The term “next-generation firewall” may sound like marketing buzz, but it refers to application-aware firewalls – or firewalls that go past monitoring ports and protocols, offering visibility into applications and their users. That's especially crucial as enterprises move their applications into the private or public cloud.
A good application-aware firewall enables enterprises to log thousands of application signatures and track these applications and their users throughout the network. They can also see where users are when they access applications and what kinds of devices they are using. So new firewall strategies include the ability to set granular policy around which groups of users can access applications and even from which locations they can do so.
Application-layer firewalls: How deep do they go?
It's hard to define an application, considering platforms like Facebook and Google contain dozens or even hundreds of so-called applications, including chat, video, email, games, spreadsheets, surveys, file transfer, etc. Firewalls with application intelligence must therefore be able to discern different features and capabilities within a single web platform and apply policies accordingly.
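As an added illustration, not from the article, the following Python models the kind of granular policy described above: rules keyed on application, sub-feature within that platform, user group and location, evaluated beside a legacy port-only check to show what port/protocol filtering alone cannot distinguish. All application, feature, group and location names are constructed placeholders.

```python
# Added example (not from the article): a minimal model of application-aware
# policy evaluation. Application, feature, user-group and location names are
# constructed placeholders, as is the sample policy.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    user_group: str      # from identity integration (e.g. a directory group)
    location: str        # where the user is, e.g. "hq", "branch", "remote"
    dst_port: int
    app: str             # platform identified by signature, e.g. "facebook"
    feature: str         # sub-application within the platform, e.g. "chat"

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    app: Optional[str] = None         # None matches any value
    feature: Optional[str] = None
    user_group: Optional[str] = None
    location: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return all(want is None or want == got for want, got in (
            (self.app, f.app), (self.feature, f.feature),
            (self.user_group, f.user_group), (self.location, f.location)))

def app_aware_decision(rules: list, f: Flow) -> str:
    """First matching rule wins; no match falls through to deny (default-deny)."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "deny"

def port_based_decision(allowed_ports: set, f: Flow) -> str:
    """Legacy check: only the destination port is visible to the policy."""
    return "allow" if f.dst_port in allowed_ports else "deny"

# Constructed policy: marketing may use the platform's chat feature, but only
# from headquarters; every other feature of that platform is denied to everyone.
POLICY = [
    Rule("allow", app="facebook", feature="chat", user_group="marketing", location="hq"),
    Rule("deny", app="facebook"),
    Rule("allow", app="webmail"),
]

if __name__ == "__main__":
    chat = Flow("marketing", "hq", 443, "facebook", "chat")
    games = Flow("marketing", "hq", 443, "facebook", "games")
    print(app_aware_decision(POLICY, chat), port_based_decision({443}, chat))    # allow allow
    print(app_aware_decision(POLICY, games), port_based_decision({443}, games))  # deny allow
```

Both flows share TCP/443, so the port-based check allows them equally; only the application-aware rules separate the permitted chat feature from the denied games feature.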
Next-generation firewalls won't replace legacy firewalls
While application-aware firewalls get lots of marketing hype, this doesn't mean they'll replace legacy firewalls. Most enterprises will take a layered approach to firewalls, assigning different responsibilities to each type of firewall. One group of firewalls will protect the network perimeter while another works inside the DMZ, for example.
Choosing an application-aware firewall vendor
As users demand application-aware firewalls, partners may have to broaden their scope of vendors to work with. Lots of vendors offer so-called next-generation firewalls, but there are real differentiating qualities to these products. Some are offered as virtual appliances, while others are hardware. There are also differences in the number of applications these devices can track and how much visibility they provide.
Web application firewalls are not trouble-free
Web application firewalls can keep Web-based malware from ever getting a foothold in an environment. They can also keep the bad guys from manually exploiting flaws at Layer 7, which, in turn, can prevent further intrusion into the network. However, there are a number of misgivings about Web application firewalls. For one, as with any perimeter-centric security device, if they are not properly configured, they’re likely to create a false sense of security.
Next-generation firewalls are not immune to human error
Change and configuration management have become dirty words in the networking world. In the best of scenarios, network managers would know the state and recent configuration changes of any component on the network. To do so, they would keep an ever-updated database of these alterations. But in reality, changes get made and never recorded. That can be deadly for new firewall strategies.
The good news for firewall change management is that there are tools that can automate the process of tracking changes.
This was first published in June 2011