Meet The Next Next-Gen Firewall

Or at least the latest iteration of one of the oldest-running security tools that continues to evolve and transform with the times.

This is not your father's firewall. In fact, most security experts say that this newest variety of the staple perimeter traffic-control box shouldn't even be called a firewall anymore.

The modern firewall, aka the next-generation firewall, application-layer firewall, or deep-packet inspection firewall, has indeed been evolving dramatically for years. And today, Cisco Systems, which of late arguably had been losing ground in the next-gen firewall realm, made a big plunge into that space by adding Sourcefire's application control, IPS, and advanced threat detection to its ASA 5500 firewall.

In yet another example of the firewall's changing and expanding role, cloud application control provider Skyhigh Networks announced today that it has teamed up with next-gen firewall vendor Palo Alto Networks to blend Skyhigh's cloud-based application control service with PAN's platform. The combination essentially adds a cloud-based application firewall to the governance and policy management of SaaS applications.

"This integration makes the cloud-aware firewall, [and with] PAN integrated with Skyhigh, more than a firewall because now it is not only enhancing the ability of the firewall to prevent bad stuff from entering the enterprise or the data center, but it is also helping in analyzing and controlling what goes out based on greater cloud intelligence," says Rajiv Gupta, CEO of Skyhigh Networks. "This includes detecting insider threat and infected machines, and preventing confidential data from leaving the enterprise."

Scott Gainey, vice president of product marketing at Palo Alto Networks, says the integration allows controls to be applied more effectively to SaaS applications such as employee Dropbox accounts or other tools enterprises must support today.

PAN describes the next-gen firewall as one that provides a single point of inspection for all traffic, including encrypted traffic, he says. "Then you build services within that" firewall, he says. Those services can include blocking known and unknown threats, such as traffic to known command-and-control servers, he says.

"There's definitely been a transition in the firewall market over time, from stateful inspection, to UTM and NGFW, and now products increasingly centered on advanced threat prevention," says John Grady, program manager for security products at IDC. "I think it's in recognition of the fact that the attack landscape has become incredibly dynamic and detecting advanced attacks is top of mind for a lot of organizations. The firewall market is incredibly competitive, so this type of differentiation is very important to remain relevant. I think we'll continue to see added functionality in this vein."

Cisco's new ASA firewall helps bring the company back into more direct competition with other next-gen firewalls, security experts say.

The goal of Cisco's new ASA with FirePOWER Services is to defend networks before, during, and after an attack or attempted attack, with visibility into new threats, says Scott Harrell, vice president of product management at Cisco's Security Business Group. "Next-generation firewalls were focused on applications. That was useful, but the real problem is about the threat. The firewall must evolve to take on the next-generation threats," he says.

The goal is to minimize the number of security boxes, he says, and to provide a "single pane of glass" to detect the threats. "In a lot of the breaches we have heard about [lately], they [the victims] got a warning" but had so many security systems running, they didn't know which events to focus on, he says.

But the underlying security dilemma exposed in recent data breaches is that some large organizations such as Target still run traditional, flat networks that leave them exposed to attacks via their third-party suppliers, according to security experts. In Target's case, the weak link was its interconnected HVAC supplier. "Target's network wasn't segmented … It's easier to penetrate if you have a flat network," says John Kindervag, vice president and principal analyst with Forrester. If the mega retailer had segmented the HVAC system access, the attackers may only have been able to make the Target facilities cooler or warmer, but they couldn't have stolen the customer data, he says.

Kindervag calls next-gen firewalls "segmentation gateways."

"Instead of at the edge, you put them at the center where they can be more effective," Kindervag says. "I'm excited to see Cisco jump into the fray with [its new] segmentation gateway."

Kindervag says the PAN-Skyhigh integration is a significant move. "You have the two sides of the security business pulling together -- the on-premises side and the cloud side," he says. "They have figured out a way to have visibility and control across both those vectors with a single pane of management."

End of a legacy?
Meanwhile, PAN's Gainey concurs that the label "firewall" has indeed become outmoded and persists largely because it is familiar. The product is now more of a platform for multiple functions, he says.

"It's a legacy term. No one has really come up with anything more creative."

Look for more next next-gen firewalls -- or segmentation gateways -- to add endpoint security features. "A tremendous amount of knowledge can be gained listening to" endpoint traffic, he says. "Endpoints have the potential to see a lot of the network you won't see otherwise, especially if the endpoint is operating off-network."

Cisco's Harrell says his company's platform already supports endpoint security with "multi-vector correlation." He says the new ASA firewall comes with the same advanced malware protection features as FirePOWER, and also integrates with Cisco's endpoint AMP technology.

The bottom line, though, is that none of the new features in today's next-gen firewalls are especially advanced, notes Adrian Sanabria, senior analyst with the Enterprise Security Practice at 451 Research. "The playing field is pretty level with these products nowadays, and if enterprises don't have products labeled 'next-gen' and 'advanced' at this point, they might not be able to defend against stuff that has become pretty normal nowadays," Sanabria says.

He sees the cloud app control market -- Skyhigh's sector -- as the next big thing. "This is truly a new market, though it builds on existing technologies. Earlier this year, I wrote that I expected acquisitions to heat up in this area, and pegged Palo Alto Networks and Cisco as potential acquirers," Sanabria says.

So is the firewall as we knew it dead? "I think this is the next evolution. And like all transitions, it can take some time, so [I'm] not ready to say it's dead. Also, different use-cases require different functionality," IDC's Grady says. "I think in the data center, a firewall closer to what we've known remains relevant -- at least until SDN really takes hold. Performance, scalability, and virtualization support are all more important in that scenario. At the edge, application visibility and advanced threat capabilities are important."

Forrester's Kindervag puts it more bluntly: "The traditional firewall is dead like the traditional network is dead. The traditional network falls down all the time," so it has to be rebuilt, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Robert McDougal, User Rank: Ninja, 9/18/2014 | 4:27:05 PM
Re: Meaning of Next Gen
Agreed, we can't rely on "generational" technology. New threats occur on almost a daily basis and we need defenses that are agile and dynamic enough to meet those threats. Sadly, even these "next-gen" firewalls are already outdated.

Kelly Jackson Higgins, User Rank: Strategist, 9/17/2014 | 11:00:17 AM
Re: Meaning of Next Gen
It's all in the name! I really do wish vendors would stop calling them firewalls, but I get that enterprises and their execs are familiar with the term, so it's good for the sales side. =)

It is really interesting just how far the firewall/segmentation gateway has come, though.

Marilyn Cohodas, User Rank: Strategist, 9/17/2014 | 9:35:26 AM
Meaning of Next Gen
Changes are occurring so quickly in technology in general and security in particular that the term "next gen" is so overused that it is practically meaningless! In terms of descriptive accuracy, I like Forrester's John Kindervag's term -- "segmentation gateways" -- but it's not nearly as intriguing as the term "next gen."