
How cloud, virtualization and SDN will complicate future firewall security

By Ellen Messmer
June 27, 2013 01:13 PM ET

Network World - The firewall in decades past was mainly the port-based guardian of the Internet. Now vendors are vying to build so-called "next-generation firewalls" that are "application-aware" because they can monitor and control access based on application use.
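To make the distinction concrete, here is an added illustration that is not from the article or from any vendor mentioned in it. It contrasts the port-based decision a traditional firewall makes with an application-aware decision that looks at what the first bytes of the connection actually carry. The hostnames, the host-to-application mapping, the policy tables and the sample flows are all constructed for the example; a real next-generation firewall uses far larger signature sets and would also inspect TLS SNI, which is left out here.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes sent by the client; constructed for the example

# --- Port-based policy: the traditional model (constructed) -------------------
PORT_POLICY: Dict[int, str] = {80: "allow", 443: "allow", 22: "deny"}

def port_based_decision(flow: Flow) -> str:
    """Decide purely on destination port, as a classic firewall would."""
    return PORT_POLICY.get(flow.dst_port, "deny")

# --- Application identification (simplified) ----------------------------------
# Constructed mapping of hostnames to application names.
HOST_APPS: Dict[str, str] = {
    "example-mail.test": "webmail",
    "example-share.test": "file-sharing",
}

def _http_application(payload: bytes) -> str:
    """Name the application behind an HTTP request from its Host header."""
    host = None
    for line in payload.split(b"\r\n")[1:]:  # skip the request line
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().lower().decode("ascii", "replace")
            break
    if host is None:
        return "http"
    host = host.split(":")[0]  # drop an explicit port, if any
    for suffix, app in HOST_APPS.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return "http"

def identify_application(flow: Flow) -> str:
    """Classify a flow by payload content, independent of destination port."""
    p = flow.payload
    if p.startswith(b"SSH-"):
        return "ssh"
    for method in (b"GET ", b"POST ", b"HEAD ", b"PUT "):
        if p.startswith(method):
            return _http_application(p)
    # TLS record type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello).
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls"  # SNI-based refinement omitted in this example
    return "unknown"

# --- Application-aware policy (constructed) -----------------------------------
APP_POLICY: Dict[str, str] = {
    "webmail": "allow", "http": "allow", "tls": "allow",
    "file-sharing": "deny", "ssh": "deny", "unknown": "deny",
}

def application_aware_decision(flow: Flow) -> Tuple[str, str]:
    """Return (identified application, decision) for a flow."""
    app = identify_application(flow)
    return app, APP_POLICY.get(app, "deny")

# --- Constructed sample flows -------------------------------------------------
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", "192.0.2.10", 80,
         b"GET /inbox HTTP/1.1\r\nHost: mail.example-mail.test\r\n\r\n"),
    Flow("10.0.0.6", "192.0.2.11", 80,
         b"POST /upload HTTP/1.1\r\nHost: upload.example-share.test\r\n\r\n"),
    Flow("10.0.0.7", "192.0.2.12", 80, b"SSH-2.0-OpenSSH_9.0\r\n"),
    Flow("10.0.0.8", "192.0.2.13", 8080,
         b"GET /inbox HTTP/1.1\r\nHost: mail.example-mail.test\r\n\r\n"),
    Flow("10.0.0.9", "192.0.2.14", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]

def evaluate_all(flows: List[Flow]) -> List[Dict[str, str]]:
    """Side-by-side decisions, showing where the two models disagree."""
    rows = []
    for f in flows:
        app, app_decision = application_aware_decision(f)
        rows.append({"dst_port": str(f.dst_port), "port_decision": port_based_decision(f),
                     "application": app, "app_decision": app_decision})
    return rows

if __name__ == "__main__":
    for row in evaluate_all(SAMPLE_FLOWS):
        print(row)
```

The second and third flows are the point: both arrive on port 80, so the port-based rule allows them, while the application-aware check names them as file-sharing and SSH and denies them. The fourth flow shows the reverse, a permitted application on a port the port table never listed.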

In addition, more and more features have been packed into many firewalls, including intrusion-prevention systems (IPS), web filtering, VPN, data-loss prevention, malware filtering, even a threat-detection sandbox that tries to uncover zero-day attacks. A standalone IPS might likewise be called a "next-generation IPS" because of its application controls, such as the IBM Network Security Protection XGS 5000 or the McAfee NS-Series.


It's all part of the race among the firewall/IPS vendors to stay ahead of the pack. They are also pushing for ever-higher throughput, because data centers that have undergone virtualization concentrate more traffic, making higher bandwidth in the firewalls a necessity.

Vendors crave the "thumbs-up" from the influential Gartner consultancy or vie to beat competitors in technical evaluation tests, such as those done by NSS Labs or Neohapsis Labs. But in the end, it's all to win the approval of buyers such as Rusty Agee, who is an information security engineer for the City of Charlotte, N.C., which makes use of a wide array of firewalls.

"Firewalls have evolved," says Agee, and when it comes to function and speed in firewalls and IPS, "I'm always looking for more."

Data-center virtualization, the increased use of mobile devices and the prospect of the city adopting a "Bring Your Own Device" (BYOD) policy are some of the reasons Agee stays open to new possibilities to protect data at the various government agencies. The city's fire and police departments have started using tablets and smartphones, and a BYOD migration policy is now being considered, he points out.

City employees who use mobile devices rely on the Cisco AnyConnect client to establish a VPN connection back to the city's Cisco ASA firewall, according to Agee. Along with other Cisco firewalls and standalone Cisco IPS, the city also makes use of Check Point firewalls and standalone IPS to cordon off traffic to critical servers, data centers, Internet access and the city's wireless network.

But multi-vendor firewall/IPS in the city's network doesn't stop there. The city also has the Palo Alto Networks Next-Generation Firewall to monitor and control employee use of applications. Plus, the city uses the F5 Networks application firewall to look for attack traffic against Web servers. Agee says the city of Charlotte has centralized log management for these security devices with LogRhythm's security information and event management.

Originally published on www.networkworld.com.
Reprinted with permission from NetworkWorld.com. Story copyright 2012 Network World, Inc. All rights reserved.