5. Your next firewall must scan for threats in allowed collaboration applications like SharePoint, Box.net and MS Office Online.
Many infected documents are stored in collaboration applications, along with some documents that contain sensitive information. Some of these applications, such as SharePoint, rely on supporting technologies that are regular targets for exploits (e.g., IIS, SQL Server). Blocking the application isn't appropriate, but neither is allowing a threat into the organization. Part of safe enablement is allowing an application and scanning it for threats. These applications can communicate over a combination of protocols (SharePoint, HTTPS and CIFS), and require a more sophisticated policy than "block application."
6. Your next firewall must deal with unknown traffic by policy, not by just letting it through.
By default, your firewall should attempt to classify all traffic. This is one area where architecture and security discussion become very important. Positive (default deny) models classify everything, while negative (default allow) models classify only what they are told to classify. For custom-developed applications, there should be a way to develop a custom identifier so that traffic is counted among the known. The security model plays into these requirements again: a positive (default deny) model can deny all unknown traffic, so what you don't know can't hurt you. A negative (default allow) model allows all unknown traffic, so what you don't know will hurt you. For example, many botnets will use port 53 (DNS) for communication back to their control servers. If your next firewall lacks the ability to see and control unknown traffic, bots will be able to drive right through, unimpeded.
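As an added illustration (not code from the original document or from any firewall vendor), the following Python sketch models the two security models described above: traffic on port 53 is classified by content rather than by port number, custom application identifiers can be registered so internal traffic counts as "known", and anything still unclassified falls to the model's default. The DNS header check, the classifier registry and the sample payloads are all constructed for this example.

```python
import struct

def is_dns(payload: bytes) -> bool:
    """True if payload has a plausible DNS header and a parseable question section."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if (flags >> 11) & 0xF not in (0, 1, 2) or qdcount == 0:  # opcode QUERY/IQUERY/STATUS
        return False
    off = 12
    for _ in range(qdcount):
        while True:                               # walk the QNAME labels
            if off >= len(payload):
                return False
            length = payload[off]
            if length == 0:                       # root label ends the name
                off += 1
                break
            if length & 0xC0 == 0xC0:             # compression pointer ends the name
                off += 2
                break
            if length > 63:                       # 0x40/0x80 bits are reserved
                return False
            off += 1 + length
        off += 4                                  # QTYPE + QCLASS
        if off > len(payload):
            return False
    return True

# Registry of application identifiers; custom identifiers are added with register_app().
CLASSIFIERS = {"dns": is_dns}

def register_app(name, predicate):
    """Register a custom identifier so a home-grown application becomes 'known' traffic."""
    CLASSIFIERS[name] = predicate

def classify(payload: bytes) -> str:
    for name, predicate in CLASSIFIERS.items():
        if predicate(payload):
            return name
    return "unknown"

def decide(app: str, model: str, rules: dict) -> str:
    """Apply explicit per-application rules; unmatched traffic falls to the model's default."""
    if app in rules:
        return rules[app]
    return "deny" if model == "positive" else "allow"

# Constructed sample payloads, both observed on UDP/53
DNS_QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
NOT_DNS = b"HELLO:id=1234"        # constructed non-DNS payload riding port 53
RULES = {"dns": "allow"}          # the only explicit rule; everything else is "unknown"
```

Under the positive model the non-DNS payload on port 53 is denied by default; under the negative model the same payload is allowed because no rule mentions it.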
7. Your next firewall must identify and control applications sharing the same connection.
Applications share sessions. To ensure users are continuously using an application platform, whether it's Google, Facebook, Microsoft, Salesforce, LinkedIn or Yahoo, application developers integrate many different applications, which often have very different risk profiles and business value. Let's look at Gmail, which has the ability to spawn a Google Talk session from within the Gmail UI. These are fundamentally different applications, and your firewall should recognize that and enable the appropriate policy response for each.