
Firewall Wars 2.0 – Are You Armed?

When Evaluating Firewalls, Understand What the Choices Mean in Terms of Benefits and Trade Offs for your Network.

Maybe like me, you remember the early days of firewalls. This is before the word resonated as a network architecture imperative.


In those days your firewall choices, if you knew them at all, were simple. Practically every solution was software based, and among the commercially available ones (versus the open source toolkits with command lines) the big question to be answered was which approach is more secure: stateful inspection or proxy-based?

Both had considerable merit. Proxy-based firewalls assured that particular applications, like file transfers and email, never made a direct connection inside the network: the proxy terminated the client's connection and opened a separate one of its own to the destination. But application proxies could be slow, whereas stateful inspection offered real-time security controls without the performance penalty of brokering a connection: the firewall tracked the state of each connection and forwarded only packets that fit it. The moment suspicious activity was detected the firewall would simply block that connection, averting the risk.
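As an added illustration of the two mechanisms described above (example code written for this page, not code from the original column, which contains none): a toy stateful-inspection filter in Python that admits inbound packets only when they match a connection an inside host already opened, beside a small helper showing how a proxy instead splits one client connection into two legs so that the outside server only ever sees the proxy's address. All addresses, ports, the proxy address and the packet trace are constructed for the example.

```python
"""Toy stateful-inspection filter versus proxy brokering.

Constructed example for illustration only; not a real firewall and not from
the original article. Packets are represented as plain records and the
'network' is a hand-built list of them.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (inside_ip, inside_port, outside_ip, outside_port) identifies one connection
FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str       # "SYN", "SYN-ACK", "ACK", "PSH-ACK", "FIN-ACK" or "RST"
    direction: str   # "out" = sent by an inside host, "in" = from the Internet


class StatefulFilter:
    """Policy: inside hosts may open connections outbound; an inbound packet
    is allowed only if it belongs to a connection the inside already
    initiated. Packets are forwarded unchanged; no second connection is
    brokered, which is where the performance advantage over a proxy comes from."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}   # connection -> tracked state

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        # Both directions of one connection map to the same table entry.
        if p.direction == "out":
            return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        state = self.table.get(key)
        if p.direction == "out":
            if p.flags == "SYN" and state is None:
                self.table[key] = "SYN_SENT"          # new outbound connection
                return "ALLOW"
            if state in ("SYN_SENT", "ESTABLISHED"):
                if p.flags == "RST":
                    del self.table[key]               # inside host tore it down
                return "ALLOW"
            return "DROP"                             # mid-stream packet with no state
        # inbound
        if state is None:
            return "DROP"                             # unsolicited: nobody inside asked
        if state == "SYN_SENT" and p.flags == "SYN-ACK":
            self.table[key] = "ESTABLISHED"           # handshake completing
            return "ALLOW"
        if state == "ESTABLISHED" and p.flags in ("ACK", "PSH-ACK", "FIN-ACK"):
            return "ALLOW"
        if p.flags == "RST":
            self.table.pop(key, None)                 # peer tore it down
            return "ALLOW"
        # Anything else does not fit the tracked state: treat it as suspicious
        # and block the whole connection, not just this packet.
        self.table.pop(key, None)
        return "DROP"


def proxy_legs(p: Packet, proxy_ip: str = "203.0.113.1",
               proxy_port: int = 60000) -> Tuple[Packet, Packet]:
    """What a proxy does instead (proxy_ip/proxy_port are assumed values):
    terminate the inside host's connection at the proxy and open a second,
    independent connection from the proxy to the outside server. The inside
    host's address never appears on the outside leg."""
    inside_leg = Packet(p.src_ip, p.src_port, proxy_ip, p.dst_port, p.flags, "out")
    outside_leg = Packet(proxy_ip, proxy_port, p.dst_ip, p.dst_port, p.flags, "out")
    return inside_leg, outside_leg


def run_trace(packets: List[Packet]) -> List[str]:
    """Run a packet list through a fresh filter and return the verdicts."""
    fw = StatefulFilter()
    return [fw.filter(p) for p in packets]


# Constructed trace: one legitimate outbound HTTPS connection, then an
# unsolicited inbound SYN to port 445 and an inbound ACK that matches no flow.
TRACE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "SYN", "out"),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SYN-ACK", "in"),
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "ACK", "out"),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "PSH-ACK", "in"),
    Packet("198.51.100.7", 40000, "10.0.0.5", 445, "SYN", "in"),
    Packet("198.51.100.7", 40000, "10.0.0.5", 51000, "ACK", "in"),
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace(TRACE)):
        print(f"{verdict:5} {pkt.direction:3} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port} [{pkt.flags}]")
    inside, outside = proxy_legs(TRACE[0])
    print("proxy inside leg :", inside)
    print("proxy outside leg:", outside)
```

The first four packets are allowed because the filter saw the inside host open the connection; the last two are dropped without any application-layer work. The proxy helper shows the trade-off the column refers to: the outside leg carries the proxy's own address and port, which hides the inside host but costs a second TCP connection per client session.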

Today, every Internet connected device from smartphones to tablets and certainly every network of any size has an access control device or firewall as minimal protection from unwanted connectivity.

In fact firewalls, the non-brick and mortar kind, are so broadly understood that the concept even spawned a major motion picture. Which means the technology is long overdue for a refresh, and that is exactly what is happening in the marketplace today.

Firewalls, especially enterprise-grade ones, the kind that keep vigil over your data in banks and government data centers, have evolved greatly into sophisticated threat management systems, and they are now needed to protect against threats both outside and inside the perimeter. This means that if you are ready to upgrade your firewalls you will have tons of choices, but you'll also need to conduct considerable research and gain an understanding of what those choices mean in terms of benefits and trade-offs for your network.

Most of today's "new network" firewalls are actually UTMs, or unified threat management systems. Some vendors call these "next generation firewalls." Those intended for commercial use in medium to large-scale networks are typically hardware based. And the vast majority combine a number of security functions or layered defenses, including stateful inspection firewalling, application proxies, deep packet inspection, intrusion prevention and virtual private network (VPN) connectivity, to name a few.

Others still add web and application specific security, URL filtering and even anti-virus as part of the same gateway. The hardware options as well as the combination of features and functionality abound. So how then do you select the right device and level of protection for your network? First, you need to keep in mind that just because a product claims to be new or advanced doesn’t necessarily mean that it is optimal for your needs and deployment.


It's also important to understand that when it comes to functionality and performance in one device, there is no free lunch. The more the device has to do, and the more processing it must conduct simultaneously to execute its various features, the slower it will become during peak traffic hours (or the bigger the device you have to buy). So your challenge is in knowing both the traffic demands of your network or data center and the types of applications and traffic that will flow through it.

You’ll also need to factor in any short-term plans for scaling or augmenting your data center architecture. Only when you have the demands of your network capacity and traffic flows in hand can you embark on selecting the right “new” firewall technology to replace those older simpler devices.

You may be surprised as to how your options shape up. The key is to buy the “right” kind and size firewall for the use case and place of deployment in the data center or network. At the edge of your network you may want a very fast stateful packet filtering device or one that can terminate a lot of VPN connections.

Further in the network, you might require a firewall that’s tuned to protect certain types of applications or traffic flows. Your virtualized network segments might require something more customized that is a combination of technology types.

In any case, the days of stateful inspection versus proxy are long gone. Now, with the myriad of options comes the need to be a savvy firewall customer. Your challenge will be to sort through the hype and buy what you need for your type of network. This is the first in a series of articles aimed at helping you do just that.

Next up: high performance hardware firewalls and the truth about scaling.
