INTELLIGENT ENTERPRISE SECURITY should feature product capabilities like compression, data-deduplication or application-based prioritisation and bandwidth guarantees.
Meanwhile, businesses are facing an unprecedented wave of ransomware attacks. These generally come in through email, but you could also have computers calling home to the Command & Control server to install stealthware. With the right firewall, often described as next generation, in place these activities can be detected and curbed.
In addition to the protection on the perimeter, you can deploy more firewalls internally to create zones. Zoning or segmentation makes it harder for malware and attackers to cross network boundaries.
Often it makes sense to allow for direct access to cloud applications from each branch office location, effectively moving away from the traditional centralised access approach.
Allowing internet access from branch locations may now mean deploying firewalls at these locations. The practical challenges here are threefold:
Does the deployed, smaller firewall
1 device at each branch provide all the security controls needed and is it still affordable? Must-haves would be nextgeneration firewall features such as app control, user awareness, integrated IPS, the ability to intercept SSL, and advanced threat and malware detection.
Can these devices be effectively
2 managed from a central user interface? This is important, because it means that only one security policy needs to be defined and maintained across all the deployed firewalls, even though enforcement now takes place in multiple physical locations.
What does the associated operational
3 cost look like? Firewall devices need to
be trouble-shot, logs need to be managed, updates applied.
My own suggestion is that conservative approach of going with a well-established player that will continue to invest in threat defences and upgrades is the best route
As with all things IT, Next Generation Firewalls are subject to more hype than reality. While many are fully featured, some are overmarketed versions of older technology and despite there being plenty of choice, there can be a blurring around the capabilities and performance on offer.
The customer should start by determining their needs, as they differ by organisational type, size, performance requirements, security concerns and of course compliance requirements. While there is a wide variation of prices in Next Generation Firewalls, often they are not matched directly to capability, which is why needs precedes budget considerations.
Some of the elements to consider and prioritise for Next Generation Firewalls include application firewalling using deep packet inspection, intrusion prevention, encrypted traffic inspection TLS / SSL, website filtering, bandwidth management, and third party identity management integration LDAP, Radius active directory.
Other features can include antivirus, sandbox filtering, logging and auditing tools, network access control, DDoS protection and of course cloud capabilities.
Clearly different organisations will have a divergent range of needs driven by their own size, performance and security requirements. With the significant range of solutions on offer, the challenge can often be selection, particularly with the significant number of new suppliers entering the market with innovative offerings.
Budget and management capabilities are also key elements in this equation. Given that a firewall often is deployed for considerably more than three years it is crucial to make the right decision to protect your environment, not only against today’ s threats but also those that will be the centre of attacks in the future.
Having been around security for more than 40 years, my own suggestion is that the conservative approach of going with a well-established player that can and will continue to invest in threat defences and upgrades is the best route.
Subject to the size and potential cost of your deployment, putting one or more suppliers through a full proof of concept ahead of the decision can be a very effective investment. This is to protect an organisation in a radically changed risk environment from three years ago, and one which will continue to change at potentially an even faster rate.
Ian Kilpatrick is Executive Vice-President Cyber Security for Nuvias Group and Chairman Wick Hill Group
39