May 15 2013

Next-Generation Firewalls Simplify Security for Government

Agencies report enhanced functionality and greater visibility from the latest crop of devices.

Aaron Tripp, systems administrator for the Tacoma Housing Authority in Washington, deployed a next-generation firewall to simplify the management burden imposed by multiple security devices.

A few years ago, the Tacoma Housing Authority had a separate firewall, spam filter and web-filtering device. “It just became too much to log into the different systems and also train the staff to use the different interfaces,” Tripp says. “I needed something that would let me train the staff one time, a system they could pick up easily.”

The solution came in the form of a WatchGuard XTM 520 firewall and XTM 2 series devices for the agency’s seven remote locations. The firewalls include the multiple features Tripp sought, such as antivirus, reputation defense, an intrusion prevention system, web URL filtering, application control and even tools for securing a virtual private network.

The WatchGuard system provides the IT staff with an intuitive interface that deepens visibility into the network. “In one instance, I could see that an IP address inside our network was attached to a botnet that was sending out multiple emails that got us put on a blacklist,” Tripp says. Once he discovered that, he was able to identify the culprit and remove the malware.
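The visibility Tripp describes comes from the firewall's own connection logs. As an added example (not code from the article or from WatchGuard, and using a constructed log format rather than WatchGuard's), the check below flags internal hosts that open SMTP connections directly to many distinct external servers instead of going through the agency's mail relay, which is how a spam-sending bot inside the network shows up.

```python
from collections import defaultdict
import ipaddress

# Constructed sample firewall connection log (fields: timestamp src dst dst_port action).
# Addresses are documentation ranges; the format is an assumption, not WatchGuard's.
SAMPLE_LOG = """\
2013-05-14T09:00:01 10.0.1.15 10.0.1.5 25 allow
2013-05-14T09:00:03 10.0.1.22 203.0.113.10 25 allow
2013-05-14T09:00:04 10.0.1.22 198.51.100.7 25 allow
2013-05-14T09:00:04 10.0.1.22 192.0.2.44 25 allow
2013-05-14T09:00:05 10.0.1.22 198.51.100.9 25 allow
2013-05-14T09:00:06 10.0.1.22 203.0.113.88 25 allow
2013-05-14T09:00:07 10.0.1.30 93.184.216.34 443 allow
2013-05-14T09:00:08 10.0.1.15 10.0.1.5 25 allow
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
MAIL_SERVERS = {"10.0.1.5"}                      # assumed sanctioned outbound mail relay


def parse_log(text):
    """Yield (src, dst, port) tuples from the constructed log format, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, port, _ = parts
        yield src, dst, int(port)


def find_direct_smtp_senders(text, threshold=3):
    """Return {internal_src: set(external_dsts)} for internal hosts that opened SMTP
    connections to at least `threshold` distinct external destinations, bypassing the
    sanctioned relay. A workstation has no reason to do this; a spam bot does."""
    dsts = defaultdict(set)
    for src, dst, port in parse_log(text):
        if port != 25 or dst in MAIL_SERVERS:
            continue
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) not in INTERNAL:
            dsts[src].add(dst)
    return {src: d for src, d in dsts.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, targets in find_direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{host} contacted {len(targets)} external SMTP servers directly: {sorted(targets)}")
```

Hosts that pass the sanctioned relay (10.0.1.15 above) are never flagged, so the legitimate mail path stays out of the alert list.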

Tripp notes that the WatchGuard firewall also enables the organization to more easily manage employees’ personal tablets and other mobile devices. When an iPad device connects to the network, the traffic is filtered, and the device must comply with all security policies set by the agency.

“In the past, the devices we used had much more generalized policies,” Tripp explains. “We get more functionality, enhanced security and more visibility from the single WatchGuard device than we had when we used three separate devices.”


The percentage of security professionals who believe that staff access to social networking sites increases the likelihood of an advanced persistent threat or other sophisticated malware attack on the organization

SOURCE: “A Prudent Approach to Next-Generation Firewalls” (Enterprise Strategy Group, January 2013)

John Grady, a research manager for IDC’s security products group, says IT managers such as Tripp opt for multifunction devices because they deliver high value at an affordable price.

“I see this as the gradual evolution of the UTM,” Grady says. “The latest devices offer better integration between technologies, as well as application control and the ability for systems administrators to set very granular policies for users or groups of users.”

Vegas Gets into the Act

Milan Marovich, systems administrator for the Las Vegas Convention and Visitors Authority, says the agency’s WatchGuard firewalls offer multiple benefits.

The organization used to run separate devices for its web traffic, firewalls and VPNs. Now, with a WatchGuard XTM 810 installed at the main facility, Marovich can manage all network traffic and two remote WatchGuard XTM 5 devices from a single console. “The management convenience alone saves us at least an hour a day in maintenance,” he says.

What’s more, the application filtering offered in the latest WatchGuard products enables the IT department to set policies so certain Las Vegas Convention and Visitors Authority workers can access the tools they need to accomplish their work. “If someone needs IM or Facebook for their job, I can give them the rights. But we can block those apps for those who don’t,” he says.

The XTM firewalls are also a big cost saver, Marovich says. When he ran the three separate devices, the annual contracts consistently increased in price. The XTM devices reduce the authority’s licensing costs by 10 to 15 percent per year.

3 Elements of a Next-Gen Security Architecture

Jon Oltsik, a senior principal analyst for the Enterprise Strategy Group, advises organizations to adopt a broad, next-generation security architecture of tightly integrated network services that can be applied throughout the network.

Next-generation network security includes these elements:

  • Central management. A major aspect of next-generation security is the ability to centrally manage security policies, service orchestration/provisioning, monitoring and reporting.
  • Distributed policy enforcement. This capability expedites network security service provisioning throughout the network. For example, a systems administrator can deploy a firewall service at the network perimeter, in the data center, at remote offices or within a physical server hosting multiple virtual servers.
  • Any network security service in any form factor. Next-generation network security can be applied in any type of device or set of services, including fixed-function, multifunction or virtual appliances, or cloud-based managed services.
