In my last post, I outlined the business case for converting to a next-generation firewall. Essentially, it’s about protecting valuable IT assets in the face of advanced malware whose sophisticated evasion capabilities make it much harder to detect, and much more dangerous given its ability to carry payloads with multiple, often persistent exploits.
How does a firewall system defend against these sophisticated malware schemes? Is it even possible?
Early firewall systems used simple packet filtering to identify suspicious payloads. Later, stateful packet filtering evolved to allow the system to track the state of network connections, such as TCP and UDP communications, traveling across it. With that state, the firewall was able to distinguish legitimate packets for different kinds of connections. This technology, also known as dynamic packet filtering, has been a standard security feature for almost 20 years and has been extended as network performance has improved.
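To make the difference concrete, here is an added example (not code from this post or from any firewall product) that runs the same packet trace through a simple per-packet filter and a minimal stateful filter. It assumes TCP only, a simplified state machine, and constructed addresses and ports.

```python
from collections import namedtuple

# Constructed packet model: only the header fields a packet filter inspects.
Packet = namedtuple("Packet", "src sport dst dport flags")

def is_inside(ip):
    return ip.startswith("10.0.0.")  # assumed internal prefix

def stateless_allow(pkt):
    """Simple packet filter: each packet is judged alone. Outbound passes;
    inbound passes if ACK is set, because it looks like a reply."""
    return is_inside(pkt.src) or "A" in pkt.flags

class StatefulFilter:
    """Dynamic packet filter: inbound packets must match a tracked connection."""
    def __init__(self):
        self.table = {}  # (in_ip, in_port, out_ip, out_port) -> state
    def allow(self, pkt):
        if is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":            # new outbound connection
                self.table[key] = "SYN_SENT"
                return True
            return key in self.table        # outbound data needs a known flow
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False                    # no tracked connection: unsolicited
        if state == "SYN_SENT":
            if pkt.flags != "SA":
                return False                # only SYN+ACK may answer a SYN
            self.table[key] = "ESTABLISHED"
        elif "F" in pkt.flags or "R" in pkt.flags:
            del self.table[key]             # simplified teardown, no TIME_WAIT
        return True

# Constructed trace (documentation addresses). Flags: S=SYN, A=ACK, F=FIN.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "S"),
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "A"),
    Packet("198.51.100.7", 443, "10.0.0.5", 40000, "A"),   # never requested
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "FA"),
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "A"),   # after teardown
]

def run(trace):
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in trace]
```

Calling run(TRACE) returns one (stateless, stateful) verdict pair per packet: the per-packet filter passes all six, while the stateful filter drops the fourth and sixth because no tracked connection exists for them.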
Today, it’s possible to take stateful inspection up several notches, to include not just basic and dynamic packet filtering, but also full-stack inspection, meaning every layer in the communications protocol can be inspected.
Additionally, the next-generation firewall must expand upon this intrusion prevention capability with evasion detection technology. This key functionality allows the inspection engine to look for embedded code and other exploits in seemingly benign packets, again at all levels of the stack.
It’s also necessary to look outside the traditional channels such as email and data packets, to non-traditional and in some cases even occasional points of entry, including ATMs, service station kiosks and other devices. These may become infected with intelligent viruses that use them as points of entry to work their way into deeper parts of the system, such as credit card files.
A true next-generation firewall must also include application-level inspection and granular access control. Today’s firewalls must understand what applications and protocols are running, and adjust their protection strategies accordingly.
A next-generation firewall must be able to dynamically adjust, improve and scale to meet the expanding needs of the network. Importantly, this level of control works best in a centralized management environment, capable of overseeing the entire security architecture and adjusting strategies
A next-generation firewall must be able to deal with exploits and upgrade its capabilities seamlessly and with minimal impact on everyday operation of the data center, server farm, network or enterprise it serves.
The market for next-generation firewalls is broad, ranging from small, distributed franchises to global enterprises and utilities, telecommunications companies, governments and MSSPs. Each segment has its own security priorities, from pure data protection to satisfying complex network and business protection requirements. A proper security strategy enables not only proven business continuity but also ways to differentiate and leverage new business opportunities.