New Data Security Pressures Driving Next Generation Firewalls

The firewalls and intrusion prevention systems that educational organizations use to protect their enterprise networks may not be keeping up with the security demands of virtualized data centers.

According to ABI Research, while virtualization can improve efficiency, the majority of organizations still rely on the same security tools they used for their physical infrastructure, basic antivirus and firewalls, to protect their virtual environments. The problem, the research firm said, is that existing security solutions may fail to keep up with the pace of change in a virtualized environment: they may be unable to apply policy consistently when virtual machines are created or migrated between hosts, or to cope with the sheer volume of traffic, leaving schools exposed to cyber attacks and data breaches.

ABI recommended that organizations running virtualized data centers consider a growing set of "next-generation" security products to close these functional gaps. Products in this category are coming from a number of companies, including HP, Trend Micro, Cisco, Imperva, NTT Com Security, Centrify and Veeam.

Next-generation firewalls (NGFWs) "deliver much more granular control than traditional firewalls by being application and user aware, which in turn ensures better security without impacting user productivity," said Monolina Sen, ABI's cybersecurity senior analyst, in a statement.

NGFWs go beyond port- and protocol-based filtering and perform deep packet inspection, identifying the application from the traffic itself rather than from the port it happens to use. They integrate that application-level inspection with intrusion prevention to classify traffic as it traverses the network, apply the appropriate policy, and learn on the go by monitoring how applications behave. When behavior deviates from the norm, administrators can be alerted. Application identification also gives IT finer control over network traffic: applications can be blocked or bandwidth-throttled, and quality-of-service rules can be applied on multiple criteria, such as application and user.
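To make the difference between port-based and application-aware filtering concrete, here is an added illustration in Python. It is not code from the article or from any firewall vendor; the flows, the handful of payload signatures, the user groups and the policy table are all constructed for the example (real application signature sets are far larger). Two of the sample flows carry a protocol on a port that a port-only device would misread, and the policy is keyed on user group as well as application.

```python
"""Port-based versus application- and user-aware traffic classification.

Added illustration, not code from the article or from any firewall vendor.
The flows, payload signatures and policy below are constructed; production
application signatures are far richer than a handful of byte prefixes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user_group: str   # from the firewall's identity mapping, e.g. "staff", "student", "guest"
    dport: int        # destination port
    payload: bytes    # leading bytes of the client's first packet


# Legacy view: the destination port is assumed to name the application.
PORT_TABLE = {22: "ssh", 80: "http", 443: "tls", 6881: "bittorrent"}

# App-aware view: identify the protocol from what is actually on the wire.
# Ordered (application, payload prefix) pairs; first match wins.
SIGNATURES = [
    ("ssh", b"SSH-2.0-"),
    ("bittorrent", b"\x13BitTorrent protocol"),
    ("tls", b"\x16\x03"),   # TLS record header: handshake record, version 3.x
    ("http", b"GET "),
    ("http", b"POST "),
]

# Constructed policy keyed on (user group, application); "*" matches any group.
POLICY = {
    ("*", "bittorrent"): "block",
    ("guest", "ssh"): "block",
    ("student", "http"): "throttle",
    ("*", "ssh"): "allow",
    ("*", "http"): "allow",
    ("*", "tls"): "allow",
    ("*", "unknown"): "alert",
}


def classify_by_port(flow: Flow) -> str:
    """What a traditional port/protocol firewall believes the application is."""
    return PORT_TABLE.get(flow.dport, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """What deep packet inspection sees, independent of the port."""
    for app, prefix in SIGNATURES:
        if flow.payload.startswith(prefix):
            return app
    return "unknown"


def decide(flow: Flow, classifier=classify_by_payload) -> tuple:
    """Return (application, action); a group-specific rule beats the wildcard."""
    app = classifier(flow)
    action = POLICY.get((flow.user_group, app)) or POLICY.get(("*", app), "alert")
    return app, action


# Constructed sample flows, including two that a port-only device misreads.
SAMPLE_FLOWS = [
    Flow("student", 80, b"GET /index.html HTTP/1.1\r\n"),
    Flow("guest", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),                 # SSH hidden on the HTTPS port
    Flow("guest", 80, b"\x13BitTorrent protocol\x00\x00\x00\x00"),  # BitTorrent on port 80
    Flow("staff", 8443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),   # TLS on a non-standard port
]


def compare(flows=SAMPLE_FLOWS):
    """Side-by-side (port-based, payload-based) decisions for each flow."""
    return [(decide(f, classify_by_port), decide(f, classify_by_payload)) for f in flows]


if __name__ == "__main__":
    for f, (by_port, by_payload) in zip(SAMPLE_FLOWS, compare()):
        print(f"port {f.dport:>5} {f.user_group:<8} port-based={by_port}  app-aware={by_payload}")
```

Running it shows the port-based classifier allowing SSH from a guest on port 443 and a BitTorrent handshake on port 80, both of which the payload-based classifier blocks, while TLS on port 8443 moves from "unknown" to an explicit allow. The first-match signature list is the simplest possible stand-in for an application ID engine; the point is that policy is attached to the identified application and user, not to the port number.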

Loyola University Chicago, for example, is using HP's TippingPoint Next-Generation Intrusion Prevention System (NGIPS) together with TippingPoint Digital Vaccine Labs (DVLabs), a weekly service that delivers a Digital Vaccine package of updated vulnerability and application filters.

Loyola's 16,000 students bring an average of 4.5 devices each, said Brett Weston, information security administrator. "Given the number of devices we have on campus, we need to be sure that when a device is compromised, we can identify that 'patient zero' and prevent it from spreading through the network — putting information at risk and slowing productivity."

Weston said that with TippingPoint the university has been blocking an average of 2 million threats per week; adding DVLabs raised that to 8.5 million per week.

Weston recently put geo-filtering in place on the IPS appliance, which lets IT block traffic to or from IP addresses geolocated in particular countries or regions; he applied it specifically to the university's payment card operations. "Unfortunately, the university IT environment is a hostile network with tons of devices trying to connect to it. My goal is to leverage the geo-filtering capabilities HP TippingPoint provides ... to limit bad traffic and keep our PCI environment secure," he said.

Implementing the IP-address-based geo filter was "pretty easy," he noted. "I created a geo filter in about two minutes and implemented it in permit and notify mode. I wanted to watch the network behavior for the first month and then decide what to block. We are now in block mode and it is working like a charm."

He said he anticipates using geo-filtering on the live network in the future and maintaining a blacklist of certain problematic countries to keep their traffic out of the network.
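The rollout Weston describes, a geo filter scoped to the payment card segment, run first in a permit-and-notify mode to see what it would catch and then switched to block mode, can be modelled in a few dozen lines. The following is an added example and not code from the article or from the TippingPoint product. Every address comes from the RFC 5737 documentation ranges, the PCI segment and internal networks are invented, and the country codes XA, XB and XC are ISO 3166 user-assigned codes, so the geolocation table is entirely constructed and names no real country.

```python
"""Country-based filtering scoped to a payment card (PCI) segment, with a
monitor-then-block rollout.

Added example, not code from the article or from the TippingPoint product.
All addresses come from RFC 5737 documentation ranges and the country codes
are ISO 3166 user-assigned codes (XA, XB, XC); the geolocation table, the
PCI segment and the connection log are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed: the cardholder-data segment the filter protects, plus other
# internal space that should never be geolocated.
PCI_SEGMENT = ipaddress.ip_network("192.0.2.0/26")
INTERNAL_NETS = [PCI_SEGMENT, ipaddress.ip_network("10.0.0.0/8")]

# Constructed geolocation table: (prefix, country code). A real deployment
# loads a vendor feed; overlapping prefixes are resolved by longest match.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "XA"),
    (ipaddress.ip_network("198.51.100.0/24"), "XB"),
    (ipaddress.ip_network("198.51.100.128/25"), "XC"),
]


def country_of(addr) -> str:
    """Country code for an address, 'INTERNAL' for our own space, 'UNKNOWN' if unmapped."""
    if any(addr in net for net in INTERNAL_NETS):
        return "INTERNAL"
    matches = [(net.prefixlen, cc) for net, cc in GEO_TABLE if addr in net]
    return max(matches)[1] if matches else "UNKNOWN"


class GeoFilter:
    """Geo filter with two modes: 'permit-notify' records matches but lets
    them through; 'block' drops them. Connections that never touch
    PCI_SEGMENT are out of scope and always permitted."""

    def __init__(self, blocked_countries, mode="permit-notify"):
        if mode not in ("permit-notify", "block"):
            raise ValueError(f"unknown mode {mode!r}")
        self.blocked = frozenset(blocked_countries)
        self.mode = mode
        self.notifications = []   # (direction, remote address, country)

    def evaluate(self, src: str, dst: str) -> str:
        """Return 'permit' or 'block' for one connection src -> dst."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in PCI_SEGMENT and d not in PCI_SEGMENT:
            return "permit"                       # out of scope for this filter
        direction, remote = ("outbound", d) if s in PCI_SEGMENT else ("inbound", s)
        cc = country_of(remote)
        if cc not in self.blocked:
            return "permit"                       # includes INTERNAL and UNKNOWN
        self.notifications.append((direction, str(remote), cc))
        return "block" if self.mode == "block" else "permit"

    def summary(self) -> Counter:
        """Per-country hit counts: what an administrator reviews before switching modes."""
        return Counter(cc for _, _, cc in self.notifications)


# Constructed connection log: (source, destination).
SAMPLE_CONNECTIONS = [
    ("203.0.113.7", "192.0.2.10"),       # inbound to PCI from XA
    ("192.0.2.10", "198.51.100.200"),    # outbound from PCI to XC (longest match beats XB)
    ("192.0.2.10", "198.51.100.5"),      # outbound from PCI to XB
    ("10.1.1.5", "192.0.2.10"),          # internal host to PCI
    ("203.0.113.9", "10.2.2.2"),         # XA to a non-PCI host: out of scope
    ("192.0.2.10", "100.64.0.1"),        # no geolocation entry
]


def run(mode: str, blocked=("XA", "XC")):
    """Evaluate the sample log under one mode; returns (decisions, filter)."""
    gf = GeoFilter(blocked, mode)
    decisions = [gf.evaluate(src, dst) for src, dst in SAMPLE_CONNECTIONS]
    return decisions, gf


if __name__ == "__main__":
    for mode in ("permit-notify", "block"):
        decisions, gf = run(mode)
        print(mode, decisions, dict(gf.summary()))
```

In permit-notify mode every connection is allowed and the filter accumulates two notifications (one inbound from XA, one outbound to XC); the per-country summary is the evidence used to decide what to block. Switching the same rule to block mode drops exactly those two connections and nothing else. Two caveats a practitioner would keep in mind: the filter deliberately ignores traffic that does not touch the PCI segment, and an address with no geolocation entry is permitted here rather than blocked, which is a policy choice worth making explicitly.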

Next-generation security systems are not inexpensive: ABI's Sen noted that the cost of "just one of the many virtualization [firewall] solutions available" was $375,000.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.