You've probably seen this term, but what exactly is a “next-generation” firewall? According to the commonly accepted wisdom, such devices include an intrusion prevention system (IPS) and a firewall on the same device, closely integrated and working together. They also have to be able to correlate firewall rules to user names rather than IP addresses; and finally they need to be able to recognize protocols based on the traffic itself and not on pre-assigned ports, so that they can block a protocol even if the port in use is not the one you would expect, for example blocking HTTP even when it is not being sent on port 80.

For credit unions, a traditional IPS would normally be placed as an isolated device in front of or behind a firewall, or sometimes two are deployed, one in front and one behind. In this configuration the IPS must assume that there is no other protection and try to do it all on its own. This has a few drawbacks:

1) You need to keep all available signatures enabled and block traffic that a firewall could block, because you cannot assume the firewall's capabilities, or even that there is a firewall. Blocking traffic coming from known-infected networks is very inefficient with an IPS.

2) Since there is no connection to the firewall, once the IPS drops a packet it still has to scan the next packet of the same connection, because the connection itself cannot be torn down. And what if the next packet does not look “suspicious” and the IPS lets it through?

If the firewall and IPS are closely integrated, things work differently. The first line of defense for the credit union becomes the firewall. Only traffic on open ports passes through; if a port is closed, traffic to it is dropped and there is no need to scan it. This alone reduces the amount of traffic the IPS has to scan by as much as 90% in most cases. Because the two parts work together, when the IPS drops a packet it can instruct the firewall to tear down that connection. The IPS does not need to scan the rest of that connection, and the scenario in which a later, innocuous-looking packet of the same connection slips through and compromises your network does not arise.

And is application filtering necessary for you? To recognize a protocol, and thus to know that a certain application is trying to use an alternate port to bypass the firewall, it is often necessary to let a few packets through before the protocol can be identified without incurring false positives. This alone can be a source of problems. The real issue here is that too many credit union firewalls are configured treating the LAN as a trusted network. A well-configured firewall has ports open only for specified sources and destinations, whereas some older ones offer no way to lock down outbound traffic. Traffic that does not fit the configuration is simply blocked, and recognizing a protocol on a port it is not supposed to be using becomes a moot point. This is very good practice for stopping Trojans from “calling home” on ports that should not be open.

Is establishing firewall rules based on user name rather than IP address worth the cost? If this is applied only to Web access, it is nothing more than Web filtering. If we want to apply this feature to any protocol, the question is whether it is worth the expense. The devices available to credit unions in the market today offer no AV filtering, no anti-spam, no special routing features, nothing beyond what was outlined above. So when you are done installing one of these devices, you still have not solved your most pressing security problems: you may be able to block every user except 'Joe' from going to a certain application, but you do not have AV protection to stop all the malware that will be attacking your network. So when you compare these to a unified threat management (UTM) device, the UTMs offer many more integrated features and solve more problems for credit unions than a next-generation firewall does.

As the UTM devices evolve to integrate the IPS and the firewall, they will certainly become even more competitive against the next-generation devices, and these new devices will need to either offer all the features or disappear.
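The two deployment models discussed above (an isolated IPS that must scan everything and cannot kill a connection, versus an IPS that shares connection state with the firewall) and the default-deny egress policy from the application-filtering section can be modelled in a short simulation. The following is an added example written for this page, not code from the author or from Network Box; the open ports, egress rule table, signature string, addresses and packets are all constructed for illustration, and the connection key is simplified (no source port, no TCP state).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed policy for a hypothetical credit union perimeter.
INBOUND_OPEN_PORTS = {25, 443}                   # only the services that are actually published
OUTBOUND_ALLOWED = {                             # explicit (LAN source, destination, port) triples
    ("10.0.0.10", "203.0.113.5", 443),           # hypothetical core-banking vendor API
}
SIGNATURES = [b"EVIL-SIG"]                       # placeholder IPS signature, not a real one


def conn_key(pkt: Packet):
    """Connection identity as a stateful firewall would track it (simplified)."""
    return (pkt.direction, pkt.src, pkt.dst, pkt.dport)


class Firewall:
    def __init__(self):
        self.torn_down = set()   # connections the IPS asked us to kill

    def allows(self, pkt: Packet) -> bool:
        if conn_key(pkt) in self.torn_down:
            return False                          # rest of a killed connection never gets through
        if pkt.direction == "in":
            return pkt.dport in INBOUND_OPEN_PORTS
        # Outbound: default deny; only explicit source/destination/port triples pass,
        # so a Trojan "calling home" on 443 is blocked without any protocol recognition.
        return (pkt.src, pkt.dst, pkt.dport) in OUTBOUND_ALLOWED

    def teardown(self, key) -> None:
        self.torn_down.add(key)


class IPS:
    def __init__(self, firewall: Optional[Firewall] = None):
        self.firewall = firewall   # None models the isolated appliance with no link to the firewall
        self.scanned = 0

    def inspect(self, pkt: Packet) -> bool:
        self.scanned += 1
        if any(sig in pkt.payload for sig in SIGNATURES):
            if self.firewall is not None:
                self.firewall.teardown(conn_key(pkt))   # integrated: kill the whole connection
            return False                                 # drop this packet either way
        return True


def run(packets, integrated: bool):
    """Return (payloads delivered past the perimeter, number of packets the IPS scanned)."""
    fw = Firewall()
    ips = IPS(fw if integrated else None)
    delivered = []
    for pkt in packets:
        if integrated:
            # Firewall first: closed ports, unapproved egress and killed connections never reach the IPS.
            if fw.allows(pkt) and ips.inspect(pkt):
                delivered.append(pkt.payload)
        else:
            # Isolated IPS in front of the firewall: scans everything, cannot tear a connection down.
            if ips.inspect(pkt) and fw.allows(pkt):
                delivered.append(pkt.payload)
    return delivered, ips.scanned


# Constructed traffic sample.
SAMPLE_TRAFFIC = [
    Packet("in", "198.51.100.7", "192.0.2.10", 23, b"\xff\xfb\x01"),        # probe of a closed port
    Packet("in", "198.51.100.7", "192.0.2.10", 443, b"POST /x EVIL-SIG"),   # signature hit on an open port
    Packet("in", "198.51.100.7", "192.0.2.10", 443, b"GET / HTTP/1.1"),     # same connection, looks innocuous
    Packet("out", "10.0.0.10", "203.0.113.5", 443, b"GET /api/balance"),    # approved vendor traffic
    Packet("out", "10.0.0.77", "198.51.100.9", 443, b"beacon id=77"),       # infected PC calling home on 443
]

if __name__ == "__main__":
    for mode in (False, True):
        delivered, scanned = run(SAMPLE_TRAFFIC, integrated=mode)
        print("integrated" if mode else "isolated", "scanned:", scanned, "delivered:", delivered)
```

With the sample traffic, the isolated IPS scans all five packets and still lets the innocuous-looking third packet of the flagged connection through, while the integrated pair scans only the two packets the firewall admitted and the torn-down connection never reaches the IPS again; the outbound beacon is stopped by the egress table in both modes. The 90% figure in the text is the author's estimate and is not something this toy model reproduces.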


Pierluigi Stella is chief technology officer for managedsecurity services specialist Network Box USA.
