Next-generation firewalls are increasingly blending not just packet inspection, but also IPS, policy enforcement, and better security intelligence.

Mathew J. Schwartz, Contributor

June 8, 2010


Network security vendor Palo Alto Networks announced Tuesday that its firewalls can now control which groups of users have access to specific Facebook functionality -- reading, posting, chatting, sending messages, using apps, or other plug-ins -- as well as when.

Furthermore, any Facebook activity can also be scanned to ensure that data doesn't contain confidential information and to ensure it's not part of an unfolding security incident, such as a clickjacking worm.

The words "Facebook" and "firewall" might not seem like a natural fit, but according to Gartner Group, this is the direction in which next-generation firewalls are evolving.

Today, firewalls typically provide stateful packet inspection -- keeping track of network connections -- while a different appliance serves as a network-based intrusion prevention system (IPS). But according to Gartner, that approach has become outdated as applications move to the cloud, and users begin using the Internet not just occasionally, but constantly, both at home and at work.

"Before, it was one port, one application. Things were really straightforward, but now there's a whole bunch of gray, and digging into that grayness is a challenge that the stateful firewall and packet filtering hasn't been able to deal with," said Greg Young, the Gartner analyst responsible for network security, in a security webinar.

Next-generation firewalls, however, can help, he said, by blending the usual firewall stateful inspection -- at enterprise scale -- together with an IPS that's closely integrated with the firewall.

These next-generation firewalls -- as defined by Gartner -- also provide "full stack visibility" to see not just which applications are running, but who's using them, as well as "extra firewall intelligence" that puts all of the disparate pieces of information together to provide better security and policy enforcement, he said.

Increasingly, these devices will also be able to enforce policies based on user and application types. For example, companies could block Facebook outside of work hours for anyone who doesn't need access to the site for work, such as corporate communications. Or universities could shape traffic for peer-to-peer applications to minimize the bandwidth they consume during the day, but relax restrictions at night.
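As an added illustration, not code from the article or from any vendor it mentions, the following Python model shows how the user-, application-, function- and time-aware policies described above can be evaluated with first-match semantics and a default deny; the group, application and function names, the working hours and the shaping rate are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

ALL_DAY = time(0, 0)  # a rule whose start and end are both ALL_DAY applies at any hour

@dataclass(frozen=True)
class Rule:
    group: str   # user group the rule applies to, or "*" for everyone
    app: str     # identified application (application-aware classification, not port)
    func: str    # application function, e.g. "read", "post", "chat", or "*"
    start: time  # window start (inclusive)
    end: time    # window end (exclusive); end < start means the window wraps midnight
    action: str  # "allow", "deny", or "shape:<rate>" for traffic shaping

def in_window(now: time, start: time, end: time) -> bool:
    """True when `now` falls inside [start, end); handles all-day and wrapped windows."""
    if start == end:
        return True
    if start < end:
        return start <= now < end
    return now >= start or now < end          # e.g. 18:00 -> 08:00 the next morning

def matches(rule: Rule, group: str, app: str, func: str, now: time) -> bool:
    return (rule.group in ("*", group) and rule.app == app
            and rule.func in ("*", func) and in_window(now, rule.start, rule.end))

def evaluate(rules: list, group: str, app: str, func: str, now: time) -> str:
    """First matching rule wins (usual firewall ordering); no match means deny."""
    for rule in rules:
        if matches(rule, group, app, func, now):
            return rule.action
    return "deny"

WORK_START, WORK_END = time(8, 0), time(18, 0)

# Constructed policy modelling the article's two examples; names are hypothetical.
POLICY = [
    Rule("corp-comms", "facebook", "*", ALL_DAY, ALL_DAY, "allow"),       # comms team: anything, anytime
    Rule("*", "facebook", "read", WORK_START, WORK_END, "allow"),          # everyone else: read-only, work hours
    Rule("*", "facebook", "*", ALL_DAY, ALL_DAY, "deny"),                  # ...and nothing else, ever
    Rule("*", "bittorrent", "*", WORK_START, WORK_END, "shape:256kbps"),   # P2P throttled during the day
    Rule("*", "bittorrent", "*", WORK_END, WORK_START, "allow"),           # ...unrestricted at night
]

def check(group: str, app: str, func: str, hhmm: str) -> str:
    """Evaluate POLICY for a session seen at wall-clock time 'HH:MM'."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    return evaluate(POLICY, group, app, func, time(hours, minutes))
```

Rule order matters: moving the catch-all Facebook deny above the read-only rule would silently block reading for everyone, which is why policy review tools check for shadowed rules.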

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
