Cloud

9/16/2014
05:05 PM
Meet The Next Next-Gen Firewall

Or at least the latest iteration of one of the oldest-running security tools that continues to evolve and transform with the times.

This is not your father's firewall. In fact, most security experts say the newest variety of this staple perimeter traffic-control box shouldn't even be called a firewall anymore.

The modern firewall, aka the next-generation firewall, application-layer firewall, or deep-packet inspection firewall, indeed has been evolving dramatically for years. And today Cisco Systems, which of late arguably had been losing ground in the next-gen firewall realm, made a big plunge into that space by adding Sourcefire's application control, IPS, and advanced threat detection to its ASA 5500 firewall.

In yet another example of the firewall's changing and expanding role, cloud application control provider Skyhigh Networks announced today that it has teamed up with next-gen firewall vendor Palo Alto Networks to blend Skyhigh's cloud-based application control service with PAN's platform, which basically adds a cloud-based application firewall to the governance and control policy management of SaaS-based applications.

"This integration makes the cloud-aware firewall, [and with] PAN integrated with Skyhigh, more than a firewall because now it is not only enhancing the ability of the firewall to prevent bad stuff from entering the enterprise or the data center, but it is also helping in analyzing and controlling what goes out based on greater cloud intelligence," says Rajiv Gupta, CEO of Skyhigh Networks. "This includes detecting insider threat and infected machines, and preventing confidential data from leaving the enterprise."

Scott Gainey, vice president of product marketing at Palo Alto Networks, says the integration allows better application of controls to SaaS applications such as employee Dropbox accounts or other tools enterprises must support today.

PAN describes the next-gen firewall as one that provides single inspection of all traffic, including encrypted traffic, he says. "Then you build services within that" firewall, he says. Those services can include, for example, ones that block known and unknown threats and traffic to known command-and-control servers, he says.

"There’s definitely been a transition in the firewall market over time, from stateful inspection, to UTM and NGFW, and now products increasingly centered on advanced threat prevention," says John Grady, program manager for security products at IDC. "I think it’s in recognition to the fact that the attack landscape has become incredibly dynamic and detecting advanced attacks is top of mind for a lot of organizations. The firewall market is incredibly competitive, so this type of differentiation is very important to remain relevant. I think we’ll continue to see added functionality in this vein."

Cisco's new ASA firewall helps bring the company back into more direct competition with other next-gen firewalls, security experts say.

Defending networks before, during, and after an attack or attack attempt is the goal of Cisco's new ASA with FirePOWER Services, with visibility into new threats, says Scott Harrell, vice president of product management at Cisco's Security Business Group. "Next-generation firewalls were focused on applications. That was useful but the real problem is about the threat. The firewall must evolve to take on the next-generation threats," he says.

The goal is to minimize the number of security boxes, he says, and to provide a "single pane of glass" to detect the threats. "In a lot of the breaches we have heard about [lately], they [the victims] got a warning" but had so many security systems running, they didn't know which events to focus on, he says.

But the underlying security dilemma exposed in recent data breaches is that some large organizations such as Target still run traditional, flat networks that leave them exposed to attacks via their third-party suppliers, according to security experts. In Target's case, the weak link was its interconnected HVAC supplier. "Target's network wasn't segmented … It's easier to penetrate if you have a flat network," says John Kindervag, vice president and principal analyst with Forrester. If the mega retailer had segmented the HVAC system access, the attackers may only have been able to make the Target facilities cooler or warmer, but they couldn't have stolen the customer data, he says.

Kindervag calls next-gen firewalls "segmentation gateways."

"Instead of at the edge, you put them at the center where they can be more effective," Kindervag says. "I'm excited to see Cisco jump into the fray with [its new] segmentation gateway."
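The segmentation argument above can be made concrete with a small zone-based policy model. This is an added example, not code from the article or from any of the vendors it discusses; the zone names (vendor_hvac, building_mgmt, pos, cardholder_data, corp_users), ports and rules are constructed to mirror the flat-versus-segmented scenario described, and the policy format is a hypothetical simplification of what a segmentation gateway enforces. It contrasts a flat "any-to-any" policy with an explicit default-deny policy, and then computes which zones are transitively reachable from the vendor zone under each, which is the check a defender runs to answer "if this supplier link is compromised, where can it get to?"

```python
from collections import deque
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = "*"  # wildcard zone used only in the flat policy


@dataclass(frozen=True)
class Rule:
    """Explicit allow rule between two zones; ports=None means any port."""
    src: str
    dst: str
    ports: Optional[FrozenSet[int]] = None


@dataclass(frozen=True)
class Flow:
    """A single connection attempt between zones (constructed input)."""
    src: str
    dst: str
    port: int


# Hypothetical zones modelled on the scenario in the article.
ZONES = ["vendor_hvac", "building_mgmt", "corp_users", "pos", "cardholder_data"]

# A flat network: one rule, everything reaches everything.
FLAT_POLICY: List[Rule] = [Rule(ANY, ANY)]

# A segmented network: only the flows the business actually needs are allowed;
# anything not listed is denied by default. Ports are constructed examples.
SEGMENTED_POLICY: List[Rule] = [
    Rule("vendor_hvac", "building_mgmt", frozenset({443})),   # vendor maintains HVAC controllers
    Rule("corp_users", "building_mgmt", frozenset({443})),    # facilities staff use the HVAC console
    Rule("corp_users", "pos", frozenset({22})),               # POS administration
    Rule("pos", "cardholder_data", frozenset({5432})),        # POS writes transactions
]


def is_allowed(policy: List[Rule], flow: Flow) -> bool:
    """Default-deny evaluation: a flow passes only if some rule explicitly allows it."""
    for rule in policy:
        if (rule.src in (ANY, flow.src)
                and rule.dst in (ANY, flow.dst)
                and (rule.ports is None or flow.port in rule.ports)):
            return True
    return False


def reachable_zones(policy: List[Rule], start: str, zones: List[str] = ZONES) -> List[str]:
    """Zones a host in `start` can reach transitively over any allowed port (breadth-first)."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for other in zones:
            if other in seen:
                continue
            if any(r.src in (ANY, zone) and r.dst in (ANY, other) for r in policy):
                seen.add(other)
                queue.append(other)
    seen.discard(start)
    return sorted(seen)


def segmentation_report(start: str) -> dict:
    """Compare the blast radius of a zone under the flat and segmented policies."""
    return {
        "flat": reachable_zones(FLAT_POLICY, start),
        "segmented": reachable_zones(SEGMENTED_POLICY, start),
    }


if __name__ == "__main__":
    # Constructed flow: the vendor zone trying to talk straight to the card data store.
    probe = Flow("vendor_hvac", "cardholder_data", 5432)
    print("flat allows vendor->cardholder_data:", is_allowed(FLAT_POLICY, probe))
    print("segmented allows vendor->cardholder_data:", is_allowed(SEGMENTED_POLICY, probe))
    print(segmentation_report("vendor_hvac"))
```

The reachability function is the useful part for an audit: it ignores ports and asks only whether any path exists, so a zone that is "allowed" to reach a management host which is in turn allowed to reach a sensitive store shows up as a two-hop exposure. In the constructed segmented policy the vendor zone can reach only building_mgmt, which is the outcome Kindervag describes: a compromised supplier link can affect the facilities systems but has no route to customer data.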

Kindervag says the PAN-Skyhigh integration is a significant move. "You have the two sides of the security business pulling together -- the on-premises side and the cloud side," he says. "They have figured out a way to have visibility and control across both those vectors with a single pane of management."

End of a legacy?
Meanwhile, PAN's Gainey concurs that the label of "firewall" indeed has become outmoded and is more a function of its familiarity. It's now more of a platform for multiple functions, he says.

"It's a legacy term. No one has really come up with anything more creative."

Look for more next next-gen firewalls -- or segmentation gateways -- to add endpoint security features. "A tremendous amount of knowledge can be gained listening to" endpoint traffic, he says. "Endpoints have the potential to see a lot of the network you won't see otherwise, especially if the endpoint is operating off-network."

Cisco's Harrell says his company's platform already supports endpoint security with "multi-vector correlation." He says the new ASA firewall comes with the same advanced malware protection features as FirePOWER, and also integrates with endpoint AMP technology.

Bottom line, though, is that none of the new features in today's next-gen firewalls are especially advanced, notes Adrian Sanabria, senior analyst with the Enterprise Security Practice at 451 Research. "The playing field is pretty level with these products nowadays, and if enterprises don't have products labeled 'next-gen' and 'advanced' at this point, they might not be able to defend against stuff that has become pretty normal nowadays," Sanabria says.

He sees the cloud app control market -- Skyhigh's sector -- as the next big thing. "This is truly a new market, though it builds on existing technologies. Earlier this year, I wrote that I expected acquisitions to heat up in this area, and pegged Palo Alto Networks and Cisco as potential acquirers," Sanabria says.

So is the firewall as we knew it dead? "I think this is the next evolution. And like all transitions, it can take some time, so [I'm] not ready to say it's dead. Also, different use-cases require different functionality," IDC's Grady says. "I think in the data center, a firewall closer to what we’ve known remains relevant -- at least until SDN really takes hold. Performance, scalability, and virtualization support are all more important in that scenario. At the edge, application visibility and advanced threat capabilities are important."

Says Forrester's Kindervag: "The traditional firewall is dead like the traditional network is dead. The traditional network falls down all the time," so it has to be rebuilt, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comments
Robert McDougal,
User Rank: Ninja
9/18/2014 | 4:27:05 PM
Re: Meaning of Next Gen
Agreed, we can't rely on "generational" technology.  New threats occur on almost a daily basis and we need defenses that are agile and dynamic enough to meet those threats.  Sadly, even these "next-gen" firewalls are already outdated.
Kelly Jackson Higgins,
User Rank: Strategist
9/17/2014 | 11:00:17 AM
Re: Meaning of Next Gen
It's all in the name! I really do wish vendors would stop calling them firewalls, but I get that enterprises and their execs are familiar with the term, so it's good for the sales side. =) 

It is really interesting just how far the firewall/segmentation gateway has come, though.
Marilyn Cohodas,
User Rank: Strategist
9/17/2014 | 9:35:26 AM
Meaning of Next Gen
Changes are occurring so quickly in technology in general and security in particular that the term "next gen" is so overused that it is practically meaningless! In terms of descriptive accuracy, I like Forrester's John Kindervag's term -- "segmentation gateways" -- but it's not nearly as intriguing as the term "next gen."