Defining the Next-Generation Firewall

Gartner RAS Core Research Note G00171540, John Pescatore, Greg Young, 12 October 2009, R3210 04102010

Firewalls need to evolve to be more proactive in blocking new threats, such as botnets and targeted attacks. Enterprises need to update their network firewall and intrusion prevention capabilities to protect business systems as attacks get more sophisticated.

Key Findings

• Thestatefulprotocolfilteringandlimitedapplicationawarenessofferedbyfirst-generationfirewallsarenoteffectiveindealingwithcurrentandemergingthreats.

• Usingseparatefirewallsandintrusionpreventionappliancesresultsinhigheroperationalcostsandnoincreaseinsecurityoveranoptimizedcombinedplatform.

• Next-generationfirewalls(NGFWs)areemergingthatcandetectapplication-specificattacksandenforceapplication-specificgranularsecuritypolicy,bothinboundandoutbound.

• NGFWswillbemosteffectivewhenworkinginconjunctionwithotherlayersofsecuritycontrols.

Recommendations

• Ifyouhavenotyetdeployednetworkintrusionprevention,requireNGFWcapabilitiesofallvendorsatyournextfirewallrefreshpoint.

• Ifyouhavedeployedbothnetworkfirewallsandnetworkintrusionprevention,synchronizetherefreshcycleforbothtechnologiesandmigratetoNGFWcapabilities.

• Ifyouusemanagedperimetersecurityservices,looktomoveuptomanagedNGFWservicesatthenextcontractrenewal.

WHAT YOU NEED TO KNOWAnNGFWisawire-speedintegratednetworkplatformthatperformsdeepinspectionoftrafficandblockingofattacks.ThereareproductstodaywithNGFWcharacteristics,butthesemustnotbeconfusedwithwell-marketedfirst-generationfirewallsorproductsmoreappropriateforsmallbusinesses(seeNote1).

2ANALYSISChangingbusinessprocesses,thetechnologythatenterprisesdeploy,andthreatsaredrivingnewrequirementsfornetworksecurity.Increasingbandwidthdemandsandnewapplicationarchitectures(suchasWeb2.0)arechanginghowprotocolsareusedandhowdataistransferred.Threatsarefocusingongettingvulnerableuserstoinstalltargetedmaliciousexecutablesthatattempttoavoiddetection.Simplyenforcingproperprotocoluseonstandardportsandstoppingattackslookingforunpatchedserversarenolongerofsufficientvalueinthisenvironment.Tomeetthesechallenges,firewallsneedtoevolveintowhatGartnerhasbeencalling“next-generationfirewalls.”Iffirewallvendorsdonotmakethesechanges,enterpriseswilldemandpriceconcessionstoreducefirst-generationfirewallcostssubstantiallyandlookatothersecuritysolutionstodealwiththenewthreatenvironment.

What Is a Next-Generation Firewall?Tomeetthecurrentandcominggenerationofnetworksecuritythreats,Gartnerbelievesfirewallsneedtoevolveyetagaintowhatwehavebeencalling“next-generationfirewalls”.Forexample,threatsusingbotnetdeliverymethodshavelargelybeeninvisibletofirst-generationfirewalls.Asservice-orientedarchitecturesandWeb2.0growinuse,morecommunicationisgoingthroughfewerports(suchasHTTPandHTTPS)andviafewerprotocols,meaningport/protocol-basedpolicyhasbecomelessrelevantandlesseffective.Deeppacketinspectionintrusionpreventionsystems(IPSs)doinspectforknownattackmethodsagainstoperatingsystemsandsoftwarethataremissingpatches,butcannoteffectivelyidentifyandblockthemisuseofapplications,letalonespecificfeatureswithinapplications.Gartnerhaslongusedtheterm“next-generationfirewall”todescribethenextstageofevolutiontodealwiththeseissues.

Gartnerdefinesanetworkfirewallasanin-linesecuritycontrolthatimplementsnetworksecuritypolicybetweennetworksofdifferenttrustlevelsinrealtime.Gartnerusestheterm“next-generationfirewall”toindicatethenecessaryevolutionofafirewalltodealwithchangesinboththewaybusinessprocessesuseITandthewaysattackstrytocompromisebusinesssystems.Asaminimum,anNGFWwillhavethefollowingattributes:

• Supportin-linebump-in-the-wireconfigurationwithoutdisruptingnetworkoperations.

• Actasaplatformfornetworktrafficinspectionandnetworksecuritypolicyenforcement,withthefollowingminimumfeatures:

• Standardfirst-generationfirewallcapabilities:Usepacketfiltering,network-addresstranslation(NAT),statefulprotocolinspection,VPNcapabilitiesandsoon.

• Integratedratherthanmerelycolocatednetworkintrusionprevention:Supportvulnerability-facingsignaturesandthreat-facingsignatures.TheIPSinteractionwiththefirewallshouldbegreaterthanthesumoftheparts,suchasprovidingasuggestedfirewallruletoblockanaddressthatiscontinuallyloadingtheIPSwithbadtraffic.Thisexemplifiesthat,intheNGFW,itisthefirewallcorrelatesratherthantheoperatorhavingtoderiveandimplementsolutionsacrossconsoles.HavinghighqualityintheintegratedIPSengineandsignaturesisaprimarycharacteristic.IntegrationcanincludefeaturessuchasprovidingsuggestedblockingatthefirewallbasedonIPSinspectionofsitesonlyprovidingmalware.

• Applicationawarenessandfullstackvisibility:Identifyapplicationsandenforcenetworksecuritypolicyattheapplicationlayerindependentofportandprotocolversusonlyports,protocolsandservices.ExamplesincludetheabilitytoallowSkypeusebutdisablefilesharingwithinSkypeortoalwaysblockGoToMyPC.

• Extrafirewallintelligence:Bringinformationfromsourcesoutsidethefirewalltomakeimprovedblockingdecisions,orhaveanoptimizedblockingrulebase.Examplesincludeusingdirectoryintegrationtotieblockingtouseridentity,orhavingblacklistsandwhitelistsofaddresses.

• Supportupgradepathsforintegrationofnewinformationfeedsandnewtechniquestoaddressfuturethreats.

ExamplesofenforcementbyanNGFWincludeblockingoralertingonfine-grainednetworksecuritypolicyviolations,suchastheuseofWebmail,anonymizers,peer-to-peerorPCremotecontrol.SimplyblockingaccesstoknownsourcesoftheseservicesbydestinationIPaddressesisnotenough.Policygranularityrequirestheblockingofonlysometypesofapplicationcommunicationtoanotherwisepermissibledestination,andredirectorsmakeadefinitiveblacklistimpossibletoachieve.ThismeansthattherearemanyundesirableapplicationsthatanNGFWcanidentifyandblockevenwhentheyaredesignedtobeevasiveorareencryptedwithSSL.Anadditionalbenefitofapplicationidentificationcanbebandwidthcontrol,sinceremoving,forexample,undesiredpeer-to-peertrafficcangreatlyreducethebandwidthusage.

What Is an NGFW Not?Therearenetwork-basedsecurityproductspacesthatareadjacenttoNGFWbutnotequivalent:

• Small or midsize business (SMB) multifunction firewalls or unified threat management (UTM) devices:Thesearesingleappliancesthathostmultiplesecurityfunctions.Whiletheyinvariablyincludefirst-generationfirewallandIPSfunctions,theydonotprovidetheapplicationawarenessfunctionsandarenotgenerallyintegrated,single-engineproducts.Theyareappropriateforcostsavinginbranchofficesandforuseby

©2009Gartner,Inc.and/oritsAffiliates.AllRightsReserved.Reproductionanddistributionofthispublicationinanyformwithoutpriorwrittenpermissionisforbidden.Theinformationcontainedhereinhasbeenobtainedfromsourcesbelievedtobereliable.Gartnerdisclaimsallwarrantiesastotheaccuracy,completenessoradequacyofsuchinformation.AlthoughGartner’sresearchmaydiscusslegalissuesrelatedtotheinformationtechnologybusiness,Gartnerdoesnotprovidelegaladviceorservicesanditsresearchshouldnotbeconstruedorusedassuch.Gartnershallhavenoliabilityforerrors,omissionsorinadequaciesintheinformationcontainedhereinorforinterpretationsthereof.Theopinionsexpressedhereinaresubjecttochangewithoutnotice.

3smallercompanies,buttheydonotmeettheneedsoflargerenterprises.Thiscategoryofexclusionincludesfirst-generationfirewallspairedwithlow-qualityIPS,and/orhavingdeepinspectionandapplicationcontrolfeaturesmerelycolocatedintheapplianceratherthanatightintegration,whichisgreaterthanthesumoftheparts.

• Network-based data loss prevention (DLP) appliances: Theseperformdeeppacketinspectionofnetworktraffic,butfocusondetectingifpreviouslyidentifiedtypesofdataaretransitingtheinspectionpoint.Theyimplementdatasecuritypolicywithnoreal-timerequirement,notwire-speednetworksecuritypolicy.

• Secure Web gateways (SWGs): ThesefocusonenforcingoutbounduseraccesscontrolandinboundmalwarepreventionduringHTTPbrowsingovertheInternet,throughintegratedURLfilteringandthroughWebantivirus.Theyimplementmoreuser-centricWebsecuritypolicy,notnetworksecuritypolicy,onan“anysourcetoanydestinationusinganyprotocol”basis.

• Messaging security gateways:Thesefocusonlatency-tolerantoutboundcontentpolicyenforcementandinboundmailanti-spamandanti-malwareenforcement.Theydonotimplementwire-speednetworksecuritypolicy.

Whiletheseproductsmaybenetwork-basedandusesimilartechnology,theyimplementsecuritypoliciesthataretheresponsibilityandauthorityofdifferentoperationalgroupswithinmostbusinesses.GartnerbelievestheseareaswillnotconvergebeforeITandsecurityorganizationalresponsibilitieshaveradicallychanged.

AnNGFWisalsonotan“identityfirewall”oranidentity-basedaccesscontrolmechanism.Inmostenvironments,thenetworksecurityorganizationhasneithertheresponsibilitynortheauthorityforenforcinguser-basedaccesscontrolpoliciesattheapplicationlevel.GartnerbelievesthatNGFWswillbeabletoincorporateuseridentityinformationatthegrouplevel(thatis,shadowingActiveDirectory)tomakebetternetworksecuritydecisions,buttheywillnotberoutinelyusedforenforcinggranularuser-levelenforcementdecisions.

NGFW AdoptionLargeenterpriseswillreplaceexistingfirewallswithNGFWsasnaturalfirewallandIPSrefreshcyclesoccurorasincreasedbandwidthdemandsorsuccessfulattacksdriveupgradestofirewalls.Today,thereareafewfirewallandIPSvendorsthathaveadvancedtheirproductstoprovideapplicationawarenessandsomeNGFWfeatures,andtherearesomestartupcompaniesthatarefocusedonNGFWcapabilities.GartnerbelievesthatchangingthreatconditionsandchangingbusinessandITprocesseswilldrivenetworksecuritymanagerstolookforNGFWcapabilitiesattheirnextfirewall/IPSrefreshcycle.ThekeytosuccessfulmarketpenetrationbyNGFWvendorswillbetodemonstratefirst-generationfirewallandIPSfeaturesthatmatchcurrentfirst-generationcapabilitieswhileincludingNGFWcapabilitiesatthesameoronlyslightlyhigherpricepoints.

Gartnerbelievesthatlessthan1%ofInternetconnectionstodayaresecuredusingNGFWs.Webelievethatbyyear-end2014thiswillriseto35%oftheinstalledbase,with60%ofnewpurchasesbeingNGFWs.

Note 1

First-Generation Firewalls

First-generationfirewallscameaboutwhenconnectingtrustedinternalsystemstotheInternetresultedintherapidanddisastrouscompromiseofvulnerableinternalsystems,asevidencedbytheimpactoftheMorriswormin1988.Theiruseevolvedtoincludeimplementingsecurityseparationofinternalnetworksegmentsatdifferenttrustlevelsaswell,suchasDMZlayersinanextranetorindatacenterzones.Anetworkfirewallcanbeimplementedinawiderangeofformfactors,butitmustalwaysoperateatnetworkspeedsand,ataminimum,causenodisruptiontonormaloperationofthenetwork.

Standardnetworksecuritypolicyconsistsoftwoparts:

• Block all that is not explicitly allowed: Earlyfirewallsblockedconnectionsatthesource/destinationIPaddresslevelandthenevolvedtodosoattheportandprotocollevel.Asfirewallsmatured,thisenforcementofproperprotocolstatebecamemainstream.Morerecently,advancedfirewallshavedevelopedthecapabilitytorecognizeandblockconnections:

• Attheapplicationlevel

• Basedoncharacteristicsofthesourceaddressassociatedthroughexternalinformationsources(suchasgeolocation,knownsourcesformalware,orwhichuserisconnecting)

• Inspect what is allowed to detect and block attacks and misuse: Intheearlyyearsoffirewalls,proxy-basedfirewallsperformedmoredetailedinspectionofthetrafficallowedtopassthroughthefirewallandattemptedtodetectandblockmaliciousactions.However,earlyproxyfirewallsweresoftware-basedanddidnothavethehorsepowertokeepupwiththeincreasingspeedofnetworksortheincreasingcomplexityofapplicationsandattacks,andtheincreaseinnewapplicationsoutstrippedtheabilitytocreatenewapplication-specificproxies.IPSsbasedonpurpose-builtappliances,toperformdeeppacketinspection,haveevolvedastheprimarynetworksecuritycontrolimplementingthisfunction.