Protection with Next-Generation Firewalls

Modern enterprise networks are not only having to cope with growing demands but also with growing threats. This calls for smart solutions as protecting the network must not come at the expense of performance. A next-generation firewall is an indispensable building block in every security architecture when it comes to warding off aggressive threats and reaping administrative benefits. Enterprises such as Juniper, Fortinet and Palo Alto provide the right technology.

Modern challenges

Dangerous malware as well as direct access by third parties resulting from external attacks can wreak enormous destruction on an enterprise’s assets. These threats need to be countered without having a negative impact on network bandwidth and latency. The approaches required to achieve this goal have to be as holistic as possible: they have to consider the entire network and work with specialised hardware.

Future viability is a further key aspect. Due to the constant rise in the number of mobile and IoT devices, large enterprises have hundreds or even thousands of different devices and applications that have to run simultaneously on the network. This makes it difficult for administrators to monitor where and when specific applications are permitted. Threats cannot be effectively countered if monitoring is inadequate.

Increased security with reduced complexity

Networks have not only become larger but also more diverse and complex. This created a need for a constant supply of new solutions, which were frequently integrated into the network one by one. Instead of one single firewall, additional security mechanisms were implemented, leading to numerous security layers within the network.

As a rule, such methods are effective but not efficient. What is more, new gaps and vulnerabilities can arise as a result of the patchwork of different security systems. Then there is often the problem that the security solutions impair network performance. This becomes particularly problematic when solutions from different vendors are deployed that may not be completely compatible and could impair each other’s performance.

One solution is a next-generation firewall, which adds a new element to the concept of the conventional firewall. The greatest problem of the simple firewall is that traffic now runs almost completely via the internet, so inspecting protocols and ports alone no longer makes sense. Security architecture therefore now focuses on the content of the data packets themselves.

The added value of next-generation firewalls

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are needed to analyse data packets and recognise threats and attacks. Both systems work according to the same principle, but unlike an IDS, which only reports, an IPS is a proactive mechanism that sits inline and intervenes. Both scan the data packets (deep packet inspection) and compare them with known signatures and patterns of malware and attack scenarios. If any irregularities are discovered, the system can issue an alarm or take action itself to reject packets or block connections.

As an increasing amount of traffic is encrypted, simple IDS or IPS concepts can no longer analyse all data moving across the network. Encrypted data packets cannot be compared against signatures, which is why the process is supported by SSL inspection. This decrypts, examines and re-encrypts encrypted data before sending it on to its actual destination. These systems are included in the basic functions of next-generation firewalls and are integrated in Juniper’s SRX firewalls and Fortinet’s FortiGate firewalls, for example.
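A toy illustration of the two points above, the IDS/IPS distinction (alert versus drop) and why signature matching fails on encrypted payloads until SSL inspection decrypts them first. This is an added example, not code from the article or from any of the named vendors; the signatures, packets, key and the XOR stand-in for a TLS session are all constructed.

```python
from dataclasses import dataclass

# Constructed signatures; a real IDS/IPS loads thousands of these from a ruleset.
SIGNATURES = {
    "sample-malware-marker": b"MALWARE-MARKER-01",
    "sample-scan-probe": b"PROBE-SCAN-XYZ",
}

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    encrypted: bool = False   # True models a TLS record the sensor cannot read

def toy_encrypt(data, key):
    # XOR with a repeating key stands in for TLS; XOR is its own inverse.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def inspect(packet, mode="ids"):
    """Deep packet inspection: returns (verdict, matched signature names).
    IDS mode only alerts; IPS mode drops. Encrypted payloads pass uninspected."""
    if packet.encrypted:
        return "uninspected", []
    hits = [name for name, pat in SIGNATURES.items() if pat in packet.payload]
    if not hits:
        return "pass", []
    return ("drop" if mode == "ips" else "alert"), hits

def ssl_inspect(packet, key, mode="ips"):
    """SSL inspection: decrypt (the firewall holds the session key because it
    terminates TLS), inspect the cleartext, then the caller re-encrypts/forwards."""
    clear = toy_encrypt(packet.payload, key)
    return inspect(Packet(packet.src, packet.dst, clear), mode)

def run_demo():
    key = b"session-key"   # constructed
    packets = [
        Packet("10.0.0.5", "10.0.0.9", b"GET /index.html HTTP/1.1"),
        Packet("10.0.0.5", "10.0.0.9", b"POST /upload MALWARE-MARKER-01 ..."),
        Packet("10.0.0.7", "10.0.0.9", toy_encrypt(b"PROBE-SCAN-XYZ", key), encrypted=True),
    ]
    results = []
    for p in packets:
        results.append(("ids", inspect(p, "ids")[0]))
        results.append(("ips", inspect(p, "ips")[0]))
    # The encrypted probe slipped past both sensors; SSL inspection catches it.
    results.append(("ips+ssl", ssl_inspect(packets[2], key, "ips")[0]))
    return results
```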

Substitute for complex systems

Manufacturers also provide further protective mechanisms that focus on the network as a whole while offering uniform and simple administration. For example, Juniper offers Unified Threat Management, while Fortinet has Security Fabric. These contain classical defence measures against typical malware in the form of viruses, Trojans and worms. These solutions also detect phishing attempts as well as potentially highly dangerous crypto-Trojans at an early stage so that damage can be prevented. Other mechanisms include zero-trust network access and the protection of LANs and wireless networks to ensure enhanced monitoring of network access.

There is no general answer to the question of which solution is right for your network; it depends on your specific requirements and the network technology you are currently using. We can give you detailed advice based on your requirements.

Questions? Just ask!

I am Sebastian Wiedemann from the HCD sales team. I will be happy to advise you or assist you with any questions. You can phone me on +49 89 215 36 92-0 or reach me using our contact form.

Contact us