When people travel, they probably don’t want to board a plane unless their fellow passengers have undergone some sort of security screening process. The same can be said for accessing the Internet.
Users can’t surf the wild frontier of the Internet without some sort of safety and security measures.
Organizations need the equivalent of the Transportation Security Administration analyzing, reviewing and controlling access to their network: next-generation firewalls. A good next-generation firewall acts in much the same way as an airport security screener, using eight must-have features:
- Basic Filtering: A TSA agent often directs people entering airport screening into different lines. Without a boarding pass, travelers are prevented from proceeding. Similarly, a firewall performs basic filtering by protocol, IP address and port, directing traffic to one area or another based on set rules.
- Deep Inspection: Once flyers start down the screening path, their person and baggage are subject to a deeper inspection through pat-downs, X-rays or other sensors. In much the same way, next-generation firewalls inspect the data passing through them. Deep packet inspection and stateful packet inspection are musts, because each set of data should be thoroughly examined for errors, anomalies and malicious intent.
- Centralized Management: All inspections within an airport are managed either by the airport or by a centralized agency. Likewise, a robust and solid next-generation firewall will have a repository for data and logs. This single point of management will have a view across systems and enable security teams to quickly react and respond to threats. Centralized management allows for efficiency as well as automation.
- Hardware and Software: Travelers are part of a massive security database. Depending on their point of origin or other linked activity, a passport may be flagged. When the traveler reaches a checkpoint, connected software alerts screening agents. And if full-body scanners detect anomalies such as the presence of weapons, alarms will sound. In much the same way, a robust next-generation firewall should employ both hardware and software. Software-based firewalls, which are typically less expensive, can link packets to the software sending and receiving them and can potentially provide better analysis of malicious activity. Pair that with a dedicated hardware firewall appliance that can examine all of the traffic passing through it.
- Policies, Rules and Governance: Just as the TSA belongs to a larger governing body, the Department of Homeland Security, which sets policies and implements new rules, a next-generation firewall will have rules, configuration and security policies that can be deployed across an organization and its remote locations. Once security policies are defined, they can be implemented through the centralized management infrastructure.
- Enterprise Virtual Private Network: VPNs enable users to securely and privately connect to the network infrastructure. Think of this as the VIP Lounge at the airport: Once a user is authenticated, private services and facilities become available.
- High Availability: Security at the airport never sleeps. In much the same way, enterprise firewalls should be active at all times and provide automated failover. When performing maintenance, an active-active setup will ensure uninterrupted service and continuity.
- Plug and Play: Once trained, TSA agents can scale and adapt to other environments. A cloud-based firewall solution should be able to scale and accommodate remote deployments.
When evaluating next-generation firewalls, look for multiple levels of protection and security. Identify solutions that have hardware and software components, are scalable and easily deployable to multiple locations, and have a high level of configurability and support.
These solutions can protect the computing environment and reduce the risks of attack or compromise.