Industry Trends

Extending Your NGFW for Complete Application Security

By Mark Byers | June 09, 2016

Security vendors have been touting the advantages of next-generation firewalls (NGFW) that provide application inspection for several years now. As application traffic became more prevalent, criminals found that hiding malware inside application traffic was an excellent way to bypass traditional security. 

They still do. But now, application traffic is ubiquitous. The number of devices on our networks is growing exponentially, along with the volume of application and transactional traffic. While much of it is still passing through the traditional perimeter, that border is becoming increasingly porous. At the same time, application traffic is flowing laterally across the network, and unless it is being rerouted out to the NGFW, it is largely not being inspected.

The types of applications needing inspection are evolving as well. Personal devices now run thousands of applications, many of which are prone to infection. Web applications have become routine and are available in the tens of thousands. And cloud-based applications are being used prolifically by organizations, oftentimes without the knowledge of the company, in a trend that has been dubbed “Shadow IT.” Increasingly, NGFW deployments simply don’t provide enough coverage for today’s web application threat landscape.

A recent IDG survey entitled “Enterprise Web Application Security Challenges and Priorities,” sponsored by Fortinet, highlights some of these challenges. Executives were asked to identify those elements that they felt constituted a complete, end-to-end application security solution. While nearly everyone agreed that firewalls were a key requirement, they also named web application vulnerability scanning, Intrusion Prevention System (IPS) platforms, and HTTPS/SSL offloading as critical tools needed to identify and fight off application-based threats.

When asked to identify the top three challenges for protecting internal and external web applications, a third pointed to securing cloud-based applications as their top concern. This was followed closely by securing legacy/older applications and mobile applications. These executives view legacy applications and mobile apps as the weakest links in their application infrastructure. This creates a complex challenge: securing existing applications while simultaneously securing the burgeoning number of new mobile applications running inside or passing through their distributed networks.

What is clear is that many organizations understand that they need a multi-pronged approach in order to adequately protect themselves from application-based attacks. While traditional and NG firewalls and IPS systems continue to provide a critical security foundation, these executives also identify web application vulnerability scanning, advanced threat protection, DDoS protection, email security, and database monitoring as crucial elements for web application security.

Of course, this creates an entirely new problem. Security teams already have to monitor an average of 14 security management consoles to identify and respond to threats. And they frequently have to hand-correlate threat information and policies between these different systems. Adding to that complexity is hardly comforting from a logistics point of view.

At Fortinet, we don’t believe that the answer to an increasingly complex challenge is more complexity. You can only keep so many balls in the air at the same time before you start dropping them. The best answer to complexity, ironically, is simplicity.

Which is why Fortinet doesn’t just provide organizations with the entire suite of application security tools that key executives have identified that they need most. We have also designed them to work together as an integrated and collaborative solution. We call this the Fortinet Security Fabric.

These different, purpose-built technologies share a common operating system framework, share local and global threat intelligence, can be managed and orchestrated through a single management console, and can automatically coordinate a response to an identified threat anywhere across the entire distributed network environment, from IoT to mobile devices to the cloud. This approach not only dramatically reduces the complexity of managing and orchestrating an effective application security strategy, but also introduces a level of sophisticated visibility and granular control that has never been available before.

So, when considering how to best combat the escalating challenge of protecting your application infrastructure, also consider that sometimes the cure can be worse than the disease. Overwhelming your security and IT staff isn’t really a strategy. An integrated security architecture, however, is.