Gartner Note on Next-Generation Firewalls
In October, Gartner released a research note on Next-Generation Firewalls.
In the paper, Gartner states that an NGFW should at least:
- support bump-in-the-wire configuration
- act as a platform for network traffic inspection and network policy enforcement with the following minimum features:
  - standard first-generation firewall capabilities: packet filtering, NAT, stateful inspection, VPN, etc.
  - integrated IPS and threat prevention (not colocated like a UTM)
  - application awareness
- Extrafirewall intelligence: Bring information from sources outside the firewall to make improved blocking decisions, or have an optimized blocking rule base. Examples include using directory integration to tie blocking to user identity, or having blacklists and whitelists of addresses.
- Support upgrade paths for integration of new information feeds and new techniques to address future threats.
The “Extrafirewall intelligence” paragraph is a long-winded way of saying URL filtering and LDAP integration.
Compare this to Gartner’s definition of a Secure Web Gateway from 2008:
Secure Web Gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype.
and their SWG definition from the NGFW paper:
These focus on enforcing outbound user access control and inbound malware prevention during HTTP browsing over the Internet, through integrated URL filtering and through Web Antivirus. They implement more user-centric Web security policy, not network security policy, on an “any source to any destination using any protocol” basis.
The only difference is that Gartner doesn’t explicitly call for URL filtering or user-centric policy control in their NGFW definition, opting instead for a jargony paragraph on “extrafirewall intelligence” that readers will forget.
I don’t know why. Perhaps if they did, it would be harder to justify the SWG as anything other than a because-your-firewall-should-do-it-but-can’t solution.
NGFWs like Palo Alto Networks’ are not only replacing firewalls, but also SWGs like Blue Coat’s. This indicates that at least some customers view SWGs as superfluous in an NGFW environment. Time will tell whether SWGs have any merit in a network that is protected by an NGFW. I’m sure there are customers with workflows and requirements specific to URL/web access that could only be addressed by an SWG-type solution, but the number of customers that opt for SWGs is sure to dwindle in my view.
Download the Gartner NGFW Research Note
