site and always have bandwidth priority,” says Honnay.
Organisations with distributed networks, such as university campuses, hospitals and dispersed enterprises, with multiple branches, can also use Next-Generation Firewall technology to filter internal traffic as well. Monitoring external traffic only is no longer enough, since potential threats can originate from within a network just as easily, so providing internal scanning ensures that all traffic is cleared for threats without impacting on the performance of the network.
“Aside from managing wired connections, the Next-Generation Firewall combines the capability to manage wireless connectivity as well, applying the same rules and enforcing the same policies for user authentication, bandwidth prioritisation and so on. This is becoming increasingly important given the consumerisation of IT and the trend towards Bring Your Own Device (BYOD). With the right technology in place, this can easily be allowed without compromising network security,” Tassev adds.
The Next-Generation Firewall incorporates a host of functionality that has become vital in modern network security. Some of these capabilities include control of the applications that are permitted on the network, management of bandwidth for critical applications and blocking of unproductive applications, or even just components of unproductive applications. This technology also allows for the visualisation of application traffic, identification of connections by country of origin and prevention of data leaks by stopping information marked as confidential from leaving the corporate networks.
While Next-Generation Firewalls have become vital to security in the modern organisation, they are just a stepping stone on the path towards true network optimisation. Once the functionality of the Firewall has been incorporated, WAN acceleration can be included to optimise WAN links and side to side connectivity, improving performance while maintaining the highest security standards.