If next generation firewalls don't evolve, they'll soon be irrelevant

When Gartner coined the phrase "next generation firewall", in 2003, it captured a then-nascent approach to traffic classification and control. Combining traditional packet filtering with some application control and IPS layered on top, today's 'legacy' NGFWs do pretty much what they say on the tin.

However, while NGFWs continue to be a vital part of an organisation's protection, they were designed for a time before advanced targeted threats started attacking our enterprises – threats which often go undetected until it's too late.

Most organisations today secure their networks using disparate technologies that don't – and can't – work together. They leave gaps in protection that today's sophisticated attackers exploit. These point solutions lack the visibility and control required to implement effective security policy to accelerate detection of all threats and response. In addition, disparate solutions add to capital and operating costs and administrative complexity.

From my own discussions with security professionals I know that they are frustrated with disparate point solutions and the cost, complexity and administrative headaches they create – not to mention the gaps in security.

So what's to do?

NGFWs must evolve to stay relevant in a world that is dealing with dynamic threats – threats that we couldn't have anticipated just a few years ago. It's time for a shift in mindset regarding the level of protection an NGFW must provide, to improve visibility, detect multi-vector threats, close security gaps that attackers exploit, and combat other sophisticated threats.

Until now, NGFWs have focused on policy and application control and have been unable to address advanced and zero day attacks. In short, existing detection mechanisms – even the latest innovations around sandboxing – simply won't protect against the advanced malware and zero-day attacks we're seeing today. In order to combat today's dynamic threats a different approach is needed – one that delivers continuous monitoring and full contextual analysis of threats before, during and after the attack.

In order to deal with today's security challenges, an NGFW must offer capabilities that address these three strategic imperatives:

Visibility-Driven

To address today's era of threats, a visibility-driven approach enables insight into all users, devices, OS, applications, virtual machines, connections and files, to provide real-time contextual awareness, give network defenders a holistic view of the network and make it easier to pinpoint suspicious behaviour, when it happens. Full stack visibility and contextual awareness for integrated security serves as the basis for both streaming and automating defence responses. Granular application visibility and control and URL filtering are also crucial to reduce the overall attack surface.

Threat-centric

This entails delivering integrated threat defence, across the full attack continuum – before, during and after the attack. Threat-centric protection must combine market-leading NGIPS, with advanced malware protection (AMP), that is third-party tested to confirm security effectiveness. Because today's advanced malware is designed to evade "point-in-time" security layers, threats still get through, so organisations now require technology that not only scans at an initial point-in-time to detect, understand and stop threats, but also makes use of continuous capabilities, which can "go back in time" to alert on and remediate files initially deemed safe, that are later determined to be malicious.

Platform-based

IT professionals are now under tremendous pressure to reduce complexity in their environments, keep operational costs low and maintain the best defences to keep pace with the dynamic threat landscape. In today's world, platform-based now entails delivering a simplified architecture and reduced network footprint, with fewer security devices to manage and deploy. To meet today's challenges, a next-generation firewall must combine proven firewall functionality, leading intrusion prevention capabilities, and advanced malware protection and remediation in a single device. These firewalls must be highly scalable, and enabled by open APIs, to deliver security across branches, the internet edge, and data centres (physical and virtual environments) in order to cope with growing demands.

Organisations are continuously evolving their extended networks and must have defences in place that can address the dynamic threat landscape. To remain relevant, an NGFW must offer next-generation security capabilities that are visibility-driven, threat-focused and platform-based.

Addressing these three imperatives is crucial in enabling organisations to maintain a robust security posture, that can adapt to changing needs and provide protection across the attack continuum - before, during and after an attack.

Sean Newman is a security strategist for Cisco Security Business Group