Nicolai Solling, director of Technology Services at help AG, tells Network Middle East why it is time to migrate to next-generation firewalls.
The firewall has long been the vanguard of enterprises’ efforts to effectively protect their networks from the multitude of internet threats. In its simplest form, a firewall is a means of access control, preventing outsiders from accessing private company data and controlling what external resources the employees have access to.
Traditional firewalls, introduced as far back as the mid-1990s, have limited visibility into the contemporary web-based network landscape. Thanks to the explosive popularity of Web 2.0, application delivery is now possible through a variety of means – AJAX-based applications, Java-based applications, Hypertext Preprocessor (PHP), Active Server Pages (ASP) and .Net. When it comes to controlling such applications, a traditional firewall just doesn’t make the grade.
What are NGFWs?
Next Generation Firewalls (NGFW) combine the features of traditional firewalls with intrusion prevention, application identification and control, and user and group policies into a single high-performance application.
These firewalls are ‘application-aware’ in that filtering is based upon the type of application or traffic traversing the ports.
These devices can even discriminate between applications that share the same port, allowing enforcement of highly granular policies, such as permitting access to Facebook while blocking the gaming applications on the site, or blocking file sharing applications or proxy services while permitting the flow of HTTP traffic through the firewall.
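The difference between a port-only policy and an application-aware one can be shown with a small policy evaluator. This is an added illustration, not code from the article or from any firewall product: the rule format, the application labels (assumed to come from the firewall's traffic classifier) and the sample flows are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    user_group: str
    dst_port: int
    app: str  # hypothetical label; assumed to be assigned by the NGFW classifier

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    dst_port: Optional[int] = None    # None means "match anything"
    app: Optional[str] = None
    user_group: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        pairs = ((self.dst_port, f.dst_port), (self.app, f.app),
                 (self.user_group, f.user_group))
        return all(want is None or want == got for want, got in pairs)

def evaluate(rules, flow):
    """First matching rule wins; traffic matching no rule is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"

# Traditional policy: all it can express is "web ports are open".
LEGACY = [Rule("allow", dst_port=80), Rule("allow", dst_port=443)]

# Application-aware policy for the same ports (labels are hypothetical).
NGFW = [
    Rule("deny", app="facebook-games"), Rule("deny", app="p2p-filesharing"),
    Rule("deny", app="web-proxy"),
    Rule("allow", app="facebook", user_group="staff"),
    Rule("allow", app="web-browsing"),
]

# Constructed sample flows: (user group, destination port, classified app).
FLOWS = [Flow(*t) for t in [
    ("staff", 443, "facebook"), ("staff", 443, "facebook-games"),
    ("staff", 80, "web-browsing"), ("staff", 80, "p2p-filesharing"),
    ("staff", 443, "web-proxy"), ("guest", 443, "facebook")]]

def over_permitted(legacy, ngfw, flows):
    """Flows the port-only policy lets through that the app-aware one stops."""
    return [(f.user_group, f.app) for f in flows
            if evaluate(legacy, f) == "allow" and evaluate(ngfw, f) == "deny"]

if __name__ == "__main__":
    for group, app in over_permitted(LEGACY, NGFW, FLOWS):
        print(f"port-only policy allows {app!r} for {group!r}; app-aware policy denies it")
```

Running the same comparison against real flow logs during a migration shows which traffic the legacy rule set was silently permitting.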
Apart from addressing security concerns, NGFWs offer bandwidth control. Because of application awareness, NGFWs perform quality of service functions, so higher priority applications are accorded a higher percentage of bandwidth. In the Middle East, where the cost of bandwidth is still prohibitively high, a device which addresses this concern in addition to its primary functionality is a welcome solution.
Many of the features of NGFWs were first promised by Unified Threat Management (UTM), but UTM systems have inherent performance issues when enabling advanced security features. This is because UTM systems are just classical firewalls, and while they offer bolt-on features such as antivirus, IPS and URL filtering, the basic processing of packets is still done in sequence.
One of the reasons companies are wary of jumping on the NGFW bandwagon is that they burned their fingers with UTM solutions and are afraid that NGFWs too will raise similar performance issues. However, since NGFWs classify traffic based on signatures and perform security inspection in parallel, they do not suffer the same pitfalls as UTM.
Migrating to NGFW
IT departments today are asked to do more with less, which is why next-generation firewall technologies are an attractive option, both from a technical as well as a financial perspective. Next-generation firewalls perform multiple functions such as IPS, URL filtering, proxies and network antivirus, thereby eliminating the need for separate devices for each of these, which in turn brings about a significant reduction in operational expenses. When migrating to next-generation firewall technology, customers must be aware of the new features so as not to lose out on any of the functionalities offered.
One thing organisations need to ensure is that the firewall software supports sufficient features for the rules migration from legacy firewalls. Many enterprises are still required to run two levels of firewalls and it is acceptable to operate a classic firewall and an NGFW. This may even be desirable during the migration phase to allow for the optimisation of the NGFW or to allow complete reorganisation of the policy set, taking into account the increased visibility and control offered by the new system.
Two prevailing trends in the Middle East IT industry have been the rise in the number of hacking attacks and the gradual shrinking of IT budgets. Through the adoption of all-in-one solutions, CIOs can tackle both problems simultaneously. The bottom line is that organisations that fail to do so are at risk of falling behind the competition. Next-generation firewalls are here to stay – be safe rather than being sorry!