Conversations around NG Firewalls usually focus on application awareness and control. Let's take some time to talk about what application control is and why it should be deployed at the perimeter of your network.
In simple terms, application control identifies which application is behind each flow (Facebook, a video conferencing service, a VoIP call, a file-sync client) rather than just which port and protocol it uses, and lets you write policy on that identity. These features allow IT administrators to prioritize and manage application bandwidth. By deploying application control at the perimeter of your network, you can control exactly how users on your network are allowed to use these cloud-based Web 2.0 applications.
For an example of how this can be helpful, let's consider the following scenario for Company ABC:
- The marketing team uses a Facebook page to promote Company ABC brand
- The executive team uses video conferencing
- The office is equipped with VoIP phone system
- Media streaming is prohibited
- Remote access is allowed through a secure VPN only
- There is a mission critical app in the cloud that must be available at all times
This scenario could be a disaster if left unmanaged. Note that nearly all of this traffic looks the same to a port-based firewall: Facebook, the video conferencing service, the media streams and the mission critical cloud app are all HTTPS on TCP port 443. Application control allows the IT administrator to configure access policies according to the needs of the network. For example, Facebook pages may be allowed, but chat and games may be prohibited. Video conferencing might be allowed only for the executive group. VoIP and mission critical traffic might be prioritized while streaming media is blocked. This type of granular policy configuration is only available with application-aware firewalls.
Application control is a relatively new technology and it's one of the primary differences between a firewall and a next-generation firewall. Older firewalls use a technology called stateful packet inspection: they track the state of each connection and make their allow/deny decisions on source and destination address, port, protocol and that connection state. This is enough to tell an established, expected reply from an unsolicited packet, but two different applications that both use TCP port 443 are indistinguishable to it. Stateful firewalls are not application aware.
If you are interested in a next-generation firewall, there are certain qualities you should look for.
- Next-Generation features: Although some older UTM technology may have application control features, these devices are processor hogs. Next-generation devices use a single-pass architecture, which means each packet is inspected once and the results are shared by the firewall, IPS, application control and URL filtering engines. Older UTM devices with application control features inspect the same traffic several times, once per configured service, and these repeated inspections cause performance issues with the hardware. You'll have better application control inspection performance with newer next-generation hardware.
- Large application database: Application control relies on a database of known applications. The firewall compares all traffic to the contents of the database, and cannot act on applications it doesn't know beyond classifying them as unknown. Make sure your policy has an explicit rule for unclassified traffic, so a new or rarely used application does not slip through simply because it has no signature yet. The application database should be updateable, similar to a virus definition DAT file.
- Granular policy creation: Application control rules and policies are similar to firewall rules. Rules define what application features should be allowed and blocked. Granular policy features should also provide granular control features based on the user and time.
- Bandwidth control: The situation may arise where IT administrators would like to allow access to cloud applications but limit the amount of bandwidth used. Applications such as Skype are typically used for business but are resource intensive. Application control should integrate with next-generation firewall QoS (Quality of Service) features to limit bandwidth to intensive applications while still allowing access. This should also be configurable on a per-user and per-time basis.
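To make the difference between the port-based view and the application-aware view concrete, here is a small Python model of the Company ABC policy above. It is an added illustration, not Barracuda code and not how any real engine is configured: the application database, the hostnames and the flow records are all constructed for the example, and classification is reduced to a lookup on the TLS SNI hostname (real engines combine many more signals). It shows the points from the list: a port-based rule gives every HTTPS flow the same verdict, while the application-aware policy evaluates ordered rules by application, sub-feature, user group and time of day, applies a bandwidth cap instead of a plain allow where wanted, and ends with a catch-all rule so that unknown applications are still covered.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed application database (what the signature updates would provide).
# Keyed on the TLS SNI hostname only for the sake of the example.
APP_DB = {
    "social.example":       ("socialnet", "pages"),
    "chat.social.example":  ("socialnet", "chat"),
    "games.social.example": ("socialnet", "games"),
    "meet.example":         ("videoconf", None),
    "sip.example":          ("voip", None),
    "crm.example":          ("crm", None),          # the mission critical cloud app
    "video.example":        ("streaming", None),
    "backup.example":       ("cloud_backup", None),
}

def classify(flow):
    """Application-aware view: (application, sub-feature) for a flow.
    Anything not in the database is 'unknown' and must still hit a rule."""
    return APP_DB.get(flow["sni"], ("unknown", None))

def stateful_verdict(flow):
    """Port/state view: a classic rule 'permit tcp/443 outbound' sees every
    HTTPS flow as the same thing, so it cannot express the scenario policy."""
    return "allow" if flow["proto"] == "tcp" and flow["dport"] == 443 else "block"

@dataclass(frozen=True)
class Rule:
    name: str
    app: str                              # application name, or "*" for any
    action: str                           # "allow", "block" or "limit"
    feature: Optional[str] = None         # None = any sub-feature
    groups: Optional[frozenset] = None    # None = any user group
    hours: Optional[tuple] = None         # (start_hour, end_hour), None = always
    kbps: Optional[int] = None            # cap applied when action == "limit"
    priority: str = "normal"              # QoS class when allowed

# Ordered policy for the Company ABC scenario: first match wins, so the
# specific allow for marketing must precede the broader socialnet block.
POLICY = [
    Rule("marketing-pages", "socialnet", "allow", feature="pages", groups=frozenset({"marketing"})),
    Rule("no-social-extras", "socialnet", "block"),     # chat, games, and pages for everyone else
    Rule("exec-videoconf", "videoconf", "allow", groups=frozenset({"executives"}), priority="high"),
    Rule("no-other-videoconf", "videoconf", "block"),
    Rule("voip", "voip", "allow", priority="high"),
    Rule("mission-critical", "crm", "allow", priority="high"),
    Rule("no-streaming", "streaming", "block"),
    Rule("backup-office-hours", "cloud_backup", "limit", hours=(8, 18), kbps=2000),
    Rule("backup-after-hours", "cloud_backup", "allow"),
    Rule("default", "*", "block"),                      # catch-all, also covers 'unknown'
]

def rule_matches(rule, app, feature, group, hour):
    if rule.app != "*" and rule.app != app:
        return False
    if rule.feature is not None and rule.feature != feature:
        return False
    if rule.groups is not None and group not in rule.groups:
        return False
    if rule.hours is not None and not (rule.hours[0] <= hour < rule.hours[1]):
        return False
    return True

def decide(flow, hour=10):
    """Return (rule name, action, kbps cap, priority) for a flow at a given hour."""
    app, feature = classify(flow)
    for rule in POLICY:
        if rule_matches(rule, app, feature, flow["group"], hour):
            return (rule.name, rule.action, rule.kbps, rule.priority)
    return ("implicit-deny", "block", None, "normal")   # only reached without a catch-all

def flow(user, group, sni, proto="tcp", dport=443):
    """Constructed flow record: everything here is TCP/443, which is the point."""
    return {"user": user, "group": group, "sni": sni, "proto": proto, "dport": dport}

if __name__ == "__main__":
    samples = [
        flow("alice", "marketing", "social.example"),
        flow("alice", "marketing", "chat.social.example"),
        flow("bob", "executives", "meet.example"),
        flow("carol", "staff", "meet.example"),
        flow("carol", "staff", "video.example"),
        flow("dave", "staff", "backup.example"),
        flow("erin", "staff", "newsaas.example"),       # not in APP_DB
    ]
    for f in samples:
        print(f["user"], f["sni"], "stateful:", stateful_verdict(f), "app-aware:", decide(f))
```

Running it shows the stateful verdict is "allow" for every sample, while the application-aware policy allows the marketing page, blocks the chat session, allows video conferencing only for the executive, caps the backup client during office hours, and blocks the hostname it has never seen because the catch-all rule is there.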
And of course, if you are interested in a next-generation firewall, take a look at the Barracuda NG Firewall. It has powerful application control capabilities, along with firewall, IPS, and URL filtering.