Wednesday, July 9, 2014

Perimeter Security Devices Evaluation - Part 1

Firewall (Next Generation Firewall, UTM) Selection Criteria – Part 1

Firewalls and other perimeter defense appliances are the most essential security devices in today's IT infrastructures. Almost all security administrators have a favorite vendor when it comes to selecting the appropriate device for their environment. I have even seen people support vendors and products the way they would support a sports team.

I have long thought about the criteria to consider when choosing an appropriate perimeter defense device, and this article is the result. I am not going to criticise or praise any specific product or vendor; I will just try to give a view of the points that should be considered. One should keep in mind that a perimeter device to be used in an SMB may (and must) differ from one used in a large enterprise, and the sector in which the company operates is another important factor.

So, let’s begin naming those criteria one by one.

Functionality

We all know that the days in which firewalls were used just as IP and port ACL filters and session state checkers are long gone. Everybody expects more from these devices, in terms of efficiency in cost, effort and many other respects.

But how far should a firewall go with functionalities?

Today most firewall products offer additional functionalities such as Intrusion Prevention, Web Content Filtering (Web Proxy), Remote Connectivity Gateway (SSL VPN), Data Loss Prevention, Malware and Spyware Protection, Security Event Management, Endpoint Protection Console Services and Bot Protection. The list varies from vendor to vendor, but these are the most common ones.

While SMBs would like to have all-in-one solutions, and they may be right in that approach, special care must be taken at this point. Licensing is the keyword in the selection of many security products, and firewalls are no exception. SMBs with a low information security maturity level really should not opt in for too many capabilities, as those will not serve them much beyond increasing their operational expenditure budget. I believe the key functionalities to select as a minimum are Next Generation Firewall, Intrusion Prevention, Web Proxy and SSL VPN. Administrators should also take care not to put all the functionalities in one box, even when they have a cluster configuration.

Leaving the security intelligence for several functions to a single vendor is another risk to be aware of.

For larger enterprises, the pros and cons of selecting a multipurpose perimeter security device are more obvious. From one angle, having the smallest number of devices to manage is very important at a time when collecting logs from a large number of different sources is a real burden for security administrators, not to mention the cost and licensing advantages.

However, up to what point can we put different functionalities into the same basket?
Vendors all have different hardware designs for their appliances, and even a single vendor offers very different products for different segments. Having multiple functionalities means that a problem in one function may have damaging effects on the others: even though the processes may be isolated, in most vendors' products the hardware is not (and the cost goes up where hardware isolation exists). In some situations you may have to sacrifice certain capabilities in favor of others, which is not a desirable situation for most people.

Briefly, putting too much in the same basket has its risks, and each enterprise should make its own decision on that subject. In a world where there are really no standard metrics for measuring the computing power of these appliances, this is the truth security administrators have to face.

My experience on this subject is that more and more enterprises should migrate to security products that have hardware isolation between functionalities, starting with separating the management plane from the data plane. I believe many security administrators have at least once faced the annoying situation of being unable to access their device in the middle of a serious problem, just because the data plane was too busy and consuming all the resources. Resource exhaustion attacks are still a major unresolved issue today, and until they are resolved, processing cycles must be allocated and consumed very, very carefully.

No matter the size of the company, some functions should be considered very carefully in the selection process. In a company where the data classification scheme, data roles (owner, custodian, user, etc.) and responsibilities are not clear, Data Loss Prevention functionality should not be added to the list. Basic clear-text filtering options are present in most products on the market and can be used for basic needs whenever required.

Choosing Endpoint Protection Management functionality on the appliance may be wise for an enterprise of up to 50 employees. Beyond that number, it is wiser to use a separate system for that need than to consume very precious resources that could go to more important security functions.

A final observation on perimeter security devices concerns the Next Generation Firewall capabilities, which basically come down to application recognition (including applets and modules) and domain integration (user recognition). These are the musts for such appliances in today's world and must not be taken lightly. Even the biggest vendors with considerable market share perform these functions only on paper, which actually means that they do not perform them in a stable manner or simply pretend to. In many products the vendor says the appliance recognizes thousands of applications, while in fact those thousands consist of different social media modules and old chat programs. The most needed and critical business applications (ERP, CRM, databases, productivity suites) are not recognized, and they give you no insight into your business-critical data flow.
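The application recognition claim above can be tested during a proof of concept rather than taken from the datasheet: export the candidate appliance's application-aware traffic log and measure how much of the traffic to your own business-critical servers it labels with a real application name, as opposed to a generic placeholder. The script below is an added example for this post, not code from the original article or from any vendor. The CSV export format, the placeholder label names, the sample log lines and the server inventory are all constructed assumptions; adapt them to the real export and placeholder names of the product under evaluation.

```python
"""
Added example: measure how much traffic to business-critical servers a
firewall's application identification actually labels with a real application
name. Log format, labels, sample lines and server list are constructed for the
example and do not correspond to any vendor's product.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

# Labels meaning "the appliance did not really identify the application".
# Constructed list: replace with the placeholder names your candidate uses.
GENERIC_APP_LABELS = frozenset({
    "unknown-tcp", "unknown-udp", "ssl", "web-browsing",
    "incomplete", "insufficient-data",
})

# Constructed sample export. Columns: time, src, dst, dport, app, bytes.
SAMPLE_LOG = """time,src,dst,dport,app,bytes
2014-07-09T09:00:01,10.1.1.20,10.2.0.10,8000,unknown-tcp,18220
2014-07-09T09:00:02,10.1.1.21,10.2.0.10,8000,unknown-tcp,9411
2014-07-09T09:00:03,10.1.1.22,10.2.0.10,8000,ssl,120033
2014-07-09T09:00:04,10.1.1.20,10.2.0.11,1433,mssql-db,55120
2014-07-09T09:00:05,10.1.1.23,10.2.0.11,1433,mssql-db,2201
2014-07-09T09:00:06,10.1.1.24,10.2.0.12,443,ssl,77011
2014-07-09T09:00:07,10.1.1.24,10.2.0.12,443,web-browsing,1021
2014-07-09T09:00:08,10.1.1.25,93.184.216.34,443,facebook-chat,3300
2014-07-09T09:00:09,10.1.1.26,93.184.216.34,5222,xmpp,900
"""

# Constructed inventory of business-critical servers: address -> system.
CRITICAL_SERVERS = {
    "10.2.0.10": "ERP application server",
    "10.2.0.11": "CRM database",
    "10.2.0.12": "Productivity suite (webmail/docs)",
}


@dataclass
class HostStats:
    name: str
    sessions: int = 0
    generic_sessions: int = 0
    bytes_total: int = 0
    bytes_generic: int = 0
    labels: dict[str, int] = field(default_factory=lambda: defaultdict(int))

    @property
    def recognized_ratio(self) -> float:
        """Share of sessions carrying a real (non-placeholder) app label."""
        if self.sessions == 0:
            return 0.0
        return 1.0 - self.generic_sessions / self.sessions


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse the (constructed) CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def recognition_report(rows, critical_servers, generic_labels=GENERIC_APP_LABELS):
    """Per critical server: how much traffic the appliance really identified."""
    report = {ip: HostStats(name=n) for ip, n in critical_servers.items()}
    for row in rows:
        stats = report.get(row["dst"])
        if stats is None:  # traffic to a host outside the critical inventory
            continue
        nbytes = int(row["bytes"])
        stats.sessions += 1
        stats.bytes_total += nbytes
        stats.labels[row["app"]] += 1
        if row["app"].lower() in generic_labels:
            stats.generic_sessions += 1
            stats.bytes_generic += nbytes
    return report


def unidentified_servers(report, threshold=0.5):
    """Servers where fewer than `threshold` of sessions got a real app label."""
    return sorted(ip for ip, s in report.items() if s.recognized_ratio < threshold)


if __name__ == "__main__":
    rep = recognition_report(parse_log(SAMPLE_LOG), CRITICAL_SERVERS)
    for ip, s in rep.items():
        print(f"{s.name:36s} {ip:12s} sessions={s.sessions:3d} "
              f"recognized={s.recognized_ratio:5.0%} labels={dict(s.labels)}")
    print("Servers failing the recognition check:", unidentified_servers(rep))
```

Run against the constructed sample, the CRM database traffic is fully identified while the ERP server and the productivity suite are seen only as "unknown-tcp", "ssl" and "web-browsing", which is exactly the situation described above: a long application list on the datasheet, no visibility into the flows that matter. Counting bytes as well as sessions matters because a handful of large unidentified transfers can hide behind a good session ratio.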