A large majority of users are seeking next-generation firewalls that go beyond port and protocol identification and offer up granular application awareness, according to a recent survey conducted by TechTarget.
According to the firewall study consisting of 221 respondents, 69% said they would seek next-gen firewalls that went deeper than port and protocol identification; 57% would seek a firewall product that enforces policy based on application traffic; 49% wanted a firewall product that incorporates user identity access and management; and 43% are interested in firewalls that can enforce varying policies on specific features or content within an application.
Another 55% said they would seek firewalls with intrusion prevention and user identity access capabilities. This highlights a continuing trend in users seeking an all-in-one security appliance.
Next-gen firewalls may be attractive, but are all users ready?
If users are ready to take on advanced next-gen firewalls, are channel partners ready to sell and support them?
Joel Snyder, senior partner with the consulting firm Opus One, sees the next-generation firewall trend growing but is a little surprised that respondents are that aware of this niche. “It’s not something that many people have experience with because there’s only a couple of them out in the market right now. That says there’s either a flaw in the survey, or that people are desperate for better security solutions to [solve] the problems they have on their network today.”
For larger enterprises, it's most likely the latter. These network managers are beginning to realize they need application-aware firewalls so they can apply a comprehensive policy for outbound connections, said Snyder. But for smaller companies it could be a different story.
“For enterprise managers yes, they can make that jump,” he said. “For small business managers, they probably don’t understand the difference between a next-generation and a normal UTM firewall. For inbound, server-protected firewalls, a traditional firewall coupled with an internal/external IPS is probably more appropriate than next-gen. [Enterprise] network engineers or managers are going to have to find a channel partner that can help them utilize these next-gen features, or they are going to have to learn how to utilize them themselves.”
Next-gen firewalls: How deep does application-awareness go?
Next-gen firewalls may not seem necessary to some, but others expect they will need even more complex features over time.
“Of course a next-generation firewall has to have intrusion prevention. An IPS is what many firewalls have traditionally been, but in the face of modern malware attacks, especially over social media Web 2.0 sites, these have proved to be ineffective in stopping serious intrusions into the network,” said Steven Gilmer, systems administrator at UC Irvine Extension. “A next-generation firewall has to have deep encrypted packet filtering, proxy avoidance detection, block peer-to-peer and look at active content. The next-generation firewall is way past application and user identification. It’s what do you do after that? What are you going to do to stop the malware that's encrypted once you identify that app?”
The rise in enterprise use of public Internet, social media and mobile devices has catapulted the next-generation firewall demand, Gilmer said. “Websites are being hacked regularly. You think you’re safe in going to a website where the packets are encrypted, but the bad guys have hacked the site and their malware is inside of that encrypted packet, and that goes straight into your network. The next-generation firewall is trying to deal with that, but the bad guys are keeping up,” he said.
Next-generation firewall demands mean more work for partners
So what does this all mean for channel partners? It will mean the need to gain stronger and more in-depth technological background in firewalls and their capabilities. Previously, partners sold standard firewalls that did not have many bells and whistles. Now they'll have to answer a new level of questions and handle more complex implementations.
“Next-gen firewalls, and especially IPS, are more sophisticated and require more policy definition than a normal firewall,” Snyder said. “What channel partners might need to do is both educate and help with templates for intrusion prevention and application identification [on] parts of the firewall. You want a consultant to come in who knows your industry. It’s not so much about the training of the product, but the configuration of the product.”
Documentation and videos from the vendors greatly help end users become educated about next-gen firewall appliances, Gilmer said.
On Virtual Graffiti’s website, where Gilmer purchased his next-gen firewall, there are several icons you can click to see specs and documentation, as well as videos produced by the vendor that educate the end user on next-generation firewalls.
“Also at Virtual Graffiti, they have vendors put on class seminars, so their engineers and salesmen are schooled. Good support services with well-educated vendors are really important for end users,” Gilmer added.
Andrew Plato, president of Anitian Enterprise Security, and his team provide these educational services in addition to implementation specifically tailored to user needs. “We don’t pitch a product, we pitch an answer. Our focus is trying to find a technology that meets users’ needs while coming in under budget. We are training our staff on that, not just selling boxes and pushing them on people,” Plato said.
Some partners are fine with selling ports and protocols, but once security factors like intrusion prevention and application control come into play, that takes a higher skill set that partners may not have, Plato said.
“There is a pressure on a lot of VARs to have security-trained people, and that’s not always that easy to get,” Plato said.
The future of next-generation firewalls: Will they replace other network products?
The term “next-generation firewall” may soon be obsolete as the additional demands of firewalls become more common. Additionally, since networks are growing in capabilities, users may want to utilize a firewall that can not only keep up with growth, but perhaps take the place of another solution or two, decreasing products and clutter on the network.
“It’s an inevitable evolutionary step. Next-generation will not be its own product category. As the next-generation technology of application identification becomes better understood and is better able to fit into the performance of the devices we have, this will just be a default feature. Soon there will be no such thing as a non-next-generation firewall,” Snyder said.
Plato also sees a future in which consolidating products on the network will save time and cost in the enterprise. “Now, one piece of equipment can do the work of what previously took three, four or five to do. It can provide a broader platform of capabilities. Because of that, that’s driving down cost. If you can collapse multiple applications or services onto one platform, you are going to save more money and get more out of less,” he said.