Next Generation Firewalls with Application Performance Monitoring In Mind

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

When choosing a next generation firewall, buyers are fortunate in that these appliances offer an array of functions to choose from. Although the primary goal is a solution that helps the business protect the company’s crown jewels from Internet bots and other types of network threats, other features such as Application Performance Monitoring are a growing concern.

First is Security

With the constant introduction of new types of malware, often capable of modifying its own communication behaviors, the firewall is without a doubt an organization’s premier security layer against most types of threats. What capabilities make up a next generation firewall, and why is it the most important network security layer maintained by just about every company connected to the cloud?

Years ago we only needed passwords and anti-virus software to protect ourselves from malware. The introduction of the Internet brought great freedom and insight, but it also forced us to heighten our awareness. Network threats now come in many forms and with many motivations. Key loggers want the passwords to the sites you visit online (e.g. bank accounts), and Advanced Persistent Threats (APT) want your company’s intellectual property (e.g. customer lists, engineering designs). To provide deeper protection against these insidious threats, many Next-Generation Firewalls (NGF) include features previously found only in Intrusion Prevention Systems (IPS). These next generation firewalls can include features such as:

  • Deep Packet Inspection (DPI): where analysis of connections can even inspect SSL encrypted sessions for the deepest level of protection. DPI can also re-encrypt SSL traffic so that security services can be applied to all traffic.
  • Intrusion Prevention System (IPS): helps prevent a comprehensive array of network and application layer threats by scanning packet payloads for exploits targeting critical internal systems.
  • Content Filtering: blocks multiple categories of objectionable web content.
  • Signature Scanning: watches every packet and scans for bit patterns or flow behaviors that match constantly updated signatures.
  • Application Intelligence: real-time insight into and control of traffic that has been broken down by application, or even by user or content. The prioritization of traffic headed for the Internet is critical to most businesses that rely on important bottom-line cloud services.

Second is Application Performance Monitoring

I have found that the last point above is where next-generation firewalls start to separate themselves from the other players in the market. Features such as WAN acceleration and application prioritization are built-in features of the next generation firewalls that make it onto the short list of possible vendors. What then separates the men from the boys? Answer: the amount of support extended to Application Performance Monitoring (APM). It seems like a natural feature that most of them would add, yet only one next generation firewall vendor actually delivers application performance monitoring metrics, and it exports them in the form of IPFIX.

IPFIX is the proposed standard for NetFlow and the technology that most firewall vendors are migrating to. Although nearly all enterprise class firewalls today support either NetFlow or IPFIX, not all of them export details on layer 7 applications, usernames, URLs, jitter and packet loss. Although some firewalls provide details such as “flow denied”, finding out exactly which ACL or specific policy blocked the flow can be cumbersome. The SonicWALL has clear advantages here.

The ability to perform DPI and recognize layer 7 applications such as Webex or BitTorrent is just the beginning. How do we know whether a cloud service such as VoIP is actually receiving priority if the firewall doesn’t export details such as jitter or packet loss?

[Figure: next generation firewalls APM report]

Above, the SonicWALL Next-Generation Firewall not only provides details on packet loss and latency (i.e. jitter), it even provides caller ID. When a user calls the help desk complaining about voice quality to a remote office, you can bet they won’t know the IP address they were trying to reach, but they will be ready to recite the telephone number they called. A firewall vendor claiming WAN optimization capabilities without Application Traffic Analytics isn’t ready to claim support for Application Performance Monitoring. SonicWALL is a clear leader in this area.
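To make concrete what an APM-capable IPFIX export looks like on the wire (a template describing standard IANA elements plus a vendor-specific one, followed by data records carrying per-flow firewall verdicts and a jitter metric), here is an added example; it is not code from this post, from Plixer or from SonicWALL. The enterprise number 99999 and element id 1 for jitter are placeholders, not any vendor's real assignment, and the two flow records are constructed.

```python
import struct

# IANA IPFIX element ids (RFC 7012 registry); firewallEvent value 3 means "denied".
# (PEN, 1) is a hypothetical enterprise-specific jitter element; PEN and id are placeholders.
PEN = 99999
IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address", 1: "octetDeltaCount",
            2: "packetDeltaCount", 95: "applicationId", 233: "firewallEvent",
            (PEN, 1): "jitterMilliseconds"}
FIELDS = [(8, 4), (12, 4), (1, 8), (2, 8), (95, 4), (233, 1), ((PEN, 1), 4)]
# Constructed flows: src, dst, octets, packets, application id, firewall event, jitter ms
SAMPLE_FLOWS = [((10, 1, 1, 5), (203, 0, 113, 7), 48000, 300, 3001, 1, 4),
                ((10, 1, 1, 9), (198, 51, 100, 2), 1200, 3, 2002, 3, 0)]

def sample_message():
    # Build one IPFIX message: a template set (template id 256) followed by one data set.
    tmpl = struct.pack("!HH", 256, len(FIELDS))
    for ie, flen in FIELDS:  # enterprise elements set bit 15 and append the PEN
        tmpl += (struct.pack("!HHI", 0x8000 | ie[1], flen, ie[0]) if isinstance(ie, tuple)
                 else struct.pack("!HH", ie, flen))
    data = b"".join(bytes(s) + bytes(d) + struct.pack("!QQIBI", o, p, a, e, j)
                    for s, d, o, p, a, e, j in SAMPLE_FLOWS)
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 1, 0) + body  # version 10 header

def parse_ipfix(msg):
    """Decode template and data sets into a list of dict records."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != 10 or length != len(msg): raise ValueError("malformed IPFIX message")
    templates, records, off = {}, [], 16
    while off + 4 <= len(msg):
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == 2:  # template set: (ie, length) pairs, PEN follows enterprise ids
            tid, count = struct.unpack("!HH", body[:4]); fields, p = [], 4
            for _ in range(count):
                ie, flen = struct.unpack("!HH", body[p:p + 4]); p += 4
                if ie & 0x8000:
                    ie = (struct.unpack("!I", body[p:p + 4])[0], ie & 0x7FFF); p += 4
                fields.append((ie, flen))
            templates[tid] = fields
        elif set_id in templates:  # data set encoded with a template seen earlier
            fields = templates[set_id]; rec_len = sum(f for _, f in fields)
            for p in range(0, len(body) - rec_len + 1, rec_len):
                rec, q = {}, p
                for ie, flen in fields:
                    raw, q = body[q:q + flen], q + flen
                    name = IE_NAMES.get(ie, str(ie))
                    rec[name] = ".".join(map(str, raw)) if "Address" in name else int.from_bytes(raw, "big")
                records.append(rec)
    return records
```

A collector built this way can tell a denied flow (firewallEvent 3) from a permitted one and read the jitter value per flow, which is exactly the detail a help desk needs when a VoIP call is reported as poor.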
