As cyber threats evolve, do firewalls still have a role?

The firewall, almost from the beginning, has been the keystone device for any organization’s cybersecurity program, and in many cases it still is. However, with the evolution of threats now aimed at organizations, the traditional firewall can no longer handle the most sophisticated attacks.

But next-generation firewalls can. Or at least they provide the basis for a more complete enterprise cybersecurity plan. By including things such as application and deep packet inspection (DPI), they combine the capabilities of existing stateful firewalls with those of intrusion-detection and -prevention devices, and add capabilities such as malware filtering and Secure Sockets Layer (SSL) inspection.

The traditional firewall was not designed to look beyond IP addresses, ports and protocols, said Jeff Falcon, a senior solutions architect at CDW, which gives it a very limited ability to provide application classification and control. That is a key requirement today, as organizations need to know who is using certain applications and what data they can access.

A widely accepted description of next-generation firewalls by Gartner Research defines a range of minimum capabilities they need to have:

  • Non-disruptive, in-line configuration.
  • Standard legacy firewall capabilities, such as network address translation, stateful protocol inspection and virtual private networking.
  • Integrated signature-based intrusion prevention system engine.
  • Application awareness, full stack visibility and granular control.
  • Ability to incorporate intelligence from outside the firewall, such as directory-based policy, blacklists and whitelists.
  • Upgrade path to include future information feeds and security threats.
  • SSL decryption to enable identifying undesirable encrypted applications.

With next-generation firewalls, “an organization may now begin to shift from a static ‘on-off’ switch for ports, protocols and known URLs to more of a dimmer switch strategy for safely on-boarding applications,” Falcon wrote in a recent blog post.

Most next-generation firewalls are also designed to help organizations maximize the cloud, support malware analysis and sophisticated sandboxing techniques, and enable true IPS capabilities in a single architecture, he said.

Application awareness is one of the more significant differences between next-generation firewalls and their ancestors. With that, IT administrators can get visibility into network traffic based on such things as information on actual users rather than just IP addresses, in addition to details on potential threats associated with certain applications.

Allied with DPI and intrusion detection, security can be based on patterns of activity rather than on blocking certain ports outright, which obstructs necessary traffic along with traffic that might carry malware and other threats. Administrators can observe how particular applications behave and build their knowledge of threats from that behaviour, which is the hallmark of today’s more sophisticated, targeted attacks.

They can also build up information about how and when certain applications are used, giving them a better idea of when to allow the use of various non-essential applications and what they need to throttle back when the network is needed for more critical applications.
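The contrast between a port-based "on-off switch" and an application- and identity-aware "dimmer switch" is easier to see in code. The following is an added illustration, not code from the article or from any vendor's product; the rule format, the sample flows and the assumption that a directory lookup has already tagged each flow with a user and group are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    user: str       # identity attached by an assumed directory lookup
    group: str      # directory group of that user
    app: str        # application identified by DPI, not inferred from the port
    dst_port: int
    hour: int       # local hour the flow started, 0-23

@dataclass(frozen=True)
class AppRule:
    app: str
    action: str                        # "allow", "deny" or "throttle"
    groups: Optional[frozenset] = None  # None = any group
    hours: Optional[range] = None       # None = any time of day

# Legacy policy: the only question asked is "which port?"
LEGACY_ALLOWED_PORTS = {80, 443}

def legacy_decision(flow: Flow) -> str:
    return "allow" if flow.dst_port in LEGACY_ALLOWED_PORTS else "deny"

# Hypothetical application-aware policy; first matching rule wins.
NGFW_RULES = [
    AppRule("remote-access-tool", "deny"),
    AppRule("file-sharing", "throttle", hours=range(8, 18)),  # business hours
    AppRule("file-sharing", "allow"),                         # off-hours
    AppRule("crm", "allow", groups=frozenset({"sales", "it"})),
]

def ngfw_decision(flow: Flow) -> str:
    for rule in NGFW_RULES:
        if rule.app != flow.app:
            continue
        if rule.groups is not None and flow.group not in rule.groups:
            continue
        if rule.hours is not None and flow.hour not in rule.hours:
            continue
        return rule.action
    return "deny"  # default deny: applications not explicitly onboarded are off

# Constructed sample flows, all on TCP/443, so a port-only policy cannot tell them apart.
SAMPLE_FLOWS = [
    Flow("alice", "sales", "crm", 443, 10),
    Flow("bob", "finance", "file-sharing", 443, 11),
    Flow("bob", "finance", "file-sharing", 443, 20),
    Flow("mallory", "guest", "remote-access-tool", 443, 3),
]

def compare(flows=SAMPLE_FLOWS):
    return [(f.user, f.app, legacy_decision(f), ngfw_decision(f)) for f in flows]
```

Running `compare()` shows every flow passing the legacy policy, while the application-aware policy throttles file sharing during the day, blocks the remote-access tool outright and limits the CRM to the groups entitled to it.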

That same ability to pick and choose also allows for more careful oversight as to who has access to various functions such as networking configurations and who can set security policies or view logs, which also helps improve overall security.

Next-generation firewalls can, however, be even trickier to set up and manage than traditional ones because of this granularity and the complexity of the rules and policies associated with that.

Ultimately, however, there’s an even bigger question: Will firewalls be needed in the future? Firewalls are perimeter defenses, and with the rise of the cloud and the development of increasingly clever security threats that easily pierce those defenses, the persistent question of whether the perimeter even exists anymore is gathering steam.

Last year, in comments to armed forces media, DISA Director Lt. Gen. Ronnie Hawkins said his agency was looking at a more data-focused way of defending information rather than using a “firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA.”

“We’ve got to remove those and go to protecting data,” he said.

It is unlikely that firewalls will disappear completely. How next-generation technology can fit into that kind of data-centric security, however, is the question.