Next-Gen Walls for Next-Gen Threats

By Matthew O’Brien, CSC Cybersecurity

Gartner first mentioned Next Generation Firewalls (NGFW) in 2009 and since then analysts have made a lot of noise about them, but what are they really and why would you need one?

Firstly, whether you call them next generation firewalls, unified threat managers or security gateways, today’s perimeter defense technologies do far more than their first-generation counterparts.

Instead of simply blocking and forwarding packets based on source and destination, today’s NGFWs inspect packets and perform deeper analysis against their data. Application-aware, they provide far greater granularity and control over the information that you pass through a device. They also can use both signature-based controls and heuristics, or behavioral-based analysis, to detect and block threats.

Their advanced capabilities — intrusion prevention, threat management, Web filtering, deep packet inspection, data loss prevention and application control — better address the ever-changing threat landscape. However, just because all of these new services are available, does it mean you need them all? The short and not overly helpful answer is maybe; the longer one I’ll try now to detail.

These new integrated firewall solutions offer a number of advantages, such as centralized management, operational efficiencies, reduced capital costs and an increased ability to control compliance and regulatory requirements. However, they also can introduce limitations. For example, if you use an integrated platform, you cannot adopt a defense-in-depth strategy for protecting your perimeter.

Organizations that adopt an integrated solution should also understand their vendor’s development strategy to ensure that the company keeps pace with changing technologies. Organizations effectively need to understand the strategic and operational limitations of a vendor’s integrated solution.

Think about it this way: If I’m a CISO and I want to consolidate infrastructure and services, and reduce my operational costs and security footprint, I might move to an NGFW and shut down the other solutions that the NGFW can now replace. However, if not performed properly, this can damage my defense-in-depth strategy, because it moves a number of my controls to the perimeter, including controls that may have been protecting me from threats spreading, or moving laterally, within my network. Unless I understand my new firewall’s limitations and how to counteract them, I may expose my organization to more risk.

So what do you do?

Organizations should be wary of shutting down existing services just because the new NGFW can do what the existing technologies do. You need to consider your entire security environment and requirements before making broad changes.

While NGFW platforms simplify management and support, organizations that want to maintain a defense-in-depth strategy or those that have specific technical requirements when looking to implement controls, such as data loss prevention, advanced threat protection and deep-packet inspection, may want to consider using specialized technologies designed for those requirements. Organizations should be cautious of adopting more advanced and technical capabilities since these specialized and adaptive technologies require higher levels of support, resources and maintenance.

On the whole, NGFW solutions offer an effective way to implement an integrated network defense strategy, catering to a wide range of security controls through a single device. But not all NGFW vendors are created equal, so ensure you understand your requirements and the capabilities of the technologies and partners you choose. The must-haves when you’re set on implementing NGFW services include intrusion prevention, application control, Web/URL filtering and threat management.

As Global Offerings manager for CSC’s Managed Security Services, Matthew O’Brien leads strategic global security initiatives, including CSC’s Risk Management Centers and Threat Intelligence, Network Security and Situation Awareness programs. With more than 25 years’ experience in the IT industry, Matthew’s expertise spans IT governance and strategy, risk management, enterprise architecture, technology planning, and solution and policy design.
