Archive for the ‘Firewall Stronger Security’ Category

Traditionally, firewalls have been stupid, mindless beasts—which is a little disconcerting, given that for years you’ve been relying on them to protect your company. Old-school firewalls are simple port-watchers. Leaving open the ports used for typical Web traffic, such as HTTP on port 80 and encrypted SSL traffic on port 443, old-school firewalls simply relied on applications to “play fair” and use the ports they were intended to use.


But there are problems with that approach. First, there’s nothing that says that malicious traffic cannot use supposedly safe ports. And, while most firewalls will allow all traffic that originates from a supposedly safe, trusted network, outbound traffic need not be benign. Then, the explosive growth of social networking sites (and the platform-based apps that can reside on them) has meant that there are legitimate business uses for such tools, and businesses have therefore had to allow (potentially malicious) traffic to and from those sites and devices. To top it all off, ubiquitous (and potentially insecure) mobile devices can now access your corporate network from anywhere.



Figure: Palo Alto Networks’ PA-4020 is part of the company’s powerful 4000-series NGFW line.



“In the old days, applications had their own protocols, so they could be filtered at the network layer,” says security expert Chris Hadnagy, author of Social Engineering: The Art of Human Hacking. “Now, everything runs over HTTP, meaning through port 80. To filter that, you need intelligent security at the application layer, because simply closing port 80 would shut down all legitimate Web access.” The result? The firewall you installed a few years ago is a sieve, and no longer capable of protecting your corporate network.


Figure: Juniper Networks markets its SSG140 modular security product for branch offices, regional offices, and enterprise businesses.


Next-Generation Firewalls Defined
NGFWs are a different animal. They are, by definition, capable of examining traffic at the application level, distinguishing one type of traffic from another, and taking action based not on the port being used, but on the behavior of the individual application that’s using the port. Rather than assuming that port 80 is being used for “friendly” traffic (because, after all, that’s what it’s supposed to be used for), a NGFW is aware of the applications moving through it, and it enforces policies based not on the port in use, but on the specific identity of the application using it and on the rules set up to allow—or disallow—its behavior. In other words, while a NGFW may indeed offer standard firewall features such as NAT (network address translation) and stateful inspection, its salient feature is a more granular level of control that we characterize as “application awareness.” NGFWs thus identify, categorize, and control application traffic based on policies set by network administrators. Because of this awareness, a NGFW can do much more than simply control port-based traffic: It provides a security mechanism that allows for intrusion detection and prevention, anti-malware, antispam, VPN (virtual private network) functionality, and more.
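As an added illustration of the distinction this section draws (not code from the article or from any vendor it names), the toy model below applies a port-based rule set and an application-aware rule set to the same constructed flows; the application signatures are simplified stand-ins for what a real NGFW’s identification engine does:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the session


def identify_app(payload: bytes) -> str:
    """Classify the application from its wire signature, ignoring the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 3.x
    if payload[:3] in (b"\x16\x03\x00", b"\x16\x03\x01", b"\x16\x03\x02", b"\x16\x03\x03"):
        return "tls"
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http"
    return "unknown"


def port_based_policy(flow: Flow) -> str:
    """Old-school firewall: the destination port alone decides."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


# Application-aware rules: (identified app, port) -> action. A flow is allowed
# only if a rule names its application, so SSH tunnelled over port 80 is caught.
APP_RULES = {
    ("http", 80): "allow",
    ("tls", 443): "allow",
}


def app_aware_policy(flow: Flow) -> str:
    return APP_RULES.get((identify_app(flow.payload), flow.dst_port), "deny")


SAMPLE_FLOWS = {  # constructed traffic samples, not real captures
    "web_on_80": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
    "tls_on_443": Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    "ssh_on_80": Flow(80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "ssh_on_22": Flow(22, b"SSH-2.0-OpenSSH_8.9\r\n"),
}


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {name: (port-based decision, app-aware decision)} for each flow."""
    return {name: (port_based_policy(f), app_aware_policy(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:12} port-based={old:5} app-aware={new}")
```

Only the SSH-over-80 flow separates the two policies: the port-based rule waves it through because 80 is “safe”, while the application-aware rule denies it because no rule permits SSH on that port.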


The Future Of NGFWs
NGFWs are a nascent market. Gartner estimates that less than 1% of secure interconnections currently use a NGFW. However, numerous NGFW vendors have emerged, including Palo Alto Networks, Crossbeam, McAfee, SonicWALL, and others. Prices vary widely, depending on factors that include the number of gateways, device throughput under different security scenarios, maximum number of simultaneous sessions, and number of users supported. Given the burgeoning and ever-adaptive malware threat, it may be time to re-evaluate your security tools; perhaps a NGFW is what you need to help keep your network secure.

