Next Generation Firewalls | Are All NGFWs the Same?

Today we are presenting 3 videos from three different Next Generation Firewall vendors. Granted, these are all pretty much marketing videos and don’t get into the technical “nitty-gritty” behind the devices. That being said, the three vendors in these videos do discuss many of the same features of their Next Generation Firewalls. While there are other vendors out there, today we discuss the videos from Palo Alto Networks, Cisco, and Barracuda Networks. All three of these companies have next gen firewalls that make certain claims about securing your network. In these videos, they are mostly making similar claims about the overall concept of network security and about the new ways that issues such as application awareness, BYOD trends, advanced user identification and proactive threat protection can be dealt with. “Most of these vendors do have similar functionality, they just tend to do them in a slightly different way,” said Michael McLaughlin, Senior Engineer at Chicago-based IT consulting firm Black Diamond Solutions. “Of course how much these vendors are investing in new ways to stay ahead of the bad guys is an important consideration as well since the security space is constantly changing.”

Next Generation Firewalls from Palo Alto Networks

The first video is from Palo Alto Networks and does a nice job discussing how 15 years ago network traffic was much simpler. It was really either e-mail, business applications, or threats. Today, however, traffic is much more complex. Allowing users to choose applications without IT managing and deploying them has made employees much more efficient and effective. In fact, it is almost impossible to imagine employees NOT being able to do this anymore. However, it also opens up the network to the risk that these applications introduce malware. Although IT is not involved in these deployments, the applications still need to be secured while running on the network. This all starts with the firewall, because most if not all traffic in an organization runs through it.


Palo Alto next generation firewalls are offered in different sizes for different environments. They include the PA-200, PA-500, PA-3000 Series, PA-5000 Series and PA-7000 Series Next Gen Firewalls.

Next Generation Firewalls from Cisco Networks

The second video here is from Cisco. Cisco takes a somewhat different approach than many other NGFW companies in that they offer a layered approach to their security. There is debate to be had as to whether this is a better way to go or not, but it is a difference in approach. This video mostly discusses how applications have become more dynamic and multifaceted, and that users can now access these applications from any desktop, laptop, or mobile device. It also discusses how application awareness alone is simply not enough these days, and that Cisco goes well beyond this with their Cisco ASAx next generation firewalls by offering granular control of applications, enhanced user ID authentication, enterprise-class web security and proactive threat protection. They also discuss the Cisco cloud, which they call Cisco Security Intelligence Operations (SIO), which gathers intelligence from over 2 million Cisco security devices worldwide to offer near real-time protection from zero-day malware.

Cisco offers a layered approach based on its Cisco ASAx next gen platform


Next Generation Firewalls from Barracuda Networks

The third video here is from Barracuda Networks. It is the shortest of the videos and generally discusses similar concepts behind today’s need for more than just port protection. One thing it does discuss is that many companies are deploying a UTM approach, which does offer many security features in one appliance but, when run on the network rather than in the cloud, can cause performance issues that hinder the network. One nice thing about Barracuda Networks is that they offer free evaluations of most of their products.


Barracuda Networks Offers next gen appliances with their NextGen Firewall F-series, NextGen Firewall X-series, and their NextGen Firewall F-series


In the end there are many different vendors that offer these application-aware, malware-protecting Next Generation Firewall devices. Things to consider are not only the reputation of these companies, but also the network architecture used, the types of extra features available, ease of management, and total cost of ownership. offers expertise in network security design, product procurement, installation and training. We are here to help you secure your network. Contact us and set up a free consultation!

Traditional Firewall vs Next Generation Firewalls (NGFW) Technology

Want to see a video representation of the difference between traditional firewall and Next Generation Firewalls?

This video by Palo Alto Networks does a pretty good job of explaining why traditional firewalls fail in today’s network environments and goes a little bit into the need for application awareness in your firewall in today’s computing environment.  While this video was created by Palo Alto Networks, the basic concept of application awareness vs port blocking is similar to other next generation firewalls such as those from Cisco, Fortinet, and Barracuda.

If you are considering upgrading your old school firewall, application aware technology is a must, and this video gives a quick insight into that technology.


Target President and CEO Gregg Steinhafel Resigns

Data breach continues to cause turmoil

The executive bloodbath continued at Target Corporation (NYSE: TGT) following the December data breach. Today, in a letter to the board of directors that was posted to Target’s website, Gregg Steinhafel stated: “The last several months have tested Target in unprecedented ways. From the beginning, I have been committed to ensuring Target emerges from the data breach a better company, more focused on delivering for our guests.”

Gregg Steinhafel, an employee of Target for over 35 years, will continue to be a part of the transition to a new CEO when one is found. He is not the only casualty of the credit card data breach. CIO Beth Jacob resigned in March. Last week Target announced that Bob DeRodes would take over that position today. According to his LinkedIn profile, Mr. DeRodes has a long history of executive IT positions with companies such as NCR, The Home Depot, Delta Airlines and Citibank. He was also a board member of cloud-based application security company Veracode.

Data security has continued to be a hot topic within organizations of all sizes, with perimeter protection still taking a front seat. Interest among companies in the capabilities of Next Generation Firewalls (NGFW) or Unified Threat Managers (UTMs) has never been higher, which has been a large windfall for companies that are strong in offering those multi-level security products, such as Fortinet (Nasdaq: FTNT), Palo Alto Networks (NYSE: PANW), CheckPoint Software (Nasdaq: CHKP) and others.

Companies looking for application-aware hardware, software and cloud-based protection from cybercriminals are turning to these vendors more and more to prevent breaches like the one that has wreaked absolute havoc on Target and other organizations.

“What executives of all sized companies are starting to realize is that there are criminals out there that want to steal their data. No longer are SMBs immune with the thinking that their data is not valuable,” said Michael Kupfer, CEO of Chicago-based technology consulting firm Black Diamond Solutions. “Your data needs protecting even if outside compliance does not dictate it to be. Even if Target, as a publicly traded company, did not have compliance forcing them to protect their customers’ data, think about the amount of trust lost with customers, and that leads to trouble in the sales department.”

Target is currently spending about $100 million to speed up the timeline to accept “chip based” credit cards. They hope to have all of their internal Target cards reissued by 2015.

What is a Next Gen Firewall? And Why Should I Care?

I may be going out on a limb here, but I’m going to bet that you found this blog because you were interested in learning more about firewalls. About Internet security? Maybe you wanted to read about next generation security. Bleeding edge. Hype. Hoopla. Who can blame you? You can’t go more than a day without reading about some company that lost millions of private records to hackers. It’s only a matter of time before a hacker aims for your data, your identity, or your financial records.

You are here because you are searching for the best technology that is available to protect yourself against the ever increasing number of threats – very real threats that can expose your data and destroy your online integrity in a matter of seconds.

Let me cut to the chase: You want a Next Generation Firewall.

I’m not going to sell you one, however. I’m not even going to tell you which one to buy. I know better than to stake my reputation on some device that was designed yesterday but will be used to protect against threats that won’t even exist until tomorrow. You shouldn’t either. What I will do is tell you about firewalls so you can decide what is best for your needs and for your network.
It’s a killer sales tactic, I know. Before you big spenders pull out your wallets, let me tell you a few things about firewalls and about internet security that you probably don’t realize.

The three most important things you need to know about firewalls are:

1. All firewalls are insecure.
2. All firewalls are insecure.
3. All firewalls are insecure.

Firewalls are not designed to keep malicious traffic off of your network. Firewalls are designed to recognize friendly traffic and to let it in.

In other words: Firewalls are not steel-reinforced walls and thick iron gates, they are doormen.

That said, there is a difference between a good firewall and a bad firewall. Some firewalls, in fact, act more like greeters at your local Big Box Mart-o-Rama, happily smiling and waving while any and all types of people stroll through the door. You don’t want that. What you want is a doorman who is intelligent, who can recognize people that are coming and going, who can discern their intentions, and who can adapt immediately to sudden changes in circumstances.

This is exactly what you will get in a Next Generation Firewall.

Let’s take one step deeper…

All firewalls rely on ALLOW and DENY rules that define who can enter and who cannot. If I want to attack your network, it’s simple – all I have to do is follow the ALLOW rules, the ones that describe who can enter. If your firewall blocks all incoming traffic from everyone except computers belonging to your sales team, for instance, then all I have to do to break into your network is make my computer look and act like a computer that belongs to your sales team. Your firewall has no choice but to let me – a legitimate attacker – into your network! Why? Because it has to follow the rules.*

These rules are what make every firewall a liability.

This is not a bug or a backdoor. Firewall ALLOW rules represent an intentional hole in your security infrastructure. For this reason, hacking through firewalls is vastly different than other forms of attack. To protect yourself and to choose the best firewall, you must develop new ways of thinking about firewalls and how they function in your network. Sadly, most software firewalls that come with your operating system function in exactly this way. Default firewall security is never enough.

Bad firewalls are like bouncers at night clubs, good firewalls are like the secret security.

So what’s next?

If you truly want the best firewall for your needs, the question you must ask yourself isn’t “What will this firewall protect me against?” You should be asking yourself “What rules do I want my firewall to follow?” Think about that question for a little bit. Maybe even make a list.

OK, welcome back. You probably ran into a big problem with that last question. Even though I told you to think like a firewall and to think about the rules that you need to follow, you probably realized that it’s impossible to define every rule that your firewall will ever need to follow. It’s the same reason that you can’t hire someone to watch your front door and, on day one, give them a list of everyone who will ever enter or exit the door.

What we need are new types of rules. Complex and sophisticated rules that adapt on the fly to the needs of trusted applications, that respond immediately and intelligently to unusual spikes in traffic, and that can accommodate elevated security for special types of connections. Most importantly, and perhaps counterintuitively, you want rules that apply to both sides of the network – inside and outside.

This is what you will get with a Next Generation Firewall.

And this is what you need to think about when you are shopping for a firewall. You don’t need a firewall that mindlessly follows ALLOW and DENY rules. You need a smart device that is going to scale with your security needs, adapting and responding without requiring constant reconfiguration or monitoring, and keeping you informed when trouble arises.

I’m sure you get the picture by now: This is what Next Generation Firewalls are all about.
Stay tuned for more articles on this site where we explore specific features of next generation firewalls, and even report on some performance testing of popular models from names like Palo Alto, Cisco, Juniper, and Dell SonicWALL.

*A similar attack was once perpetrated at an upscale dining establishment when a notorious offender claimed to be Abe Froman, the Sausage King of Chicago. The maître d’ was rule bound and had no choice but to seat the individual and his companions.

Application Awareness: Next Generation Firewall vs. Traditional Firewalls

Working Application Awareness Into Next Generation Firewall:


When considering security in the light of the Internet/Virtual environment, much of the problem is that improvements in such an alien environment are difficult to grasp. The purpose of this blog is to give some real world analogies to how application awareness works in a next gen firewall (NGFW) as opposed to a traditional hardware firewall. I have selected application awareness because I personally believe it is one of the most important differentiators for a Next Generation Firewall.

You can think of a firewall as the wall that secures a physical building. In order for the building to be of use you need to have doors to allow people to travel in and out. Each of these doors has a security guard that checks whether the people exiting or entering have permission to do so. If, based on the rules set up for the guard, the answer is “Yes” for “door 80” (as an example), the guard lets the person through. The guard does not care why the person is there. Further, the guard is incapable of asking other questions to find out the visit’s purpose.

In contrast, a next generation firewall will leverage application awareness, which improves the qualifying process for entry. First it asks, “What is your purpose here?” and second it performs a “strip search” of the people, checking their profile and equipment against a database of criminals and illegal objects. If the stated purpose is not allowed, or it finds anything illegal/harmful, it prevents entry and alerts the appropriate responsible party that an attempt at illegal entry was just made. Firewalls of this kind include Palo Alto Networks (PAN), Checkpoint firewalls, Fortinet, Cisco firewalls, and Juniper firewalls. All of these brands can be set to be application aware. While they may have some significant differences in how they handle and report on the applications that are trying to invade your network, any of these Next Generation Firewalls will be a significantly better solution than what were considered traditional hardware firewalls.

Obviously, these extra steps go a long way toward better securing your environment. Criminals on the Internet are using new ways to gain access to your data and bypass traditional firewalls. 5 years ago no one had ever heard of malware, phishing, or compromised websites. Firewalls that rely on technology more than 5 years old are at risk from threats that were developed to bypass them.

People trying to compromise your environment are leveraging these blind spots and limitations of traditional firewalls to get a foothold within your environment. The longer a company runs a security perimeter that relies on a set of security products that are fundamentally compromised, the greater the chance some nefarious entity will take advantage of that deployment.

A Next Generation Firewall set up with application awareness will allow you to better guard your network perimeter from those trying to gain access for malicious purposes.
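The “door 80” guard above, and the ALLOW-rule point made in the earlier post (an attacker who looks like a sales machine gets waved through), can be modelled side by side. This is an added example, not code from the original posts or from any vendor: a constructed port-based policy and a constructed application-aware policy are run over the same made-up sessions; the subnet, user names, rules and the content marker are all hypothetical.

```python
# Added example: port-based "door guard" vs application-aware "door guard".
# All rules, addresses, users and the content marker are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    src_ip: str            # where the connection claims to come from
    dst_port: int          # the "door" it knocks on
    user: Optional[str]    # identity from a hypothetical directory lookup
    payload: bytes         # first bytes of the session (constructed below)


# Traditional guard: looks only at the claimed source and the door number.
PORT_RULES = [
    {"src_prefix": "10.1.20.", "dst_port": 80, "action": "allow"},
    {"src_prefix": "10.1.20.", "dst_port": 443, "action": "allow"},
]


def port_policy(flow: Flow) -> str:
    for rule in PORT_RULES:
        if flow.src_ip.startswith(rule["src_prefix"]) and flow.dst_port == rule["dst_port"]:
            return rule["action"]
    return "deny"  # implicit deny at the end of the rule base


# Application-aware guard: asks "what is your purpose" (app identification),
# "who are you" (user group) and does the "strip search" (content check).
def identify_app(payload: bytes) -> str:
    """Classify a session from its first bytes, regardless of the port used."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:3] == b"\x16\x03\x01":  # TLS record header of a ClientHello
        return "tls"
    request_line = payload.split(b"\r\n", 1)[0]
    if request_line.split(b" ")[0] in {b"GET", b"POST", b"HEAD", b"PUT"} and b"HTTP/" in request_line:
        return "web-browsing"
    return "unknown"


USER_GROUPS = {"alice": "sales", "bob": "sales"}  # hypothetical directory
APP_RULES = [{"group": "sales", "apps": {"web-browsing", "tls"}, "action": "allow"}]
CONTENT_SIGNATURES = [b"MALWARE-TEST-MARKER"]  # constructed stand-in for a signature


def app_policy(flow: Flow) -> dict:
    app = identify_app(flow.payload)
    group = USER_GROUPS.get(flow.user or "")
    verdict = {"app": app, "user": flow.user, "action": "deny", "alert": False, "reason": ""}
    if any(sig in flow.payload for sig in CONTENT_SIGNATURES):
        verdict.update(alert=True, reason="content matched a signature")
        return verdict
    for rule in APP_RULES:
        if group == rule["group"] and app in rule["apps"]:
            verdict.update(action=rule["action"], reason=f"{group} may use {app}")
            return verdict
    verdict.update(alert=True, reason=f"{app} not permitted for user {flow.user!r}")
    return verdict


def compare(flow: Flow) -> dict:
    """Same session, two guards: the port-only verdict and the app-aware verdict."""
    return {"port_based": port_policy(flow), "app_aware": app_policy(flow)["action"]}


# Constructed sample sessions
SAMPLE_FLOWS = {
    "alice_browsing": Flow("10.1.20.5", 80, "alice",
                           b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    # Right subnet, right door, but the session is SSH and the user is unknown
    "impostor_ssh_on_80": Flow("10.1.20.77", 80, None, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # Legitimate user and application, but the content carries the marker
    "alice_tainted_upload": Flow("10.1.20.5", 80, "alice",
                                 b"POST /upload HTTP/1.1\r\nHost: intranet.example\r\n\r\nMALWARE-TEST-MARKER"),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:22} {compare(flow)}  {app_policy(flow)['reason']}")
```

The port-only guard allows all three sessions because each arrives at door 80 from the sales subnet; the app-aware guard allows only the first and raises an alert on the other two.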

Top 5 Non-Tech Tips a CEO Can Learn from the Target Security Breach

What your US Company and Target Corporation Have In Common

You’re the CEO of a small or medium sized business; define that any way you want. $500,000 to 500,000,000 million in revenues, 5 to 5000 employees, 1 to 1000 locations, or any combination thereof. Your company may not be named Target, but without a doubt your company information is a target. There could not have been a more apropos company to be associated with the largest security breach (most customers affected) in the US than a company named TARGET! Perhaps this will be a wakeup call for all the SMBs out there that have either a “nobody will come after us” or a “my information isn’t valuable to others” attitude.

So here are the Top 5 non-technical things that a CEO should learn from the Target Corporation breach:

1.) Your company info is valuable. If the Target security breach teaches us anything, it is that a company’s data is valuable. Data about your customers, vendors, personnel, marketing strategies, intellectual property, even company memos can do real damage in someone else’s hands, whether your competitors, cyber-thieves, or even your own employees.

We certainly try to prevent our employees from taking company data when they leave the company. Has an employee of your firm ever left and gone to work for a competitor? Of course they have. Your customers, IP, marketing, even the processes that give your firm an advantage are at risk. Cyber thieves are an obvious danger that needs no explanation. You need to make sure this data is being protected both internally and externally. The first step in doing this is realizing that your data is actually valuable and that someone out there wants it.

2.) Fixing a breach is costly. Stating the obvious, Target Corporation is spending oodles of money on PR, discounts to retain customers, attorneys, reporting; the list goes on and on. In fact Target just announced that they will be offering affected customers FREE credit monitoring and identity theft protection. Think of the cost of that. Besides those hard costs, think of the cost in human talent that comes from taking on the project of defending your corporate reputation. Now add the cost of this project being completely unexpected. Can you even measure such costs? Could you, as CEO of your company, basically clear your schedule for the next month or more as Target CEO Gregg Steinhafel is doing? Sure, your company might not have to appear on CNBC to explain your reactions and strategy, but as CEO you will probably have to spend a lot of time explaining those same things to your clients, vendors, and employees. Even if you can eventually delegate that work, it is a costly, unexpected project, which means it delays other legitimate projects that currently have your and your staff’s resources. Can you calculate the cost of putting all of those projects on hold?

3.) Checkbox compliance is NOT a strategy.

You may have heard in TV reports that Target actually did have anti-malware software installed on their terminals, so they are not sure exactly how the breach happened. Now, we do not have any insight into Target’s security policies and procedures and we are not accusing them of anything in this paragraph, but that statement is worth thinking about for a minute, because many companies take a “check it and forget it” approach to security and compliance. Installing software or hardware without putting together a plan to make sure updates happen on a schedule, or without considering known cyber-theft strategies on an ongoing basis, can render any hardware or software solution installed to “comply with the auditor’s checkbox” worthless. Best practices in security should be created, known, and followed. Create a plan in house if you have the technology talent, or outsource it if you don’t. A solid plan is the best start to a strong defense.

4.) Breach Notification: Timing can be Everything. There is a very good chance that the Target security breach did not happen just a day before it was reported. Many times these breaches go undetected for a long time while the “cyber-criminal” is in your systems, looking for an opening to more valuable data. In such cases it would be great to have a plan that incorporates systems and monitoring that document and inform you not only of a breach, but also of actions by these criminals that could be considered an attempted breach. Technologies such as SIEM (Security Information and Event Management) can offer such protection. When put together as part of a strategy with your network or Next Generation Firewall, your staff can truly monitor potential breaches in a much more timely fashion, thereby reducing the effects of a breach or avoiding one altogether.

5.) You can’t just spend to protect. It would be great if all you had to do was purchase a next generation firewall and be all good. However, just as putting more police on a police force won’t necessarily reduce crime in an area, frivolously spending budget on security will not stop all cyber-crime. You can have firewall hardware, firewall software, a free firewall or the best firewall money can buy in your company; if you don’t have a plan of action, you may still be in for a breach.

Of course every company has a responsibility to its clients, vendors, stakeholders, and even shareholders to try to protect its systems, but educating your employees about cybercrime and the little things they can do to keep an eye out or help prevent it can also go a long way. The cybercriminal is always trying to be one step ahead, just as street criminals try to be with the police. So we have to use tools and education to try to keep up and prevent them from being successful. You do need to budget for solutions. There are of course many hardware firewalls: Cisco, Palo Alto, Fortinet, Checkpoint, or Juniper. However, you can implement any hardware, and if you do not follow best practices on implementation, you can easily fail to get the most out of the money you spend. You have to plan and spend, not just spend.

As a CEO, it is important that you understand the risks and consequences of a poorly laid out security plan. You are likely not the one who will be executing such a plan, but a breach will certainly fall squarely on your plate to fix. It is highly recommended that you designate someone on your staff to see that such a strategy is produced. Also, make sure that one of the responsibilities of this staff member is to inform you on a regular basis as to how the plan is being executed, so that diligence and not checkbox compliance is exercised. The CEO’s knowledge of this topic is essential if a breach were ever to occur. You will be much better prepared to deal with what is likely to become a very public affair if you have been involved and informed along the way.

So take these lessons from Target’s misfortune and try to avoid such an occurrence within your organization. You and your staff won’t be able to stop all attempts to target your company’s data, but with the right tools you can both prevent breaches as well as be notified as early as possible if there are attempts at breaches. As CEO this is not the way you want to get your name out there.

Not Your Father’s Perimeter Protection

by Michael Kupfer

The use of firewalls as a network control piece has been around for about 20 years.  In the most basic terms, a firewall sits in front of your network and blocks items coming in on certain ports to prevent intrusion into the network by people who want to gain access for malicious intent.

Over the years, the firewall industry has grown to have many players. Traditional players such as Checkpoint, Cisco, and SonicWALL (now owned by Dell) have all found this market to be a strong growth space over the past 2 decades, as network traffic has increased and compliance for organizations has become more strictly enforced.

Some recent trends in the types of intrusion have made the securing of a network both more difficult as well as more financially necessary.

Below are four major trends that make firewall usage as well as next generation firewall usage an important part of your security strategy.

  • The motivations of the intruders
    • 15 years ago the typical intruder would try to break into a network with the main goal of intruding and then screaming about how they did it. An ego thing, if you will, all played out in what we would now call the internet but back then were “chat rooms”.
    • Today attackers are not screaming anything. In fact they are quietly intruding NOT for the purpose of being able to say they accomplished it, but to slowly and quietly gain access to other systems in the network. The purpose of this is to steal data: client lists, credit card information, trade secrets, company IP. All of these are sellable in today’s “internet world”, and not even so discreetly. Just check out the results when you “GOOGLE” the term “How to buy stolen credit cards”.
    • The underground market for this type of information is large, and the technology to penetrate networks for as much information as can be obtained is heavily invested in by these cyber-crooks.

There are plenty of easy-to-find outlets for stolen credit cards.

  • Heftier compliance
    • Stricter compliance demands that companies invest in technologies that protect client data. PCI compliance, for example, states guidelines that must be followed to protect client credit cards from being accessed. With the authority to fine offenders who can’t pass audits or who are breached, as well as the ability to deny those organizations the ability to accept credit cards, the PCI Security Standards Council has a lot of leverage in making sure investments are made in data protection.
  • Company brand protection
    • Nothing can ruin a company faster than the loss of trust. Especially in the past 5 years there has been no shortage of companies having to deal with the financial, public relations, marketing and legal consequences of information breaches.
    • Sony Online Entertainment, Citibank, and many other high-profile names have had breaches. There are some pretty big names on a recent list of worst breaches. Corporations are not alone: universities such as Harvard, Stanford, Cornell, Princeton and others have all had to deal with the MULTIPLE costs associated with a breach.
    • Some brands can be ruined forever. For example, how comfortable would you be donating to a specific non-profit that had its data breached, allowing undesirables to collect lots of data about your charitable giving as well as potential personal information? The answer is probably “not very”. That organization’s brand is forever tainted as soon as a breach of data is reported on the ten o’clock news.
  • You are not too small anymore
    • Most small to mid-sized companies think “I am too small for someone to want my data” or, even more often, “What data do I have that others would even consider valuable?”
    • The answers to those questions are the following: 1) You are not too small. Hackers trying to get through your perimeter find it much easier to target mid-sized or even small companies because those companies are more likely to be easier to breach. They do not necessarily have the compliance concerns that a Fortune 500 company may have, nor do they typically have the budget to re-invest as new ways of hacking become available. 2) You absolutely have data that others would want. Do you keep your documents, drawings, designs, client credit cards, client database, marketing strategies, legal documents, corporate memos, financials, or web content on tape or disk within your environment? Would any of your competitors like to get this information? Don’t put it past a thief of corporate information to make his first call to your biggest rival in the industry.


The motivations of the bad guys, as well as compliance and the fear of brand devaluation, have made data protection a top priority for organizations both large and small. The types of networks we work with today, as well as the explosion of internet use within our organizations, have forced security vendors such as the firewall vendors to constantly adapt. If you are asking yourself “What is a Next Generation Firewall?”, the answer is the latest adaptation of the old faithful of the industry, the device that is there to protect our network.

More to come on NGFW in future posts.