Palo Alto Networks announced this week the PA-200, a $2,000 next-generation firewall with 100 Mbps throughput. SonicWall announced last week two branch office-grade next-generation firewalls, the NSA 220 and NSA 250M, with starting prices of $1,095 and $1,495 respectively. The application intelligence and control features that define next-generation firewalls are optional on the SonicWall devices and are activated with additional license fees that were not detailed with the release. When used in next-generation firewall mode, the SonicWall devices operate at approximately 110 Mbps.
Legacy, stateful firewalls inspect ports and protocols in order to determine whether, for instance, traffic accessing TCP Port 80 is indeed legitimate HTTP traffic. A next-generation firewall typically goes beyond the ports and protocols security approach, applying deep packet inspection to identify the application that is using HTTP to request a connection to Port 80. This capability is especially important today when an increasing number of enterprise applications are Web-based and consumer Web applications become legitimate for business use.
Today enterprises are deploying large and relatively expensive next-generation firewalls in central locations, according to Zeus Kerravala, principal analyst with ZK Research. To get application-aware security in their branches, enterprises either backhaul branch network traffic to a central firewall for inspection or deploy less powerful security devices like unified threat management (UTM) appliances in the branch.
By deploying next-generation firewalls directly in the branch, enterprises can decentralize wide area network (WAN) security and save on the bandwidth consumed by backhauling traffic.
“If you’re going to run all your Internet traffic through your core you don’t need it, but if you want to move to a model with a split tunnel and you want your users in the branch to have direct Internet access, then you need that same [application-aware firewall] functionality in the branch as you do in the core. You want a low price and as high a throughput as possible [with branch office next-generation firewalls],” Kerravala said. “Obviously your branch technology can’t be too expensive so that it outweighs the cost of backhauling Internet traffic.”
SonicWall customer Connex Credit Union backhauls traffic from its bank branches to a central SonicWall NSA 3500 UTM firewall in its network core, according to Michael Giorgio, director of information technology.
“I would love to decentralize from a resiliency standpoint, and it lightens the load on my network,” Giorgio said. By eliminating the need to backhaul traffic to the hub of his WAN, a next-generation firewall at each branch might allow him to downgrade the WAN links at his branches, Giorgio said.
Next-generation firewall capabilities at the branch: Nice to have or required?
It remains to be seen how much demand there is for the application intelligence of next-generation firewalls at branch offices in a highly distributed enterprise, said Andrew Braunberg, research director with Current Analysis.
Having a stateful firewall at a branch is a “no brainer,” he said, but small branches might not need the granular application control of a next-generation firewall.
“If you’re going to put this functionality out in every box, where is it going to be turned on and to what degree? You know you’ll take a performance hit when you turn on that additional deep packet inspection. I think this functionality will make it out to the branch, but I’m curious to see the use cases and how these things are used in practice,” Braunberg said.
He believes that many enterprises will deploy the SonicWall devices as stateful firewalls that can be upgraded to next-generation firewalls in the future if proven necessary.
Palo Alto’s PA-200 runs natively in next-generation firewall mode, noted Chris King, Palo Alto’s director of product marketing. The PA-200 decides to allow or deny traffic based on its recognition of applications. He noted that other vendors, including SonicWall, make decisions based on port. Then they apply a separate deep packet inspection engine to the traffic to identify applications and make a separate policy decision. Whether one approach is superior to the other is open to debate.
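The two passages above (the port-versus-application distinction, and the order in which a port decision and a deep packet inspection pass are applied) are easier to see with a toy policy engine. The following is an added example, not code from the article or from either vendor: it classifies a handful of constructed client flows three ways, a purely stateful port policy, an application-first policy of the kind the PA-200 is described as using, and a port-first-then-DPI policy of the kind attributed to SonicWall. The application signatures, hostnames and policy tables are all assumptions made for illustration.

```python
# Added example (not from the article or either vendor): contrasting a
# port-based stateful policy with application-aware policies. Every flow,
# hostname and policy entry below is constructed for illustration.
from dataclasses import dataclass

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sent on the connection


def identify_app(payload: bytes) -> str:
    """Very small stand-in for an application-identification engine.

    Looks at the start of the client payload rather than the port, so SSH or
    TLS on TCP/80 is recognised for what it is, and HTTP is further split by
    Host header into plain browsing versus a (constructed) social-media site.
    """
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"\x16\x03"):  # TLS record: handshake, version 3.x
        return "tls"
    if payload.startswith(HTTP_METHODS):
        host = ""
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace").lower()
                break
        if host.endswith("example-social.test"):  # constructed hostname
            return "web-social"
        return "web-browsing"
    return "unknown"


# Stateful policy: destination port is the only thing consulted.
PORT_POLICY = {80: "allow", 443: "allow"}

# Application policy: the identified application is what is consulted.
APP_POLICY = {
    "web-browsing": "allow",
    "tls": "allow",
    "web-social": "deny",
    "ssh": "deny",
    "unknown": "deny",
}


def stateful_decision(flow: Flow) -> str:
    """Legacy behaviour: TCP/80 is assumed to be HTTP and allowed as such."""
    return PORT_POLICY.get(flow.dst_port, "deny")


def app_first_decision(flow: Flow) -> str:
    """Application-first: the port plays no part in the allow/deny decision."""
    return APP_POLICY[identify_app(flow.payload)]


def port_then_dpi_decision(flow: Flow) -> str:
    """Port decision first, then a separate DPI pass on what the port allowed."""
    if stateful_decision(flow) == "deny":
        return "deny"
    return APP_POLICY[identify_app(flow.payload)]


def evaluate(flow: Flow) -> dict:
    """Return the application and all three verdicts for one flow."""
    return {
        "app": identify_app(flow.payload),
        "stateful": stateful_decision(flow),
        "app_first": app_first_decision(flow),
        "port_then_dpi": port_then_dpi_decision(flow),
    }


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow(80, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Flow(80, b"SSH-2.0-OpenSSH_8.9\r\n"),  # SSH tunnelled over the web port
    Flow(80, b"GET /feed HTTP/1.1\r\nHost: www.example-social.test\r\n\r\n"),
    Flow(8080, b"GET / HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"),
    Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS ClientHello
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.dst_port, evaluate(f))
```

The second and third flows are the point of the article's L2 passage: a stateful policy waves both through because they arrive on TCP/80, while either application-aware policy denies them. The fourth flow shows the ordering difference described for the two vendors: an application-first engine allows plain web browsing on a non-standard port, whereas a port-first engine has already denied it before the DPI pass runs.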
Let us know what you think about the story; email: Shamus McGillicuddy, News Director.