There are a lot of changes going on within the enterprise, including many shifts in how applications are used and transported. While these changes are an advantage from a usability perspective, they can also quickly become a nightmare for the information security staff.
To deal with these changes, vendors in the enterprise firewall market have created a new generation of firewall devices dubbed the Next Generation Firewall or NGFW. These devices differ from traditional firewalls in a number of different areas. Let's take a look at these differences and how they affect the security of an enterprise network.
What is a Traditional Firewall?
What exactly is a traditional firewall? For the purposes of this article, and in line with the general consensus of the InfoSec community, a traditional firewall, as it is currently defined, is a device that controls the traffic allowed to enter or exit a point within the network. It typically does this using either a stateless method or a stateful method, depending on the type of protocol being inspected.
A firewall that inspects traffic without state simply checks each packet individually and cannot discern a traffic "flow." A firewall that inspects traffic with state tracks (to a certain level) a traffic flow for the monitored protocol and keeps track of where that flow is within its lifetime (is it just starting? is it actively being used? is it closing down?).
Obviously, a firewall that is able to track state is going to be more effective than one that does not. However, many traditional firewalls are limited to layers 2 through 4 and can only track traffic based on that information.
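To make the stateless/stateful distinction concrete, here is a small added example (written for this article, not code from any firewall product). It models packets with only the layer-3/4 fields a traditional firewall sees and runs them through two filters: a stateless rule set that judges each packet on its own header, and a stateful tracker that remembers flows opened from inside and where each one is in its lifetime (NEW, ESTABLISHED, CLOSING). The address prefix, port 443 rule and packet list are constructed assumptions; the tracker is deliberately simplified (it does not model the client's handshake ACK or retransmitted FINs).

```python
from dataclasses import dataclass

# Constructed packet model: only the layer-3/4 fields a traditional firewall sees.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the packet, e.g. {"SYN"} or {"FIN", "ACK"}

INSIDE = "10.0.0."  # hypothetical internal address prefix


def stateless_allow(pkt):
    """Stateless rule set: each packet is judged on its own header, with no memory.
    Rule 1 lets inside hosts open HTTPS; rule 2 tries to let the replies back in,
    but without state it can only say 'ACK is set', which any packet can claim."""
    if pkt.src.startswith(INSIDE) and pkt.dport == 443:
        return True
    if pkt.dst.startswith(INSIDE) and "ACK" in pkt.flags:
        return True
    return False


class StatefulFilter:
    """Stateful rule set: remembers flows opened from inside and where each one is
    in its lifetime (NEW -> ESTABLISHED -> CLOSING -> gone). Simplified tracker:
    the client's handshake ACK and FIN retransmissions are not modelled."""

    def __init__(self):
        self.flows = {}  # (client, cport, server, sport) -> state

    def _lookup(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows:
            return fwd, "out"
        if rev in self.flows:
            return rev, "in"
        return None, None

    def allow(self, pkt):
        key, direction = self._lookup(pkt)
        if key is None:
            # Only an inside host may open a flow, and only with a bare SYN.
            if (pkt.src.startswith(INSIDE) and pkt.dport == 443
                    and pkt.flags == frozenset({"SYN"})):
                self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "NEW"
                return True
            return False  # no matching flow: dropped, whatever the flags claim
        state = self.flows[key]
        if "RST" in pkt.flags:
            del self.flows[key]  # either side aborted the connection
            return True
        if state == "NEW":
            if direction == "in" and pkt.flags == frozenset({"SYN", "ACK"}):
                self.flows[key] = "ESTABLISHED"
                return True
            return False  # nothing else is valid until the server answers
        if "FIN" in pkt.flags:
            if state == "ESTABLISHED":
                self.flows[key] = "CLOSING"  # first FIN seen
            else:
                del self.flows[key]  # second FIN: both sides are done
        return True


def evaluate(packets):
    """Run both filters over a packet list and return their parallel verdicts."""
    sf = StatefulFilter()
    return [stateless_allow(p) for p in packets], [sf.allow(p) for p in packets]


# Constructed sample: one HTTPS session opened from inside, a forged "reply"
# injected from an unrelated host, and a stray ACK after the session has closed.
SAMPLE = [
    Packet("10.0.0.2", 40000, "203.0.113.5", 443, frozenset({"SYN"})),
    Packet("203.0.113.5", 443, "10.0.0.2", 40000, frozenset({"SYN", "ACK"})),
    Packet("10.0.0.2", 40000, "203.0.113.5", 443, frozenset({"ACK"})),
    Packet("198.51.100.7", 443, "10.0.0.2", 5555, frozenset({"ACK"})),  # forged
    Packet("10.0.0.2", 40000, "203.0.113.5", 443, frozenset({"FIN", "ACK"})),
    Packet("203.0.113.5", 443, "10.0.0.2", 40000, frozenset({"FIN", "ACK"})),
    Packet("203.0.113.5", 443, "10.0.0.2", 40000, frozenset({"ACK"})),  # late
]

if __name__ == "__main__":
    stateless, stateful = evaluate(SAMPLE)
    for pkt, a, b in zip(SAMPLE, stateless, stateful):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{sorted(pkt.flags)} stateless={a} stateful={b}")
```

The forged packet (an ACK from a host that never completed a handshake) and the ACK arriving after the session closed are both passed by the stateless rules, because "ACK is set" is the only thing they can check; the stateful tracker drops both because neither belongs to a flow it has seen open.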
Other common features of a traditional firewall include support for Network Address Translation (NAT), Port Address Translation (PAT), and Virtual Private Network (VPN) termination, as well as being able to provide a high level of availability and performance.
What is a Next Generation Firewall (NGFW)?
The term NGFW can be used by any vendor, and the specifics of each vendor's offering can differ slightly from one another. Generally, there are a handful of features included within a NGFW offering:
· Application Awareness,
· Stateful Inspection,
· Integrated Intrusion Protection System (IPS),
· Identity Awareness (User and Group Control),
· Bridged and Routed Modes,
· And the ability to utilize external intelligence sources.
Let's examine these NGFW features in more detail.
· Application Awareness
The biggest difference between a traditional firewall and a NGFW is the fact that these newer devices are application aware. Traditional firewalls rely on common application ports to determine which applications are running and which types of attacks to monitor for. In an NGFW device, it is not assumed that a specific application is running on a specific port. The firewall itself must be able to monitor the traffic from layers 2 through 7 and determine what type of traffic is being sent and received.
The most common example is the current use of HTTP on port 80. Traditionally this port carried only HTTP traffic, but this is no longer the case: a large number of different applications use this port to transport traffic between an end device and a central server. There are a number of ways that common ports can be reused for other types of traffic, one of the most common being tunneling. With tunneling, traffic is encapsulated within the traditional HTTP data field and de-encapsulated at the destination. From a traditional firewall's perspective, this looks like ordinary HTTP web traffic, but a NGFW identifies its true purpose at the firewall, before it reaches the destination. If the NGFW's policy allows the application, the firewall passes the traffic; if it does not, the firewall blocks it.
· Identity Awareness
Another big difference between a traditional firewall and a NGFW is that the latter is expected to have the ability to track the identity of the local device and user behind the traffic, typically using existing enterprise authentication systems (e.g. Active Directory, LDAP). This way, the InfoSec staff can control not only the types of traffic that are allowed to enter and exit the network, but also what a specific user is allowed to send and receive.
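The following added example (written for this article, not a vendor's code) puts the two preceding points, application awareness and identity awareness, into one policy decision. It classifies a flow to port 80 twice, once by destination port (the traditional approach) and once by looking at the bytes, including inside an HTTP body for a tunnelled protocol, then resolves the source address to a user and group through a constructed stand-in for the directory lookup and evaluates rules keyed on (group, application). The directory contents, fingerprints, rules and sample streams are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes  # leading bytes of the client-to-server stream


# Constructed stand-in for the Active Directory / LDAP lookup a NGFW performs:
# source address -> (user, groups). A real deployment learns this from logon events.
DIRECTORY = {
    "10.0.0.2": ("alice", frozenset({"engineering"})),
    "10.0.0.3": ("bob", frozenset({"finance"})),
}


def resolve_user(src_ip):
    return DIRECTORY.get(src_ip, ("unknown", frozenset()))


WELL_KNOWN_PORTS = {22: "ssh", 80: "http", 443: "tls"}


def app_by_port(flow):
    """Traditional classification: the destination port names the application."""
    return WELL_KNOWN_PORTS.get(flow.dst_port, "unknown")


HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def app_by_content(flow):
    """Application-aware classification: fingerprint the bytes, and look inside
    an HTTP body for a tunnelled protocol. The fingerprints are a constructed,
    deliberately tiny subset of what a real NGFW application library carries."""
    p = flow.payload
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    if p.startswith(b"\x16\x03"):  # TLS record header: handshake, version 3.x
        return "tls"
    if p.startswith(HTTP_METHODS):
        _head, _sep, body = p.partition(b"\r\n\r\n")
        if body.startswith(b"SSH-2.0-"):
            return "ssh"  # SSH carried in an HTTP body is still SSH to the policy
        return "http"
    return "unknown"


# Policy keyed on (group, application): first match wins, unmatched flows are denied.
RULES = [
    ("engineering", "ssh", "allow"),
    ("*", "http", "allow"),
    ("*", "tls", "allow"),
]


def decide(flow, classifier):
    """Return (user, application, action) for a flow under the given classifier."""
    user, groups = resolve_user(flow.src_ip)
    app = classifier(flow)
    for group, rule_app, action in RULES:
        if rule_app == app and (group == "*" or group in groups):
            return user, app, action
    return user, app, "deny"


def compare(flows):
    """Side-by-side verdicts: port-based (traditional) vs content-based (NGFW)."""
    return [(decide(f, app_by_port), decide(f, app_by_content)) for f in flows]


# Constructed sample streams, both to port 80.
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
TUNNELLED_SSH = (b"POST /connect HTTP/1.1\r\nHost: relay.example\r\n"
                 b"Content-Type: application/octet-stream\r\n\r\n"
                 b"SSH-2.0-OpenSSH_9.6\r\n")
SAMPLE = [
    Flow("10.0.0.2", "203.0.113.10", 80, PLAIN_GET),      # alice, ordinary web
    Flow("10.0.0.3", "203.0.113.10", 80, TUNNELLED_SSH),  # bob, SSH inside HTTP
    Flow("10.0.0.2", "203.0.113.10", 80, TUNNELLED_SSH),  # alice, same tunnel
]

if __name__ == "__main__":
    for flow, (by_port, by_content) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{flow.src_ip} -> :{flow.dst_port}  port-based={by_port}  "
              f"content-based={by_content}")
```

The port-based classifier calls all three flows "http" and allows them all. The content-based classifier sees the tunnelled SSH for what it is, and the identity lookup then decides differently for the same bytes: allowed for alice, whose group the SSH rule names, denied for bob. Neither half alone would have reached that result.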
· Stateful Inspection
While the general definition of stateful inspection does not differ from that of traditional firewalls, a NGFW must be able to track the state of traffic not only at layers 2 through 4, but across layers 2 through 7 as well. This difference allows a lot more control and gives the InfoSec engineer/administrator the ability to write very granular policies.
· Integrated IPS
An Intrusion Protection System (IPS) is responsible for detecting attacks using a number of different techniques, including threat signatures, known exploit attacks, anomalous activity and traffic behavioral analysis.
In an environment where a traditional firewall is deployed, it is common to see an Intrusion Detection System (IDS) or IPS deployed as well. Commonly, this was done with a separate appliance, or with a logically separate module within a single appliance. With a NGFW, the IPS or IDS functionality should be fully integrated. The IPS functionality itself is the same as it was with a separate appliance; the main difference is in performance and in the accessibility of information from all layers of the traffic.
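To show what the two detection techniques named above look like side by side, here is an added example (written for this article, not a product's engine). It runs a constructed list of new-connection events through a tiny engine that applies byte-pattern signatures to the payload and a behavioural check on the rate of new connections per source, and it distinguishes an out-of-band sensor (IDS mode: alert only) from an inline engine (IPS mode: alert and drop). The signature set, thresholds and sample events are constructed assumptions and are far smaller than anything a real IPS carries.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float       # seconds
    src: str
    dst: str
    dport: int
    payload: bytes  # client-to-server bytes of a new connection (may be empty)


# Constructed signature set: name -> byte pattern searched in the payload.
# A production IPS carries thousands of these, with protocol-aware decoding.
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./\.\./")),
    ("sql-tautology", re.compile(rb"(?i)'\s*or\s*'1'\s*=\s*'1")),
]


class MiniIPS:
    """Signature matching plus a behavioural check (new-connection rate per source).
    mode="ids" only raises alerts; mode="ips" also returns a drop verdict, which is
    the difference between an out-of-band sensor and an inline NGFW engine."""

    def __init__(self, mode="ips", rate_limit=5, window=1.0):
        self.mode = mode
        self.rate_limit = rate_limit     # max new connections per source per window
        self.window = window             # seconds
        self.recent = defaultdict(list)  # src -> timestamps of recent new connections

    def inspect(self, ev):
        alerts = []
        for name, pattern in SIGNATURES:
            if pattern.search(ev.payload):
                alerts.append(f"signature:{name}")
        # Behavioural check: keep only timestamps inside the sliding window.
        stamps = [t for t in self.recent[ev.src] if ev.ts - t <= self.window]
        stamps.append(ev.ts)
        self.recent[ev.src] = stamps
        if len(stamps) > self.rate_limit:
            alerts.append("anomaly:connection-rate")
        verdict = "drop" if alerts and self.mode == "ips" else "pass"
        return verdict, alerts


def run(events, mode="ips"):
    """Feed events through one engine instance; return a (verdict, alerts) list."""
    engine = MiniIPS(mode=mode)
    return [engine.inspect(ev) for ev in events]


# Constructed sample: two web requests that trip signatures, then one source
# opening seven connections to different ports within a second.
SAMPLE = [
    Event(0.0, "10.0.0.5", "203.0.113.20", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    Event(0.2, "10.0.0.5", "203.0.113.20", 80,
          b"GET /static/../../../etc/passwd HTTP/1.1\r\n\r\n"),
    Event(0.3, "10.0.0.6", "203.0.113.20", 80,
          b"GET /login?user=admin' or '1'='1 HTTP/1.1\r\n\r\n"),
] + [
    Event(1.0 + 0.1 * i, "192.0.2.9", "10.0.0.20", port, b"")
    for i, port in enumerate((21, 22, 23, 25, 80, 110, 143))
]

if __name__ == "__main__":
    for ev, (verdict, alerts) in zip(SAMPLE, run(SAMPLE)):
        print(f"t={ev.ts:.1f} {ev.src} -> {ev.dst}:{ev.dport} {verdict} {alerts}")
```

The two signature hits are decided on a single packet's content; the rate anomaly cannot be, because no one connection from the scanning source is suspicious on its own. Only an engine that keeps per-source history across packets raises it, and only an inline engine can turn that alert into a drop, which is the argument for integrating the IPS into the firewall rather than bolting a sensor on beside it.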
· Bridged and Routed Modes
While not a completely new feature, the ability of a NGFW to operate in either bridged mode or routed mode is an important one. Many traditional firewalls are deployed in today's networks, and the majority of them are not yet NGFWs. To ease this transition, a NGFW must be able to be placed in bridged mode (also referred to as transparent mode), where the device itself does not appear as a hop in the routed path. When the time is right for each specific enterprise, the NGFW can then completely replace the traditional firewall by being converted to routed mode.