The Power of the Next Generation Firewall
Why You Need it; What it Will Deliver"Over the past 10 years or so, applications have evolved much more rapidly than firewalls, so the application market has left firewalls behind. Many of today's applications - the applications we use to get our jobs done - can easily bypass the traditional port-based firewalls." And so it's time for firewalls to evolve, too," Keil says. Hence, the next generation firewall.
In an exclusive interview about the evolving firewall, Keil discusses:
- Why current firewalls are failing us?
- The key requirements for next generation firewalls;
- How to find the best next generation solution.
For additional information please see this white paper.
Keil joined Palo Alto Networks in January of 2007 as a member of the products team. He played a key role in defining and implementing the market positioning for Palo Alto Networks. Cumulatively, Keil has 8 years of experience in the network firewall market, working for Juniper Networks, NetScreen and Check Point, prior to joining Palo Alto Networks. He is the author of the Palo Alto Networks Application Usage and Risk Report, a bi-annual analysis of the application usage and related risks on enterprise networks.
TOM FIELD: To start out, why don't you tell us a little bit about yourself and Palo Alto Networks please?
MATT KEIL: I'm the product marketing manager for Palo Alto Networks. I've been here for nearly five years, so I was one of the earlier employees. I joined from Juniper Networks. I've been working on their firewall products and I've been at Juniper via the acquisition of NetScreen. One of the reasons that I joined Palo Alto Networks was I knew the team that was developing the product, and I believe that the direction they were going, which was to control applications as opposed to ports, was the right direction for the firewall market. So I took the jump. The value that we brought to market was that we were able to start from scratch and address the problem that we'll talk about in just a few moments that firewalls were experiencing, and that was really the inability to identify and control applications.
FIELD: You've just created a new buyer's guide for the next generation firewall. Help us out here. What is the next generation firewall and why do we need it?
KEIL: The next generation firewall is addressing the problem in the market which was the inability for existing port-based firewalls, like those from Checkpoint, Juniper, and Cisco, to identify and control applications. To put it another way, over the last ten years or so applications have evolved much more rapidly than the firewalls. The application market has left firewalls behind. Many of today's applications, the applications that you and I might use to get our job done, can easily bypass the traditional port-based firewalls. They can hop ports. They can use non-standard ports, or even use a range of ports to not so much bypass the firewall on purpose but to make it easier for you and I to get our jobs done.
I'll give you a couple of examples. Anti-virus updates many, many years ago started being pumped through Port 80, the same port that you and I surf the web. They are not web applications, but the reason AV vendors and software vendors like Microsoft pushed the update through Port 80 is that Port 80 was always open on your firewall, so it made it easier for IT departments to get the updates to their end-users. Instant messaging applications started hopping ports back when AOL Instant Messenger first came to market. It made it easier for me and you to use the product. Then more recently, here is a great example, Microsoft Office Live, the brand new product Office 365, if you go to their support site you'll see that they require that you have Port 443, Port 478 and a range of ports, about 50,000 on your firewall, to be opened so that the application can be used. What that means is that all of those open ports are venues for attackers and we all know that applications are the threat vector. What we need to do is be able to allow those applications but scan them for threats. That's what the next generation firewall does. They are securely enabling any type of application so that it can help the business in the long run.
FIELD: You touched on this to some extent, but help me out here. How are the current firewalls, the current generation, failing us?
KEIL: I did touch on that briefly but let's reiterate that. In very short terms, current firewalls are dependent upon ports. They control traffic based on the port. They see Port 80 and they say this is HTTP and then they make a decision based on that limited information. Application developers, the folks like Microsoft, Facebook and all the instant messengers, they are port agnostic. They don't care what port they design their application to use. They just want to make sure that their application is usable by you and I and that's the bottom line. What needs to happen is the firewalls need to be able to identify and control those applications from the very start.
FIELD: Well what then are the key requirements for this next generation firewall?
KEIL: Key requirements for the next generation firewall are the ability to identify the application across all ports, all the time, no matter what type of application it is. The second requirement would be to identify and map that application traffic to the users, not the IP address, but the actual user identity that you and I might have within the active directory domain, the Citrix domain or whatever user repository my organization is using. Then once we've done that, we want to be able to scan those applications for a range of threats, application vulnerabilities, viruses, malware, spyware and that type of thing. We want to be able to do that all at multi-gigabyte speeds using a series of visibility tools and policy editor that are very straight forward and easy to use. Those would be the key requirements for the next generation firewall.
FIELD: Let's talk about finding the best next generation solution. How does an organization go about that?
KEIL: Most organizations that we market our products to would use what's known as the RFP, or request for proposal, or request for information, RFI, process, and it's on the vendor side. They are long and tedious documents that are kind of a necessary evil, but on the organization side, the buyer side, they are very instrumental in finding the right vendor or narrowing it down to the two or three vendors that the organizations want to bring in and then physically evaluate.
FIELD: Once you get down to say your two or three finalists as vendors, how should an organization go about evaluating a next generation firewall solution?
KEIL: That step would then be to build out an evaluation plan, and the RFP, just like the evaluation plan, should be very specific to the organization's traffic patterns and business case. Once the final two or three vendors are selected, the evaluation plan should require all of those vendors to come in and install the box on the network and using live traffic run through the evaluation plan, or using an in-house lab in the organization run that traffic through the devices so that the organization can really see the impact of the security policy on their traffic, on their own network and really see and feel what the product is going to act like, look like and react when their peak business traffic patterns might hit and things like that. Really the best thing to do is to bring it in-house and run it in your own environment for an extended period of time.
FIELD: We've talked about a lot here. You've defined the next generation firewall, told us why the current generation is failing us, and given us some insight on how to make that transition. If you could boil it all down, where would you say is the best place to start in this search for the next generation firewall?
KEIL: I think the best place to start would be to get a hold of a copy of the Palo Alto Networks Firewall Buyer's Guide and really start from there. We have a lot of other tools that can help educate the buyer on what to look for and what is out there and really separate the marketing hype from reality. That would be the best place to start.