NEWS


News Archive

July 2012

Gig.U Project Aims for an Ultrafast US Internet

June 2012

Bringing Location and Navigation Technology Indoors

May 2012

Plans Under Way for Roaming between Cellular and Wi-Fi Networks

Encryption System Flaw Threatens Internet Security

April 2012

For Business Intelligence, the Trend Is Location, Location, Location

Corpus Linguistics Keep Up-to-Date with Language

March 2012

Are Tomorrow's Firewalls Finally Here Today?

February 2012

Spatial Humanities Brings History to Life

December 2011

Could Hackers Take Your Car for a Ride?

November 2011

What to Do about Supercookies?

October 2011

Lights, Camera, Virtual Moviemaking

September 2011

Revolutionizing Wall Street with News Analytics

August 2011

Growing Network-Encryption Use Puts Systems at Risk

New Project Could Promote Semantic Web

July 2011

FBI Employs New Botnet Eradication Tactics

Google and Twitter "Like" Social Indexing

June 2011

Computing Commodities Market in the Cloud

May 2011

Intel Chips Step up to 3D

Apple Programming Error Raises Privacy Concerns

Thunderbolt Promises Lightning Speed

April 2011

Industrial Control Systems Face More Security Challenges

Microsoft Effort Takes Down Massive Botnet

March 2011

IP Addresses Getting Security Upgrade

February 2011

Studios Agree on DRM Infrastructure

January 2011

New Web Protocol Promises to Reduce Browser Latency

To Be or NAT to Be?

December 2010

Intel Gets inside the Helmet

Tuning Body-to-Body Networks with RF Modeling

November 2010

New Wi-Fi Spec Simplifies Connectivity

Expanded Top-Level Domains Could Spur Internet Real Estate Boom

October 2010

New Weapon in War on Botnets

September 2010

Content-Centered Internet Architecture Gets a Boost

Gesturing Going Mainstream

August 2010

Is Context-Aware Computing Ready for the Limelight?

Flexible Routing in the Cloud

Signal Congestion Rejuvenates Interest in Cell Paging-Channel Protocol

July 2010

New Protocol Improves Interaction among Networked Devices and Applications

Security for Domain Name System Takes a Big Step Forward

The ROADM to Smarter Optical Networking

Distributed Cache Goes Mainstream

June 2010

New Application Protects Mobile-Phone Passwords

WiGig Alliance Reveals Ultrafast Wireless Specification

Cognitive Radio Adds Intelligence to Wireless Technology

May 2010

New Product Uses Light Connections in Blade Server

April 2010

Browser Fingerprints Threaten Privacy

New Animation Technique Uses Motion Frequencies to Shake Trees

March 2010

Researchers Take Promising Approach to Chemical Computing

Screen-Capture Programming: What You See is What You Script

Research Project Sends Data Wirelessly at High Speeds via Light

February 2010

Faster Testing for Complex Software Systems

IEEE 802.1Qbg/h to Simplify Data Center Virtual LAN Management

Distributed Data-Analysis Approach Gains Popularity

Twitter Tweak Helps Haiti Relief Effort

January 2010

2010 Rings in Some Y2K-like Problems

Infrastructure Sensors Improve Home Monitoring

Internet Search Takes a Semantic Turn

December 2009

Phase-Change Memory Technology Moves toward Mass Production

IBM Crowdsources Translation Software

Digital Ants Promise New Security Paradigm

November 2009

Program Uses Mobile Technology to Help with Crises

More Cores Keep Power Down

White-Space Networking Goes Live

Mobile Web 2.0 Experiences Growing Pains

October 2009

More Spectrum Sought for Body Sensor Networks

Optics for Universal I/O and Speed

High-Performance Computing Adds Virtualization to the Mix

ICANN Accountability Goes Multinational

RFID Tags Chat Their Way to Energy Efficiency

September 2009

Delay-Tolerant Networks in Your Pocket

Flash Cookies Stir Privacy Concerns

Addressing the Challenge of Cloud-Computing Interoperability

Ephemeralizing the Web

August 2009

Bluetooth Speeds Up

Grids Get Closer

DCN Gets Ready for Production

The Sims Meet Science

Sexy Space Threat Comes to Mobile Phones

July 2009

WiGig Alliance Makes Push for HD Specification

New Dilemnas, Same Principles:
Changing Landscape Requires IT Ethics to Go Mainstream

Synthetic DNS Stirs Controversy:
Why Breaking Is a Good Thing

New Approach Fights Microchip Piracy

Technique Makes Strong Encryption Easier to Use

New Adobe Flash Streams Internet Directly to TVs

June 2009

Aging Satellites Spark GPS Concerns

The Changing World of Outsourcing

North American CS Enrollment Rises for First Time in Seven Years

Materials Breakthrough Could Eliminate Bootups

April 2009

Trusted Computing Shapes Self-Encrypting Drives

March 2009

Google, Publishers to Try New Advertising Methods

Siftables Offer New Interaction Model for Serious Games

Hulu Boxed In by Media Conglomerates

February 2009

Chips on Verge of Reaching 32 nm Nodes

Hathaway to Lead Cybersecurity Review

A Match Made in Heaven: Gaming Enters the Cloud

January 2009

Government Support Could Spell Big Year for Open Source

25 Reasons For Better Programming

Web Guide Turns Playstation 3 Consoles into Supercomputing Cluster

Flagbearers for Technology: Contemporary Techniques Showcase US Artifact and European Treasures

December 2008

.Tel TLD Debuts As New Way to Network

Science Exchange

November 2008

The Future is Reconfigurable

Are Tomorrow’s Firewalls Finally Here Today?

by George Lawton
 
In an effort to efficiently meet the challenge of the new cyberthreats that arise almost daily, network administrators are beginning to adopt next-generation firewalls in significant numbers.

NGFWs represent an evolution of traditional firewalls to incorporate a variety of security functionalities into a single box or integrated platform.

John Grady, senior research analyst at market-analysis firm IDC, said NGFWs typically include firewall, intrusion-prevention, and identity-based access-control capabilities, as well as the ability to manage the execution of Web-based applications through the firewall.

Consolidating such functions in one device reduces the cost of installing and maintaining security functionality.

NGFWs also offer easier management of, as well as more granular inspection of, control of, and visibility into network traffic than traditional firewalls, explained Patrick Bedwell, security vendor Fortinet’s vice president of product marketing.

Despite such promise, the technology faces performance and implementation challenges that could hinder its adoption.

Firewall Basics

In 1988, AT&T developed the first firewalls, which offered the basic recognition and filtering of packets that represented potential network threats.

More advanced capabilities for closely monitoring connections going through the firewall—for information such as IP addresses, packet sequences, and ports that transmissions try to access—were introduced in the early 1990s.

Shortly thereafter, vendors began adding the ability to monitor traffic from some Web applications and protocols, and to deduce behaviors that could be associated with malware attacks.

Meanwhile, in 1984, researchers began working on intrusion-detection systems (IDSs), which evolved into intrusion-prevention systems.

In 2008, firewall vendors began incorporating IPS technology into their products. The approach monitors networks and other systems for malicious activity, logs relevant information, reports events, and tries to block problems before they can occur.

This led to the creation of NGFWs, which are beginning to become popular.

Leading NGFW products include Barracuda Networks’ NG Firewall, Check Point Software Technologies’ R75, Cisco Systems’ ASA 5500, Fortinet’s FortiGate 5001B, McAfee’s Enterprise Firewall v8, Palo Alto Networks’ PA 500, and SonicWALL’s Next Generation Firewall.

Next-Generation Firewalls

Traditional firewalls block some traffic from applications based primarily on the port or protocol used.

Most application traffic now enters corporate networks via HTTP, whereas in the past it might have entered via, for example, native TCP, native User Datagram Protocol, or Real Time Messaging Protocol.

Legacy firewalls can neither differentiate between wanted and unwanted traffic nor detect malicious applications tunneling within legitimate communications. To receive any HTTP traffic, users thus must let all HTTP traffic pass through their firewalls.

This renders such firewalls less than adequate for many organizations.

Improved Capabilities

Like similar security approaches, NGFWs rely on template-based pattern matching, in which they compare traffic against a database of known threats.

This complex evaluation requires NGFWs to analyze more packets than traditional firewalls handle and to use larger threat databases.

Rather than just monitor the ports or protocols that arriving packets use, NGFWs attempt to reassemble the packets in a way that reveals complex behavior patterns in packet activity; malware being transferred via e-mail, messaging, or Web applications; or unauthorized behavior during user visits to sites such as Facebook.

By looking for a wider array of security issues, NGFWs offer greater visibility than traditional firewalls into network traffic.

The new firewalls can also perform fine-grained analysis of application-traffic patterns. For example, these capabilities could let a firewall allow connections to Facebook but block communications from a problematic application running on the social-networking site.

New interfaces between unified NGFW management consoles and multiple types of security scanners traditionally managed separately let administrators better set fine-grained security policies and analyze suspicious traffic patterns more quickly and easily.

Intrusion Prevention

NGFWs offer intrusion-prevention capabilities, addressing a major problem that many organizations face.

Security experts developed IDS and IPS to conduct deep inspection into packets entering a network, said Greg Young, research vice president at market research firm Gartner Inc.

When an NGFW’s IPS component identifies a possible intrusion, it blocks the connection within the router from which the suspicious traffic is coming.

Reputation Management

Some vendors have added reputation-management capabilities to NGFWs.
This enables the new firewalls to run extra security measures, such as blocking traffic associated with IP addresses known to have been sources of malware or intrusion attempts.
These NGFWs work with either their own or other organizations’ threat-intelligence databases of problematic IP addresses.

Behavior Recognition

Another set of NGFW features identifies abnormal activities by using information from administrators about network users’ identities and expected behaviors.

For example, a Sales Department computer shouldn’t be adjusting router settings, explained Gartner’s Young.

If such activities occur, the NGFW blocks the suspicious internal traffic from the network.

NGFWs and Unified Threat Management

There is some question among experts and in the marketplace as to how NGFWs differ from unified-threat-management products.

IDC’s Grady said UTM devices generally include firewall, IPS, and gateway antivirus features, whereas NGFWs incorporate firewalls, IPS, and application-control and reputation-management features. NGFWs are also typically engineered to handle larger traffic loads.

Vendors generally sell UTMs to small and medium-sized businesses or smaller divisions of large organizations, according to Andrew Hoerner, McAfee’s director of marketing for network security.

They generally market NGFWs to larger organizations with higher performance and scalability requirements, he explained.

According to Grady, NGFW devices frequently use powerful processors, specialized chips for various purposes, faster buses, and improved parallel-processing techniques to provide their functionality.

NGFW Obstacles

Despite their promise, NGFWs pose potential problems in terms of performance, necessary upgrades to existing security infrastructures, and changes to organizations’ operations.

According to Hoerner, many NGFW vendors have yet to create the tools and services necessary to smoothly migrate existing firewalls and rule sets.

Host systems require substantially more computing horsepower to provide each new level of security that NGFWs offer. Using multiple capabilities can reduce system throughput to as low as 1 percent of previous levels, noted Gartner’s Young.

In addition, Hoerner said, many NGFW vendors have not invested enough in developing their own security intelligence for their products and instead have relied on third parties for such information.

In some cases, he explained, this reduces overall effectiveness and makes firewall management more difficult.

Grady said organizations often must get used to the way NGFWs operate in areas such as security-policy creation.

And, Young added, including too many functions in NGFWs can create complexity and reduce performance. Organizations thus might opt to maintain separate applications to provide security for their critical networks.

Looking Ahead

Technological improvements and economies of scale appear likely to drive down costs and improve NGFW performance.

Grady said the market for advanced security applications such as NGFWs will continue to grow as the potential cost savings increase and new threats emerge.