Firewall products have gone through many innovations in system architecture and software form from the 1990s to the present, but with today's pace of technology development and growth in users and bandwidth they find it increasingly hard to meet challenges on many fronts. This is especially true in today's hottest environments, the data center and cloud computing: the Ethernet standard is moving from 10 Gigabit toward 40G/100G, and the total number of data centers and server rooms of all kinds in China has already passed 500,000. Low latency, high reliability and intelligent security management place new requirements on the performance and functionality of gateway security products.
This year Ruijie Networks, Pike and Sangfor released next-generation firewall (Next Generation Firewall, hereinafter NGFW) products in the domestic market, joining SonicWALL, Juniper, Check Point and other vendors already there. The product category, defined by Gartner in 2009 to describe the evolution of the firewall, appears to be entering its spring.
Faced with the more decentralized and comprehensive security requirements that large-scale consolidation and interconnection of data centers, cloud computing and mobile computing bring, the traditional security architecture is being tested and questioned by CIOs, and it is fair to ask whether the birth of the NGFW is a "stimulant" for the security "species". After visiting and speaking with several security and NGFW vendors, we found that their definitions of NGFW differ but the demand driving its development is consistent. On whether NGFW can replace the network firewall, IPS and UTM, opinions also vary: some say a definite yes; some think it should be treated differently depending on the network environment; some think one product can replace them completely; and some also mention the impact it will have on other network products. Whether you are hesitating or facing a decision, we believe you can find an answer here. Users want not only high-performance, multi-functional security products; for a product positioned at the border defense, stability and high reliability in the face of threats are essential. Here too we found that vendors respond differently, but ultimately it is market application that will test them. In fact, many CIOs have found that the evolving network architecture and more sophisticated terminal devices and user applications pose challenges to traditional defenses, but whether a newly emerged product like the NGFW can carry the load is worth attention and discussion.
Compared with traditional network firewalls and UTM products, how does the NGFW differ in hardware architecture? Is the NGFW as stable and reliable as the traditional architecture of independent network security devices? What should enterprises prepare for deployment, and how should they choose? ZDNet's security channel recently interviewed dozens of mainstream domestic and foreign security and NGFW vendors to take you through the clouds. At the same time we are planning a special topic, "Born of the times: can the next-generation firewall stand tall", which we invite everyone to follow.
FW powerless: the firewall in evolution
At present, network vendors, specialist firewall vendors, IPS vendors and application control gateway vendors are all laying out plans in this field; starting from Gartner's definition of the product's characteristics, each vendor also interprets NGFW according to its own traditional strengths.
Enterprises face a wide range of threats from the Internet, including viruses, Trojans, DDoS attacks, phishing and SQL injection. Li Yanbin, director of network security technology at H3C, told ZDNet that in H3C's view the next-generation firewall for the data center and cloud computing should have four characteristics, "virtualization, high performance, high reliability and intelligence", and will evolve in those four directions.
For SonicWALL, the next-generation firewall includes the following elements: first intrusion prevention services, then a gateway antivirus service, as well as firewall protection. It also includes features such as content filtering, anti-spam, the ability to manage applications through policies, ensuring visibility of the network, and the ability to fully inspect every ongoing data stream in the network, said Cai Yongshen, a technology manager at SonicWALL China.
NSFocus product marketing manager Ji Jiping said that NGFW, in addition to identifying and managing Web 2.0 applications, also emphasizes performance, one of the most important indicators distinguishing it from UTM, and the ability to integrate IPS: Gartner holds that NGFW needs to integrate IPS functionality, not as a simple overlay the way UTM does, but by integrating IPS seamlessly into the NGFW product. It also emphasizes user integration, that is, integrating user identity with NGFW policy. These four features of NGFW improve on UTM's existing shortcomings and highlight the convergence of current security trends.
Although NGFW has no unified standard, after the interviews we found the vendors' development of NGFW to be consistent: the access control objects of the traditional firewall are adjusted from the network and transport layers (L3-L4) to application-layer (L7) protocols, and users, applications and content are identified, yielding a high-performance next-generation firewall with complete security protection capability.
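The shift described above, from L3/L4 access control objects to application and user identity, is easiest to see side by side. What follows is an added example, not code from the article or from any vendor it quotes: a toy Python policy engine in which a port-based rule set and an application- and user-aware rule set judge the same constructed flows. The IP addresses, the user-to-IP mapping, the group names, the hostnames, the rules and the minimal TLS ClientHello builder are all assumptions made for illustration. The point is the one the vendors make: a TCP/443 allow rule passes SSH tunnelled over 443 and any TLS destination, while classification by content combined with a user mapping can tell them apart.

```python
"""Added example (not from the article or any vendor quoted in it): a toy policy
engine contrasting a port-based (L3/L4) rule set with an application- and
user-aware (L7) rule set. All IPs, users, groups, hostnames and flows are
constructed sample data."""
import ipaddress
import re
import struct
from dataclasses import dataclass


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes   # first bytes of the client-to-server stream


# Constructed identity mapping, standing in for what an NGFW learns from AD/RADIUS logs.
USER_BY_IP = {"10.0.1.10": ("alice", "engineering"), "10.0.9.50": ("guest-7", "guests")}


def identify_user(flow):
    return USER_BY_IP.get(flow.src_ip, ("unknown", "unknown"))


# L3/L4 policy: a traditional firewall sees only addresses, protocol and port.
# (src_net, proto or None, dst_port or None, action); first match wins.
L4_RULES = [
    ("10.0.0.0/8", "tcp", 80, "allow"),
    ("10.0.0.0/8", "tcp", 443, "allow"),
    ("0.0.0.0/0", None, None, "deny"),
]


def l4_decision(flow):
    src = ipaddress.ip_address(flow.src_ip)
    for net, proto, port, action in L4_RULES:
        if src in ipaddress.ip_network(net) and proto in (None, flow.proto) \
                and port in (None, flow.dst_port):
            return action
    return "deny"


def parse_tls_sni(payload):
    """Return the server_name from a TLS ClientHello, or None if it is not one."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        pos = 43                                  # record hdr + hs hdr + version + random
        pos += 1 + payload[pos]                   # session id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher suites
        pos += 1 + payload[pos]                   # compression methods
        ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0:                        # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        pass                                      # truncated or malformed hello
    return None


def identify_app(flow):
    """Classify by content, not port: SSH tunnelled over 443 is still SSH."""
    if flow.payload.startswith(b"SSH-"):
        return "ssh", None
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n", flow.payload):
        return "http", None
    sni = parse_tls_sni(flow.payload)
    return ("tls", sni) if sni is not None else ("unknown", None)


# L7 policy: (group or None, app or None, SNI regex or None, action); first match wins.
L7_RULES = [
    ("engineering", "ssh", None, "allow"),
    (None, "tls", r".*\.example\.com$", "allow"),
    (None, "http", None, "allow"),
    (None, None, None, "deny"),
]


def l7_decision(flow):
    _, group = identify_user(flow)
    app, sni = identify_app(flow)
    for r_group, r_app, r_sni, action in L7_RULES:
        if r_group not in (None, group) or r_app not in (None, app):
            continue
        if r_sni is not None and not (sni and re.match(r_sni, sni)):
            continue
        return action
    return "deny"


def build_client_hello(sni):
    """Constructed minimal TLS 1.2 ClientHello carrying a single server_name extension."""
    host = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(host) + 5, len(host) + 3, 0, len(host)) + host
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"            # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample flows: each is TCP/80 or TCP/443 and so passes the L4 policy.
FLOWS = {
    "web":        Flow("10.0.9.50", "203.0.113.10", "tcp", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "ssh_on_443": Flow("10.0.9.50", "203.0.113.20", "tcp", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "eng_ssh":    Flow("10.0.1.10", "203.0.113.20", "tcp", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "tls_ok":     Flow("10.0.9.50", "203.0.113.30", "tcp", 443, build_client_hello("intranet.example.com")),
    "tls_other":  Flow("10.0.9.50", "203.0.113.40", "tcp", 443, build_client_hello("share.example.net")),
}


def compare(flow):
    """(L4 decision, L7 decision) for one flow, so the two models can be read side by side."""
    return l4_decision(flow), l7_decision(flow)


if __name__ == "__main__":
    for name, f in FLOWS.items():
        print(name, *compare(f), identify_app(f))
```

Run directly, it prints both decisions for every flow: the L4 policy allows all five, while the L7 policy denies the guest's SSH-over-443 and the TLS connection to a host outside the permitted domain. Real products learn the user mapping from directory or authentication logs and classify traffic with far larger signature sets and fuller TLS parsing; the contrast in decisions is what this example is meant to show.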
Can NGFW replace FW, IPS and UTM?
As is well known, the traditional firewall has been widely used since the 1990s, and there are many kinds. The UTM concept was put forward by IDC in 2004, and NGFW by Gartner in 2009. Under the new network environment, what new security threats have appeared, how are users' security requirements changing, and how have traditional security devices become increasingly powerless?
On this, Barracuda product manager Pan told reporters that the traditional firewall can only provide packet forwarding and interception in the general sense, plus some simple packet inspection mechanisms. Compared with the traditional firewall, UTM does add many filtering capabilities, including application-layer identification and filtering. But UTM's fatal flaw is its serial scanning method, which makes processing inefficient. Even with point solutions added, it can provide virus protection for email, web applications, remote access and instant messaging software, but operating costs rise significantly. The NGFW uses an efficient parallel processing mechanism and integrates network security, content security and network access control based on layer-7 application management to resist attacks from the application layer, effectively solving the essential defects of UTM.
UTM was born because early network firewalls lacked IPS, anti-virus, malicious-code and anti-spam features, and it was built by adding them on. Guo, gateway security product director at McAfee China, stressed that the essence of a UTM product is still a transitional product based on the traditional network firewall architecture; its underlying architecture is no different from a traditional network firewall's.
"NGFW pays more attention to the customer experience in the Web 2.0 era, for example through customized GUIs and multi-core CPU concurrent processing. As enterprises develop they need more proactive, more intuitive, more customized and higher-performance security products, and these are the characteristics of NGFW. For enterprises, NGFW fits the existing network environment better and protects enterprise business more comprehensively," said Hui, vice president of planning and promotion at Topsec.
The major vendors almost invariably said that neither the traditional firewall nor UTM can cope with the real-time changing security threats of the many applications exchanged in the Web 2.0 era. When the reporter asked whether the NGFW will replace the network firewall, IPS and UTM, Tan Jun, a marketing manager at Juniper Networks Greater China, answered: "Yes, this is a process of continuous innovation and evolution based on a new generation of architecture and philosophy." Yin Hao, a marketing director, said that because of their low procurement cost, the traditional firewall and UTM may still be the user's choice in a few simple network environments, but in the end, facing users' application-layer security requirements, FW and UTM will evolve into the NGFW product form. Guo, gateway security product director at McAfee China, answered more conservatively: he believes that in network environments with lower security requirements, such as an enterprise's guest network or non-core business network, the traditional network firewall still has its uses and can be deployed in tiers alongside NGFW to achieve differentiated, layered protection. The advantage of IPS products is that they use signature technology to inspect network traffic quickly and without delay, require high forwarding rates, and are good at catching known network threats and preventing DDoS attacks, so their focus differs from NGFW's. But on UTM, Guo said that wherever UTM can be deployed, NGFW can replace it seamlessly, and since UTM has become a performance bottleneck, UTM products will eventually be replaced by NGFW.
Ma, deputy manager of a border security product department, highlighted NGFW's impact on the Internet behavior management market. Ma believes NGFW will eventually replace Internet behavior management products and, together with FW, UTM and IPS products, form a new market layout and a relatively long-term competitive posture in which functions continue to converge, giving the market for the various forms of gateway product a more rational layout.
(Responsible editor: The good of the Legacy)