Credit Unions and Next-Generation Firewalls

You’ve probably seen this term, but what exactly is a “next generation” firewall? According to the commonly accepted wisdom such devices include an intrusion prevention system (IPS) and a firewall on the same device, closely integrated and working together. They also have to have the ability to correlate firewall rules to user names rather than IP addresses; and finally they need to be able to recognize protocols based on traffic and not on pre-assigned ports, to be able to block such protocols even if the port used is not the one you would expect–for example, being able to block HTTP even if not being sent on port 80. For credit unions, a traditional IPS would normally be placed as an isolated device in front or behind a firewall–or sometimes you would place two, one in front and one behind. In this configuration the IPS must assume that there is no other protection, and try to do it all on its own. This has a few drawbacks: 1) You need to keep all available signatures and block traffic that a firewall could block because you can’t assume the firewall’s capabilities or that there even is a firewall. Blocking traffic coming from knowingly infected networks is very inefficient with an IPS. 2) Since there is no connection to the firewall, once the IPS drops a packet, it will need to scan the next packet of the same connection because that connection cannot be dropped.  And what if the next one does not look “suspicious” and the IPS does not drop it? If the firewall and IPS are closely integrated, things work in differently. The first line of defense for the credit union becomes the firewall. Only traffic on open ports passes through. If a port is closed, traffic is dropped and there is no need to scan it. This alone reduces the need for the IPS to scan traffic as much as 90% in most cases.   Because the two parts are working together, when the IPS drops a packet, it can communicate to the firewall to instruct it to tear down that connection. The IPS does not need to scan it, and there’s no chance that something could be missed and your network could become compromised. And is application filtering necessary for you? To be able to recognize a protocol to know that a certain application is trying to use an alternate port and trying to bypass the firewall, it’s often necessary to allow a few packets through to properly recognize the protocol and not incur false positives. This alone can be a source of problems. The real issue here is that too many credit union firewalls are configured considering the LAN a trusted network. A well-configured firewall will be configured with ports open only with specified sources and destinations, whereas some older ones don’t have a way to lock up outbound traffic.  Traffic that does not fit the configuration is simply blocked, and recognizing a protocol on a port it is not supposed to be using becomes a moot point. This is very good practice to stop Trojans from “calling home” on ports that should not be open. Is establishing firewall rules based on user name rather than IP address worth the cost? If this is applied only to Web access, this is nothing more than Web filtering. If we want to apply this feature to any protocol, it’s whether it is worth the expense. The devices available to credit unions in the market today offer no AV filtering, no anti spam, no special routing features, nothing else but what was outlined above. So when you are done installing one of these devices, you still have not solved your most pressing problems regarding security; you may be able to block your users except ‘Joe’ from going to that certain application, but you do not have AV protection to stop all the malware that will be attacking your network. So when you compare these to a unified threat management (UTM) device, the UTMs offer a lot more integrated features and solve more problems for credit unions than a next generation firewall does. As the UTM devices evolve to integrate the IPS and the firewall, they will certainly become even more competitive against the next-generation devices and these new devices will need to either offer all the features or disappear.