Firewalls can be the star performer in your inventory of security controls. A good firewall not only provides ways to manage user, application, and system behavior, but it also offers multiple avenues for controlling network traffic and can help companies cut back on vendor sprawl.
Yet in order to achieve optimal functionality, organizations must say goodbye to the firewalls of yesterday and welcome the new wave of Next-Generation Firewalls (NGFWs). As Gartner put it, “The firewall market has evolved from simple stateful firewalls to NGFWs, incorporating full stack inspection to support intrusion prevention, application-level inspection, and granular policy control.”
Traditional stateful firewalls are less effective than they once were. Adversaries are more capable and more often financially motivated than the defacement-driven attackers of the past, and stateful inspection cannot tell apart traffic types that share the same ports, nor control traffic by other attributes such as geographic origin, application, or user identity.
NGFWs offer several compelling functional advantages over stateful firewalls that can help organizations overcome these challenges.
Identity-based policy
Not all employees need the same network privileges. By integrating with identity sources such as LDAP or Active Directory, NGFWs can write rules that apply to individual users or groups rather than to IP addresses, granting or restricting access for specific people. For instance, an NGFW can allow the human resources department to reach Facebook while blocking it for everyone else. The same user-to-address mapping lets the firewall attribute traffic to a named user instead of an IP address, which improves visibility and auditing: use of a prohibited application can be traced back to an individual employee's workstation so the application can be removed. One caveat: the attribution is only as reliable as the identity source and the method used to learn which user sits behind an address, so shared workstations, NAT, and stale logon sessions can misattribute traffic.
Application awareness
Modern firewalls are no longer limited to filtering on IP addresses, ports, and transport protocols. Leading vendors such as Palo Alto Networks, Check Point, and Sophos maintain granular signature databases that fingerprint application traffic regardless of the port it uses. An organization can therefore allow Facebook but block specific applications within it, such as Facebook games. Likewise, where it might once have permitted all instant messenger traffic, an application-aware firewall can block every messenger except Google Hangouts. Because most of this traffic is now encrypted, identifying a sub-application usually requires either TLS decryption (SSL inspection) on the firewall or reliance on unencrypted signals such as the server name sent in the TLS handshake, so the achievable granularity depends on what the firewall is permitted to inspect.
Geo-blocking
As a matter of best practice, security teams try to block unauthorized or undesirable traffic as close to the perimeter as possible, before it reaches controls deeper in the architecture. Stopping unwanted traffic at the outer threshold reduces the load on downstream controls and the volume of events that would otherwise be logged and later reviewed by analysts.
Geo-blocking, the practice of dropping traffic to or from specific countries, lets an organization reject hosts that have no business communicating with its network. In the past, IT departments had to build static block lists of network ranges by country of ownership and keep them current by hand; NGFWs instead ship pre-defined geographic objects that the vendor updates automatically, which improves accuracy, shortens deployment, and removes the maintenance burden. Geo-blocking is a coarse control, however: IP geolocation data is approximate, and an attacker can simply route through infrastructure in a permitted country, so treat it as a way to cut noise at the perimeter rather than as a barrier to a determined adversary.
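To make concrete what the hand-maintained block list above involves, here is an added Python example (not code from the original post or from any firewall vendor). It models a geolocation table as prefix-to-country mappings, resolves an address with a longest-prefix match so that a more specific carve-out overrides its parent block, and applies a country block list with explicit host exceptions. The prefixes use the RFC 5737 and RFC 3849 documentation ranges and the country codes are invented, so the table is constructed and runnable offline; in a real deployment that table is the vendor-maintained geo object, and this data-only structure is what makes automatic updates possible.

```python
"""Geo-blocking decision with longest-prefix country lookup (added illustration).

GEO_DB uses documentation-only prefixes (RFC 5737 / RFC 3849) and made-up
country codes; a real table comes from a maintained geolocation feed.
"""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Constructed geolocation table: prefix -> country code.
# The /25 inside 192.0.2.0/24 is deliberate: it models a sub-allocation
# registered to a different country, which a naive first-match lookup would miss.
GEO_DB: Dict[str, str] = {
    "192.0.2.0/24": "AA",
    "192.0.2.128/25": "BB",
    "198.51.100.0/24": "BB",
    "203.0.113.0/24": "CC",
    "2001:db8::/32": "AA",
}

BLOCKED_COUNTRIES = {"BB", "CC"}

# Explicit exceptions that override a country block, e.g. a partner's VPN endpoint.
ALLOWED_EXCEPTIONS = ["198.51.100.77/32"]


class GeoBlocker:
    def __init__(self, geo_db: Dict[str, str], blocked: Iterable[str], exceptions: Iterable[str]):
        # Longest prefix first, so the first containing network is the most specific one.
        self._nets = sorted(
            ((ipaddress.ip_network(prefix), cc) for prefix, cc in geo_db.items()),
            key=lambda item: item[0].prefixlen,
            reverse=True,
        )
        self._blocked = set(blocked)
        self._exceptions = [ipaddress.ip_network(p) for p in exceptions]

    def country_of(self, ip: str) -> Optional[str]:
        """Return the country code of the most specific prefix containing ip, or None."""
        addr = ipaddress.ip_address(ip)
        for net, cc in self._nets:
            if addr.version == net.version and addr in net:
                return cc
        return None

    def decide(self, ip: str) -> Tuple[str, str]:
        """Return (action, reason). Unmapped addresses are passed to downstream
        controls rather than dropped, which is a design choice for this example."""
        addr = ipaddress.ip_address(ip)
        if any(addr.version == n.version and addr in n for n in self._exceptions):
            return ("allow", "explicit exception overrides geo policy")
        cc = self.country_of(ip)
        if cc is None:
            return ("allow", "no geolocation data; log for review")
        if cc in self._blocked:
            return ("deny", "country %s is blocked" % cc)
        return ("allow", "country %s is permitted" % cc)


if __name__ == "__main__":
    gb = GeoBlocker(GEO_DB, BLOCKED_COUNTRIES, ALLOWED_EXCEPTIONS)
    for ip in ["192.0.2.10", "192.0.2.200", "198.51.100.77", "198.51.100.78", "2001:db8::1", "198.18.0.1"]:
        print(ip, gb.country_of(ip), gb.decide(ip))
```

Two points the code makes that the paragraph only implies: the lookup must honour the most specific prefix (192.0.2.200 belongs to BB, not AA), and exceptions need to be evaluated before the country rule or a legitimate partner in a blocked country gets cut off. Both are things a hand-maintained list tends to get wrong as allocations change.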
Consolidation of network security controls
Subject to the same economic pressures as other business units, security teams are continually asked to do more with less. Rather than deploying point products such as a firewall, an intrusion prevention system (IPS), and a web content filter separately throughout the architecture, IT teams now get better results by consolidating these functions into a single appliance or system. Current processors make it possible for one system to act as firewall and IPS while also performing data loss prevention (DLP), spam filtering, and web filtering. Additional controls can still be deployed deeper in the internal architecture, but a properly sized NGFW can carry a wide range of security responsibilities. Sizing is the operative word: each enabled feature, and TLS decryption in particular, costs throughput, and a single consolidated box is a single point of failure, so plan capacity against vendor figures measured with all intended features enabled and deploy in a high-availability pair. As an added benefit, consolidated deployments come from a single vendor and typically cost less thanks to bundled-feature discounts.
If your organization is looking to replace or update its firewalls and perimeter security controls, contact SHI’s Security Team for help finding the best fit for your business needs.