Next-generation firewalls bring a new level of application control and identification to the enterprise. However, not every remote site within the organization is populated enough to justify its own firewall appliance. These micro-branch locations, staffed with a handful of employees, may not merit the expense of high end hardware appliances and MPLS connections. Fortunately, there are a number of options for both connecting remote users and keeping them within corporate policy.
Application control and next-generation firewalls are arguably more critical at micro-branch locations than at central offices connected via high-bandwidth WAN links. Small remote sites are more likely to use low-cost, lower-bandwidth connectivity such as basic DSL, so application control can ensure that bandwidth is reserved for business-critical applications and processes. While a rich media application accessed over Facebook would barely affect network utilization at a corporate headquarters, it would have a relatively larger effect on the slow links at a micro-site. Policy enforcement at a micro-branch is nonetheless difficult to achieve, since next-generation firewalls and other application control products tend to be expensive. Still, WAN managers have several options for applying application control when designing a remote access solution for micro branches.
Scaling application visibility down to size
Micro-branch support in the product lines of next-generation firewalls varies by vendor. Fortinet, for example, offers application control functionality all the way down to the smallest of its sub-$500 FortiGate appliances, which are designed for home office or very small branch deployments. Application-aware firewalls at the branch site offer the best of both worlds: simplified connections to headquarters as well as the ability to process user requests for external access directly at the source, with consistent, centrally defined usage policy enforcement. Using its own application identification engine, a branch firewall can quickly block or approve a user request and let approved traffic exit directly over the local Internet link.
Application control, one user at a time
If small branch firewalls are still too pricey for an enterprise's budget, engineers can treat micro-branch users as remote users and provide each of them with an individual mobile VPN client. A VPN connection can route all of a user's network traffic back to the corporate data center, where a central next-generation firewall can inspect all outbound traffic.
This centralized approach introduces increased latency and network traffic for each micro-branch user. Fortunately, newer VPN solutions, such as Palo Alto's GlobalProtect and Cisco's AnyConnect products, attempt to minimize the impact of these extra hops by redirecting traffic through the gateway nearest to the user. Relying on a per-user VPN for application control would, however, isolate micro-branch users from on-site network resources, such as a network-capable printer. The remote user approach also does not account for other network devices deployed at the micro-branch, like IP phones. Network administrators would have to engineer a unique path back to the enterprise network for every device in the micro-branch.
Small and comparatively inexpensive routers designed for home-based workers could serve as an alternative to individual VPN clients for users at a micro-branch office. These devices establish a single VPN connection back to the corporate office and enable a small number of devices to connect through it. Cisco Systems' Integrated Services Router (ISR), Astaro's RED (Remote Ethernet Device) and Aruba Networks' Remote Access Point (RAP) products can create a secure tunnel over an Internet link back to their larger counterpart at headquarters. These small devices support multiple endpoints on a shared local network, so networked printers can be shared and IP phones have always-on access to the corporate network. However, these small routers lack application policy and control features, so engineers will have to route any and all outbound network traffic through corporate links, rather than through the broadband connection at the local site, introducing more latency for users.
Branch application control has a future in the cloud
Cloud-based security services could solve the application control dilemma in micro branches. Vendors and service providers have mature Web and email filtering services that can compare a user's Web request against lists of known sites and categories and block or allow access to the site based on policy. These service providers are adding deeper application awareness to their filtering processes.
"The SaaS content security vendors are starting to do more than just URL filtering. The trend is to bring more context to their filtering," says Paula Musich, senior analyst for Business Technology and Software at Current Analysis. "Vendors like Websense and Check Point Software both bring greater recognition of Web 2.0, interactive Web applications to the fray."
With a cloud-based, application-aware firewall solution, all internal traffic from a remote branch could be sent over a VPN connection, while external traffic would be directed to the cloud firewall. The service would apply its application awareness to each network request and only allow connections that comply with corporate policy. No additional hardware would be necessary at the micro-branch site.
Beyond identifying and applying policies to applications and users, both in on-premises hardware and in the cloud, the next step for firewall vendors will be to unify local and cloud-based security solutions into a single management platform. Websense, for example, currently offers unified management through its hybrid Triton architecture.
This was first published in March 2011