Greg Young and John Pescatore just authored an excellent note on next-generation firewalls (see the liner notes/background in Greg’s blog).
In the note, “Defining the Next-Generation Firewall,” Greg and John do an excellent job laying out the definition, the requirements, and their recommendations for next-generation firewalls in the enterprise. Gartner notes that due to their dependence on port and protocol, first generation firewalls are not effective in today’s application and threat environment, and recommends that enterprises should move to next-generation firewalls at their next refresh. To help organizations understand this technology, Gartner lays out what an NGFW is, and what an NGFW isn’t. Here’s how Palo Alto Networks stacks up to Gartner’s NGFW requirements:
- Application Awareness and Full Stack Visibility: Palo Alto Networks’ App-ID technology IS the traffic classification mechanism for the firewall, and identifies 900+ applications regardless of port, protocol, encryption, or evasive tactic. The identity of the application is used in policy control that goes beyond simple allow/deny – to include limiting applications by user or function, scanning for threats or confidential data, or applying QoS/traffic shaping.
- Integrated Rather Than Co-Located IPS: Palo Alto Networks has IPS (using both vulnerability and exploit facing signatures) integrated into our next-generation firewalls. Employing a single architecture – our single-pass, parallel processing architecture means that not only is there a single policy interface, but also that packets are processed only once – which greatly improves performance.
- Extra-Firewall Intelligence: Palo Alto Networks’ User-ID technology incorporates an organization’s Active Directory users and groups into next-generation firewall policy – which, when coupled with the previously mentioned application knowledge, results in more meaningful, finer-grained network security.
- Standard First-Generation Firewall Capabilities: Palo Alto Networks family of next-generation firewalls provides typical packet filtering, state, flexible NAT, IPSec and SSL VPNs
- Support “bump in the wire” Deployments: Palo Alto Networks family of next-generation firewalls support a variety of deployments, including virtual wire (“bump in the wire”), tap, L2 and L3 – and can mix any of those modes on the same firewall.
- Things That a Next-Generation Firewall Isn’t: Gartner also walks through what a next-generation firewall isn’t – it isn’t a UTM device, DLP device, secure web gateway, or email security gateway. One of the common threads across all of those is the importance placed on the platform – it must perform well, and remember – it’s a firewall. A firewall is designed to see all network traffic. When one combines that with all of the requirements for an NGFW (application visibility and control, integrated IPS, extra-firewall intelligence), it creates a requirement for a new, high-performance platform. Because Palo Alto Networks built our next-generation firewall from the ground up, we are able to process traffic in a single pass – classifying application traffic in the firewall, associating users, and scanning content. Furthermore, the hardware for Palo Alto Networks next-generation firewalls was engineered with this in mind – not added onto ASIC-based hardware originally designed for a simpler purpose.
Gartner’s Recommendations
Gartner recommends that organizations should move to next-generation firewalls at their next refresh opportunity – whether for firewall, IPS, the combination of the two, or managed service. Have a look at the note for yourself.