When Evaluating Firewalls, Understand What the Choices Mean in Terms of Benefits and Trade-Offs for Your Network.
Maybe, like me, you remember the early days of firewalls, before the word resonated as a network architecture imperative.
In those days your firewall choices, if you knew them at all, were simple. Practically every solution was software based, and among the commercially available ones (versus the open source toolkits with command lines) the big question to be answered was which product is more secure: stateful inspection or proxy-based?
Both had considerable merit. Proxy-based firewalls assured you that particular applications like file transfers and email would never make a direct connection inside the network. But application proxies could be slow, whereas stateful inspection offered real-time security controls without the performance penalty of brokering a connection. The moment suspicious activity was detected, the firewall would simply block that connection, thereby averting the risk.
Today, every Internet connected device from smartphones to tablets and certainly every network of any size has an access control device or firewall as minimal protection from unwanted connectivity.
In fact firewalls, the non-brick-and-mortar kind, are so broadly understood that the concept even spawned a major motion picture. Which means the technology is long overdue for a refresh, and that is exactly what is happening in the marketplace today.
Firewalls, especially enterprise-grade ones (the kind that keep vigil over your data in banks and government data centers), have evolved greatly into sophisticated threat management systems and solutions, and they are now needed to protect against threats both outside and inside the perimeter. This means that if you are ready to upgrade your firewalls you will have tons of choices, but you’ll also need to conduct considerable research and gain an understanding of what those choices mean in terms of benefits and trade-offs for your network.
Most of today’s “new network” firewalls are actually UTMs, or unified threat management systems. Some vendors call these “next generation firewalls.” Those intended for commercial use in medium to large-scale networks are typically hardware based, and the vast majority combine a number of security functions, or layered defenses, including stateful inspection firewalling, application proxies, deep packet inspection, intrusion prevention and virtual private network (VPN) connectivity, to name a few.
Others still add web- and application-specific security, URL filtering and even anti-virus as part of the same gateway. The hardware options, as well as the combinations of features and functionality, abound. So how then do you select the right device and level of protection for your network? First, keep in mind that just because a product claims to be new or advanced doesn’t necessarily mean it is optimal for your needs and deployment.
It’s also important to understand that when it comes to functionality and performance in one device, there is no free lunch. The more the device has to do, and the more processing it must conduct simultaneously to execute its various features, the slower it will become during peak traffic hours (or the bigger the device you have to buy). So your challenge is knowing both the traffic demands of your network or data center and the types of applications and traffic that will flow through it.
You’ll also need to factor in any short-term plans for scaling or augmenting your data center architecture. Only when you have the demands of your network capacity and traffic flows in hand can you embark on selecting the right “new” firewall technology to replace those older, simpler devices.
You may be surprised at how your options shape up. The key is to buy the “right” kind and size of firewall for the use case and place of deployment in the data center or network. At the edge of your network you may want a very fast stateful packet filtering device, or one that can terminate a lot of VPN connections.
Further in the network, you might require a firewall that’s tuned to protect certain types of applications or traffic flows. Your virtualized network segments might require something more customized, a combination of technology types.
In any case, the days of stateful inspection versus proxy are long gone. Now, with the myriad of options, comes the need to be a savvy firewall customer. Your challenge will be to sort through the hype and buy what you need for your type of network. This is the first in a series of articles aimed at helping you do just that.
Next up: high performance hardware firewalls and the truth about scaling.