Defining the Next-Generation Firewall
Gartner RAS Core Research Note G00171540, John Pescatore, Greg Young, 12 October 2009, R3210 04102010
Firewalls need to evolve to be more proactive in blocking new threats, such as botnets and targeted attacks. Enterprises need to update their network firewall and intrusion prevention capabilities to protect business systems as attacks get more sophisticated.
Key Findings
• The stateful protocol filtering and limited application awareness offered by first-generation firewalls are not effective in dealing with current and emerging threats.
• Using separate firewalls and intrusion prevention appliances results in higher operational costs and no increase in security over an optimized combined platform.
• Next-generation firewalls (NGFWs) are emerging that can detect application-specific attacks and enforce application-specific granular security policy, both inbound and outbound.
• NGFWs will be most effective when working in conjunction with other layers of security controls.
Recommendations
• If you have not yet deployed network intrusion prevention, require NGFW capabilities of all vendors at your next firewall refresh point.
• If you have deployed both network firewalls and network intrusion prevention, synchronize the refresh cycle for both technologies and migrate to NGFW capabilities.
• If you use managed perimeter security services, look to move up to managed NGFW services at the next contract renewal.
WHAT YOU NEED TO KNOW
An NGFW is a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks. There are products today with NGFW characteristics, but these must not be confused with well-marketed first-generation firewalls or products more appropriate for small businesses (see Note 1).
ANALYSIS
Changing business processes, the technology that enterprises deploy, and threats are driving new requirements for network security. Increasing bandwidth demands and new application architectures (such as Web 2.0) are changing how protocols are used and how data is transferred. Threats are focusing on getting vulnerable users to install targeted malicious executables that attempt to avoid detection. Simply enforcing proper protocol use on standard ports and stopping attacks looking for unpatched servers are no longer of sufficient value in this environment. To meet these challenges, firewalls need to evolve into what Gartner has been calling “next-generation firewalls.” If firewall vendors do not make these changes, enterprises will demand price concessions to reduce first-generation firewall costs substantially and look at other security solutions to deal with the new threat environment.
What Is a Next-Generation Firewall?
To meet the current and coming generation of network security threats, Gartner believes firewalls need to evolve yet again to what we have been calling “next-generation firewalls”. For example, threats using botnet delivery methods have largely been invisible to first-generation firewalls. As service-oriented architectures and Web 2.0 grow in use, more communication is going through fewer ports (such as HTTP and HTTPS) and via fewer protocols, meaning port/protocol-based policy has become less relevant and less effective. Deep packet inspection intrusion prevention systems (IPSs) do inspect for known attack methods against operating systems and software that are missing patches, but cannot effectively identify and block the misuse of applications, let alone specific features within applications. Gartner has long used the term “next-generation firewall” to describe the next stage of evolution to deal with these issues.
Gartner defines a network firewall as an in-line security control that implements network security policy between networks of different trust levels in real time. Gartner uses the term “next-generation firewall” to indicate the necessary evolution of a firewall to deal with changes in both the way business processes use IT and the ways attacks try to compromise business systems. As a minimum, an NGFW will have the following attributes:
• Support in-line bump-in-the-wire configuration without disrupting network operations.
• Act as a platform for network traffic inspection and network security policy enforcement, with the following minimum features:
  • Standard first-generation firewall capabilities: Use packet filtering, network-address translation (NAT), stateful protocol inspection, VPN capabilities and so on.
  • Integrated rather than merely colocated network intrusion prevention: Support vulnerability-facing signatures and threat-facing signatures. The IPS interaction with the firewall should be greater than the sum of the parts, such as providing a suggested firewall rule to block an address that is continually loading the IPS with bad traffic. This exemplifies that, in the NGFW, it is the firewall that correlates, rather than the operator having to derive and implement solutions across consoles. Having high quality in the integrated IPS engine and signatures is a primary characteristic. Integration can include features such as providing suggested blocking at the firewall based on IPS inspection of sites only providing malware.
  • Application awareness and full-stack visibility: Identify applications and enforce network security policy at the application layer independent of port and protocol, rather than only by ports, protocols and services. Examples include the ability to allow Skype use but disable file sharing within Skype, or to always block GoToMyPC.
  • Extra-firewall intelligence: Bring information from sources outside the firewall to make improved blocking decisions, or to have an optimized blocking rule base. Examples include using directory integration to tie blocking to user identity, or having blacklists and whitelists of addresses.
• Support upgrade paths for integration of new information feeds and new techniques to address future threats.
Examples of enforcement by an NGFW include blocking or alerting on fine-grained network security policy violations, such as the use of Webmail, anonymizers, peer-to-peer or PC remote control. Simply blocking access to known sources of these services by destination IP address is not enough. Policy granularity requires the blocking of only some types of application communication to an otherwise permissible destination, and redirectors make a definitive blacklist impossible to achieve. In practice, an NGFW can identify and block many undesirable applications even when they are designed to be evasive or are encrypted with SSL. An additional benefit of application identification can be bandwidth control, since removing, for example, undesired peer-to-peer traffic can greatly reduce bandwidth usage.
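As an added illustration of the application-awareness and extra-firewall-intelligence attributes above (example code written for this page, not code from the Gartner note or from any firewall vendor), the Python below is a toy policy engine that identifies the application from the first client bytes of a flow, whether a TLS ClientHello's server_name, an HTTP Host header or a BitTorrent handshake, and then applies a group-aware policy. A first-generation port rule is evaluated beside it for contrast. The user names, directory groups, host-to-application map, policy rules and sample flows are all constructed; the host names are illustrative and the suffix matching stands in for a vendor's application signature database.

```python
"""Toy application-aware policy engine: an added example, not code from the
Gartner note or any vendor.  Users, groups, hosts, rules and flows are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    user: str        # identity learned through directory integration
    dst_port: int
    payload: bytes   # first client-to-server bytes of the connection

DIRECTORY_GROUPS = {"alice": {"sales"}, "bob": {"engineering"}}   # constructed directory snapshot
APP_BY_HOST_SUFFIX = {"gotomypc.com": "gotomypc", "webmail.example.net": "webmail"}  # stands in for an app-ID database
POLICY = [   # first match wins; None means "any user"
    ("gotomypc", None, "block"),        # always block PC remote control
    ("bittorrent", None, "block"),      # peer-to-peer, whatever port it uses
    ("webmail", {"sales"}, "allow"),    # only the sales group may use webmail
    ("webmail", None, "block"),
    ("ssl", None, "allow"),
    ("web-browsing", None, "allow"),
]

def extract_sni(p: bytes) -> Optional[str]:
    """Read server_name from a TLS ClientHello; nothing is decrypted."""
    try:
        if p[0] != 0x16 or p[5] != 0x01:
            return None
        i = 43                                       # record hdr 5 + hs hdr 4 + version 2 + random 32
        i += 1 + p[i]                                # session id
        i += 2 + int.from_bytes(p[i:i + 2], "big")   # cipher suites
        i += 1 + p[i]                                # compression methods
        end = i + 2 + int.from_bytes(p[i:i + 2], "big")
        i += 2
        while i + 4 <= end:
            etype = int.from_bytes(p[i:i + 2], "big")
            elen = int.from_bytes(p[i + 2:i + 4], "big")
            if etype == 0:                           # server_name extension
                data = p[i + 4:i + 4 + elen]
                nlen = int.from_bytes(data[3:5], "big")
                return data[5:5 + nlen].decode("ascii")
            i += 4 + elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None

def http_host(p: bytes) -> Optional[str]:
    for line in p.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None

def app_for_host(host: Optional[str], fallback: str) -> str:
    for suffix, app in APP_BY_HOST_SUFFIX.items():
        if host and (host == suffix or host.endswith("." + suffix)):
            return app
    return fallback

def identify_app(flow: Flow) -> str:
    """Classify by payload characteristics; the destination port is never consulted."""
    p = flow.payload
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if p.startswith(b"\x16\x03"):
        return app_for_host(extract_sni(p), "ssl")
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"CONNECT"):
        return app_for_host(http_host(p), "web-browsing")
    return "unknown"

def ngfw_decision(flow: Flow) -> tuple:
    """Return (application, action); unidentified traffic is denied by default."""
    app = identify_app(flow)
    groups = DIRECTORY_GROUPS.get(flow.user, set())
    for rule_app, rule_groups, action in POLICY:
        if rule_app == app and (rule_groups is None or groups & rule_groups):
            return app, action
    return app, "block"

def port_based_decision(flow: Flow) -> str:
    """First-generation rule: outbound web ports are open, nothing else is."""
    return "allow" if flow.dst_port in (80, 443) else "block"

def client_hello(sni: str) -> bytes:
    """Build a minimal, constructed TLS 1.0 ClientHello carrying one SNI extension."""
    name = sni.encode("ascii")
    sni_ext = (b"\x00\x00" + struct.pack(">H", len(name) + 5) + struct.pack(">H", len(name) + 3)
               + b"\x00" + struct.pack(">H", len(name)) + name)
    body = (b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

SAMPLE_FLOWS = [   # constructed; every flow uses a port the first-generation rule permits
    Flow("alice", 443, client_hello("remote.gotomypc.com")),
    Flow("bob", 80, b"\x13BitTorrent protocol" + bytes(48)),
    Flow("alice", 443, client_hello("webmail.example.net")),
    Flow("bob", 443, client_hello("webmail.example.net")),
    Flow("bob", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        app, action = ngfw_decision(f)
        print(f"{f.user:6}:{f.dst_port}  port-based={port_based_decision(f):5}  app={app:13} ngfw={action}")
```

Running it prints one line per flow: every sample flow goes to port 80 or 443, so the port-based rule allows all of them, while the application-aware engine blocks GoToMyPC and BitTorrent on any port and permits webmail only to the sales group. Note what the SSL case rests on: the engine never decrypts, it reads the server_name that the client sends in the clear during the handshake, which is all a firewall that does not terminate SSL sees of the session, and therefore exactly what an evasive application will try to hide or falsify.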
What Is an NGFW Not?
There are network-based security product spaces that are adjacent to NGFW but not equivalent:
• Small or midsize business (SMB) multifunction firewalls or unified threat management (UTM) devices: These are single appliances that host multiple security functions. While they invariably include first-generation firewall and IPS functions, they do not provide the application awareness functions and are not generally integrated, single-engine products. They are appropriate for cost saving in branch offices and for use by smaller companies, but they do not meet the needs of larger enterprises. This category of exclusion includes first-generation firewalls paired with low-quality IPS, and/or having deep inspection and application control features merely colocated in the appliance rather than tightly integrated so as to be greater than the sum of the parts.

© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner’s research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
• Network-based data loss prevention (DLP) appliances: These perform deep packet inspection of network traffic, but focus on detecting whether previously identified types of data are transiting the inspection point. They implement data security policy with no real-time requirement, not wire-speed network security policy.
• Secure Web gateways (SWGs): These focus on enforcing outbound user access control and inbound malware prevention during HTTP browsing over the Internet, through integrated URL filtering and Web antivirus. They implement a more user-centric Web security policy, not network security policy on an “any source to any destination using any protocol” basis.
• Messaging security gateways: These focus on latency-tolerant outbound content policy enforcement and inbound mail anti-spam and anti-malware enforcement. They do not implement wire-speed network security policy.
While these products may be network-based and use similar technology, they implement security policies that are the responsibility and authority of different operational groups within most businesses. Gartner believes these areas will not converge before IT and security organizational responsibilities have radically changed.
An NGFW is also not an “identity firewall” or an identity-based access control mechanism. In most environments, the network security organization has neither the responsibility nor the authority for enforcing user-based access control policies at the application level. Gartner believes that NGFWs will be able to incorporate user identity information at the group level (that is, shadowing Active Directory) to make better network security decisions, but they will not be routinely used for enforcing granular user-level decisions.
NGFW Adoption
Large enterprises will replace existing firewalls with NGFWs as natural firewall and IPS refresh cycles occur, or as increased bandwidth demands or successful attacks drive upgrades to firewalls. Today, there are a few firewall and IPS vendors that have advanced their products to provide application awareness and some NGFW features, and there are some startup companies that are focused on NGFW capabilities. Gartner believes that changing threat conditions and changing business and IT processes will drive network security managers to look for NGFW capabilities at their next firewall/IPS refresh cycle. The key to successful market penetration by NGFW vendors will be to demonstrate first-generation firewall and IPS features that match current first-generation capabilities while including NGFW capabilities at the same or only slightly higher price points.
Gartner believes that less than 1% of Internet connections today are secured using NGFWs. We believe that by year-end 2014 this will rise to 35% of the installed base, with 60% of new purchases being NGFWs.
Note 1
First-Generation Firewalls
First-generation firewalls came about when connecting trusted internal systems to the Internet resulted in the rapid and disastrous compromise of vulnerable internal systems, as evidenced by the impact of the Morris worm in 1988. Their use evolved to include implementing security separation of internal network segments at different trust levels as well, such as DMZ layers in an extranet or in data center zones. A network firewall can be implemented in a wide range of form factors, but it must always operate at network speeds and, at a minimum, cause no disruption to normal operation of the network.
Standard network security policy consists of two parts:
• Block all that is not explicitly allowed: Early firewalls blocked connections at the source/destination IP address level and then evolved to do so at the port and protocol level. As firewalls matured, this enforcement of proper protocol state became mainstream. More recently, advanced firewalls have developed the capability to recognize and block connections:
  • At the application level
  • Based on characteristics of the source address associated through external information sources (such as geolocation, known sources of malware, or which user is connecting)
• Inspect what is allowed to detect and block attacks and misuse: In the early years of firewalls, proxy-based firewalls performed more detailed inspection of the traffic allowed to pass through the firewall and attempted to detect and block malicious actions. However, early proxy firewalls were software-based and did not have the horsepower to keep up with the increasing speed of networks or the increasing complexity of applications and attacks, and the increase in new applications outstripped the ability to create new application-specific proxies. IPSs based on purpose-built appliances that perform deep packet inspection have evolved as the primary network security control implementing this function.
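The integrated-IPS attribute listed earlier under the NGFW minimum features describes the firewall itself correlating IPS events into a suggested blocking rule for an address that keeps feeding the IPS bad traffic. As an added example of that behaviour applied to the "inspect what is allowed" half of the policy (written for this page, not code from the note or from any product), the Python below counts IPS alerts per source inside a sliding time window, exempts a constructed whitelist of addresses, and emits a suggested deny rule once a source crosses a threshold. The alert line format, signature names, addresses, threshold, window and rule syntax are all constructed and illustrative.

```python
"""IPS-to-firewall correlation: an added example, not code from the Gartner note
or any product.  Alert format, signature names, addresses, thresholds and the
rule syntax are all constructed for the demonstration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

THRESHOLD = 5         # this many IPS hits from one source ...
WINDOW_SECONDS = 60   # ... within this window earn a suggested firewall rule
NEVER_BLOCK = {"10.0.0.5"}   # constructed whitelist, e.g. the authorised vulnerability scanner

@dataclass
class Alert:
    ts: int       # epoch seconds
    src: str
    sig: str
    facing: str   # "vulnerability" (exploit of a known hole) or "threat" (known bad tool or site)

def parse_alert(line: str) -> Alert:
    """Parse one constructed alert line of the form 'ts src signature facing'."""
    ts, src, sig, facing = line.split()
    return Alert(int(ts), src, sig, facing)

class Correlator:
    """Per-source sliding window of alerts; the firewall proposes the block instead
    of the operator deriving it by hand across an IPS console and a firewall console."""

    def __init__(self) -> None:
        self.recent: Dict[str, Deque[Alert]] = defaultdict(deque)
        self.suggested: Dict[str, str] = {}

    def observe(self, a: Alert) -> Optional[str]:
        if a.src in NEVER_BLOCK:
            return None
        q = self.recent[a.src]
        q.append(a)
        while q and a.ts - q[0].ts > WINDOW_SECONDS:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and a.src not in self.suggested:
            n_vuln = sum(1 for x in q if x.facing == "vulnerability")
            rule = (f"deny ip from {a.src} to any"
                    f"  # {len(q)} IPS hits in {WINDOW_SECONDS}s: "
                    f"{n_vuln} vulnerability-facing, {len(q) - n_vuln} threat-facing")
            self.suggested[a.src] = rule
            return rule
        return None

def suggest_rules(lines: List[str]) -> Dict[str, str]:
    """Run the correlator over alert lines; return suggested rules keyed by source."""
    c = Correlator()
    for line in lines:
        c.observe(parse_alert(line))
    return c.suggested

SAMPLE_ALERTS = [   # constructed alert stream, in time order
    "1000 198.51.100.9 smb-stack-overflow vulnerability",
    "1002 203.0.113.4 suspicious-user-agent threat",
    "1005 198.51.100.9 smb-stack-overflow vulnerability",
    "1010 10.0.0.5 ssh-login-burst threat",
    "1011 10.0.0.5 ssh-login-burst threat",
    "1012 10.0.0.5 ssh-login-burst threat",
    "1013 10.0.0.5 ssh-login-burst threat",
    "1014 10.0.0.5 ssh-login-burst threat",
    "1015 198.51.100.9 http-dir-traversal vulnerability",
    "1020 192.0.2.77 botnet-c2-beacon threat",
    "1021 198.51.100.9 known-malware-dropper-site threat",
    "1030 198.51.100.9 sql-injection-probe vulnerability",   # fifth hit inside 60 s
    "1100 192.0.2.77 botnet-c2-beacon threat",
    "1200 192.0.2.77 botnet-c2-beacon threat",
    "1300 192.0.2.77 botnet-c2-beacon threat",
    "1400 192.0.2.77 botnet-c2-beacon threat",   # five hits, but never five in one window
    "1450 203.0.113.4 suspicious-user-agent threat",
]

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_ALERTS).values():
        print(rule)
```

suggest_rules returns the proposals keyed by source: in the sample data only 198.51.100.9 qualifies, the whitelisted scanner 10.0.0.5 is exempt however noisy it is, and 192.0.2.77's five beacons never fall inside one 60-second window. The output is a suggestion for the operator to approve, which matches the note's wording, rather than an automatic change to the rule base.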