So what is the so-called Next Generation Firewall?

By Simon Gallagher

Wow, what can I say, my vTARDIS project has won 2 awards at VMworld Europe 2010 in the following user categories;

• Best home office/remote office virtualisation project
• Best of Show

[..]

SonicWall directors have accepted a $717 million offer to sell the company to a group headed by Thoma Bravo, LLC, a private equity investment firm with the aim of growing the company faster and developing products quicker than it could as a public company.

In my research on Adaptive Security Infrastructure and Context Aware Security, I have concluded that future information security policy enforcement points must move security policy enforcement “up the stack”. As we move to virtualize our data centers and adopt cloud-based computing platforms, security policy can no longer be bound solely to physical attributes such as IP address or device.

SonicWALL recently started shipping six new firewalls to replace the low-end of their product line. The new firewalls are the TZ100, TZ200, and TZ210, each also available with 802.11n wireless integration. This product release completes SonicWALL's transition to the Cavium Networks' Octeon processor line, putting all of their firewalls on the same code base and with a similar feature set.

As security controls are virtualized (e.g. firewalls, IPS, web application firewalls and so on), one of the more significant concerns is performance and throughput. II remember a demonstration about a year ago where an IPS running in a VM virtual appliance easily consumed 2 out of 8 cores in a multicore system. A 25% overhead for security controls didn’t make sense. That was then. Hardware advances continue. Within the next year, 64 core systems will be common. Now 2 out of 64 cores is a different story. 3% overhead? That I’ll take.

VMWare's VMsafe program is bringing more security options to the world of server virtualization.

The Cisco Firewall Service Modules (FWSM) has a design limitation based on its ability to discriminate packet forwarding between multiple contexts. It also applies to ASA/PIX software. Lets review this in detail and learn the evil consequences.

There are a number of gotchas that can occur if you don't set up vShield Zones correctly, but you can avoid them with these pointers.

In modern Enterprise networks, you typically have many clusters of firewalls protecting assets in your network. Since we use two or more layers of firewalls, we can put our DMZ for intermediate security zones in different places in our network. Lets gather together the different options and consider the merits or not, and sometimes how they 'self-build'.