Educause Security Discussion mailing list archives

Are you using a "next generation" firewall?


From: David Curry <David.Curry () NEWSCHOOL EDU>
Date: Wed, 20 Jul 2011 09:55:01 -0400

The New School is currently looking at several candidates to replace its
Internet firewalls. We're looking at some of the "next generation"
features that several vendors are now offering, especially:
 
- application identification (writing rules based on applications
rather than simple port/protocol)
- ability to block/control peer-to-peer traffic (usually a subset of
application identification)
- automated blocking based on intrusion prevention signatures and/or
reputation services
- integration with Active Directory/LDAP (writing rules based on
users/groups and logging with user data)
 
We'd like to hear from other schools that are using (or have tried
using) these technologies:
 
- which vendor did you choose?
- which of the above capabilities are you using, and how/for what?
- which of the above capabilities did you try using and give up on (and
why)?
- if your firewall supports it, are you using the SSL decryption
features, and if so, for what?
- do you think the new capabilities have practical value over
"traditional" firewalls, or are they just hype?
 
Thanks,
--Dave
 
 

--
David A. Curry, CISSP • Director, Information Security
The New School • 55 West 13th St. • New York, NY 10011
Tel: +1 212 229-5300 x4728 • david.curry () newschool edu
