Meet The Next Next-Gen Firewall

Or at least the latest iteration of one of the oldest-running security tools that continues to evolve and transform with the times.

This is not your father's firewall: In fact, most security experts say it shouldn't even be called a firewall anymore, this newest variety of the staple perimeter traffic-control box.

The modern firewall, aka the next-generation firewall, application-layer firewall, or deep-packet inspection firewall, indeed has been evolving dramatically for years. And today, Cisco Systems, which of late arguably had been losing ground in the next-gen firewall realm, made a big plunge into that space by adding Sourcefire's application control, IPS, and advanced threat detection to its ASA 5500 firewall.

In yet another example of the firewall's changing and expanding role, cloud application control provider Skyhigh Networks announced today that it has teamed up with next-gen firewall vendor Palo Alto Networks to blend Skyhigh's cloud-based application control service with PAN's platform, which basically adds a cloud-based application firewall to the governance and control policy management of SaaS-based applications.

"This integration makes the cloud-aware firewall, [and with] PAN integrated with Skyhigh, more than a firewall because now it is not only enhancing the ability of the firewall to prevent bad stuff from entering the enterprise or the data center, but it is also helping in analyzing and controlling what goes out based on greater cloud intelligence," says Rajiv Gupta, CEO of Skyhigh Networks. "This includes detecting insider threat and infected machines, and preventing confidential data from leaving the enterprise."

Palo Alto's Scott Gainey, who is vice president of product marketing there, says the integration allows better application of controls to SaaS applications such as employee Dropbox accounts or other tools enterprises must support today.

PAN describes the next-gen firewall as one that provides single inspection of all traffic, including encrypted traffic, he says. "Then you build services within that" firewall, he says. Those services can include ones that block known and unknown threats, such as traffic to notorious command-and-control servers, he says.

"There’s definitely been a transition in the firewall market over time, from stateful inspection, to UTM and NGFW, and now products increasingly centered on advanced threat prevention," says John Grady, program manager for security products at IDC. "I think it’s in recognition to the fact that the attack landscape has become incredibly dynamic and detecting advanced attacks is top of mind for a lot of organizations. The firewall market is incredibly competitive, so this type of differentiation is very important to remain relevant. I think we’ll continue to see added functionality in this vein."

Cisco's new ASA firewall helps bring the company back into more direct competition with other next-gen firewalls, security experts say.

Defending networks before, during, and after an attack or attack attempt is the goal of Cisco's new ASA with FirePower Services, with visibility into new threats, says Scott Harrell, vice president of product management at Cisco's Security Business Group. "Next-generation firewalls were focused on applications. That was useful but the real problem is about the threat. The firewall must evolve to take on the next-generation threats," he says.

The goal is to minimize the number of security boxes, he says, and to provide a "single pane of glass" to detect the threats. "In a lot of the breaches we have heard about [lately], they [the victims] got a warning" but had so many security systems running, they didn't know which events to focus on, he says.

But the underlying security dilemma exposed in recent data breaches is that some large organizations such as Target still run traditional, flat networks that leave them exposed to attacks via their third-party suppliers, according to security experts. In Target's case, the weak link was its interconnected HVAC supplier. "Target's network wasn't segmented … It's easier to penetrate if you have a flat network," says John Kindervag, vice president and principal analyst with Forrester. If the mega retailer had segmented the HVAC system access, the attackers may only have been able to make the Target facilities cooler or warmer, but they couldn't have stolen the customer data, he says.
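The segmentation argument above (a supplier's access confined to the building-control systems it needs, with no path to the systems holding customer data) can be made concrete with a zone-based policy. The following is an added illustration, not code from the original article or from any vendor named in it: a minimal first-match policy evaluator with an implicit default deny, contrasting a flat "allow anything" policy with a segmented one. The zone names, address ranges, ports and rules are constructed assumptions for the example only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed, hypothetical zones: names and address ranges are illustrative only.
ZONES = {
    "vendor_vpn": ipaddress.ip_network("10.99.0.0/24"),  # third-party supplier access
    "hvac":       ipaddress.ip_network("10.20.0.0/24"),  # building-control systems
    "cardholder": ipaddress.ip_network("10.10.0.0/24"),  # payment / customer-data systems
    "corp":       ipaddress.ip_network("10.30.0.0/16"),  # general corporate LAN
}


@dataclass(frozen=True)
class Rule:
    src_zone: str              # "any" matches every zone, including unknown ones
    dst_zone: str
    dst_port: Optional[int]    # None matches any port
    action: str                # "allow" or "deny"


def zone_of(ip: str) -> Optional[str]:
    """Map an address to the zone containing it, or None if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First-match evaluation; a flow matching no rule is denied (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src_zone not in ("any", src):
            continue
        if r.dst_zone not in ("any", dst):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action
    return "deny"


def reachable_zones(rules: List[Rule], src_ip: str, ports: List[int]) -> set:
    """Zones a source can reach on at least one of the given ports.

    Probes the first address of each zone; used to show lateral reach under a policy."""
    reach = set()
    for name, net in ZONES.items():
        probe = str(net[1])
        if any(evaluate(rules, src_ip, probe, p) == "allow" for p in ports):
            reach.add(name)
    return reach


# A flat network behaves as if a single rule allowed everything.
FLAT_POLICY = [Rule("any", "any", None, "allow")]

# A segmented policy: the supplier reaches building controllers on one protocol port
# (47808 is the BACnet/IP port, used here as an illustration) and nothing else.
SEGMENTED_POLICY = [
    Rule("vendor_vpn", "hvac", 47808, "allow"),
    Rule("corp", "cardholder", 443, "allow"),
    Rule("any", "any", None, "deny"),
]

if __name__ == "__main__":
    supplier = "10.99.0.5"                      # constructed supplier VPN address
    probes = [22, 443, 445, 47808]
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(label, "->", sorted(reachable_zones(policy, supplier, probes)))
```

Under the flat policy the supplier address can reach every zone; under the segmented policy it reaches only the HVAC zone, and only on the one port the rule names. The order of the rules matters because evaluation stops at the first match, so the trailing explicit deny documents the default rather than changing it.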

Kindervag calls next-gen firewalls "segmentation gateways."

"Instead of at the edge, you put them at the center where they can be more effective," Kindervag says. "I'm excited to see Cisco jump into the fray with [its new] segmentation gateway."

Kindervag says the PAN-Skyhigh integration is a significant move. "You have the two sides of the security business pulling together -- the on-premises side and the cloud side," he says. "They have figured out a way to have visibility and control across both those vectors with a single pane of management."

End of a legacy?
Meanwhile, PAN's Gainey concurs that the label of "firewall" indeed has become outmoded and is more a function of its familiarity. It's now more of a platform for multiple functions, he says.

"It's a legacy term. No one has really come up with anything more creative."

Look for more next next-gen firewalls -- or segmentation gateways -- to add endpoint security features. "A tremendous amount of knowledge can be gained listening to" endpoint traffic, he says. "Endpoints have the potential to see a lot of the network you won't see otherwise, especially if the endpoint is operating off-network."

Cisco's Harrell says his company's platform already supports endpoint security with "multi-vector correlation." He says the new ASA firewall comes with the same advanced malware protection features as FirePower, and also integrates with endpoint AMP technology.

Bottom line, though, is that none of the new features in today's next-gen firewalls are especially advanced, notes Adrian Sanabria, senior analyst with the Enterprise Security Practice at 451 Research. "The playing field is pretty level with these products nowadays, and if enterprises don't have products labeled 'next-gen' and 'advanced' at this point, they might not be able to defend against stuff that has become pretty normal nowadays," Sanabria says.

He sees the cloud app control market -- Skyhigh's sector -- as the next big thing. "This is truly a new market, though it builds on existing technologies. Earlier this year, I wrote that I expected acquisitions to heat up in this area, and pegged Palo Alto Networks and Cisco as potential acquirers," Sanabria says.

So is the firewall as we knew it dead? "I think this is the next evolution. And like all transitions, it can take some time, so [I'm] not ready to say it's dead. Also, different use-cases require different functionality," IDC's Grady says. "I think in the data center, a firewall closer to what we’ve known remains relevant -- at least until SDN really takes hold. Performance, scalability, and virtualization support are all more important in that scenario. At the edge, application visibility and advanced threat capabilities are important."

Says Forrester's Kindervag: "The traditional firewall is dead like the traditional network is dead. The traditional network falls down all the time," so it has to be rebuilt, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Robert McDougal (User Rank: Ninja), 9/18/2014 | 4:27:05 PM
Re: Meaning of Next Gen
Agreed, we can't rely on "generational" technology. New threats occur on almost a daily basis and we need defenses that are agile and dynamic enough to meet those threats. Sadly, even these "next-gen" firewalls are already outdated.

Kelly Jackson Higgins (User Rank: Strategist), 9/17/2014 | 11:00:17 AM
Re: Meaning of Next Gen
It's all in the name! I really do wish vendors would stop calling them firewalls, but I get that enterprises and their execs are familiar with the term, so it's good for the sales side. =)

It is really interesting just how far the firewall/segmentation gateway has come, though.

Marilyn Cohodas (User Rank: Strategist), 9/17/2014 | 9:35:26 AM
Meaning of Next Gen
Changes are occurring so quickly in technology in general and security in particular that the term "next gen" is so overused that it is practically meaningless! In terms of descriptive accuracy, I like Forrester's John Kindervag's term -- "segmentation gateways" -- but it's not nearly as intriguing as the term "next gen."
