What’s wrong with my next-generation firewall?

Next-Generation Firewalls (NGFWs) are a foundational component for many traditional network security strategies. While nothing is technically wrong with today's NGFWs, much is wrong with the approach. Most solutions in the market today do exactly as advertised -- combine traditional packet filtering with some application control and rudimentary IPS layered on top. While these capabilities are still important, traditional NGFWs were designed for a more simple time, before advanced threats began burrowing into enterprises through new and innovative means.

Today's sophisticated attacks leverage an array of threat vectors that can take endless form factors. We are now seeing attacks that we couldn't have anticipated just a few years ago. The traditional network security approaches in place to address these challenges have been built from disparate point technologies, amounting to considerable complexity, that create gaps in these defenses that attackers exploit.

NGFWs continue to be a vital part of an organization's protection, but they weren't created to address advanced threats that often go undetected until it's too late. To protect against the advanced threats that are now prevalent, many organizations have had to add new layers of defense and resort to complex, expensive options that bloat the size of their network.

Evolving to Meet Today's Requirements

NGFWs must evolve to stay relevant in a world that is dealing with dynamic threats. It's time for a shift in mindset regarding the level of protection an NGFW must provide to improve visibility to detect multi-vector threats, close security gaps that attackers exploit, and combat sophisticated threats. In order to deal with today's security challenges, an NGFW must offer capabilities that address these three strategic imperatives:

Visibility-Driven. To address today's era of threats, a visibility-driven approach enables insight into all users, devices, OS, applications, virtual machines, connections, and files to provide real-time contextual awareness, give network defenders a holistic view of the network and make it easier to pinpoint suspicious behavior when it happens. Full stack visibility and contextual awareness for automated, integrated security serves as the basis for both streaming and automating defense responses. Granular application visibility and control and URL filtering are also crucial to reduce the attack surface.

Threat-Centric. This entails delivering integrated threat defense across the full attack continuum -- before, during and after the attack. Threat-centric protection must combine market-leading NGIPS, with advanced malware protection (AMP), that is third-party tested to confirm security effectiveness. Because today's advanced malware is designed to evade "point-in-time" security layers, threats can still get through, so organizations now require technology that can not only scan at an initial point-in-time to detect, understand and stop threats, but also make use of continuous capabilities which can "go back in time" to alert on and remediate files initially deemed safe that are later determined to be malicious.

Platform-Based. IT professionals are now under tremendous pressure to reduce complexity in their environments, keep operational costs low and maintain the best defenses to keep pace with the dynamic threat landscape. In today's world, platform-based now entails delivering a simplified architecture and reduced network footprint with fewer security devices to manage and deploy. To meet today's requirements, a next-generation firewall must combine proven firewall functionality, leading intrusion prevention capabilities, and advanced malware protection and remediation in a single device. These firewalls must be highly-scalable and enabled by open APIs with security across branches, the Internet edge, and data centers (physical and virtual environments) in order to cope with growing demands.

As organizations continue to seek ways to capitalize on the vast opportunities the Internet of Everything (IoE) and the Internet of Things (IoT) bring, the number and type of attack vectors will only continue to expand, creating even greater challenges for companies and those responsible to defend the infrastructure.

In short, organizations will continuously evolve their extended networks and must have defenses in place that can address the dynamic threat landscape. To remain relevant, an NGFW must offer next-generation security capabilities that are visibility-driven, threat-focused and platform-based. Addressing these three imperatives is crucial in enabling organizations to maintain a robust security posture that can adapt to changing needs and provide protection across the attack continuum -- before, during and after an attack.

Scott Harrell is the vice president of product management at Cisco Security Business Group.

Photo Credit: xavier gallego morell/Shutterstock