Network security

Checklist for Next Gen Firewalls

Security Ninja
November 3, 2014 by
Security Ninja

Due to the ever-changing threat landscape, a few security products such as firewalls, IDS/IPS, etc. are becoming obsolete because of the older technologies being employed within them. In this article, we will learn about why the traditional firewall failed to cope with new threats and how the Next Generation Firewall will address the new needs of perimeter security. In this article we will also focus on the checklist that will come handy for organizations for implementing Next Gen Firewalls for securing their perimeter.

Why are Traditional Firewalls not sufficient anymore?

A decade back, traditional firewalls played the most important role in securing the perimeter of an organization's network. Applications were simple, and to protect them an organization would just rely on port + protocol logic. If they blocked the port and protocol for a particular application, then it was considered secure at that time. But the Internet has come a long way from where it was a decade back. With the commencement of Web 2.0, applications now have gone to an altogether different level. The Internet is not about just surfing anymore.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Port based firewalls inspect the network stream by looking at the header of the first packet for a particular session and thus will go by the applied rules. They do not have the capability to distinguish between different applications using same port. Port based firewalls have no idea what is going on inside the packet, thus they cannot check for possible malware in packets destined for legitimate business applications' traffic. Traditional firewalls were not intelligent enough to allow traffic on an authorized need basis. To revive firewalls, vendors came up with a concept of Unified Threat Management (UTM) which consists of several blades of other security products such as IDS/IPS. IDS/IPS works with protocol anomaly detection, signature or heuristic based analysis, but the problem is the same IDS/IPS does not understand the application and works blindly on anomaly detection.

What is a Next Gen Firewall?

Next Gen Firewalls have come to rescue the legacy of traditional firewalls with providing all the benefits of a traditional firewall like state full inspection, NAT/PAT support, VPN support, etc., along with some advanced security features like identifying applications regardless of ports, protocols etc., and high performance, policy-based control over applications. Basically, Next Gen Firewalls are intelligent firewalls which allow traffic on a need + security basis rather than traditional port + protocol concept.

How is a Next Gen Firewall different?

This section reveals some data points that make a Next Gen Firewall different and more superior than traditional firewalls.

  • Traditional firewalls collapsed, as they solely depend on port + protocol pair to allow or block traffic, whereas Next Gen Firewalls identify robust applications analyzing application signatures to identify applications regardless of ports and protocols. Next Gen Firewalls also perform decryption to see what is inside the traffic and decodes the protocols to see the in line hidden protocols. With this point, many would call it a twin of UTM, but UTM are never meant to provide high performance and are typically adequate in smaller environments.
  • Next Gen Firewalls integrate with user stores such as Active Directory (AD). This mapping of user-to-IP address and integration with AD will help firewalls harvest more information about the users such as user groups and roles. This will enable firewalls to behave more intelligently. This feature was totally missing in the traditional firewalls.
  • Next Gen Firewalls now can inspect the real time threats within the permitted traffic as well by decoding application streams by inspecting the traffic with a universal threat signature, which reduces the need to check for different threats under different engines and thus increases performance.

What Next Gen Firewalls are not

When it comes to functions of a Next Gen firewall, various security devices in the market can be thought of doing the same thing that is done by Next Gen Firewalls. However, Next Gen Firewalls should not be compared with:

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.
  • UTM devices, which are not built for high performance.
  • A proxy that has firewalls and proxy capability, but not an application signature library like Next Gen, which means that all the applications there need to be applied.
  • Next Gen Firewalls should not be compared with Web Application Firewalls (WAF), as WAFs are designed to inspect only Layer 7 instead of a whole OSI stock, which a Next Gen Firewall does.

Checklist for Next Gen Firewalls

Before deploying a Next Gen Firewall, organizatins must check for certain features that should be in the product to really act as a Next Generation Firewall device. Some of the features are listed below.

  • Next Gen Firewalls should identify applications and not ports: Organizations should always choose those vendors which have adopted a technology to store a library which consists of application signatures, as this will help the organizations to expose a business's critical applications while blocking applications which can cause a threat.
  • Next Gen Firewalls should identify users and not just IP addresses: Organizations should check whether the NGFW offers user-to-IP address mapping. An offered NGFW device must have integration with directory services such as Active directory. Since user to IP address mapping will help to control the activity of specific users, this feature is a must. Techniques include login monitoring, which can help to correlate an IP address to user info when he logs in to the domain, and workstation IP address polling, which can help to verify IP address information and thus maintain accurate mapping when users move around the network.
  • Next Gen Firewalls should identify content and not just packets: Next Gen Firewalls must have the capability to inspect the packets to look out for threats. Next Gen firewalls should have the capability to inspect the files as soon as the first packet is received instead of waiting for a whole packet stream and then stream processing. Also the NGFW should have only one scanning engine to look out for all possible threats instead of multiple engines to look out for multiple attack vectors. This will greatly improve the performance. The NGFW should also have features like URL filtering, data filtering by type, size, etc.
  • Next Gen Firewalls should give more granular control: Next Gen Firewalls should provide more control than the traditional firewalls. Traditional firewalls have controls like allow, deny. Next Gen firewalls, because of their new features, must give controls like "Allow but Scan", "Decrypt and Inspect", Allow for Certain User Group", etc.
  • High performance: Next Gen firewalls must provide real time protection with no latency. Features like a single scanning engine for all types of malwares can help greatly in scanning the packets in a time-efficient manner.
  • Reliable, flexible and easy to maintain: Next Gen Firewalls should be flexible enough to get fixed in an existing IT landscape. Next Gen firewalls should have features like IPv6 support, dynamic routing protocols like BGP, etc. Next Gen Firewalls should support active-passive and active-active failover architectures. Next Gen Firewalls should be easy to maintain and must support remote, local or centralized management. Also, features like role-based administration must be in the checklist to look out for in Next Gen Firewalls.
Security Ninja
Security Ninja