Who am I?
• Long time tech journalist, product reviewer and speaker
• IT manager from the dawn of the PC era
• Former editor-in-chief at Network Computing, Tom’s Hardware.com
• Author of two books on computer networking
• Based here
What about UTMs?
• Pro:
– A lot of protection for the $ nowadays (Juniper/Check Point)
– One box does it all
• Con:
– Complex licensing issues
– Can get expensive if you have high bandwidth needs
– Latency can kill you if you turn on Anti-Virus
Firewalls have been labeled "next generation" for as long as the Star Trek TV series have been so designated. And while many of us have a preference for the classic firewall, we should at least consider what the next generation brings to the party. One issue is that labels don't describe the whole range of issues involved in migrating and supporting next gen firewalls. We will talk about some of them here.
Cisco’s Adaptive Security Appliance, what they call their firewall, used to have a tired user interface shown here. It was a Windows application (not Web), and based on the traditional ports and protocols approach.
So let’s look at some of the more important characteristics of next gen firewalls; we will touch on these topics in more depth.
First is applications granularity. Here is what the Cisco Prime, which is their next generation interface, looks like now. You can see all the various Facebook applications controls here and they can get very nitty-gritty into how you allow or block games or sports or other aspects of the popular social networking service.
Cisco ASA Next Gen application awareness allows you to set these various slider switches, you can see they have come a long way from their older interface. And this is all available via the Web too! We start out by choosing Facebook messaging to focus our policy on. We then come to the screen below where you can use simple slider controls to enable various aspects of our policy and its various components, such as to allow attachments to be uploaded or downloaded, or to block the posting of photos to anyone's Facebook account. With the older firewalls, you typically had to experiment with rules through mostly trial and error before you could be sure that they were blocking or allowing particular behaviors.
Most of the next gen firewalls operate similarly to what we have shown with the Cisco ASA line and have easier-to-use graphical interfaces. As another example, here is a dashboard that shows you at a glance what kinds of exploits have been reported across your network. A lot nicer than that old crusty Cisco ASA interface!
Palo Alto Networks takes things a step further with its online Applipedia, which lists over 1,000 different applications and characterizes them by risk, the ports that they use, and whether they are prone to particular exploits. Here you see the details for the Facebook chat application.
A second aspect of next gen firewalls is their ability to handle reputation management of incoming domains. You can look up the history of a domain, how active it has been, and whether it has been party to sending spam or other malware. Cisco's SenderBase and McAfee's TrustedSource (which is what we are looking at here) have similar databases that are freely available for browsing and education purposes and also serve as the basis for their next gen application awareness engines.
Complementing applications awareness is the ability to add domain or IP reputation management to the firewall actions. This is done through a combination of sensors that are placed across the Internet and whitelist and blacklist particular domains or IP source addresses as potential malware. As part of the reputation management feature, you can create individual profiles for particular domains. Here we are using the Cisco ASA firewall reputation scoring and tagging feature to segregate out particular traffic from domains. BYU-Hawaii uses a different take on domain reputation. After getting severely hacked last year, the university wanted something that could isolate its servers into separate security zones, and looked at several next gen firewalls for this feature. "This way the database server and application server are in separate zones and they can only talk to each other. If our servers are compromised, our databases are still intact."
The McAfee Enterprise Firewall is an example of a new breed of applications-aware tools where the colored bubbles indicate the volume of events and firewall actions between a source (who) and a destination (where). The bigger the bubble, the more traffic. This is an example of the integrated IPS that is part of the firewall, where you can start to have intelligence about what is happening across your network as part of the firewall console and configuration.
Another aspect is to add geo-location intelligence to the standard firewall package. Here we are looking at the McAfee Enterprise Firewall and you can see we can block traffic from particular export-limited countries such as Cuba from entering our network.
But deploying next gen firewalls isn’t very simple. The problem is that the next gen products operate differently when it comes to NAT and QoS deployment. Also, most traditional firewall administrators are used to thinking of blocking incoming threats, whereas for next generation admins, "you look at the outbound interface more closely," he said. One example of this is how "some companies use an IPS as a way to monitor the health and well being of their firewalls, so they have evolved with separate staffs to handle each device. This makes for a less compelling case for integrating them."
This infographic is very depressing, and shows you how much original content is uploaded to these various Internet sites every minute. If there ever was an argument for having better firewalls, this should be in your slide deck too.
You need a full understanding of when to use application IDs in your firewall rule sets. You need to know what protocols are being used by which apps, and when using a classic port/protocol approach is appropriate and when it isn't. The issue with application control isn't a technical issue, but that IT managers have to understand its implications and consequences. You could inadvertently block your employees' access to Facebook games. Ideally, IT should coordinate closely with human resources and management to ensure that the intended policies are deployed correctly.
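As an added illustration (not from the talk or from any vendor's product), here is a toy policy evaluator that contrasts a classic port/protocol rule with an application-ID rule set modeled on the Facebook sub-application controls described above; the rule names, app labels and sample flows are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, List, Dict, Tuple

@dataclass(frozen=True)
class Flow:
    """One observed session: the classic L4 tuple plus the app-ID the
    inspection engine derived from it (constructed sample values)."""
    dst_port: int
    proto: str
    app: str         # e.g. "facebook-chat", "facebook-games"
    parent_app: str  # e.g. "facebook"

@dataclass
class Rule:
    action: str                      # "allow" or "block"
    port: Optional[int] = None       # classic port match (None = any)
    proto: Optional[str] = None      # classic protocol match (None = any)
    apps: frozenset = field(default_factory=frozenset)  # app-ID match

    def matches(self, flow: Flow) -> bool:
        if self.port is not None and flow.dst_port != self.port:
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        # An app-ID rule matches the exact app or its parent application,
        # so "facebook" covers every Facebook sub-application.
        if self.apps and flow.app not in self.apps and flow.parent_app not in self.apps:
            return False
        return True

def evaluate(rules: List[Rule], flow: Flow, default: str = "block") -> str:
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default

# Classic rule set: everything on TCP/443 is allowed, so Facebook chat,
# Facebook games and any other HTTPS app look identical to the firewall.
CLASSIC = [Rule("allow", port=443, proto="tcp")]
# App-aware rule set: block one sub-application, allow the rest of Facebook,
# and let the default-deny catch anything else, even on 443.
APP_AWARE = [Rule("block", apps=frozenset({"facebook-games"})),
             Rule("allow", apps=frozenset({"facebook"}))]

FLOWS = [Flow(443, "tcp", "facebook-chat", "facebook"),
         Flow(443, "tcp", "facebook-games", "facebook"),
         Flow(443, "tcp", "dropbox", "dropbox")]

def compare(flows: List[Flow]) -> Dict[str, Tuple[str, str]]:
    """Map each flow's app-ID to (classic verdict, app-aware verdict)."""
    return {f.app: (evaluate(CLASSIC, f), evaluate(APP_AWARE, f)) for f in flows}
```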
Inertia is probably the biggest sticking point for why people haven't upgraded their firewalls and could be one reason that many stick with Cisco. The IT Director at Houston-based Texas Heart Institute did with his Cisco ASA firewalls. He moved to the CX models because he trusted Cisco and "didn't want any downtime. Plus, we aren't adding a new piece of gear to our existing Cisco infrastructure such as switches and VPNs, and we have staff that are already trained how to use them," he said. "There isn't much of a learning curve to come up to speed on the CX next gen features."
One IT manager told me it took him four months to do the migration, with most of the time related to issues involving having a large group of people coordinating their efforts because each was responsible for a different part of their network. He also had outdated documentation of their network that didn't help matters. Like many businesses, they grew organically over time and their documentation had lagged behind. So make sure you update this before you start any migration process, and get your house in order.
The more virtualized environments of today's networks add to the complexity of their information security structure. The traditional firewall technologies simply don't scale to the cloud.
This is just a partial list of them: I have found 20 and have tested 6 or 7 for Network World. You can find the links to these on my strominator.com blog.
This is Catbird’s vCenter configuration, you see that they use a separate virtual network interface for the management of the VMs that are running on that particular hypervisor.
Another issue is how existing firewalls are used, or more accurately, misused. In some cases, businesses have come to rely too heavily on their firewalls, often as their sole piece of network routing infrastructure with no edge routers in place. "This makes it difficult to rip and replace them," said Hubbard.
In recent years, UTMs from Juniper (which we are looking at here), Check Point Software and others have gotten better, incorporating the same security features that used to be found only on the most expensive models across their entire UTM lines.
Sonicwall wireless settings, which are one reason to choose their box if you want better integration of wireless and wired protection.
Check Point UTM licensing details, showing that with UTMs it can be difficult to get all the various modules installed and that figuring out pricing can be complex. But the next gen FWs can save money; depending on your own licensing requirements, they could actually cost less: at BYU-Hawaii, replacing their older firewall and anti-malware licenses actually ended up being cheaper. "We are saving a bundle on maintenance fees now."
Here is another example of a popular UTM box from Watchguard and its control console.
Cyphort has this scanner that you can download for free, along with other tools. Norse displays the actual attacks they are seeing in real time.
This is from Norse and shows you the activity of a particular IP address