2020/07/13 IT & Cyber-Security Solutions 1591 visit(s)
Many midsize companies already realize the need to reinforce their traditional security solution and address new trends arising from mobility and cloud. These dynamics complicate the challenge of maintaining network security, and tax the network’s ability to perform optimally for the business. Traditional firewalls are not effective at seeing what users are doing, the types of applications they’re accessing, or the devices they’re using. Next-generation firewalls are designed to help close some of the gaps.
A next-generation firewall is an important component of a threat-centric security model. It’s important to move to a threat-centric model to gain visibility across your network and respond appropriately to threats before, during, and after an attack. As you evaluate next-generation firewalls for your organization, keep in mind that any solution must:
Additionally, when multiple services are enabled, a next-generation firewall solution should not significantly degrade performance while it is ensuring protection, policy, consistency, and context all at once, and at wire speed.
Today’s blog presents 10 considerations for midsize companies to weigh when evaluating a next-generation firewall solution, but we will only discuss the first five and leave the rest for our next blog.
So, with no further ado, here’s what to consider for an effective next-gen firewall solution:
Now let’s dive into details:
A next-generation firewall needs to understand both threat and network traffic. A solution built on a comprehensive stateful firewall foundation can provide visibility into potential security gaps, such as open ports. The firewall should feature an extensive stateful inspection engine that helps protect critical assets while also delivering high-performance security and reliability. The next-generation firewall should maximize network security with clear, deterministic Layer 3 and Layer 4 policies. Capabilities such as site-to-site virtual private network (VPN), network address translation (NAT), and dynamic routing also help to deliver secure, reliable access and robust perimeter security. The next-generation firewall must also be able to identify which users are connecting to the network and from where, what devices they’re using, and which applications and websites they’re accessing. Make sure that your firewall also provides visibility to users, devices, and applications.
Today’s users require anywhere, anytime access to the network from a variety of company-owned and personal mobile devices. But opening up the network to accommodate this type of access leads to loss of control and visibility. To provide secure connectivity from device to application while also protecting the network, organizations need to know, at all times, who the users are, and what types of devices they are using to gain access to the network. A next-generation firewall that can enable user identity, application, and device awareness helps you enforce access control and mitigate threats based on the context of the request. Network-wide identity and fine-grained behavior controls combined with VPN technology can help you secure your network and your mobile users.
A proactive next-generation firewall will block the majority (> 80 percent) of malware at the gateway, with minimal intervention required from administrators. Look for a strong integrated web filtering database. Web filtering solutions that allow you to create more than one URL filtering policy let you deliver differentiated access to the Internet. You can create web or URL filtering rules for different users and groups, according to their requirements.
Purchasing, deploying, and then managing multiple, dedicated security services modules is a complex and expensive process. In the past, this was the only way organizations could scale as their needs changed. Now, with next-generation firewalls, you can reduce the number of boxes to manage and deploy with a single-box solution that combines firewall, VPN, web security, anti-malware, and intrusion prevention system (IPS) solutions. Purpose-built security acceleration hardware (for example, crypto and regular expression to speed up VPN and IPS processing) needs to be part of the base platform to deliver multiple layers of advanced security on top of the firewall without performance impact. To simplify administration, look for advanced security services that can be turned on simply by activating the appropriate software license. Expanded security services should be delivered with minimal impact to network performance.
Your organization can’t control what it can’t see. To ensure acceptable use and security policies are enforced within Web 2.0 websites that contain embedded applications, a next-generation firewall solution must be able to identify and control, with precision, individual applications utilizing application signatures or other methods. Next-generation firewall services that offer very granular controls allow administrators to create firewall policies that match the nuanced business needs of today.
Granular application control is critical, considering the volume of actions that can be performed within a commonly used application such as Facebook: posting content, “liking” a user’s status, sending mail, chatting, and more. Administrators must be able to easily identify tens of thousands of applications and micro-applications, such as games for Facebook (for example, FarmVille, Candy Crush Saga, and Bingo Blingo), Facebook Messages, and Facebook Chat, when making access control decisions. A next-generation firewall should be able to identify application behavior: what action a user is taking within an application. Administrators also should be able to set granular controls for specific categories like Facebook Video—for example, allowing users to view and tag videos, but not upload videos.
Now that’s it for today. We will be giving you details on the rest of the considerations tomorrow so you can be better equipped to choose your ideal next-gen firewall solution.