NEXT GENERATION FIREWALLS: Why NGFWs are Next-Generation FWs?

Agenda
– The Changing Landscape
– NGFWs
– Juniper AppSec
– How to Choose

Changing Landscapes… of applications and threats

Applications/Threats Changed; Firewalls Not
BUT… applications have changed
– Ports ≠ Applications
– IP Addresses ≠ Users
– Packets ≠ Content
The gateway at the trust border is the right place to enforce policy control
– Sees all traffic
– Defines trust boundary
Need visibility and control!!!

Web 2.0, Enterprise 2.0 Headaches for CISOs
1. Driven by new generation of addicted Internet users – smarter than you?
2. Full, unrestricted access to everything on the Internet is a right
3. They’re creating a giant social system - collaboration, group knowledge
4. Mobile device use exacerbates the problem – how to control them?
5. Large enterprises need new architectural solutions – suite for huge
6. Not waiting around for IT support or confirmation – IT is irrelevant
7. Result - a Social Enterprise full of potential risks … and rewards

Real-Life Reasons
Source: Academic Freedom or Application Chaos (2nd Edition, March 2011), Palo Alto Networks
67% of the apps use port 80, port 443, or hop ports

Consensus among Analysts
Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS, or the combination of the two. -Gartner
Forrester’s Forrsights Security Survey indicates that the standalone IPS market is a relatively mature space but that the next-generation firewall markets are expanding …we anticipate a consolidation of firewalls and IPS to create an even more advanced multifunction security gateway. -Forrester
DigiNotar, Google, Playstation Network, RSA, Comodo, Epsilon, Lockheed Martin, Many more…

Make the FW Useful Again!
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation

Why it has to be the firewall?
1. Path of least resistance - build it with legacy security boxes
2. Applications = threats
3. Can only see what you expressly look for
4. Can’t “allow, but…”
(Diagram labels: IPS, Applications, Firewall)
1. Most difficult path - can’t be built with legacy security boxes
2. Applications = applications, threats = threats
3. Can see everything
4. Can “allow, but…”
(Diagram labels: IPS, Firewall, Applications)
Traffic decision is made at the firewall
No application knowledge means bad decisions…

NGFWs

What is what?!
– Stateful Firewall
– IPS
– UTM
– Application Firewall / Application Proxy
– Next Generation Firewall (NGFW)

Stateful Firewall: blind, packet filters only

IPS: evasions, decryption issues
– Permissive rule base
– Inspect encrypted traffic
– Circumvention possible
Source: NSS Labs - Q Network Intrusion Prevention System Test Executive Summary

UTM: adding more stuff doesn’t solve the problem
– “More stuff” doesn’t solve the problem
– Firewall “helpers” have limited view of traffic
– Complex and costly to buy and maintain
– Putting all of this in the same box is just slow
– Still no visibility or control of enterprise 2.0 Internet

Application Proxy: slow + focused on few apps only
– Proxy sits between the application source and destination
– Intercepting traffic (terminating and re-initiating)
– Limited set of applications
– Low performance
– Deep knowledge of protocols

Next Generation Firewalls
– New Modules
– New Architectures
– User identification
– Application Identification
– Content identification
– Rulebase consolidation
– Analyse encrypted traffic
– Both CTS (client-to-server) and STC (server-to-client) directions

And the Nominees are…
– NGFW = FW + IPS in the same box
– NGFW = FW + IPS integrated + Security Module
– NGFW = Brand new architectures

FW & IPS issues
Positive control
– Firewall like
– Define what is allowed, block everything else
Negative control
– IPS like
– Find it and block it
– Great for blocking attacks
– Bad for controlling applications
– Ergo > Adding a bunch of application signatures to an IPS does not make it a firewall
Applications become evasive

FW & IPS issues, cont’d
Model
– Keep the FW + add an IPS style helper
Problem
– FW still allows traffic on unusual ports
– Not smart enough to recognize applications
– Must run all signatures on all ports
– Performance issue
– Management issue
– Only blocking is possible

Real NGFWs Provide a Better Approach to IPS
Integrating IPS into the firewall is NOT simply about convenience… it’s a necessity
True integration of IPS with the NGFW solves problems that traditional IPS can’t
1. Controls threats on non-standard ports
2. Proactively reduces the attack surface
3. Controls the methods attackers use to hide
4. Integrates multiple threat prevention disciplines
5. Provides visibility and control of unknown threats
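
Added example, not part of the original slides: the contrast drawn in the last three slides, written in Python. A port-based rule base and an application-based positive-control policy judge the same flows; the signatures, policy sets and sample flows are constructed for illustration and do not represent any vendor's engine.

```python
import re

# Constructed content signatures: the application is identified from the first
# payload bytes of a flow, never from the destination port.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d+-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # TLS record: handshake (0x16), version 3.x, 2-byte length, ClientHello (0x01)
    ("tls", re.compile(rb"^\x16\x03[\x00-\x04]..\x01", re.S)),
]

ALLOWED_PORTS = {80, 443}        # port-based rule base (hypothetical)
ALLOWED_APPS = {"http", "tls"}   # positive control: every other app is denied
UNKNOWN_ACTION = "deny"          # unknown traffic is handled by explicit policy

def identify_app(payload):
    """Name the application from payload content, or 'unknown'."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"

def port_verdict(dport):
    """Stateful-firewall view: only the destination port is considered."""
    return "allow" if dport in ALLOWED_PORTS else "deny"

def app_verdict(payload):
    """Application view: returns (identified app, verdict)."""
    app = identify_app(payload)
    if app == "unknown":
        return app, UNKNOWN_ACTION
    return app, "allow" if app in ALLOWED_APPS else "deny"

# Constructed sample flows: (label, destination port, first payload bytes)
FLOWS = [
    ("web on 80", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("tls on 443", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    ("ssh on 443", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("web on 8080", 8080, b"GET /status HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("opaque on 80", 80, b"\x00\x01\x02\x03proprietary"),
]

def compare(flows=FLOWS):
    """Return (label, port-based verdict, identified app, app-based verdict)."""
    return [(label, port_verdict(dport), *app_verdict(payload))
            for label, dport, payload in flows]

if __name__ == "__main__":
    for row in compare():
        print("{:<13} port-rule={:<5} app={:<7} app-rule={}".format(*row))
```

The two policies disagree on three of the five flows: SSH carried on port 443 and opaque traffic on port 80 pass the port rule but fail the application rule, while HTTP on port 8080 is the reverse.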

How to choose… Buyer's Guide

Things to consider before buying NGFW
1. Identify and control applications on any port
2. Identify and control circumventors
3. Decrypt outbound SSL
4. Identify and control applications sharing the same connection
5. Provide application function control
6. Deal with unknown traffic by policy
7. Scan for viruses and malware in allowed collaborative applications
8. Enable the same application visibility and control for remote users
9. Make network security simpler, not more complex with the addition of application control
10. Deliver the same throughput and performance with application control active

Juniper AppSec

Addressing the Evolving Threat Landscape
Customer Priorities
– Visibility into Web 2.0 Threats
– Scalable Policy Enforcement & Management
– Control of Application Usage
– Rapid Response to New Threats
Juniper Security Solutions
– AppSecure Software
– Security Research Teams
– SRX Security Service Gateways

AppSecure direction
Application Intelligence from User to Data Center
AppTrack
– Understand security risks
– Address new user behaviors
AppFW
– Block access to risky apps
– Allows user tailored policies
AppQoS
– Prioritize important apps
– Rate limit less important apps
AppDoS
– Protect apps from bot attacks
– Allow legitimate user traffic
IPS
– Remediate security threats
– Stay current with daily signatures
Subscription service includes all modules and updates
Juniper Security Lab provides 800+ application signatures

INTEGRATED APPLICATION INTELLIGENCE: AppSecure

APPLICATION VISIBILITY

Thank you!
Resources & Further readings
– Enterprise Strategy Group: The Network Application Security Architecture Requirement
– NSS Labs: Q IPS Group Test
– Juniper Networks: ESG - The Network Application Security Architecture Requirement
– Palo Alto Networks: Academic Freedom or Application Chaos?