NGFWs will be most effective when working in conjunction with other layers of security controls.



Similar documents
Organizations Must Employ Effective Data Security Strategies

Key Issues for Identity and Access Management, 2008

Research Agenda and Key Issues for Converged Infrastructure, 2006

Cost Optimization: Three Steps to Saving Money on Maintenance and Support for Network Security Products

Now Is the Time for Security at the Application Level

The Hype Around an Integrated Talent Management Suite Outpaces Customer Adoption

Responsible Vulnerability Disclosure: Guidance for Researchers, Vendors and End Users

2010 FEI Technology Study: CPM and BI Show Improvement From 2009

Emerging PC Life Cycle Configuration Management Vendors

Toolkit: Reduce Dependence on Desk-Side Support Technicians

Deliver Process-Driven Business Intelligence With a Balanced BI Platform

IAM can utilize SIEM event data to drive user and role life cycle management and automate remediation of exception conditions.

Key Issues for Data Management and Integration, 2006

Q&A: The Many Aspects of Private Cloud Computing

Vendor Focus for IBM Global Services: Consulting Services for Cloud Computing

Understanding Vulnerability Management Life Cycle Functions

The Current State of Agile Method Adoption

The Value of Integrating Configuration Management Databases With Enterprise Architecture Tools

The Five Competencies of MRM 'Re-' Defined

Addressing the Most Common Security Risks in Data Center Virtualization Projects

Business Intelligence Platform Usage and Quality Dynamics, 2008

How to Develop an Effective Vulnerability Management Process

Key Issues for Business Intelligence and Performance Management Initiatives, 2008

Data in the Cloud: The Changing Nature of Managing Data Delivery

Eight Critical Forces Shape Enterprise Data Center Strategies

Integrated Marketing Management Aligns Executional, Operational and Analytical Processes in a Closed-Loop Process

Strategic Road Map for Network Access Control

IT asset management (ITAM) will proliferate in midsize and large companies.

Discovering the Value of Unified Communications

The What, Why and When of Cloud Computing

Knowledge Management and Enterprise Information Management Are Both Disciplines for Exploiting Information Assets

Cloud IaaS: Service-Level Agreements

Case Study: New South Wales State Department of Education Adopts Gmail for 1.2 Million Students

Overcoming the Gap Between Business Intelligence and Decision Support

Research. Mastering Master Data Management

BEA Customers Should Seek Contractual Protections Before Acquisition by Oracle

Best Practices for Confirming Software Inventories in Software Asset Management

Real-Time Decisions Need Corporate Performance Management

The EA process and an ITG process should be closely linked, and both efforts should leverage the work and results of the other.

For cloud services to deliver their promised value, they must be underpinned by effective and efficient processes.

Tactical Guideline: Minimizing Risk in Hosting Relationships

The Seven Building Blocks of MDM: A Framework for Success

Gartner Clarifies the Definition of the Term 'Enterprise Architecture'

Business Intelligence Focus Shifts From Tactical to Strategic

CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance

From Secure Virtualization to Secure Private Clouds

Cloud IaaS: Security Considerations

Managing IT Risks During Cost-Cutting Periods

IT Operational Considerations for Cloud Computing

Gartner's View on 'Bring Your Own' in Client Computing

Cloud, SaaS, Hosting and Other Off-Premises Computing Models

Networking for Caribbean Development

Critical Privacy Questions to Ask an HCM/CRM SaaS Provider

Evaluating Microsoft, Oracle and SAP CRM Application Strategy

Iron Mountain's acquisition of Mimosa Systems addresses concerns from prospective customers who had questions about Mimosa's long-term viability.

Next-Generation Firewalls: Critical to SMB Network Security

2009 FEI Technology Study: CPM and BI Pose Challenges and Opportunities

How Eneco's Enterprisewide BI and Performance Management Initiative Delivered Significant Business Benefits

X.509 Certificate Management: Avoiding Downtime and Brand Damage

How BPM Can Enhance the Eight Building Blocks of CRM

Roundup of Business Intelligence and Information Management Research, 1Q08

Successful EA Change Management Requires Five Key Elements

Repurposing Old PCs as Thin Clients as a Way to Save Money

Choosing a Replacement for Incumbent One-Time Password Tokens

Private Cloud Computing: An Essential Overview

Clients That Don't Segment Their Network Infrastructure Will Have Higher Costs and Increased Vendor Lock-in

Consider Identity and Access Management as a Process, Not a Technology

When to Use Custom, Proprietary, Open-Source or Community Source Software in the Cloud

Solution Path: Threats and Vulnerabilities

Microsoft's Cloud Vision Reaches for the Stars but Is Grounded in Reality

The IT Service Desk Market Is Ready for SaaS

Government 2.0 is both citizen-driven and employee-centric, and is both transformational and evolutionary.

NAC Strategies for Supporting BYOD Environments

IT Architecture Is Not Enterprise Architecture

Agenda for Supply Chain Strategy and Enablers, 2012

Security and Identity Management Auditing Converge

Modify Your Storage Backup Plan to Improve Data Management and Reduce Cost

Make the maturity model part of the effort to educate senior management, so they understand the phases of the EIM journey.

Bankinter Differentiates Itself by Focusing on Innovation and CRM

ERP, SCM and CRM: Suites Define the Packaged Application Market

Governance Is an Essential Building Block for Enterprise Information Management

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Document the IT Service Portfolio Before Creating the IT Service Catalog

Transcription:

Research Publication Date: 12 October 2009 ID Number: G00171540 Defining the Next-Generation Firewall John Pescatore, Greg Young Firewalls need to evolve to be more proactive in blocking new threats, such as botnets and targeted attacks. Enterprises need to update their network firewall and intrusion prevention capabilities to protect business systems as attacks get more sophisticated. Key Findings The stateful protocol filtering and limited application awareness offered by firstgeneration firewalls are not effective in dealing with current and emerging threats. Using separate firewalls and intrusion prevention appliances results in higher operational costs and no increase in security over an optimized combined platform. Next-generation firewalls (NGFWs) are emerging that can detect application-specific attacks and enforce application-specific granular security policy, both inbound and outbound. NGFWs will be most effective when working in conjunction with other layers of security controls. Recommendations If you have not yet deployed network intrusion prevention, require NGFW capabilities of all vendors at your next firewall refresh point. If you have deployed both network firewalls and network intrusion prevention, synchronize the refresh cycle for both technologies and migrate to NGFW capabilities. If you use managed perimeter security services, look to move up to managed NGFW services at the next contract renewal. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

WHAT YOU NEED TO KNOW An NGFW is a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks. There are products today with NGFW characteristics, but these must not be confused with well-marketed first-generation firewalls or products more appropriate for small businesses (see Note 1). ANALYSIS Changing business processes, the technology that enterprises deploy, and threats are driving new requirements for network security. Increasing bandwidth demands and new application architectures (such as Web 2.0) are changing how protocols are used and how data is transferred. Threats are focusing on getting vulnerable users to install targeted malicious executables that attempt to avoid detection. Simply enforcing proper protocol use on standard ports and stopping attacks looking for unpatched servers are no longer of sufficient value in this environment. To meet these challenges, firewalls need to evolve into what Gartner has been calling "next-generation firewalls." If firewall vendors do not make these changes, enterprises will demand price concessions to reduce first-generation firewall costs substantially and look at other security solutions to deal with the new threat environment. What Is a Next-Generation Firewall? To meet the current and coming generation of network security threats, Gartner believes firewalls need to evolve yet again to what we have been calling "next-generation firewalls" (see "Toolkit: Evaluating Information Security Budgets, 2007 Update"). For example, threats using botnet delivery methods (see "Case Study: Early Detection of PCs That Have Been Compromised via Botnet Clients") have largely been invisible to first-generation firewalls. As service-oriented architectures and Web 2.0 grow in use, more communication is going through fewer ports (such as HTTP and HTTPS) and via fewer protocols, meaning port/protocol-based policy has become less relevant and less effective. Deep packet inspection intrusion prevention systems (IPSs) do inspect for known attack methods against operating systems and software that are missing patches, but cannot effectively identify and block the misuse of applications, let alone specific features within applications. Gartner has long used the term "next-generation firewall" to describe the next stage of evolution to deal with these issues. Gartner defines a network firewall as an in-line security control that implements network security policy between networks of different trust levels in real time. Gartner uses the term "nextgeneration firewall" to indicate the necessary evolution of a firewall to deal with changes in both the way business processes use IT and the ways attacks try to compromise business systems. As a minimum, an NGFW will have the following attributes: Support in-line bump-in-the-wire configuration without disrupting network operations. Act as a platform for network traffic inspection and network security policy enforcement, with the following minimum features: Standard first-generation firewall capabilities: Use packet filtering, networkaddress translation (NAT), stateful protocol inspection, VPN capabilities and so on. Integrated rather than merely colocated network intrusion prevention: Support vulnerability-facing signatures and threat-facing signatures. The IPS interaction with the firewall should be greater than the sum of the parts, such as providing a suggested firewall rule to block an address that is continually loading the IPS with Publication Date: 12 October 2009/ID Number: G00171540 Page 2 of 6

bad traffic. This exemplifies that, in the NGFW, it is the firewall correlates rather than the operator having to derive and implement solutions across consoles. Having high quality in the integrated IPS engine and signatures is a primary characteristic. Integration can include features such as providing suggested blocking at the firewall based on IPS inspection of sites only providing malware. Application awareness and full stack visibility: Identify applications and enforce network security policy at the application layer independent of port and protocol versus only ports, protocols and services. Examples include the ability to allow Skype use but disable file sharing within Skype or to always block GoToMyPC. Extrafirewall intelligence: Bring information from sources outside the firewall to make improved blocking decisions, or have an optimized blocking rule base. Examples include using directory integration to tie blocking to user identity, or having blacklists and whitelists of addresses. Support upgrade paths for integration of new information feeds and new techniques to address future threats. Examples of enforcement by an NGFW include blocking or alerting on fine-grained network security policy violations, such as the use of Web mail, anonymizers, peer-to-peer or PC remote control. Simply blocking access to known sources of these services by destination IP addresses is not enough. Policy granularity requires the blocking of only some types of application communication to an otherwise permissible destination, and redirectors make a definitive blacklist impossible to achieve. This means that there are many undesirable applications that an NGFW can identify and block even when they are designed to be evasive or are encrypted with SSL. An additional benefit of application identification can be bandwidth control, since removing, for example, undesired peer-to-peer traffic can greatly reduce the bandwidth usage. What Is an NGFW Not? There are network-based security product spaces that are adjacent to NGFW but not equivalent: Small or midsize business (SMB) multifunction firewalls or unified threat management (UTM) devices: These are single appliances that host multiple security functions. While they invariably include first-generation firewall and IPS functions, they do not provide the application awareness functions and are not generally integrated, single-engine products. They are appropriate for cost saving in branch offices and for use by smaller companies, but they do not meet the needs of larger enterprises. This category of exclusion includes first-generation firewalls paired with low-quality IPS, and/or having deep inspection and application control features merely colocated in the appliance rather than a tight integration, which is greater than the sum of the parts. Network-based data loss prevention (DLP) appliances: These perform deep packet inspection of network traffic, but focus on detecting if previously identified types of data are transiting the inspection point. They implement data security policy with no real-time requirement, not wire-speed network security policy. Secure Web gateways (SWGs): These focus on enforcing outbound user access control and inbound malware prevention during HTTP browsing over the Internet, through integrated URL filtering and through Web antivirus. They implement more usercentric Web security policy, not network security policy, on an "any source to any destination using any protocol" basis. Publication Date: 12 October 2009/ID Number: G00171540 Page 3 of 6

Messaging security gateways: These focus on latency-tolerant outbound content policy enforcement and inbound mail anti-spam and anti-malware enforcement. They do not implement wire-speed network security policy. While these products may be network-based and use similar technology, they implement security policies that are the responsibility and authority of different operational groups within most businesses. Gartner believes these areas will not converge before IT and security organizational responsibilities have radically changed (see "Findings: Next-Generation Firewalls and E-Mail Security Boundary Gateways Will Evolve Separately"). An NGFW is also not an "identity firewall" or an identity-based access control mechanism. In most environments, the network security organization has neither the responsibility nor the authority for enforcing user-based access control policies at the application level. Gartner believes that NGFWs will be able to incorporate user identity information at the group level (that is, shadowing Active Directory) to make better network security decisions, but they will not be routinely used for enforcing granular user-level enforcement decisions (see"introducing the Identity-Aware Network"). NGFW Adoption Large enterprises will replace existing firewalls with NGFWs as natural firewall and IPS refresh cycles occur or as increased bandwidth demands or successful attacks drive upgrades to firewalls. Today, there are a few firewall and IPS vendors that have advanced their products to provide application awareness and some NGFW features, and there are some startup companies that are focused on NGFW capabilities. Gartner believes that changing threat conditions and changing business and IT processes will drive network security managers to look for NGFW capabilities at their next firewall/ips refresh cycle. The key to successful market penetration by NGFW vendors will be to demonstrate first-generation firewall and IPS features that match current first-generation capabilities while including NGFW capabilities at the same or only slightly higher price points. Gartner believes that less than 1% of Internet connections today are secured using NGFWs. We believe that by year-end 2014 this will rise to 35% of the installed base, with 60% of new purchases being NGFWs. RECOMMENDED READING "Magic Quadrant for Enterprise Network Firewalls" "Magic Quadrant for SMB Multifunction Firewalls" "Magic Quadrant for Network Intrusion Prevention System Appliances" Note 1 First-Generation Firewalls First-generation firewalls came about when connecting trusted internal systems to the Internet resulted in the rapid and disastrous compromise of vulnerable internal systems, as evidenced by the impact of the Morris worm in 1988. Their use evolved to include implementing security separation of internal network segments at different trust levels as well, such as DMZ layers in an extranet or in data center zones. A network firewall can be implemented in a wide range of form factors, but it must always operate at network speeds and, at a minimum, cause no disruption to normal operation of the network. Publication Date: 12 October 2009/ID Number: G00171540 Page 4 of 6

Standard network security policy consists of two parts: Block all that is not explicitly allowed: Early firewalls blocked connections at the source/destination IP address level and then evolved to do so at the port and protocol level. As firewalls matured, this enforcement of proper protocol state became mainstream. More recently, advanced firewalls have developed the capability to recognize and block connections: At the application level Based on characteristics of the source address associated through external information sources (such as geolocation, known sources for malware, or which user is connecting) Inspect what is allowed to detect and block attacks and misuse: In the early years of firewalls, proxy-based firewalls performed more detailed inspection of the traffic allowed to pass through the firewall and attempted to detect and block malicious actions. However, early proxy firewalls were software-based and did not have the horsepower to keep up with the increasing speed of networks or the increasing complexity of applications and attacks, and the increase in new applications outstripped the ability to create new application-specific proxies. IPSs based on purpose-built appliances, to perform deep packet inspection, have evolved as the primary network security control implementing this function. Publication Date: 12 October 2009/ID Number: G00171540 Page 5 of 6

REGIONAL HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 U.S.A. +1 203 964 0096 European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM +44 1784 431611 Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA +61 2 9459 4600 Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo 153-0042 JAPAN +81 3 3481 3670 Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, 12551 9 andar World Trade Center 04578-903 São Paulo SP BRAZIL +55 11 3443 1509 Publication Date: 12 October 2009/ID Number: G00171540 Page 6 of 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information