Next-Generation Firewalls

Written by Kevin South

With a current installed base of about 1%, the answer to this question would be NO. Although, a report from Gartner Research says that your next firewall should be a next-generation firewall and believes the installed base will increase to 35% by 2014.

The term “next-generation firewall” (NGFW), has been around for three years or so and is being referenced by major players like Palo Alto Networks, Check Point, Fortinet, SonicWall, and Barracuda Networks. Surely, Cisco can’t be far behind.

According to the same Gartner report, a NGFW should include the following capabilities:

  • Zero downtime configuration
  • Standard firewall features: packet filtering, NAT, stateful inspection, VPN
  • Integrated IPS: it should work seamlessly with firewall, i.e. IPS interpreted threats can be addressed by the firewall with an access control list, for instance.
  • Identify applications and enforce network security policy at the application layer
  • Firewall Intelligence: Incorporating Active Directory for user identity and blocking, as well as Whitelists and Blacklists
  • Scalability to address future threats and upgrades

 

So what’s it going to take for you to switch from your tried and true firewall to a NGFW? Well, it should NOT be as easy as replacing your current stateful-inspection, port-based firewall with a NGFW at your next refresh cycle. You will need to evaluate how such a device will impact your business and security posture.

Some questions you should ask yourself at your next refresh:

  • Can it reduce the complexity of my environment?
  • What’s my current environment’s longevity?
  • Is the “next-generation” technology worthy of replacing the current environment?

 

Those who have jumped onboard seem to be doing so in a phased approach. Most early adopters are not ready to rely on (or trust) one device to handle that diverse workload or ditch their current investment. As well, since there are no independent lab tests to date to solidify the NGFWs claims, they are using their current installed base as a checks and balances against the NGFW. The early adopters are making sure the device can do all it is suppose to do.

Assuming price points for the NGFWs are at or near that of classic firewalls, more companies will be willing to invest in them. Why wouldn’t you want to replace an out-dated firewall with a new one that promises IPS, AD Integration and application awareness integrated with classic firewall standards? Sure, NGFWs may never replace your multi-tiered security environment but they’ll surely replace yesterday’s firewall.

1. John Pescatore, Greg Young, Defining the Next-Generation Firewall, Gartner RAS Core Research, Note G00171540, 12 October 2009.

Back