The Defense Information Systems Agency sees great value in next-generation firewalls.
DISA initially deployed an NGFW for secure web gateway functionality, and recently tapped the device for antimalware and intrusion prevention. “By expanding the role of the NGFW, DISA has eliminated the need for separate devices for those enterprise capabilities,” says Mark Orndorff, chief information assurance executive and program executive officer for mission assurance and network ops.
By using an NGFW to fulfill multiple enterprise perimeter protection roles, DISA reduces overall operations and maintenance costs, as well as the costs of training operators and computer network defense personnel, Orndorff says.
While the device’s management interface affords the Defense Department greater visibility into the network, DISA has elected to integrate the same information into existing logging and analysis capabilities. Orndorff notes that this enables the agency to cross-correlate and analyze the firewall data with other computer network defense data.
Another benefit is application control. Orndorff says NGFWs are application-aware and support development of custom signatures. The Defense Department plans to use this capability to prioritize applications to ensure that mission-critical interactions with the Internet are maintained during periods of high traffic volume.
Sidebar statistic: Percentage of security professionals who believe that staff access to social media increases the likelihood of an advanced persistent threat or other sophisticated malware attack on the organization. SOURCE: “A Prudent Approach to Next-Generation Firewalls” (Enterprise Strategy Group, January 2013)
John Grady, a research manager for IDC’s security products group, says IT managers such as Orndorff opt for multifunction devices because they offer enhanced capabilities.
“I see this as the gradual evolution of the UTM,” Grady says. “The latest devices offer better integration between technologies, as well as application control and the ability for systems administrators to set very granular policies for users or groups of users.”
The Department of Interior relies on NGFWs at each of its five Trusted Internet Connection gateways to provide visibility into the application layer.
Because of the complexity of the agency’s network and the diverse needs of its nine technical agencies, the Interior Department isn’t quite ready to replace traditional security devices with NGFWs for primary security, says Larry Ruffin, the agency’s chief information security officer.
The devices work well to offer supplemental capability, however. “For example, the BitTorrent protocol would be difficult to identify and control using traditional firewalls and security devices,” Ruffin explains. “However, BitTorrent can easily be identified and controlled using the next-generation firewalls.”
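As an added illustration of the application-layer identification Ruffin describes and of the custom signatures and application prioritization Orndorff mentions (example code written for this article, not code from DISA, the Interior Department or any firewall vendor): the Python below contrasts a port-based classifier, which is all a traditional firewall can do, with a payload-signature classifier of the kind an application-aware device uses, and then applies a small allow/deny/priority policy to the result. The BitTorrent peer handshake prefix, the tracker announce query and the TLS record header are real protocol features; the sample flows, the “mission-portal” custom signature with its host name, and the policy table are constructed assumptions for the example.

```python
import re

# Constructed sample flows (destination port plus the first payload bytes of the
# client's first packet). These are made up for the example, not captured traffic.
SAMPLE_FLOWS = [
    {"id": 1, "dst_port": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},          # TLS ClientHello
    {"id": 2, "dst_port": 6881,
     "payload": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40},   # peer handshake on a usual port
    {"id": 3, "dst_port": 80,
     "payload": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"C" * 40},   # same handshake hiding on port 80
    {"id": 4, "dst_port": 80,
     "payload": b"GET /announce?info_hash=%12%34&peer_id=-XX0001-abc HTTP/1.1\r\n"
                b"Host: tracker.example\r\n"},                             # tracker announce over HTTP
    {"id": 5, "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"}, # ordinary web browsing
    {"id": 6, "dst_port": 80,
     "payload": b"GET /status HTTP/1.1\r\nHost: mission-portal.example\r\n"},  # hypothetical mission app
]


def classify_by_port(flow):
    """What a traditional, port-based firewall can infer: nothing beyond the port."""
    port = flow["dst_port"]
    if 6881 <= port <= 6889:
        return "bittorrent"
    if port == 80:
        return "web-browsing"
    if port == 443:
        return "ssl"
    return "unknown"


# Ordered payload signatures. Order matters: the specific ones (custom app,
# BitTorrent tracker request) must be tried before the generic HTTP signature,
# otherwise everything on HTTP collapses into "web-browsing".
APP_SIGNATURES = [
    # Hypothetical custom signature for a mission-critical web application,
    # keyed on its Host header (assumed name, not from the article).
    ("mission-portal", re.compile(rb"^(?:GET|POST) [^ ]+ HTTP/1\.[01]\r\n"
                                  rb"(?:[^\r\n]+\r\n)*?Host: mission-portal\.example\r\n")),
    # BitTorrent peer wire handshake: length byte 19 followed by the protocol string.
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    # BitTorrent tracker announce: an HTTP GET whose query carries info_hash=.
    ("bittorrent", re.compile(rb"^GET /[^ ]*\?[^ ]*info_hash=")),
    # Generic HTTP request line.
    ("web-browsing", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) [^ ]+ HTTP/1\.[01]\r\n")),
    # TLS record header: content type 0x16 (handshake), version 3.x.
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),
]


def classify_by_payload(flow):
    """What an application-aware device does: match the payload, ignore the port."""
    for app, pattern in APP_SIGNATURES:
        if pattern.search(flow["payload"]):
            return app
    return "unknown"


# Constructed policy: action plus a priority (lower number = served first when
# bandwidth is scarce). Unknown applications are denied by default.
POLICY = {
    "mission-portal": ("allow", 1),
    "ssl": ("allow", 2),
    "web-browsing": ("allow", 3),
    "bittorrent": ("deny", 99),
}


def decide(flow):
    """Classify a flow by payload and look up the policy decision for it."""
    app = classify_by_payload(flow)
    action, priority = POLICY.get(app, ("deny", 99))
    return {"id": flow["id"], "app": app, "action": action, "priority": priority}


def compare_classifiers(flows):
    """Return (id, port_verdict, payload_verdict) for each flow."""
    return [(f["id"], classify_by_port(f), classify_by_payload(f)) for f in flows]


if __name__ == "__main__":
    for fid, by_port, by_payload in compare_classifiers(SAMPLE_FLOWS):
        marker = "  <-- port-based view is wrong" if by_port != by_payload else ""
        print(f"flow {fid}: port={by_port:13s} payload={by_payload:13s}{marker}")
    for flow in SAMPLE_FLOWS:
        print(decide(flow))
```

Flows 3, 4 and 6 are the interesting ones: all three look like plain web browsing on port 80 to a port-based rule, but the payload classifier separates the BitTorrent peer on port 80, the tracker request and the mission application, which is what lets the policy deny the first two and give the third a higher priority.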
Moving forward, Ruffin says replacing the traditional security environment with NGFWs will require a complete change of mindset. “The difficulty is not learning the devices themselves, but to change the way that traditional security professionals think,” he adds.