Monday, 01 August 2011 03:09
Traditionally, firewalls have been stupid, mindless beasts, which is a little disconcerting, given that for years we’ve been relying on them to protect our computers. Old-school firewalls are simple port-watchers: they leave open the ports used for typical Web traffic (port 80 for HTTP, for example) and simply rely on applications to play fair and use the ports they were intended to use.
But there are problems with that approach. First, there’s nothing that says malicious traffic cannot use supposedly safe ports. Second, most firewalls allow all traffic that originates from the supposedly safe, trusted internal network, but outbound traffic need not be benign: malware that is already inside calls home over the same open ports. Then the explosive growth of social networking sites (and the platform-based apps that can reside on them) has meant that there are legitimate business uses for such tools, and businesses have therefore had to allow (potentially malicious) traffic to and from those sites. To top it all off, ubiquitous (and potentially insecure) mobile devices can now access corporate networks from anywhere.
The result? The firewall you installed can be a sieve, no longer capable of protecting your computer.
Next-Generation Firewalls (NGFW) are a different animal. They are, by definition, capable of examining traffic at the application level, distinguishing one type of traffic from another, and taking action based not on the port in use but on the behavior of the individual application using it. Rather than assuming that traffic on a given port is friendly, an NGFW identifies the application moving through it and enforces policy on that application’s identity and behavior, according to the rules set up to allow or disallow it.
In other words, while an NGFW may indeed offer the standard firewall features, its salient feature is a more granular level of control that we characterize as “application awareness”: NGFWs identify, categorize, and control application traffic based on policies set by network administrators.
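To make the contrast concrete, here is an added example (not code from the article or from any firewall vendor) that puts a port-only rule set next to a toy application-aware one. The classifier looks at the first client bytes of a flow and decides whether they are an SSH banner, a TLS ClientHello, an HTTP request, or something unknown, then applies policy to that identity (and, for HTTP, to the site category and request method) without consulting the port. The host names, the category table, the port numbers and every payload are constructed for illustration; real NGFW application identification uses far richer decoders and, for TLS, either SNI or decryption to see which site is being reached.

```python
"""Added example: port-based filtering versus application-aware filtering.

Toy classifier that identifies the application from the first client bytes of
a flow (a very simplified stand-in for an NGFW's application identification)
and applies policy to the identified application rather than to the port.
All hosts, ports, categories and payloads below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes          # first client-to-server bytes of the connection


@dataclass(frozen=True)
class AppInfo:
    app: str                        # "http", "tls", "ssh" or "unknown"
    method: Optional[bytes] = None  # HTTP method, when app == "http"
    host: Optional[str] = None      # HTTP Host header, when present


HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}


def identify_app(payload: bytes) -> AppInfo:
    """Classify the flow from payload content only; the port is never consulted."""
    if payload.startswith(b"SSH-"):
        return AppInfo("ssh")
    # TLS handshake record: content type 22, version 3.x, handshake type 1 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return AppInfo("tls")
    lines = payload.split(b"\r\n")
    request = lines[0].split(b" ")
    if len(request) == 3 and request[0] in HTTP_METHODS and request[2].startswith(b"HTTP/1."):
        host = None
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
                break
        return AppInfo("http", method=request[0], host=host)
    return AppInfo("unknown")


# Old-school firewall: the only question asked is "which port?"
PORT_POLICY = {80: "allow", 443: "allow"}


def port_based_decision(flow: Flow) -> str:
    return PORT_POLICY.get(flow.dst_port, "deny")


# Constructed URL-category table standing in for a vendor's categorization feed.
HOST_CATEGORY = {
    "intranet.example": "business",
    "social.example": "social-networking",
}


def app_aware_decision(flow: Flow) -> str:
    """Decide on application identity and behaviour, not on the port."""
    info = identify_app(flow.payload)
    if info.app == "tls":
        return "allow"
    if info.app == "http":
        category = HOST_CATEGORY.get(info.host or "", "uncategorized")
        if category == "business":
            return "allow"
        if category == "social-networking":
            # Browsing is a legitimate business use; uploads (POST/PUT) are not.
            return "allow" if info.method in (b"GET", b"HEAD") else "deny"
        return "deny"
    # SSH, unknown binary protocols, anything else: no rule matches, so deny.
    return "deny"


SAMPLE_FLOWS = {  # constructed flows: name -> (destination port, first client bytes)
    "http_intranet_80": Flow(80, b"GET /reports HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "http_intranet_8080": Flow(8080, b"GET /app HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "ssh_over_443": Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "tls_443": Flow(443, bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01, 0x00, 0x00, 0xF0, 0x03, 0x03])),
    "binary_on_80": Flow(80, b"\x00\x00\x00\x1c\x8f\x01\x02"),
    "social_post_80": Flow(80, b"POST /upload HTTP/1.1\r\nHost: social.example\r\n\r\n"),
    "social_get_80": Flow(80, b"GET /feed HTTP/1.1\r\nHost: social.example\r\n\r\n"),
}


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {name: (port-based decision, application-aware decision)}."""
    return {name: (port_based_decision(f), app_aware_decision(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:20s} port-based={old:6s} app-aware={new}")
```

Running it shows the two failure modes of the port-only rule set side by side: SSH, an unknown binary protocol and an upload to a social site all sail through on ports 443 and 80, while a legitimate intranet application on port 8080 is blocked. The application-aware policy gets all of those right from the same bytes. Note that the TLS flow is only recognised as TLS, not as a particular site; a real NGFW would need SNI inspection or decryption to categorize it.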
Because of this awareness, an NGFW can do much more than control traffic by port: once it is inspecting application content, it can also apply intrusion detection and prevention, anti-malware, antispam, and similar controls to that content.
Rod Scher
PC Today