The Evolution of the Firewall, Why You Need a Next Generation Firewall

By - July 30, 2013

As security threats continue to evolve, we must ensure our defense strategies are keeping pace.  One important element of most defense strategies has been the Internet border firewall.  Firewalls are an excellent example of a continually changing technology attempting to keep the latest threats at bay.  Early firewalls limited their decision to permit or deny traffic to the attributes of TCP/IP headers: source IP address, source port, destination IP address and destination port.  Stateful packet inspection was soon added, which allowed the firewall to track session information and permit or deny packets based on the rules defined by TCP.  Some manufacturers began offering subscription services for their devices that would block known malware sites – again using source and destination IP addresses as the deciding attribute.

While this may seem advanced, an analogy between packet inspection and package inspection may put things in a better perspective.  Consider package handling and inspection by US Customs.  Imagine the risk if packages and containers entering US borders were never opened for inspection and were permitted based only on the address and return address.  Stateful firewalls, while effective, lacked the ability to “open” the package (packet) and determine if the contents were truly safe to pass.

The current generation of firewall technology is aptly called Next-Generation Firewalls (NGFW).  What makes a firewall Next-Generation?  Gartner defines NGFWs as follows:

“Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall. An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS), which includes a commodity or non-enterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated.”

That said, to be considered Next Generation, a firewall, in addition to stateful inspection, must provide:

  • Application-level inspection
  • Intrusion prevention
  • Regular updates to signatures/attack databases

Application-level inspection analyzes the stream of data rather than each individual packet.  By analyzing the stream of data for a particular session, it is possible to detect and block peculiarities that may be embedded within the stream.  For example, malware embedded within an HTTP stream can be detected and blocked with application-level inspection.  By comparison, a stateful firewall would have allowed the packets, since it only considers the network- and transport-layer headers (addresses and ports), not the reassembled content.  In addition, application awareness allows NGFWs to provide granular access to applications instead of simply blocking all access.  For example, NGFWs may be configured to allow access to social media sites for general use but block access to games within those same sites.
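The difference between per-packet and stream-level inspection can be shown with a small reassembler. This is an added example, not code from the original post or from any firewall vendor: a constructed marker string stands in for a content signature, the TCP segments and HTTP response are constructed, and the reassembler assumes there are no gaps in the stream.

```python
from dataclasses import dataclass

# Constructed marker standing in for a content signature; not a real malware pattern.
SIGNATURE = b"MALWARE-SAMPLE-MARKER"

@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes

def packet_inspect(segments):
    """Per-packet check: each segment is examined in isolation, so a pattern
    that straddles a segment boundary is never seen whole."""
    return any(SIGNATURE in s.payload for s in segments)

def reassemble(segments):
    """Rebuild the application-layer byte stream from TCP segments.
    Handles out-of-order arrival and overlapping retransmissions; assumes no gaps."""
    stream = bytearray()
    nxt = None
    for s in sorted(segments, key=lambda s: s.seq):
        if nxt is None:
            nxt = s.seq
        if s.seq + len(s.payload) <= nxt:          # fully duplicated data
            continue
        stream += s.payload[max(0, nxt - s.seq):]  # drop the overlap, keep new bytes
        nxt = s.seq + len(s.payload)
    return bytes(stream)

def stream_inspect(segments):
    """NGFW-style check on the reassembled stream for the whole session."""
    return SIGNATURE in reassemble(segments)

def http_policy(host, path, allowed_hosts=("social.example",), blocked_prefixes=("/games/",)):
    """Application-aware rule: allow a site in general but deny one feature within it.
    Hostname and path prefix are hypothetical values."""
    if host not in allowed_hosts:
        return "deny"
    return "deny" if path.startswith(blocked_prefixes) else "allow"

# Constructed HTTP response: the marker is split across two segments, which
# arrive out of order, and the first segment is also retransmitted.
BODY = b"<html>text " + SIGNATURE + b" more text</html>"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + BODY
cut = RESPONSE.index(SIGNATURE) + len(SIGNATURE) // 2
SEGMENTS = [Segment(cut, RESPONSE[cut:]), Segment(0, RESPONSE[:cut]),
            Segment(0, RESPONSE[:cut])]
```

Run against `SEGMENTS`, `packet_inspect` misses the marker while `stream_inspect` finds it, and `http_policy("social.example", "/games/farm")` returns "deny" while the site's front page is allowed.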

Another aspect of application inspection is encryption.  Encryption can hide embedded malware from the application-level inspection process unless SSL inspection is an included option with the firewall.  With the rise in the number of attacks carried out over encrypted sessions, an argument could be made that NGFWs should also include a form of SSL inspection.

Intrusion prevention combines signature-based detection with behavior-based anomaly detection to identify potential threats.  An IPS can prevent attacks by identifying traffic patterns that are outside of “normal” conditions.  This is most effective in combating zero-day attacks, where fast-propagating worms may scan the network in order to infect other systems.  An IPS will typically create a baseline of “normal” day-to-day traffic flows and can be configured to block conditions that are outside of that baseline.
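The baseline approach described above, applied to the worm-scanning case, as an added example that is not part of the original post: per-source fan-out (distinct destination host/port pairs per time window) is learned from past windows, and a source whose fan-out in the current window exceeds its baseline by a margin is flagged. All flow records are constructed; addresses, thresholds and window contents are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def distinct_dsts_per_src(flows):
    """Count distinct (dst, dport) pairs each source talked to in one window."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        seen[src].add((dst, dport))
    return {src: len(d) for src, d in seen.items()}

def build_baseline(windows):
    """Per-source mean and std-dev of fan-out across the baseline windows."""
    per_src = defaultdict(list)
    for w in windows:
        for src, n in distinct_dsts_per_src(w).items():
            per_src[src].append(n)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}

def detect_scanners(baseline, window, k=3.0, floor=5):
    """Flag sources whose fan-out exceeds baseline mean + k*sigma.
    `floor` stops a tiny, stable baseline from alarming on one extra connection.
    Returns {src: (observed, threshold)} for the flagged sources."""
    alerts = {}
    for src, n in distinct_dsts_per_src(window).items():
        mu, sigma = baseline.get(src, (0.0, 0.0))
        threshold = max(mu + k * sigma, mu + floor)
        if n > threshold:
            alerts[src] = (n, round(threshold, 1))
    return alerts

# Constructed baseline: three quiet windows of ordinary client traffic.
BASELINE = [
    [("10.0.0.5", "10.0.1.10", 443), ("10.0.0.5", "10.0.1.11", 443),
     ("10.0.0.5", "10.0.1.12", 53), ("10.0.0.9", "10.0.1.10", 443)],
    [("10.0.0.5", "10.0.1.10", 443), ("10.0.0.5", "10.0.1.12", 53),
     ("10.0.0.9", "10.0.1.10", 443), ("10.0.0.9", "10.0.1.13", 80)],
    [("10.0.0.5", "10.0.1.10", 443), ("10.0.0.5", "10.0.1.11", 443),
     ("10.0.0.5", "10.0.1.12", 53), ("10.0.0.5", "10.0.1.14", 445),
     ("10.0.0.9", "10.0.1.10", 443)],
]
# Constructed current window: 10.0.0.5 suddenly reaches 40 hosts on one port
# (worm-like fan-out) while 10.0.0.9 behaves as before.
CURRENT = [("10.0.0.5", f"10.0.2.{i}", 445) for i in range(1, 41)] + \
          [("10.0.0.9", "10.0.1.10", 443), ("10.0.0.9", "10.0.1.13", 80)]
```

`detect_scanners(build_baseline(BASELINE), CURRENT)` flags only 10.0.0.5; a real IPS would feed that verdict into a block rule rather than just report it.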

While not specifically mentioned by Gartner as part of an NGFW, remote access capabilities should not be overlooked.  Most companies will deploy remote access VPN capabilities to employees and vendors using their firewall as the termination point.  It is important that these next generation features (application inspection, IPS, etc.) are tightly integrated into the remote access capabilities of the NGFW, so that VPN traffic is not exempt from inspection.

To summarize, here is a list of the Next Generation features that should be included in a firewall investment:

  • Application-level inspection
  • Intrusion prevention
  • Regular updates to signatures/attack databases
  • SSL inspection
  • VPN capabilities that integrate with IPS and application inspection

Companies today need granular control of their Internet traffic that allows business-related applications to be kept safe and prioritized while at the same time taming employees’ access to time-wasting applications or potentially dangerous sites.

For more information on this or other ways next-generation features can be integrated into your network, contact McGladrey’s technology consulting professionals at 800.274.3978 or email us. In addition, please check out our services offerings on our website.

By: Scott Hermanson, RSM LLP

Scott leads the national network and unified communication solutions team, which encompasses network cyber-defense technologies, transport systems and unified communication platforms. Prior to joining RSM in 2003, Scott worked for a software company as a senior network engineer, where he was responsible for the design and implementation of data and voice networks to support financial transactions in excess of $1 million every minute and up to 800,000 online traders. Scott also has an extensive background in network design and architecture. He has designed infrastructures to support both front- and back-office financial transactions with a variety of firms. Scott has great discipline in the field of network documentation and operational procedures. He has created web-based systems to capture network-based move, add and change requests, and a live documentation management system. He also has detailed experience in the implementation of network monitoring and management tools from a variety of vendors. In order to accommodate government regulation of financial-based networks, Scott has designed networks for five nines of availability. During his employment with a software company, the core network designed by Scott was able to switch all 800,000 users and over a dozen back-end connections to a remote recovery facility in less than three minutes. Switching services to the remote facility was performed once per month to assure clients of the business continuance plan.
