Info Security PG: What is the difference between traditional network security devices and next-generation network security devices?
Dr. Avishai Wool: Traditional firewalls enable administrators to define security policies based primarily on a connection’s source IP address, destination IP address, and service. But with the increased use of applications, the demand for mobility, virtualization and use of the cloud, as well as the evolution of sophisticated threats, we’re seeing the shift to more granular security policies – by application and user.
Next-generation firewalls enable administrators to define application and user aware policies. This provides the admins with more control, especially over port-hopping applications that cannot effectively be managed with a traditional firewall policy.
Info Security PG: What should an organization consider before making the move to next-generation security devices?
Dr. Avishai Wool: It is clear that at least for certain parts of the network, next-generation firewalls make a whole lot of sense. However, generally speaking, more granular network security policies equal more complexity. So the big question becomes, how can organizations take advantage of the clear benefits of NGFWs while minimizing the complexity, administrative burden and risk from improper configurations?
You must think through your policy decisions and understand their impact. If you decide to whitelist at the application level (i.e. block outbound TCP/80 and only allow those web applications you know about), how many more change requests per week will you be processing? Can your existing team handle the extra load without degradation to turnaround time? Will you require additional headcount? What is the impact if you define policy via a blacklisting approach, via rules like “block social networks, file sharing and video streaming, and allow all other web traffic”? How do you manage these next-generation devices in the context of your broader network (i.e. you still have traditional firewalls, secure web gateways, etc.)?
In today’s environment and with NGFWs, IT must understand what applications are needed by what users and provide access. Without careful design and maintenance, a poorly optimized NGFW policy could take what was a single rule allowing HTTP, and become a policy that includes 10,000 new rules, one per application – creating more opportunity for error and risk.