For most IT organisations, the firewall is a primary component of their security strategy. Traditional firewalls as we know them provide protection based on specific ports and protocols and can provide this protection based on source and destination IP address. These firewalls are popular because they are relatively simple to operate and maintain, generally inexpensive, have good throughput, and have been the prevalent design for more than two decades.
However, with new Internet-based threats being launched faster than ever and increasingly targeting “firewall friendly” applications and application-layer vulnerabilities, traditional firewalls are becoming less and less capable of adequately protecting corporate networks. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services.
Protection based on ports, protocols and IP addresses is less and less reliable and viable, because these traditional firewalls treat a given port as corresponding to a given service (such as TCP port 80 corresponding to HTTP), which is simply no longer the case due to the increase in web-based applications. Another blind spot of current-generation firewalls is HTTP traffic that is secured with SSL (HTTPS). HTTPS is normally assigned to well-known TCP port 443. Since the payload of these packets is encrypted with SSL, the traditional firewall cannot use deep packet inspection to determine whether the traffic poses a threat or violates enterprise policies for network usage.
This is where next-generation firewalls come in. Palo Alto Networks introduced the concept of the next-generation firewall a few years ago and has been recognised by Gartner as a Leader four consecutive times.
Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection and intrusion prevention, and to bring in intelligence from outside the firewall. An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS) that includes a commodity or non-enterprise firewall, or with a firewall and IPS in the same appliance that are not closely integrated.
Next-generation firewalls can identify applications regardless of port, protocol, evasive techniques, or SSL encryption, and provide real-time protection against a wide array of threats, including those operating at the application layer. This provides increased security because we are able to identify the specific applications running on port 80, since we are looking at the application and not just the port. As well as detecting applications, they can also limit or even block their usage and the features within them.
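To make the port-versus-application distinction concrete, here is a small added example (not code from the original post or from Palo Alto Networks) that classifies constructed client flows both ways: first by destination port, as a traditional firewall would, then by the first bytes of the payload, as an application-aware inspector would, and flags flows where the two disagree. The sample flows and the `Flow` type are constructed for this illustration.

```python
from dataclasses import dataclass

# Classic port-to-service mapping that a traditional firewall relies on.
PORT_TABLE = {22: "ssh", 80: "http", 443: "https"}

@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client (constructed here)

def classify_by_port(flow):
    """What a port-based firewall believes the flow is."""
    return PORT_TABLE.get(flow.dst_port, "unknown")

def classify_by_payload(flow):
    """Identify the protocol from the bytes themselves; for HTTP, also the Host."""
    p = flow.payload
    if p.startswith(b"SSH-"):
        return "ssh", None
    # TLS record header: content type 0x16 (handshake), version major byte 0x03.
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:
        return "tls", None
    head, _, rest = p.partition(b"\r\n")
    if head.count(b" ") == 2 and head.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        host = None
        for line in rest.split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
        return "http", host
    return "unknown", None

def evaluate(flow):
    """Compare both views; a mismatch means the port label is misleading."""
    by_port = classify_by_port(flow)
    proto, app = classify_by_payload(flow)
    expected = "tls" if by_port == "https" else by_port
    mismatch = by_port != "unknown" and proto not in ("unknown", expected)
    return {"port_says": by_port, "payload_says": proto, "app": app, "mismatch": mismatch}

# Constructed sample flows: only the first one is what port 80 "promises".
SAMPLE_FLOWS = [
    Flow(80, b"GET /login HTTP/1.1\r\nHost: webmail.example.com\r\n\r\n"),
    Flow(80, b"SSH-2.0-OpenSSH_9.6\r\n"),                        # SSH banner on port 80
    Flow(80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello on port 80
    Flow(443, b"\x16\x03\x03\x00\x50\x01\x00\x00\x4c"),          # TLS where expected
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.dst_port, evaluate(f))
```

The port-based view labels all three port-80 flows as "http"; only the payload-based view separates the web application (by Host) from the SSH and TLS sessions hiding behind the same port.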
Benefits of next-generation firewalls include:
1. User Identification
NGFWs can link IP addresses to specific user identities, enabling visibility and control of network activity on a per-user basis. This gives visibility into who specifically is responsible for all application, content, and threat traffic on the network.
2. Content Identification
NGFWs can scan content to prevent data leakage and stop threats with detailed, real-time traffic inspection. This content identification includes threat prevention, URL filtering, and file and data filtering.
3. Advanced policy control
Traditional firewalls work on a simple deny/allow model. In this model, everyone can access an application that is deemed to be good and nobody can access an application that is deemed to be bad. This model simply doesn't work anymore. Today's reality is that an application that might be bad for one organisation might well be good for another. What NGFWs allow is granular control: the good aspects of an application can be accessed by the appropriate employees while all access to the bad aspects of that application is blocked.
To sum up, traditional firewalls are no longer able to protect organisations from modern, sophisticated threats. Next-generation firewalls offer actionable intelligence and controls that combine standard firewall features, integrated network intrusion prevention, application awareness and additional intelligence from outside the firewall.
Interested in a FREE health check? Sign up today for your FREE security health check worth €2,500, powered by Palo Alto Networks and Smarttech! Simply fill in your details below.