When the first firewalls were developed and deployed, their primary role was to act as sentinels monitoring traffic moving into, and sometimes out of the network. These devices would look at packets, network addresses, and ports to determine if data should be allowed through or blocked. A good analogy is airline travel. In the first few iterations of the firewall, data was simply checked to see if it had a ticket, and if its credentials were in order it were allowed to board the plane.
Then application traffic took off, and first generation firewalls could no longer keep up. That’s because criminals were able to hide malware inside application traffic, where the firewall ticket taker couldn’t see it. So second generation, or Next Generation Firewalls were born. This new tool could see into application in order to find and block malware. Think of it as adding an x-ray machine to your airline boarding process. You may have had a ticket, but if there was something dangerous in your luggage you were still denied access. Over time, compatible security inspection technologies were added to the process, such as IPS, Application Control and Anti-Malware. Think of these as the equivalent to body scanners and wiping down luggage looking for bomb-making residue. Unfortunately, as inspections became more frequent, the security gateway became a serious bottleneck.
Today, things are more complicated than ever. Rather than networks becoming borderless they have become porous, with points of access and endpoint multiplying at an unprecedented rate. Almost 60% of enterprise traffic is encrypted, and cyberattackers are increasingly deploying encrypted malware. As a result, the Gartner Enterprise Firewall MQ 2017 predicts that almost 50% of enterprise customers will soon require SSL inspection capabilities, compared to only 10% today. In addition, increasingly sophisticated, multi-vector cyberattacks are being designed to bypass traditional edge security and evade conventional detection.
Decryption, deep packet inspection, and threat correlation are extremely CPU-intensive, and are notorious for bringing even high-end commercial NGFWs to their knees. And as malware and threats become increasingly difficult to detect at the access point, it is absolutely necessary that security span across the network in order to monitor behaviors in order to uncover intent.
These requirements are redefining the NGFW.
The reality is that nearly all currently available firewall devices and platforms are simply not up to the task. Which is part of the reason why organizations spend billions of dollars on security every year and the prevalence and severity of cyber crime still shows no signs of slowing down.
The next generation of firewall security needs to include three things:
1. Power and Performance.
There are two undeniable truths about networks: the volume of data, driven by things like IoT and the Cloud, is going to continue to increase, and the scope and scale of networks is going to continue to expand. Security tools need to enable this growth without compromising data and resource protection. Unfortunately, most firewalls today have the following two fatal performance characteristics:
- They are often a collection of different security technologies cobbled together. Security inspection requires running traffic through an inspection mill that requires lots of overhead to deliver redundant security processing. These tools often even have separate management interfaces, making event detection difficult. Add new necessary functionality like threat intelligence and Advanced Threat Protection and most security devices quickly becoming a bottleneck.
- They are built using off the shelf CPUs and other components. And because the security tools that make up the NGFW are usually developed separately, even the security software is barely optimized. If automobiles were built the same way most firewalls are, they would cost a million dollars, get five miles to the gallon of gas, and not drive over 20 miles per hour.
This is why when most firewalls today encounter real world traffic environments that require layers of simultaneous inspection, the decryption of SSL traffic, and escalating network traffic volume they collapse.
What’s needed is a new generation of firewalls designed with the performance requirements of today’s networks in mind.
2. Deep Visibility Beyond the Application
It’s not enough to simply inspect traffic. To catch many of today’s most sophisticated threats, intelligence gleaned from such inspections needs to be shared in real time with the rest of the network. Unfortunately, most of today’s NGFW solutions function in isolation. Many don’t even share information between the different security tools loaded on a single platform, let alone with other security tools deployed across the distributed network.
But cross-platform integration and the direct correlation of threat information are essential for securing today’s networks. And that functionality needs to scale across today’s highly distributed networks that include physical and virtual domains, IoT and other endpoint devices, and multi-cloud environments that can include multiple IaaS and SaaS providers.
As a result, attacks can come from anywhere, originating either inside or outside of one of the network perimeters. To detect and respond to these threats today’s NGFW solutions require Advanced Threat Protection capabilities such as Sandboxing and Threat intelligence.
Security devices and tools need to be integrated together to scale and adapt to even the most elastic network environments. This enables granular visibility of users, IOT devices, cloud applications and access devices end-to-end. The complexity of both network infrastructures and the threat landscape requires an integrated Security Fabric that combines easy-to-use, unified management and orchestration, broad visibility, granular control, and centralized compliance capabilities to reduce complexity while enabling next-generation protections such as intent-based security.
3. Automation, Deep Inspection, and AI
Performance and correlation across distributed networks are still not enough. Today’s attacks can begin stealing data or ransoming resources within minutes of breaching a network. Security needs to be able to respond to detected threats at digital speeds.
Security automation allows networks to respond in a coordinated fashion to a detected threat. Once malware or a breach has been detected, all devices connected to the Security Fabric need to be able to respond in real time. Affected devices and malware need to be detected and isolated. Today, this requires deep inspection in real-time. Rather than running sandbox tools as separate appliances or services – with all the challenges and time delays that separate management and correlation tools impose – sandbox capabilities need to be a core requirement of today’s NGFWs. Which is why this capability requirement is reflected in Gartner 2017 Magic Quadrant for Enterprise Network Firewalls.
Threat intelligence needs to be shared so that sensors can begin scanning the network for other incidences of the detected attack. Shields need to be raised to prevent similar breaches from occurring. Remediation needs to take place to get resources back online. And forensic analysis needs to begin in order to determine how a breach occurred, what resources were compromised, and how to shore up defenses to prevent that from happening again.
Increasingly, as the speed of compromises continues to increase, and infiltration techniques become more sophisticated, AI tools will need to be deployed to see and even anticipate attacks and more effectively coordinate threat response to shut down cybercriminals before that can achieve their objectives.
Fortinet is Ready for the Next Generation of Security
Fortinet continues to redefine NGFW deployment based on our security fabric vision of providing broad, automated, and powerful capabilities.
Fortinet’s patented security processors and highly optimized security software provide industry’s highest threat protection and SSL inspection performance, regardless of whether they are deployed at the network edge, in the core, or in the segments.
With FortiOS 5.6 release customers are able to leverage an automated fabric topology view to gain complete visibility across their distributed network ecosystems, including 360° visibility into access points, endpoints and threats. Additionally, the Fortinet Security Fabric provides granular visibility into applications – including SaaS applications – which is critical for enterprises transitioning to the cloud.
In today’s networked environment, broad, powerful, integrated, and automated solutions aren’t just nice things to have. They are essential components of the next generation of network security.
Learn more about Fortinet Next Generation Firewalls or download our paper which talks about the top trends that are impacting organizations today (Cloud, IoT, Ransomware, SSL Encryption), and outlines some of the key approaches one should consider for protecting against the cyber threats that come from these trends.