Information technology trends have changed drastically in the last 15 years, and much of that change has been driven by advances in consumer products. With the advent of mobile devices and workplace BYOD, social media and the explosion of IoT, security management has never been more critical or more challenging. Today's technology-enabled devices also interact with business networks, used both by external users and by employees using personal devices for work purposes (BYOD). This produces a need to provide security, network visibility, control and user visibility without an exponential increase in the resources required.
This evolution has led to the development of what is being called the Next Generation Firewall (NGFW). These new security devices provide significant benefits, such as control and visibility over the traffic entering the firewall's ports. In a traditional firewall, ports are simply opened or closed to allow or disallow traffic, without considering any other characteristics of that traffic. With an NGFW, the administrator can limit access based on the specific application and its content, rather than accepting or rejecting traffic solely on port numbers.
With a traditional firewall, traffic is accepted based on a designated port and IP address. With an NGFW, traffic is accepted based on user ID (not port), IP address and traffic content. Figure 3 shows an example of the port-based configuration of a traditional firewall.
When comparing how traditional and legacy firewalls assess data with how NGFWs assess data, note that in an NGFW the ports are identified by the traffic flowing through them, along with specific information about the user sending the traffic, the traffic's origin, and the type of traffic (content) received.
A next generation firewall provides protection against a range of advanced threats, protecting applications, data and users. To address today's concerns, it needs the ability to identify and control the applications running over a network and to integrate an intrusion detection system with deep packet inspection capabilities. It must also verify a user's or device's identity and enforce access policies accordingly.
Here's a breakdown of the features within an NGFW:
Intrusion Prevention System (IPS). The IPS blocks malicious network activity, whereas an Intrusion Detection System (IDS) detects malicious activity but does not block it; IDS functionality is integrated into IPS technology. IPS has been used as part of edge-based protection as a firewall enhancement; however, it is more effective when tied into network segregation, enabling protection against both internal and external attacks on critical servers.
Deep Packet Inspection (DPI) is the act of examining the payload, or data portion, of a network packet as it passes through a firewall or other security device. DPI identifies and classifies network traffic based on signatures in the payload, and examines packets for protocol errors, viruses, spam, intrusions or policy violations.
Network Application Identification and Control. Traditional firewall protection detects and restricts applications by port, protocol and server IP address; it cannot detect malicious content or abnormal behavior in many web-based applications. NGFW technology with Application Control allows you to identify and control applications on networks and endpoints regardless of port, protocol and IP address. It gives visibility and control over application traffic, even unknown applications from unknown sources, and inspects encrypted application traffic. Protocol decoders normalize traffic and uncover applications attempting to evade detection through obfuscation techniques. Following identification and decryption, application traffic is either blocked, or allowed and scanned for malicious payloads.
Application control even decrypts and inspects traffic using encrypted communications protocols, such as HTTPS, POP3S, SMTPS and IMAPS.
Access Enforcement. When a user attempts to access network resources, the NGFW controls access to the network and to network applications based on the user, the user's groups and/or the IP address. The connection request is allowed only if the user belongs to one of the permitted user groups, and the assigned firewall policy is then applied to all traffic to and from that user.
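As an added illustration (not code from the original article or from any vendor's product) of the contrast drawn above between port-based filtering and user- and application-aware enforcement, the following Python sketch evaluates the same constructed flows against both models. The Flow record, the payload signatures, the users, groups and policy rows are all constructed for this example; a real NGFW would resolve the user from a directory and carry far richer signatures.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src_ip: str
    user: str        # identity resolved for the source (constructed; a real NGFW queries a directory)
    dst_port: int
    payload: bytes   # first bytes of application data, already decrypted if it was carried in TLS

# Constructed payload signatures: the application is identified from content, not from the port.
def identify_app(payload: bytes) -> str:
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        return "http"
    return "unknown"

# Traditional firewall: a port is open or closed, nothing else is considered.
LEGACY_OPEN_PORTS = {80, 443}

def legacy_decision(flow: Flow) -> str:
    return "allow" if flow.dst_port in LEGACY_OPEN_PORTS else "deny"

# Constructed group memberships and an NGFW policy of (group, application, action) rows,
# evaluated top-down with first match winning and an implicit deny at the end.
GROUPS = {"alice": {"finance"}, "bob": {"it-admins"}}
NGFW_POLICY = [
    ("it-admins", "ssh", "allow"),
    ("it-admins", "http", "allow"),
    ("finance", "http", "allow"),
]

def ngfw_decision(flow: Flow) -> tuple:
    # Returns (action, identified_app): the decision depends on who the user is and what
    # the traffic actually is, so the destination port plays no role here.
    app = identify_app(flow.payload)
    for group, policy_app, action in NGFW_POLICY:
        if group in GROUPS.get(flow.user, set()) and policy_app == app:
            return action, app
    return "deny", app

if __name__ == "__main__":
    # Constructed flows: SSH delivered to port 443 is indistinguishable from HTTPS to a port filter.
    flows = [
        Flow("10.0.0.5", "alice", 443, b"SSH-2.0-OpenSSH_9.0\r\n"),
        Flow("10.0.0.7", "bob", 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
        Flow("10.0.0.5", "alice", 80, b"GET /report HTTP/1.1\r\n"),
    ]
    for f in flows:
        print(f.user, f.dst_port, "legacy:", legacy_decision(f), "ngfw:", ngfw_decision(f))
```

The first flow is where the two models diverge: the port filter allows it because 443 is open, while the application-aware policy denies it because a finance user is not permitted to use SSH, whatever port it arrives on.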
Distributed Enterprise-level Capability. NGFWs are capable of operating in large, distributed enterprise networks. The foundation of the enterprise campus offering is a high-performance NGFW that adds intrusion prevention, application control and antimalware to the traditional firewall and VPN combination.
VPN. Virtual Private Network (VPN) technology allows organizations to establish secure communications and data privacy between multiple networks and hosts using IPSec and secure sockets layer (SSL) VPN protocols. Both VPN services leverage custom ASIC network processors to accelerate encryption and decryption of network traffic. Once the traffic has been decrypted, multiple threat inspections—including antivirus, intrusion prevention, application control, email filtering and web filtering—can be applied and enforced for all content traversing the VPN tunnel.
Interoperable with Third-Party Management. Enterprise-class appliances deliver the comprehensive security solution that Managed Security Service Providers (MSSPs) require. They allow the full suite of ASIC-accelerated security modules to be used for customizable value-added features for specific customers. NGFW appliances include the ability to create multi-tenant virtual security networks, supporting up to 5,000 separate Virtual Domains (VDOMs) in a single device. The full suite of integrated management applications—including granular reporting features—offers visibility into the security posture of customers while identifying their highest risks.
Application Awareness. While establishing port and protocol are important first steps in identifying traffic, positive identification of application traffic is an important capability added by the NGFW. This requires a multi-factor approach independent of port, protocol, encryption or evasive measures. Application awareness includes protocol detection and decryption, protocol decoding, signature identification and heuristics (behavioral analysis).