18 Jun

You Need Next-Generation Firewalls!


Wikipedia defines a firewall as: A software or hardware-based network security system that controls the incoming and outgoing network traffic based upon a set of rules. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.

Traditional, first-generation firewalls allowed traffic in and out of a network based upon port and protocol rules. These firewalls only operated up to layer 3 of the Open Systems Interconnection (OSI) reference model.

As more and more computers started connecting to the public Internet, it was soon realized that Internet Protocol version 4 (IPv4) addresses would quickly run out. Industry quickly solved this problem with the creation of network address translation (NAT) and port address translation (PAT). Second-generation firewalls included a stateful filter that operated up to layer 4 (transport layer) of the OSI model. These firewalls were able to track the state of each connection to determine whether communications were allowed to pass through the device.

Third-generation firewalls operated all the way to layer 7 (application layer) of the OSI model. These firewalls were able to understand certain applications and protocols. As the explosion of the web continued and companies began delivering more dynamic content and applications over the Internet, application layer firewalls were not able to keep up with all the different applications. Malware took advantage of these weaknesses and began to exploit and fool firewalls in order to evade them. To combat this, third-generation firewalls started to “bolt on” deep packet inspection, virus scanners, and intrusion prevention systems in an effort to create a unified threat management (UTM) environment. However, these “bolt-on” technologies don’t really work because the foundation that they are being connected to is weak to begin with.

Next-generation firewalls enable the firewall to be the cornerstone of enterprise network security by classifying traffic by the application’s identity in order to ensure visibility and control. According to Lawrence Miller as published in Next-Generation Firewalls for Dummies, the essential functional requirements for an effective next-generation firewall include the ability to:

  • Identify applications regardless of port, protocol, evasive techniques, or SSL encryption before doing anything else
  • Provide visibility of and granular, policy-based control over applications, including individual functions
  • Accurately identify users and subsequently use identity information as an attribute for policy control
  • Provide real-time protection against a wide array of threats, including those operating at the application layer
  • Integrate, not just combine, traditional firewall and network intrusion prevention capabilities
  • Support multi-gigabit, in-line deployments with negligible performance degradation
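To make the first requirement concrete, here is an added example (not from the original post, Lawrence Miller's book, or any vendor's product) that compares a port-based rule lookup with identification from the first payload bytes of a connection. The signature checks are deliberately simplified, and the flows, names, and port table are constructed assumptions for illustration.

```python
# Added illustration: port-based rules versus payload-based application
# identification. Signatures and flows are simplified, constructed samples.
from dataclasses import dataclass

# First-generation style policy: destination port -> assumed application.
PORT_RULES = {80: "http", 443: "tls", 22: "ssh", 53: "dns"}

@dataclass
class Flow:
    dst_port: int
    first_bytes: bytes  # first client payload bytes of the connection

def classify_by_port(flow: Flow) -> str:
    """Trust the port number, as a port/protocol rule set does."""
    return PORT_RULES.get(flow.dst_port, "unknown")

def classify_by_payload(flow: Flow) -> str:
    """Identify the application from the payload, ignoring the port."""
    data = flow.first_bytes
    if data.startswith(b"SSH-"):  # SSH identification string (RFC 4253)
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    method = data.split(b" ", 1)[0]
    if method in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}:
        return "http"
    return "unknown"

def audit(flows):
    """Return flows where the port-implied app differs from the payload."""
    findings = []
    for flow in flows:
        by_port, by_payload = classify_by_port(flow), classify_by_payload(flow)
        if by_port != by_payload:
            findings.append((flow.dst_port, by_port, by_payload))
    return findings

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow(443, bytes([0x16, 0x03, 0x01, 0x02, 0x00])),        # TLS on 443
    Flow(443, b"SSH-2.0-OpenSSH_9.6\r\n"),                   # SSH on 443
    Flow(8080, b"GET /index.html HTTP/1.1\r\nHost: a\r\n"),  # HTTP on 8080
    Flow(80, b"GET / HTTP/1.1\r\n"),                         # HTTP on 80
]

if __name__ == "__main__":
    for port, by_port, by_payload in audit(SAMPLE_FLOWS):
        print(f"port {port}: rule says {by_port}, payload says {by_payload}")
```

The audit flags the two flows a port rule would misjudge; it does not address traffic inside SSL encryption, which the same requirement also lists.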

Orion Security Solutions is a Palo Alto Networks partner and can help you take back control of your network. Please contact us if you would like more information or to demo the benefits and features of the Palo Alto Networks Next Generation Firewalls.

Tune back in next time as we cover more of the features of Next Generation Firewalls and why you need them. Thank you for reading and see you next time on The O.

Mark Lawrence joined Orion Security Solutions as the Senior Vice President of IT Security. Mark will build on Orion Security Solutions' "layered" security methodology as more technical security devices are connected to an Internet Protocol network.



Mark formerly worked with the United States Department of State as a Security Engineering Officer with the Bureau of Diplomatic Security Service (DSS) for eleven years. Mark joined Diplomatic Security from North Carolina State University, where he obtained his Master of Science degree in Computer Network Engineering and his Bachelor of Science degree in Biological Life Sciences with a minor in Genetics. Mark also interned with Cisco Systems in Research Triangle Park while he was studying for his Network Engineering degree. Mark received advanced computer security training from the Department of State, including forensics, vulnerability scanning, computer security assessments, information assurance (including systems certification and accreditation), and compliance and auditing.