Next-generation firewalls (NGFWs) identify the applications on your network and distinguish between them, regardless of which port the traffic uses. Rather than simply allowing whatever arrives on the usual Web ports, they apply policy per application, based on your business rules for Internet applications such as YouTube or your CRM, or for desktop applications such as Microsoft Outlook.
How And Why Firewalls Evolved
Next-generation firewalls are a product of a new generation of threats: Web-based malware, targeted attacks, application-layer attacks and others that have made the network landscape more hostile. The packet filtering of Stateful Packet Inspection (SPI) firewalls was once enough to block unwelcome applications, because most applications used the ports and protocols expected of them and could be blocked by port. Preventing user access to unsafe applications was swift and effective.
With these newer threats the landscape has changed. The problem is less the network components than the applications themselves and their weaknesses. Over 80 percent of all new malware and intrusion attacks exploit those application weaknesses.
Protection rules written in terms of IP addresses, protocols and ports no longer get the job done. Applications such as Microsoft 365 are now delivered over the Internet to accommodate new business practices, such as using cloud-based services or enabling team members to work from home, and they share the same Web ports (80 for HTTP, 443 for HTTPS) with everything else on the Internet. An SPI firewall, which sees only addresses, protocols and ports, therefore cannot distinguish business applications from personal ones.
Blocking an application that uses port 80 by closing that port would also block the applications your team needs to do its job. In effect you would be blocking Microsoft 365 along with the personal-use programs, because they all use the same port.
The response has been next-generation firewalls.
These network tools have better awareness of individual applications because of deep packet inspection: they look past the port number into the payload to recognize the protocol and the application carrying it. That lets you and other network administrators write detailed rules to regulate the use of any application on your network.
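To make the port-versus-application distinction concrete, here is an added example (not code from the original article or from any firewall vendor) in Python. It builds a constructed TLS ClientHello for two different services that both arrive on TCP port 443, pulls the Server Name Indication (SNI) out of the handshake the way a simple deep-packet-inspection engine would, and applies a per-application policy. The signature table, the policy, the heartbeat-free sample traffic and the function names are assumptions made for this illustration; a real NGFW uses thousands of signatures and many more signals than the server name.

```python
import struct

# Constructed app-signature table and policy (assumptions for this example; a real NGFW
# ships thousands of signatures and matches far more than the TLS server name).
APP_SIGNATURES = {
    "outlook.office365.com": "Microsoft 365",
    "www.youtube.com": "YouTube",
}
POLICY = {"Microsoft 365": "allow", "YouTube": "block"}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying one cipher suite and an SNI
    extension. Constructed test input only; real clients send much more."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version = TLS 1.2
        + b"\x00" * 32         # random (zeroed in this constructed sample)
        + b"\x00"              # session_id length = 0
        + b"\x00\x02\xc0\x2f"  # cipher_suites: length 2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: length 1, null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if the bytes
    are not a ClientHello or the extension is absent or truncated."""
    if len(record) < 5 or record[0] != 0x16:          # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression_methods
    if len(body) < pos + 2:
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None                                   # truncated; refuse to guess
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0 or len(edata) < 5:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len and p + 3 <= len(edata):
            name_type = edata[p]
            name_len = struct.unpack("!H", edata[p + 1:p + 3])[0]
            if name_type == 0:
                return edata[p + 3:p + 3 + name_len].decode("ascii", "replace")
            p += 3 + name_len
    return None


def port_based_verdict(dst_port: int) -> str:
    """What an SPI rule can express: allow the Web ports, block the rest."""
    return "allow" if dst_port in (80, 443) else "block"


def app_aware_verdict(dst_port: int, payload: bytes):
    """Classify the flow by the application seen in the payload and apply per-app policy.
    Unknown applications are denied by default. Returns (application, verdict)."""
    sni = extract_sni(payload) if dst_port == 443 else None
    app = APP_SIGNATURES.get(sni, "unknown")
    return app, POLICY.get(app, "block")


if __name__ == "__main__":
    for host in ("outlook.office365.com", "www.youtube.com"):
        hello = build_client_hello(host)
        print(host, "| port rule:", port_based_verdict(443), "| app rule:", app_aware_verdict(443, hello))
```

Both flows are indistinguishable to the port rule (both get "allow" on 443); only the payload-aware rule separates Microsoft 365 from YouTube. Two caveats a practitioner should keep in mind: the server name is only one signal, and Encrypted Client Hello hides it, so real application-identification engines combine several signals; and the default-deny for unknown applications is deliberate, because an allow-by-default fallback would quietly reintroduce the port-based behaviour the rule was meant to replace.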
Connecting To Your Network
Next-generation firewall appliances are installed in-line, in the path of the traffic, and that creates a risk of network downtime: if the firewall fails or needs maintenance, the link it sits on goes down with it. A bypass network TAP keeps the link operable while the firewall is unavailable or under maintenance.
As a firewall technology solution brief explains, “Should the inline device lose power or need to be taken offline for scheduled maintenance, the TAP will ‘bypass’ the device and keep traffic flowing through the network. If the TAP should lose power, it will fail-safe without impacting network traffic.”
A next-generation firewall is far better equipped to manage your network efficiently, safeguard it from applications that threaten it, and maintain the productivity of your business.
If the inline security tool goes off-line, the TAP bypasses the tool and automatically keeps the link flowing. The bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the tool is on-line it returns the heartbeat packets to the TAP, and the link traffic continues to flow through the inline security tool.
If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP automatically 'bypasses' the tool and keeps the link traffic flowing. The TAP also strips the heartbeat packets before putting the network traffic back onto the critical link, so they never reach the production network. Bear in mind what bypass mode means: the link is up, but nothing is inspecting it, so a bypass event should be logged and alerted on rather than silently tolerated.
While the TAP is in bypass mode it continues to send heartbeat packets to the inline security tool. Once the tool is back on-line it starts returning them, which tells the TAP that the tool is ready to go back to work. The TAP then directs the network traffic back through the inline security tool, heartbeat packets included, placing the tool back in-line.
Some of you may have noticed a flaw in the logic behind this solution: what if the TAP itself fails, since it too is in-line? Then the link fails with it, and the TAP has become a single point of failure. That is a good catch, but as I explained in our blog on Bypass vs. Failsafe, if a TAP fails or loses power it must provide failsafe protection to the link it is attached to. So our network TAP goes into failsafe mode and keeps the link flowing.
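The heartbeat logic described above, together with the failsafe behaviour when the TAP itself loses power, as an added simulation in Python. This is illustrative code written for this article, not the firmware of any TAP product: the heartbeat frame, the miss threshold, the sample link traffic and the class and method names are all assumptions. It walks one TAP through a tool outage, the tool's recovery and a TAP power loss, and records which frames reach the critical link in each heartbeat interval.

```python
from dataclasses import dataclass, field

# Constructed heartbeat marker frame (assumption: a real bypass TAP uses its own
# vendor-specific heartbeat frame, not this literal).
HEARTBEAT = b"HB:bypass-tap"


@dataclass
class InlineTool:
    """Stand-in for the in-line NGFW. When on-line it drops frames its policy blocks and
    returns everything else, heartbeats included; when off-line it returns nothing."""
    online: bool = True

    def process(self, frames):
        if not self.online:
            return []
        return [f for f in frames if f == HEARTBEAT or not f.startswith(b"BLOCK")]


@dataclass
class BypassTap:
    """Heartbeat-driven bypass TAP: inline -> bypass after `miss_threshold` unreturned
    heartbeats, back to inline once a heartbeat is returned, and failsafe (relay closed,
    traffic passed through untouched) when the TAP itself loses power."""
    miss_threshold: int = 3
    powered: bool = True
    bypassed: bool = False
    misses: int = 0
    events: list = field(default_factory=list)

    def interval(self, tool: InlineTool, link_frames):
        """Run one heartbeat interval; return the frames put back onto the critical link."""
        if not self.powered:
            self.events.append("failsafe")           # TAP dead: link stays up, unfiltered
            return list(link_frames)
        was_bypassed = self.bypassed
        # In bypass only the heartbeat is sent to the tool; inline, traffic rides along with it.
        probe = [HEARTBEAT] if was_bypassed else list(link_frames) + [HEARTBEAT]
        returned = tool.process(probe)
        if HEARTBEAT in returned:
            self.misses = 0
            if was_bypassed:
                self.bypassed = False
                self.events.append("inline")         # tool answered again: reinsert next interval
        else:
            self.misses += 1
            if not was_bypassed and self.misses >= self.miss_threshold:
                self.bypassed = True
                self.events.append("bypass")         # alert-worthy: the link is now unfiltered
        if was_bypassed or self.bypassed:
            return list(link_frames)                 # around the tool, no inspection
        return [f for f in returned if f != HEARTBEAT]   # strip heartbeats before the link


def simulate():
    """Walk the TAP through a tool outage, tool recovery and TAP power loss.
    Returns (frames delivered per interval, TAP event log)."""
    tap = BypassTap(miss_threshold=2)
    tool = InlineTool()
    traffic = [b"GET /index.html", b"BLOCK exploit-attempt"]   # constructed link traffic
    delivered = []
    delivered.append(tap.interval(tool, traffic))   # inline: blocked frame dropped
    tool.online = False
    delivered.append(tap.interval(tool, traffic))   # miss 1: still inline, traffic lost this interval
    delivered.append(tap.interval(tool, traffic))   # miss 2: bypass, traffic passes unfiltered
    tool.online = True
    delivered.append(tap.interval(tool, traffic))   # heartbeat returns: flagged inline, this interval still bypassed
    delivered.append(tap.interval(tool, traffic))   # back inline: filtering resumes
    tap.powered = False
    delivered.append(tap.interval(tool, traffic))   # TAP failsafe: link up, unfiltered
    return delivered, tap.events


if __name__ == "__main__":
    delivered, events = simulate()
    for i, frames in enumerate(delivered):
        print(f"interval {i}: {frames}")
    print("events:", events)
```

Two details of the simulation are worth noticing. Between the tool going silent and the miss threshold being reached, frames sent into the dead tool are lost, which is why the threshold (and the heartbeat interval behind it) is a trade-off between reaction time and false bypasses on a merely busy tool. And in both the bypass and the failsafe intervals the BLOCK frame reaches the link: availability is preserved, inspection is not, so those events belong in your monitoring, not just in the TAP's status LED.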
Single point of failure: a component of an IT network whose failure brings down a larger part of the entire system.
Heartbeat packet: a soft detection technique that monitors the health of an inline appliance by sending packets through it and checking that they are returned.
Critical link: the connection between two or more network devices or appliances that, if it fails, disrupts the network.