Next-gen firewalls: Off to a good start

By Joel Snyder, Network World |  Security, firewalls

SonicWall has so many sub-divisions of every application, none of which were documented or made any sense to us, that we gave it a failing score when we tried to allow end users to see Facebook, but not post to it — one of vendor marketing's favorite examples of why a next-generation firewall is a good idea. It was possible to block Facebook completely, but you can do that with a URL filter — you don't need a next-generation firewall. SonicWall would have had a higher score if its application identification GUI wasn't so poorly designed.

The Check Point Security Gateway has a fantastic management interface for application identification and control that is much easier to use than those of the other products we tested. However, the engine underlying that interface doesn't work as well as SonicWall's. For example, we could easily create policies that blocked particular parts of Facebook or LinkedIn, but those policies didn't actually work. Only when we blocked all of LinkedIn, for example, did the firewall behave properly.

Fortinet's FortiGate fit somewhere between SonicWall and Check Point on the management interface front. Not as elegant as Check Point, but much more usable than SonicWall, FortiGate was easy to learn and use.

But FortiGate stumbled most when encrypted traffic was involved. For example, a rule to block the popular webmail application Squirrelmail worked great when Squirrelmail was run over standard Port 80, but if we encrypted the same traffic on standard HTTPS Port 443, FortiGate wouldn't block it — even though we could see that the FortiGate was decrypting and re-encrypting the traffic as expected. The same was true of Facebook — unencrypted Facebook was blocked or allowed per policy, but if we simply used HTTPS for Facebook, the policy didn't work properly.
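The FortiGate finding above is worth turning into a repeatable check: a rule that holds on port 80 but silently fails on port 443 is exactly the kind of gap that only shows up if you probe both transports for every application you think you have blocked. The script below is an added example and is not code from the article or from Fortinet; it runs each probe over plain HTTP and over HTTPS, compares both results with the policy, and flags the "cleartext enforced, TLS not enforced" case separately from a rule that fails everywhere. The hostnames, the sample responses, and the heuristic that maps a 403/451 or a refused connection to "blocked" are all assumptions you would adjust to how your own firewall signals a deny.

```python
# Added example (not from the article): verify that an application-control
# rule gives the same answer over plain HTTP and over HTTPS, the gap the
# FortiGate test exposed. Hostnames below are constructed placeholders.
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Probe:
    app: str              # application the rule targets, e.g. "Squirrelmail"
    http_url: str         # cleartext URL a client would request
    https_url: str        # the same resource over TLS
    expect_blocked: bool  # what the firewall policy says should happen


def live_fetch(url: str, timeout: float = 5.0) -> str:
    """Classify one request as 'allowed' or 'blocked' against a real firewall.

    Heuristic (assumption): any response that reaches the origin counts as
    'allowed'; an HTTP 403/451 block page or a refused/reset connection counts
    as 'blocked'. Adjust to how your firewall actually signals a deny.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "allowed" if resp.status < 400 else "blocked"
    except urllib.error.HTTPError as exc:
        return "blocked" if exc.code in (403, 451) else "allowed"
    except (urllib.error.URLError, OSError):
        return "blocked"


def evaluate(probe: Probe, fetch: Callable[[str], str]) -> Dict[str, object]:
    """Run one probe over both transports and compare each with the policy."""
    expected = "blocked" if probe.expect_blocked else "allowed"
    http_result = fetch(probe.http_url)
    https_result = fetch(probe.https_url)
    return {
        "app": probe.app,
        "expected": expected,
        "http": http_result,
        "https": https_result,
        # policy enforced on both transports
        "enforced": http_result == expected and https_result == expected,
        # the encrypted-traffic gap: cleartext matches policy, TLS does not
        "tls_gap": http_result == expected and https_result != expected,
    }


def run_checks(probes: List[Probe],
               fetch: Callable[[str], str] = live_fetch) -> List[Dict[str, object]]:
    return [evaluate(p, fetch) for p in probes]


def tls_gaps(results: List[Dict[str, object]]) -> List[str]:
    """Names of applications whose rule works on HTTP but not on HTTPS."""
    return [str(r["app"]) for r in results if r["tls_gap"]]


# Constructed sample responses standing in for a firewall under test so the
# check runs offline; they reproduce the behaviour the article describes.
SAMPLE_RESPONSES = {
    "http://webmail.example.test/": "blocked",
    "https://webmail.example.test/": "allowed",        # rule fails over TLS
    "http://www.facebook.example.test/": "blocked",
    "https://www.facebook.example.test/": "allowed",   # rule fails over TLS
    "http://www.linkedin.example.test/": "blocked",
    "https://www.linkedin.example.test/": "blocked",   # consistent
}

SAMPLE_PROBES = [
    Probe("Squirrelmail", "http://webmail.example.test/",
          "https://webmail.example.test/", True),
    Probe("Facebook", "http://www.facebook.example.test/",
          "https://www.facebook.example.test/", True),
    Probe("LinkedIn", "http://www.linkedin.example.test/",
          "https://www.linkedin.example.test/", True),
]


def sample_fetch(url: str) -> str:
    """Offline stand-in for live_fetch, answering from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for r in run_checks(SAMPLE_PROBES, sample_fetch):
        flag = "TLS GAP" if r["tls_gap"] else ("ok" if r["enforced"] else "FAIL")
        print(f'{r["app"]:<12} http={r["http"]:<8} https={r["https"]:<8} {flag}')
```

Swap `sample_fetch` for `live_fetch` (and real URLs behind the firewall under test) to run it against hardware; the point of keeping the fetcher injectable is that the comparison logic is the same whether the answers come from a device or from a recorded run, so the check can sit in a lab regression suite and be re-run after every firmware or policy change.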

We had a difficult time making Barracuda's next-gen firewall block applications without some help from technical support, largely because of the poor design of the management GUI.

For example, because application identification occurs in the HTTP and HTTPS proxies, which are separate tools, you have to duplicate policy, wasting time and adding the opportunity for errors and inconsistencies. Barracuda told us that this, and other problems we had in the GUI, would be fixed in release 5.4, so we advise waiting until that version is available before even starting to test next-generation features.

Even if you do remember to change the policy in both proxies in the Barracuda NG Firewall, you also have to be careful when defining applications to be blocked. Although you get to pick which application you want to block in the first screen that pops up, you have to scroll down for three full screens before you can enter the list of networks this rule applies to.

Originally published on Network World.