Many midsize companies already realize the need to reinforce their traditional security solution and address new trends arising from mobility and cloud. These dynamics complicate the challenge of maintaining network security, and tax the network’s ability to perform optimally for the business. Traditional firewalls are not effective at seeing what users are doing, the types of applications they’re accessing, or the devices they’re using. Next-generation firewalls are designed to help close some of the gaps.

What’s the advantage of having a next-gen firewall? & What Should A next-gen firewall do?

A next-generation firewall is an important component of a threat-centric security model. It’s important to move to a threat-centric model to gain visibility across your network and respond appropriately to threats before, during, and after an attack. As you evaluate next-generation firewalls for your organization, keep in mind that any solution must:

• Deliver comprehensive protection: Defending the network in the modern threat landscape requires bestin-class anti-malware and intrusion protection based on vulnerability research, reputation scoring, and other critical factors.
• Work with business policy: A next-generation firewall must offer complete breadth and depth of policy enforcement for application use. It also must ensure that diverse collaboration and Web 2.0 applications used for both personal and professional reasons can be monitored and controlled, at a granular level, based on business policy.
• Ensure policies are enforced by device and user: A next-generation firewall must offer complete insight into what devices and users are accessing the network, and from what location. It also must ensure that security policies can be differentiated based on user, group, and device type (specific version of Apple iPhone, iPod, Android mobile devices, etc.).

Additionally, when multiple services are enabled, a next-generation firewall solution should not significantly degrade performance while it is ensuring protection, policy, consistency, and context all at once, and at wire speed.

What to consider when choosing a next-gen firewall

Today’s blog presents 10 considerations for midsize companies to weigh when evaluating a next-generation firewall solution, but we will only discuss the first five and leave the rest for our next blog.

So, with no further ado, here’s what to consider for an effective next-gen firewall solution:

• Is the firewall built on a comprehensive stateful firewall foundation?
• Does the solution support robust, secure remote access for mobile users?
• Does the firewall provide proactive threat protection?
• Can the firewall maintain performance when multiple security services are running?
• Does the solution offer deep visibility into applications with granular application controls?
• Is the firewall able to deliver user, network, application, and device intelligence to help drive context-aware protection?
• Does the firewall offer cloud-based web security?
• Can you deploy a future-proof solution that can scale as your organization grows?
• Does the firewall vendor have extensive support and services to ease the migration path?
• Does the firewall vendor offer attractive financing options to speed deployment time?

Now let’s dive into details:

1. Is the firewall built on a comprehensive stateful firewall foundation?

A next-generation firewall needs to understand both threat and network traffic. A solution built on a comprehensive stateful firewall foundation can provide visibility into potential security gaps, such as open ports. The firewall should feature an extensive stateful inspection engine that helps protect critical assets while also delivering high-performance security and reliability. The next-generation firewall should maximize network security with clear, deterministic Layer 3 and Layer 4 policies. Capabilities such as site-to-site virtual private network (VPN), network address translation (NAT), and dynamic routing also help to deliver secure, reliable access and robust perimeter security. The next-generation firewall must also be able to identify which users are connecting to the network and from where, what devices they’re using, and which applications and websites they’re accessing. Make sure that your firewall also provides visibility to users, devices, and applications.

2. Does the solution support robust, secure remote access for mobile users?

Today’s users require anywhere, anytime access to the network from a variety of company-owned and personal mobile devices. But opening up the network to accommodate this type of access leads to loss of control and visibility. To provide secure connectivity from device to application while also protecting the network, organizations need to know, at all times, who the users are, and what types of devices they are using to gain access to the network. A next-generation firewall that can enable user identity, application, and device awareness helps you enforce access control and mitigate threats based on the context of the request. Network-wide identity and fine-grained behavior controls combined with VPN technology can help you secure your network and your mobile users.

3. Does the firewall provide proactive threat protection?

A proactive next-generation firewall will block the majority (> 80 percent) of malware at the gateway, with minimal intervention required from administrators. Look for a strong integrated web filtering database. Web filtering solutions that allow you to create more than one URL filtering policy let you deliver differentiated access to the Internet. You can create web or URL filtering rules for different users and groups, according to their requirements.

4. Can the firewall maintain performance when multiple security services are running?

Purchasing, deploying, and then managing multiple, dedicated security services modules is a complex and expensive process. In the past, this was the only way organizations could scale as their needs changed. Now, with next-generation firewalls, you can reduce the number of boxes to manage and deploy with a single-box solution that combines firewall, VPN, web security, anti-malware, and intrusion prevention system (IPS) solutions. Purpose-built security acceleration hardware (for example, crypto and regular expression to speed up VPN and IPS processing) needs to be part of the base platform to deliver multiple layers of advanced security on top of the firewall without performance impact. To simplify administration, look for advanced security services that can be turned on simply by activating the appropriate software license. Expanded security services should be delivered with minimal impact to network performance.

5. Does the solution offer deep visibility into applications with granular application controls?

Your organization can’t control what it can’t see. To ensure acceptable use and security policies are enforced within Web 2.0 websites that contain embedded applications, a next-generation firewall solution must be able to identify and control, with precision, individual applications utilizing application signatures or other methods. Next-generation firewall services that offer very granular controls allow administrators to create firewall policies that match the nuanced business needs of today.

Granular application control is critical, considering the volume of actions that can be performed within a commonly used application such as Facebook: posting content, “liking” a user’s status, sending mail, chatting, and more. Administrators must be able to easily identify tens of thousands of applications and micro-applications, such as games for Facebook (for example, FarmVille, Candy Crush Saga, and Bingo Blingo), Facebook Messages, and Facebook Chat, when making access control decisions. A next-generation firewall should be able to identify application behavior: what action a user is taking within an application. Administrators also should be able to set granular controls for specific categories like Facebook Video—for example, allowing users to view and tag videos, but not upload videos.

Now that’s it for today. We will be giving you details on the rest of the considerations tomorrow so you can be better equipped to choose your ideal next-gen firewall solution.

Ctelecoms Team