Why It's Time for Next-Gen FirewallDell SonicWALL's Patrick Sweeney on Security, Productivity Gains
Threats have evolved, and so have our Internet needs. This is why organizations need to explore the security and productivity gains of the next-generation firewall, says Patrick Sweeney of Dell SonicWALL.
"We live in a new world," says Sweeney, Executive Director of Product Management at Dell SonicWALL. "Our employees have to go out onto the Internet continuously, to utilize applications that are directly work-related."
But this access also opens the door to employees visiting unauthorized sites that might be infected by malware - opening up a whole new set of risks that can be mitigated by the next-generation firewall.
Next-gen firewalls provide greater security by inspecting every packet of data that comes through the web, Sweeney says. But they also offer a new level of application control. "They allow us to quite literally determine what web applications should come in, for whom, and they allow us to bandwidth-manage - to provision bandwidth for the ones that are critical to us, and allows us to eliminate from the network ... the ones that are not germane."
In an interview about next-generation firewall, Sweeney discusses:
- Why organizations need a next-gen firewall;
- How to get started;
- Where to turn for unbiased information.
Sweeney has over 20 years experience in high tech product management, product marketing, corporate marketing and sales development. He oversees Dell SonicWALL's Network Security, Content Security, Business Continuity and Policy & Management product lines. Previous positions include Vice President of Worldwide Marketing, Minerva Networks; Senior Manager of Product Marketing & Solutions Marketing for Silicon Graphics Inc; Director of Worldwide Sales & Marketing for Articulate Systems; and Senior Product Line Manager for Apple Computer. He holds an MBA from Santa Clara University, CA.
Why a Next-Gen Firewall?
TOM FIELD: Let's talk about the question up-front. Why do we need a next-generation firewall?
PATRICK SWEENEY: Most companies today have a firewall in place, and that's great. It does some basic things. However, today the problem is really two-fold. One, the problems are coming through. The malware is coming through in the payload, and [traditional] firewalls don't inspect the payload. What we need today are next-generation firewalls because they have deep-packet inspection and the deep-packet inspection is going to allow us to look through every single byte, across every single interface, across every single protocol. That will allow us to find malware intrusions and spyware coming through in the packets. That's half the equation.
The other reason why the next-generation firewalls have become so important is that we live in a new world where it's the Web 2.0, with cloud-based computing and where our employees have to go out onto the Internet continuously to utilize applications that are directly work-related. However, it also means that our employees have complete unfettered access to the Internet, and they can go to places they shouldn't be going to. They're going to sites that have been infected. That creates two problems: the security problem and a productivity problem. With next-generation firewalls, they give us the security side because they're going to inspect every single packet and give us a whole new level of security. They also give us something called application control, which allows us to identify all of those different webified applications, all the traffic coming out over Port 80 and Port 43, and they allow us to quite literally determine what web applications should come in, for who, and it allows us to bandwidth-manage and provision bandwidth for the ones that are critical to us and allows us to eliminate from the network or throttle down the ones that are not germane. Next-generation firewalls give us productivity and they give us security.
FIELD: That's a great overview. How do you find organizations deploying next-generation firewalls and where?
SWEENEY: It's for any kind of company. Any size institution that you can think about is deploying next-generation firewalls today. I will give you a couple of examples. U.S. Cellular, a huge U.S. telecommunications company, one of the largest in the United States, is rolling out LTE and they have the need to go far beyond stateful. In order to be able to keep LTE productive in the world where you have so many different mobile devices connecting with all different applications, they needed to be able to have something that would offer security and also manage and throttle appropriately the connections coming through. They deployed in their very largest deployment of LTE next-generation firewalls to be able to manage the traffic and provide security and productivity.
Then, you can go to other institutions like universities. It's a very troubling network environment because you've got freedom of information, but at the same time you've got very, very dirty networks. You want to be able to provide real high-level security on all the traffic flowing across the network. At the exact same time, you want to make sure that the academic courseware gets prioritized bandwidth and things that are not germane to academics have reduced bandwidth associated with them. Universities are another great example.
Then a third area would be retail POS. Anyone who has a very large, distributed network, because they have small boxes and large boxes, the most important characteristic is that they've got lots of different physical locations, and they need to offer a high level of security. They've got to be PCI compliant and so what we find is large POS companies are deploying next-generation firewalls at the branch offices, at the small retail locations and they're all the way at the central site.
FIELD: For many organizations, this concept of next-generation firewall is new to them. Where can they go to get more information about the topic and to gain some confidence in the concept?
SWEENEY: Obviously, companies like Dell SonicWALL have lots of materials that are available on the web. But most companies and CIOs I talk to, they're looking for third-party sources where they can read about it, understand to what degree it will provide a high level of security, how it will operate in their network environment without introducing latency and the like. I probably recommend that people go to three major sources. One is NSS Labs. It's a very well-known testing agency. It's one of the organizations you cannot pay to write nice things about you. They have an entire next-generation firewall test report out, a lot of writings about how they're deployed, to what degree that they're efficient, and which competitor's products are ranked the best and the worst and things like that. The number-one place to go if you're more technically-minded would be the NSS Labs website. It has fantastic information.
Number two, if you're looking for a higher-level view, Network World has actually written a very good series of articles on next-generation firewalls and they have a very good roundup of the top qualifiers of next-generation firewalls, all ranked against each other. They talk about performance, efficacy and all the criteria that you'd be highly concerned about. It's another great source of knowledge.
The third source of knowledge is most CIOs I talk to want to have validation and they want to have certification, so ICSA is probably the best-known security certification that you can get in the world of firewalls. What they have out is an ICSA firewall certification, ICSA enterprise firewall certification, and an ICSA next-generation firewall test. That would be the third area. Go get their writings and their publications on next-generation firewall tests and how they exist and help the enterprise network. Those are the three sources, great unbiased sources of knowledge for next-generation firewalls.
Where to Begin?
FIELD: Based on your own experience with customers, where do we start? What advice would you give to organizations to begin their journey to the next-generation firewall?
SWEENEY: First, recognize that the security that we had historically is not going to deal with the current threats, with advanced persistent threats, with the fact that the threats are coming through the payload. You've got to recognize that you've got to progress and offer better security. It doesn't mean more cost. Generally, costs are aligned and there's high TCO.
Number two: security is not just about stopping the bad stuff from coming into the network. It's also about controlling the applications that are critical to your network. You have applications that rank as critical to you. Not every application is equal. One of the great things about a next-generation firewall is that it can identify every single application coming into your network and then in a very English-language way, you can define which applications must always have the best bandwidth and for which employees. The sales department is probably always going to have great access to Salesforce.com; finance to the Oracle System, etc. You can offer this added layer of security to your productivity and I think that when you recognize the benefits of both those things, you'll see that next-generation firewalls are really the most important security addition you can probably put into your network environment today.