As cybersecurity threats increase in sophistication, the security solutions used to defend against these threats must also evolve. Developers no longer adhere to standard port/protocol/application mapping; applications are capable of operating on non-standard ports, as well as port hopping; and users are able to force applications to run over non-standard ports, rendering first-generation firewalls ineffective in today’s threat environment. Enter the “next-generation firewall” (NGFW), the next stage of firewall and intrusion prevention systems (IPS) technology.
A common understanding of an NGFW is a network platform that combines the traditional firewall functionalities with IPS and application control. However, merely bundling traditional firewalls with IPS and application control does not result in an NGFW. A true NGFW emphasizes native integration, classifies traffic based on applications rather than ports, performs a deep inspection of traffic and blocks attacks before a network can be infiltrated. Here is a list of key features of a true NGFW to better inform your next purchase decision.
Identify and control applications and functions on all ports, all the time
An NGFW should identify traffic on all ports at all times, and classify each application, while monitoring for changes that may indicate when an unpermitted function is being used. For example, using Citrix GoToMeeting for desktop sharing is permitted but allowing an external user to take control is not.
Identify users regardless of device or IP address
Knowing who is using which applications on the network, and who is transferring files that may contain threats, strengthens an organization’s security policies and reduces incident response times. An NGFW must get user identity from multiple sources – such as VPN solutions, WLAN controllers and directory servers – and allow policies that safely enable applications based on users, or groups of users, in outbound or inbound directions.
Identify and control security evasion tactics
There are two different classes of applications that evade security policies: applications that are designed to evade security, like external proxies and non-VPN-related encrypted tunnels (e.g., CGIProxy), and those that can be adapted to achieve the same goal such as remote server/desktop management tools (e.g., TeamViewer). An NGFW must have specific techniques that identify and control all applications, regardless of port, protocol, encryption or other evasive tactics and know how often that firewall’s application intelligence is updated and maintained.
Decrypt and inspect SSL and control SSH
An NGFW should be able to recognize and decrypt SSL and SSH on any port, inbound or outbound; have policy control over decryption; and offer the necessary hardware and software elements to perform SSL decryption simultaneously across tens of thousands of SSL connections with predictable performance.
Systematically manage unknown traffic
Unknown traffic represents significant risks and is highly correlated to threats that move along the network. An NGFW must classify and manage all traffic on all ports in one location and quickly analyze the traffic, known and unknown, to determine if it’s an internal/custom application, a commercial application without a signature, or a threat.
Protect the network against known and unknown threats in all applications and on all ports
Applications enable businesses, but they also act as a cyberthreat vector, supporting technologies that are frequent targets for exploits. An NGFW must first identify the application, determine the functions that should be permitted or blocked, and protect the organization from known and unknown threats, exploits, viruses/malware or spyware. This must be done automatically with near-real time updates to protect from newly discovered threats globally.
Deliver consistent policy control over all traffic, regardless of user location or device type
An NGFW should provide consistent visibility and control over traffic, regardless of where the user is and what device is being used, without introducing performance latency for the user, additional work for the administrator, or significant cost for the organization.
Simplify network security
To simplify and effectively manage already overloaded security processes and people, an NGFW must enable easy translation of your business policy to your security rules. This will allow policies that directly support business initiatives.
Perform computationally intensive tasks without impacting performance
An increase in security features often means significantly lower throughput and performance. An NGFW should deliver visibility and control including content scanning, which is computationally intensive, in high-throughput networks with little tolerance for latency.
Deliver the same firewall functions in both a hardware and virtualized form factor
Virtualization and cloud computing environments introduce new security challenges, including inconsistent functionality, disparate management and a lack of integration points. An NGFW must provide flexibility and in-depth integration with virtual data centers in private and public cloud environments to streamline the creation of application-centric policies.
To learn more about what features a NGFW must have to safely enable applications and organizations, read the 10 Things Your Next Firewall Must Do white paper.
[Palo Alto Networks Research Center]