Conversation with Solar NGFW Business Development Director Andrey Shcherbakov about the concept of NGFW and the use of open source in it

The topic of NGFW, in connection with the departure of Western companies, has come up more and more often in Russian information security. Here and there we hear news that various companies have their own NGFW solutions. One of these was demonstrated at the “Cybersecurity in Finance” forum. So I decided to ask Andrey Shcherbakov, responsible for business development of Solar NGFW: why is the next‑generation firewall still called “next generation”, is it really so bad to use open source solutions in building one, and is a “home” NGFW needed? Enjoy reading!

The concept of a firewall has existed for quite some time. How does a next‑generation firewall (NGFW) differ from a firewall?

The firewall that everyone is familiar with operates at L3 and L4 and provides its data for statistical analysis, for analysis in the SOC and for cyber incident investigations. An NGFW already works at the application level, that is, at OSI layers L3, L4 and L7, and provides rich statistics on the events that have occurred. It is important to understand that an NGFW is a complex of systems, and the firewall has become part of this complex. That is why we decided to use the term Next Generation Firewall. In addition to the firewall, an NGFW includes a streaming antivirus (this is standard according to Gartner), IPS and DPI. In principle, any system can be added to this complex, and it should not merely be compatible: merging the systems should produce a result many times greater than if the systems simply worked side by side. The synergy of systems gives a greater effect than working separately within one perimeter – not 1+1=2, but 1+1=3.

Then another clarifying question: the term has existed since 2012–13, and that is quite a long time. Isn’t it easier to simply call it a firewall, since the solution has already absorbed the concept of a firewall and no one has called it a Next Generation Firewall for a long time?

Yes, the term has been around for quite some time, and there are various debates about how important it is to call it Next Generation. When choosing a name for our solution, we thought of simply calling it Network Firewall, but the market was already accustomed to certain terminology, so we decided to do it in a way that was more convenient for clients.

Is there some kind of division of NGFWs by criteria, for example, the number of attacks, the volume of processed traffic, the number of users?

There is a certain division in NGFW, but it is not very correct, since any NGFW must perform its declared functions. The solution must ensure perimeter security, carry out effective network segmentation, detect attacks, block malware and perform specific filtering – this is one side. On the other hand, it is important for a business to have a wide range of segmentation and division. Categorization of firewalls by performance is, for example, high-performance, low-performance, and so on. A simple example: we will not buy a solution intended for a small site and install it in a data center, and vice versa. Therefore, everyone who has an NGFW builds their lineup based on the performance of their firewalls.

What do you think is responsible for the surge in the emergence of NGFW solutions in the Russian Federation? What had a greater impact: the departure of foreign companies or the simplification of the creation of NGFW?

If we talk about the general development of NGFW in the Russian Federation, then, in addition to the departure of foreign companies, the Russian market turned out to be ready to create products of this class, and the necessary expertise has accumulated. However, we must understand: foreign manufacturers have been building their products for 30–40 years, and our companies now have to travel the path of creating next‑generation and multifunctional firewalls that took those decades.

In this sense, our company’s autonomy helped: we have the largest commercial SOC in Russia and our own cyber threat research center. Moreover, the center looks at the attacks that are occurring, prepares a signature and automatically updates it in our NGFW; the NGFW analyzes these cyber attacks and transmits statistics to the SOC, and through our own expertise we improve our solutions.

Was your NGFW created from scratch, or did you use an open source solution and significantly rework it?

Let me start with the fact that open source solutions are not always bad, as some may say; it is important to use them correctly. Our solution is a hybrid system: part of it is our own, for example our expertise, and part is open source.

We did not develop the product from scratch, but based it on a large number of functional modules. It is based on the developments of our development center – Solar webProxy and a number of modules from Solar Dozor. We have the largest implementation in Europe of a DLP system (the Sber company) and of SWG solutions – these are schools with more than 1 million users.

If you work carefully with open source, you can achieve good results. The main problem is undocumented features and holes. Our open source is deeply redesigned, and we use elements of secure development – we check it through Solar appScreener and a team of pentesters. In general, Russian operating systems are based on many open source components, which makes it possible to quickly provide the end customer with the necessary functionality.

Is your NGFW a hardware and software complex (PAK)? What kind of hardware does it use, and how common is it in the Russian Federation? Was the hardware design of the board created by your company?

While our project is designed for hardware, for obvious reasons I cannot disclose the internals themselves. In terms of creating the PAK, we turned out to be faster than we planned, and the “hardware component” of the solution itself is completely domestic, even the microchips. When creating it, we took two paths. First, we order everything from our partner: serial hardware, internals, and so on. By the way, the partner itself and its devices are well known on the market and in active demand. The second way is that we have design documentation developed by us and our own team of circuit designers. This allows us to design our own hardware and produce it, and in the future that will include the hardware accelerator that we are announcing. (At the time of the interview, the partner company and the characteristics of the production models were not disclosed.)

You said that the solution is a PAK, but will there also be a software-only NGFW?

We haven’t announced anything yet, but there are plans. In general, many are skeptical about NGFW as a software-only solution. An NGFW should be both hardware and software, because it is an opportunity to provide services, an opportunity for customers to receive security services more cheaply.

Do I understand correctly that your partner performs at least the surface mounting of boards in Russia?

Yes.

During testing of the NGFW, was the comparison only with Russian solutions or also with foreign ones?

We initially aimed at the enterprise segment, so, of course, we focused on the performance indicators of Western solutions. In our methodology, we indicated the number of CPS, the number of MCCs, what packets we run, the number of rules (logged/unlogged), and showed the enabled functionality.

We give people the opportunity to see openly what load our NGFW holds under different conditions. We presented it a year ago. In it we stated 5 Gb/s in NGFW mode and 20 Gb/s in firewall mode with application control.

Within the framework of the Ural Forum (author's note – “Cybersecurity in Finance”), we presented the NGFW on design hardware, not on production hardware. And during the load demonstrations, our solution not only once again confirmed its high efficiency but also exceeded the figures stated in the methodology – 10 Gb/s in NGFW mode, 40 Gb/s in FW mode on L7.

Parameters of the NGFW Solar project hardware demonstrated at the “Cybersecurity in Finance” forum

To what extent is an NGFW now a boxed solution? For example, is your NGFW easy to install?

An NGFW is a complex product. It is not as if an ordinary person can come in, plug in the cables and start using it. You still need special knowledge to operate it. We strive to ensure that our solutions are understandable to ordinary information security and IT specialists. We actually have a line of interfaces familiar to the market that are quite friendly.

But here it also depends on the request: if you need a boxed solution, we can provide a “box”, and the client’s specialists will connect it and use it. On the other hand, large companies do not need “boxes”; they need solutions customized for their specific conditions. To simplify customization there is a graphical shell, so that client specialists simply have this opportunity and use the functions they need.

In the context of constant leaks and the constant progression of cyber attacks, does it make sense to create “home” NGFWs, or is it enough for the average user to follow cyber hygiene rules and have antivirus on all home devices?

This is more of a philosophical question about building cybersecurity. Obviously, employees working remotely must have secure access to corporate resources. Therefore, the burden of ensuring cybersecurity even in a remote workplace falls on the company.

If we are talking about a specific user who really ensures his own security, then this is not only a question of a “home” NGFW. Yes, cyber attacks have become more severe. But users may need less expensive solutions. And cyber hygiene is definitely needed. For example, I work in the field of information security and try to be very careful about my actions on the network. By the way, instead of a “home” NGFW, it would be possible to provide users with cloud-based information security solutions. Perhaps our community would also be interested in moving towards cloud technology. In any case, compliance with cyber hygiene is the basis of any cyber defense, and the creation of “home” NGFWs or cloud information security solutions for the B2C segment is a debatable issue.

Of course, I would be happy to test such hardware, because it is always interesting to look at devices for yourself, but there is a caveat: I would not be able to fully test the functionality of such equipment. For that I would need to assemble a server room and find traffic somewhere, and also raise my competencies to the level of an average information security specialist. Therefore, I will limit myself to asking specialists about these solutions. Perhaps one of the other companies, I think, will also be willing to talk about their NGFW.
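The first answer in the interview draws the line between a classic firewall (decisions on L3/L4 fields) and an NGFW (the same decision, then L7 application identification, then IPS signatures). The following Python is an added illustration of that layering and is not Solar's code or any real product's engine: the flows, the 5-tuple rules, the `L7_POLICY` table and the single `IPS_SIGNATURES` entry are all constructed for the example. It shows why a pure L4 filter and an NGFW reach different verdicts on the same packet.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Flow:
    src: str          # client IP
    dst: str          # server IP
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    payload: bytes    # first bytes the client sent (constructed samples below)


# ---- Stage 1: classic L3/L4 firewall (what the interview calls "the firewall everyone knows")
@dataclass
class L4Rule:
    action: str               # "allow" or "deny"
    src: str                  # source CIDR
    proto: str
    dport: Optional[int]      # None matches any port


def l4_match(rule: L4Rule, flow: Flow) -> bool:
    return (ip_address(flow.src) in ip_network(rule.src)
            and rule.proto == flow.proto
            and (rule.dport is None or rule.dport == flow.dport))


def l4_decision(rules: List[L4Rule], flow: Flow) -> str:
    """First-match rule evaluation with an implicit default deny."""
    for rule in rules:
        if l4_match(rule, flow):
            return rule.action
    return "deny"


# ---- Stage 2: L7 application identification (a toy stand-in for DPI)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_app(payload: bytes) -> Tuple[str, Optional[str]]:
    """Return (application, hostname-if-known) from the first bytes of the client data."""
    if payload.startswith(HTTP_METHODS):
        m = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
        host = m.group(1).decode("ascii", "replace") if m else None
        return "http", host
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls", None    # TLS record header (handshake); SNI parsing omitted here
    if payload.startswith(b"SSH-"):
        return "ssh", None
    return "unknown", None


# Which application is expected on which port (constructed policy), plus one
# constructed IPS signature standing in for the signature feed the interview mentions.
L7_POLICY: Dict[int, set] = {80: {"http"}, 443: {"tls"}, 22: {"ssh"}}
IPS_SIGNATURES = {"path-traversal": re.compile(rb"\.\./\.\./")}


def ngfw_decision(l4_rules: List[L4Rule], flow: Flow) -> dict:
    """L4 rule -> application check -> IPS signature; each stage can stop the flow."""
    verdict = {"l4": l4_decision(l4_rules, flow), "app": None,
               "host": None, "ips": None, "final": "deny"}
    if verdict["l4"] != "allow":
        return verdict                      # the classic firewall already dropped it
    app, host = identify_app(flow.payload)
    verdict["app"], verdict["host"] = app, host
    if app not in L7_POLICY.get(flow.dport, set()):
        return verdict                      # e.g. a non-HTTP protocol hiding on port 80
    for name, sig in IPS_SIGNATURES.items():
        if sig.search(flow.payload):
            verdict["ips"] = name
            return verdict                  # content matched an IPS signature
    verdict["final"] = "allow"
    return verdict


def demo() -> Dict[str, dict]:
    """Run constructed sample flows through both stages and return the verdicts."""
    rules = [L4Rule("allow", "10.0.0.0/8", "tcp", 80),
             L4Rule("allow", "10.0.0.0/8", "tcp", 443),
             L4Rule("allow", "10.0.0.0/8", "tcp", 22)]
    flows = {
        "web": Flow("10.1.2.3", "203.0.113.10", "tcp", 80,
                    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        "ssh_on_80": Flow("10.1.2.3", "203.0.113.10", "tcp", 80,
                          b"SSH-2.0-OpenSSH_9.0\r\n"),
        "traversal": Flow("10.1.2.3", "203.0.113.10", "tcp", 80,
                          b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        "odd_port": Flow("10.1.2.3", "203.0.113.10", "tcp", 8080,
                         b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    }
    return {name: ngfw_decision(rules, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} l4={verdict['l4']:5s} app={verdict['app']} "
              f"ips={verdict['ips']} final={verdict['final']}")
```

Running `demo()` makes the interview's point concrete: the L4 stage allows both the real HTTP request and the SSH session on port 80, because they share the same 5-tuple shape; only the application-identification stage separates them, and only the signature stage catches the malformed request that is otherwise valid HTTP on an allowed port.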
