Traditional firewalls – an ‘own goal’ in the game against cybercrime
Anton Jacobsz, managing director of Fortinet distributor Networks Unlimited, says there is increasing interest in next generation firewalls around the world, but that enterprises need to take care in assessing the features and performance of many so-called next generation firewalls.
"Next generation has been a firewall buzzword since last year, but exactly what is meant by the term is not always clear," he says. "If a firewall has added levels of security to protect against attack, but it slows the enterprise network down to a crawl as a result, it achieves the same as a denial of service attack would – it effectively takes the enterprise network down." Such a slowdown has the same effect as attacks from outside, he says, noting that 78% of enterprises were attacked from outside in the last year, and 75% fell victim to denial of service attacks.
In March 2014, Fortinet commissioned Forrester Consulting to examine adoption and implementation trends for next-generation firewalls among enterprise-sized companies in the US and Europe. The report noted that the top security challenge, cited by 77% of surveyed companies, is the continuously evolving nature of IT threats. Secondary challenges, such as the growing complexity of IT environments and the pull on IT staff towards other tasks that take time away from security responsibilities, compound the difficulty of protecting against those threats.
In order to protect against evolving threats, and to address business and workforce requirements such as bring your own device (BYOD) and the extended enterprise of business-partner connectivity, organisations are adopting the Zero Trust model of information security. In this model there is no longer a trusted and an untrusted interface on security devices, a trusted and an untrusted network, or trusted and untrusted users, so next generation firewalls become an integral part of the discussion, says Forrester. Within the Zero Trust context, NGFWs are known as network segmentation gateways (SGs) and are the key to building a Zero Trust network. An SG is a concept that takes the features and functionality of individual, standalone security products (firewalls, intrusion prevention systems, web application firewalls, content-filtering gateways, network access control, VPN gateways and other encryption products) and embeds them in a single appliance; a next generation firewall is the product that takes a step towards bringing this concept to life.
The report said few, if any, enterprises will opt to buy a traditional stateful firewall and a "conga line" of other standalone security controls when there is the option of a next generation firewall that runs multiple capabilities on a single device.
Not all firewalls are equal, notes Jacobsz. "If a firewall is not built with custom chipsets internally to manage specific functions, the speed of processing will be impacted. It's not just about keeping malware out. Enterprises need to look to achieving next-generation performance. What's needed is a balance between the greatest efficacy, highest availability and best throughput for the lowest cost."
A standard firewall, notes Jacobsz, might need many more resources monitoring its footprint, throughput and applications. A next generation firewall should incorporate custom chips to do this for the IT department. While automated detection of incidents is growing in importance, employees remain vital, he says. A next generation firewall simply allows better allocation of resources and optimum performance of enterprise security systems. "You should not have to settle for a trade-off between security and performance," he says. A next generation firewall must include intrusion prevention, application control and anti-malware, he says, but the levels and modes of protection have to keep evolving with changing technology. Fortinet states that traditional security appliances that use multi-purpose, CPU-based architectures become an infrastructure bottleneck: even when using multiple multi-core general-purpose processors, network security devices cannot deliver the high performance and low latency required, and the only way for a network security platform to scale is via purpose-built ASICs that accelerate specific parts of the packet processing and content scanning functions. In addition, the next generation firewall should integrate with the full suite of IT security solutions to ensure simplified management and visibility.