Value behind Enterprise Application-Aware Firewalls
Firewalls have remained largely unchanged since their emergence 25 years ago, but with Web 2.0 technologies surfacing, organizations are in need of a solution that can distinguish different risks within a website's features and content. This expert E-Guide, brought to you by SearchSecurity.com, explores the value behind application-aware firewalls and uncovers why they're in such high demand among users.

By: Michael Cobb, Application Security

Firewalls have been the predominant form of security for Internet-connected networks for some 25 years now. While the technology remained largely unchanged for much of that time, more recently a new generation of "application-aware" firewalls has emerged to deal with today's application-centric threats.

During this last quarter century, attackers have moved from targeting operating systems to targeting the applications that run on them, moving up the protocol stack to use protocols such as HTTP and XML to launch sophisticated attacks. These attacks are designed to circumvent the traditional access control policies enforced by perimeter firewalls. In turn, firewalls have added more functionality to be able to operate on all layers of the protocol stack, from layer 2 to layer 7, inspecting traffic and analyzing protocols to thwart the latest attack techniques.

Firewalls have traditionally been based on a "block or allow" model: "bad" packets are blocked by the firewall, and any packets that don't violate rules are deemed "good" and allowed to pass through. However, today, with the emergence of Web 2.0 technologies, organizations need a firewall that is able to distinguish between different risks within a website's features and content, and apply policies accordingly.
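As an added illustration (not code from the guide or from any vendor named in it) of the gap between the block-or-allow model and context-aware policy, the toy Python engine below identifies an application from a payload signature rather than its port and then applies rules of the kind the guide goes on to list: a sub-feature block ("Facebook but no Farmville"), a business-hours connection quota, a P2P block on any port, and a group restriction. The signatures, group names, hours and the 10% threshold are constructed assumptions.

```python
"""Toy application-aware policy engine (constructed example, not vendor code)."""
from dataclasses import dataclass

# Constructed payload signatures: the app is identified by content, not by port.
SIGNATURES = {
    b"\x13BitTorrent protocol": "bittorrent",
    b"Host: www.facebook.com": "facebook",
    b"Host: login.salesforce.com": "salesforce",
}


@dataclass
class Flow:
    user: str
    group: str
    port: int
    payload: bytes
    hour: int          # local hour 0-23 at which the flow was seen
    fb_share: float    # share of current connections already used by Facebook


def classify(payload: bytes) -> tuple:
    """Return (application, feature); feature is a sub-application such as a game."""
    app = next((a for sig, a in SIGNATURES.items() if sig in payload), "unknown")
    feature = "farmville" if app == "facebook" and b"/farmville" in payload else ""
    return app, feature


def port_only_decision(flow: Flow) -> str:
    """Classic block-or-allow: anything on 80/443 is deemed 'good'."""
    return "allow" if flow.port in (80, 443) else "block"


def app_aware_decision(flow: Flow) -> str:
    """Context-aware policy: rules keyed on application, feature, time and group."""
    app, feature = classify(flow.payload)
    if app == "bittorrent":                        # P2P blocked regardless of port
        return "block: p2p"
    if app == "facebook":
        if feature == "farmville":                 # "Facebook but no Farmville"
            return "block: farmville"
        if 9 <= flow.hour < 17 and flow.fb_share >= 0.10:
            return "block: facebook quota (business hours)"   # <10% during 09-17
    if app == "salesforce" and flow.group != "sales":        # group restriction (assumed)
        return "block: group"
    return "allow"
```

The same BitTorrent handshake sent over port 443 is allowed by `port_only_decision` and blocked by `app_aware_decision`, which is the distinction the guide is drawing.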
Many organizations resort to restricting employees' use of certain Web applications altogether, losing out on the potential benefits of Software as a Service (SaaS) and other cloud and mobile apps. These decisions often arise because installed technologies are not able to effectively enforce security policies, as they can't put content into context. The new generation of firewalls, such as SonicWall Inc.'s E-Class and McAfee Inc.'s Firewall Enterprise, are far more context-aware, enabling network administrators to fine-tune network traffic rules. The key features include:

Real-time visualization: Create effective rules that perform as intended based on real-time information and observations, such as bandwidth utilization or sites visited by a user. Monitor how rule changes affect productivity and security and really understand how your network is being used.

Greater levels of granular control: Apply rules to specific applications rather than trying to rely on generic ports or protocols. Ensure critical applications such as Microsoft SharePoint and Salesforce.com get the bandwidth required and review the impact of rule changes via live graphs.

Easy implementation of complex rules: Avoid draconian "block all" rules and use more flexible ones, such as "Facebook but no Farmville," and "Facebook can only use less than 10% of connections and bandwidth during business hours." Also restrict access to certain applications to specific groups or users.

Automatic signature updates: Block dynamically changing applications such as P2P, designed to evade rules, with automatic updates of application signatures regardless of the port or protocol being used.

Control data transfers: Warn users with messages whenever they try to transfer specific files and documents that conflict with policy.

The introduction of real-time visualization makes implementing and regulating such specific rules much easier. Visualization of network traffic makes it easier to create effective rules that perform as intended based on real-time information and observations, such as bandwidth utilization or sites visited by a user. Rules can be applied to specific applications rather than trying to rely on generic ports or protocols, and the business impact of rule changes can be reported back via live graphs.

Application-aware firewalls: Can they do it all?

These next-generation capabilities of enterprise firewalls work alongside the standard gateway antivirus, antispyware and intrusion prevention features of standard firewalls or UTM appliances. It takes a lot of processing power to be able to deliver this level of insight and control, evaluating traffic payloads in real time as they enter and exit the network. Even though these firewalls run on multi-core processors, it's important to ensure they will be able to handle your current and future network traffic loads. For high-volume networks, it still pays to install firewalls that specialize in different layers. Network firewalls can filter large amounts of traffic, catching port-scanning, denial-of-service and other low-level network attacks, leaving the application-aware firewalls to control acceptable use of today's complex Web applications. This way, the right balance between performance and in-depth analysis can be achieved from an organization's infrastructure.

About the author: Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.
Demand among Users

By: Rachel Shuster, Associate Editor

A large majority of users are seeking next-generation firewalls that go beyond port and protocol identification and offer up granular application awareness, according to a recent survey conducted by TechTarget.

According to the study consisting of 221 respondents, 69% said they would seek next-gen firewalls that went deeper than port and protocol identification; 57% would seek a product that enforces policy based on application traffic; 49% wanted a product that incorporates user identity access and management; and 43% are interested in firewalls that can enforce varying policies on specific features or content within an application. Another 55% said they would seek firewalls with intrusion prevention and user identity access capabilities. This highlights a continuing trend in users seeking an all-in-one security appliance.

Next-gen firewalls may be attractive, but are all users ready?

If users are ready to take on advanced next-gen firewalls, are channel partners ready to sell and support them? Joel Snyder, senior partner with consultant firm Opus One, sees the next-generation trend growing but is a little surprised that respondents are that aware of this niche.

"It's not something that many people have experience with because there's only a couple of them out in the market right now. That says there's either a flaw in the survey, or that people are desperate for better security solutions to [solve] the problems they have on their network today."

For larger enterprises, it's most likely the latter. These network managers are beginning to realize they need application-aware firewalls so they can apply a comprehensive policy for outbound connections, said Snyder. But for smaller companies it could be a different story.
"For enterprise managers yes, they can make that jump," he said. "For small business managers, they probably don't understand the difference between a next-generation firewall and a normal UTM. For inbound, server-protected firewalls, a traditional firewall coupled with an internal/external IPS is probably more appropriate than next-gen. [Enterprise] network engineers or managers are going to have to find a channel partner that can help them utilize these next-gen features, or they are going to have to learn how to utilize them themselves."

Next-gen firewalls: How deep does application-awareness go?

Next-gen firewalls may not seem necessary to some, but others want to believe they'll need to get even more complex features over time.

"Of course a next-generation firewall has to have intrusion prevention. An IPS is what many firewalls have traditionally been, but in the face of modern malware attacks especially over social media Web 2.0 sites, these have proved to be ineffective in stopping serious intrusions into the network," said Steven Gilmer, systems administrator at UC Irvine Extension. "A next-generation firewall has to have deep encrypted packet filtering, proxy avoidance detection, block peer-to-peer and look at active content. The next-generation firewall is way past application and user identification. It's what do you do after that? What are you going to do to stop the malware that's encrypted once you identify that app?"

The rise in enterprise use of public Internet, social media and mobile devices has catapulted the next-generation firewall demand, Gilmer said.

"Websites are being hacked regularly. You think you're safe in going to a website where the packets are encrypted, but the bad guys have hacked the site and their malware is inside of that encrypted packet, and that goes straight into your network. The next-generation firewall is trying to deal with that, but the bad guys are keeping up," he said.

Next-generation firewall demands mean more work for partners

So what does this all mean for channel partners?
It will mean the need to gain stronger and more in-depth technological background in firewalls and their capabilities. Previously, partners sold standard firewalls that did not have many bells and whistles. Now they'll have to answer a new level of questions and handle more complex implementations.

"Next-gen firewalls, and especially IPS, are more sophisticated and require more policy definition than a normal firewall," Snyder said. "What channel partners might need to do is both educate and help with templates for intrusion prevention and application identification [on] parts of the firewall. You want a consultant to come in who knows your industry. It's not so much about the training of the product, but the configuration of the product."

Documentation and videos from the vendors greatly help end users become educated with next-gen appliances, Gilmer said. On Virtual Graffiti's website, where Gilmer purchased his next-gen firewall, there are several icons that you can click on where you can see specs and documentation, as well as videos produced by the vendor that educate the end user on next-generation firewalls. Also at Virtual Graffiti, they have vendors put on class seminars, so their engineers and salesmen are schooled.

"Good support services with well-educated vendors are really important for end users," Gilmer added.

Andrew Plato, president of Anitian Enterprise Security, and his team provide these educational services in addition to implementation specifically tailored to user needs.

"We don't pitch a product, we pitch an answer. Our focus is trying to find a technology that meets users' needs while coming in under budget. We are training our staff on that, not just selling boxes and pushing them on people," Plato said.

Some partners are fine with selling ports and protocols, but once security factors like intrusion prevention and application control come into play, that takes a higher skill set that partners may not have, Plato said.

"There is a pressure on a lot of VARs to have security-trained people, and that's not always that easy to get," Plato said.
The future of next-generation firewalls: Will they replace other network products?

The term next-generation may soon be obsolete as the additional demands of firewalls become more common. Additionally, since networks are growing in capabilities, users may want to utilize a firewall that can not only keep up with growth, but perhaps take the place of another solution or two, decreasing products and clutter on the network.

"It's an inevitable evolutionary step. Next-generation firewall will not be its own product category. As the next-generation technology of application identification becomes better understood and is better able to fit into the performance of the devices we have, this will just be a default feature. Soon there will be no such thing as a non-next-generation firewall," Snyder said.

Plato also sees a future in which consolidating products on the network will save time and cost in the enterprise.

"Now, one piece of equipment can do the work of what previously took three, four or five to do. It can provide a broader platform of capabilities. Because of that, that's driving down cost. If you can collapse multiple applications or services onto one platform, you are going to save more money and get more out of less," he said.
Guided by its vision of Dynamic Security for the Global Network, SonicWALL develops advanced intelligent network security and data protection solutions that adapt as organizations evolve and as threats evolve. Trusted by small and large enterprises worldwide, SonicWALL solutions are designed to detect and control applications and protect networks from intrusions and malware attacks through award-winning hardware, software and virtual appliance-based solutions. SonicWALL offers a massively scalable architecture to address the rapid increase in bandwidth speeds and escalating volume, frequency and sophistication of Internet threats. Moreover, SonicWALL drives the cost and complexity out of building and running secure infrastructures, thus enabling greater productivity and IT efficiencies.