Next Generation Firewalls: Have you made the leap?
Hello everyone, I am back to talk about another rapidly changing technology. Last month I talked about SD-WAN, a kind of 101 version, and I hope you found some useful information. This month we are going to talk about “Next Generation Firewalls” (NGF). There is also another term, “Unified Threat Management”, which has subtle differences but for all practical purposes performs most of the same functions as an NGF.
We are going to go back in time for a bit and look at what a traditional firewall’s function was before we all finally realized “holy moly, I have all kinds of data coming in and out of my network and I am not sure what is good or bad”. That statement is still applicable in many cases, but now you have some control and the ability to see that unknown traffic. Let’s check it out.
The older firewalls, which some of you may still have in operation, are basically devices that allow traffic into your network and out of your network. This can be accomplished with a stateless method, which typically filters on IP or HTTP protocol fields, or with a stateful method, which really depends on the protocol. So let me define this a bit more simply:
If using no state (stateless), it just checks each packet individually and cannot discern a traffic flow.
If traffic is configured stateful, it is able to track the traffic flow using a monitored protocol (TCP or BGP) and just keeps an eye on the flow during its lifetime on the network (is it active, or is it closing?).
Yes, the old firewall can perform Network Address Translation (NAT) or Port Address Translation (PAT), and can provide Virtual Private Network (VPN) connectivity as well as high availability features and performance.
It is definitely not adequate for the needs of the 21st century, and if you are still using one of these “boat anchors”, more likely than not you are vulnerable to a host of issues.
Let’s take a 30,000-foot look at what these new firewalls can do.
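To make the stateless versus stateful distinction concrete, here is an added example (my own illustration, not code from the post or from any firewall vendor) that runs a stateless ACL and a tiny TCP flow tracker over constructed packets: the tracker only admits packets belonging to a connection it watched open, while the stateless rule has to trust the ACK flag on its own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" SYN, "SA" SYN-ACK, "A" ACK, "FA" FIN-ACK

def stateless_allow(pkt: Packet) -> bool:
    """Old-style ACL: permit port 80 inbound, and trust the ACK flag alone for return traffic."""
    return pkt.dport == 80 or (pkt.sport == 80 and "A" in pkt.flags)

class StatefulTracker:
    """Allows a packet only if it opens a flow to port 80 with SYN or belongs to a flow seen opening."""
    def __init__(self) -> None:
        self.flows: dict[tuple, str] = {}  # flow key -> TCP state

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return tuple(sorted(((pkt.src, pkt.sport), (pkt.dst, pkt.dport))))  # direction-independent

    def inspect(self, pkt: Packet) -> bool:
        k = self._key(pkt)
        state = self.flows.get(k)
        if pkt.flags == "S":                      # new connection attempt
            if state is None and pkt.dport == 80:
                self.flows[k] = "SYN_SENT"
                return True
            return False
        if state is None:                         # mid-stream packet for a flow never seen opening
            return False
        if pkt.flags == "SA" and state == "SYN_SENT":
            self.flows[k] = "SYN_RECV"
        elif "F" in pkt.flags:                    # first FIN, then the other side's FIN
            self.flows[k] = "FIN2" if state == "FIN1" else "FIN1"
        elif "A" in pkt.flags:
            if state == "SYN_RECV":
                self.flows[k] = "ESTABLISHED"
            elif state == "FIN2":                 # final ACK: the flow is gone
                del self.flows[k]
        return True

def demo() -> tuple[bool, bool, bool]:
    t = StatefulTracker()
    c, s = ("10.0.0.5", 51000), ("198.51.100.10", 80)   # constructed client and web server
    hs = [Packet(*c, *s, "S"), Packet(*s, *c, "SA"), Packet(*c, *s, "A")]
    handshake_ok = all(t.inspect(p) for p in hs)
    stray = Packet("198.51.100.10", 80, "10.0.0.7", 40000, "A")  # ACK for a flow never seen opening
    return handshake_ok, stateless_allow(stray), t.inspect(stray)  # (True, True, False)
```

The stateless rule passes the stray ACK because the flag looks like return traffic; the tracker drops it because no SYN for that 4-tuple was ever seen.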
- Application Awareness – it can monitor traffic from Layers 2 through 7 of the OSI model and make a determination of the type of traffic being sent or received. The most common is port 80 or HTTP traffic, but this is no longer the de facto case, as many applications use this port to transport data between the device and the server. So the underlying duty of the next gen firewall is to discern the real application from what looks like just HTTP or web traffic at the firewall, before it reaches its destination, and to allow the application traffic to pass based on the firewall policy. They also look at the header and the payload and analyze the data. An example of this would be: if a firewall sees a payload that is, let’s say, 200KB, and then someone who may have gotten infected with a Trojan causes the size of the same payload to increase to 201KB, the firewall would block this application as it did not meet the criteria of the approved application. Pretty cool, huh?
- Identity Aware – with NGFs you now have the ability to track not only the identity of the traffic, but by using authentication mechanisms (AD, LDAP) you can track the specific user that is allowed to use this traffic. At a minimum you can track the IP address or the MAC address if this feature is not used.
- Stateful inspection – still needed, but it has to go beyond Layer 4 inspection to Layer 7, the application layer.
- Intrusion Prevention System – this, to me, is the game changer for next gen firewalls. It allows a firewall to detect attacks based on different techniques such as threat signatures, known exploit attacks, anomalous activity and behavioral traffic analysis. This could be done in conjunction with the older firewalls, but you needed another appliance or application performing this function. In next gen it is integrated.
- External intelligence sources – the firewall can talk to external sources to gain additional information about new threats or receive updates automatically without an administrator having to perform this function. Some of the sources would be the manufacturer’s threat signature databases or Snort, whose rules form a huge database of most of the known threats throughout the world and are basically maintained by a multitude of vendors and government entities.
And of course all the old firewall functions described at the beginning of the post are built into the NGFs as well.
I am sure some of you are wondering how you can integrate a next gen firewall into your current network. It is easier than you think. Since all new and most of the older firewalls can operate in bridged or routed mode, the next gen firewall can be placed as a bridge (transparent mode) without affecting the older routed firewall in production. Once you have transitioned the access control lists (ACLs) and any other configuration to the next gen firewall, you can convert it to routed mode.
Performance is no longer an issue either. Remember turning on stateful inspection on that first firewall and everyone complaining about how slow the Internet was? That is not much of an issue any more; these newer firewalls have multi-core architectures that can inspect packets in microseconds. Now that is fast!
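The application-awareness point above (port 80 no longer means HTTP) is easiest to see in code. This is an added example of my own, not a vendor's engine or anything from the post: a few content signatures identify the application from the first client bytes, and the verdict is compared with a port-only decision over constructed sample flows.

```python
import re

# Signatures for the first client bytes of a connection (illustrative, not a vendor's actual engine).
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
SSH_BANNER = b"SSH-2.0-"

def identify_app(payload: bytes) -> str:
    """Name the application from payload content, ignoring the port entirely."""
    if HTTP_REQUEST.match(payload):
        return "http"
    if payload.startswith(SSH_BANNER):
        return "ssh"
    # TLS: record type 0x16 (handshake), major version 3, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    return "unknown"

# Policy: which application each open port is meant to carry.
PORT_POLICY = {80: "http", 443: "tls", 22: "ssh"}

def legacy_decision(dport: int) -> str:
    """Old firewall: the port number is the whole story."""
    return "allow" if dport in PORT_POLICY else "block"

def app_aware_decision(dport: int, payload: bytes) -> tuple[str, str]:
    """Next gen: allow only when the identified application matches the port's policy."""
    app = identify_app(payload)
    return app, ("allow" if PORT_POLICY.get(dport) == app else "block")

# Constructed sample flows (dst port, first client bytes); not taken from a real capture.
SAMPLES = {
    "web browsing":        (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "ssh on port 80":      (80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "tls on 443":          (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),
    "unknown blob on 443": (443, b"\x00\x00\x00\x10\xde\xad\xbe\xef" + b"\x00" * 8),
}

def compare() -> dict[str, tuple[str, str, str]]:
    """For each sample: (legacy verdict, identified app, app-aware verdict)."""
    out = {}
    for name, (dport, payload) in SAMPLES.items():
        app, verdict = app_aware_decision(dport, payload)
        out[name] = (legacy_decision(dport), app, verdict)
    return out

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:22} legacy={row[0]:5} app={row[1]:7} ngfw={row[2]}")
```

A real NGF engine uses far richer signatures and decrypts TLS where policy allows, but the decision structure is the same: the port opens the door, the identified application decides whether the traffic walks through it.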
What is the future of firewalls?
From what I have read from security experts, the future firewall needs to discern between legitimate and illegitimate traffic automatically, to identify and stop never-before-seen threats in real time, but in order to do this performance increases are going to be needed. Network speeds also need to be considered: a minimum of 10 GB per second and beyond needs to be addressed.
Please remember, next gen firewalls are not the end-all, be-all when it comes to security and protecting your network. Firewalls offer poor protection against unknown attacks or threats such as a zero-day exploit or a Trojan never seen before, but they can complement other security solutions such as antivirus or endpoint protection, creating new rules or policies based on a behavior you have observed or identified, or even a managed security service that can offer high-end intrusion detection with vulnerability assessments that keep you informed of hosts that have security gaps, maybe in the OS or in a built-in management application.
Choosing a firewall can be daunting because their claim to fame is stopping threats, although from my experience doing a proof of concept on 4 different firewalls, they all do pretty much the same thing. Consider not only features but also the speed at which it can inspect packets or encrypt and decrypt, as well as the management tools. If you have multiple firewalls it is nice to be able to monitor and push changes from a single pane of glass. Most firewalls today have a GUI built in, but you may need the command line to perform debugging or logging functions. Also make sure the manufacturer’s firewalls can do the same from the lowest model to the enterprise model, with the difference of course mainly being speed, throughput, active connections and VPN connections.
Reporting is important. Make sure you can get what you need to report to C-level or senior management. Canned reports are helpful, but you need the ability to customize a report for, say, a specific event that alerted you. Some offer reports based on PCI, PII and HIPAA security standards as well.
Most if not all NGFs are subscription based for continuous updates of threats, and even zero day events can be auto-uploaded from the manufacturer within a few hours of the event. These subscriptions are offered in a variety of packages, whether you want email protection, malware protection, zero day protection, etc., and can range in price. If you ask me, there is nothing too expensive when you are responsible for protecting the firm’s reputation and clients’ assets.
If you do not have a next gen firewall in production at every site that has Internet connections, you better make that part of your FY 2017 project list ASAP!
See y’all next time.
Sources
IDG
Informationweek
Links
Next Gen firewalls vs Traditional firewalls
Choosing a Next Gen Firewall