Download pdf - Defining the Next-Generation Firewall - CustomPublishimg1.custompublish.com/.../Defining+the+Next-Generation+Firewall.pdf• Next-generation firewalls ... Gartner has long used the

Transcript
Page 1: Defining the Next-Generation Firewall - CustomPublishimg1.custompublish.com/.../Defining+the+Next-Generation+Firewall.pdf• Next-generation firewalls ... Gartner has long used the

Defining the Next-Generation Firewall

Gartner RAS Core Research Note G00171540, John Pescatore, Greg Young, 12 October 2009, R3210 04102010

Firewalls need to evolve to be more proactive in blocking new threats, such as botnets and targeted attacks. Enterprises need to update their network firewall and intrusion prevention capabilities to protect business systems as attacks get more sophisticated.

Key Findings

• Thestatefulprotocolfilteringandlimitedapplicationawarenessofferedbyfirst-generationfirewallsarenoteffectiveindealingwithcurrentandemergingthreats.

• Usingseparatefirewallsandintrusionpreventionappliancesresultsinhigheroperationalcostsandnoincreaseinsecurityoveranoptimizedcombinedplatform.

• Next-generationfirewalls(NGFWs)areemergingthatcandetectapplication-specificattacksandenforceapplication-specificgranularsecuritypolicy,bothinboundandoutbound.

• NGFWswillbemosteffectivewhenworkinginconjunctionwithotherlayersofsecuritycontrols.

Recommendations

• Ifyouhavenotyetdeployednetworkintrusionprevention,requireNGFWcapabilitiesofallvendorsatyournextfirewallrefreshpoint.

• Ifyouhavedeployedbothnetworkfirewallsandnetworkintrusionprevention,synchronizetherefreshcycleforbothtechnologiesandmigratetoNGFWcapabilities.

• Ifyouusemanagedperimetersecurityservices,looktomoveuptomanagedNGFWservicesatthenextcontractrenewal.

WHAT YOU NEED TO KNOWAnNGFWisawire-speedintegratednetworkplatformthatperformsdeepinspectionoftrafficandblockingofattacks.ThereareproductstodaywithNGFWcharacteristics,butthesemustnotbeconfusedwithwell-marketedfirst-generationfirewallsorproductsmoreappropriateforsmallbusinesses(seeNote1).

Page 2: Defining the Next-Generation Firewall - CustomPublishimg1.custompublish.com/.../Defining+the+Next-Generation+Firewall.pdf• Next-generation firewalls ... Gartner has long used the

2ANALYSISChangingbusinessprocesses,thetechnologythatenterprisesdeploy,andthreatsaredrivingnewrequirementsfornetworksecurity.Increasingbandwidthdemandsandnewapplicationarchitectures(suchasWeb2.0)arechanginghowprotocolsareusedandhowdataistransferred.Threatsarefocusingongettingvulnerableuserstoinstalltargetedmaliciousexecutablesthatattempttoavoiddetection.Simplyenforcingproperprotocoluseonstandardportsandstoppingattackslookingforunpatchedserversarenolongerofsufficientvalueinthisenvironment.Tomeetthesechallenges,firewallsneedtoevolveintowhatGartnerhasbeencalling“next-generationfirewalls.”Iffirewallvendorsdonotmakethesechanges,enterpriseswilldemandpriceconcessionstoreducefirst-generationfirewallcostssubstantiallyandlookatothersecuritysolutionstodealwiththenewthreatenvironment.

What Is a Next-Generation Firewall?Tomeetthecurrentandcominggenerationofnetworksecuritythreats,Gartnerbelievesfirewallsneedtoevolveyetagaintowhatwehavebeencalling“next-generationfirewalls”.Forexample,threatsusingbotnetdeliverymethodshavelargelybeeninvisibletofirst-generationfirewalls.Asservice-orientedarchitecturesandWeb2.0growinuse,morecommunicationisgoingthroughfewerports(suchasHTTPandHTTPS)andviafewerprotocols,meaningport/protocol-basedpolicyhasbecomelessrelevantandlesseffective.Deeppacketinspectionintrusionpreventionsystems(IPSs)doinspectforknownattackmethodsagainstoperatingsystemsandsoftwarethataremissingpatches,butcannoteffectivelyidentifyandblockthemisuseofapplications,letalonespecificfeatureswithinapplications.Gartnerhaslongusedtheterm“next-generationfirewall”todescribethenextstageofevolutiontodealwiththeseissues.

Gartnerdefinesanetworkfirewallasanin-linesecuritycontrolthatimplementsnetworksecuritypolicybetweennetworksofdifferenttrustlevelsinrealtime.Gartnerusestheterm“next-generationfirewall”toindicatethenecessaryevolutionofafirewalltodealwithchangesinboththewaybusinessprocessesuseITandthewaysattackstrytocompromisebusinesssystems.Asaminimum,anNGFWwillhavethefollowingattributes:

• Supportin-linebump-in-the-wireconfigurationwithoutdisruptingnetworkoperations.

• Actasaplatformfornetworktrafficinspectionandnetworksecuritypolicyenforcement,withthefollowingminimumfeatures:

• Standardfirst-generationfirewallcapabilities:Usepacketfiltering,network-addresstranslation(NAT),statefulprotocolinspection,VPNcapabilitiesandsoon.

• Integratedratherthanmerelycolocatednetworkintrusionprevention:Supportvulnerability-facingsignaturesandthreat-facingsignatures.TheIPSinteractionwiththefirewallshouldbegreaterthanthesumoftheparts,suchasprovidingasuggestedfirewallruletoblockanaddressthatiscontinuallyloadingtheIPSwithbadtraffic.Thisexemplifiesthat,intheNGFW,itisthefirewallcorrelatesratherthantheoperatorhavingtoderiveandimplementsolutionsacrossconsoles.HavinghighqualityintheintegratedIPSengineandsignaturesisaprimarycharacteristic.IntegrationcanincludefeaturessuchasprovidingsuggestedblockingatthefirewallbasedonIPSinspectionofsitesonlyprovidingmalware.

• Applicationawarenessandfullstackvisibility:Identifyapplicationsandenforcenetworksecuritypolicyattheapplicationlayerindependentofportandprotocolversusonlyports,protocolsandservices.ExamplesincludetheabilitytoallowSkypeusebutdisablefilesharingwithinSkypeortoalwaysblockGoToMyPC.

• Extrafirewallintelligence:Bringinformationfromsourcesoutsidethefirewalltomakeimprovedblockingdecisions,orhaveanoptimizedblockingrulebase.Examplesincludeusingdirectoryintegrationtotieblockingtouseridentity,orhavingblacklistsandwhitelistsofaddresses.

• Supportupgradepathsforintegrationofnewinformationfeedsandnewtechniquestoaddressfuturethreats.

ExamplesofenforcementbyanNGFWincludeblockingoralertingonfine-grainednetworksecuritypolicyviolations,suchastheuseofWebmail,anonymizers,peer-to-peerorPCremotecontrol.SimplyblockingaccesstoknownsourcesoftheseservicesbydestinationIPaddressesisnotenough.Policygranularityrequirestheblockingofonlysometypesofapplicationcommunicationtoanotherwisepermissibledestination,andredirectorsmakeadefinitiveblacklistimpossibletoachieve.ThismeansthattherearemanyundesirableapplicationsthatanNGFWcanidentifyandblockevenwhentheyaredesignedtobeevasiveorareencryptedwithSSL.Anadditionalbenefitofapplicationidentificationcanbebandwidthcontrol,sinceremoving,forexample,undesiredpeer-to-peertrafficcangreatlyreducethebandwidthusage.

What Is an NGFW Not?Therearenetwork-basedsecurityproductspacesthatareadjacenttoNGFWbutnotequivalent:

• Small or midsize business (SMB) multifunction firewalls or unified threat management (UTM) devices:Thesearesingleappliancesthathostmultiplesecurityfunctions.Whiletheyinvariablyincludefirst-generationfirewallandIPSfunctions,theydonotprovidetheapplicationawarenessfunctionsandarenotgenerallyintegrated,single-engineproducts.Theyareappropriateforcostsavinginbranchofficesandforuseby

©2009Gartner,Inc.and/oritsAffiliates.AllRightsReserved.Reproductionanddistributionofthispublicationinanyformwithoutpriorwrittenpermissionisforbidden.Theinformationcontainedhereinhasbeenobtainedfromsourcesbelievedtobereliable.Gartnerdisclaimsallwarrantiesastotheaccuracy,completenessoradequacyofsuchinformation.AlthoughGartner’sresearchmaydiscusslegalissuesrelatedtotheinformationtechnologybusiness,Gartnerdoesnotprovidelegaladviceorservicesanditsresearchshouldnotbeconstruedorusedassuch.Gartnershallhavenoliabilityforerrors,omissionsorinadequaciesintheinformationcontainedhereinorforinterpretationsthereof.Theopinionsexpressedhereinaresubjecttochangewithoutnotice.

Page 3: Defining the Next-Generation Firewall - CustomPublishimg1.custompublish.com/.../Defining+the+Next-Generation+Firewall.pdf• Next-generation firewalls ... Gartner has long used the

3smallercompanies,buttheydonotmeettheneedsoflargerenterprises.Thiscategoryofexclusionincludesfirst-generationfirewallspairedwithlow-qualityIPS,and/orhavingdeepinspectionandapplicationcontrolfeaturesmerelycolocatedintheapplianceratherthanatightintegration,whichisgreaterthanthesumoftheparts.

• Network-based data loss prevention (DLP) appliances: Theseperformdeeppacketinspectionofnetworktraffic,butfocusondetectingifpreviouslyidentifiedtypesofdataaretransitingtheinspectionpoint.Theyimplementdatasecuritypolicywithnoreal-timerequirement,notwire-speednetworksecuritypolicy.

• Secure Web gateways (SWGs): ThesefocusonenforcingoutbounduseraccesscontrolandinboundmalwarepreventionduringHTTPbrowsingovertheInternet,throughintegratedURLfilteringandthroughWebantivirus.Theyimplementmoreuser-centricWebsecuritypolicy,notnetworksecuritypolicy,onan“anysourcetoanydestinationusinganyprotocol”basis.

• Messaging security gateways:Thesefocusonlatency-tolerantoutboundcontentpolicyenforcementandinboundmailanti-spamandanti-malwareenforcement.Theydonotimplementwire-speednetworksecuritypolicy.

Whiletheseproductsmaybenetwork-basedandusesimilartechnology,theyimplementsecuritypoliciesthataretheresponsibilityandauthorityofdifferentoperationalgroupswithinmostbusinesses.GartnerbelievestheseareaswillnotconvergebeforeITandsecurityorganizationalresponsibilitieshaveradicallychanged.

AnNGFWisalsonotan“identityfirewall”oranidentity-basedaccesscontrolmechanism.Inmostenvironments,thenetworksecurityorganizationhasneithertheresponsibilitynortheauthorityforenforcinguser-basedaccesscontrolpoliciesattheapplicationlevel.GartnerbelievesthatNGFWswillbeabletoincorporateuseridentityinformationatthegrouplevel(thatis,shadowingActiveDirectory)tomakebetternetworksecuritydecisions,buttheywillnotberoutinelyusedforenforcinggranularuser-levelenforcementdecisions.

NGFW AdoptionLargeenterpriseswillreplaceexistingfirewallswithNGFWsasnaturalfirewallandIPSrefreshcyclesoccurorasincreasedbandwidthdemandsorsuccessfulattacksdriveupgradestofirewalls.Today,thereareafewfirewallandIPSvendorsthathaveadvancedtheirproductstoprovideapplicationawarenessandsomeNGFWfeatures,andtherearesomestartupcompaniesthatarefocusedonNGFWcapabilities.GartnerbelievesthatchangingthreatconditionsandchangingbusinessandITprocesseswilldrivenetworksecuritymanagerstolookforNGFWcapabilitiesattheirnextfirewall/IPSrefreshcycle.ThekeytosuccessfulmarketpenetrationbyNGFWvendorswillbetodemonstratefirst-generationfirewallandIPSfeaturesthatmatchcurrentfirst-generationcapabilitieswhileincludingNGFWcapabilitiesatthesameoronlyslightlyhigherpricepoints.

Gartnerbelievesthatlessthan1%ofInternetconnectionstodayaresecuredusingNGFWs.Webelievethatbyyear-end2014thiswillriseto35%oftheinstalledbase,with60%ofnewpurchasesbeingNGFWs.

Note 1

First-Generation Firewalls

First-generationfirewallscameaboutwhenconnectingtrustedinternalsystemstotheInternetresultedintherapidanddisastrouscompromiseofvulnerableinternalsystems,asevidencedbytheimpactoftheMorriswormin1988.Theiruseevolvedtoincludeimplementingsecurityseparationofinternalnetworksegmentsatdifferenttrustlevelsaswell,suchasDMZlayersinanextranetorindatacenterzones.Anetworkfirewallcanbeimplementedinawiderangeofformfactors,butitmustalwaysoperateatnetworkspeedsand,ataminimum,causenodisruptiontonormaloperationofthenetwork.

Standardnetworksecuritypolicyconsistsoftwoparts:

• Block all that is not explicitly allowed: Earlyfirewallsblockedconnectionsatthesource/destinationIPaddresslevelandthenevolvedtodosoattheportandprotocollevel.Asfirewallsmatured,thisenforcementofproperprotocolstatebecamemainstream.Morerecently,advancedfirewallshavedevelopedthecapabilitytorecognizeandblockconnections:

• Attheapplicationlevel

• Basedoncharacteristicsofthesourceaddressassociatedthroughexternalinformationsources(suchasgeolocation,knownsourcesformalware,orwhichuserisconnecting)

• Inspect what is allowed to detect and block attacks and misuse: Intheearlyyearsoffirewalls,proxy-basedfirewallsperformedmoredetailedinspectionofthetrafficallowedtopassthroughthefirewallandattemptedtodetectandblockmaliciousactions.However,earlyproxyfirewallsweresoftware-basedanddidnothavethehorsepowertokeepupwiththeincreasingspeedofnetworksortheincreasingcomplexityofapplicationsandattacks,andtheincreaseinnewapplicationsoutstrippedtheabilitytocreatenewapplication-specificproxies.IPSsbasedonpurpose-builtappliances,toperformdeeppacketinspection,haveevolvedastheprimarynetworksecuritycontrolimplementingthisfunction.


Recommended

Overview of Next Generation Sequencing platform … 2012/0305 - Timmermann.pdf · Next Generation Sequencing Core Facility ... Overview of Next Generation Sequencing ... Next-Gen
Overview of Next Generation Sequencing platform … 2012/0305 - Timmermann.pdf · Next Generation Sequencing Core Facility ... Overview of Next Generation Sequencing ... Next-Gen Documents
“Next Generation” Technologies for the “Next Generation” Library User
“Next Generation” Technologies for the “Next Generation” Library User Documents
Next Generation Intel MPI product for next generation
Next Generation Intel MPI product for next generation Documents
Next Generation Airmen, Next Generation Fighter! 138th
Next Generation Airmen, Next Generation Fighter! 138th Documents
Defining Requirements and Execution of International Field ... · Defining Requirements and Execution of International Field Trials for Next Generation FMD Vaccines and Diagnostics
Defining Requirements and Execution of International Field ... · Defining Requirements and Execution of International Field Trials for Next Generation FMD Vaccines and Diagnostics Documents
Next Generation Workflows for Next Generation Libraries
Next Generation Workflows for Next Generation Libraries Education
next generation Application Development and Maintenance ... · next generation ADM | the way we do it next generation Application Development and Maintenance next generation Application
next generation Application Development and Maintenance ... · next generation ADM | the way we do it next generation Application Development and Maintenance next generation Application Documents
Next generation genetics for the next generation: Dr David
Next generation genetics for the next generation: Dr David Documents
Defining Next Generation Supply Chain Sustainability
Defining Next Generation Supply Chain Sustainability Documents
Wi-Fi�: Next Generation WLANs for Next-Generation Applications
Wi-Fi�: Next Generation WLANs for Next-Generation Applications Economy & Finance
The Next Generation Air The Next Generation Air Transportation
The Next Generation Air The Next Generation Air Transportation Documents
DEFINING MANHOOD FOR THE NEXT GENERATION
DEFINING MANHOOD FOR THE NEXT GENERATION Documents
Meet the Next Generation Firewall (NGFW). Defining a Next Generation Firewall (NGFW): Firewalling Intrusion Prevention Application Control #1 An NGFW
Meet the Next Generation Firewall (NGFW). Defining a Next Generation Firewall (NGFW): Firewalling Intrusion Prevention Application Control #1 An NGFW Documents
Next Generation English Language Arts and Mathematics ... - Next Generation... · Next Generation English Language Arts and ... The Power of Collaboration ... added to the Next Generation
Next Generation English Language Arts and Mathematics ... - Next Generation... · Next Generation English Language Arts and ... The Power of Collaboration ... added to the Next Generation Documents
The Next Generation of Next Generation Learning
The Next Generation of Next Generation Learning Documents
RC the Next Generation 20111RC - The Next Generation
RC the Next Generation 20111RC - The Next Generation Documents
Enterprise Situational Awareness at MITRE: Defining the ... · Enterprise Situational Awareness at MITRE: Defining the Next Generation Internet Suzette Stoutenburg, Amy Kazura, Richard
Enterprise Situational Awareness at MITRE: Defining the ... · Enterprise Situational Awareness at MITRE: Defining the Next Generation Internet Suzette Stoutenburg, Amy Kazura, Richard Documents
Next Generation Devices for Next Generation Users
Next Generation Devices for Next Generation Users Technology