There are a lot of changes going on within the enterprise, including
many shifts related to how applications are used and transported. While this
change is an advantage from a usability perspective, it can also quickly become
a nightmare to the information security staff.
To deal with these changes, vendors in the enterprise firewall market
have created a new generation of firewall devices dubbed the Next
Generation Firewall or NGFW. These devices differ from
traditional firewalls in a number of different areas. Let's take a look at
these differences and how they affect the security of an enterprise
network.
What is a Traditional Firewall?
What exactly is a traditional firewall? For the purposes of this article, and in line with the general consensus of the InfoSec community, a traditional firewall is a device that controls which traffic is allowed to enter or exit a point within the network. It typically does this using either a stateless or a stateful method, depending on the type of protocol being run through it.
Stateless inspection simply checks each packet individually and is not able to discern a traffic "flow." Stateful inspection is able to track (to a certain level) a traffic flow of the monitored protocol and keeps track of where that flow is within its lifetime (is it just starting? is it actively being used? is it closing itself down?).
Obviously, a firewall that is able to track state is going to be more effective than one that does not. Many traditional firewalls, however, are limited to layers 2 through 4 and can only track traffic based on that information.
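As an added illustration of the stateless/stateful distinction above (example code written for this edit, not from the original article), the snippet below contrasts a packet-at-a-time "established" rule with a small connection tracker; the inside network prefix, addresses and flag constants are constructed values.

```python
from dataclasses import dataclass

# TCP flag bits used below.
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
INSIDE = "10.0.0."          # constructed "inside" network prefix

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def flow_key(p: Packet):
    # Canonical 5-tuple so both directions of a connection share one entry.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def stateless_allow(p: Packet) -> bool:
    # Layer-3/4 ACL in the spirit of "permit tcp any inside established":
    # every packet is judged on its own, so an inbound packet with the ACK
    # bit set is assumed to be the reply half of a flow it has never seen.
    if p.src.startswith(INSIDE):
        return True                     # outbound traffic is permitted
    return bool(p.flags & ACK)

class StatefulFirewall:
    """Tracks where each inside-initiated flow is within its lifetime."""

    def __init__(self):
        self.table = {}                 # flow key -> SYN_SENT/ESTABLISHED/CLOSING

    def allow(self, p: Packet) -> bool:
        key = flow_key(p)
        state = self.table.get(key)
        if state is None:
            # Only a bare SYN from the inside may create a flow entry.
            if p.src.startswith(INSIDE) and p.flags & SYN and not p.flags & ACK:
                self.table[key] = "SYN_SENT"
                return True
            return False                # unsolicited, including lone ACKs
        if state == "SYN_SENT" and p.flags & SYN and p.flags & ACK:
            self.table[key] = "ESTABLISHED"
        elif p.flags & (FIN | RST):
            self.table[key] = "CLOSING"
        return True
```

The same inbound packet with only the ACK bit set passes the stateless rule but is dropped by the tracker because no entry exists for its flow.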
Other common features of a traditional firewall include support for
Network Address Translation (NAT), Port Address Translation (PAT), and Virtual
Private Network (VPN) termination, as well as being able to provide a high
level of availability and performance.
What is a Next Generation Firewall (NGFW)?
The term NGFW can be used by any vendor, and the specifics of each vendor's offering can differ slightly from one another. Generally, though, the following features are included within an NGFW offering:
· Application Awareness,
· Stateful Inspection,
· Integrated Intrusion Protection System (IPS),
· Identity Awareness (User and Group Control),
· Bridged and Routed Modes,
· And the ability to utilize external intelligence sources.
Let's examine these NGFW features in more detail.
· Application Awareness
The biggest difference between a traditional firewall and a NGFW is that these newer devices are application aware. Traditional firewalls rely on well-known application ports to determine which applications are running and which types of attacks to monitor for. An NGFW does not assume that a specific application is running on a specific port. The firewall itself must monitor the traffic from layers 2 through 7 and determine what type of traffic is actually being sent and received.
The most common example is the current use of TCP port 80, the HTTP port. Traditionally this port carried only HTTP traffic, but that is no longer the case: a large number of different applications use it to transport traffic between an end device and a central server. There are a number of ways that common ports can be reused for these different types of traffic, one of the most common being tunneling. With tunneling, the traffic is carried inside the HTTP data field and de-encapsulated at the destination. From a traditional firewall's perspective this looks like simple HTTP web traffic, but an NGFW identifies its true purpose at the firewall, before it reaches the destination. If the traffic is allowed by the NGFW's policy, the firewall passes it; if it isn't, the firewall blocks it.
· Identity Awareness
Another big difference between a traditional firewall and a NGFW is that the latter is expected to be able to identify the local device and user behind the traffic, typically using existing enterprise authentication systems (e.g. Active Directory, LDAP). This way the InfoSec staff can control not only the types of traffic allowed to enter and exit the network, but also what a specific user is allowed to send and receive.
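Added example (not from the original article) covering both the application-awareness and identity-awareness sections: a port-based classifier next to a content-based one, feeding a policy keyed on application and user group. The hostnames, IP addresses, user-to-IP map and policy rows are constructed stand-ins, and the AD/LDAP lookup is represented by a plain dictionary.

```python
import re

# HTTP request line; anything on port 80 that does not match is not HTTP.
REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT) (\S+) HTTP/1\.[01]\r\n")

def port_based_app(dport: int) -> str:
    # What a traditional firewall "knows": the port is the application.
    return {80: "http", 443: "https"}.get(dport, "unknown")

def identify_app(dport: int, payload: bytes) -> str:
    # Application-aware classification: the port is only a hint.
    m = REQUEST_LINE.match(payload)
    if m is None:
        return "non-http-on-80" if dport == 80 else "unknown-tcp"
    if m.group(1) == b"CONNECT":
        return "http-proxy-tunnel"      # tunnel inside HTTP, not plain browsing
    headers = payload.split(b"\r\n\r\n", 1)[0].lower()
    if b"\r\nupgrade: websocket" in headers:
        return "websocket"
    host = re.search(rb"\r\nhost: ([^\r\n]+)", headers)
    if host and host.group(1).endswith(b"example-updates.test"):
        return "update-service"         # constructed SaaS application name
    return "web-browsing"

# Constructed stand-in for the AD/LDAP user-to-IP binding the NGFW consults.
USER_OF_IP = {"10.0.0.5": ("alice", "engineering"),
              "10.0.0.9": ("bob", "guests")}

# Policy rows: (application, group or "*", action); first match wins,
# anything unmatched is denied.
POLICY = [
    ("web-browsing", "*", "allow"),
    ("update-service", "engineering", "allow"),
    ("http-proxy-tunnel", "*", "deny"),
    ("non-http-on-80", "*", "deny"),
]

def decide(src_ip: str, dport: int, payload: bytes):
    user, group = USER_OF_IP.get(src_ip, ("unknown", "unknown"))
    app = identify_app(dport, payload)
    for rule_app, rule_group, action in POLICY:
        if rule_app == app and rule_group in ("*", group):
            return app, user, action
    return app, user, "deny"
```

Every payload below arrives on port 80, so the port-based view calls all of them "http"; the content-based view separates them and the policy can then differ by user group.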
· Stateful Inspection
While the general definition of stateful inspection does not differ from that of traditional firewalls, a NGFW must be able to track the state of traffic not only at layers 2 through 4 but across layers 2 through 7. This difference allows a lot more control and gives the InfoSec engineer/administrator the ability to write very granular policies.
· Integrated IPS
An Intrusion Protection System (IPS) is responsible for detecting
attacks based on a number of different techniques including the use of threat signatures,
known exploit attacks, anomalous activity and traffic behavioral
analysis.
In an environment where a traditional firewall is deployed, it is common to see an Intrusion Detection System (IDS) or IPS deployed as well. Commonly, this is done with a separate appliance, or with a logically separate module within a single appliance. With a NGFW, the IPS or IDS should be fully integrated. The IPS functionality itself is the same as with a separate appliance; the main difference is in performance and in having access to information from all layers of the traffic.
· Bridged and Routed Modes
While not a completely new feature, the ability of a NGFW to be used in either a bridged mode or a routed mode is an important one. Many traditional firewalls are deployed in today's networks, and the majority of them are not yet NGFWs. To ease this transition, a NGFW must be able to be placed in a bridged mode (also referred to as transparent mode) where the device itself does not appear as a hop in the routed path. When the time is right for each specific enterprise, the NGFW can then be converted to routed mode and completely replace the traditional firewall.