Next Generation Firewall Myth, Legend & Reality (sfbay.issa.org/comm/presentations/2011/feb.pdf)

Fortinet Confidential. Next Generation Firewall Myth, Legend & Reality. Jared Hufferd (FortiJared), Major Accounts


TRANSCRIPT

  • Fortinet Confidential

    Next Generation Firewall Myth, Legend & Reality

    Jared Hufferd (FortiJared)

    Major Accounts

  • Why Next Generation Firewall?

    • "To meet the current and coming generation of network security threats, Gartner believes firewalls need to evolve yet again to what we have been calling 'next-generation firewalls'."

    * Gartner, Defining the Next-Generation Firewall, John Pescatore, Greg Young

  • Why Next Generation Firewall?

    "As service-orientated architectures grow in use, more communication is going through fewer ports (such as HTTP/S) and via fewer protocols, meaning port/protocol based policy has become less relevant and less effective."

    * Gartner, Defining the Next-Generation Firewall, John Pescatore, Greg Young

  • Why Next Generation Firewall?

    NGFW:

    • Real-time, integrated security intelligence

    • Hardware-accelerated performance

    • Lower total cost of ownership

    • Easy to deploy / manage / use

    Traditional Network Security Solutions:

    • Stand-alone, non-integrated security

    • Mix of off the shelf systems and applications

    • Higher total cost of ownership

    • Difficult to deploy / manage / use

  • What is a Next Generation Firewall?

    • NGFW — not quite a scientific term but more than just pure marketing — remains unsettled.

    By Ellen Messmer, Network World, December 01, 2010

    http://www.networkworld.com/newsletters/sec/2010/072610sec1.html?page=1
    http://www.networkworld.com/Home/emessmer.html

  • Myth 1:

    NGFW is nothing like existing "First Generation Firewalls"

  • What is a Next Generation Firewall?

    • "As a minimum, an NGFW will have the following attributes:

    • Support in-line bump-in-the-wire configuration…

    • Act as a platform for network traffic inspection and network security policy enforcement, with…

    • Standard first-generation firewall capabilities.

    • …Use packet filtering, network address translation (NAT), stateful protocol inspection, VPN capabilities and so on.

    • Integrated rather than merely colocated network intrusion prevention

    • Application awareness and full stack visibility

    • Extra-firewall intelligence: e.g. directory integration"

    * Gartner, Defining the Next-Generation Firewall, John Pescatore, Greg Young
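The two Gartner passages above (port/protocol policy losing relevance as traffic converges on HTTP/S, and the minimum NGFW attribute list) are illustrated by the following added example, which is not part of the slide deck or of any vendor's product. It layers application identification and directory-group matching on top of a first-generation port/protocol rule; the flows, rules, directory contents and the "file-sharing" / "web-browsing" application labels are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, Dict, Set, List, Tuple

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"
    app: Optional[str]    # application identified by full-stack inspection (None = unknown)
    user: Optional[str]   # user resolved via directory integration (None = unmapped)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    dst_port: Optional[int] = None           # first-generation port match (None = any)
    proto: Optional[str] = None              # first-generation protocol match (None = any)
    apps: FrozenSet[str] = frozenset()       # application awareness (empty = any app)
    groups: FrozenSet[str] = frozenset()     # directory groups (empty = any user)

    def matches(self, flow: Flow, directory: Dict[str, Set[str]]) -> bool:
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        if self.apps and flow.app not in self.apps:
            return False
        if self.groups and not (directory.get(flow.user, set()) & self.groups):
            return False                     # unknown users never satisfy a group rule
        return True

def evaluate(flow: Flow, rules: List[Rule], directory: Dict[str, Set[str]]) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(flow, directory):
            return rule.action, rule.name
    return "deny", "implicit-deny"

DIRECTORY = {"alice": {"engineering"}, "bob": {"contractors"}}   # constructed directory
FLOWS = [  # constructed: all three are indistinguishable to a tcp/443 port rule
    Flow("10.0.0.5", "203.0.113.10", 443, "tcp", "web-browsing", "alice"),
    Flow("10.0.0.6", "203.0.113.20", 443, "tcp", "file-sharing", "bob"),
    Flow("10.0.0.7", "203.0.113.30", 443, "tcp", "web-browsing", None),
]
FIRST_GEN = [Rule("allow-https", "allow", dst_port=443, proto="tcp")]
NGFW = [Rule("block-file-sharing", "deny", apps=frozenset({"file-sharing"})),
        Rule("https-known-users", "allow", dst_port=443, proto="tcp",
             groups=frozenset({"engineering", "contractors"}))]

def compare(flows: List[Flow] = FLOWS) -> List[Tuple[str, str]]:
    """(first-generation verdict, NGFW verdict) per flow."""
    return [(evaluate(f, FIRST_GEN, DIRECTORY)[0], evaluate(f, NGFW, DIRECTORY)[0]) for f in flows]
```

The port rule allows every flow; the layered policy passes only the identified application from a directory-mapped user, which is the gap the quoted passages describe.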

  • What NGFW is NOT…

  • What NGFW is not

    • Stand alone Application Control solutions

    • Network based data loss prevention (DLP) appliances

    • Secure Web gateways (SWG)

    • Messaging security gateways

    • SMB multifunction firewall / UTM: "…do not provide application awareness…integrates single-engine products."

  • Enterprise UTM?

    • What about Enterprise class Unified Threat Management appliances with application awareness, multi-engines, tight integration?

  • Myth 2:

    The analysts all agree on NGFW

  • Enterprise UTM – Covered by IDC

    • Antivirus / Antispyware

    • Data Loss Prevention

    • Antispam

    • WAN Optimization

    • Endpoint Protection

    • Firewall

    • VPN

    • IPS

    • Web Filtering

    • App Control

    • Vulnerability Mgmt

    • Wireless LAN

    • IPv6, Dynamic Routing

    • SSL Inspection

    • Endpoint NAC

  • Myth 3:

    There is only one NGFW vendor

  • Who’s in the game

  • Common Abilities Above 1st Generation (diagram): User Control, Content Control (DLP, AV, WCF, SSL Insp), Application Control

  • Processing Power is Key

    (Diagram: Offload Processor + Multi-Core CPU; up to 10Gbps, low latency)

    Page 16 | © 2009 Palo Alto Networks. Proprietary and Confidential.

  • Myth 4:

    NGFW are widely adopted

  • "Today we believe that less than 1% of interconnections secured today are using NGFW," says Gartner analyst Greg Young. But he predicts that number will hit 35% by 2014.

  • Recommendations

    • If you have not yet deployed network intrusion prevention, require NGFW capabilities of all vendors at your next firewall refresh point.

    • If you have deployed both network firewalls and network intrusion prevention, synchronize the refresh cycle for both technologies and migrate to NGFW capabilities.

    • If you use managed perimeter security services, look to move up to managed NGFW services at the next contract renewal.

    * Gartner, Defining the Next-Generation Firewall, John Pescatore, Greg Young