Meet The Next Next-Gen Firewall

Published: 22/11/2024   Category: security


Or at least the latest iteration of one of the oldest-running security tools that continues to evolve and transform with the times.



This is not your father's firewall. In fact, most security experts say the newest variety of this staple perimeter traffic-control box shouldn't even be called a firewall anymore.
The modern firewall, aka the next-generation firewall, application-layer firewall, or deep-packet inspection firewall, has indeed been evolving dramatically for years. And today Cisco Systems, which of late arguably had been losing ground in the next-gen firewall realm, made a big plunge into that space by adding Sourcefire's application control, IPS, and advanced threat detection to its ASA 5500 firewall.
In yet another example of the firewall's changing and expanding role, cloud application control provider Skyhigh Networks announced today that it has teamed up with next-gen firewall vendor Palo Alto Networks to blend Skyhigh's cloud-based application control service with PAN's platform, which basically adds a cloud-based application firewall to the governance and control policy management of SaaS-based applications.
"This integration makes the cloud-aware firewall, [and with] PAN integrated with Skyhigh, more than a firewall because now it is not only enhancing the ability of the firewall to prevent bad stuff from entering the enterprise or the data center, but it is also helping in analyzing and controlling what goes out based on greater cloud intelligence," says Rajiv Gupta, CEO of Skyhigh Networks. This includes detecting insider threats and infected machines, and preventing confidential data from leaving the enterprise.
Palo Alto's Scott Gainey, vice president of product marketing there, says the integration allows better application of controls to SaaS applications such as employee Dropbox accounts or other tools enterprises must support today.
PAN describes the next-gen firewall as one that provides "single inspection of all traffic, including encrypted traffic," he says. "Then you build services within that firewall." Those services can include ones that block known and unknown threats, such as traffic to notorious command-and-control servers, he says.
"There's definitely been a transition in the firewall market over time, from stateful inspection, to UTM and NGFW, and now products increasingly centered on advanced threat prevention," says John Grady, program manager for security products at IDC. "I think it's in recognition of the fact that the attack landscape has become incredibly dynamic and detecting advanced attacks is top of mind for a lot of organizations. The firewall market is incredibly competitive, so this type of differentiation is very important to remain relevant. I think we'll continue to see added functionality in this vein."
Cisco's new ASA firewall helps bring the company back into more direct competition with other next-gen firewalls, security experts say.
Defending networks before, during, and after an attack or attack attempt is the goal of Cisco's new ASA with FirePOWER Services, with visibility into new threats, says Scott Harrell, vice president of product management at Cisco's Security Business Group. "Next-generation firewalls were focused on applications. That was useful, but the real problem is about the threat. The firewall must evolve to take on the next-generation threats," he says.
The goal is to minimize the number of security boxes, he says, and to provide a "single pane of glass" to detect the threats. "In a lot of the breaches we have heard about [lately], they [the victims] got a warning but had so many security systems running, they didn't know which events to focus on," he says.
But the underlying security dilemma exposed in recent data breaches is that some large organizations such as Target still run traditional, flat networks that leave them exposed to attacks via their third-party suppliers, according to security experts. In Target's case, the weak link was its interconnected HVAC supplier. "Target's network wasn't segmented ... It's easier to penetrate if you have a flat network," says John Kindervag, vice president and principal analyst with Forrester. If the mega-retailer had segmented the HVAC system access, the attackers might only have been able to make the Target facilities cooler or warmer, but they couldn't have stolen the customer data, he says.
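To make Kindervag's segmentation point concrete, here is an added example (not from the article or any vendor named in it) of the kind of policy a segmentation gateway enforces between a third-party HVAC vendor zone, the building-management servers and the cardholder/POS segment. It is an nftables ruleset; the subnets, server addresses and the BACnet/IP port (47808/udp) for the building-management protocol are constructed assumptions for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny segmentation between zones.
# All addresses below are constructed placeholders, not real networks.
flush ruleset

table inet seggw {
    # Zone definitions (constructed): vendor/HVAC access, BMS servers, POS segment
    set hvac_vendor { type ipv4_addr; flags interval; elements = { 10.50.0.0/24 } }
    set bms_servers { type ipv4_addr; elements = { 10.20.10.5, 10.20.10.6 } }
    set pos_net     { type ipv4_addr; flags interval; elements = { 10.30.0.0/16 } }

    chain forward {
        # Default policy is drop: nothing crosses a zone boundary unless listed
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The vendor may reach only the BMS servers, only on the ports the BMS needs
        # (assumed: BACnet/IP on 47808/udp and an HTTPS management UI)
        ip saddr @hvac_vendor ip daddr @bms_servers udp dport 47808 accept
        ip saddr @hvac_vendor ip daddr @bms_servers tcp dport 443 accept

        # Explicit, logged denial of any path from the vendor zone into the POS segment
        ip saddr @hvac_vendor ip daddr @pos_net log prefix "SEGGW-DENY vendor->pos " drop

        # Nothing outside the POS segment may initiate into it; log for the SOC
        ip daddr @pos_net ip saddr != @pos_net log prefix "SEGGW-DENY ->pos " drop

        # Everything else falls through to the default drop, logged
        log prefix "SEGGW-DENY default " drop
    }
}
```

With a flat network none of these boundaries exist, which is the exposure the Target example describes; with this ruleset in place the vendor's reach is limited to the BMS service ports and every attempt beyond them produces a log line a SOC can alert on.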
Kindervag calls next-gen firewalls "segmentation gateways."
"Instead of at the edge, you put them at the center where they can be more effective," Kindervag says. "I'm excited to see Cisco jump into the fray with [its new] segmentation gateway."
Kindervag says the PAN-Skyhigh integration is a significant move. "You have the two sides of the security business pulling together -- the on-premises side and the cloud side," he says. "They have figured out a way to have visibility and control across both those vectors with a single pane of management."
End of a legacy?
Meanwhile, PAN's Gainey concurs that the label of firewall indeed has become outmoded and is more a function of its familiarity. It's now more of a platform for multiple functions, he says.
"It's a legacy term. No one has really come up with anything more creative."
Look for more next next-gen firewalls -- or segmentation gateways -- to add endpoint security features. "A tremendous amount of knowledge can be gained listening to endpoint traffic," he says. "Endpoints have the potential to see a lot of the network you won't see otherwise, especially if the endpoint is operating off-network."
Cisco's Harrell says his company's platform already supports endpoint security with multi-vector correlation. He says the new ASA firewall comes with the same advanced malware protection features as FirePOWER, and also integrates with endpoint AMP technology.
The bottom line, though, is that none of the new features in today's next-gen firewalls are especially advanced, notes Adrian Sanabria, senior analyst with the Enterprise Security Practice at 451 Research. "The playing field is pretty level with these products nowadays, and if enterprises don't have products labeled 'next-gen' and 'advanced' at this point, they might not be able to defend against stuff that has become pretty normal nowadays," Sanabria says.
He sees the cloud app control market -- Skyhigh's sector -- as the next big thing. "This is truly a new market, though it builds on existing technologies. Earlier this year, I wrote that I expected acquisitions to heat up in this area, and pegged Palo Alto Networks and Cisco as potential acquirers," Sanabria says.
So is the firewall as we knew it dead? "I think this is the next evolution. And like all transitions, it can take some time, so [I'm] not ready to say it's dead. Also, different use cases require different functionality," IDC's Grady says. "I think in the data center, a firewall closer to what we've known remains relevant -- at least until SDN really takes hold. Performance, scalability, and virtualization support are all more important in that scenario. At the edge, application visibility and advanced threat capabilities are important."
Says Forrester's Kindervag: "The traditional firewall is dead like the traditional network is dead. The traditional network falls down all the time, so it has to be rebuilt."
