The next-generation firewall is well defined by Gartner as something new and enterprise-focused “incorporating full-stack inspection to support intrusion prevention, application-level inspection and granular policy control” .
Most network security vendors are now offering application visibility and control by either adding application signatures to their IPS engine, or offering you an add-on license for an application control module. In either case, these options are additive to a port-based firewall, and do little to help you focus on the fundamental tasks your firewall is designed to execute.
( Read more: Top 5 Application Security Technology Trends )
Next-Generation Firewall Requirements:
- Identify applications regardless of port, protocol,evasive tactic or decryption.
- Identify users regardless of device or IP address.
- Decrypt outbound SSL.
- Protect in real-time against known and unknown threats embedded across applications.
- Deliver predictable, multi-gigabit inline deployment.
Firewall selection criteria will typically fall into three areas: security functions, operations, and performance.The security functional elements correspond to the efficacy of the security controls, and the ability for your team to manage the risk associated with the applications traversing your network. From an operations perspective, the big question is, “where does application policy live, and how hard or complex is it for your team to manage?”
The performance difference is simple: can the firewall do what it’s supposed to do at the required throughput your business needs?
( Read more: How Should a CISO choose the right Anti-Malware Technology? )
The Top 10 Things Your Next Firewall Must Do are:
- Identify and control applications on any port
- Identify and control circumventors
- Decrypt outbound SSL and control SSH
- Provide application function control
- Systematically manage unknown traffic
- Scan for viruses and malware in all applications, on all ports
- Enable the same application visibility and control for all users and devices
- Make network security simpler, not more complex, with the addition of application control
- Deliver the same throughput and performance with application control fully activated
- Support the exact same firewall functions in both a hardware and virtualized form factor
What does 'NextGen Firewall' mean to you? Are there more features that should be added to the checklist? Share your views in the comments below