NEXT GENERATION FIREWALLS

Why NGFWs are Next-Generation FWs?

Imre.Balazs@euroone.hu

Agenda

• The Changing Landscape • NGFWs• Juniper AppSec• How to Choose

Changing Landscapes…

…of applications and threats

Applications/Threats Changed; Firewalls Not

BUT…applications have changed• Ports ≠ Applications• IP Addresses ≠ Users• Packets ≠ Content

The gateway at the trust border is the right place to enforce policy control• Sees all traffic• Defines trust boundary

Need visibility and control !!!

Web 2.0, Enterprise 2.0Headaches for CISOs

1. Driven by new generation of addicted Internet users – smarter than you?

2. Full, unrestricted access to everything on the Internet is a right

3. They’re creating a giant social system - collaboration, group knowledge

4. Mobile device use exacerbates the problem – how to control them?

5. Large enterprises need new architectural solutions – suite for huge

6. Not waiting around for IT support or confirmation – IT is irrelevant

7. Result - a Social Enterprise full of potential risks … and rewards

Real-Life Reasons

Source: Academic Freedom or Application Chaos (2nd Edition, March 2011) Palo Alto Networks

• 67% of the apps use port 80, port 443, or hop ports

Consensus among Analysts

Move to next-generation firewalls at the next refresh opportunity –

whether for firewall, IPS, or the combination of the two. -Gartner

Forrester’s Forrsights Security Survey indicates that the standalone IPS market is a relatively mature space but that the next-generation firewall markets are expanding …we anticipate a consolidation of firewalls and IPS to create an even more advanced multifunction security gateway.

-Forrester

DigiNotar, Google, Playstation Network, RSA, Comodo, Epsilon, Lockheed Martin, Many more…

Make the FW Useful Again!

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Protect in real-time against threats embedded across applications

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, in-line deployment with no performance degradation

Why it has to be the firewall?

1. Path of least resistance - build it with legacy security boxes

2. Applications = threats3. Can only see what you expressly look for4. Can’t “allow, but…”

IPS

Applications

Firewall

1. Most difficult path - can’t be built with legacy security boxes

2. Applications = applications, threats = threats

3. Can see everything4. Can “allow, but…”

IPSFirewall

Applications

Traffic decision is made at the firewallNo application knowledge means bad decisions…

NGFWs

What is what?!

• Stateful Firewall• IPS• UTM• Application Firewall / Application Proxy• Next Generation Firewall (NGFW)

Stateful Firewall: blind, packet filters only

IPS: evasions, decryption issues

• Permissive rule base• Inspect encrypted traffic• Circumvention possible

Source: NSS Labs - Q4 2009 Network Intrusion Prevention System Test Executive Summary

UTM: adding more stuff doesn’t solve the problem

• “More stuff” doesn’t solve the problem• Firewall “helpers” have limited view of traffic• Complex and costly to buy and maintain• Putting all of this in the same box is just slow• Still no visibility or control of enterprise 2.0

Internet

Application Proxy: slow + focused on few apps only

• Proxy sits between the application source and destination

• Intercepting traffic (terminating and re-initiating)• Limited set of applications• Low performance• Deep knowledge of protocols

Next Generation Firewalls

• New Modules• New Architectures

• User identification• Application Identification• Content identification• Rulebase consolidation• Analyse encrypted traffic• Both CTS and STC directions

And the Nominees are…

• NFGW = FW + IPS in the same box• NGFW = FW + IPS integrated + Security Modul• NGFW = Brand new architectures

FW & IPS issues

• Positive control – firewall like– Define what is allowed, block everything else

• Negative control – IPS like– Find it and block it– Great for blocking attacks – Bad for controlling applications– Ergo > Adding a bunch of application signatures to an IPS does not make it a firewall

• Application become evasive

FW & IPS issues, cont’d

• Model– Keep the FW + add an IPS style

helper• Problem

– FW still allows traffic on unusual ports

– Not smart enough to recognize applications

– Must run all signatures on all ports– Performance issue– Management issue– Only blocking is possible

Real NGFWs Provide a Better Approach to IPS

• Integrating IPS into the firewall is NOT simply about convenience…it’s a necessity

• True integration of IPS with the NGFW solves problems that traditional IPS can’t1. Controls threats on non-standard ports 2. Proactively reduces the attack surface 3. Controls the methods attackers use to hide4. Integrates multiple threat prevention disciplines5. Provides visibility and control of unknown threats

How to choose

…Buyers Guide

Things to consider before buying NGFW

1. Identify and control applications on any port2. Identify and control circumventors3. Decrypt outbound SSL4. Identify and control applications sharing the same connection5. Provide application function control6. Deal with unknown traffic by policy7. Scan for viruses and malware in allowed collaborative applications8. Enable the same application visibility and control for remote users9. Make network security simpler, not more complex with the

addition of application control10. Deliver the same throughput and performance with application

control active

Juniper AppSec

Customer Priorities

Juniper Security Solutions

Addressing the Evolving Threat Landscape

Visibility into Web 2.0 Threats

Scalable Policy Enforcement & Management

Control of Application Usage

Rapid Response to New Threats

AppSecure Software Security Research TeamsSRX Security Service Gateways

AppSecure direction

Understand security risks

Address new user behaviors

Application Intelligence from User to Data Center

• Subscription service includes all modules and updates• Juniper Security Lab provides 800+ application signatures

AppTrack AppDoS IPS

Block access to risky apps

Allows user tailored policies

Prioritize important apps

Rate limit less important apps

Protect apps from bot attacks

Allow legitimate user traffic

Remediate security threats

Stay current with daily signatures

AppFW AppQoS

INTEGRATED APPLICATION INTELLIGENCE: AppSecure

APPLICATION VISIBILITY

Thank you!

Resources & Further readings

Enterprise Strategy Group: The Network Application Security Architecture RequirementNSS Labs: Q2 2009 IPS Group TestJuniper Networks: ESG - The Network Application Security Architecture RequirementPalo Alto Networks: Academic Freedom or Application Chaos?