Firewall Wars 2.0 – Are You Armed?

When Evaluating Firewalls, Understand What the Choices Mean in Terms of Benefits and Trade-Offs for Your Network.

Maybe, like me, you remember the early days of firewalls. That was before the word resonated as a network architecture imperative.


In those days your firewall choices, if you knew them at all, were simple. Practically every solution was software based, and among the commercially available ones (versus the open source toolkits driven from a command line) the big question to be answered was which approach is more secure: stateful inspection or proxy-based?

Both had considerable merit. Proxy-based firewalls assured you that particular applications, such as file transfers and email, would never make a direct connection into the internal network. But application proxies could be slow, whereas stateful inspection offered real-time security controls without the performance penalty of brokering a connection: the moment suspicious activity was detected, the firewall would simply block that connection, averting the risk.
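To make the stateful-inspection behaviour described above concrete, here is an added example in Python (not code from this column or from any vendor product): a toy connection tracker that admits inbound packets only when they belong to a connection an inside host opened, and that tears down a flow once an inspection engine flags it as suspicious. The 10.0.0.0/8 inside range, the packet structure and the addresses are constructed for the illustration; real products also track sequence numbers and idle timeouts, which are omitted here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")  # constructed "inside" address range

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # simplified TCP flags: "SYN", "SYN-ACK", "ACK", "FIN", "RST"

class StatefulFirewall:
    # Toy stateful inspection: return traffic passes only for flows that an
    # inside host opened; unsolicited inbound packets have no state and drop.
    def __init__(self):
        self.flows = set()  # tracked connections, keyed by both endpoints

    @staticmethod
    def _key(p):
        # Order the endpoints so both directions of a flow share one key.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def filter(self, p):
        key = self._key(p)
        if key in self.flows:  # packet belongs to a tracked connection
            if p.flags in ("FIN", "RST"):
                self.flows.discard(key)  # connection closed, forget it
            return "ALLOW"
        # No state yet: only an inside host may open a new connection.
        if ip_address(p.src) in INSIDE and p.flags == "SYN":
            self.flows.add(key)
            return "ALLOW"
        return "DROP"

    def block(self, p):
        # Suspicious activity on this flow: drop its state so later packets fall through to DROP.
        self.flows.discard(self._key(p))

def demo():
    fw = StatefulFirewall()
    out_syn = Packet("10.1.1.5", 40000, "203.0.113.8", 443, "SYN")
    reply = Packet("203.0.113.8", 443, "10.1.1.5", 40000, "SYN-ACK")
    probe = Packet("198.51.100.7", 5555, "10.1.1.5", 22, "SYN")  # unsolicited
    later = Packet("203.0.113.8", 443, "10.1.1.5", 40000, "ACK")
    verdicts = [fw.filter(out_syn), fw.filter(reply), fw.filter(probe)]
    fw.block(reply)  # an inspection engine flags the flow as suspicious
    verdicts.append(fw.filter(later))
    return verdicts  # ["ALLOW", "ALLOW", "DROP", "DROP"]
```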

Today, every Internet-connected device, from smartphones to tablets, and certainly every network of any size, has an access control device or firewall as minimal protection from unwanted connectivity.

In fact firewalls, the non-brick-and-mortar kind, are so broadly understood that the concept even spawned a major motion picture. Which means the technology is long overdue for a refresh, and that is exactly what is happening in the marketplace today.

Firewalls, especially enterprise-grade ones, the kind that keep vigil over your data in banks and government data centers, have evolved greatly into sophisticated threat management systems, and they are now needed to protect against threats both outside and inside the perimeter. This means that if you are ready to upgrade your firewalls you will have tons of choices, but you’ll also need to conduct considerable research and gain an understanding of what those choices mean in terms of benefits and trade-offs for your network.

Most of today’s “new network” firewalls are actually UTMs, or unified threat management systems. Some vendors call these “next generation firewalls.” Those intended for commercial use in medium to large-scale networks are typically hardware based. And the vast majority combine a number of security functions or layered defenses, including stateful inspection firewalling, application proxies, deep packet inspection, intrusion prevention and virtual private network (VPN) connectivity, to name a few.


Others still add web- and application-specific security, URL filtering and even anti-virus as part of the same gateway. The hardware options, as well as the combinations of features and functionality, abound. So how then do you select the right device and level of protection for your network? First, keep in mind that just because a product claims to be new or advanced doesn’t necessarily mean that it is optimal for your needs and deployment.

It’s also important to understand that when it comes to combining functionality and performance in one device, there is no free lunch. The more the device has to do, and the more processing it must carry out simultaneously to execute its various features, the slower it will become during peak traffic hours (or the bigger the device you have to buy). So your challenge is knowing both the traffic demands of your network or data center and the types of applications and traffic that will flow through it.

You’ll also need to factor in any short-term plans for scaling or augmenting your data center architecture. Only when you have the demands of your network capacity and traffic flows in hand can you embark on selecting the right “new” firewall technology to replace those older simpler devices.

You may be surprised at how your options shape up. The key is to buy the “right” kind and size of firewall for the use case and the place of deployment in the data center or network. At the edge of your network you may want a very fast stateful packet filtering device, or one that can terminate a lot of VPN connections.

Further in the network, you might require a firewall that’s tuned to protect certain types of applications or traffic flows. Your virtualized network segments might require something more customized that is a combination of technology types.

In any case, the days of stateful inspection versus proxy are long gone. Now, with the myriad of options, comes the need to be a savvy firewall customer. Your challenge will be to sort through the hype and buy what you need for your type of network. This is the first in a series of articles aimed at helping you do just that.

Next up: high performance hardware firewalls and the truth about scaling.
