The basic perimeter firewalls of the past have evolved over the years to become a Swiss Army knife of protection capabilities. These next-gen firewalls (NGFWs) offer significantly greater enterprise security protection and are better able to protect users against today’s sophisticated and persistent threats. When it comes to selecting an NGFW, however, there are dozens of choices. Keep the following five criteria in mind to ensure you choose the right one.
NGFW Must-Have Feature #1: True NGFW Capabilities
One thing that makes technology buying decisions harder than they need to be is the misuse of terms. This is particularly true where security is concerned. Rather than doing the work to develop true “cloud-enabled solutions” or “next-generation firewalls,” some vendors find it easier to just adopt these phrases. According to Info-Tech Research Group, the following four features represent the minimum requirements of a true NGFW:
- Stateful Inspection Filter. Also known as a dynamic packet filter, this technology monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
- VPN (virtual private network). This feature offers IP security (IPsec) for site-to-site tunnels and SSL (Secure Sockets Layer) encryption for remote access options.
- Anti-Malware. This includes built-in perimeter antivirus and anti-spyware protection.
- Intrusion Prevention. This gives the firewall the ability to recognize and restrict inappropriate and unauthorized access.
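To make the stateful inspection item concrete, here is an added example (not from Info-Tech Research Group or any vendor) of a connection table deciding which packets pass. The `Packet` and `StatefulFilter` names are hypothetical, and the sketch assumes TCP only and omits the FIN tracking and idle timeouts a real firewall needs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags set on the segment, e.g. frozenset({"SYN"})
    outbound: bool     # True when the packet leaves the protected network

class StatefulFilter:
    """Illustrative toy, not a vendor implementation: inside hosts may open TCP
    connections to allowed ports; inbound packets pass only within such a flow."""
    def __init__(self, allowed_out_ports):
        self.allowed_out_ports = set(allowed_out_ports)
        self.table = {}  # (inside ip, port, outside ip, port) -> state

    @staticmethod
    def _key(p):
        # Both directions of one connection map to the same table entry.
        if p.outbound:
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        key = self._key(p)
        state = self.table.get(key)
        if state is None:
            # Only an outbound SYN to an allowed port may create state.
            if p.outbound and p.flags == {"SYN"} and p.dport in self.allowed_out_ports:
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            return "DROP"
        if "RST" in p.flags:
            del self.table[key]          # connection torn down, state removed
            return "ALLOW"
        if state == "SYN_SENT":
            if not p.outbound and p.flags == {"SYN", "ACK"}:
                self.table[key] = "SYN_RCVD"
                return "ALLOW"
            return "DROP"
        if state == "SYN_RCVD":
            if p.outbound and p.flags == {"ACK"}:
                self.table[key] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"
        # ESTABLISHED: data and ACKs flow both ways; a stray SYN is rejected.
        return "DROP" if "SYN" in p.flags else "ALLOW"
```

An unsolicited inbound ACK or SYN/ACK is dropped because no table entry exists for it, which is the difference from a static filter that would have to permit all inbound traffic from port 443 to let replies through.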
NGFW Must-Have Feature #2: Circumvention Controls
Proxies (e.g. Tor), remote access (e.g. LogMeIn, TeamViewer) and encrypted tunnel applications (e.g. UltraSurf) are specifically designed to get around firewall defenses. To make things even trickier, these tools and apps aren’t always malicious. This is where security policies — and automated controls to enforce policies — come into play. Prior to selecting your next NGFW, make sure it has specific ways to deal with circumventors, regardless of port, protocol, encryption, or other evasive tactics.
For example, the NGFW should offer the ability to limit remote access apps to specific users/groups and completely block other specified apps from ever being used in the workplace (e.g. UltraSurf). In addition to providing granular controls, it is important that the NGFW’s application intelligence is regularly updated and well maintained, because the list of circumventors is constantly growing and changing.
NGFW Must-Have Feature #3: Ability to Identify Threats Within Allowed Applications
One technique malicious hackers and cyber criminals use to fool security defenses is to abuse features within approved business applications, such as Microsoft Office, to launch malware and other threats. For example, a deadly ransomware strain nicknamed Locky, which is reportedly spreading at the rate of 4,000 new infections per hour, typically uses the macros feature in programs like Microsoft Word to launch itself. Other collaborative applications, such as hosted SharePoint or Google Docs, can become conduits for malware, too. A good NGFW will allow these approved applications to run while scanning them for threats at the same time.
NGFW Must-Have Feature #4: Ability to Distinguish Between Applications Within the Same Platform
Not all applications sharing the same platform have the same risk profile and business value. For example, while viewing Gmail a user can launch a Google Talk session within the same user interface. A good NGFW will be able to recognize the application change occurring within the session (by continuously evaluating the traffic) and apply the appropriate policy controls.
NGFW Must-Have Feature #5: Security Without Performance Compromises
One of the biggest drawbacks of security is that it can put a damper on productivity. For example, emails with important information can get caught in overactive spam filters and never make it to the intended recipient. Or, a user may need to use a legitimate application to collaborate with a remote colleague, but the firewall blocks the application, which requires an IT admin to intervene.
The best NGFWs are built with the security-performance balance in mind, and they minimize performance drawbacks by avoiding redundant networking layers, scanning engines, and policies. Such redundancies typically arise from technologies cobbled together from different origins. For example, if a firewall vendor acquires an intrusion prevention vendor to add that capability to its product and doesn’t do a thorough job removing redundant features from the acquired company’s product, the performance of its new product could suffer.
The security threat landscape is evolving at a fast pace, and the number of threats and the serious nature of those threats continue to escalate. NGFWs play a key role in keeping your customers safe. Prior to selecting an NGFW, make sure to do your due diligence and look for a solution that can handle as much of the security burden as possible without compromising the speed with which your customers need to work.