What Is Next-Generation Access?
The next-generation firewall (NGFW, often abbreviated NG Firewall) is a high-performance firewall that can comprehensively respond to application-layer threats. Through in-depth insight into the users, applications, and content in network traffic, and with a new high-performance single-pass heterogeneous parallel processing engine, an NGFW provides effective, integrated application-layer security protection, helping users conduct business safely and simplify their network security architecture.
Next-generation firewall
- Whether it can defend against attacks on server and client applications, and how its defense process works
- Whether it can be circumvented or escaped
- Whether it is stable and reliable
- Whether the solution can strengthen the inbound and outbound application strategy
- Whether the solution can strengthen the inbound and outbound identity strategy
- What its performance is [6]
- Plug and play installation
- Plug-and-play configuration allows the enterprise to upload the initial configuration of a device to a management server automatically. Remote locations connect to this management server over the Transport Layer Security (TLS) protocol. Plug and play enables rapid deployment and installation for large networks spread across different geographical locations, while avoiding the trouble of on-site access and manual configuration of the equipment. Automation also reduces the risk of errors.
- Efficient and centralized troubleshooting tools
- If an enterprise's firewall has efficient and centralized troubleshooting tools, troubleshooting need not take up much of the security team's time. Such a tool should be built into the firewall rather than bolted on later, and it should offer multiple functions that the enterprise can control from a single, central location. The ideal tool set includes extensive remote diagnostics and other diagnostic functions, as well as integrated traffic capture, network forensic analysis, session monitoring, and configuration snapshots.
- Fast and reliable remote updates
- Updates are another area where an efficient firewall can make operations easier and more efficient. Fast and reliable remote updating lets technicians roll out secure, controllable software updates across the entire network with minimal communication overhead. Managing such tasks from one central location reduces operating costs and lets setup take tens of minutes instead of hours or days. Fast and reliable updates also reduce operational risk: if a new version fails, the enterprise can use the rollback ("reverse") function to restore the previous version. In addition, companies can reliably schedule the operation outside normal business hours (or at any other time that has the least impact on the network), thereby achieving close to 100% uptime and availability.
- Task automation
- Task automation benefits more than just the upgrading of network firewalls. A network firewall should also allow administrators to automate any repetitive, resource- and time-consuming task and to schedule when it runs. This is useful not only for tasks that may affect service, but also for activities such as daily reporting. Once tasks are automated and scheduled, no manual labor is required, and administrators can balance network load against non-critical operations to ensure high availability.
- Element sharing and reuse
- Element sharing and reuse can reduce workload and risk of errors. With a high-quality next-generation firewall, administrators do not have to set configuration information for individual components or customers every time they need to change, but can reuse the same elements to manage service changes for multiple customer groups.
- Policy validation and analysis tools
- Many next-generation firewalls carry a large set of firewall rules, which complicates troubleshooting and adds unnecessary burden at the expense of performance. These rules are often duplicated, and sometimes the destination address is even lost along the way. Policy validation and analysis tools make it easy to check for and eliminate unused or duplicate rules without sacrificing security. Clearing redundant rules improves system performance, increases security, simplifies network troubleshooting, and removes unnecessary data from the database.
- Role-based administrative access control
- Not all administrators should have the same access to security components. Role-based access control allows users to define multiple administrative access rights based on the responsibilities of each administrator. The enterprise should be able to define one or more roles for each administrator and limit the components that each role applies to. The firewall's detailed control options should include strict, highly granular control over the administrator privileges involved in each element and element type, and control the level of read and write operations. [7]
- Choosing next-generation firewall features
- When picking the specific next-generation firewall features to deploy, the network and security teams should work together. A conservative approach to feature selection is appropriate for two reasons. First, the administrators responsible for network security must become proficient at operating and monitoring each new feature. Second, many functions are licensed separately and require upfront and ongoing funding to maintain.
- The most straightforward method is to choose a next-generation firewall platform that provides all the services you eventually want to deploy, but buy licenses only for the services you will use immediately. Introduce a set of services that closely matches the niche products you currently have, then slowly transition them to the next-generation firewall. Once everything is under control, you can start deploying the new features one at a time until you reach your desired end state. [8]
- URL filtering. Some firewalls can perform URL-based content filtering and site reputation analysis. Although not as powerful and distinctive as individual content filtering products (such as those from Websense, BlueCoat, or other vendors), URL filtering can add application and traffic analysis capabilities to already running intrusion detection processes.
- SSL termination and inspection. Attackers are very smart: they build malware and attack suites, and they use encrypted channels such as SSL to carry sensitive data and command-and-control traffic. Some organizations may consider this a must-have feature for next-generation firewalls, but many companies are not ready to inspect SSL, or cannot do so for privacy-related reasons.
- Malware virtual sandbox. Some newer next-generation firewall products have begun to integrate malware sandboxing and analytics into the product, which will help detect more advanced malware infections.
In addition, features such as ease of use and deployment, integration with tools and technologies in the existing environment, and user login with default devices can be considered. [9]
- If most of the data is stored in private data centers, perimeter security using next-generation firewalls (NGFW) and network access control (NAC) is an important data protection measure. The firewall prevents users outside the corporate network from accessing the data, while NAC is responsible for ensuring that users and devices have the correct data access permissions.
- On the other hand, if the data is stored in the cloud now or in the future, the overall architecture security should focus on security tools that are compatible with cloud platforms. For example, many NGFWs support virtual platform compatibility with cloud platforms. Similarly, cybersecurity measures should focus on using secure Web gateways (SWGs) and malware sandboxes to prevent data loss between networks. In addition, these tools can limit the transmission of potentially malicious software data across corporate networks, various cloud service providers, and the Internet. Many SWGs and malware sandboxes provide cloud services, so they are more suitable for businesses that store data in the cloud. [10]
- Next generation
- In 2009, a well-known consulting agency
- Next-generation firewalls need to have the following minimum attributes:
- Supports inline bump-in-the-wire (BITW) deployment without interfering with network operation.
- Can be used as
- The integrated engine packet processing flow is roughly divided into the following stages:
- Packet inbound processing phase
- The inbound stage receives the data packet and parses it at layers L2 to L4; based on the parsing result it decides whether the packet needs to enter the firewall security policy processing flow, and otherwise drops it. During this stage it is also determined whether the packet is VPN-encrypted data; if it is, the packet is decrypted before further analysis.
- Main engine processing stage
- The main engine process will roughly go through three processes: firewall policy matching and session creation, application identification, and content detection.
- Create session information
- When a data packet enters the main engine, a session lookup is performed first to see whether a session is already associated with the packet. If one exists, the packet is matched against the firewall policy already bound to that session. Otherwise a session must be created. The steps are, briefly: look up the forwarding information; then look up the NAT policy information; finally, look up the firewall policy and check whether it permits the traffic. If it is permitted, the corresponding session is established from the policy information just gathered. If it is not permitted, the packet is dropped.
- Application identification
- After the initial firewall security policy match and the creation of the corresponding session, the data packet goes through application detection and processing. If the application is one that can already be identified, the engine marks the application and proceeds directly to the next processing flow. If the application is not yet identified, an application identification sub-process performs feature matching, protocol decoding, and behavior analysis to mark the application. After the application has been marked, the corresponding application security policy is looked up. If the policy allows it, the next stage of processing is prepared; if the policy does not allow it, the packet is discarded directly.
- Content detection
- The last process in the main engine's work is content detection, which mainly performs deep protocol decoding, content parsing, pattern matching, and similar operations on the data packet to fully parse its content. The result is then matched against the corresponding content security policy, and actions such as discard, alarm, and log are carried out according to that policy.
- Outbound packet processing stage
- After the data packet passes the content detection module, it enters the outbound processing flow. First, the system looks up routing and related information, then performs QoS and IP packet fragmentation. If the data travels through a VPN tunnel, it is VPN-encrypted, and finally the data is forwarded.
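The following is an added illustration of the main-engine flow described above (session lookup and creation, application identification, content detection); it is toy code written for this page, not code from the original article or from any vendor's product. The rule tables, address ranges, signatures, and packets are all constructed, and the rule formats are assumed. It also shows the point made later about fine-grained policy: traffic on an allowed port is still dropped when the application cannot be identified, and a constructed anonymizer host pattern raises an alert without blocking.

```python
import re
from collections import namedtuple
# Constructed rule tables (assumed formats, not any vendor's policy syntax).
Packet = namedtuple("Packet", "src dst sport dport proto payload")
FW_POLICY = [  # (src prefix, dst prefix, proto, dport, action); first match wins
    ("10.0.0.", "203.0.113.", "tcp", 443, "allow"),
    ("10.0.0.", "203.0.113.", "tcp", 80, "allow"),
    ("*", "*", "*", 0, "deny"),
]
APP_SIGNATURES = {  # application identification by payload feature matching
    "http": re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]"),
    "tls": re.compile(rb"^\x16\x03[\x00-\x03]"),
}
APP_POLICY = {"http": "allow", "tls": "allow"}  # unidentified applications are denied
CONTENT_RULES = [  # (name, pattern, action) applied to every allowed packet
    ("sqli-union", re.compile(rb"union\s+select", re.I), "drop"),
    ("anonymizer-host", re.compile(rb"Host: \S*anonymizer", re.I), "alert"),
]

def _match(rule, pkt):
    src, dst, proto, dport, _ = rule
    return ((src == "*" or pkt.src.startswith(src)) and (dst == "*" or pkt.dst.startswith(dst))
            and proto in ("*", pkt.proto) and dport in (0, pkt.dport))

class Engine:
    """Toy single-pass main engine: session -> application -> content, as described above."""
    def __init__(self):
        self.sessions = {}  # 5-tuple -> {"app": identified app or None, "events": [...]}

    def process(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        sess = self.sessions.get(key)
        if sess is None:  # stage 1: firewall policy match, then session creation
            if next(r[4] for r in FW_POLICY if _match(r, pkt)) != "allow":
                return "drop:policy"
            sess = self.sessions[key] = {"app": None, "events": []}
        if sess["app"] is None and pkt.payload:  # stage 2: application identification
            sess["app"] = next((n for n, rx in APP_SIGNATURES.items() if rx.match(pkt.payload)), "unknown")
            if APP_POLICY.get(sess["app"]) != "allow":  # application policy, not just port
                del self.sessions[key]
                return "drop:app:" + sess["app"]
        for name, rx, action in CONTENT_RULES:  # stage 3: content detection
            if rx.search(pkt.payload):
                sess["events"].append((name, action))  # log / alarm record
                if action == "drop":
                    return "drop:content:" + name
        return "forward:" + (sess["app"] or "pending")

def run_demo():
    """Runs a constructed traffic sample; returns (verdict per packet, engine)."""
    eng = Engine()
    flows = [
        Packet("10.0.0.5", "203.0.113.10", 40000, 80, "tcp", b"GET / HTTP/1.1\r\nHost: www.example\r\n"),
        Packet("10.0.0.5", "203.0.113.10", 40000, 80, "tcp", b"GET /?q=1 union select 1 HTTP/1.1\r\n"),
        Packet("10.0.0.5", "203.0.113.10", 40001, 443, "tcp", b"\x16\x03\x01\x00\x05"),
        Packet("10.0.0.5", "203.0.113.10", 40002, 80, "tcp", b"HELLO custom-tunnel"),  # port 80 but not HTTP
        Packet("10.0.0.5", "203.0.113.10", 40003, 80, "tcp", b"GET / HTTP/1.1\r\nHost: proxy.anonymizer.example\r\n"),
        Packet("10.0.0.5", "198.51.100.1", 40004, 22, "tcp", b"SSH-2.0-test"),
    ]
    return [eng.process(p) for p in flows], eng
```

The second packet of the first flow reuses the existing session, so it skips policy and application lookup and is caught by content detection alone; the fourth packet is dropped by application policy even though the port policy allowed it.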
- Relationship with unified policy
- A unified policy effectively integrates security modules at different levels through one set of security policies, so that the system matches policies intelligently in the correct order and at the correct level. Its main purpose is better usability. For example, in some products HTTP inspection and URL filtering are done by a proxy module, while intrusion detection for other protocols uses a separate engine. Users must understand the dependencies between these modules and make the right purchases to obtain the functions they need; a unified policy effectively solves this problem. [1]
- Examples of next-generation firewall use include blocking and alerting on fine-grained network security policy violations, such as the use of webmail, anonymizers, peer-to-peer (P2P) applications, or remote computer control. Blocking known sources of such services by destination IP address no longer meets security requirements. A fine-grained policy requires blocking only certain types of application communication to otherwise allowed destinations, and uses redirection so that such communication cannot succeed by relying on simple blacklist rules alone. This means that even if some applications are designed to evade detection or use SSL encryption, the next-generation firewall can still recognize and block them. Another advantage of application identification is bandwidth control: for example, because useless or disallowed peer-to-peer traffic is rejected, bandwidth consumption is greatly reduced.
- Less than 1% of Internet connections are protected by next-generation firewalls. However, with the advent of next-generation networks, adoption of next-generation firewalls is already an irresistible trend. It is reasonable to believe that by the end of 2014 the proportion of connections protected by this product will rise to 35%, and at the same time 60% of buyers will be repurchasing next-generation firewalls.
- Large enterprises will gradually adopt next-generation firewalls to replace their existing firewalls as normal firewall and IPS refresh cycles arrive, or will upgrade firewalls because of increased bandwidth requirements or attacks. Many firewall and IPS vendors have upgraded their products to provide application identification and some next-generation firewall features, and many emerging companies are paying close attention to next-generation firewall capabilities. According to Gartner's research report, changes in the threat landscape and in business and IT processes have prompted network security managers to look for products with next-generation firewall capabilities in their next firewall / IPS refresh cycle. The key to success for next-generation firewall vendors is to prove that their products match the current first-generation firewall and IPS functions while also offering next-generation firewall functions, or that they have a certain price advantage.
- The Dilemma of Network Security Management in Complex Environments
- As network security requirements continue to deepen, a large number of users such as governments, financial institutions, and large enterprises have divided their networks into finer security zones and deployed next-generation firewall devices at the border of each zone. For every network manager, the continuous increase in the number of security devices undoubtedly raises management costs and can even become a burden on daily security operation and maintenance, which in turn harms network security management. In large networks, managers often need to deploy security policies and protection rules on each security device one by one, and in daily maintenance they must also upgrade devices one by one. Such repetitive tasks take a great deal of time, and the many manual operations inevitably bring the risk of misconfiguration.
- In a high-risk, high-traffic, multi-service complex network environment, the next-generation firewall devices deployed across the network work in different security zones and operate in isolation from one another. For effective security management, managers often need to monitor the operating status, traffic conditions, and threat status of each device, which is undoubtedly an inefficient and difficult task for most information departments with insufficient staff. The information monitored in this way is often poorly timed and incomplete, and so does nothing to improve the security of the network as a whole.
- Security management should be oriented toward risk rather than simply responding to security incidents, and network security follows the same direction and trend. How to foresee risks in a timely manner, and how to quickly trace the source and take response measures after a security incident, are the difficulties placed before every network manager. Experts believe that, based on big-data mining technology, managers can undoubtedly find abnormal conditions in the network more quickly, identify threats as early as possible, and take intervention measures to achieve active defense. The premise of this solution is the ability to collect and centralize data, together with intelligent analysis capabilities. [2]
- Development trends and needs
- At present, next-generation firewalls are developing very rapidly both at home and abroad. Most security vendors have released next-generation firewall products, and even some absolute leaders in the traditional firewall field are pushing next-generation firewalls. Palo Alto, the pioneer of the next-generation firewall, quickly became the leader in the enterprise firewall market in Gartner's Magic Quadrant. However, judging by actual domestic acceptance, the next-generation firewall needs more market investment to replace the traditional firewall. Huang Hai said, "It takes time and money for customers to realize that the next-generation firewall can bring changes to existing security management. In particular, the Chinese market may be more conservative than overseas, and the degree of marketization is also slightly worse. These reasons will lead to more obstacles and resistance in the implementation of the new ideas and technologies contained in next-generation firewalls."
- Huang Hai went on to say that at present, from the perspective of enterprise users' needs, the growing demand for next-generation firewalls reflects the current need of enterprise users for cost-effective basic network security functions. With the advancement of security technology and the evolution of hacker culture, when basic network security functions were discussed ten years ago, many enterprise customers thought of traditional firewalls, which can divide security domains and perform access control. But in recent years, the proliferation of applications, botnets, worms, Trojans, and APT attacks has been a wake-up call for many enterprise customers. Enterprises must deploy IPS and content-level security devices to increase the security protection and management capabilities of the entire network system. However, compared with traditional firewall equipment, professional IPS equipment is expensive, and truly upgrading the network security system costs the enterprise a great deal of money. Therefore, a more cost-effective security device is needed to resolve the contradiction between corporate customers' funding and their security needs. This is when the next-generation firewall appears. [5]