next generation firewalls why ngfws are next-generation fws? [email protected]
TRANSCRIPT
Agenda
• The Changing Landscape • NGFWs• Juniper AppSec• How to Choose
Changing Landscapes…
…of applications and threats
Applications/Threats Changed; Firewalls Not
BUT…applications have changed• Ports ≠ Applications• IP Addresses ≠ Users• Packets ≠ Content
The gateway at the trust border is the right place to enforce policy control• Sees all traffic• Defines trust boundary
Need visibility and control !!!
Web 2.0, Enterprise 2.0Headaches for CISOs
1. Driven by new generation of addicted Internet users – smarter than you?
2. Full, unrestricted access to everything on the Internet is a right
3. They’re creating a giant social system - collaboration, group knowledge
4. Mobile device use exacerbates the problem – how to control them?
5. Large enterprises need new architectural solutions – suite for huge
6. Not waiting around for IT support or confirmation – IT is irrelevant
7. Result - a Social Enterprise full of potential risks … and rewards
Real-Life Reasons
Source: Academic Freedom or Application Chaos (2nd Edition, March 2011) Palo Alto Networks
• 67% of the apps use port 80, port 443, or hop ports
Consensus among Analysts
Move to next-generation firewalls at the next refresh opportunity –
whether for firewall, IPS, or the combination of the two. -Gartner
Forrester’s Forrsights Security Survey indicates that the standalone IPS market is a relatively mature space but that the next-generation firewall markets are expanding …we anticipate a consolidation of firewalls and IPS to create an even more advanced multifunction security gateway.
-Forrester
DigiNotar, Google, Playstation Network, RSA, Comodo, Epsilon, Lockheed Martin, Many more…
Make the FW Useful Again!
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
Why it has to be the firewall?
1. Path of least resistance - build it with legacy security boxes
2. Applications = threats3. Can only see what you expressly look for4. Can’t “allow, but…”
IPS
Applications
Firewall
1. Most difficult path - can’t be built with legacy security boxes
2. Applications = applications, threats = threats
3. Can see everything4. Can “allow, but…”
IPSFirewall
Applications
Traffic decision is made at the firewallNo application knowledge means bad decisions…
NGFWs
What is what?!
• Stateful Firewall• IPS• UTM• Application Firewall / Application Proxy• Next Generation Firewall (NGFW)
Stateful Firewall: blind, packet filters only
IPS: evasions, decryption issues
• Permissive rule base• Inspect encrypted traffic• Circumvention possible
Source: NSS Labs - Q4 2009 Network Intrusion Prevention System Test Executive Summary
UTM: adding more stuff doesn’t solve the problem
• “More stuff” doesn’t solve the problem• Firewall “helpers” have limited view of traffic• Complex and costly to buy and maintain• Putting all of this in the same box is just slow• Still no visibility or control of enterprise 2.0
Internet
Application Proxy: slow + focused on few apps only
• Proxy sits between the application source and destination
• Intercepting traffic (terminating and re-initiating)• Limited set of applications• Low performance• Deep knowledge of protocols
Next Generation Firewalls
• New Modules• New Architectures
• User identification• Application Identification• Content identification• Rulebase consolidation• Analyse encrypted traffic• Both CTS and STC directions
And the Nominees are…
• NFGW = FW + IPS in the same box• NGFW = FW + IPS integrated + Security Modul• NGFW = Brand new architectures
FW & IPS issues
• Positive control – firewall like– Define what is allowed, block everything else
• Negative control – IPS like– Find it and block it– Great for blocking attacks – Bad for controlling applications– Ergo > Adding a bunch of application signatures to an IPS does not make it a firewall
• Application become evasive
FW & IPS issues, cont’d
• Model– Keep the FW + add an IPS style
helper• Problem
– FW still allows traffic on unusual ports
– Not smart enough to recognize applications
– Must run all signatures on all ports– Performance issue– Management issue– Only blocking is possible
Real NGFWs Provide a Better Approach to IPS
• Integrating IPS into the firewall is NOT simply about convenience…it’s a necessity
• True integration of IPS with the NGFW solves problems that traditional IPS can’t1. Controls threats on non-standard ports 2. Proactively reduces the attack surface 3. Controls the methods attackers use to hide4. Integrates multiple threat prevention disciplines5. Provides visibility and control of unknown threats
How to choose
…Buyers Guide
Things to consider before buying NGFW
1. Identify and control applications on any port2. Identify and control circumventors3. Decrypt outbound SSL4. Identify and control applications sharing the same connection5. Provide application function control6. Deal with unknown traffic by policy7. Scan for viruses and malware in allowed collaborative applications8. Enable the same application visibility and control for remote users9. Make network security simpler, not more complex with the
addition of application control10. Deliver the same throughput and performance with application
control active
Juniper AppSec
Customer Priorities
Juniper Security Solutions
Addressing the Evolving Threat Landscape
Visibility into Web 2.0 Threats
Scalable Policy Enforcement & Management
Control of Application Usage
Rapid Response to New Threats
AppSecure Software Security Research TeamsSRX Security Service Gateways
AppSecure direction
Understand security risks
Address new user behaviors
Application Intelligence from User to Data Center
• Subscription service includes all modules and updates• Juniper Security Lab provides 800+ application signatures
AppTrack AppDoS IPS
Block access to risky apps
Allows user tailored policies
Prioritize important apps
Rate limit less important apps
Protect apps from bot attacks
Allow legitimate user traffic
Remediate security threats
Stay current with daily signatures
AppFW AppQoS
INTEGRATED APPLICATION INTELLIGENCE: AppSecure
APPLICATION VISIBILITY
Thank you!
Resources & Further readings
Enterprise Strategy Group: The Network Application Security Architecture RequirementNSS Labs: Q2 2009 IPS Group TestJuniper Networks: ESG - The Network Application Security Architecture RequirementPalo Alto Networks: Academic Freedom or Application Chaos?