[Dr. WoW Season 2] [No 1] Next-Generation Firewall

Latest reply: May 19, 2018 01:29:44

Learn Firewalls with Dr. WoW Season 2 is back. In this season, Dr. WoW talks about NGFWs. But what are NGFWs? Follow Dr. WoW to find out.

What Are NGFWs?

NGFW is short for Next-Generation Firewall. NGFWs are a security concept and product model backed by many security vendors, and they represent the direction in which firewalls are developing. Gartner, a research and advisory firm, put forward the NGFW concept in 2007. In 2009, Gartner released an official publication defining the next-generation firewall as "a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks." According to Gartner, an NGFW must provide the following four capabilities.

1. Traditional firewall functions
An NGFW replaces the traditional firewall in the new environment, so it must retain all traditional firewall functions, including packet filtering, stateful inspection, NAT, and VPN.

2. IPS and firewall integration
An NGFW must support IPS and integrate it seamlessly with the firewall functions, so that 1 + 1 > 2. Gartner specifically emphasizes that the IPS and the firewall should be integrated rather than merely interworking. For example, when the IPS detects malicious traffic, the firewall should automatically generate and apply a security policy against it without manual involvement; a firewall with an integrated IPS is in this sense more intelligent. The NGFW and IPS markets are converging, particularly at the enterprise boundary, where NGFWs are replacing standalone IPS products.

3. Application awareness and full-stack visibility
Application awareness, fine-grained security policies based on applications, and hierarchical bandwidth control are the most important capabilities introduced by NGFWs. Traditional stateful inspection firewalls work at Layer 2 through Layer 4 and do not inspect packet payloads. NGFWs inspect up to Layer 7, providing visibility into and control over the applications on the network.

4. Capability to incorporate information from outside the firewall to enhance management and control
NGFWs can use user, location, vulnerability, and network resource information held by other IT systems to improve and optimize security policies. For example, because an employee's IP address changes as they move around in mobile working scenarios, an NGFW can integrate with a user authentication system and enforce security policies based on users instead of IP addresses.

Why Do We Need NGFWs?

In the traditional firewall era, the Internet was still young and was used mainly for static web browsing, email, and FTP downloads, that is, for information sharing. The boundary between applications used for work and those used for play was clear. Network traffic was generated mainly by store-and-forward applications, and applications, port numbers, and protocols mapped clearly onto one another, so ports and protocols were the primary objects of control: firewalls filtered network traffic by port.

Then new applications, such as IM, P2P, VoIP, games, and video, emerged one after another, and Apple's devices accelerated the arrival of the mobile Internet era. Now the Internet is part of everything in our lives and has become a necessity.
The Internet enriches people's lives and improves their work efficiency. However, networks are borderless, so work and life are not easy to separate. If employees play computer games, watch online videos, or chat with friends during working hours, it is more than just a productivity issue: bandwidth abuse, sensitive information leaks, and application-specific attacks may also occur. Just as every beautiful city may have an unsightly area, mobile Internet and social networking applications have their vulnerabilities.
A network may carry instant messaging, teleconferencing, streaming media, file sharing, online storage, VoIP, P2P, gaming, and entertainment applications. To guarantee bandwidth for normal services, enterprises must be able to tell legitimate applications from risky and bandwidth-exhausting ones, block social media and entertainment applications, and eliminate the potential threats. All of these tasks fall on the shoulders of the firewall.
The protocol identification technology of traditional firewalls inspects only the 5-tuple of a packet and identifies the application by the TCP/UDP port number. This is called port identification. Port identification is highly efficient, but its applicability is waning as the Internet is used in new ways: many new applications use a variety of port-hiding techniques to evade detection.
The most common technique is to use a non-standard port, for example running HTTP on port 8000, Skype on port 80, or an FTP service on port 2121. Applications therefore cannot be identified by port alone. Some applications even use random ports or transmit only ciphertext, and port identification clearly cannot identify these protocols at all.
It is also common for one protocol, especially a standard one, to be used by many applications, because developers usually build their software on standard protocols. HTTP is the typical example: with the rise of Web 2.0, enterprise IT systems have become increasingly web-based, and HTTP is used by more and more applications in almost every Internet application domain. Likewise, there are plenty of download applications built on P2P protocols. Protocol identification results therefore cannot be used directly for application control without causing collateral damage.
Conversely, a single application can communicate over multiple protocols. Thunder, for example, uses HTTP, BT, ED2K, FTP, and its own proprietary protocols. All of them are used to download files, although they fetch different kinds of resources, so application identification must inspect the traffic of every related protocol.

Complex relationships between traffic, applications, and ports make applications hard to identify. Enterprises urgently need visibility into their traffic in order to enforce control policies on applications, and this is the job NGFWs are designed for.
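The following is an added example, not code from the original post or from any Huawei product, that puts two of the ideas above into running form: port identification versus payload-signature application identification (the HTTP-on-8000, FTP-on-2121, random-port and non-HTTP-on-80 cases), and, from Gartner's fourth requirement, a policy keyed on the authenticated user rather than the IP address. The flows, signatures, user-session table and rules are all constructed for the illustration; real NGFW signature sets are far larger and also use behavioural and statistical features.

```python
"""Added example (not from the original post or any vendor's product):
port identification vs. Layer 7 application identification, then a policy
keyed on (user, application) instead of (IP address, port).
Every flow, signature, session and rule here is constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str       # "tcp" or "udp"
    payload: bytes   # first application-layer bytes seen on the flow


# --- 1. Port identification: the traditional-firewall approach --------------
WELL_KNOWN_PORTS = {21: "ftp", 80: "http", 443: "https", 6881: "bittorrent"}


def identify_by_port(flow: Flow) -> str:
    """Classify purely from the destination port; the payload is never read."""
    return WELL_KNOWN_PORTS.get(flow.dst_port, "unknown")


# --- 2. Application identification: inspect the Layer 7 payload -------------
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
FTP_BANNER = re.compile(rb"^220[ -].*FTP", re.IGNORECASE)   # simplified FTP greeting


def is_tls_client_hello(p: bytes) -> bool:
    # TLS record: type 0x16 (handshake), version 0x03 0x01..0x03,
    # followed by a handshake header whose type byte is 0x01 (ClientHello).
    return len(p) > 5 and p[0] == 0x16 and p[1] == 0x03 and p[2] in (1, 2, 3) and p[5] == 0x01


SIGNATURES = [
    ("http", lambda p: HTTP_REQUEST.match(p) is not None),
    ("ftp", lambda p: FTP_BANNER.match(p) is not None),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("tls", is_tls_client_hello),
]


def identify_by_signature(flow: Flow) -> str:
    """Classify from payload content; the port number is ignored entirely."""
    for app, matches in SIGNATURES:
        if matches(flow.payload):
            return app
    return "unknown"   # opaque data on a random port still defeats a signature set


# --- 3. User-aware policy: identity comes from the auth system, not the IP --
# Constructed IP-to-user table as an authentication system would publish it;
# alice appears twice because her address changed while roaming.
AUTH_SESSIONS = {"10.0.0.5": "alice", "10.0.0.9": "alice", "10.0.0.7": "bob"}

# Rules are (user or "*", application or "*", action); first match wins.
POLICY = [
    ("alice", "http", "permit"),
    ("*", "bittorrent", "deny"),
    ("*", "tls", "permit"),
    ("*", "*", "deny"),
]


def evaluate(flow: Flow) -> Tuple[str, str, str]:
    """Return (user, application, action) for one flow."""
    user = AUTH_SESSIONS.get(flow.src_ip, "unauthenticated")
    app = identify_by_signature(flow)
    for rule_user, rule_app, action in POLICY:
        if rule_user in ("*", user) and rule_app in ("*", app):
            return user, app, action
    return user, app, "deny"


# --- Constructed sample traffic ---------------------------------------------
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + b"-XX0001-" + b"0" * 12
TLS_HELLO = bytes.fromhex("16030100a5010000a10303") + bytes(32)   # truncated ClientHello

SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 51000, 8000, "tcp", HTTP_GET),     # HTTP on 8000
    Flow("10.0.0.9", "203.0.113.10", 51001, 8000, "tcp", HTTP_GET),     # same user, new IP
    Flow("10.0.0.7", "198.51.100.20", 51002, 2121, "tcp", b"220 ProFTPD Server ready.\r\n"),
    Flow("10.0.0.7", "198.51.100.21", 51003, 49152, "tcp", BT_HANDSHAKE),  # random port
    Flow("10.0.0.7", "198.51.100.21", 51004, 80, "tcp", BT_HANDSHAKE),     # P2P hiding on 80
    Flow("10.0.0.5", "198.51.100.22", 51005, 80, "tcp", TLS_HELLO),        # ciphertext on 80
]


def compare() -> List[Tuple[int, str, str, str, str]]:
    """(dst_port, by_port, by_signature, user, action) for each sample flow."""
    rows = []
    for f in SAMPLE_FLOWS:
        user, app, action = evaluate(f)
        rows.append((f.dst_port, identify_by_port(f), app, user, action))
    return rows


if __name__ == "__main__":
    for row in compare():
        print("dst_port=%-5d port-id=%-10s app-id=%-10s user=%-8s action=%s" % row)
```

Port identification labels five of the six flows wrongly (four "unknown", and both flows on port 80 as "http"), while the signature pass recovers the real application, so the BitTorrent session hiding on port 80 is denied and the TLS session on port 80 is not mistaken for web browsing. The two HTTP flows from alice receive the same verdict although her IP address changed, because the rule is written against the user, not the address.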



This post was last edited by dr.wow at 2018-04-10 02:34.
Reply by Admin, Apr 10, 2018 06:03:20:
Come on!

Reply by j84068257, Apr 11, 2018 19:08:12:
Can't wait for No. 2! THX Dr. WoW

Reply, Apr 17, 2018 05:56:54:
Posted by j84068257 at 2018-04-11 19:08: Can't wait for No. 2! THX Dr. WoW
No. 2 has been released. For details, click http://forum.huawei.com/enterprise/en/thread-446909.html.

Reply, May 19, 2018 01:29:44: (no text content)

