NGFWs for security

Neeraj Dubey
In today's enterprises, a mixed bag of vulnerability scanners, network monitoring tools, application monitors and firewalls is used to manage network threats. Unfortunately, attackers still succeed and maintain beachheads in organizations that do not even know they have been infiltrated until a third party tells them so. This indicates that the current assortment of detection, monitoring and firewalling tools is not enough. NGFWs grew out of this necessity, combining features of several tools to gain better visibility and accuracy in detecting and preventing malware and attacks. A Next-Generation Firewall (NGFW) is a hardware- or software-based network security system that can detect and block sophisticated attacks by enforcing security policies at the application level as well as at the port and protocol level. Next-generation firewalls integrate three key assets: enterprise firewall capabilities, an intrusion prevention system (IPS) and application control. Just as stateful inspection added context to earlier packet-filtering firewalls, NGFWs bring additional context to the firewall's decision-making by understanding the application traffic passing through it and blocking traffic that might exploit vulnerabilities. Next-generation firewalls combine the capabilities of traditional firewalls, including packet filtering, network address translation (NAT), URL blocking and virtual private networks (VPNs), with Quality of Service (QoS) functionality and features not traditionally found in firewall products. These include intrusion prevention, SSL and SSH inspection, deep packet inspection and reputation-based malware detection, as well as application awareness. IT managers in corporate and mid-size businesses have to balance both network performance and network security concerns.
While security requirements are critical to the enterprise, organizations should not have to sacrifice throughput and productivity for security. Next-generation firewalls (NGFWs) have emerged as the solution to this thorny problem. Earlier-generation firewalls leave a serious gap in today's organizations: their technology has effectively become obsolete because they do not inspect the data payload of the packets that today's internet criminals send through them. In basic terms, a next-generation firewall applies deep packet inspection (DPI) to every flow, integrating an intrusion prevention system (IPS) and application intelligence and control to see the actual content of the data being accessed and processed.
Gartner defines an NGFW as "a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks." At minimum, Gartner states, a next-generation firewall (NGFW) should provide:
a) Non-disruptive in-line bump-in-the-wire configuration.
b) Standard first-generation firewall capabilities, e.g., network address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN).
c) An integrated signature-based IPS engine.
d) The capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists and whitelists.
The SPI generation of firewalls addressed security in a world where malware was not a major issue and web pages were just documents to be read. Ports, IP addresses and protocols were the key factors to be managed. But as the Internet evolved, the ability to deliver dynamic content from servers and client browsers introduced the wealth of applications we now call Web 2.0. Today, applications from Salesforce.com to SharePoint to Farmville all run over TCP port 80 or over encrypted SSL/TLS on TCP port 443, so a port-based rule that opens those two ports admits all of them alike. A next-generation firewall (NGFW) inspects the payload of packets and matches signatures for nefarious activity such as known vulnerabilities, exploit attempts, viruses and malware, all on the fly. Note that signature matching only works on traffic the firewall can read: without SSL/TLS inspection, the payload on port 443 is opaque and only handshake metadata such as the requested server name is visible. Organizations are suffering from application chaos. Network communications no longer rely simply on store-and-forward applications like email, but have expanded to include real-time collaboration tools, Web 2.0 applications, instant messaging (IM), peer-to-peer applications, Voice over IP (VoIP), streaming media and teleconferencing, each presenting a conduit for potential attacks. Today, organizations need to deliver critical business solutions while also contending with employee use of wasteful and often dangerous (from a security perspective) web-based applications. Critical applications need bandwidth prioritization, while social media and gaming applications need to be throttled or completely blocked. Moreover, organizations can face fines, penalties and loss of business if they are not in compliance with security mandates and regulations. In today's enterprise organizations, protection and performance go hand in hand. Organizations can no longer tolerate the reduced security provided by legacy SPI firewalls, nor can they tolerate the network bottlenecks associated with some NGFWs.
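The port 80/443 problem described above, as an added worked example that is not part of the article and corresponds to no real product: a toy Python policy engine that identifies the application from the cleartext HTTP Host header or the TLS ClientHello server name (SNI), runs a couple of IPS-style signatures over cleartext payloads, and only falls back to the port when the payload tells it nothing. The hostnames, policy table, signatures and sample packets are all constructed for illustration.

```python
# Added example (not from the article): a toy application-aware policy engine that
# shows why "open TCP/80 and TCP/443" is no longer a useful rule. The policy table,
# signatures, hostnames and sample packets below are all constructed for illustration.
import re
import struct

# Constructed application policy. A legacy port-based firewall cannot express this,
# because every entry here travels over the same two ports.
APP_POLICY = {
    "salesforce.com": "allow",
    "sharepoint.example.com": "allow",
    "video.example.com": "throttle",      # bandwidth-shaped, not blocked
    "farmville.example.com": "block",
}
DEFAULT_ACTION = "allow"

# Constructed IPS-style signatures, applied to cleartext payload only.
SIGNATURES = [
    (re.compile(rb"\.\./\.\./"), "path traversal attempt"),
    (re.compile(rb"(?i)union\s+select"), "SQL injection attempt"),
]


def port_based_verdict(dst_port):
    """What an SPI-only firewall decides: web ports open, everything else closed."""
    return "allow" if dst_port in (80, 443) else "block"


def http_host(payload):
    """Return the Host header of a cleartext HTTP request, lower-cased, or None."""
    m = re.search(rb"(?im)^Host:[ \t]*([^\r\n]+)", payload)
    return m.group(1).decode("ascii", "replace").strip().lower() if m else None


def tls_sni(payload):
    """Return the SNI hostname from a TLS ClientHello, or None.

    Walks: record header (5) -> handshake header (4) -> version (2) -> random (32)
    -> session id -> cipher suites -> compression methods -> extensions.
    """
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:   # handshake record, ClientHello
            return None
        p = 9 + 2 + 32
        p += 1 + payload[p]                                # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]  # cipher suites
        p += 1 + payload[p]                                # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if ext_type == 0:                              # server_name extension
                # list length (2) | name type (1) | name length (2) | name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii").lower()
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(hostname):
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI extension (sample input)."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", 0, 2 + len(server_name))
               + struct.pack("!H", len(server_name)) + server_name)
    body = (b"\x03\x03" + b"\x00" * 32              # client version, random
            + b"\x00"                                # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def identify_application(payload):
    """Application identification from the payload, not the port."""
    return http_host(payload) or tls_sni(payload)


def ngfw_verdict(dst_port, payload):
    """NGFW decision: IPS signatures first, then application policy, then port fallback."""
    for pattern, description in SIGNATURES:
        if pattern.search(payload):
            return "block", "IPS: " + description
    app = identify_application(payload)
    if app is not None:
        return APP_POLICY.get(app, DEFAULT_ACTION), "app: " + app
    return port_based_verdict(dst_port), "port-only fallback"


# Constructed sample flows: every one of them is "allow" to a port-based firewall.
SAMPLE_FLOWS = [
    (80, b"GET /home HTTP/1.1\r\nHost: salesforce.com\r\n\r\n"),
    (80, b"GET /play HTTP/1.1\r\nHost: farmville.example.com\r\n\r\n"),
    (443, build_client_hello("video.example.com")),
    (80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: sharepoint.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(f"port {port}: SPI={port_based_verdict(port)} NGFW={ngfw_verdict(port, payload)}")
```

Run it and every sample flow comes back "allow" from the port-based check, while the application-aware path allows Salesforce, throttles the video host, blocks Farmville and blocks the traversal attempt outright. The TLS flow is classified from the handshake alone; once the session is encrypted, the signature checks see nothing unless the firewall performs the SSL/TLS inspection the article mentions.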
Any delay in firewall or network performance can degrade quality in latency-sensitive and collaborative applications, which in turn can negatively affect service levels and productivity. Organizations large and small, in both the public and private sector, face new threats from vulnerabilities in commonly used applications. It is the dirty little secret of the beautiful world of social networks and interconnectedness: they are a breeding ground for malware, and internet criminals lurk on every corner for their unsuspecting victims. Meanwhile, workers use business and home office computers for online blogging, socializing, messaging, videos, music, games, shopping and email. Applications such as streaming video, peer-to-peer (P2P), and hosted or cloud-based applications expose organizations to potential infiltration, data leakage and downtime. In addition to introducing security threats, these applications drain bandwidth and productivity and compete with mission-critical applications for precious network bandwidth. Enterprises therefore need tools to guarantee bandwidth for business-relevant applications, and need application intelligence and control to protect both inbound and outbound traffic flows, while providing the throughput and security required for a productive work environment. Although NGFWs can increase an organization's network security and decrease the associated risks, not all devices are up to the task, and proper testing is required to ensure that a particular device is appropriate.
This starts with knowing your systems, their usage and the risks associated with your environment. Armed with this information, organizations should compare their baselines against the tools they already have in place to identify weaknesses and build a next-generation system that can meet today's demands for more integrated and comprehensive network protection. The key for IT administrators is to ensure that the NGFW solution they choose scales to their projected network performance requirements, measured with the inspection features they intend to use (IPS, application control, SSL decryption) switched on, since each of these costs throughput, and that it delivers robust performance, useful network analytics and insight, and ease of implementation and administration.
(The author is Sr. Assistant Professor, GCET-Jammu)