What should enterprises expect if they want to make the transition from a traditional firewall to a next-generation firewall? It starts with a decidedly different way of thinking about security goals associated with a firewall, especially in terms of establishing application-aware controls over employees as they access the Internet, the Web and social networking sites. (See Unbatten the hatches.)
"There is a chasm to cross," acknowledges Patrick Sweeney, vice president of product management at SonicWall. The old way of talking about traditional port-based firewalls, with system administrators discussing the "language of protocols," is inadequate. Companies need to adopt a more business-focused vocabulary, related to application use, that's common to the CIO, CFO and CEO. "There has to be unification of the languages they speak," Sweeney says.
That's because the new generation of fast, intelligent firewalls is application-aware, enabling enterprises to establish and enforce identity-based application usage policies for employees. So-called next-generation firewalls (NGFW) also incorporate VPN capabilities, perform intrusion-prevention inspection of traffic, are smart enough to use technologies such as reputation filtering, and integrate with Active Directory for identity and policy management.
That's the definition put out by research firm Gartner as well as several vendors -- including Palo Alto Networks, McAfee, Check Point, Fortinet, Barracuda Networks and SonicWall -- that have embraced the NGFW term to describe their firewall products.
Although the NGFW wave is at least three years old, Gartner acknowledges that actual adoption is still very low today, less than 1%. Looking ahead, Gartner optimistically predicts NGFW adoption will grow to 35% by 2014.
Vendors continue to evolve their NGFW offerings, and the NGFW "should become your primary firewall," says Gartner analyst Greg Young. Even if your enterprise is not at the point of reviewing its firewall contracts for renewal or replacement, IT managers should be researching vendors' NGFW road maps and preparing for the next refresh cycle, he says.
One adoption driver is the opportunity to see network activity and bandwidth consumption more clearly, says SonicWall's Sweeney. "You can look at any particular user and see if they're using BitTorrent or some application," he says.
Enterprises can administer application controls related to bandwidth needs and priorities via an NGFW. Additionally, some NGFWs, including those from Check Point and SonicWall, can act like data-loss prevention tools, blocking usage based on keywords and other identifiers.
Check Point offers NGFW controls in its firewall gear today via application-control software blades that cover nearly 5,000 applications and 90,000 social-network widgets, says Oded Gonda, vice president of network security. The Check Point approach also offers a way to warn a user rather than outright blocking access, Gonda says. That involves interposing an "inform" screen to explain to a user going to Facebook that corporate policy might restrict sharing certain company-related information. "Sometimes you don't want to block, you want to educate," Gonda says.
The Check Point NGFW can also play a role in finding out why people are turning to Internet-based applications. "The IT department wants to understand why people are using Google Docs," Gonda offers by way of example. "Sometimes it's hard to collect this information. So, the first time you use Google Docs, you have to input in the answer screen why you're using it." Check Point calls this function "User Check," and it's just starting to make it available in 2011.
Migrating from a traditional firewall to an NGFW is not trivial, Young acknowledges. "You have to migrate rules and policy," and staff will require training, he says.
Some companies opt to gradually shift to NGFWs by running both traditional and next-generation firewalls in tandem. About half of SonicWall's customers have started to use an application-aware NGFW to some extent, Sweeney notes, and they often maintain their traditional firewall rules while incorporating application-based controls over time.
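As an added illustration (not code from the article or from any vendor named in it), the toy policy evaluator below models what the article describes: the gap between port-based rules and application/identity-aware rules, the "inform" action that records a user's stated reason before allowing the application, and a tandem migration in which the legacy port rules stay in force while application controls are layered on top. All users, groups, applications and rules are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset        # directory group membership (e.g. from an AD lookup)
    dst_port: int
    app: Optional[str]       # application identified by the firewall, None if unknown

@dataclass(frozen=True)
class PortRule:
    dst_port: int
    action: str              # "allow" or "block"

@dataclass(frozen=True)
class AppRule:
    app: str
    group: Optional[str]     # None matches every user
    action: str              # "allow", "block" or "inform"

def port_layer(flow, port_rules):
    """Traditional port-based decision: first matching rule wins, default deny."""
    for r in port_rules:
        if r.dst_port == flow.dst_port:
            return r.action
    return "block"

def evaluate(flow, port_rules, app_rules, acknowledged):
    """Legacy port rules first (kept during a tandem migration), then app/identity rules."""
    if port_layer(flow, port_rules) == "block":
        return "block"
    if flow.app is None:                     # unidentified traffic keeps the port-layer result
        return "allow"
    for r in app_rules:                      # first matching application rule wins
        if r.app == flow.app and (r.group is None or r.group in flow.groups):
            if r.action == "inform" and (flow.user, flow.app) not in acknowledged:
                return "inform"              # show the inform screen; no traffic passes yet
            return "allow" if r.action == "inform" else r.action
    return "allow"

def acknowledge(acknowledged, user, app, reason):
    """Record the user's stated reason (User Check-style prompt); later flows are allowed."""
    acknowledged[(user, app)] = reason

# Constructed sample policy; not any vendor's rule syntax
PORT_RULES = [PortRule(443, "allow"), PortRule(80, "allow")]
APP_RULES = [AppRule("bittorrent", None, "block"),
             AppRule("facebook", "marketing", "allow"),
             AppRule("facebook", None, "inform"),
             AppRule("google-docs", None, "inform")]
```

A BitTorrent session tunnelled over port 443 is allowed by the port layer alone but blocked once the application layer is consulted, which is the visibility gain the article describes.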
On the positive side, enterprises should be able to reap some cost savings by moving to a consolidated multi-function NGFW, according to Young.
This story, "2011 tech priorities: Moving to a next-generation firewall" was originally published by Network World.