
Beyond the capabilities of ad hoc supplements to legacy systems, a next generation of network security was needed to be ready to address advanced and emerging threats.

In this module, we will discuss how development and deployment of the Next Generation Firewall (NGFW) provides network administrators added and deeper visibility and security control compared to traditional firewalls.

This module will include discussion on the following topics:

- Next Generation Firewall (NGFW) characteristics, including a brief background on development from legacy firewalls.
- Extended capabilities added to NGFW that provide advanced features to counter newly developed advanced threats, including the impact of an ever-increasing mobile workforce and population as a whole.
- NGFW deployment, including the benefits and tradeoffs of different tactics.
- NGFW functions, including how potential network intruders may be treated.

The module will end with a summary and an opportunity for questions and answers.

At the conclusion of this module, you will understand:

- How and why NGFW characteristics improve on legacy systems to provide better network security through enhanced options.
- How and why the use of new technologies extends NGFW capabilities to prepare for emerging threats.
- The ways that NGFW may be deployed to provide balance between security functions and the needs and resources of the organization.
- How NGFW identifies threats and protects the network, including the use of sandbox technology and new capabilities with Advanced Threat Protection (ATP).

Just because you're paranoid that hackers are trying to steal your data doesn't mean they're not really out to get you!

Trends in information technology development and employment over the last 15 years have led to the need to rethink the methodology behind modern network security. Compounding the challenge, these trends occurred simultaneously in major industry, at all levels of business, and in personal consumer environments.

The consumerization of IT has resulted in IT-enabled devices, such as smartphones, digital music and video players, recorders, cameras, and others, becoming so commonplace in the market that their lower pricing resulted in an explosion of individual consumers acquiring technology-enabled devices for personal use. This extends beyond the obvious devices listed above. IT-enabled devices now include such appliances as refrigerator/freezers, home security systems, personal home networks that include WiFi-enabled televisions, stereos, and even the automated smart house. In other words, what we have to be mindful of today is the Internet of Things (IoT) when we acquire devices and appliances.

Because consumers have embraced technology devices for both communication and information sharing, social media has been embraced at the business level as a way to reach consumer markets and supplement Web and traditional marketing and communication pathways. With so many applications, especially social media, being cloud based, the challenge of network security expands beneath the surface of traffic and into substance.

With the proliferation of inexpensive, technology-enabled devices interacting with business networks, including both external users and those using personal devices for work purposes (Bring Your Own Device, BYOD), the question becomes one of how to provide security, network visibility, control, and user visibility simultaneously without an exponential increase in required resources.

The primary benefits of NGFW are visibility and control of traffic entering the firewall ports. In legacy firewalls, ports were opened and closed, or protocols allowed or disallowed, without consideration beyond basic characteristics.
With NGFW, administrators are provided finer granularity that provides deeper insight into the traffic attempting to access the network. This includes visibility of users and devices, as well as the ability to allow or limit access based on specific applications and content rather than accepting or rejecting any traffic using a particular transmission protocol. This is the primary difference that separates traditional and next generation firewalls (NGFW).


NGFW provides enhancements in both complex security protection and administrator control simplicity over traditional firewalls.

Edge Firewall                 | NGFW
------------------------------|--------------------------------------------
Gatekeeper                    | Gatekeeper
ISO/OSI L4 Port Protocol      | Application-Centric (Content Flow) Protocol
Basic Security + Add-ons      | Integrated Security Solutions
Complex Architecture          | Integrated Architecture
Complex Control               | Simplified Control
Simple Moderate Security      | Integrated Complex Security

These diagrams better illustrate the visibility and control capability provided when NGFW is integrated into the network security architecture.
Note that the ports are identified with traffic flowing through them as well as specific information about the user sending the traffic, traffic origin, and the type (content) of traffic being received. This information goes beyond the basic link level and brings security into OSI levels 3 & 4 (application security capability).



The concept of Next Generation Firewall (NGFW) was first mentioned in Gartner's 2004 paper titled "Next-Generation Firewalls Will Include Intrusion Protection". The focus of that effort was including technologies such as Deep Packet Inspection (DPI), Intrusion Prevention System (IPS), and general application inspection capabilities in order to:
- Stop threats like worms and viruses
- Extend protection to the application layer to stop packets with malicious payloads

The NGFW concept emerged over a five-year period from its original definition by Gartner in 2004.
- (2004): Firewall with integrated IPS coupled with Deep Packet Inspection (DPI) and general application inspection capabilities.
- (2008): Redefined as security devices including an enterprise-level firewall with integrated IPS or DPI, application identification, and extra-firewall intelligence (such as Web content filtering).
- (2009): New definition published, defining NGFW as including VPN, integrated IPS operability with firewall components, application awareness, and extra-firewall+ intelligence.


The NGFW Concept


Traditional NGFW provides solutions against a wide range of advanced threats against applications, data, and users.
Traditional NGFW integrates multiple capabilities to combat emerging threats, including:
Intrusion Prevention System (IPS). Sometimes called integrated IDS/IPS. Monitors the network and directs the firewall to allow or block traffic. An Intrusion Detection System (IDS) detects threats but does not alert the firewall to take action against identified threats or unknown traffic. IDS is integrated into IPS technology.
Deep Packet Inspection (DPI). Examines packets for protocol errors, viruses, spam, intrusions, or policy violations.

Network Application Identification & Control. Allows application ID & control on networks & endpoints regardless of port, protocol, or IP address used.
Access Enforcement (User Identity). Allows access based on a list of names, IP addresses, or Active Directory (AD) groups.

Distributed Enterprise-level Capability. Capable of operating in large, distributed enterprise networks.
Extra-firewall Intelligence. This provides the ability to create lists for access or denial of external traffic to the network. These lists may be designated by IP address. List types include:
- White List. Designated sources considered trusted that will be allowed access to the network.
- Black List. Designated sources considered not trusted that will be denied access to the network.
A key point to this function is that the source is based on an address; therefore, access does not relate to any specific type of information that may be carried on traffic from that source. This is a surface screening rather than a content screening function.
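As an added illustration (not from the course notes) of two points made above, the Python below models the legacy port/protocol decision beside an application-centric NGFW policy that also sees user identity and content category, with an address-based block list acting as the surface screen described for extra-firewall intelligence. All rules, addresses, users and application names are constructed sample values.

```python
from collections import namedtuple

# One connection as the firewall sees it (constructed sample data): user comes from
# AD/LDAP integration, app is identified regardless of port, category from web filtering.
Flow = namedtuple("Flow", "src_ip dst_port proto user app category")

# Legacy edge firewall: the decision uses only the L4 port and protocol.
LEGACY_RULES = [("tcp", 443, "allow"), ("tcp", 80, "allow")]

def legacy_verdict(flow):
    for proto, port, action in LEGACY_RULES:
        if flow.proto == proto and flow.dst_port == port:
            return action
    return "deny"  # implicit deny at the end of the rule base

# Extra-firewall intelligence: an address-based block list. This is a surface
# screen: the source address alone decides, whatever the traffic carries.
BLOCK_LIST = {"203.0.113.7"}

# NGFW policy: application-centric rules, evaluated top-down, first match wins.
# A rule names only the fields it cares about; absent fields are wildcards.
NGFW_RULES = [
    {"app": "bittorrent", "action": "deny"},
    {"category": "phishing", "action": "deny"},
    {"user": "guest", "app": "https", "action": "deny"},
    {"app": "https", "action": "allow"},
    {"app": "http", "action": "allow"},
]

def ngfw_verdict(flow):
    if flow.src_ip in BLOCK_LIST:
        return "deny"
    for rule in NGFW_RULES:
        if all(getattr(flow, k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "deny"

# Constructed flows: every one uses a port the legacy rule base leaves open.
SAMPLE_FLOWS = [
    Flow("198.51.100.4", 443, "tcp", "alice", "https", "business"),
    Flow("198.51.100.9", 443, "tcp", "bob", "bittorrent", "p2p"),
    Flow("198.51.100.12", 80, "tcp", "carol", "http", "phishing"),
    Flow("198.51.100.15", 443, "tcp", "guest", "https", "business"),
    Flow("203.0.113.7", 443, "tcp", "dave", "https", "business"),
]

def compare(flows=SAMPLE_FLOWS):
    """Map (user, app) -> (legacy verdict, NGFW verdict) for each flow."""
    return {(f.user, f.app): (legacy_verdict(f), ngfw_verdict(f)) for f in flows}
```

Only the first flow gets the same answer from both engines; the legacy rule base passes the other four because each rides an open port, which is exactly the gap the notes describe.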

Interoperable with Third-Party Management. Works with Managed Security Service Provider (MSSP) administration.
VPN. Includes Virtual Private Network capability.

Application Awareness. Maintains a profile library for applications run or controlled by the network or subsystems.


As their names would suggest, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) accomplish different tasks.
Stand-alone IDS only detects and identifies potential threats, but does not take action against the identified threats.
IPS, on the other hand, takes action against threats, preventing them from exploiting system vulnerabilities; however, the purpose of IPS is to react to detected threats.
The best defense system is an integrated IDS/IPS system, such as those incorporated in some NGFW, such as the FortiGate line of NGFW appliances and UTM systems, in order to both detect and prevent threats from intruding and exploiting protected networks.

Another function of NGFW is providing Secure Sockets Layer (SSL) encrypted traffic inspection. SSL inspection allows for decryption of SSL traffic, inspection of the contained data for known threats or unauthorized traffic, and then re-encryption prior to forwarding to the intended recipient.
While SSL inspection adds security by screening for threats attempting to bypass protections by riding on encrypted traffic, the resultant tradeoff is a decrease in throughput speed.


With continued movement toward mobile and BYOD practices, integrated user authentication takes on increased importance.
With the sophistication of advanced and evolving threats, use of two-factor, or strong, authentication has become more prevalent.
In addition to capabilities previously discussed as extensions to NGFW security measures, a number of strong authentication factors may also be enabled:
- Hardware, software, email, and Short Message Service (SMS) tokens.
- Integration with Lightweight Directory Access Protocol (LDAP), Active Directory (AD), and RADIUS authentication.
- End user self-service.
- Certificate Authority.
- Single sign-on throughout the network.
(NOTE FIGURE ON SLIDE OF EXTENDED NGFW CAPABILITIES)

The Application Control feature of extended NGFW serves to:
- Identify network users.
- Monitor applications employed by those users.
- Block applications representing a risk to the organization.

However, this differs from how the Advanced Threat Protection (ATP) Web Filtering function operates:
- Application Control: actual content
- Web Filtering: type of content (categorization)
(NOTE FIGURE ON SLIDE OF WEB FILTERING CONTROL PANEL)


Added capabilities beyond the basic NGFW definition were clearly needed to address advanced and emerging future threats.
Particularly, enterprise network security infrastructures needed ways to protect against evolving classes of highly targeted and tailored attacks designed to bypass common defense measures.
These capabilities that extend those included in the NGFW construct include:
Anti-virus/malware. Responsible for detecting, removing, and reporting on malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection ensures that malicious threats hidden within legitimate application content are identified and removed from data streams before they can cause damage. Using AV/AM protection at client servers/devices adds an additional layer of security.
Anti-botnet. Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other coordinated network attacks. Organizations may prevent, uncover, and block botnet activities using anti-bot traffic pattern detection and IP regulation services supplied in real time.
Web filtering. Function that allows or blocks Web traffic based on type of content, commonly defined by categories. Web filtering protects endpoints, networks, and sensitive information against Web-based threats by preventing users from accessing known phishing sites and sources of malware.


Code emulation. Allows testing of unknown or potentially malicious traffic in a virtual environment by emulating the actual environment to which the traffic was addressed.
Sandboxing. Isolating unknown or potentially malicious code to fully execute all functions before allowing the traffic to download into the network. If malicious activity is discovered, Advanced Threat Protection (ATP) can block it.

Sandboxes? Is this Back to the Future? Aren't sandboxes old technology?
Well, the answer is, simply, yes!
Sandboxes were initially developed to safely examine executable files prior to permitting them access to a system or network.
Now sandboxes run application data into which malicious code may be embedded, such as Adobe Reader, JavaScript, or others that may infect operating systems.
Modern sandboxes help detect and identify new threats, including old legacy threats in new veneers, by emulating endpoint device environments to analyze potential threat behaviors.
In this way, relatively unknown malware and APTs may be detected, identified, cataloged, and the firewall directed to block the threat.


The illustrated concept of this extended capability is known as Advanced Threat Protection (ATP), and incorporates sandboxing.

By integrating these extended features, ATP provides enhanced network security by providing additional protections against evolving threats, including:
Dual-level sandboxing. Code examination in simulated and virtual environments to detect previously unidentified threats.
Detailed reporting. Reporting on system, process, file, & network behavior, including risk assessments.
Secure Web Gateway (SWG). By adding web filtering, botnet, and call-back detection, preventing communications with malicious sites.
Options:
- Share identified threat information and receive updated in-line protections.
- Integrate with other systems to simplify network security deployment.


NGFW brings a unique combination of hardware- and software-related segmentation capabilities to allow isolation of critical network sections, such as data centers.

Two perspectives on deployment of NGFW include:
- Edge vs. Core: Where in the network infrastructure to place the NGFW apparatus.
- Current vs. Extended NGFW: What capabilities are needed, or desired, for the network being protected?

Likewise, two inspection options may be considered when deploying NGFW: flow-based and proxy-based inspection, each with its own benefits and tradeoffs, again depending on the type and desired level of protection and performance for which the network is being configured.
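The added Python example below (not part of the course notes) contrasts the two inspection modes on a constructed download split into packets: the flow-based inspector scans each packet as it passes and forwards it immediately, so it must carry over a tail of the previous packet to catch a pattern that straddles a boundary, while the proxy-based inspector buffers the whole object before scanning and releases nothing until it has a verdict. The signature string and packet contents are constructed, not real malware.

```python
# Constructed sample: a known-bad byte pattern and one download split into
# packets so that the pattern straddles a packet boundary. Not real malware.
SIGNATURE = b"EVIL-MARKER"
PACKETS = [
    b"GET /report.pdf HTTP/1.1 ... %PDF-1.7 ",
    b"stream data ... EVIL-MA",
    b"RKER more stream data",
    b"%%EOF",
]

def proxy_inspect(packets, signature=SIGNATURE):
    """Proxy-based mode: hold the client, buffer the whole object, scan once,
    then release or block. Returns (verdict, bytes_buffered, packets_forwarded)."""
    buffered = b"".join(packets)
    verdict = "block" if signature in buffered else "allow"
    return verdict, len(buffered), 0  # nothing reaches the client before the verdict

def flow_inspect(packets, signature=SIGNATURE, carry_over=True):
    """Flow-based mode: scan each packet as it passes and forward it at once.
    Keeping the last len(signature)-1 bytes of the previous window is what lets a
    pattern split across packets be seen; carry_over=False shows the miss.
    Returns (verdict, peak_bytes_buffered, packets_forwarded_before_verdict)."""
    forwarded, carry, peak = 0, b"", 0
    for pkt in packets:
        window = carry + pkt
        peak = max(peak, len(window))
        if signature in window:
            return "block", peak, forwarded
        forwarded += 1  # already on its way to the client
        carry = window[-(len(signature) - 1):] if carry_over else b""
    return "allow", peak, forwarded
```

The returned tuples make the tradeoff visible: proxy mode buffers the full object and forwards nothing before deciding, while flow mode keeps only a small window but has already forwarded two packets by the time it blocks, and without carry-over it misses the split pattern entirely.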


Edge vs. Core: Where in the network infrastructure to place the NGFW apparatus.
Deploying NGFW as an EDGE network firewall provides controls while optimizing protection of critical infrastructure.

Current vs. Extended NGFW: What capabilities are needed, or desired, for the network being protected?
A consideration whether to deploy extended NGFW capabilities depends on the nature of what functions will be accomplished both internally and external to the network. In particular, with movement to more cloud-based and web applications, the benefits of extended NGFW may be best suited
NOTE: The illustration shows that Extended NGFW incorporates the capabilities of current NGFW plus enhanced features that make it more capable against modern and emerging threats.


The chart below illustrates the specific details that affect operation of NGFW in flow-based vs. proxy-based inspection modes:


The key points you should take away from this module are:
- The difference between traditional firewalls and NGFW, and why that is important.
- What features comprise today's NGFW.
- What evolving extended features provide to NGFW.
- What key considerations (benefits and trade-offs) come with deploying NGFW.

The concept of Next Generation Firewalls developed to address evolving threats as technology itself evolved. With the rapid rise of technology integration, portability, and BYOD models in business, education, and other environments, combined with more widespread ability for hackers from novices to experts to develop malicious code, a system deriving from the initial premise of NGFW needed to develop for the future.
Because of these capabilities and the flexibility to proactively address modern and developing threat environments across networks of varying sizes, NGFW will be the standard in network firewall protection at least through 2020.


Now that we have discussed some of the Next Generation Firewall (NGFW) components, methods of deployment, and resulting benefits & tradeoffs, are there any questions before moving into the next module?

Module 3 introduces an integrated and forward-adaptable concept called Unified Threat Management.
