What is a Next Gen Firewall? And Why Should I Care?
I may be going out on a limb here, but I’m going to bet that you found this blog because you were interested in learning more about firewalls. Maybe about Internet security in general, or maybe you wanted to read about next generation security. Bleeding edge. Hype. Hoopla. Who can blame you? You can’t go more than a day without reading about some company that lost millions of private records to hackers. It’s only a matter of time before an attacker aims for your data, your identity, or your financial records.
You are here because you are searching for the best technology available to protect yourself against the ever increasing number of threats – very real threats that can expose your data and destroy your reputation online in a matter of seconds.
Let me cut to the chase: You want a Next Generation Firewall.
I’m not going to sell you one, however. I’m not even going to tell you which one to buy. I know better than to stake my reputation on some device that was designed yesterday but will be used to protect against threats that won’t even exist until tomorrow. You shouldn’t either. What I will do is tell you about firewalls so you can decide what is best for your needs and for your network.
It’s a killer sales tactic, I know. Before you big spenders pull out your wallets, let me tell you a few things about firewalls and about internet security that you probably don’t realize.
The three most important things you need to know about firewalls are:
1. All firewalls are insecure.
2. All firewalls are insecure.
3. All firewalls are insecure.
Firewalls are not designed to keep malicious traffic off of your network. Firewalls are designed to recognize friendly traffic and to let it in.
In other words: Firewalls are not steel-reinforced walls and thick iron gates, they are doormen.
That said, there is a difference between a good firewall and a bad firewall. Some firewalls, in fact, act more like greeters at your local Big Box Mart-o-Rama, happily smiling and waving while any and all types of people stroll through the door. You don’t want that. What you want is a doorman who is intelligent, who can recognize people that are coming and going, who can discern their intentions, and who can adapt immediately to sudden changes in circumstances.
This is exactly what you will get in a Next Generation Firewall.
Let’s take one step deeper…
All firewalls rely on ALLOW and DENY rules that define who can enter and who cannot. If I want to attack your network, it’s simple – all I have to do is follow the ALLOW rules, the ones that describe who can enter. If your firewall blocks all incoming traffic from everyone except computers belonging to your sales team, for instance, then all I have to do to break into your network is make my traffic look and act like traffic from a computer that belongs to your sales team. A traditional firewall only sees what is on the wire: source and destination addresses, ports, and protocol. It has no way of knowing who is really behind that source address. Your firewall has no choice but to let me – an attacker in a legitimate-looking disguise – into your network. Why? Because it has to follow the rules.*
These rules are what make every firewall a liability.
This is not a bug or a backdoor. Firewall ALLOW rules represent an intentional hole in your security infrastructure. For this reason, getting through a firewall is vastly different from other forms of attack: nothing has to be broken, the attacker just has to fit the rule. To protect yourself and to choose the best firewall, you must develop new ways of thinking about firewalls and how they function in your network. Sadly, most software firewalls that come with your operating system function in exactly this way. Default firewall security is never enough.
So what’s next?
If you truly want the best firewall for your needs, the question you must ask yourself isn’t What will this firewall protect me against? You should be asking yourself What rules do I want my firewall to follow? Think about that question for a little bit. Maybe even make a list.
OK, welcome back. You probably ran into a big problem with that last question. Even though I told you to think like a firewall and to write down the rules it needs to follow, you probably realized that it’s impossible to define in advance every rule that your firewall will ever need. It’s the same reason that you can’t hire someone to watch your front door and, on day one, hand them a list of everyone who will ever enter or exit through it.
What we need are new types of rules. Complex and sophisticated rules that adapt on the fly to the needs of trusted applications, that respond immediately and intelligently to unusual spikes in traffic, and that can apply elevated security to special types of connections. Most importantly, and perhaps counterintuitively, you want rules that govern traffic leaving your network as well as traffic entering it – inside and outside – because a compromised machine on the inside is just as dangerous as an attacker on the outside.
This is what you will get with a Next Generation Firewall.
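To make the two points above concrete, here is a toy packet filter written as an added example for this post (it is not code from the post’s author or from any firewall vendor). It models the classic first-match ALLOW/DENY rule table with a default DENY, and then shows the two things the text describes: an attacker who forges a sales-team source address walks straight through the inbound ALLOW rule, and rules that also cover outbound traffic, plus a crude adaptive check, catch things a purely inbound rule table never would. The addresses (203.0.113.0/24 for the sales team, 198.51.100.7 for the attacker, 10.0.0.0/8 for the LAN) are assumed values from the RFC 5737 documentation ranges, and the per-source burst limit is a hypothetical stand-in for a real rate-limiting feature.

```python
"""Toy first-match packet filter with a default DENY (added example, not a real product)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the Internet, "out" = leaving the LAN
    src: str        # source IP as it appears on the wire; an attacker can forge it
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "ALLOW" or "DENY"
    direction: str               # "in", "out" or "any"
    src: str = "0.0.0.0/0"       # CIDR; the default matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        # Addresses, ports and direction are all the firewall can see.
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """The first matching rule wins; if nothing matches, the packet is denied."""

    def __init__(self, rules: List[Rule], burst_limit: int = 5):
        self.rules = rules
        self.burst_limit = burst_limit       # hypothetical: new connections per source
        self.new_conns: Dict[str, int] = defaultdict(int)

    def decide(self, p: Packet) -> Tuple[str, str]:
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "ALLOW":
                    # Adaptive check: even an allowed source gets cut off when it
                    # suddenly opens far more connections than usual.
                    self.new_conns[p.src] += 1
                    if self.new_conns[p.src] > self.burst_limit:
                        return "DENY", f"burst limit exceeded for {p.src}"
                return rule.action, f"rule {i}"
        return "DENY", "default deny"


# Assumed addresses (RFC 5737 documentation ranges), not real hosts.
SALES_NET = "203.0.113.0/24"
WEB_SERVER = "10.0.0.5"
LAN = "10.0.0.0/8"
ATTACKER = "198.51.100.7"

RULES = [
    Rule("ALLOW", "in", src=SALES_NET, dst=WEB_SERVER, dport=443),  # sales team only
    Rule("ALLOW", "out", src=LAN, dport=443),                       # LAN may use HTTPS
    Rule("ALLOW", "out", src=LAN, dport=53),                        # and resolve names
    # Anything else, in either direction, falls through to the default DENY.
]


def demo() -> Dict[str, object]:
    fw = Firewall(RULES)
    results: Dict[str, object] = {}
    # A real sales laptop: allowed by rule 0.
    results["sales"] = fw.decide(Packet("in", "203.0.113.10", WEB_SERVER, 443))[0]
    # The attacker from their own address: nothing matches, default DENY.
    results["attacker"] = fw.decide(Packet("in", ATTACKER, WEB_SERVER, 443))[0]
    # The same attacker with a forged sales-team source address: rule 0 lets them in.
    results["spoofed"] = fw.decide(Packet("in", "203.0.113.77", WEB_SERVER, 443))[0]
    # A compromised desktop calling home on an odd port: caught by the outbound rules.
    results["beacon"] = fw.decide(Packet("out", "10.0.0.42", ATTACKER, 4444))[0]
    # The same beacon over port 443 looks like browsing to a port-based rule.
    results["beacon_https"] = fw.decide(Packet("out", "10.0.0.42", ATTACKER, 443))[0]
    # A flood of new connections from the forged source trips the burst check.
    flood = [fw.decide(Packet("in", "203.0.113.77", WEB_SERVER, 443))[0] for _ in range(10)]
    results["flood_denied"] = flood.count("DENY")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} {outcome}")
```

Two things are worth noticing in the output. The forged packet is allowed for exactly the reason the text gives: the rule says "sales-team addresses may reach the web server on 443", and that is all the firewall can check. And the outbound rule stops the beacon on port 4444 but not the one on port 443, because a port number says nothing about which application is talking; telling a browser apart from malware that happens to use 443 is precisely the kind of application-aware rule the next section of this post is about.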
And this is what you need to think about when you are shopping for a firewall. You don’t need a firewall that mindlessly follows static ALLOW and DENY rules. You need a smart device that is going to scale with your security needs, adapting and responding without requiring constant reconfiguration or monitoring, and keeping you informed when trouble arises.
I’m sure you get the picture by now: This is what Next Generation Firewalls are all about.
Stay tuned for more articles on this site where we explore specific features of next generation firewalls, and even report on some performance testing of popular models from names like Palo Alto, Cisco, Juniper, and Dell SonicWALL.
*A similar attack was once perpetrated at an upscale dining establishment when a notorious offender claimed to be Abe Froman, the Sausage King of Chicago. The maître d’ was rule bound and had no choice but to seat the individual and his companions.