
NEXT GENERATION FIREWALLS Why NGFWs are Next-Generation FWs?


1 NEXT GENERATION FIREWALLS Why NGFWs are Next-Generation FWs? Imre.Balazs@euroone.hu

2 Agenda
The Changing Landscape
NGFWs
Juniper AppSec
How to Choose

3 Changing Landscapes… …of applications and threats

4 Applications/Threats Changed; Firewalls Not
BUT… applications have changed:
Ports ≠ Applications
IP Addresses ≠ Users
Packets ≠ Content
The gateway at the trust border is the right place to enforce policy control: it sees all traffic and defines the trust boundary. Need visibility and control!!!

5 Web 2.0, Enterprise 2.0 Headaches for CISOs
1. Driven by a new generation of addicted Internet users – smarter than you?
2. Full, unrestricted access to everything on the Internet is a right
3. They’re creating a giant social system – collaboration, group knowledge
4. Mobile device use exacerbates the problem – how to control them?
5. Large enterprises need new architectural solutions – suite for huge
6. Not waiting around for IT support or confirmation – IT is irrelevant
7. Result – a Social Enterprise full of potential risks … and rewards

6 Real-Life Reasons
67% of the apps use port 80, port 443, or hop ports.
Source: Academic Freedom or Application Chaos (2nd Edition, March 2011), Palo Alto Networks

7 Consensus among Analysts
“Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS, or the combination of the two.” – Gartner
“Forrester’s Forrsights Security Survey indicates that the standalone IPS market is a relatively mature space but that the next-generation firewall markets are expanding … we anticipate a consolidation of firewalls and IPS to create an even more advanced multifunction security gateway.” – Forrester
Recent victims: DigiNotar, Google, Playstation Network, RSA, Comodo, Epsilon, Lockheed Martin, many more…

8 Make the FW Useful Again!
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation

9 Why it has to be the firewall?
Application control bolted onto an IPS (IPS / Applications / Firewall):
1. Path of least resistance – build it with legacy security boxes
2. Applications = threats
3. Can only see what you expressly look for
4. Can’t “allow, but…”
Application control in the firewall (IPS / Firewall / Applications):
1. Most difficult path – can’t be built with legacy security boxes
2. Applications = applications, threats = threats
3. Can see everything
4. Can “allow, but…”
The traffic decision is made at the firewall; no application knowledge there means bad decisions…

10 NGFWs

11 What is what?!
Stateful Firewall
IPS
UTM
Application Firewall / Application Proxy
Next Generation Firewall (NGFW)

12 Stateful Firewall: blind, packet filters only

13 IPS: evasions, decryption issues
Permissive rule base
Inspect encrypted traffic
Circumvention possible
Source: NSS Labs – Q4 2009 Network Intrusion Prevention System Test Executive Summary

14 UTM: adding more stuff doesn’t solve the problem
“More stuff” doesn’t solve the problem
Firewall “helpers” have a limited view of traffic
Complex and costly to buy and maintain
Putting all of this in the same box is just slow
Still no visibility or control of the Enterprise 2.0 Internet

15 Application Proxy: slow + focused on few apps only
Proxy sits between the application source and destination
Intercepts traffic (terminating and re-initiating connections)
Limited set of applications
Low performance
Deep knowledge of protocols

16 Next Generation Firewalls
New Modules:
User identification
Application identification
Content identification
New Architectures:
Rulebase consolidation
Analyse encrypted traffic
Both CTS and STC directions (client-to-server and server-to-client)

17 And the Nominees are…
NGFW = FW + IPS in the same box
NGFW = FW + IPS integrated + security modules
NGFW = brand new architectures

18 FW & IPS issues
Positive control – firewall like
– Define what is allowed, block everything else
Negative control – IPS like
– Find it and block it
– Great for blocking attacks
– Bad for controlling applications
– Ergo: adding a bunch of application signatures to an IPS does not make it a firewall
Applications become evasive

19 FW & IPS issues, cont’d
Model – keep the FW + add an IPS-style helper
Problem
– FW still allows traffic on unusual ports
– Not smart enough to recognize applications
– Must run all signatures on all ports
– Performance issue
– Management issue
– Only blocking is possible
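The argument of slides 4, 9, 18 and 19 (ports ≠ applications; positive vs. negative control; "allow, but…") in a small policy simulation. This is an added example, not code from the presentation or from any vendor product; the application names, users and flows are constructed sample data.

```python
# Added example: a port-based stateful rule base vs. an application-aware
# positive-control rule base. Application names, users and flows are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    user: str
    dst_port: int
    app: str       # what application identification would report for this flow
    function: str  # e.g. "browse", "file-transfer"

# Legacy stateful rule base (slide 12): decides on the port only, blind to the
# application, so anything that hops to 80/443 is let through.
PORT_RULES = {80: "allow", 443: "allow"}  # every other port is denied

def port_based_decision(flow: Flow) -> str:
    return PORT_RULES.get(flow.dst_port, "deny")

# Application-aware positive control (slide 18): list what is allowed and deny
# everything else, regardless of which port the application uses.
# Rules are (user or "*", application, function or "*", action); first match wins.
APP_RULES = [
    ("*",        "web-browsing",   "*",             "allow"),
    ("*",        "social-network", "file-transfer", "deny"),   # "allow, but..."
    ("*",        "social-network", "*",             "allow"),
    ("analysts", "remote-desktop", "*",             "allow"),  # user-based rule
]

def app_based_decision(flow: Flow) -> str:
    for user, app, func, action in APP_RULES:
        if user in ("*", flow.user) and app == flow.app and func in ("*", flow.function):
            return action
    return "deny"  # positive control: no matching rule means no access

# Constructed flows: a file-sharing client hopping to port 443 to evade port
# filtering, and a social-network session used for browsing vs. an upload.
EVASIVE_P2P   = Flow("student", 443, "p2p-filesharing", "download")
SOCIAL_UPLOAD = Flow("student", 443, "social-network", "file-transfer")
SOCIAL_BROWSE = Flow("student", 443, "social-network", "browse")

if __name__ == "__main__":
    for f in (EVASIVE_P2P, SOCIAL_UPLOAD, SOCIAL_BROWSE):
        print(f"{f.app}/{f.function}: port-based={port_based_decision(f)} "
              f"app-based={app_based_decision(f)}")
```

Note that the port-based rule base cannot express the third outcome at all: it either allows the whole port or blocks it, while the application-aware rule base allows the application but denies one function of it.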

20 Real NGFWs Provide a Better Approach to IPS
Integrating IPS into the firewall is NOT simply about convenience… it’s a necessity.
True integration of IPS with the NGFW solves problems that a traditional IPS can’t:
1. Controls threats on non-standard ports
2. Proactively reduces the attack surface
3. Controls the methods attackers use to hide
4. Integrates multiple threat prevention disciplines
5. Provides visibility and control of unknown threats

21 How to choose …Buyers Guide

22 Things to consider before buying an NGFW
1. Identify and control applications on any port
2. Identify and control circumventors
3. Decrypt outbound SSL
4. Identify and control applications sharing the same connection
5. Provide application function control
6. Deal with unknown traffic by policy
7. Scan for viruses and malware in allowed collaborative applications
8. Enable the same application visibility and control for remote users
9. Make network security simpler, not more complex, with the addition of application control
10. Deliver the same throughput and performance with application control active

23 Juniper AppSec

24 Customer Priorities / Juniper Security Solutions
Customer priorities:
Addressing the Evolving Threat Landscape
Visibility into Web 2.0 Threats
Scalable Policy Enforcement & Management
Control of Application Usage
Rapid Response to New Threats
Juniper security solutions:
AppSecure Software
Security Research Teams
SRX Security Service Gateways

25 AppSecure direction
Understand security risks
Address new user behaviors
Application Intelligence from User to Data Center
Subscription service includes all modules and updates
Juniper Security Lab provides 800+ application signatures
Modules:
AppTrack
AppFW – block access to risky apps; allows user-tailored policies
AppQoS – prioritize important apps; rate limit less important apps
AppDoS – protect apps from bot attacks; allow legitimate user traffic
IPS – remediate security threats; stay current with daily signatures

26 INTEGRATED APPLICATION INTELLIGENCE: AppSecure

27 APPLICATION VISIBILITY

28 Thank you!
Resources & Further reading:
Enterprise Strategy Group: The Network Application Security Architecture Requirement
NSS Labs: Q2 2009 IPS Group Test
Juniper Networks: ESG – The Network Application Security Architecture Requirement
Palo Alto Networks: Academic Freedom or Application Chaos?

