Because the threat landscape keeps changing, some security products, such as firewalls and IDS/IPS, are becoming obsolete because of the older technologies employed within them. In this article, we will learn why the traditional firewall failed to cope with new threats and how the Next Generation Firewall addresses the new needs of perimeter security. We will also go through a checklist that will come in handy for organizations implementing Next Gen Firewalls to secure their perimeter.
1. Why are Traditional Firewalls not sufficient anymore?
A decade back, traditional firewalls played the most important role in securing the perimeter of an organization's network. Applications were simple, and to protect them an organization would rely on port + protocol logic alone. If the port and protocol for a particular application were blocked, the application was considered secure. But the Internet has come a long way since then. With the arrival of Web 2.0, applications have moved to an altogether different level, and the Internet is no longer just about surfing.
Port-based firewalls inspect a network stream by looking at the header of the first packet of a session and then apply the configured rules to the whole session. They have no capability to distinguish between different applications using the same port. Because a port-based firewall has no idea what is going on inside the packet, it cannot check for malware in packets destined for a legitimate business application. Traditional firewalls were not intelligent enough to allow traffic on an authorized-need basis. To revive firewalls, vendors came up with the concept of Unified Threat Management (UTM), which bundles several blades of other security products such as IDS/IPS into one box. IDS/IPS works with protocol anomaly detection and signature- or heuristic-based analysis, but the problem remains the same: the IDS/IPS does not understand the application and works blindly on anomaly detection.
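To make the limitation concrete, here is a small simulation, added to this article rather than taken from it or from any vendor's product, that puts a port-based rule table next to an application-signature lookup. The three flows, their payloads and the tiny signature list are constructed for illustration; the prefixes used (the SSH banner, the BitTorrent handshake marker, HTTP request methods) are real protocol markers, but a production application library is far larger and uses deeper decoding.

```python
"""Port-based vs application-aware filtering, simulated on constructed flows."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes  # first client bytes of the session (constructed samples)


# Port-based rule table: (proto, dst_port) -> action; anything else is denied.
PORT_RULES = {
    ("tcp", 80): "allow",
    ("tcp", 443): "allow",
    ("tcp", 22): "deny",
}


def port_based_decision(flow: Flow) -> str:
    """Decide on the first packet's header alone; the payload is never consulted."""
    return PORT_RULES.get((flow.proto, flow.dst_port), "deny")


# Simplified application signatures matched against the first client bytes.
# Constructed for this example: real NGFW libraries decode much deeper than this.
APP_SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-2.0-")),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("web-browsing", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")),
]


def identify_app(flow: Flow) -> str:
    """Name the application from payload content, ignoring the port entirely."""
    for name, matcher in APP_SIGNATURES:
        if matcher(flow.payload):
            return name
    return "unknown"


# Application-based policy: the business app is allowed, everything else denied.
APP_RULES = {"web-browsing": "allow", "ssh": "deny", "bittorrent": "deny", "unknown": "deny"}


def app_based_decision(flow: Flow) -> str:
    return APP_RULES[identify_app(flow)]


# Constructed sessions: two of them hide a non-web protocol on a web port.
FLOWS = {
    "browser on 80": Flow("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "ssh hidden on 443": Flow("tcp", 443, b"SSH-2.0-OpenSSH_9.0\r\n"),
    "torrent hidden on 80": Flow("tcp", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
}


def compare() -> dict:
    """Return {flow name: (port-based action, identified app, app-based action)}."""
    return {
        name: (port_based_decision(f), identify_app(f), app_based_decision(f))
        for name, f in FLOWS.items()
    }


if __name__ == "__main__":
    for name, (port_d, app, app_d) in compare().items():
        print(f"{name:22} port-based={port_d:5} app={app:13} app-based={app_d}")
```

Both hidden sessions pass the port-based table because their first packet header looks like ordinary web traffic; only the payload-level identification separates them from real browsing, which is the gap the rest of the article is about.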
2. What is a Next Gen Firewall?
Next Gen Firewalls have come to the rescue of the traditional firewall. They provide all the benefits of a traditional firewall, such as stateful inspection, NAT/PAT support and VPN support, along with advanced security features such as identifying applications regardless of port or protocol, high performance, and policy-based control over applications. Basically, Next Gen Firewalls are intelligent firewalls that allow traffic on a need + security basis rather than on the traditional port + protocol basis.
3. How is a Next Gen Firewall different?
This section lists some data points that make a Next Gen Firewall different from, and superior to, traditional firewalls.
- Traditional firewalls collapsed because they depend solely on the port + protocol pair to allow or block traffic, whereas Next Gen Firewalls identify applications by analyzing application signatures, regardless of ports and protocols. Next Gen Firewalls also decrypt traffic to see what is inside it and decode protocols to reveal other protocols tunneled within them. On this point many would call the Next Gen Firewall a twin of UTM, but UTMs were never meant to provide high performance and are typically adequate only in smaller environments.
- Next Gen Firewalls integrate with user stores such as Active Directory (AD). This user-to-IP address mapping and AD integration lets the firewall harvest more information about users, such as their groups and roles, and so behave more intelligently. This feature was entirely missing from traditional firewalls.
- Next Gen Firewalls can also inspect permitted traffic for threats in real time. They decode application streams and inspect them against a single, universal threat signature set, which removes the need to check for different threats in different engines and thus increases performance.
4. What Next Gen Firewalls are not
When it comes to the functions of a Next Gen Firewall, various security devices on the market may appear to do the same thing. However, Next Gen Firewalls should not be compared with:
- UTM devices, which are not built for high performance.
- A proxy, which has firewall and proxy capability but no application signature library like a Next Gen Firewall, so every application has to be handled explicitly.
- Web Application Firewalls (WAF), which are designed to inspect only Layer 7 instead of the whole OSI stack, which a Next Gen Firewall does.
5. Checklist for Next Gen Firewalls
Before deploying a Next Gen Firewall, organizations must check that the product has certain features in order to really act as a Next Generation Firewall device. Some of these features are listed below.
- Next Gen Firewalls should identify applications, not ports: Organizations should choose vendors that maintain a library of application signatures, as this lets an organization expose its business-critical applications while blocking applications that pose a threat.
- Next Gen Firewalls should identify users, not just IP addresses: Organizations should check whether the NGFW offers user-to-IP address mapping. The NGFW must integrate with directory services such as Active Directory. Since user-to-IP mapping makes it possible to control the activity of specific users, this feature is a must. Techniques include login monitoring, which correlates an IP address with user information when the user logs in to the domain, and workstation IP address polling, which verifies IP address information and so keeps the mapping accurate when users move around the network.
- Next Gen Firewalls should identify content, not just packets: Next Gen Firewalls must be able to inspect packets for threats. They should be able to start inspecting a file as soon as its first packet is received, rather than waiting for the whole stream and then processing it. The NGFW should also use a single scanning engine for all possible threats instead of multiple engines for multiple attack vectors, which greatly improves performance. It should also offer features such as URL filtering and data filtering by type, size, etc.
- Next Gen Firewalls should give more granular control: Next Gen Firewalls should provide more control than traditional firewalls, whose controls are limited to allow and deny. Thanks to their new features, Next Gen Firewalls must offer controls such as "Allow but Scan", "Decrypt and Inspect", "Allow for Certain User Group", etc.
- High performance: Next Gen Firewalls must provide real-time protection without introducing latency. Features such as a single scanning engine for all types of malware help greatly in scanning packets in a time-efficient manner.
- Reliable, flexible and easy to maintain: Next Gen Firewalls should be flexible enough to fit into an existing IT landscape, with features such as IPv6 support and dynamic routing protocols like BGP. They should support active-passive and active-active failover architectures. They should be easy to maintain and must support remote, local or centralized management. Role-based administration also belongs on the checklist.
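The second and fourth checklist items (user-to-IP mapping kept fresh by login monitoring and workstation polling, and actions richer than allow/deny) are easiest to see as a small policy engine. The following is an added example written for this article, not code from any firewall product; the directory contents, logon events, addresses and rules are all constructed, and the application names are assumed to come from the kind of signature-based identification discussed earlier.

```python
"""User-to-IP mapping and granular policy actions, simulated on constructed data."""
from dataclasses import dataclass
from typing import Optional

# Constructed directory data: what a lookup against AD would return for each user.
DIRECTORY = {
    "alice": {"finance", "staff"},
    "bob": {"it-admins", "staff"},
    "carol": {"contractors"},
}


class UserIPMap:
    """The IP -> user table the firewall consults for every new session."""

    def __init__(self) -> None:
        self._ip_to_user: dict = {}

    def observe_login(self, user: str, ip: str) -> None:
        """Login monitoring: a domain logon record ties a user to an address."""
        self._ip_to_user[ip] = user

    def poll_workstation(self, ip: str, logged_in_user: Optional[str]) -> None:
        """Workstation polling: the host reports who is logged in right now,
        correcting entries that went stale after a user moved or logged off."""
        if logged_in_user is None:
            self._ip_to_user.pop(ip, None)
        else:
            self._ip_to_user[ip] = logged_in_user

    def user_for(self, ip: str) -> Optional[str]:
        return self._ip_to_user.get(ip)


@dataclass(frozen=True)
class Rule:
    group: Optional[str]  # None matches any source, including unmapped addresses
    app: str              # application name as identified by the firewall
    action: str           # richer than allow/deny, as the checklist asks for


# Evaluated top-down; first match wins; no match falls through to "deny".
POLICY = [
    Rule("it-admins", "ssh", "allow"),
    Rule("finance", "banking-portal", "decrypt-and-inspect"),
    Rule("staff", "web-browsing", "allow-but-scan"),
    Rule("contractors", "web-browsing", "allow-but-scan"),
    Rule(None, "ssh", "deny"),
]


def decide(mapping: UserIPMap, src_ip: str, app: str) -> tuple:
    """Return (resolved user or None, action) for a new session."""
    user = mapping.user_for(src_ip)
    groups = DIRECTORY.get(user, set())
    for rule in POLICY:
        if rule.app == app and (rule.group is None or rule.group in groups):
            return user, rule.action
    return user, "deny"


def replay() -> dict:
    """Walk a constructed sequence of logon events and policy lookups."""
    m = UserIPMap()
    out = {}
    m.observe_login("alice", "10.0.1.20")
    m.observe_login("bob", "10.0.1.21")
    out["alice banking"] = decide(m, "10.0.1.20", "banking-portal")
    out["alice ssh"] = decide(m, "10.0.1.20", "ssh")
    out["bob ssh"] = decide(m, "10.0.1.21", "ssh")
    out["unmapped web"] = decide(m, "10.0.9.9", "web-browsing")
    # alice moves; her old address is handed to a contractor who logs on there
    m.observe_login("carol", "10.0.1.20")
    out["carol at alice's old ip"] = decide(m, "10.0.1.20", "banking-portal")
    # bob logs off; polling his workstation finds nobody and clears the entry
    m.poll_workstation("10.0.1.21", None)
    out["bob's ip after logoff"] = decide(m, "10.0.1.21", "ssh")
    return out


if __name__ == "__main__":
    for scenario, (user, action) in replay().items():
        print(f"{scenario:26} user={user!s:6} action={action}")
```

The two "after" lookups are the point of the polling and login-monitoring requirement: without the mapping being refreshed, the contractor who inherited alice's address would have been granted the finance rule, and bob's vacated address would still have carried his SSH allowance.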