Just because you're paranoid that hackers are trying to steal your data doesn't mean they're not really out to get you!
Trends in information technology development and employment over the last 15 years have led to the need to rethink the methodology behind modern network security. To enhance the challenge, these trends occurred simultaneously in major industry, all levels of business, and personal consumer environments.
The consumerization of IT has resulted in IT-enabled devices, such as smartphones, digital music and video players, recorders, cameras, and others, becoming so commonplace in the market that their lower pricing resulted in an explosion of individual consumers acquiring technology-enabled devices for personal use. This extends beyond the obvious devices listed above. IT-enabled devices now include such appliances as refrigerator/freezers, home security systems, personal home networks that include WiFi-enabled televisions, stereos, and even the automated smart house. In other words, what we have to be mindful of today is the Internet of Things (IoT) when we acquire devices and appliances.
Because consumers have embraced technology devices for both communication and information sharing, the Social Media enterprise has been embraced at the business level as a way to reach consumer markets and supplement Web and traditional marketing and communication pathways. With so many applications, especially social media, being cloud based, the challenge of network security expands beneath the surface of traffic and into substance. With the proliferation of inexpensive, technology-enabled devices interacting with business networks, including both external users and those using personal devices for work purposes (Bring Your Own Device, BYOD), the question becomes one of how to provide security, network visibility, control, and user visibility simultaneously without an exponential increase in required resources.
The primary benefit of NGFW is visibility and control of traffic entering the firewall ports. In legacy firewalls, ports were opened and closed, or protocols allowed or disallowed, without consideration beyond basic characteristics. With NGFW, administrators are provided finer granularity that gives deeper insight into the traffic attempting to access the network. This includes visibility of users and devices, as well as the ability to allow or limit access based on specific applications and content rather than accepting or rejecting any traffic using a particular transmission protocol. This is the primary difference that separates traditional and next generation firewalls (NGFW). NGFW provides enhancements in both complex security protection and administrator control simplicity over traditional firewalls.
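To make the port-versus-application distinction concrete, here is an added example (not code from the module or from any firewall vendor) that evaluates the same set of constructed session records under a legacy port/protocol policy and under an application-, user- and content-aware policy. The field names, rule set and sample sessions are all assumptions made for the illustration; a real NGFW derives the user, device and application fields from directory integration and traffic classification rather than receiving them as labels.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Flow:
    """One session as the firewall sees it. Constructed fields for this example."""
    user: str        # identity the NGFW resolved for the session (e.g. directory lookup)
    device: str      # "managed" or "byod"
    proto: str       # "tcp" or "udp"
    dst_port: int
    app: str         # application identified from the traffic itself, not from the port
    content: str     # coarse content type observed inside the session

# Legacy, port/protocol-only policy: anything on an open port is accepted.
LEGACY_OPEN_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 53)}

def legacy_decide(flow: Flow) -> str:
    return "allow" if (flow.proto, flow.dst_port) in LEGACY_OPEN_PORTS else "deny"

# NGFW policy: ordered rules over user, device, application and content.
# First match wins; anything unmatched is denied.
NGFW_RULES: list[tuple[str, Callable[[Flow], bool], str]] = [
    ("deny peer-to-peer file sharing on any port",
     lambda f: f.app == "p2p-filesharing", "deny"),
    ("BYOD: web apps only, no executable downloads",
     lambda f: f.device == "byod"
     and f.app in {"web-browsing", "webmail"}
     and f.content != "executable", "allow"),
    ("managed devices: web, DNS and approved SaaS",
     lambda f: f.device == "managed"
     and f.app in {"web-browsing", "webmail", "dns", "approved-saas"}, "allow"),
]

def ngfw_decide(flow: Flow) -> tuple[str, str]:
    for reason, matches, action in NGFW_RULES:
        if matches(flow):
            return action, reason
    return "deny", "implicit default deny"

# Constructed sample sessions: same port 443 carries very different things.
SAMPLE_FLOWS = [
    Flow("alice", "managed", "tcp", 443, "web-browsing", "html"),
    Flow("bob", "byod", "tcp", 443, "p2p-filesharing", "binary"),
    Flow("carol", "byod", "tcp", 443, "web-browsing", "executable"),
    Flow("dave", "managed", "tcp", 8443, "approved-saas", "json"),
]

def compare(flows: list[Flow] = SAMPLE_FLOWS) -> list[dict]:
    """Side-by-side decisions so the difference in granularity is visible."""
    rows = []
    for f in flows:
        action, reason = ngfw_decide(f)
        rows.append({"user": f.user, "port": f.dst_port, "app": f.app,
                     "legacy": legacy_decide(f), "ngfw": action, "reason": reason})
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The legacy policy lets bob's file-sharing session and carol's executable download through because both ride on port 443, while it denies dave's approved SaaS traffic only because it uses a non-standard port. The application-aware policy reverses all three decisions and, because each decision carries a rule name, also explains why.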
(NOTE FIGURE ON SLIDE: two diagrams. Edge Firewall: Gatekeeper, Complex Architecture, Complex Control. NGFW: Gatekeeper, Integrated Architecture, Simplified Control.)
These diagrams better illustrate the visibility and control capability provided when NGFW is integrated into the network security architecture. Note that the ports are identified with traffic flowing through them as well as specific information about the user sending the traffic, traffic origin, and the type (content) of traffic being received. This information goes beyond the basic link level and brings security into OSI levels 3 & 4 (application security capability).
The concept of Next Generation Firewall (NGFW) was first mentioned in Gartner's 2004 paper titled "Next-Generation Firewalls Will Include Intrusion Protection." The focus of that effort was including technologies such as Deep Packet Inspection (DPI), Intrusion Prevention System (IPS), and general application inspection capabilities in order to:
- Stop threats like worms and viruses
- Extend protection to the application layer to stop packets with malicious payloads
The NGFW concept emerged over a five-year period from its original definition by Gartner in 2004.
- (2004): Firewall with integrated IPS coupled with Deep-Packet Inspection (DPI) and general Application-Inspection capabilities.
- (2008): Redefined as security devices including an enterprise-level firewall with integrated IPS or DPI, Application Identification, and extra-firewall intelligence (such as Web Content Filtering).
- (2009): New definition published, defining NGFW as including VPN, integrated IPS operability with firewall components, application awareness, and Extra-firewall+ intelligence.
As their names would suggest, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) accomplish different tasks. Stand-alone IDS only detects and identifies potential threats, but does not take action against the identified threats. IPS, on the other hand, takes action against threats, preventing them from exploiting system vulnerabilities; however, the purpose of IPS is to react to detected threats. The best defense system is an integrated IDS/IPS system, such as those incorporated in some NGFW (such as the FortiGate line of NGFW appliances and UTM systems), in order to both detect and prevent threats from intruding on and exploiting protected networks.
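The detect-only versus detect-and-act distinction is easy to show in code. The following is an added example, not code from the module or from any vendor's IDS/IPS: a tiny signature engine that runs the same constructed packets in "ids" mode (report and forward everything) and in "ips" mode (report and drop matches inline). The two signatures and the sample packets are constructed for the illustration; real engines carry large vendor-maintained rule sets and inspect reassembled streams rather than single packets.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern

# Constructed signature set for the example.
SIGNATURES = [
    Signature(1001, "HTTP request containing a directory traversal sequence",
              re.compile(rb"\.\./\.\./")),
    Signature(1002, "constructed test-worm marker",
              re.compile(rb"TESTWORM-MARKER")),
]

@dataclass(frozen=True)
class Verdict:
    forwarded: bool            # did the packet continue to its destination?
    alerts: tuple[str, ...]    # what the engine reported about it

class InspectionEngine:
    """'ids': report matches, forward everything. 'ips': report matches, drop them inline."""

    def __init__(self, mode: str):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.alert_log: list[str] = []

    def inspect(self, packet: bytes) -> Verdict:
        hits = tuple(f"sid={s.sid} {s.name}"
                     for s in SIGNATURES if s.pattern.search(packet))
        self.alert_log.extend(hits)                        # both modes record what they saw
        if hits and self.mode == "ips":
            return Verdict(forwarded=False, alerts=hits)   # prevention: drop inline
        return Verdict(forwarded=True, alerts=hits)        # detection only: pass through

# Constructed sample traffic: one clean request and two that match a signature.
SAMPLE_PACKETS = [
    b"GET /images/logo.png HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /static/../../config.ini HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"DATA TESTWORM-MARKER followed by an arbitrary payload",
]

def run(mode: str, packets: list[bytes] = SAMPLE_PACKETS) -> dict:
    """Summarise how many packets each mode forwarded, dropped and alerted on."""
    engine = InspectionEngine(mode)
    verdicts = [engine.inspect(p) for p in packets]
    return {"mode": mode,
            "forwarded": sum(v.forwarded for v in verdicts),
            "dropped": sum(not v.forwarded for v in verdicts),
            "alerts": len(engine.alert_log)}

if __name__ == "__main__":
    print(run("ids"))
    print(run("ips"))
```

Both modes produce the same two alerts; only the IPS mode changes what reaches the protected host. That is also why an inline IPS needs tuning before it is switched from monitor to block: a false-positive signature in IDS mode costs an analyst some time, whereas in IPS mode it drops legitimate traffic.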
Another function of NGFW is providing Secure Socket Layer (SSL) encrypted traffic inspection. SSL inspection allows for decryption of SSL traffic, inspection of the contained data for known threats or unauthorized traffic, and re-encryption prior to forwarding to the intended recipient. While SSL inspection adds security by screening for threats attempting to bypass protections by riding on encrypted traffic, the resultant tradeoff is a decrease in throughput speed.
With continued movement toward mobile and BYOD practices, integrated user authentication takes on increased importance. With the sophistication of advanced and evolving threats, use of two-factor or strong authentication has become more prevalent. In addition to capabilities previously discussed as extensions to NGFW security measures, a number of strong authentication factors may also be enabled:
- Hardware, software, email, and Short Message Service (SMS) tokens.
- Integration with Lightweight Directory Access Protocol (LDAP), Active Directory (AD), and RADIUS authentication.
- End user self-service.
- Certificate Authority.
- Single sign on throughout the network.
(NOTE FIGURE ON SLIDE OF EXTENDED NGFW CAPABILITIES)
The Application Control feature of extended NGFW serves to:
- Identify network users.
- Monitor applications employed by those users.
- Block applications representing a risk to the organization.
However, this differs from how the Advanced Threat Protection (ATP) Web Filtering function operates:
- Application Control: Actual Content
- Web Filtering: Type of Content (Categorization)
(NOTE FIGURE ON SLIDE OF WEB FILTERING CONTROL PANEL)
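The "actual content" versus "type of content" contrast above can be shown with two small decision functions. This is an added example, not code from the module or from any vendor's product: Web Filtering decides from the category assigned to the destination host, while Application Control decides from what the request itself contains, regardless of host or port. The category table, the application signatures, the example.com hostnames and the sample requests are all constructed for the illustration.

```python
from __future__ import annotations
import re

# Constructed category database, a stand-in for a vendor's URL categorization service.
URL_CATEGORIES = {
    "news.example.com": "news",
    "social.example.com": "social-media",
    "casino.example.com": "gambling",
    "cdn.example.com": "content-delivery",
}
BLOCKED_CATEGORIES = {"gambling", "malware", "phishing"}

# Constructed application signatures, matched against the request content itself.
# Order matters: the more specific patterns come before generic web browsing.
APP_SIGNATURES = [
    ("torrent-client", re.compile(rb"^GET /announce\?info_hash=", re.M)),
    ("file-upload", re.compile(rb"^Content-Type: multipart/form-data", re.M | re.I)),
    ("web-browsing", re.compile(rb"^(GET|POST) \S+ HTTP/1\.[01]", re.M)),
]
BLOCKED_APPS = {"torrent-client", "file-upload"}

def web_filter(host: str) -> tuple[str, str]:
    """Type-of-content decision: look up the destination's category."""
    category = URL_CATEGORIES.get(host, "uncategorized")
    return ("block" if category in BLOCKED_CATEGORIES else "allow", category)

def app_control(request: bytes) -> tuple[str, str]:
    """Actual-content decision: identify the application from the request bytes."""
    for app, pattern in APP_SIGNATURES:
        if pattern.search(request):
            return ("block" if app in BLOCKED_APPS else "allow", app)
    return ("allow", "unknown")

def enforce(host: str, request: bytes) -> dict:
    """Both features run; a block from either one is final."""
    wf_action, category = web_filter(host)
    ac_action, app = app_control(request)
    return {"host": host, "category": category, "web_filter": wf_action,
            "app": app, "app_control": ac_action,
            "final": "block" if "block" in (wf_action, ac_action) else "allow"}

# Constructed sample requests (host as seen by the firewall, raw HTTP bytes).
SAMPLE_REQUESTS = [
    ("news.example.com",
     b"GET /index.html HTTP/1.1\r\nHost: news.example.com\r\n\r\n"),
    ("casino.example.com",
     b"GET /index.html HTTP/1.1\r\nHost: casino.example.com\r\n\r\n"),
    ("social.example.com",
     b"POST /upload HTTP/1.1\r\nHost: social.example.com\r\n"
     b"Content-Type: multipart/form-data; boundary=abc\r\n\r\n--abc\r\n"),
    ("cdn.example.com",
     b"GET /announce?info_hash=abc HTTP/1.1\r\nHost: cdn.example.com\r\n\r\n"),
]

def audit(requests=SAMPLE_REQUESTS) -> list[dict]:
    return [enforce(host, raw) for host, raw in requests]

if __name__ == "__main__":
    for row in audit():
        print(row)
```

The second request is stopped by Web Filtering alone (gambling category). The third and fourth pass Web Filtering, because social media and content-delivery hosts are permitted categories, but Application Control blocks them after recognising a file upload and a torrent tracker request in the content. Categorization answers "what kind of site is this?"; Application Control answers "what is this session actually doing?".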
Added capabilities beyond the basic NGFW definition were clearly needed to address advanced and emerging future threats. Particularly, enterprise network security infrastructures needed ways to protect against evolving classes of highly targeted and tailored attacks designed to bypass common defense measures. These capabilities that extend those included in the NGFW construct include:
- Anti-virus/malware. Responsible for detecting, removing, and reporting on malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection ensures that malicious threats hidden within legitimate application content are identified and removed from data streams before they can cause damage. Using AV/AM protection at client servers/devices adds an additional layer of security.
- Anti-botnet. Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other coordinated network attacks. Organizations may prevent, uncover, and block botnet activities using Anti-Bot traffic pattern detection and IP regulation services supplied in real time.
- Web filtering. Function that allows or blocks Web traffic based on type of content, commonly defined by categories. Web filtering protects endpoints, networks and sensitive information against Web-based threats by preventing users from accessing known phishing sites and sources of malware.
Edge vs. Core: Where in the network infrastructure to place the NGFW apparatus. Deploying NGFW as an EDGE network firewall provides controls while optimizing protection of critical infrastructure.
Current vs. Extended NGFW: What capabilities are needed, or desired, for the network being protected? A consideration whether to deploy extended NGFW capabilities depends on the nature of what functions will be accomplished both internally and external to the network. In particular, with movement to more cloud-based and web applications, the benefits of extended NGFW may be best suited
NOTE: The illustration shows that Extended NGFW incorporates the capabilities of current NGFW plus enhanced features that make it more capable against modern and emerging threats.
The chart below illustrates the specific details that affect operation of NGFW in Flow-based vs. Proxy-based inspection modes:
The key points you should take away from this module are:
- The difference between Traditional Firewalls and NGFW, and why that is important.
- What features comprise today's NGFW.
- What evolving extended features provide to NGFW.
- What key considerations (benefits and trade-offs) come with deploying NGFW.
The concept of Next Generation Firewalls developed to address evolving threats as technology itself evolved. With the rapid rise of technology integration, portability and BYOD models in business, education, and other environments, combined with more widespread ability for hackers from novices to experts to develop malicious code, a system deriving from the initial premise of NGFW needed to develop for the future. Because of these capabilities and the flexibility to proactively address modern and developing threat environments across networks of varying sizes, NGFW will be the standard in network firewall protection at least through 2020.
Now that we have discussed some aspects of Next Generation Firewalls (NGFW), their components, methods of deployment, and resulting benefits & tradeoffs, are there any questions before moving into the next module?