By Daniel Schrader
Director of Product Marketing, Application Delivery and Cloud
A Next-Generation Firewall (NGFW) is the cornerstone for securing your cloud workloads and data. A true NGFW needs to provide the security tools required to ensure legitimate traffic is appropriately routed while illegitimate traffic is blocked. And it also needs to be able to scan traffic for attacks, identify malware, block phishing efforts, and prevent data loss. Whether an organization’s compute is on-premises, in a cloud, or across multiple clouds, a next-generation firewall is essential for building your cyber-defense strategy. And for those organizations running a hybrid network, choosing an NGFW solution that provides consistent protection across the distributed network is especially critical.
Of course, no matter how powerful it may be, a firewall is just one component in building a secure infrastructure. But at a minimum, that infrastructure needs to be able to provide broad visibility and control. That is why organizations looking to stay ahead of cybercrime should not focus on buying more point products and services but rather on assembling a platform approach that can support consistent and well-defined security policies across clouds and data centers. A proper platform approach, like the Fortinet Security Fabric, should support all the security tools necessary to implement system-wide policies, like a Zero Trust Network Access, along with centralized management, monitoring, and analytics of security policies and events.
Microsoft has recently acknowledged the need for a next-generation firewall by introducing their latest security offering, the Azure Firewall Premium. However, customers looking to secure their applications and data in the Azure Cloud should think deeply before using Microsoft’s latest offering.
The Cloud Doesn’t Exist in a Vacuum—Neither Should Your Firewall
Gartner famously predicted that by 2023, 99% of security failures would be due to human error. While that figure may seem high, the point is well taken. Whether human error accounts for 99%, 75%, or 50% of security failures, security is hard, often complex, and mistakes are easily made. That’s why most security professionals oppose the proliferation of one-off security tools in favor of deploying an integrated and interactive security framework that can provide unified security management and consistent visibility across clouds and data centers.
Organizations should consider the bigger picture of needing security tools designed to work across platforms and clouds to secure compute on all platforms —whether on-premises or in the cloud. This is where Fortinet’s industry-leading NGFWs – as part of the Security Fabric – stand out against other industry firewalls that are yet another point product doesn’t offer end-to-end security, such as the recently released Azure Firewall Premium.
Who Do You Trust with Your Most Valuable Assets within a Cloud?
Your business runs on data and applications. Even a basic security breach can cost millions. So, when it comes to security, reputation and experience should play a significant role in your selection process of the tools protecting your most valuable assets. Third-party testing, analyst reports, customer reviews, and leadership quadrants help organizations separate actual functionality from marketing hype. And seasoned developers with years of experience under their belts help ensure that a solution is sufficiently mature. Adding to that, most leading NGFW vendors also augment their solution with things like threat intelligence feeds and partnerships with third-party developers. They participate in development and threat-sharing forums and work closely with law enforcement and threat researchers. The outstanding ones provide a portfolio of solutions enhanced with things like AI and machine learning, advanced services like access control and traffic shaping functions, and designed to interoperate regardless of where or in what form factor they are deployed.
This raises the serious question of whether any organization should trust their critical data to the fledgling release of a point security product that most independent labs and analysts haven’t reviewed. The Azure Firewall Premium wasn’t included in Gartner’s “Critical Capabilities for Network Firewalls,” and its placement in Gartner’s latest Magic Quadrant for Network Firewalls was hardly stellar. Beyond that, there is little to go on. So, if your data and workloads are indeed mission-critical, it may be wise to rely on better established products—ones proved to be effective through years of field-testing on the front lines of today’s cyber battlefields.
What Makes NGFW Enterprise Class?
An NGFW is only as good as its ability to provide the broad set of tools organizations need to protect their businesses. And in today’s rapidly evolving threat landscape, that means advanced technologies designed to keep your business a step ahead of cybercriminals. Here are just a few that have become mission-critical for many organizations that Fortinet provides:
TLS inspection: TLS inspection allows you to decrypt TLS traffic so that it can be inspected for hostile actions, malware, or sensitive data. To support evolving business innovations, inspection should support both TLS 1.2 and 1.3. And inspection should also happen bi-directionally. While inspecting outbound encrypted traffic is essential, inspecting inbound is just as critical. For example, inspecting inbound SSL/TLS traffic can detect malicious content from a client to a targeted network server—a common step in many cyberattacks. Azure Firewall Premium, for example, does not support TLS 1.3 or inspect inbound traffic.
Intrusion Prevention Service (IPS): IPS is essential in detecting attacks and malware used by cybercriminals to steal data, disrupt operations, infect systems, and deliver malicious payloads. The first IPS systems did this by matching attack patterns against a list of known signatures. But sophisticated attackers learned that they could modify attacks to achieve their objectives without triggering an IPS signature. So, IPS vendors developed the ability to monitor behaviors and added essential application awareness and application control services to detect new malicious activities. Other industry firewalls, like Azure Firewall Premium, only offer signature-based IPS capabilities, which means it will not detect and block more sophisticated attacks.
Sandboxing: A true, enterprise-class NGFW solution needs a fully integrated sandbox solution to provide real-time analysis of unknown or untrusted programs and traffic and prevent zero-day breaches. But while sandboxing has been an essential component of any NGFW solution for years, many firewalls, like Azure Firewall Premium, do not offer integrated sandboxing.
Secure SD-WAN: Many organizations rely on SD-WAN so remote users can access critical data and applications in the cloud. But that is just one SD-WAN use case. SD-WAN is also used to establish dynamic intra-cloud, cloud-to-cloud, and cloud-to-data center connections. However, adding security to these connections as an overlay is often expensive and time-consuming. The most effective SD-WAN solutions address this challenge by including a fully integrated suite of advanced security solutions so that protection can adapt to the dynamic nature of most SD-WAN use cases. Secure SD-WAN running on an NGFW platform is an ideal solution. However, other vendors such as Azure Firewall Premium does not offer a Secure SD-WAN option, even though SD-WAN is commonly used to access and connect services located on vendor platforms.
Bot Protection: Anti-botnet services prevent botnets and other threats from communicating with command-and-control servers. They also identify specific strings, sensitive data (project code names, for example), or data matching patterns (credit card numbers, licenses, passports) that may indicate the exfiltration of sensitive data.
Data Loss Prevention (DLP): The ability to identify sensitive information in transit and then block its extraction is essential for meeting certain internal security and regulatory compliance requirements for many organizations. Most native cloud firewalls, including Azure Firewall Premium, lack DLP functionality.
Today’s NGFW – Good Enough is Never Good Enough
This is by no means a comprehensive list of the critical NGFW features and functions of today’s NGFW solutions need to provide. But it is sufficient to demonstrate the challenges inherent in adopting immature, unproven, and isolated point solutions to protect your critical digital assets. Any solution missing the essential features and functions needed to provide comprehensive security is also likely to miss the threats directed at your workloads and data. And that is never good enough.