Information Security Blog

July 15, 2014

Going Next Level

The shape of the Internet as we know it is constantly changing and evolving to meet the growing demands of business and entertainment. That growth, however, has added layers of complexity to information and network security, and those layers can lead to sprawling, mismanaged network environments. One of the newer products to hit the security scene, the Next Generation Firewall, aims to collapse some of them.

In the past we have relied on a "source, destination, service/port" format for rule structure. As the Internet has aged, however, the complexity of modern web traffic and the number of distinct web services have grown with it. A rule of that shape sees only addresses and ports, so a dozen different services sharing port 80 or 443 look identical to it. Most standard firewalls simply do not look deep enough into the traffic to understand and separate what crosses today's Internet.

A next-gen firewall aims to improve on firewall administration by adding new layers to the equation: application awareness and deep packet inspection. Neither term is new, but the way the firewall approaches them is. In the past, deep packet inspection has typically lived in separate devices such as an IPS/IDS or a malware prevention system. Every extra device in the network path adds latency and more overhead for the management team. Letting the firewall perform deep packet inspection as well can remove some of that latency: robust hardware inspects the traffic once and performs multiple security tasks on it as it enters or exits your network.


Application awareness is another area in which next generation firewalls aim to separate themselves from the pack. Using application signatures, header inspection, and payload analysis, the firewall can distinguish network traffic by the specific application that generated it rather than by port alone. This means an admin can write a rule that blocks Facebook Chat while still allowing employees to reach the company Facebook page, even though both travel over the same ports to the same servers. It also gives administrators a handle on time-wasting Internet habits such as gaming, streaming, and social media.
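To make the difference concrete, here is an added example in Python; it is not code from the original post or from any firewall vendor. It puts a tiny "source, destination, service/port" rule engine beside an application-aware one that inspects the first bytes of each connection (header inspection of the HTTP request line and Host header, then a short list of application signatures). The networks, hostnames, URL paths and sample connections are all assumptions constructed for the demo. The point they make is the one above: the port-based engine cannot tell two HTTP requests to the same server apart, while the application-aware engine can deny the chat request and still allow the page view.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes  # first client bytes of the connection (constructed below)


# Classic "source, destination, service/port" rules, first match wins.
# The networks and ports are assumptions for the demo.
LEGACY_RULES = [
    ("10.0.0.0/8", "0.0.0.0/0", "tcp", 80, "allow"),
    ("10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "allow"),
]


def _in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def legacy_verdict(flow):
    """Port-based decision: every HTTP flow from the LAN is allowed alike."""
    for src_net, dst_net, proto, dport, action in LEGACY_RULES:
        if (_in_net(flow.src, src_net) and _in_net(flow.dst, dst_net)
                and proto == flow.proto and dport == flow.dport):
            return action
    return "deny"  # implicit default deny


def parse_http(payload):
    """Header inspection: (host, path) for an HTTP/1.x request, else None."""
    m = re.match(rb"(GET|POST|PUT|HEAD) (\S+) HTTP/1\.[01]\r\n", payload)
    if not m:
        return None
    host = re.search(rb"\r\nHost:\s*([^\r\n]+)", payload, re.IGNORECASE)
    return (host.group(1).decode("ascii", "replace").strip().lower() if host else "",
            m.group(2).decode("ascii", "replace"))


# Application signatures, most specific first. Hostnames and paths are
# assumptions for the demo, not real signatures of any product.
APP_SIGNATURES = [
    ("facebook-chat", lambda host, path: host == "chat.facebook.com"
     or (host.endswith("facebook.com") and path.startswith("/ajax/chat"))),
    ("facebook", lambda host, path: host == "facebook.com" or host.endswith(".facebook.com")),
    ("web-browsing", lambda host, path: True),
]


def classify(flow):
    """Label the flow by application from its first request; 'unknown' if unparseable."""
    parsed = parse_http(flow.payload)
    if parsed is None:
        return "unknown"
    host, path = parsed
    for app, matches in APP_SIGNATURES:
        if matches(host, path):
            return app
    return "unknown"


# Application-aware rules: (source network, application, action), first match wins.
APP_RULES = [
    ("10.0.0.0/8", "facebook-chat", "deny"),
    ("10.0.0.0/8", "facebook", "allow"),
    ("10.0.0.0/8", "web-browsing", "allow"),
]


def ngfw_verdict(flow):
    """Same port check as before, then an application decision on top of it."""
    if legacy_verdict(flow) == "deny":
        return "deny"
    app = classify(flow)
    for src_net, rule_app, action in APP_RULES:
        if _in_net(flow.src, src_net) and rule_app == app:
            return action
    return "deny"  # unclassified traffic falls to default deny (this demo's choice)


# Constructed sample flows: identical source, destination, protocol and port.
SAMPLE_FLOWS = {
    "company page": Flow("10.1.2.3", "203.0.113.10", "tcp", 80,
                         b"GET /CompanyPage HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    "chat message": Flow("10.1.2.3", "203.0.113.10", "tcp", 80,
                         b"POST /ajax/chat/send.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    "non-HTTP on 80": Flow("10.1.2.3", "203.0.113.10", "tcp", 80,
                           b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x03"),
}


def compare_all():
    """Return {name: (legacy verdict, application label, next-gen verdict)}."""
    return {name: (legacy_verdict(f), classify(f), ngfw_verdict(f))
            for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (legacy, app, ngfw) in compare_all().items():
        print(f"{name:15} legacy={legacy:5} app={app:13} next-gen={ngfw}")
```

Run it directly to see the three verdicts side by side: the port rule allows all three flows, while the application-aware engine allows the page view, denies the chat request, and denies the third flow because non-HTTP bytes on port 80 get no application label. Two caveats a practitioner would add: sending unclassified traffic to the default deny is this demo's choice, and real products let you pick either behaviour; and over HTTPS the Host header is encrypted, so a real firewall keys such a signature on the TLS server name (SNI) or decrypts the session first, which is why the demo stays with plain HTTP.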

While it all looks good on paper, it takes time and research to determine whether this is the right approach. Multi-device versus all-in-one is a long-running debate in network security, and the best answer varies from one organization to the next. One thing to consider is the complexity of the devices and the services you expect from your security device. A next generation firewall offers a single point of inspection, but that often means it does not match the feature set of a dedicated device. Research the product to confirm it can perform every task you require of it.

With a single-point device, sizing also becomes important. One goal of the next gen firewall is to reduce the latency that accumulates when packets are handed to multiple devices in turn, but that benefit disappears if the hardware cannot keep up with your network usage. If the device falls behind during peak times, bottlenecks form, and this is especially true once all of the firewall's features are switched on, since each inspection engine spends CPU and memory on the same packet. As you enable each new function, such as application filtering, malware detection, or intrusion detection, test its impact on your network's throughput and latency before relying on it in production.

Authored By: Greg Peterson, CCSE