[Dr. WoW Season 2] [No 2] NGFW Functions

Released on : 2018-4-17 10:16:26   Latest reply:2018-04-23 14:37:21
dr.wow    

Major NGFW Functions

It has been six years since Gartner officially defined NGFWs, and the concept is now firmly established. Gartner defined only the mandatory NGFW capabilities, which can be summed up in four aspects: traditional firewall functions, IPS, external intelligence, and application awareness and visibility. Different security vendors understand NGFWs differently and develop NGFW products based on their existing products. As a result, the NGFWs from different vendors provide different functions.

With the development of mobility, social networking, cloud, and big data, ICT networks keep changing. To adapt to these changes, NGFWs must continually provide more capabilities, and many security vendors are now trying to redefine NGFWs.

In addition to the Gartner-defined traditional firewall functions (stateful inspection, NAT, and VPN), application awareness and control, and IPS, Huawei NGFW products also provide the following functions:

• Comprehensive threat prevention

Huawei NGFWs not only integrate firewall functions and IPS, but also provide antivirus, anti-spam, URL filtering, and data loss prevention (DLP) functions. In anti-APT scenarios, these functions help break the kill chain; we will explain this in more detail in Part 3.

• Multi-dimensional control

Traditional stateful inspection firewalls implement policy control mainly based on the 5-tuple (source and destination address, source and destination port, and protocol). In addition to application-specific control, Huawei NGFWs can also interwork with third-party authentication servers, meaning that policies can be defined based on location and terminal type. In this way, Huawei NGFWs provide comprehensive control policies.

Dimension   Supported Function                    Example
---------   -----------------------------------   ----------------
Who         Users and user groups                 John
When        Schedule                              Worktime
Where       Security zone                         Trust
            Location                              Hollywood
            Addresses and address groups          192.168.10.3
            Terminal                              Honor 6 Plus
What        Services and service groups           imap
            Applications and application groups   eMule
How         Access mode                           wireless-802.1x

• Simplified management

Capability enhancement often means an increase in management complexity. However, Huawei's innovative Smart Policy technology makes NGFWs intelligent enough to keep management simple. Security administrators can use the default templates for fast policy deployment. Huawei NGFWs give security policy tuning suggestions based on network traffic analysis results and also identify redundant and invalid security policies to help simplify policy management.
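To make the who/when/where/what/how dimensions of the table above concrete, and to show the kind of redundant policy that the Smart Policy tuning just described would flag, here is an added Python example that is not Huawei code or code from the original post. It matches a flow against multi-dimensional rules (first match wins) and reports rules shadowed by an earlier rule; the rule names, field names and sample policy set are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example, not Huawei code: a rule carries the who/when/where/
# what/how dimensions from the table above; None means "any" (a wildcard).
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "permit" or "deny"
    user: Optional[str] = None         # who
    schedule: Optional[str] = None     # when
    src_zone: Optional[str] = None     # where
    location: Optional[str] = None
    src_ip: Optional[str] = None
    terminal: Optional[str] = None
    service: Optional[str] = None      # what
    application: Optional[str] = None
    access_mode: Optional[str] = None  # how

DIMS = ("user", "schedule", "src_zone", "location", "src_ip",
        "terminal", "service", "application", "access_mode")

def matches(rule, flow):
    """True when every non-wildcard field of the rule equals the flow's value."""
    return all(getattr(rule, d) in (None, flow.get(d)) for d in DIMS)

def evaluate(rules, flow, default="deny"):
    """First-match lookup; returns (rule name, action), else the default action."""
    for r in rules:
        if matches(r, flow):
            return r.name, r.action
    return "default", default

def covers(earlier, later):
    """earlier covers later if each field is a wildcard or equal (exact values only)."""
    return all(getattr(earlier, d) in (None, getattr(later, d)) for d in DIMS)

def shadowed_rules(rules):
    """Rules that can never match because an earlier rule already covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(e, r) for e in rules[:i])]

# Constructed policy set with one deliberately redundant rule at the end.
RULES = [
    Rule("john-mail-worktime", "permit", user="John", schedule="Worktime",
         src_zone="Trust", service="imap"),
    Rule("block-emule", "deny", application="eMule"),
    Rule("block-emule-wifi", "deny", application="eMule",
         access_mode="wireless-802.1x"),   # never reached: block-emule covers it
]
```

The shadow check compares exact values only; a real policy tuner would also reason about address ranges and group membership.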

• Improved user experience

Huawei NGFWs provide bandwidth management functions to restrict low-value traffic, ensure bandwidth for mission-critical services, and forward delay-sensitive traffic preferentially. You can enable the quota management function to restrict the daily and monthly traffic volume or daily online duration of users. Huawei NGFWs also provide an intelligent routing function, which selects the optimal ISP egress not only through the ISP address library, smart DNS, or transparent DNS, but also according to link quality, bandwidth, weights, and priorities, to implement load balancing. Route selection can also be based on IPSec tunnel quality.

NGFW vs UTM

People familiar with UTM know that in IDC definitions, UTM is a traditional stateful inspection firewall that integrates functions such as antivirus, IPS, and anti-spam. Since both NGFWs and UTM provide security functions such as IPS and antivirus, what are the differences between them?

As mentioned above, application awareness and visibility are the core requirements on an NGFW, and a UTM usually doesn't have the application awareness capability. There is also a difference in product positioning and performance. According to Gartner, NGFWs are security products developed for large and medium-sized enterprises, whereas UTMs are primarily applicable to SMBs and to branch offices of large enterprises with fewer than 1000 employees; these enterprises prioritize function diversity and usability over performance.

The performance of many UTM products is severely degraded after IPS and antivirus are enabled. For some UTM products, performance drops to as low as 20% of the baseline after IPS and antivirus are enabled. In these cases, the functions are useless in practice. When IDC defines UTM, it implies that UTM integrates many functions in a box; however, not all of these functions are enabled. For an NGFW, performance degradation is less than 50% after IPS and antivirus are enabled.

How does an NGFW achieve this? The engine and the detection mode are the key points.

First, let's talk about the engine. A UTM integrates the functions of multiple boxes into one box. The number of boxes decreases, but logically, all functions are still performed in series. Each security detection process is implemented by a separate engine, each packet goes through multiple rounds of detection, and each round adds to the network delay.

Huawei NGFW products use the newly developed high-performance intelligent awareness engine (IAE) for unified detection and processing. The IAE first identifies the protocols and applications of traffic. Then the protocol decoding module parses the protocols and applications and inspects the decoded fields and contents separately. The detection items vary with the types of contents, and the multiple types of detection are implemented in parallel to shorten the detection time.

Of course, the improvement in NGFW performance also relies on the hardware platform. The Huawei IAE has a built-in hardware offload function: CPU-intensive operations can be handed to the Huawei-proprietary hardware platform to reduce the CPU workload and improve processing efficiency.

 

Now, let's talk about the detection mode. On many UTM products, detection is still file-based. For example, in antivirus checks, the UTM needs to receive and cache the whole file and then scan it. This mode is clearly unsuited to gateway products such as firewalls, because caching files consumes memory and adds delay. In addition, large files are difficult to cache and are usually permitted without inspection. The missing security detection of large files is therefore an irreparable security gap.

Huawei NGFW products use a flow-based file processing mechanism: they receive file fragments and perform security detection on them as they arrive. As mentioned previously, the IAE security detections run concurrently. File transmission delay is reduced, overall performance is improved, and user experience is improved as well.
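An added Python example, not code from the original post or from Huawei, contrasting the two detection modes just described: a file-based scanner that must cache the whole file before scanning and bypasses anything over its cache limit (the large-file gap), and a flow-based scanner that inspects fragments as they arrive and still catches a signature split across a fragment boundary. The signature, cache limit and sample file are constructed.

```python
# Constructed example, not Huawei code. Both scanners hunt for the same
# constructed signature; the file-based one must cache the whole file first,
# the flow-based one inspects each fragment as it arrives.
SIGNATURE = b"BAD-SIG-42"   # constructed stand-in for an antivirus signature
CACHE_LIMIT = 64            # largest file the file-based scanner will buffer

def file_based_scan(fragments, cache_limit=CACHE_LIMIT):
    """Reassemble, then scan. Returns 'block', 'permit', or 'bypass' when the
    file outgrows the cache, which is the large-file gap described above."""
    buf = bytearray()
    for frag in fragments:
        buf.extend(frag)
        if len(buf) > cache_limit:
            return "bypass"             # fail-open: file forwarded unscanned
    return "block" if SIGNATURE in buf else "permit"

class FlowScanner:
    """Scans fragments on arrival, keeping only the last len(sig)-1 bytes so a
    signature split across two fragments is still detected."""
    def __init__(self, signature=SIGNATURE):
        self.sig = signature
        self.tail = b""
        self.verdict = "permit"

    def feed(self, frag):
        window = self.tail + frag
        if self.sig in window:
            self.verdict = "block"
        self.tail = window[max(0, len(window) - len(self.sig) + 1):]
        return self.verdict

def flow_based_scan(fragments):
    """Memory use is bounded by one fragment plus the carry-over tail."""
    scanner = FlowScanner()
    for frag in fragments:
        if scanner.feed(frag) == "block":
            return "block"              # stop forwarding at the first match
    return "permit"

def sample_fragments():
    """Constructed 200-byte file, split into 32-byte fragments, with the
    signature straddling the boundary between fragments 3 and 4."""
    data = b"A" * 90 + SIGNATURE + b"B" * 100
    return [data[i:i + 32] for i in range(0, len(data), 32)]
```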

For many UTM products, when network traffic exceeds the processing capability, file detection is bypassed, that is, content security detection is simply not performed. Customers and enterprise administrators have to choose between performance and security. Some enterprises purchase UTM products but leave many functions disabled to prevent performance deterioration.

Firewall performance deterioration affects user experience on delay-sensitive services and collaborative applications, which in turn affects enterprise service quality and productivity. Nowadays, security and performance are equally important for many large enterprises. The mission of NGFWs is to make up for what traditional firewalls lack in application awareness while still providing adequate performance.

To view the list of all Dr. WoW technical posts, click here.

This post was last edited by dr.wow at 2018-4-26 20:31.
WoodWood  Admin   Released on 2018-4-17 11:41:16

GOOD
wissal     Released on 2018-4-17 20:35:52

useful document, thanks
Have a nice day

w1  Moderator   Released on 2018-4-18 04:04:34

Good
Jamalb     Released on 2018-4-19 16:09:07

Fine ...
Jbattikh Hamza     Released on 2018-4-23 14:37:21

Thanks for providing Helpful Documentation.