By Anish Chauhan, Network Consultant
A traditional firewall is no longer adequate protection against the internet and its users. Traditional firewalls are packet-filtering devices that allow or deny access based on IP addresses and protocol port numbers alone. This was fine when the perimeter of the network was rigidly defined and protocols were used solely for their intended purpose; however, this is no longer the case. Much of today's traffic, legitimate and malicious alike, runs over the same handful of web ports, so a port-based rule cannot tell them apart.
More recently, the introduction of Next Generation Firewalls (NGFWs) or Application Layer Gateways (ALGs) has made it possible to exercise far finer control over web users. A traditional firewall can only permit or deny web traffic as a whole, a relatively blunt instrument, which means that web traffic from the inside network to the outside world is almost invariably permitted. An ALG, on the other hand, can permit web traffic based on the specific application in use within the web session – for example, an ALG will commonly give the administrator the ability to permit access to Facebook while denying specific applications that are accessed through Facebook.
Driven by the evolution of Web 2.0, many of these ALGs can provide a breakdown of exactly what is going on inside a web-based session and permit or deny traffic on a far more granular basis than was previously possible.
For example, the Check Point Application Awareness Blade and SonicWALL's ALGs can permit Facebook traffic while denying Facebook chat or games.
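To make the difference between the two decision models concrete, here is an added example (not code from the article or from any of the vendors it names). It models a packet-filter rule that sees only addresses, protocol and port beside an application-aware rule that also consults the host and path the inspecting device recovered from the session. The inside network, the hostnames, the paths and the application signatures are all constructed for illustration; real ALGs ship vendor-maintained signature sets.

```python
"""Packet-filter rule vs. application-aware rule over constructed web sessions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

INSIDE = ip_network("10.0.0.0/8")  # assumed inside network (constructed)


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_port: int
    proto: str
    host: str  # HTTP Host header (or TLS SNI) as recovered by the inspecting device
    path: str  # first request path seen in the session ("" if not visible)


def packet_filter_verdict(s: Session) -> str:
    """Traditional firewall: allow outbound web from inside on TCP/80 and TCP/443 only.

    The decision never looks past the 5-tuple, so every HTTPS session from
    inside gets the same answer regardless of what it carries.
    """
    if ip_address(s.src_ip) in INSIDE and s.proto == "tcp" and s.dst_port in (80, 443):
        return "permit"
    return "deny"


# Hypothetical application signatures, most specific first:
# (host suffix, path prefix, application name). Constructed, not a vendor's set.
APP_SIGNATURES = [
    ("facebook.com", "/ajax/chat", "facebook-chat"),
    ("facebook.com", "/games", "facebook-games"),
    ("facebook.com", "/", "facebook"),
]


def classify_application(s: Session) -> str:
    """Map a session to an application tag using host + path signatures."""
    for host_suffix, path_prefix, app in APP_SIGNATURES:
        host_match = s.host == host_suffix or s.host.endswith("." + host_suffix)
        if host_match and s.path.startswith(path_prefix):
            return app
    return "web-browsing"


# Application-level policy: Facebook itself is allowed, its chat and games are not.
ALG_POLICY = {
    "facebook": "permit",
    "facebook-chat": "deny",
    "facebook-games": "deny",
    "web-browsing": "permit",
}


def alg_verdict(s: Session) -> Tuple[str, str]:
    """ALG: the port-based rule still applies first, then the application tag decides."""
    if packet_filter_verdict(s) == "deny":
        return ("deny", "packet-filter")
    app = classify_application(s)
    return (ALG_POLICY.get(app, "deny"), app)  # unknown tags default to deny


# Constructed sample sessions, one per case the article discusses.
SESSIONS = [
    Session("10.1.2.3", 443, "tcp", "www.facebook.com", "/"),
    Session("10.1.2.3", 443, "tcp", "www.facebook.com", "/ajax/chat/send"),
    Session("10.1.2.3", 443, "tcp", "apps.facebook.com", "/games/puzzle"),
    Session("10.1.2.3", 443, "tcp", "example.com", "/"),
    Session("10.1.2.3", 22, "tcp", "", ""),
    Session("192.0.2.7", 443, "tcp", "www.facebook.com", "/"),
]


def compare(sessions: List[Session]) -> List[Tuple[str, str, str, str]]:
    """Return (host+path, packet-filter verdict, ALG verdict, application) per session."""
    rows = []
    for s in sessions:
        verdict, app = alg_verdict(s)
        rows.append((s.host + s.path, packet_filter_verdict(s), verdict, app))
    return rows


if __name__ == "__main__":
    for row in compare(SESSIONS):
        print("%-40s packet-filter=%-6s alg=%-6s app=%s" % row)
```

The second and third rows are the point of the article: the packet filter permits them because they are outbound TCP/443, while the application-aware rule denies them because the signature identifies chat and games inside an otherwise permitted Facebook session. One practical caveat the model glosses over: for HTTPS the inspecting device only sees the host (via SNI) unless it decrypts the session, so a path-based signature like the chat one above requires TLS inspection, and a host-only signature is the most it can rely on otherwise.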
Check Point has always put ease of firewall administration and reporting capability high on its agenda and that continues to be the case with the integration of other UTM (Unified Threat Management) capabilities such as Anti-Virus, Anti-Malware, IPS, URL Filtering and Application Layer Gateway capabilities. Some performance sacrifices may be made when activating some of these features on appliances that are pitched at the SME end of the market.
SonicWALL is continuing to grow its market share and prides itself on using Cavium chipsets that are designed with deep-packet inspection in mind. It is this capability that enables ALGs to differentiate between common web traffic, Facebook traffic and the chat/games within that session. The faster these devices can inspect this traffic, the less performance degradation will be experienced – throughput is therefore paramount. The performance figures of its rather amusingly titled "SuperMassive" series are among the highest in the industry; however, by SonicWALL's own admission, logging is an area that is still being improved.
Being able to prevent users from using web applications that have questionable business justification is one thing, but the real value comes in being able to proactively prevent malware from infesting your network. Malware, rather than being an inconvenience, is far more likely to render a business inoperable. This is where well-implemented content security solutions play a real part in network security and in the continuation of effective business communications.
So where does Cisco fit into this?
Although it may seem not to have brought anything to the ALG party, Cisco has in fact been somewhat ahead of the game for some time. Of its Security Services Modules, the Content Security and Control (CSC) module provides a notable degree of malware protection, in part through the integration of Trend Micro's award-winning capability. Preventing the infiltration of malware into the network, combined with URL filtering, content filtering and anti-phishing technology that integrates with perimeter firewalls, provides a comprehensive perimeter network security solution. Rather than attempting to re-invent the wheel, Cisco has acknowledged that this level of inspection and protection should be undertaken by dedicated hardware integrating the work of well-established content security specialists.
It is widely accepted that the web is the source of the vast majority of malware; when you think about it, where else can malware ultimately be sourced from? So how do you protect your network from Internet-based threats that are continually growing in quantity, complexity and potential impact to your business?
To receive an electronic copy of Networks First’s ‘How to Guide’ on Network Management for the 21st Century please click here.