Report: Security Pressures Making Older Firewalls Obsolete
By Dian Schaffhauser
The firewalls and intrusion protection systems in use by educational organizations to protect their enterprise networks may not be keeping up with the new security demands of virtualized data centers.
According to ABI Research, while virtualized operations can improve efficiencies, the majority of organizations are still relying on the same security tools — basic antivirus and firewalls — to protect their virtual setups as they did for their physical ones. The problem, the research firm said, is that existing security solutions may fail to keep up with the fast pace of change in a virtualized environment. For example, they may not be able to track policies related to virtual machine creation or movement or even the sheer amount of traffic, leaving schools open to cyber attacks and data breaches.
ABI recommended that organizations running virtualized data centers consider implementing a growing set of "next-generation" security products to address functional gaps. This category is surfacing from a number of companies, including HP, Trend Micro, Cisco, Imperva, NTT Com Security, Centrify and Veeam.
Next-generation firewalls (NGFWs) "deliver much more granular control than traditional firewalls by being application and user aware, which in turn ensures better security without impacting user productivity," said Monolina Sen, ABI's cybersecurity senior analyst, in a statement.
NGFWs go beyond old-school port and protocol examination and perform "deep packet" inspection, integrating application-level inspection with intrusion prevention to sort out traffic as it's traversing the network, applying appropriate policies and learning on the go by monitoring how the applications behave. When behavior deviates from the norm, administrators can receive alerts. The application identification provided by this new type of firewall also gives IT greater control over network traffic by allowing for application blocking, bandwidth throttling and quality of service by multiple criteria.
For example, Collinsville Community Unit School District 10 deployed HP's TippingPoint NGFW to monitor and prioritize network traffic. The Illinois school system also adopted HP's TippingPoint Digital Vaccine Labs (DVLabs), a weekly service that delivers a digital vaccine package with updated vulnerability and application filters.
The district was put to the test right from the start of the deployment when an end user downloaded malware that created its own spam server, and the entire district was put on a spam blacklist, which meant district users couldn't receive email from external sources. Director of Technology Mike Kunz said the new firewall "enabled us to identify the machine and mitigate the infection."
Once that was done, he placed a filter on the new firewall to block outbound SMTP mail unless it originated from the IP address of the district's own mail server. "The firewall literally captures that data and doesn't let it go anywhere — it just kills it right there," Kunz says. "Having the ability to block the compromised machine, log it, and review everything was just tremendous."
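The egress rule described above can be checked against connection logs before it is enforced. The following Python sketch is an added example, not code from the article or from the firewall vendor; it applies the rule "outbound SMTP only from the mail server" to a constructed log and lists the internal hosts that would be blocked. The addresses, internal range and log layout are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the article): addresses, internal range and log layout.
MAIL_SERVER = ipaddress.ip_address("10.10.0.25")
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")
SMTP_PORT = 25

# Constructed sample connection log: "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2024-01-15T08:00:01 10.10.0.25 198.51.100.10 25
2024-01-15T08:00:02 10.10.4.17 203.0.113.5 25
2024-01-15T08:00:02 10.10.4.17 203.0.113.9 25
2024-01-15T08:00:03 10.10.4.17 198.51.100.77 25
2024-01-15T08:00:04 10.10.7.40 198.51.100.10 443
2024-01-15T08:00:05 10.10.7.40 10.10.0.25 25
2024-01-15T08:00:06 10.10.9.3 203.0.113.5 25
malformed line
"""

def verdict(src, dst, port):
    """Apply the egress rule: outbound SMTP is allowed only from the mail server."""
    outbound = src in INTERNAL_NET and dst not in INTERNAL_NET
    if outbound and port == SMTP_PORT and src != MAIL_SERVER:
        return "drop"
    return "allow"

def review(log_text):
    """Return {src_ip: set of external destinations} for every dropped flow."""
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        try:
            _, src, dst, port = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip lines that do not parse instead of guessing
        if verdict(src, dst, port) == "drop":
            offenders[str(src)].add(str(dst))
    return dict(offenders)

def ranked(offenders):
    """Hosts ordered by number of distinct external SMTP destinations."""
    return sorted(offenders, key=lambda h: (-len(offenders[h]), h))

if __name__ == "__main__":
    hits = review(SAMPLE_LOG)
    for host in ranked(hits):
        print(host, "blocked SMTP to", len(hits[host]), "destinations")
```

Internal clients that relay through the district mail server are unaffected, because traffic to the mail server never leaves the internal range.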
Kunz expects the firewall to prove its value particularly when PARCC online assessments take place. IT will be able to throttle non-testing traffic, such as YouTube viewing, to make sure test-takers have the network resources they require.
Next-generation security systems are not inexpensive. ABI's Sen noted that the cost of "just one of the many virtualization [firewall] solutions available" was $375,000.
Dian Schaffhauser is a senior contributing editor for 1105 Media's education publications THE Journal and Campus Technology. She can be reached at email@example.com or on Twitter @schaffhauser.