In a rapidly changing IT landscape — one characterized by companies rushing headlong into the cloud, network traffic per cent increases in the double digits, and BYOD and remote work policies — cybercriminals are enjoying unprecedented opportunities. And protecting against these attacks is becoming increasingly challenging, as businesses need to protect multiple attack surfaces and implement the latest security controls just to keep up.
The enterprise perimeter now extends to anywhere work gets done. And regardless of whether the entry points are on-premises, in the cloud, in the data centre or at the branch
office, each one needs to be protected. The good news is that security defenses have evolved, too — particularly firewalls, the most important security defense to protect any enterprise perimeter, including those of distributed and diffuse enterprises.
Firewalls today are more agile, more capable and more powerful than when the technology debuted 20 years ago. As enterprises consider these next-generation firewalls (NGFW), there are several criteria that should be considered, including features, platform capabilities, performance and management.
Must have Capabilities for NGFWs:
- Zone-Based Firewall (ZBF)
ZBFs offer stateful inspection with advanced network security features for large enterprise network infrastructure. A ZBF or stateful firewall is the foundation for any NGFW, and a basic requirement to support other features. It is a wise thing to choose ZBFs over stateful firewalls for enterprises with large networks, as it is easier to configure and define policies with ZBFs.
- Virtual Private Network (VPN)
Distributed enterprises typically have remote branch offices that need secure access to the corporate network. The recent expansion in Work-From-Home (WFH) policies has also resulted in many employees working remotely. VPNs provide robust, secure access to corporate networks and resources, so it is essential to consider VPN as part of the NGFW.
It is important to make sure the NGFW provides a comprehensive VPN solution with site-to-site and remote-access encryption. It should include advanced features such as route-based VPN and easy VPN with dynamic routing. VPN configuration should be simple. It needs to be managed from within the NGFW user interface, with configuration wizards that provide step-by-step guidance in setting up the VPN tunnels. Enterprises should consider a VPN concentrator at the edge to manage both IPsec and SSL VPN connections.
- Intrusion Prevention System
Intrusion Detection and (or) Prevention System (IDS/IPS) originally developed as a stand-alone solution became part of the NGFW stack that provides an additional layer of needed security by stopping attacks that exploit vulnerabilities. The intrusion detection is done using signatures for known exploits or is based on anomaly detection.
- Application Control
NGFWs came into fruition with the addition of application control, IPS and URL filtering, forming a single enterprise-class platform. Application control allows enterprises to define firewall policies based on applications (e.g., Facebook, YouTube, Salesforce) and micro-applications (e.g., chat and IMs). Application Control gives granular control over network traffic based on user identity and email addresses while providing application-layer access control to regulate web browsing, file transfer, email exchange and email attachments.
Look at the type of applications that are included in an NGFW database to make sure all the applications that are in use within the enterprise are supported.
- Web Control (URL Filtering)
Web control compares requested websites against a massive database containing millions of rated URLs, IP addresses and domains. It enables administrators to create and apply policies that allow or deny access to websites based on individual or group identity, or by time of day, using pre-defined categories. It also dynamically caches website ratings locally onto the NGFW for instantaneous response times. An NGFW should be able to do URL filtering based on business point of view (block based on category – business) as well as based on security (block based on reputation – security).
Consider NGFWs with threat intelligence feeds that is supported by world-class research team for IPS, application control and web control to make sure NGFW stops
Criterion for Selecting Advanced NGFWs:
- Network and Cloud Sandboxing
For effective zero-day threat protection, enterprises need NGFWs that include malware-analysis technologies and can detect evasive advanced threats. Sandboxing technology scans traffic and extracts suspicious code for analysis, but unlike other NGFW security controls, it also analyzes a broad range of file types and sizes. This enables enterprises to stop zero-day and evasive threats that can slip through other security controls within NGFW.
- Multi-instance firewall
Multi-instance is a modern next-generation approach to legacy multi-tenancy that supports multiple firewalls with separate configuration on a single appliance. With this approach, each firewall instance is isolated with dedicated compute resources to avoid resource starvation. This allows enterprises to use containerized architecture.
Enterprises can run multiple independent firewall instances, software versions and configurations on the same hardware without managing different physical appliances.
- Dedicated Threat Intelligence
Most of the security controls in an NGFW should be augmented by threat intelligence to keep them up to date on the latest threats and signatures, among other things. Threat intelligence feeds should be supported by a research team that gathers, analyzes and vets information round the clock and across the globe.
Look for vendors with a dedicated team of cybersecurity professionals, advanced machine learning algorithms and security sensors that are spread around the globe to deliver up-to-date threat feeds that automatically block threats in nanoseconds. While looking into threat intelligence in NGFWs, it is important to consider DNS security that protects enterprises against malicious domains.
When it comes to solving business challenges, enterprises are generally eager to adopt new technologies, such as cloud computing, workforce mobility and automation. But now, many enterprises are finding their digital transformation journey laden with new challenges, including a surge in the number of connected devices, millions of encrypted connections, increased bandwidth needs, continually evolving evasive attacks and increased operational costs.
The solution lies in finding the right security services platform which has the next-generation firewall with multiple interfaces that can process millions of connections. High-speed connectivity and large port density coupled with superior IPS and TLS1.3 inspection support can make these firewalls an ideal threat protection platform for enterprise Internet edge and data centre deployments.