Many organizations today are being led to believe that all they need for a secure network is a next generation firewall (NGFW) solution. As countless point-product firewall vendors try to position their product as a silver bullet for all security issues, top security analyst Jon Oltsik of Enterprise Strategy Group unveils the truth: today’s CISOs need to consider employing a layered strategy in order to effectively protect their networks from external attack.
The constant struggle of budget constraints can easily lead to embracing the alluring idea of consolidating security solutions (firewall, IPS, application control, user visibility, and anti-malware) with just one NGFW system. However, for enterprise networks especially, there may not be a one-size-fits-all solution that also provides optimal security, and it can be necessary to add a web gateway in addition to NGFW support. Here are 4 critical items for any CISO to consider when making the choice.
When it comes to security, firewalls are the primary and most crucial line of defense against network threats. A NGFW monitors all inbound/outbound network traffic, using multiple capabilities. If you’re serious about protecting your organization’s network, you need to deploy a NGFW for first line defense.
A web gateway, however, is optimized to perform in-depth web traffic analysis that goes deeper than a NGFW, without compromising network performance. A web gateway cannot replace a firewall (since it only examines web traffic, not all network traffic), but it directly complements and extends the scanning and filtering performed by the NGFW. In-depth content analysis that goes beyond URL filtering, reputation analysis, and signature analysis, is important in order to detect more sophisticated malware strategies, such as obfuscation or zero-day attacks.
2. Proxy management
NGFWs and web gateways offer complementary proxy management capabilities. NGFWs are configured as transparent proxies, while web gateways also support explicit proxy capabilities. This is important if your organization needs to inspect SSL or TLS encrypted traffic. Analysts report that 25% of enterprise web traffic is encrypted. It’s therefore critical to decrypt SSL traffic in order to search for and block malware or botnet communications, or to enforce acceptable use policies, a process which is easier to manage in an explicit proxy scenario.
3. Data Loss Prevention
Data loss prevention (DLP) is another consideration to make when weighing the options between a NGFW and a web gateway. Most NGFWs include basic DLP protection, inspecting traffic for common sensitive data formats, like 9-digit social security numbers or 16-digit credit card numbers. While that is essential, there can be other sensitive data formats that also need protection against leakage.
Dedicated web gateways often provide broader DLP capabilities for specific industry data, which can be customized for many different use cases. Some web gateway vendors even provide the ability to encrypt files as they are being uploaded to file-sharing sites, protecting them against unauthorized access.
4. Mobile User Protection
While a few NGFWs are offered as cloud-based services, they’re usually deployed as on-premises devices. This keeps users behind a firewall safe, but it may not protect mobile workers unless they use a VPN.
A web gateway deployed as a cloud service can, however, offer protection for mobile workers accessing the Internet. There are hybrid web gateway solutions that provide common policies, management, reporting, and user experience. These systems enable enterprises to protect mobile users, contractors, or external business partners accessing cloud-based corporate assets.
Ultimately, no single security solution works for every enterprise network. Therefore, CISOs should seriously consider how a NGFW and web gateway can work together synergistically to create the most secure and cost-effective environment.