
Published on 13-Mar-2018


    Defining the Next-Generation Firewall

    Gartner RAS Core Research Note G00171540, John Pescatore, Greg Young, 12 October 2009, R3210 04102010

    Firewalls need to evolve to be more proactive in blocking new threats, such as botnets and targeted attacks. Enterprises need to update their network firewall and intrusion prevention capabilities to protect business systems as attacks get more sophisticated.

    Key Findings

    • The stateful protocol filtering and limited application awareness offered by first-generation firewalls are not effective in dealing with current and emerging threats.

    • Using separate firewalls and intrusion prevention appliances results in higher operational costs and no increase in security over an optimized combined platform.

    • Next-generation firewalls (NGFWs) are emerging that can detect application-specific attacks and enforce application-specific granular security policy, both inbound and outbound.

    • NGFWs will be most effective when working in conjunction with other layers of security controls.

    Recommendations

    • If you have not yet deployed network intrusion prevention, require NGFW capabilities of all vendors at your next firewall refresh point.

    • If you have deployed both network firewalls and network intrusion prevention, synchronize the refresh cycle for both technologies and migrate to NGFW capabilities.

    • If you use managed perimeter security services, look to move up to managed NGFW services at the next contract renewal.

    WHAT YOU NEED TO KNOW

    An NGFW is a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks. There are products today with NGFW characteristics, but these must not be confused with well-marketed first-generation firewalls or products more appropriate for small businesses (see Note 1).

    ANALYSIS

    Changing business processes, the technology that enterprises deploy, and threats are driving new requirements for network security. Increasing bandwidth demands and new application architectures (such as Web 2.0) are changing how protocols are used and how data is transferred. Threats are focusing on getting vulnerable users to install targeted malicious executables that attempt to avoid detection. Simply enforcing proper protocol use on standard ports and stopping attacks looking for unpatched servers are no longer of sufficient value in this environment. To meet these challenges, firewalls need to evolve into what Gartner has been calling next-generation firewalls. If firewall vendors do not make these changes, enterprises will demand price concessions to reduce first-generation firewall costs substantially and look at other security solutions to deal with the new threat environment.

    What Is a Next-Generation Firewall?

    To meet the current and coming generation of network security threats, Gartner believes firewalls need to evolve yet again to what we have been calling next-generation firewalls. For example, threats using botnet delivery methods have largely been invisible to first-generation firewalls. As service-oriented architectures and Web 2.0 grow in use, more communication is going through fewer ports (such as HTTP and HTTPS) and via fewer protocols, meaning port/protocol-based policy has become less relevant and less effective. Deep packet inspection intrusion prevention systems (IPSs) do inspect for known attack methods against operating systems and software that are missing patches, but cannot effectively identify and block the misuse of applications, let alone specific features within applications. Gartner has long used the term next-generation firewall to describe the next stage of evolution to deal with these issues.

    Gartner defines a network firewall as an in-line security control that implements network security policy between networks of different trust levels in real time. Gartner uses the term next-generation firewall to indicate the necessary evolution of a firewall to deal with changes in both the way business processes use IT and the ways attacks try to compromise business systems. As a minimum, an NGFW will have the following attributes:

    • Support in-line bump-in-the-wire configuration without disrupting network operations.

    • Act as a platform for network traffic inspection and network security policy enforcement, with the following minimum features:

      • Standard first-generation firewall capabilities: Use packet filtering, network-address translation (NAT), stateful protocol inspection, VPN capabilities and so on.

      • Integrated rather than merely colocated network intrusion prevention: Support vulnerability-facing signatures and threat-facing signatures. The IPS interaction with the firewall should be greater than the sum of the parts, such as providing a suggested firewall rule to block an address that is continually loading the IPS with bad traffic. This exemplifies that, in the NGFW, it is the firewall that correlates rather than the operator having to derive and implement solutions across consoles. Having high quality in the integrated IPS engine and signatures is a primary characteristic. Integration can include features such as providing suggested blocking at the firewall based on IPS inspection of sites only providing malware.

      • Application awareness and full stack visibility: Identify applications and enforce network security policy at the application layer independent of port and protocol versus only ports, protocols and services. Examples include the ability to allow Skype use but disable file sharing within Skype or to always block GoToMyPC.

      • Extrafirewall intelligence: Bring information from sources outside the firewall to make improved blocking decisions, or have an optimized blocking rule base. Examples include using directory integration to tie blocking to user identity, or having blacklists and whitelists of addresses.

    • Support upgrade paths for integration of new information feeds and new techniques to address future threats.

    Examples of enforcement by an NGFW include blocking or alerting on fine-grained network security policy violations, such as the use of Webmail, anonymizers, peer-to-peer or PC remote control. Simply blocking access to known sources of these services by destination IP addresses is not enough. Policy granularity requires the blocking of only some types of application communication to an otherwise permissible destination, and redirectors make a definitive blacklist impossible to achieve. This means that there are many undesirable applications that an NGFW can identify and block even when they are designed to be evasive or are encrypted with SSL. An additional benefit of application identification can be bandwidth control, since removing, for example, undesired peer-to-peer traffic can greatly reduce the bandwidth usage.

    What Is an NGFW Not?

    There are network-based security product spaces that are adjacent to NGFW but not equivalent:

    • Small or midsize business (SMB) multifunction firewalls or unified threat management (UTM) devices: These are single appliances that host multiple security functions. While they invariably include first-generation firewall and IPS functions, they do not provide the application awareness functions and are not generally integrated, single-engine products. They are appropriate for cost saving in branch offices and for use by smaller companies, but they do not meet the needs of larger enterprises. This category of exclusion includes first-generation firewalls paired with low-quality IPS, and/or having deep inspection and application control features merely colocated in the appliance rather than a tight integration, which is greater than the sum of the parts.

    2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

    • Network-based data loss prevention (DLP) appliances: These perform deep packet inspection of network traffic, but focus on detecting if previously identified types of data are transiting the inspection point. They implement data security policy with no real-time requirement, not wire-speed network security policy.

    • Secure Web gateways (SWGs): These focus on enforcing outbound user access control and inbound malware prevention during HTTP browsing over the Internet, through integrated URL filtering and through Web antivirus. They implement more user-centric Web security policy, not network security policy, on an any source to any destination using any protocol basis.

    • Messaging security gateways: These focus on latency-tolerant outbound content policy enforcement and inbound mail anti-spam and anti-malware enforcement. They do not implement wire-speed network security policy.

    While these products may be network-based and use similar technology, they implement security policies that are the responsibility and authority of different operational groups within most businesses. Gartner believes these areas will not converge before IT and security organizational responsibilities have radically changed.

    An NGFW is also not an identity firewall or an identity-based access control mechanism. In most environments, the network security organization has neither the responsibility nor the authority for enforcing user-based access control policies at the application level. Gartner believes that NGFWs will be able to incorporate user identity information at the group level (that is, shadowing Active Directory) to make better network security decisions, but they will not be routinely used for enforcing granular user-level enforcement decisions.

    NGFW Adoption

    Large enterprises will replace existing firewalls with NGFWs as natural firewall and IPS refresh cycles occur or as increased bandwidth demands or successful attacks drive upgrades to firewalls. Today, there are a few firewall and IPS vendors that have advanced their products to provide application awareness and some NGFW features, and there are some startup companies that are focused on NGFW capabilities. Gartner believes that changing threat conditions and changing business and IT processes will drive network security managers to look for NGFW capabilities at their next firewall/IPS refresh cycle. The key to successful market penetration by NGFW vendors will be to demonstrate first-generation firewall and IPS features that match current first-generation capabilities while including NGFW capabilities at the same or only slightly higher price points.

    Gartner believes that less than 1% of Internet connections today are secured using NGFWs. We believe that by year-end 2014 this will rise to 35% of the installed base, with 60% of new purchases being NGFWs.

    Note 1

    First-Generation Firewalls

    First-generation firewalls came about when connecting trusted internal systems to the Internet resulted in the rapid and disastrous compromise of vulnerable internal systems, as evidenced by the impact of the Morris worm in 1988. Their use evolved to include implementing security separation of internal network segments at different trust levels as well, such as DMZ layers in an extranet or in data center zones. A network firewall can be implemented in a wide range of form factors, but it must always operate at network speeds and, at a minimum, cause no disruption to normal operation of the network.

    Standard network security policy consists of two parts:

    • Block all that is not explicitly allowed: Early firewalls blocked connections at the source/destination IP address level and then evolved to do so at the port and protocol level. As firewalls matured, this enforcement of proper protocol state became mainstream. More recently, advanced firewalls have developed the capability to recognize and block connections:

      • At the application level

      • Based on characteristics of the source address associated through external information sources (such as geolocation, known sources for malware, or which user is connecting)

    • Inspect what is allowed to detect and block attacks and misuse: In the early years of firewalls, proxy-based firewalls performed more detailed inspection of the traffic allowed to pass through the firewall and attempted to detect and block malicious actions. However, early proxy firewalls were software-based and did not have the horsepower to keep up with the increasing speed of networks or the increasing complexity of applications and attacks, and the increase in new applications outstripped the ability to create new application-specific proxies. IPSs based on purpose-built appliances, to perform deep packet inspection, have evolved as the primary network security control implementing this function.
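    As an added illustration, not part of the Gartner note and not any vendor's code, the Python model below ties together the NGFW attribute list under "What Is a Next-Generation Firewall?" and the two-part policy in Note 1. It decides on flows by the application the inspection engine identified and by directory group rather than by port (so port 443 carries both allowed Web traffic and blocked Skype file transfers), consults an address blocklist as extrafirewall intelligence, falls back to "block all that is not explicitly allowed", and lets repeated IPS events from one source turn into a firewall block suggestion that the firewall itself correlates. The application labels, rule names, user groups, addresses (documentation ranges) and the IPS hit threshold are all constructed assumptions for this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed, simplified model of the NGFW decision attributes described in the
# note; names, rule base, sample flows and thresholds are assumptions for this example.


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str         # application label from the inspection engine (assumed output)
    user_group: str  # directory group attached to the source (assumed lookup)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "block"
    apps: FrozenSet[str]                   # application labels the rule matches
    groups: FrozenSet[str] = frozenset()   # empty set = any user group


@dataclass(frozen=True)
class Decision:
    action: str
    reason: str


class NgfwPolicy:
    """Application-aware, default-deny policy with an address blocklist fed by IPS events."""

    def __init__(self, rules: List[Rule], blocklist=(), ips_threshold: int = 3):
        self.rules = list(rules)
        self.blocklist = set(blocklist)
        self.ips_threshold = ips_threshold
        self.ips_hits: Counter = Counter()
        self.suggested_rules: List[str] = []

    def decide(self, flow: Flow) -> Decision:
        # Extrafirewall intelligence: blocklisted addresses are refused first, whatever the app.
        if flow.src_ip in self.blocklist or flow.dst_ip in self.blocklist:
            return Decision("block", "address on blocklist")
        # Application awareness: match on identified application and user group, never on
        # the destination port, so one port can carry both allowed and blocked applications.
        for rule in self.rules:
            if flow.app in rule.apps and (not rule.groups or flow.user_group in rule.groups):
                return Decision(rule.action, f"rule {rule.name}")
        # Block all that is not explicitly allowed.
        return Decision("block", "default deny")

    def ips_event(self, src_ip: str, signature: str) -> Optional[str]:
        """Integrated IPS: after repeated hits from one source, the firewall itself
        correlates and proposes (and here applies) a blocking rule."""
        self.ips_hits[src_ip] += 1
        if self.ips_hits[src_ip] >= self.ips_threshold and src_ip not in self.blocklist:
            self.blocklist.add(src_ip)
            suggestion = (f"block src {src_ip}: {self.ips_hits[src_ip]} IPS events, "
                          f"last signature {signature}")
            self.suggested_rules.append(suggestion)
            return suggestion
        return None


# Constructed rule base mirroring the note's examples: allow Skype calls for staff,
# block file sharing inside Skype, always block GoToMyPC, allow ordinary Web traffic.
RULES = [
    Rule("block-skype-filetransfer", "block", frozenset({"skype-filetransfer"})),
    Rule("allow-skype-calls", "allow", frozenset({"skype"}), frozenset({"staff"})),
    Rule("block-gotomypc", "block", frozenset({"gotomypc"})),
    Rule("allow-web", "allow", frozenset({"http", "https"})),
]


def build_policy() -> NgfwPolicy:
    # 203.0.113.9 is a constructed (documentation-range) blocklisted address.
    return NgfwPolicy(RULES, blocklist={"203.0.113.9"})


def demo() -> Dict[str, str]:
    """Run constructed flows through the policy; every flow below uses port 443."""
    policy = build_policy()
    flows = {
        "https-staff": Flow("10.0.0.5", "198.51.100.20", 443, "https", "staff"),
        "skype-call-staff": Flow("10.0.0.5", "198.51.100.21", 443, "skype", "staff"),
        "skype-call-contractor": Flow("10.0.0.6", "198.51.100.21", 443, "skype", "contractor"),
        "skype-filetransfer": Flow("10.0.0.5", "198.51.100.21", 443, "skype-filetransfer", "staff"),
        "gotomypc": Flow("10.0.0.7", "198.51.100.22", 443, "gotomypc", "staff"),
        "bittorrent": Flow("10.0.0.8", "198.51.100.23", 443, "bittorrent", "staff"),
        "to-blocklisted": Flow("10.0.0.5", "203.0.113.9", 443, "https", "staff"),
    }
    results = {name: policy.decide(flow).action for name, flow in flows.items()}
    # Three IPS hits from one external source become a firewall block suggestion.
    for _ in range(3):
        policy.ips_event("198.51.100.7", "exploit-attempt")  # constructed signature name
    results["after-ips-correlation"] = policy.decide(
        Flow("198.51.100.7", "10.0.0.5", 443, "https", "staff")).action
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:24s} {action}")
```

    Running the block shows the contrast the note draws: the Skype call and the Skype file transfer share the same destination and port and get opposite decisions, the BitTorrent flow on port 443 is blocked with no rule mentioning it at all, and the source that tripped the IPS three times is blocked by the firewall without an operator copying an address between consoles.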
