Fred Kost, Check Point's head of product marketing, says customers that require high throughput and low latency typically decide on dedicated functionality. But he points out that small-to-midsized business customers often find multi-purpose firewall gateways and unified threat management devices adequate. Check Point, also jockeying for the "next-generation" title, recently added a "threat emulation blade" as a firewall module. It can safely "explode" files in a sandbox to try to uncover zero-day attacks. It tackles a problem similar to the one Palo Alto takes on with the WildFire threat detection in its next-generation firewall.
The sandbox idea is catching on. McAfee just acquired firewall/VPN/IPS vendor Stonesoft as well as ValidEdge for its sandboxing technology.
NSS Labs analyst Iben Rodriguez says tests of firewalls and IPS indicate there can clearly be performance and efficiency drawbacks to running multiple security services on a firewall. Neohapsis Labs head of research Scott Behrens sums up a common-sense approach to the question: "If I'm the buyer, I need to ask, 'Does this bundle line up with what are my enterprise needs?'"
In Utah's Weber County government, where Matt Mortensen is Ogden's information security officer, the firewall/IPS throughput needs are not more than about 10Gbps. The multi-purpose Dell SonicWall Network Security Appliance E8500 models with IPS, URL filtering and anti-virus have been a good fit in the mid-range to support the network used by the county's 1,200 employees, though there are plans to upgrade to the more powerful SonicWall 9400. The county also maintains a few Cisco ASAs, including the Cisco ASA 5505 firewall dedicated to connections with the wider world of law enforcement for things such as telecommunications wiretap data.
Some valuable uses for the SonicWall firewalls have been application controls to block Skype, or in some cases Java, for security reasons. Mortensen also uses SonicWall for bandwidth throttling.
"I also do geo IP filtering, not allowing users to go to certain places, such as Eastern Europe, South America or China," says Mortensen, pointing out that the Utah county has no business need for that traffic and blocks it for security reasons. The county does inbound geo-IP filtering as well. Mortensen has also set up the firewall to do egress filtering to watch for signs of botnet activity.
The world of the Internet is now perceived as so dangerous that even the most open-minded of universities feel they are forced to clamp down. That's what the Massachusetts Institute of Technology decided last April as part of an overall revised security strategy in the wake of a fake bomb threat.
"Today, systems on the MIT network are subjected to thousands of unauthorized connections per day from nearly every country around the globe and, as a result, MIT sees more than 10 compromised user accounts each day," the MIT memo to its Academic Council said in April, explaining that MIT was going to start blocking traffic originating from outside MIT's network based on firewalling infrastructure.