Brian Brannon, Director of R&D
Anyone who has ever used a cloud-based storage service such as Dropbox or Box understands the usefulness and convenience that these types of solutions provide. On the other hand, anyone who has ever dealt with data leakage can also identify with the potential problems and risks of these types of solutions. The new conveniences that services such as Dropbox and Box provide also present new hurdles that Information Security Officers must overcome.
The possibility of data leakage alone is frightening, and events such as the recent seizure of Megaupload by federal authorities show how horrific the experience can be. These concerns don't stop at cloud storage services, either. They also extend to services like Google Talk, Google Docs, flickr, Skype, LogMeIn, and numerous other online cloud services.
The number of cloud-based services that are being used by end users has exploded over the last five years. This recent adoption of cloud solutions does not seem to be slowing. For this reason, Information Security Officers and administrators need new tools to address these new risks. Most of these new threats and concerns can be handled by a Next-Generation Firewall.
In the last five years, firewall manufacturers have changed the way firewalls interact with the traffic that traverses the appliances. Historically, firewalls were only able to view packet header information such as source IP, destination IP, and service port. This meant that a firewall administrator could only block traffic based on that packet information. Later, firewall vendors began packaging extra services, such as IPS and content filtering, into their products. These additions helped firewall administrators protect their networks from a myriad of ever-changing problems. However, new problems have arisen, and Next-Generation Firewalls can be used to address them.
Next-Generation Firewalls have changed the way firewall administrators can configure and protect their networks. As previously mentioned, earlier firewalls could only view packet information such as source IP, destination IP, and port. Next-Generation Firewalls, on the other hand, can identify traffic at layer 7 of the OSI model. This means that the firewall can distinguish between YouTube and Google Docs traffic even when both use the same port. Additionally, the new firewalls can integrate with Microsoft Active Directory, so policy can be written in terms of users and groups rather than IP addresses. The combination of these two features is tremendously useful: administrators can now direct which users may use which cloud services. For example, administrators can configure a Next-Generation Firewall so that employees in a management group can access Facebook, but tellers cannot. This could previously be accomplished using web content filtering techniques, but it was more difficult. Web content filtering also begins to fall apart when you want to deny individual portions of a website. For instance, many financial institutions have blocked Gmail solely because of its Google Talk feature. With a Next-Generation Firewall, administrators can allow users to access Gmail but deny their use of the Google Talk feature within it.
These features also lend themselves to better reporting. For those of you who have ever looked at firewall logs and reports, you know that it can be difficult to truly understand what your users are accessing. When a firewall can report on users rather than IP addresses, and on applications rather than ports, reports become much easier to comprehend. Administrators no longer have to work out which users were on specific workstations at different times of the day.
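To make the difference concrete, here is an added Python sketch (not from the original article or any vendor's product) contrasting a port-only decision with a user- and application-aware one, and showing the richer log line that results. The directory contents, group names, policy rules, and application labels are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed user-to-group mapping, standing in for an Active Directory lookup.
DIRECTORY = {"alice": "Management", "bob": "Tellers"}


@dataclass
class Flow:
    user: str                  # resolved via directory integration, not guessed from the IP
    src_ip: str
    dst_port: int
    app: str                   # layer-7 application the firewall identified, e.g. "gmail"
    sub_app: Optional[str] = None   # feature inside the app, e.g. "google-talk"


@dataclass
class Rule:
    group: str                 # "any" or a directory group name
    app: str                   # "any" or an application name
    sub_app: Optional[str]     # None matches any (or no) sub-application
    action: str                # "allow" or "deny"


# Constructed policy, evaluated top-down, first match wins.
POLICY = [
    Rule("Tellers", "gmail", "google-talk", "deny"),  # chat inside Gmail blocked for tellers
    Rule("any", "gmail", None, "allow"),              # Gmail itself stays available
    Rule("Management", "facebook", None, "allow"),
    Rule("Tellers", "facebook", None, "deny"),
    Rule("any", "any", None, "deny"),                 # implicit default deny
]


def port_based_decision(flow: Flow) -> str:
    """A classic firewall sees only the port: 443 is either all open or all closed."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


def app_based_decision(flow: Flow, policy=POLICY) -> str:
    """Match on the user's group and the identified application/sub-application."""
    group = DIRECTORY.get(flow.user, "unknown")
    for rule in policy:
        if rule.group not in ("any", group):
            continue
        if rule.app not in ("any", flow.app):
            continue
        if rule.sub_app is not None and rule.sub_app != flow.sub_app:
            continue
        return rule.action
    return "deny"


def log_line(flow: Flow, action: str) -> str:
    """Report on user and application instead of IP address and port."""
    app = flow.app + (f"/{flow.sub_app}" if flow.sub_app else "")
    return f"user={flow.user} group={DIRECTORY.get(flow.user, 'unknown')} app={app} action={action}"
```

Both Gmail and Google Talk arrive on port 443, so the port-only check allows both for everyone, while the application-aware policy lets tellers read mail but not chat.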
The first Next-Generation Firewalls began to appear roughly five years ago. Over time, most firewall vendors have noticed the enhancements that Next-Generation Firewalls provide and have developed their own versions, which are available today. Many current firewalls in production only require a firmware update to obtain these features; otherwise, a new firewall appliance would need to be purchased.
In conclusion, Next-Generation Firewalls give firewall administrators more granular control than was previously available. With user and application identification, controls can be more clearly and easily defined. Many banks and credit unions already have a Next-Generation Firewall in place and only need to update the appliance firmware to gain these features. For the reasons identified, Information Security Officers and firewall administrators should evaluate whether a Next-Generation Firewall has a place in their bank or credit union. An evaluation of Next-Generation Firewalls should be a high priority if your financial institution is looking at a firewall replacement in the foreseeable future.