TECH DOSSIER | NEXT GENERATION FIREWALLS

A NEW SET
OF NETWORK
SECURITY
CHALLENGES
A new IDG survey reveals
optimism about the ability of nextgeneration firewalls to help IT
balance productivity and security

ALSO INSIDE
+WHY PROTECTION & PERFORMANCE MATTER +

>

>

A NEW SET OF NETWORK SECURITY CHALLENGES

With two issues becoming increasingly crucial, IT faces conflicting mandates from

EMPLOYEES AT WORK, AND PLAY

the business. On one hand, employees demand access from devices beyond the

IT is stuck in an untenable position between the

firewallsmartphones, tablets, home PCs and laptops. On the other hand, risk man-

company and its employees. Companies love to have

employees stretch their hours by signing into corporate

agement dictates corporate data must remain protected. The overarching challenge:

systems from home; employees are used to the idea of

balance productivity and security.

time-shifting. The survey results show the upshot.

Within that mandate, however, lie several other challenges, according to a new survey
conducted by IDG Research Services on behalf of Dell. The survey was conducted in
October of 2012 and reflects the insight of more than 250 IT professionals at companies with more than 500 employees. It reveals the depth with which network administrators must juggle these competing factors. The issues facing IT go beyond security
to encompass network bandwidth as well.

For instance, 52 percent of IT professionals report that

employees tend to frequently or very frequently
perform tasks unrelated to their work on the Internet
or in other applications. Almost 40 percent report that
the creation and management of customized access or
use policies is difficult, and one-third believe that users
working on personal devices are exposed to increased
security threats. The latter problem stems from the
frequent inability of IT to monitor what happens on a

Just as technology has caused these problems, technology may also be the solution.

>

users home device.

A new generation of firewall technology, designed with current security and network-

In many cases, IT can install an agent on specific home

ing issues in mind, promises to give IT a way to solve its multisided puzzle.

machines to ensure adequate security software is

A NEW SET OF NETWORK SECURITY CHALLENGES

installed, as well as VPN software that allows users

YouTube to watch cat videos, or to download educa-

to connect securely. But just because traffic comes

tional videos that relate to improving their skills? Are

through a VPN doesnt mean its safe. It can be trans-

they visiting LinkedIn to catch up on old friends, or to

mitted securely but still be malware.

identify the next crucial addition to their team? Are they

>

>

visiting Facebook to play games or to discover whats

Survey respondents arent antediluvian about how they

being said on social media about the companys prod-

allow users to access corporate data. More than half of

ucts? As a result, many respondents report they are not

those who indicate the amount of work employees do on

regulating the use of Web sites that may or may not be

personally owned devices is on the rise also believe this

work-related and focusing their resources elsewhere.

is a positive trend. The company benefits from 24-hour

Given that most firewalls only offer a binary on/off

employee access to email, but there still must be some

method of allowing Web site access, this seems logical.

security policies in placesuch as the ability to erase

corporate data from a personal device if its lost or stolen.

4000% data growth at the edge? Learn how SonicWALL

saved U.S. Cellular operational costs while expanding services.

There may, of course, be unseen security implications.

Many Facebook users have been exposed to malware;

these same security issues, 30 percent deemed them

Security of personal devices is not the only issue. Given

its not that Facebook itself is to blame, but its adver-

somewhat or extremely ineffective. For instance,

that employees frequently must log on from remote

tising may have been compromised. In the light of ITs

even if an enterprise deployed Gigabit Ethernet, earlier

locations, two-thirds of IT professionals view as highly

inability to control access, and occasional orders to favor

generation firewalls could only deal with much slower

important their ability to provide adequate bandwidth

productivity over security, IT may feel it has no choice.

speedsperhaps as low as 50 megabits per second.

to ensure employees stay productive, no matter where

This slows down all the traffic on the network.

they are. Respondents also tend to view their organizaSimilarly, a traditional firewall doesnt have the ability

and as enablingrather than stiflingfor productivity.

A NEW TOOL IN THE ARSENAL:

NEXT-GENERATION FIREWALLS

More often than not, respondents tend to believe their

The fact is, though, that IT does have a choice. Firewall

application from accessing the firewall, but the appli-

organizations security technologies and policies are

technology has advanced sufficiently that the issues

cation developers could just as easily route it to port

a tactical necessity or a strategic enabler. More than

IT faces can now be addressed by next-generation

80, which handles basic Web traffic, or port 84, which

80 percent think such policies positively contribute to

firewalls (NGFs). These devices are designed to filter

handles Web browsing. NGFs allow IT to filter not just by

productivity. And its not just employees getting more

network and Internet traffic based upon the applications

IP address, or by port or protocol, but also by looking at

work doneits also their ability to avoid system down-

or traffic types using specific ports. They help IT detect

layer 7 dataactual application information.

time after they unintentionally access malware, whether

application-specific attacks, giving network and security

on an unauthorized Web site or through email.

administrators the potential to catch more malicious

Consider this analogy to explain the difference between

activity than traditional firewalls.

traditional and next-generation firewalls. A traditional

tions security technologies and policies as necessary

The question of what constitutes an unauthorized

to filter specific parts of applications. IT could block an

firewall is like an airport baggage handler, who makes

Web site adds to ITs conundrum regarding security,

IT understands the limitations of traditional firewalls.

sure that a piece of luggage (representing data) gets on

bandwidth and productivity. Are employees accessing

When asked about their effectiveness in addressing

the correct plane to the correct destination. A next-

>

A NEW SET OF NETWORK SECURITY CHALLENGES

>

concentrators no longer require a VPN agent on a client

research firm Gartner confirms this: it estimates that

device, but can instead accommodate VPN through

less than 5 percent of Internet connections are secured

a browser. This allows for broader support of mobile

by NGFs, but by 2014, the rate will jump to 40 percent.

clients that use browsers, whether on smartphones,

tablets or laptops, from any manufacturer.

Even though survey respondents associate certain

challenges with the deployment of next-generation
firewallsspecifically cost, increased complexity and

INCREASED AWARENESS,
INCREASED DEPLOYMENT

lack of staff resourcesissues that face any new

Based on the survey results, IT administrators are

because they incorporate featuressuch as VPN and

increasingly aware of next-generation firewalls; only 25

intrusion protectioncurrently handled by multiple

percent of respondents were unaware of their capa-

devices or not at all. They also feature more robust

bilities. When discussing the technologys features,

reporting capabilities than traditional firewalls. Its easy

generation firewall is like the airport security agent who

respondents cite NGFs most important capabilities

for administrators to see which users are accessing

opens the luggage, inspects its contents and makes a

as intrusion prevention, antimalware/URL filtering and

which applications, rather than sifting through logs.

decision about whether it allows the contents to travel.

basic firewall features. More than half of respondents

The decision is even more granular, based on the ability

indicate their organizations have either deployed, or

The majority of those familiar with next-generation

of NGFs to filter content within Web sites and between

plan to deploy an NGF in the next few years. Data from

firewall capabilities consider the technology effective

Learn how the industry leader in sales and lease-ownership

market leveraged Dell SonicWALL to assure secure growth.

technology. In fact, NGFs reduce cost and complexity

destinations; it may allow HR employees and managers

addressing a variety of security issues. Faced with

to visit LinkedIn, marketing to visit Facebook and techni-

multiple security scenarios, a majority of respondents

cians to visit YouTube, but not everyone.

cited NGFs as more effective than traditional firewall

technology. Given respondents also believe remote work

By instituting highly granular rules for applications, IT

now has the ability to either prioritize or throttle traffic
based on business need. It can also allow some functions within applications but not others; for instance,
allowing an IM application like Yahoo Messenger, but
not allowing attachments to messages. The result:
employees that need certain applications still have
access to them, but others are not unnecessarily
degrading bandwidth and putting data at risk.
NGFs also address the BYOD issue, through a capability
known as SSL VPN concentrators. Simply put, these

A NEXT-GENERATION
FIREWALL IS LIKE THE
AIRPORT SECURITY
AGENT WHO OPENS THE
LUGGAGE, INSPECTS ITS
CONTENTS AND MAKES
A DECISION ABOUT
WHETHER IT ALLOWS THE
CONTENTS TO TRAVEL.

arrangements will only increase in the future, the importance of having the capabilities of NGFs only increases.
The key to the value of NGFs is that they have the ability
to increase productivity all around. Its not just the
productivity of employees using mobile devices. Its also
the ability of the network to handle more mission-critical
activities without bandwidth constraint. And finally,
NGFs aid the productivity of IT administrators, who can
take advantage of an integrated device that outperforms
traditional firewalls in mitigating risks associated with
trends on the upswing. n

>

A NEW SET OF NETWORK SECURITY CHALLENGES

ADDITIONAL READING: WHY

>

PROTECTION & PERFORMANCE MATTER

By Daniel Ayoub, CISSP, CISA

Next-Generation Firewalls combine multi-core architecture with
real-time Deep Packet Inspection to fulfill the protection and
performance demands of todays enterprise network

Abstract
Protection and performance go hand-in-hand for NextGeneration Firewalls (NGFWs). Organizations should not have
to sacrifice throughput and productivity for security. Outdated
firewalls pose a serious security risk to organizations since
they fail to inspect data payload of network packets. Many
vendors tout Stateful Packet Inspection (SPI) speeds only, but
the real measure of security and performance is deep packet
inspection throughput and effectiveness. To address this
deficiency, many firewall vendors adopted the malware inspection approach used by traditional desktop anti-virus: buffer
downloaded files, then inspect for malware. This method not
only introduces significant latency and but also poses significant security risks since temporary memory storage can limit
the maximum file size. Independent NSS Lab tests demonstrate
that the Dell SonicWALL SuperMassive E10800 NextGeneration Firewall incorporating multi-core architecture and
Reassembly-Free Deep Packet Inspection (RFDPI) overcome
these limitations to provide enterprises with both extremely
high-levels of protection and performance that they require.

Defining Next-Generation Firewall

In basic terms, a Next-Generation Firewall (NGFW) leverages
deep packet inspection (DPI) firewall technology by integrating
intrusion prevention systems (IPS), and application intelligence
and control.
Industry definitions
Gartner defines an NGFW as a wire-speed integrated network
platform that performs deep inspection of traffic and blocking
of attacks.1 At minimum, Gartner states that an NGFW should
provide:
Non-disruptive in-line bump-in-the-wire configuration
Standard first-generation firewall capabilities, e.g., network-

address translation (NAT), stateful protocol inspection (SPI),

virtual private networking (VPN), etc.
Integrated signature based IPS engine
Application awareness, full stack visibility and granular
control
Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc.
Upgrade path to include future information feeds and
security threats
SSL decryption to enable identifying undesirable encrypted
applications

The evolution of Next-Generation Firewalls

Earlier-generation firewalls
First generation firewalls of the 1980s provided packet filtering
based upon criteria such as port, protocol and MAC/IP address,
and operated at layer 2 and 3 of the OSI model. Second generation firewalls of the 1990s incorporated stateful packet inspection (SPI), which verified that the state of inbound and outbound
traffic based upon state tables, and operated at layers 2, 3 and
4 of the OSI model. Third-generation firewalls of the past decade
have more processing power and broader capabilities, including
deep packet inspection (DPI) of the entire packet payload,
intrusion prevention, malware detection, gateway anti-virus,
traffic analytics, application control, IPSec and SSL VPN. Unified
Threat Management (UTM) represented the next trend in the
evolution of the traditional firewall into a product that not only
guards against intrusion, but also performs content filtering, data
leakage protection, intrusion detection and anti-malware duties
typically handled by multiple systems.
Next-Generation Firewalls
Web 2.0 applications (e.g., Salesforce.com, SharePoint, and
Farmville) now run all over TCP port 80 as well as encrypted
SSL (TCP port 443). Todays NGFWs inspect the payload of
packets and match signatures for nefarious activities such as
known vulnerabilities, exploit attacks, viruses and malware all
on the fly. DPI also means that administrators can create very
granular permit and deny rules for controlling specific applica-

tions and web sites (example: Yahoo instant messenger-chat

is allowed but not file transfers). Since the contents of packets
are inspected, exporting all sorts of statistical information is
also possible, meaning administrators can now easily mine the
traffic analytics to perform capacity planning, troubleshoot
problems or monitor what individual employees are doing
throughout the day. Todays firewalls operate at layers, 2, 3, 4,
5, 6 and 7 of the OSI model.

NGFW feature requirements

The following are feature requirements for Next-Generation
Firewalls:
Legacy features
An NGFW includes all standard capabilities found in a firstgeneration firewall; i.e., packet filtering, stateful packet
inspection (SPI), network address translation (NAT), and high
availability (HA).
Integrated IPS
Effective intrusion prevention systems require advanced
capabilities to combat evasion techniques and enable scanning
and inspection of inbound and outbound communications to
identify malicious or suspicious communications and protocols.
For effective threat protection as well as intrusion prevention,
organizations need best-in-class firewall and intrusion prevention, without the complexity of managing separate appliances,
GUIs, and deployments. NGFWs with IPS capabilities deliver
enterprise class resistance to evasion, powerful context and
content protection capabilities as well as comprehensive threat
protection and application control in a single integrated device.
Application intelligence and control
Application awareness and control includes protocollevel
enforcement, full-stack visibility with granular application
control, and the ability to identify applications regardless of
port, or protocol being utilized.

Defining the Next-Generation Firewall, Gartner RAS Core Research

Note G00171540, John Pescatore, Greg Young, 12 October 2009, R3210
04102010

>

A NEW SET OF NETWORK SECURITY CHALLENGES

ADDITIONAL READING: WHY

PROTECTION & PERFORMANCE MATTER continued

Extra-firewall input
User-ID awareness enables administrators to enforce application policies based on AD user/group (without having to trace
IP address to user ID), adding insight into usage and traffic.

wall vendors incorporated traditional malware protection and

methods that were used on file servers and PCs. The technique
was a band-aid fix to add malware protection on an SPI firewall,
as it had two significant flaws: latency and complexity.

Adaptability
Another important capability of NGFWs is the dynamic adaptation to changing threats. Dell SonicWALL constantly updates
their devices with new signatures to stop threats and stay on
top of the evolving malware landscape.

The first flaw was the introduction of latency while the file is
buffered with file size limitations. Firewall vendors have worked
around this issue by sending keep-alive packets to prevent this,
yet the overall effect is the introduction of latency. The use of
memory to buffer files for inspection causes not only additional
latency but also a space issue which is addressed by limiting the
overall file size to a preset amount (generally 100MB). The use of
the Internet is growing and sharing of larger files is increasing;
hybrid SPI/malware detection technology does not scale.

Payload scanning and performance

All of the above requirements demand full payload scanning at
optimal throughput rates in order to avoid having to sacrifice
security for performance.

Performance
In order to achieve the highest return on investment (ROI) for
bandwidth services and optimize an organizations productivity
level, while still ensuring maximum security, IT needs to make
sure that traffic is thoroughly scanned with minimal latency
for optimal throughput. To meet these requirements, multigigabit throughput rates have become standard for NGFWs.
Dell SonicWALL NGFW solutions can improve performance
significantly by applying patented Dell SonicWALL RFDPI2 technology to enable DPI without buffering and packet reassembly.
From a hardware perspective, Dell SonicWALL NGFWs can also
maximize throughput by incorporating parallel processing over
advanced multi-core architecture.

Why you need a Next-Generation Firewall

The SPI generation of firewalls addressed security in a world
where malware was not a major issue and web pages were
just documents to be read. Ports, IP addresses, and protocols were the key factors to be managed. But as the Internet
evolved, the ability to deliver dynamic content from the server
and client browsers introduced a wealth of applications we
now call Web 2.0.
SPI does not inspect the data portion of the packet and hackers
effectively exploit this fact. To address the new threats, SPI fire-

The second flaw was that traditional point solutions were

difficult to deploy, manage and update, increasing operating
complexity and overhead costs. Sophisticated malicious
attacks penetrate traditional stateful packet inspection products. These solutions simply do not provide sufficient, timely
and unified protection against increasingly complex threats.
To overcome these flaws, Dell SonicWALL offers the most
effective, highest-performance NGFW solutions available today.
Recently, NSS Labs conducted independent testing of the Dell
SonicWALLs Next-Generation Firewall at their labs facility in
Austin, Texas.
Dell SonicWALLs SuperMassive E10800 running SonicOS 6.0 is the
highest overall protection Next-Generation Firewall to earn the
NSS Labs Recommend rating. This proven SonicOS architecture
is at the core of every Dell SonicWALL firewall. The results of
those tests are explored further at the end of this paper.

What the enterprise requires

Organizations are suffering from application chaos. Network
communications no longer rely simply on store-and-forward
applications like email, but have expanded to include real-time
collaboration tools, Web 2.0 applications, instant messenger (IM)
and peer-topeer applications, Voice over IP (VoIP), streaming
media and teleconferencing, each presenting conduits for potential attack. Many organizations cannot differentiate applications
in use on their networks or legitimate business purposes from

those that are potentially wasteful or dangerous.

Today, organizations need to deliver critical business solutions,
while also contending with employee use of wasteful and often
dangerous web-based applications. Critical applications need
bandwidth prioritization while social media and gaming applications need to be throttled or completely blocked. Moreover,
organizations can face fines, penalties and loss of business if they
are in noncompliance with security mandates and regulations.
Protection and performance
In todays enterprise organizations, protection and performance go hand-in-hand. Organizations can no longer tolerate
the reduced security provided by legacy SPI firewalls, nor can
they tolerate the network bottlenecks associated with the
some NGFWs. Any delays in firewall or network performance
can degrade quality in latency-sensitive and collaborative applications, which in turn can negatively affect service levels and
productivity. To make matters worse, some IT organizations
even disable functionality in their network security solutions to
avoid slowdowns in network performance.
Scanning and controlling all content
Organizations large and small, in both the public and private
sector, face new threats from vulnerabilities in commonly-used
applications. Malware lurks in social networks. Meanwhile,
workers use business and home office computers for online
blogging, socializing, messaging, videos, music, games, shopping and email.
Application intelligence and control
Applications such as streaming video, peer-to-peer (P2P), and
hosted or cloud-based applications expose organizations to
potential infiltration, data leakage and downtime. In addition to
introducing security threats, these applications drain bandwidth
and productivity, and compete with mission-critical applications
for precious bandwidth. Importantly, enterprises need tools
to guarantee bandwidth for critical business relevant applications and need application intelligence and control to protect
both inbound and outbound flows of traffic, while ensuring the
velocity and security to provide a productive work environment.
Read the full article