
Latest types of firewalls merge NGFW and threat analysis features

The next-generation firewall has become the focal point of an enterprise security strategy that integrates with cloud-based threat analysis and endpoint management.

Some tech buzzwords just won't go away. Despite their forward-looking moniker, next-generation firewalls have been around for at least a decade, debuting with revolutionary capabilities like stateful packet filtering, user identity aware controls, intrusion detection/prevention and application visibility/control.

Integrating all those features into one product was important, but application control was the major step forward: for the first time, these firewalls could identify and block specific web application traffic traversing an enterprise network, rather than just making decisions on ports and addresses.
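To make the two building blocks named above concrete, here is an added illustration (not code from the article or from any vendor mentioned in it): a toy stateful packet filter with application control layered on top. The packet class, the protocol signatures, the `10.` "inside" prefix and the sample packets are all constructed for the example. It shows the two decisions a port-only filter cannot make: dropping an unsolicited packet that arrives on an open port with no tracked connection behind it, and blocking plain HTTP that is sent on port 443 because the first payload bytes, not the port number, identify the application.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """A heavily simplified TCP segment (constructed for this example)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # one of "SYN", "SYN-ACK", "ACK", "PSH"
    payload: bytes = b""


# Application signatures: the first bytes a client sends, independent of port.
APP_SIGNATURES = {
    "http": (b"GET ", b"POST ", b"HEAD ", b"PUT "),
    "tls": (b"\x16\x03",),          # TLS record header, handshake type
    "ssh": (b"SSH-",),
}


def identify_app(payload: bytes) -> str:
    """Classify the application from the payload, ignoring the destination port."""
    for app, prefixes in APP_SIGNATURES.items():
        if payload.startswith(prefixes):
            return app
    return "unknown"


FourTuple = Tuple[str, int, str, int]


class StatefulAppFirewall:
    """Tracks connections by 4-tuple and enforces an allow-list of applications."""

    def __init__(self, inside_prefix: str, allowed_apps: Set[str]):
        self.inside_prefix = inside_prefix      # hosts allowed to open connections
        self.allowed_apps = allowed_apps
        self.conns: Dict[FourTuple, str] = {}   # initiating 4-tuple -> state
        self.log: List[Tuple[Packet, str]] = []

    def _lookup(self, p: Packet) -> Optional[FourTuple]:
        """Find the tracked connection for a packet in either direction."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns:
            return fwd
        if rev in self.conns:
            return rev
        return None

    def process(self, p: Packet) -> str:
        verdict = self._decide(p)
        self.log.append((p, verdict))
        return verdict

    def _decide(self, p: Packet) -> str:
        key = self._lookup(p)
        if p.flags == "SYN":
            # Only inside hosts may open new connections (outbound-only policy).
            if not p.src.startswith(self.inside_prefix):
                return "drop: unsolicited inbound SYN"
            self.conns[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
            return "allow"
        if key is None:
            # A stateless port filter would pass an ACK to an open port; we do not.
            return "drop: no matching connection"
        state = self.conns[key]
        if state == "BLOCKED":
            return "drop: application blocked"
        if p.flags == "SYN-ACK" and state == "SYN_SENT":
            self.conns[key] = "ESTABLISHED"
            return "allow"
        if p.flags in ("ACK", "PSH") and state == "ESTABLISHED":
            if p.payload:
                app = identify_app(p.payload)
                if app not in self.allowed_apps:
                    self.conns[key] = "BLOCKED"   # remember the decision for the flow
                    return f"drop: {app} not permitted"
            return "allow"
        return "drop: out-of-state packet"


def demo() -> List[str]:
    """Run a constructed packet sequence through a policy that allows only TLS."""
    fw = StatefulAppFirewall(inside_prefix="10.", allowed_apps={"tls"})
    packets = [
        # 1. Legitimate outbound TLS session on 443.
        Packet("10.1.1.5", "203.0.113.10", 51000, 443, "SYN"),
        Packet("203.0.113.10", "10.1.1.5", 443, 51000, "SYN-ACK"),
        Packet("10.1.1.5", "203.0.113.10", 51000, 443, "PSH", b"\x16\x03\x01\x00\xc8"),
        # 2. Unsolicited inbound ACK to port 443 with no tracked connection.
        Packet("198.51.100.7", "10.1.1.5", 40000, 443, "ACK"),
        # 3. Plain HTTP sent on port 443: identified by payload, not by port.
        Packet("10.1.1.6", "203.0.113.20", 51001, 443, "SYN"),
        Packet("203.0.113.20", "10.1.1.6", 443, 51001, "SYN-ACK"),
        Packet("10.1.1.6", "203.0.113.20", 51001, 443, "PSH", b"GET /update HTTP/1.1\r\n"),
        Packet("10.1.1.6", "203.0.113.20", 51001, 443, "ACK"),
        # 4. Inbound connection attempt from the Internet.
        Packet("198.51.100.9", "10.1.1.5", 40001, 22, "SYN"),
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the `BLOCKED` state is that the verdict is made once per flow and then applied to every later packet of that flow, which is how a real device avoids re-classifying every segment; a production NGFW would of course track far more state (sequence numbers, timeouts, both directions of the handshake) and carry thousands of signatures rather than three.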

Those early next-generation firewalls (NGFWs) were built for a different era. Eight to 10 years ago, companies still relied largely on building a perimeter around the network to block malware.

Chris Rodriguez, a senior industry analyst at Frost & Sullivan who covers the NGFW market, contends that isn't a comprehensive strategy anymore.

"A firewall is just one of many sensors companies can put out there today," he says. "A firewall is not an end-all and be-all. It has to work in tandem with endpoint management and threat analysis. That's where big data and security analytics become important."

William Dugger, a senior manager of network engineering at fitness company Beachbody LLC, based in Santa Monica, Calif., says security takes a high priority at his company because it needs to run secure online transactions, protect partners and secure Agile development environments.

Dugger manages roughly 1,700 users across two West Coast data centers and five corporate sites. The company deployed Cisco’s ASA 5585-X SSP-60 firewalls and its ASA 5585-X SSP-10 firewalls with FirePower module.

At Beachbody, the SSP-60s are clustered in the data center core, two per data center, while the SSP-10s reside at the edge of each data center.

"At the time we were looking for a firewall platform, we had just implemented new Cisco-driven data centers and Cisco was one of the only vendors offering the clustering capability, plus their cluster fit into our design," Dugger explains. "With clustering, I can spread the load across the different firewalls and each firewall is aware of what the other is doing. Cisco’s architecture put us in a position to take advantage of the next-generation security capabilities coming down the pike."

For example, the ASA now comes with an integrated Cisco Sourcefire option, which does URL filtering and advanced malware mitigation. The ASAs also integrate with Cisco’s Identity Service Engine, the vendor’s secure access control system.

"We're also prepared for any other new innovations, such as SSL decryption and enhanced application awareness," Dugger adds. 

Next-generation threat prevention

Today, companies run networks in physical and virtual environments, and data traverses the cloud. Employees are also more mobile, so building a moat around the perimeter no longer works. Employees work all over the world, well beyond the reach of conventional firewalls in the data center.

"Networks are consistently changing at the speed of technology innovation," says Samantha Madrid, head of network security product marketing at Palo Alto Networks. "It's critical that your security keeps up so there are no gaps in protection."

Mobile malware has come into its own and become an area of increased attention, according to Don Meyer, head of data center product marketing at Check Point Software Technologies. The company's Mobile Threat Prevention platform, which detects malicious apps on iOS and Android devices, brings the same threat detection and prevention capabilities to mobile devices that it builds into its NGFWs.

Meyer agrees that while NGFWs are still relevant, how they integrate with other threat detection and endpoint management capabilities makes all the difference. The company's SandBlast Zero-Day Protection software -- which integrates with its firewalls -- detects and remediates zero-day attacks and advanced persistent threats at the CPU level, or the exploit phase, before malware authors can employ evasion techniques.


Traditional sandboxes are vulnerable because malware authors have become very sophisticated, according to Meyer. New malware now looks for a human element, or heartbeat, before it wakes up and starts running its code.

"Without CPU-level inspection, traditional sandboxing solutions are ineffective at identifying and preventing infections because of the sophistication of emerging malware," Meyer says. "We want to detect and prevent malware from ever reaching the network."

While companies still need the types of firewalls in the data center that can inspect, detect and discard infected applications, Palo Alto's Madrid contends that what organizations really require now is a security platform that integrates NGFW capabilities with cloud-based threat analysis and endpoint management.

Palo Alto's approach is a triad that consists of Palo Alto's PA and VM Series firewalls; WildFire, a cloud-based threat analysis engine; and Traps, an endpoint security product. All work together to protect the enterprise network. For example, when a company subscribed to WildFire gets hit with malware, it alerts the network of Palo Alto users worldwide. Firewalls and endpoints throughout the WildFire network are automatically updated.

IT staff members also want to make sure the types of firewalls they select support all the major software-defined networking environments, and also work well in public cloud environments such as Amazon Web Services (AWS) and Microsoft Azure.

Check Point's firewalls support VMware's NSX platform and OpenStack, as well as public cloud environments; the company is looking into integrating with Cisco's Application Centric Infrastructure, Meyer says. Palo Alto's can run in AWS and are managed through Panorama, the firewall vendor's management platform.

"The automation and integration are what's really key here," Madrid says. "And from a firewall perspective, companies need to be sure their firewalls can run in both private and public cloud environments."

Taking a broader approach

There's too much hype in the industry about what can be predicted and the levels of protection offered, argues John Maddison, vice president of products and solutions at Fortinet.

"Our approach is to look at the enterprise network as a whole and deploy the firewall based on where it best fits in the network," he says.

Fortinet takes a single-policy approach that's transmitted to all the security devices across the network. The company advises customers to deploy midrange edge firewalls at the campus edge; unified threat management devices in branch offices; internal segmentation firewalls that separate the traffic by user or application; data center firewalls in a central facility; cloud firewalls at Amazon Web Services or Microsoft Azure; and carrier-class firewalls at Internet service providers.

"Ten years ago, we deployed firewalls at the branch and at the main data center," Maddison says. "There are now many more configurations that IT people have to concern themselves with. Today, we're trying to get people to think in terms of an enterprise-wide approach to firewalling."

Firewalls can't be treated as just a checkbox item on a long list of infrastructure purchases, says Dave Stuart, director of product marketing for network security at Cisco Systems. Rather, they need to offer contextual awareness about potential infections -- not only alerting the IT staff that they are seeing threats, but also telling them whether those threats are harmful.

"The industry has been good at protecting known threats. What's needed today are products that can identify unknown threats," Stuart says.

Cisco’s ASA with FirePower Services contains three distinct automation features, according to Stuart. First, the system monitors threats as they come into the network, assigns a response priority, moves them to quarantine and remediates them. Once the malware has been detected and remediated, the system automatically creates new signatures so that the same malware can be quarantined or blacklisted in the future. Lastly, the management software can correlate seemingly unconnected examples of malware, across both the network and endpoints, and then quarantine them going forward.

Cisco's endpoint security software, known as Advanced Malware Protection, or AMP, is designed to sandbox, analyze and remediate suspected malware, Stuart says. It alerts IT to how far malware has made it into the network.

"People need to understand that classic, stateful firewalls are still useful," Stuart says. "But now companies can get all that functionality in one appliance."

NGFWs and antivirus software at the endpoint don't cut it anymore. Today's networks are complicated, so it follows that securing them takes more work. While industry analysts still review these types of firewalls as a discrete category, any enterprise evaluating an NGFW without cloud-based threat analytics and an endpoint strategy needs to dig a bit deeper.


This was last published in February 2016
