Let’s talk about NGFW

In a previous article on WAF, we looked at the differences between an application layer firewall and intrusion detection tools. However, that does not exhaust the list of newer network protection tools. In this article, we’ll talk about Next Generation Firewalls, NGFWs. NGFW commonly refers to a deep-inspection firewall that is integrated with IDS/IPS and is able to control and block traffic at the application layer. This rather broad definition covers a whole range of solutions with different functionality.

So let’s start by going through, in order, which threats NGFWs and sandboxes protect the network from, and how.

Network Threats

Consider a typical set of attacks on infrastructure. DDoS attacks usually come first, followed by various phishing activities and password guessing. To gain a foothold in the attacked network, attackers usually use various types of malware. Having gained access to the network infrastructure, an attacker can also try to intercept traffic using man-in-the-middle (MitM) attacks. And the “eternally alive” attack vector is, of course, the exploitation of vulnerabilities in software.

Those are the typical attack vectors, but you should also not forget about APT attacks. An APT attack is a targeted, continuous attack of increased complexity, whose goal is to find secret, confidential or otherwise valuable information on the user’s device and use it in the interests of the cybercriminals.

Typical signs of an APT attack are its distribution over time, its focus on a large organization and its employees, and the use of spear phishing and social engineering aimed at specific employees in order to obtain specific access and information. Other characteristic signs of an APT are various suspicious activities outside working hours, for example attempts to guess account passwords, searching for and copying large amounts of information, and attempts to distribute various backdoors and trojans.

Where is NGFW needed?

Classical protection tools such as firewalls and antiviruses are not very useful in the fight against APT threats. A regular firewall parses the packet only up to the transport layer, without looking into the “stuffing” of the application layer. As a result, attackers can use protocols and addresses allowed in access lists for their communications, and the suspicious activity may go unnoticed. With antiviruses the story is similar, but here an attacker who knows which antivirus an organization uses can obfuscate his code in such a way that this antivirus does not suspect anything. To a certain extent, we can be protected from network threats by the IDS/IPS attack detection tools that we talked about in the previous article.

However, the functionality of an NGFW can be much wider than that of an IPS, which allows you to deal more effectively with various attacks, including APTs. Of course, when we talk about the wide functionality of NGFW solutions, marketing plays a part, since many of these functions were previously included in UTM (Unified Threat Management) class solutions.

But let’s see what can be included in a modern NGFW solution. First of all, these are analysis tools at the application level – Application Control. Having received the packet, we parse it starting from L3 and ending at L7. In this way, we can detect suspicious activity on the network. For example, malware that has settled on the network uses special domain names, generated with a DGA (Domain Generation Algorithm), to connect to its C&C. These names allow the malware to reach its C&C servers under many different domain names. So in the picture below, the malware on the victim’s machine cycles through domain names in search of the address of the control server.

A normal firewall will not be able to detect such activity in any way, because these are simply requests to the DNS server on port 53, and if such activity is not prohibited on the FW, the packets will pass. But in the case of an NGFW, not everything is so simple. Looking into the packet and seeing a request for some suspicious domain name, the NGFW may well block such a packet.
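To make the DNS-level check concrete, here is an added example (not from the original article or any vendor’s product) of the kind of heuristic an application-aware filter can apply to DNS query names: it scores the second-level label by length, character entropy and digit/vowel mix, skips an allowlist, and returns the clients and names worth blocking or alerting on. The log format, the allowlist and the random-looking domain names are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (timestamp, client, name); the random-looking names are made up, not real IoCs.
SAMPLE_DNS_LOG = """\
2024-01-10T09:12:01 10.0.0.15 query www.example.com
2024-01-10T09:12:05 10.0.0.15 query xk3qpd9vmw7tzb.com
2024-01-10T09:12:05 10.0.0.15 query hq8vztl2r4mnxc.net
2024-01-10T09:12:06 10.0.0.15 query wikipedia.org
"""
# Hypothetical allowlist of known-good registrable domains.
ALLOWLIST = {"example.com", "wikipedia.org"}
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_domain(qname: str) -> str:
    """'www.example.com' -> 'example.com' (assumes one-label public suffixes)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def looks_generated(qname: str, entropy_threshold: float = 3.5) -> bool:
    """Heuristic DGA check on the second-level label: long, high character
    entropy, and either digits mixed in or very few vowels."""
    sld = registrable_domain(qname).split(".")[0]
    if len(sld) < 10:
        return False
    digit_ratio = sum(ch.isdigit() for ch in sld) / len(sld)
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return (shannon_entropy(sld) >= entropy_threshold
            and (digit_ratio > 0.1 or vowel_ratio < 0.2))

def flag_dga_queries(log_text: str) -> list:
    """Return (client, qname) pairs that are not allowlisted and look generated."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the filter
        _ts, client, qname = m.groups()
        if registrable_domain(qname) in ALLOWLIST:
            continue
        if looks_generated(qname):
            flagged.append((client, qname))
    return flagged
```

A real NGFW combines such heuristics with vendor reputation feeds and the Public Suffix List, since a plain entropy threshold alone produces false positives on CDN and cloud hostnames.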

Another basic function of any NGFW is URL filtering. Here, too, we inspect the application layer of HTTP packets to see which sites are being accessed. Various implementations of this are possible, for example using reputation lists of suspicious sites that the vendor provides for a fee. In the case of HTTPS, the encrypted traffic is decrypted directly on the NGFW.

Another component of an NGFW is the ability to manage VPN connections to the corporate network. Managing remote connections to the corporate network allows you to implement the concept of Zero Trust Network Access (ZTNA). In short, this concept assumes that the decision on whether to allow access to a particular user is made directly at the time of connection, based on various parameters such as the OS and browser used, locale, geographic location, and much more. Thus, with the help of ZTNA, we can prevent an attacker from remotely accessing the corporate network even if he managed to capture the credentials of a legitimate user.

Another integral component of almost any NGFW is IPS functionality. As a rule, it is implemented on the same device and activated by subscription; therefore, when sizing NGFW equipment, it is necessary to take into account the requirements for traffic analysis in general and, in particular, for inspection of SSL traffic.

Also, as a rule for an additional fee, you can activate protection tools such as anti-virus traffic scanning and anti-spam. Anti-virus scanning comes down to detecting files in the traffic and analyzing them for suspicious content. Another separate component can be a sandbox, with which we can check in an emulated environment what a given executable file actually does.

Some vendors, again for an additional fee, offer to add SIEM-like log analysis, data leak prevention (DLP), and other functionality to the NGFW.

Implementation Options

Let’s talk about NGFW implementation options. Several are possible. First of all, the classic and perhaps most reliable implementation is a physical device. By using physical devices in a failover configuration, we are less likely to run into performance issues. It is also possible to use a virtual appliance or a cloud service. Speaking of fault-tolerant configurations, it is worth noting that two options are possible:

● High Availability. One cluster node is active and routes traffic, the second node is passive and is in hot standby, ready to become active in case of problems with the first one.

● Load Sharing. Both nodes are active and traffic is “shared” between them.

Typical representatives

Until recently, any self-respecting network vendor released solutions that it positioned as NGFW, and on the Russian market one could find solutions from Palo Alto, Check Point, Fortinet and other vendors. But now, in fact, for the most part only Russian solutions are available to us. The main Russian players in this market are Usergate, APKSH Continent, xFW 5 and Ideco. The most common are the solutions of the first two vendors.

These solutions have various capabilities, such as customization of firewall rules for various entities, including users. As expected of an NGFW, it is possible to configure traffic filtering by any fields and headers. There is also VPN functionality, and the certified versions of these solutions use GOST encryption.

The NGFW also contains anti-virus functionality that allows you to check files for viruses, as they say, “on the fly”.

Each of the vendors has, in one form or another, implemented support for fault tolerance, working in Active-Passive or Active-Active mode.

Conclusion

In general, NGFW class solutions are quite powerful means of protecting the network infrastructure, and they make it possible to detect many modern threats.

Finally, I invite you to a free lesson, where we will:

  • Look at defense strategies.

  • Define what a perimeter is.

  • Study the means and methods of protecting it.

  • I don’t have a perimeter! I have cloud paws. Talk about modern ways to protect mixed environments.

Attending the webinar is a chance to try out the course and get to know the instructor. Registration is available via the link.
