IT administrators try to deliver critical corporate solutions efficiently, but also have to deal with employees using wasteful and often dangerous applications. In order to increase network and user productivity, IT needs to prioritise critical application bandwidth and throttle — or completely block — social media and gaming applications.
The stateful packet inspection firewalls used by many organisations, unfortunately, just don’t cut it. They rely on ports and protocols, and are not able to identify cloud and software-as-a-service applications, along with many of the Web 2.0 services that rely on the browser for the delivery of application. They therefore can’t weed out the good from the bad, productive from unproductive. As a result, IT is left with a binary approach to traffic control – block or allow. Should you block ports or entire protocols just to block a few undesirable applications? Or do you open the floodgates and allow access to any application that might be useful, even at the risk of sapping productivity and exposing your organisation to threats? Neither is a satisfactory choice.
Today’s leading companies avoid this dilemma with a next-generation firewall that can deliver comprehensive intelligence, control, identification and visualisation of all the applications on their networks. It is effective because next-generation firewalls can tightly integrate application control with other intrusion prevention and malware protection features.
To manage applications effectively, your next-generation firewall must meet each of the following criteria:
1. Scan all application traffic
First, your next-generation Firewall needs the capability to scan all traffic, including network layer and application layer traffic. It goes beyond simple stateful inspection to conduct deep packet inspection, regardless of port and protocol. Additionally, the firewall’s deep packet inspection engine should be updated dynamically to identify the latest intrusion threats, malware attacks, spyware, and Web sites that could affect the security of your network. Most importantly, the firewall should be able to block those security threats without introducing latency and degrading the network to unusable levels.
2. Fingerprint and show applications coming through the firewall
To allow you to create and adjust application policy controls based upon critical observation, your Next-Generation Firewall must let you monitor and visualise all your network application traffic. To do this effectively, the device needs to fingerprint the specific applications running on your network, and understand for whom the traffic is destined. It needs to present this information in an intuitive graphical form, allowing you to observe real-time application activity, aggregate trend reporting on applications, ingress and egress bandwidth, websites visited, and all other user activity.
3. Create granular application control policy
A next-generation Firewall must let you to create application-related policies easily and flexibly, based on contextual criteria, such as by user, group, application, or time of day. For example, you might grant access to a particular application based upon the business need of the person in the organisation using it. Somebody in your marketing group may have legitimate reasons to access Twitter and Facebook for social media campaigns, while somebody in accounting may not. For effective and easy management, a policy should be centralised, unified, and object-based. Next-generation firewalls with application intelligence and control allow you to create granular, application-based firewall policy, to help regain full control over application traffic by managing bandwidth. It increases productivity, prevents data leakage and protects against application-borne malware.
4. Manage application bandwidth
To help manage application bandwidth, a next-generation firewall must let you prioritise bandwidth allocated to essential and latency-sensitive applications (for example, Salesforce.com, LiveMeeting, or VoIP). At the same time, it needs to let you limit bandwidth allocated to non-essential applications such as YouTube, MySpace or Facebook, for example. The firewall should also help you increase productivity further by controlling access to Web-based application sites, such as ESPN. At the least, it should allow you to limit access to specific feature sets within applications; you could allow access to Facebook, but block access to Farmville and other gaming features.
5. Block application-borne malware
Malware no longer requires user intervention to run. Distribution of malware has evolved from simply sending virus-laden executables and attacking systems on local networks to exploiting documents, files and browser features traditionally considered safe. For example, Adobe PDF files and Flash are now prime targets for exploits due to their ubiquity and the invisibility of attacks embedded inside of them. These threats come into networks through various channels, and can only be prevented by devices that support dynamic security services and that continuously receive malware intelligence from dedicated research labs.
6. Control distributed applications
Once you upgrade to a next-generation firewall at your central gateway, the next logical phase is to apply application control and bandwidth management policy at any distributed branch sites. Because today’s branch networks connect directly to the internet, you need to be equally vigilant in securing application traffic to and from branch sites. Managing bandwidth is also crucial to optimising distributed network performance and remote employee productivity. Application controls enable you to set policy based upon any unique geographic or site-specific needs - for example, a retail branch location requiring prioritised bandwidth for a cloud-based transactional application. The same granular controls also ease administration by enabling you to push standardised policy for object-based roles and groups across distributed sites from a centralised console. Moreover, robust visualisation capabilities are critical to widely distributed network security, as they let you monitor and track usage, traffic and performance trends, and adjust policy accordingly across the globe.
7. Deliver optimal performance
None of this matters if your firewall doesn’t have the horsepower to get the job done. A firewall needs the performance capability to control applications fully, without bogging down your network throughput. Performance technology such as multi-core architecture and non-buffering reassembly-free scanning can dramatically increase the viability of your application intelligence and control solution.
In summary, a firewall needs to keep up with the times. It must fully control the application layer (not only the network layer), and provide the capability to:
- Scan all application traffic
- Fingerprint and show applications coming through the firewall
- Create granular application control policy
- Manage application bandwidth
- Block application-borne malware
- Control distributed applications
- Deliver optimal performance
Application intelligence and control, along with real-time visualisation, should be integral components of your next-generation firewall. They help manage both business and non-business applications, and help increase network and user productivity.
Dean Redman is country manager for SonicWALL in Australia and New Zealand.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.