Traditional firewalls are no longer good enough

Your business needs connectivity to survive. But is your firewall keeping up?

Johannesburg, 17 May 2018
Christo van Staden, Regional Manager, sub-Saharan Africa, Forcepoint.

Your business needs connectivity to survive. But is your firewall keeping up? Not many organisations are asking this question. Instead they regard their firewall as evergreen, where admins simply adjust policies as threats evolve. After all, changing a firewall is no small feat and, like the walls of a castle, once it is locked in you have a certain level of guaranteed protection.

Only, those castle walls no longer exist. Today's connected world has rendered perimeter thinking extinct. Drawing a line around an enterprise and bouncing attacks away is no longer sufficient. A workforce is able to connect to the company network whenever and wherever they want. The resulting productivity gains are amazing. But is security keeping up? No, says Christo van Staden, Forcepoint Regional Manager: "Historically we would have wide area networks, consumed from the service provider in a very expensive fashion, with site-to-site links. The market is moving away from that and onto mature Internet infrastructure. You can connect to the Internet from anywhere to anywhere, with no need for dedicated lines. But this requires the right type of security."

Firewalls have evolved

Traditional firewalls stay in one place and apply a general barrier effect. By filtering on addresses, ports and policy rules, they decide what enters and what stays outside. But the change in connectivity described above has diluted that strategy, and at the same time criminals are developing creative ways to sidestep port-based filtering. Malware hidden in e-mail attachments is a common example: it arrives over a service the firewall has to allow, so a rule that only looks at ports never sees anything wrong.

A second major problem with traditional firewalls is a lack of control and visibility. Typical enterprise firewall environments can eventually accrue tens of thousands of rules with little clarity on which are useful. They can rarely report on the types of attacks they have blocked, they do very little proactive threat analysis to spot new attack types, and it is a chore to manage multiple firewalls.

These needs collectively gave birth to the next-generation firewall (NGFW). A best-of-breed NGFW is virtual: though there can be a hardware component, NGFWs can be deployed anywhere inside a network environment and play a considerable role in software-defined networks.

Multiple instances of an NGFW can be launched at different points in a network, each copying a core set of policies or using its own. Likewise, central administration, reporting and monitoring are seamless. This can be on-premises, in the corporate virtual network, and can even extend to cloud environments.

"I can have the same flexibility to fire up a software firewall in Azure or AWS or other public clouds anywhere and apply the same controls, management and policies that sat with traditional firewalls at the perimeter," says Van Staden. "It's definitely one of the key requirements of a next-generation firewall."

Security for the software-defined era

NGFWs are relatively new, only surfacing a few years ago as software-defined networks became more applicable and practical. But they don't exist purely for the cutting edge of networks. Firewall technology has been running into several dead ends, such as the strain of managing policy rules across a large environment. According to Van Staden, a typical large enterprise may have as many as 50 000 or 60 000 rules, most of which are not used.

This not only complicates the firewall environment, but makes it less effective. Rules that serve no purpose still add weight: they create blind spots that a crafty adversary will look to exploit, and they encourage a lax security culture. Reporting on an NGFW, however, helps separate the wheat from the chaff, often whittling the rule set down to a few dozen rules that actually match traffic. The same efficiency applies to scale and deployment: whereas a traditional firewall often needs heavy configuration and integration on site, an NGFW can be reconfigured and deployed quickly, then integrated by automatically liaising with parent firewalls to inherit their policies.
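The rule-set clean-up described above is something a practitioner can start on with nothing more than a policy export and per-rule hit counters. The following is an added example, not Forcepoint code and not a description of any vendor's reporting: it takes a small constructed rule list (CIDR source and destination, protocol, port range, action, hit count) and flags two classes of rules worth removing or reviewing. Zero-hit rules are candidates for removal; shadowed rules, which an earlier rule covers completely under first-match semantics, can never fire at all, and a shadowed rule whose action differs from the rule that shadows it is the dangerous case, because whoever wrote it believed it was applying.

```python
"""Firewall rule-set hygiene: find unused and shadowed rules.

Added example; the Rule fields, names and hit counts are constructed and
stand in for whatever a real firewall's policy export and hit counters
provide. Assumes first-match evaluation from top to bottom.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR
    dst: str          # CIDR
    proto: str        # "tcp", "udp" or "any"
    dport: tuple      # (low, high) inclusive; (0, 65535) means any port
    action: str       # "allow" or "deny"
    hits: int         # matches over the reporting window (constructed)


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b would also match a."""
    return (
        ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
        and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
        and (a.proto == "any" or a.proto == b.proto)
        and a.dport[0] <= b.dport[0]
        and b.dport[1] <= a.dport[1]
    )


def unused_rules(rules, min_hits=1):
    """Rules that matched fewer than min_hits packets in the window."""
    return [r for r in rules if r.hits < min_hits]


def shadowed_rules(rules):
    """(rule, shadowing rule, action_conflict) for every rule an earlier
    rule fully covers. With first-match semantics the later rule never
    fires; if its action differs, the policy author's intent is not
    being enforced at all."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                found.append((rule.name, earlier.name, earlier.action != rule.action))
                break
    return found


def audit(rules, min_hits=1):
    """Summarise what to remove, what to review, and what to keep."""
    unused = {r.name for r in unused_rules(rules, min_hits)}
    shadowed = shadowed_rules(rules)
    conflicts = [name for name, _, conflict in shadowed if conflict]
    dead = unused | {name for name, _, _ in shadowed}
    return {
        "remove_candidates": sorted(dead),
        "policy_conflicts": conflicts,
        "keep": [r.name for r in rules if r.name not in dead],
    }


# Constructed sample policy, top to bottom, first match wins.
SAMPLE_RULES = [
    Rule("allow-web-in",     "0.0.0.0/0",   "10.0.1.0/24",  "tcp", (443, 443),   "allow", 1_200_000),
    Rule("allow-dmz-any",    "10.0.1.0/24", "0.0.0.0/0",    "any", (0, 65535),   "allow", 90_000),
    Rule("allow-dmz-dns",    "10.0.1.0/24", "10.0.0.53/32", "udp", (53, 53),     "allow", 0),
    Rule("deny-dmz-to-db",   "10.0.1.0/24", "10.0.2.0/24",  "tcp", (5432, 5432), "deny",  0),
    Rule("allow-legacy-ftp", "10.0.5.0/24", "10.0.1.10/32", "tcp", (21, 21),     "allow", 0),
    Rule("deny-all",         "0.0.0.0/0",   "0.0.0.0/0",    "any", (0, 65535),   "deny",  48_000),
]

if __name__ == "__main__":
    for name, by, conflict in shadowed_rules(SAMPLE_RULES):
        flag = "ACTION CONFLICT" if conflict else "redundant"
        print(f"{name} is shadowed by {by} ({flag})")
    print(audit(SAMPLE_RULES))
```

Two caveats a practitioner would apply before acting on the output. A zero hit count only means the rule did not fire in the window that was measured, so the window should be long enough to cover quarterly jobs and disaster-recovery paths before a rule is deleted. And the right fix for a shadowed deny is usually not to delete the deny but to tighten the over-broad allow above it: in the sample, `allow-dmz-any` is the actual defect, and `deny-dmz-to-db` is merely the symptom that reveals it.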

However you look at it, a firewall is no longer the secure barrier that it once was. Times have changed, and so have security threats. But an NGFW is not just about improving security. It also creates operational efficiency and heightened awareness of the environment. These elements are changing the game for the firewall industry, Van Staden concludes: "Firewalls have fallen behind the curve. The evolution of establishing a soft-defined WAN, making use of the infrastructure that is already available to everyone, that concept has changed business interactions. But there are not many firewall vendors that are leading at the front of this. It's a next-generation business world. For that, you need a next-generation firewall."