28
28
NETWORK SECURITY
• Can these devices be effectively managed from a central user interface ? This is important , because it means that only one security policy needs to be defined and maintained across all the deployed firewalls , even though enforcement now takes place in multiple physical locations .
• What does the associated operational cost look like ? Firewall devices need to be troubleshot , logs need to be managed , updates applied etc .
generation of security threats . The firewall that has done a perfectly good job over the past five years , may not be enough to protect your business in the future .
For example , firewalls deployed across a multi-site environment today , should be able to offer extra features such as the ability to optimise and protect business-critical traffic from being swamped by less important network activities . So , ideally your active firewall should feature product capabilities like compression , data deduplication or application-based prioritisation and bandwidth guarantees .
Meanwhile , businesses are facing an unprecedented wave of ransomware attacks . These generally come in through email , but you could also have computers ‘ calling home ’ to the command & control ( C & C ) server to install stealthware . With the right firewall – often described as next generation in place , these activities can be detected and curbed . In addition to the protection on the perimeter , you can deploy more firewalls internally to create zones . Zoning or segmentation makes it harder for malware and attackers to cross network boundaries .
Often it makes sense to allow for direct access to cloud applications from each branch office location , effectively moving away from the traditional centralised access approach . Allowing internet access from branch locations may now mean deploying firewalls at these locations . The practical challenges here are threefold :
• Does the deployed , ‘ smaller ’ firewall device at each branch provide all the security controls needed and is it still affordable ? Must-haves would be next-generation firewall features such as app control , user awareness , integrated IPS , the ability to intercept SSL , and advanced threat and malware detection .
Next generation firewalls As with all things IT , next generation firewalls ( NGFW ) are subject to more hype than reality . While many are fully featured , some are over-marketed versions of older technology . And despite there being plenty of choice , there can be a blurring around the capabilities and performance on offer .
The customer should start by determining their needs , as they differ by organisational type , size , performance requirements , security concerns and of course compliance requirements . While there is a wide variation of prices in NGFW , often they ’ re not matched directly to capability – which is why needs precedes budget considerations .
At the risk of creating a boring feature list , some of the elements to consider and prioritise for Next Generation Firewalls include application firewalling ( using deep packet inspection ), intrusion prevention , encrypted traffic inspection TLS / SSl , website filtering , bandwidth management , and third party identity management integration ( LDAP , Radius active directory , etc .) Other features can include antivirus , sandbox filtering , logging and auditing tools , network access control , DDoS protection and of course cloud capabilities .
Clearly different organisations will have a divergent range of needs driven by their own size , performance and security requirements . With the significant range of solutions on offer , the challenge can often be selection . Particularly with the significant number of new suppliers entering the market with innovative offerings . However , these can often create more cloud than light in this area . Plus , there ’ s a real risk that if they have a genuinely innovative solution they ’ ll be acquired by a bigger player .
Budget and management capabilities are also key elements in this equation . Given that a firewall often is deployed for a considerably longer period than three years , it ’ s crucial to make the right decision to protect your environment ; not only against today ’ s threats but also those that will be the centre of attacks in the future .
Having been around security for more than 40 years , my own suggestion is that the conservative approach of going with a well-established player that can and will continue to invest in threat defences and upgrades is the best route – there are many organisations that fit this bill . Subject to the size and potential cost of your deployment , putting one or more suppliers through a full POC ( proof of concept ) ahead of the decision can be an effective investment to protect your organisation in a risk environment that ’ s radically changed from three years ago , and one which will continue to change at a potentially faster rate . n
www . networkseuropemagazine . com