
Palo Alto Networks - Next Generation Firewall

Palo Alto Networks

The days when port = protocol = application are over.

An ever-increasing number of applications are tunneled over a few well-known protocols. In addition, ports are increasingly assigned dynamically rather than statically defined as they were previously. More often than not, application traffic is encrypted. Within the IT industry the phrase "Next Generation" is often used by product manufacturers to describe their product version upgrades. In most cases, the difference between the upgraded product and its predecessor is merely better performance and expanded functionality. However, in the area of perimeter/firewall security, completely revised demands should be placed on functionality due to the changing nature of applications, how ports are assigned, and the fact that more and more data is encrypted.

RADPOINT believes that a true "Next Generation" product must be fundamentally different from anything else on the market. Our implicit definition of the next generation is that the product does a significantly better job at solving one of the IT organization's important problems, which cannot be addressed with existing products (in this case the firewall).

The following criteria should be met in order for a firewall to be called "next generation":
  • Application identification

The firewall should be able to identify any application that communicates. Since there is no standard way to identify applications, an extensive library of application identifiers should be available that includes signatures and behavioral analysis. In order for all ordinary business, entertainment and Internet-based applications to be correctly and comprehensively identified, the library must be continuously updated. It must also be possible to add custom applications.

  • Increased Stateful Inspection

The firewall must be able to detect anomalies at the application level that are typically correlated with different types of intrusion and policy abuse.

  • SSL decryption/encryption

The firewall must be able to decrypt SSL traffic (https) in order to perform the application recognition described above. If the traffic complies with the policy, it should be re-encrypted. This functionality is referred to as an SSL proxy. It eliminates the now very common problem of applications that "hide" in encrypted https traffic over port 443.

  • Control

Traditional firewalls are based on simple allow/deny decisions. Today's reality is much more complex: many Internet applications require a policy that allows certain divisions within an organization to access a given application, or a sub-component of an application, while denying access to other departments. Reports must be able to show which applications pass through or are stopped at the firewall. Policies must be created based on the applications or application groups that should or should not be accessible to different organizational units.

  • Multi-gigabit throughput

For firewalls deployed on major internal LANs, all of the above functions need to be handled at speeds of up to 10 Gbps. Metropolitan area networks also need perimeter firewalls today to manage Internet access at speeds in excess of 1 Gbps. This requires an entirely different architecture "under the hood" for the firewall: programmable custom hardware rather than the standardized components (such as PC processors) used in traditional firewalls. The founders of RADPOINT have unfortunately seen far too many examples of firewall products, from industry-leading manufacturers, that almost or partially satisfy the above functional requirements for "Next Generation" but fail miserably when it comes to performance. This is confirmed by countless independent reviews of so-called UTM firewalls (Unified Threat Management) that come close to RADPOINT's definition of "Next Generation". The reason many UTM firewalls are positioned by the manufacturer for smaller environments is that they simply cannot build them with better performance, using the existing architecture, while maintaining reasonable prices.
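The first and fourth criteria above (application identification and application-based control) can be illustrated with a small Python model. This is an added example written for this page, not RADPOINT's or Palo Alto Networks' code, and the three payload signatures, the user groups and the policy table are constructed for illustration; a real application library is far larger and also uses behavioral analysis. The point it shows is that a decision keyed on the identified application and the user's organizational unit differs from a legacy port-based decision for the same flow.

```python
"""Toy model: identify the application from its first payload bytes rather
than from the destination port, then apply a policy keyed on application and
organizational unit. All signatures, groups and flows below are constructed
for this example."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


# --- Application identification (signature-based, port-independent) -------

def looks_like_tls_client_hello(p: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # followed by a handshake message of type 0x01 (ClientHello) at byte 5.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


def looks_like_http(p: bytes) -> bool:
    # Plain-text HTTP request line starting with a common method.
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
    return any(p.startswith(m) for m in methods)


def looks_like_ssh(p: bytes) -> bool:
    # SSH protocol version exchange banner (RFC 4253).
    return p.startswith(b"SSH-")


# Ordered signature library; the first match wins.
SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("ssl", looks_like_tls_client_hello),
    ("web-browsing", looks_like_http),
    ("ssh", looks_like_ssh),
]


def identify_application(payload: bytes) -> str:
    """Return the application name for the first client payload of a flow."""
    for name, check in SIGNATURES:
        if check(payload):
            return name
    return "unknown"


# --- Policy keyed on application + organizational unit --------------------

@dataclass
class Flow:
    src_user_group: str   # organizational unit of the authenticated user
    dst_port: int         # destination port (deliberately NOT used below)
    payload: bytes        # first bytes sent by the client


# (user group, application, action); "*" matches any group. Constructed.
POLICY: List[Tuple[str, str, str]] = [
    ("finance", "ssh", "deny"),
    ("it-ops", "ssh", "allow"),
    ("*", "web-browsing", "allow"),
    ("*", "ssl", "allow"),
]


def app_based_decision(flow: Flow) -> Tuple[str, str]:
    """Return (identified application, action) under the app-based policy.
    Anything not explicitly allowed is denied."""
    app = identify_application(flow.payload)
    for group, rule_app, action in POLICY:
        if group in ("*", flow.src_user_group) and rule_app == app:
            return app, action
    return app, "deny"


def legacy_port_decision(flow: Flow) -> str:
    """Traditional rule: allow web ports, deny everything else. It never
    looks at the payload, so SSH on port 443 passes unchallenged."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


# Constructed sample flows.
SAMPLE_FLOWS = {
    # SSH tunneled over port 443 from a finance user.
    "ssh_on_443": Flow("finance", 443, b"SSH-2.0-OpenSSH_9.0\r\n"),
    # Ordinary TLS ClientHello on port 443.
    "tls_on_443": Flow("finance", 443,
                       b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
    # Plain HTTP on a non-standard port.
    "http_on_8080": Flow("finance", 8080, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    # SSH on its usual port from the operations group.
    "ssh_on_22": Flow("it-ops", 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        app, action = app_based_decision(flow)
        print(f"{name:12} port={flow.dst_port:<5} app={app:12} "
              f"app-policy={action:5} legacy-port-policy={legacy_port_decision(flow)}")
```

Running the block prints one line per sample flow; the "ssh_on_443" and "http_on_8080" rows are the ones where the two policies disagree, which is exactly the gap the criteria above describe.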

Palo Alto Networks products comply with RADPOINT's definition of a next generation firewall. Its firewalls use several unique identification technologies to correctly identify applications and map user identities, while constantly inspecting traffic for policy abuse. All of this is achieved without sacrificing performance.

ICTexpo Pictures


Thank you to everyone who visited us at ICTExpo in Gothenburg.

We are pleased with the positive feedback on our seminar presentations and the interesting discussions held at our stand.

Palo Alto Products

Palo Alto Networks Exceeds Gartner's Requirements for Next Generation Firewalls

Read more >>

Palo Alto Networks Twitter

PaloAltoNtwks As @nreichenberg shares, app-centric approach to #security allows both biz & security objectives to be reached bit.ly/13zM95I

Saturday, 18 May 2013 via HootSuite

PaloAltoNtwks What does consumerization of IT have to do w/ the #datacenter? Everything. #BYOD could put your DC at risk zd.net/18O7Y3w via @ZDNet

Friday, 17 May 2013 via HootSuite


RADPOINT Palo Alto Film

More and more companies

Choose to migrate to Palo Alto's security platform

Municipality

Product Demo

Watch a demonstration of Palo Alto Networks products >>

Palo Alto Networks on Facebook