How cloud, virtualization and SDN will complicate future firewall security
Network World - The firewall in decades past was mainly the port-based guardian of the Internet. Now vendors are vying to build so-called "next-generation firewalls" that are "application-aware" because they can monitor and control access based on application use.
In addition, more and more features have been packed into many firewalls that include intrusion-prevention systems (IPS), web filtering, VPN, data-loss prevention, malware filtering, even a threat-detection sandbox to try and uncover zero-day attacks. When it comes to the standalone IPS, it might be called "next-generation IPS" as well due to its application controls, such as the IBM Network Security Protection XGS 5000, or the McAfee NS-Series.
It's all part of the race among firewall/IPS vendors to stay ahead of the pack, and they are also pushing for ever-higher throughput: data centers that have undergone virtualization now make higher firewall bandwidth a necessity.
Vendors crave the "thumbs-up" from the influential Gartner consultancy or vie to beat competitors in technical evaluation tests, such as those done by NSS Labs or Neohapsis Labs. But in the end, it's all to win the approval of buyers such as Rusty Agee, who is information security engineer for the City of Charlotte, N.C., which makes use of a wide array of firewalls.
"Firewalls have evolved," says Agee, and when it comes to function and speed in firewalls and IPS, "I'm always looking for more."
Data-center virtualization, the increased use of mobile devices and the prospect of the city adopting a "Bring Your Own Device" (BYOD) policy are some of the reasons Agee stays open to new possibilities to protect data at the various government agencies. The city's fire and police departments have started using tablets and smartphones and a BYOD migration policy is now being considered, he points out.
City employees who use mobile devices rely on the Cisco AnyConnect client to establish a VPN connection back to the city's Cisco ASA firewall, according to Agee. Along with other Cisco firewalls and standalone Cisco IPS, the city also makes use of Check Point firewalls and standalone IPS to cordon off traffic to critical servers, data centers, Internet access and the city's wireless network.
But the multi-vendor firewall/IPS mix in the city's network doesn't stop there. The city also has the Palo Alto Networks Next-Generation Firewall to monitor and control employee use of applications. Plus, the city uses the F5 Networks application firewall to look for attack traffic against Web servers. Agee says the city of Charlotte has centralized log management for these security devices with LogRhythm's security information and event management (SIEM) system.