Next-Generation Firewalls For Dummies (white paper in English)


_ What is an Enterprise 2.0 application? Here you will see the new risks and challenges for your organization.
_ Why are traditional firewalls ineffective against today's threats? And why quick fixes and simple add-ons cannot work.
_ What is a next-generation firewall? And also what is not one! And why you need one (or more).
_ How do you get the most out of your firewall? By creating effective policies, asking the right questions, and segmenting your network for optimum performance.
_ Discover the advanced features and capabilities that make your next-generation firewall a powerful solution for protecting your network and regaining control.


Next-Generation Firewalls For Dummies
Making Everything Easier!™
Brought to you by Palo Alto Networks

Learn to:
• Differentiate between “good” and “bad” applications
• Identify evasive techniques used by applications
• Implement effective application and network controls

Open the book and find:
• How Enterprise 2.0 applications create new risks for your organization
• Why traditional firewalls can’t protect your network
• How next-generation firewalls stand apart from other security solutions
• What features and capabilities you need in your firewall

Lawrence C. Miller, CISSP, has worked in information security for more than 20 years. He is the coauthor of CISSP For Dummies and a dozen other titles. He is also a Palo Alto Networks customer and liked it so much he bought the company — well, he’s not that rich (yet) — but he did write this book!

ISBN 978-0-470-93955-0
Book not for resale
Go to Dummies.com® for videos, step-by-step examples, how-to articles, or to shop!

Regain control of the applications and users on your network!

Traditional firewalls haven’t changed much over the past 15 years and can no longer protect your network. That’s because they were never designed to control all of the evasive, port-hopping, and encrypted Internet applications that are so common today. You’ve added intrusion prevention, proxies, antivirus, URL filtering, and much more — all to no avail. It’s time to fix the firewall!

• What Enterprise 2.0 applications are — and how they create new risks and challenges for your organization
• Why traditional firewalls are ineffective against today’s threats — and why quick fixes and add-on capabilities don’t work
• What a next-generation firewall is — what it isn’t, and why you need one (or more)
• How to get the most out of your firewall — by creating effective policies, asking the right questions, and segmenting your network for optimum performance
• Discover advanced features and capabilities — that make next-generation firewalls a powerful solution to protect your network and regain control
About Palo Alto Networks

Palo Alto Networks™ is the network security company. Its next-generation firewalls enable unprecedented visibility and granular policy control of applications and content — by user, not just IP address — at up to 10Gbps with no performance degradation. Based on patent-pending App-ID™ technology, Palo Alto Networks firewalls accurately identify and control applications — regardless of port, protocol, evasive tactic, or SSL encryption — and scan content to stop threats and prevent data leakage. Enterprises can for the first time embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation. For more information, visit www.paloaltonetworks.com.

These materials are the copyright of Wiley Publishing, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.
Next-Generation Firewalls For Dummies
by Lawrence C. Miller, CISSP
Next-Generation Firewalls For Dummies®
Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774

Copyright © 2011 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. Palo Alto Networks and the Palo Alto Networks logo are trademarks or registered trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

ISBN: 978-0-470-93955-0

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

For general information on our other products and services, please contact our Business Development Department in the U.S. at 317-572-3205. For details on how to create a custom For Dummies book for your business or organization, contact info@dummies.biz. For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Publisher’s Acknowledgments

Acquisitions, Editorial, and Media Development
Senior Project Editor: Zoë Wykes
Editorial Manager: Rev Mengle
Business Development Representative: Karen Hattan
Custom Publishing Project Specialist: Michael Sullivan

Composition Services
Senior Project Coordinator: Kristie Rees
Layout and Graphics: Carl Byers, Carrie A. Cesavice, Cheryl Grubbs
Proofreader: Rebecca Denoncour
Special Help from Palo Alto Networks: Chris King
Table of Contents

Introduction
  About This Book
  Foolish Assumptions
  How This Book Is Organized
    Chapter 1: Understanding the Evolution of Network Security
    Chapter 2: Defining the Application and Threat Landscape
    Chapter 3: Recognizing the Challenges of Legacy Security Infrastructures
    Chapter 4: Solving the Problem with Next-Generation Firewalls
    Chapter 5: Deploying Next-Generation Firewalls
    Chapter 6: Ten Evaluation Criteria for Next-Generation Firewalls
    Glossary
  Icons Used in This Book
  Where to Go from Here

Chapter 1: Understanding the Evolution of Network Security
  Why Legacy Firewalls Are No Longer Effective
  Data Leakage Is a Problem
  Compliance Is Not Optional

Chapter 2: Defining the Application and Threat Landscape
  Applications Are Not All Good or All Bad
  Applications Are Evasive
  Threats Are Coming Along for the Ride

Chapter 3: Recognizing the Challenges of Legacy Security Infrastructures
  Whatever Happened to the Firewall?
    Port-based firewalls have poor vision
    Bolt-on functionality is fundamentally flawed
    Firewall “helpers” don’t help
  Traditional IPS Is a Poor Match for Today’s Threats
  UTM Only Makes What Is Broken Cheaper
  It’s Time to Fix the Firewall

Chapter 4: Solving the Problem with Next-Generation Firewalls
  The Next-Generation Firewall
    Application identification
    User identification
    Content identification
    Policy control
    High-performance architecture
  What a Next-Generation Firewall Isn’t
  Benefits of Next-Generation Firewalls

Chapter 5: Deploying Next-Generation Firewalls
  Safe Enablement through Smart Policies
    Employee controls
    Desktop controls
    Network controls
  Defining Your Requirements and Developing an RFP
  Deployment Flexibility Matters
  Addressing Mobile and Remote Users

Chapter 6: Ten Evaluation Criteria for Next-Generation Firewalls
  Identify Applications, Not Ports
  Identify Users, Not IP Addresses
  Identify Content, Not Packets
  Visibility
  Control
  Performance
  Flexibility
  Reliability
  Scalability
  Manageability

Glossary
Introduction

With new Internet-based threats being launched faster than ever and increasingly targeting “firewall friendly” applications and application-layer vulnerabilities, traditional firewalls are becoming less and less capable of adequately protecting corporate networks.

The rapid evolution of applications and threats, coupled with the relative stagnation of traditional security technologies, has resulted in a loss of visibility and control for IT organizations attempting to keep their enterprises secure.

Despite their best efforts to restore application visibility and control, and regain the advantage in protecting their networks and information assets, most organizations remain stymied. Lacking a truly innovative solution, they turn to specialized single-purpose security appliances that fail to fully address today’s security challenges, and are not part of a comprehensive security strategy.

The resulting appliance sprawl is costly and complex — characteristics that are never desirable in a solution. But in today’s tough economic climate when organizations must do more with less — both money and IT staff — complex and costly fixes are entirely unacceptable.

Instead, an entirely new and innovative approach to network security is needed — it’s time to reinvent the firewall!

About This Book

This book provides an in-depth overview of next-generation firewalls. It examines the evolution of network security, the rise of Enterprise 2.0 applications and their associated threats, the shortcomings of traditional firewalls, and the advanced capabilities found in next-generation firewalls.
Foolish Assumptions

This book assumes you have a working knowledge of network security. As such, it is written primarily for technical readers who are evaluating potential new solutions to address their organizations’ security challenges.

How This Book Is Organized

This book consists of six short chapters and an appendix. Here’s a brief synopsis of the chapters to pique your curiosity!

Chapter 1: Understanding the Evolution of Network Security

We begin with a look at the role that firewalls traditionally play in network security, as well as some of the challenges of network security today.

Chapter 2: Defining the Application and Threat Landscape

Chapter 2 describes several trends affecting application development and their usage in enterprises. You find out about the business benefits, as well as the security risks associated with various applications, and how new threats are exploiting “accessibility features” in Enterprise 2.0 applications.

Chapter 3: Recognizing the Challenges of Legacy Security Infrastructures

Chapter 3 explains why traditional port-based firewalls and intrusion prevention systems are inadequate for protecting enterprises against new and emerging threats.
Chapter 4: Solving the Problem with Next-Generation Firewalls

Chapter 4 takes a deep dive into the advanced features and capabilities of next-generation firewalls. You learn what a next-generation firewall is, what it isn’t, and how it can benefit your organization.

Chapter 5: Deploying Next-Generation Firewalls

Chapter 5 explains the importance of security policies and controls, and the role of next-generation firewalls in implementing those policies and controls. You also get some help defining specific technical requirements for your organization, and planning the deployment of a next-generation firewall on your network.

Chapter 6: Ten Evaluation Criteria for Next-Generation Firewalls

Here, in that familiar For Dummies Part of Tens format, we present ten features to look for and criteria to consider when choosing a next-generation firewall.

Glossary

And, just in case you get stumped on a technical term or abbreviation here or there, we include a glossary to help you sort through it all!

Icons Used in This Book

Throughout this book, we occasionally use icons to call attention to important information that is particularly worth noting. Sadly, James Dean (the pop icon, not the sausage guy) isn’t available to point this information out for you, so we do it instead!

This icon points out information or a concept that may well be worth committing to memory, so don’t make like a wise guy and fuggedaboutit — instead, make wise and don’t ever forget it!

You won’t find a map of the human genome or the secret to cold fusion here (or maybe you will, hmm), but if you’re seeking to attain the seventh level of NERD-vana, take note! This icon explains the jargon beneath the jargon.

Thank you for reading, hope you enjoy the book, please take care of your writers. Seriously, this icon points out helpful suggestions and useful nuggets of information that may just save you some time and headaches.

The Surgeon General has determined . . . well okay, it’s actually nothing that hazardous. Still, this icon points out potential pitfalls and easily confused concepts.

Where to Go from Here

It’s been said that a journey of a thousand miles begins with a single step. Well, at 72 pages, reading this book is more like a quick — but informative — jaunt across your living room! Don’t worry about missing the plot, or spoiling the ending. Each chapter in this book is written to stand on its own, so feel free to start wherever you’d like and jump ahead to the chapters that interest you most. Of course, if you’re a little more of a traditionalist, you could just turn the page and start at the beginning!
Chapter 1
Understanding the Evolution of Network Security

In This Chapter
▶ Understanding why port-based firewalls have become obsolete
▶ Addressing the data leakage problem
▶ Achieving regulatory compliance

Just as antivirus software has been a cornerstone of PC security since the early days of the Internet, firewalls have been the cornerstone of network security.

Today’s application and threat landscape renders traditional port-based firewalls largely ineffective at protecting corporate networks and sensitive data. Applications are the conduit through which everything flows — a vector for our business and personal lives — along with their associated benefits and risks. Such risks include new and emerging threats, data leakage, and noncompliance.

This chapter explains how traditional firewalls operate, why they cannot meet today’s application and threat challenges, and how data leakage and compliance issues are defining network security and the need for a better firewall.
Why Legacy Firewalls Are No Longer Effective

A firewall, at its most basic level, controls traffic flow between a trusted network (such as a corporate LAN) and an untrusted or public network (such as the Internet). The most commonly deployed firewalls today are port-based (or packet filtering) firewalls, or some variation (such as stateful inspection) of this basic type of firewall. These firewalls are popular because they are relatively simple to operate and maintain, generally inexpensive, have good throughput, and have been the prevalent design for more than two decades.

In the rapid pace of the Internet Age, nearly two decades means the basic technology behind port-based firewalls is medieval. In fact, network security is often likened to the Dark Ages — a network perimeter is analogous to the walls of a castle, with a firewall controlling access — like a drawbridge. And like a drawbridge that is either up or down, a port-based firewall is limited to just two options for controlling network traffic: allow or block.

Port-based firewalls (and their variants) use source/destination IP addresses and TCP/UDP port information to determine whether or not a packet should be allowed to pass between networks or network segments. The firewall inspects the first few bytes of the TCP header in an IP packet to determine the application protocol — for example, SMTP (port 25), and HTTP (port 80).

Most firewalls are configured to allow all traffic originating from the trusted network to pass through to the untrusted network, unless it is explicitly blocked by a rule. For example, the Simple Network Management Protocol (SNMP) might be explicitly blocked to prevent certain network information from being inadvertently transmitted to the Internet. This would be accomplished by blocking UDP ports 161 and 162, regardless of the source or destination IP address.

Static port control is relatively easy.
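As an added illustration that is not part of the book, the following Python model captures the port-based firewall just described, including the stateful session table that lets replies back in: it decides only from addresses, protocol and ports, and never sees which application a packet actually carries. All addresses, ports and application labels are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example: a toy port-based firewall with stateful inspection.
# Every address, port and application label below is constructed sample
# data, not captured traffic.

TRUSTED_PREFIX = "10.0.0."   # constructed: the trusted LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    app: str     # what the packet really carries; the firewall never reads it


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "block": the only two options
    proto: Optional[str] = None          # None matches any protocol
    dport: Optional[int] = None          # None matches any destination port
    from_trusted: Optional[bool] = None  # None matches either direction


class PortBasedFirewall:
    """Decides on 5-tuples only; first matching rule wins, default deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # Session table for stateful inspection: (src, dst, proto, sport, dport)
        self.sessions: Set[Tuple[str, str, str, int, int]] = set()

    @staticmethod
    def _trusted(ip: str) -> bool:
        return ip.startswith(TRUSTED_PREFIX)

    def decide(self, pkt: Packet) -> str:
        # Stateful part: a reply to a session already allowed passes without an
        # explicit rule (the temporary "dynamic rule" the text describes).
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.sessions:
            return "allow (established)"
        outbound = self._trusted(pkt.src)
        for r in self.rules:
            if r.proto is not None and r.proto != pkt.proto:
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
            if r.from_trusted is not None and r.from_trusted != outbound:
                continue
            if r.action == "allow":
                self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return r.action
        return "block"   # nothing matched: default deny


def build_firewall() -> PortBasedFirewall:
    """Policy from the text: block SNMP on UDP 161/162 in any direction,
    otherwise allow everything that originates from the trusted network."""
    return PortBasedFirewall([
        Rule("block", proto="udp", dport=161),
        Rule("block", proto="udp", dport=162),
        Rule("allow", from_trusted=True),
    ])


def run_demo() -> Dict[str, str]:
    """Runs constructed sample packets through the policy and returns verdicts."""
    fw = build_firewall()
    lan, web, stranger = "10.0.0.5", "203.0.113.9", "198.51.100.7"
    flows = [
        ("snmp-out",       Packet(lan, web, "udp", 40000, 161, "snmp")),
        ("http-out",       Packet(lan, web, "tcp", 50000, 80, "http")),
        ("http-reply",     Packet(web, lan, "tcp", 80, 50000, "http")),
        ("unsolicited-in", Packet(stranger, lan, "tcp", 4444, 22, "ssh")),
        # Same 5-tuple shape as web browsing but a different application: the
        # firewall cannot tell the two apart, so the verdict is identical.
        ("p2p-on-80",      Packet(lan, web, "tcp", 50001, 80, "p2p-filesharing")),
    ]
    return {name: fw.decide(p) for name, p in flows}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:15} -> {verdict}")
```

The last flow is the book's point in miniature: a prohibited application riding on TCP port 80 gets exactly the same verdict as ordinary browsing, because port is all this class of firewall can see.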
Stateful inspection firewalls address dynamic applications that use more than one well-defined port (such as FTP ports 20 and 21). When a computer or server on the trusted network originates a session with a computer or server on the untrusted network, a connection is established. On stateful packet inspection firewalls, a dynamic rule is temporarily created to allow responses or replies from the computer or server on the untrusted network. Otherwise, return traffic needs to be explicitly permitted, or access rules need to be manually created on the firewall (which usually isn’t practical).

All of this works well as long as everyone plays by the rules. Unfortunately, the rules are more like guidelines and not everyone using the Internet is nice!

The Internet now accounts for the majority of traffic traversing enterprise networks. And it’s not just Web surfing. The Internet has spawned a new generation of applications being accessed by network users for both personal and business use. Many of these applications help improve user and business productivity, while other applications consume large amounts of bandwidth, pose needless security risks, and increase business liabilities — for example, data leaks and compliance — both of which are addressed in the following sections. And many of these applications incorporate “accessibility” techniques, such as using nonstandard ports, port-hopping, and tunneling, to evade traditional port-based firewalls.

IT organizations have tried to compensate for deficiencies in traditional port-based firewalls by surrounding them with proxies, intrusion prevention systems, URL filtering, and other costly and complex devices, all of which are equally ineffective in today’s application and threat landscape.

Data Leakage Is a Problem

Large scale, public exposures of sensitive or private data are far too common.
Numerous examples of accidental and deliberate data leakage continue to regularly make nightmare headlines, exposing the loss of tens of thousands of credit card numbers by a major retailer, or social security numbers leaking by a government agency, health care organization, or employer. For example, in December 2008, an improperly configured and prohibited peer-to-peer (P2P) file sharing application exposed a database of 24,000 U.S. Army soldiers’ personal information to the public domain. Unfortunately, such incidents are not isolated: the U.S. Army’s Walter Reed Medical Center, a U.S. Government contractor working on Marine One, and Pfizer Corporation all had earlier high-profile breaches of a similar nature. In all of these cases, sensitive data was leaked via an application that was expressly prohibited by policy but not adequately enforced with technology.

Data leakage prevention (DLP) technologies are being touted as a panacea and have captured the attention of many IT organizations. Unfortunately, given the scope, size, and distributed nature of most enterprise datasets, just discovering where the data is and who owns it is an insurmountable challenge. Adding to this challenge, questions regarding access control, reporting, data classification, data at-rest versus data in-transit, desktop and server agents, and encryption abound. As a result, many DLP initiatives within organizations progress slowly and eventually falter.

Many data loss prevention solutions attempt to incorporate too much of the information security function (and even include elements of storage management!) into an already unwieldy offering. Needless to say, this broadened scope adds complexity, time, and expense — both in hard costs and in staff time. Thus, DLP technologies are often cumbersome, ironically incomplete (focusing mostly on the Web and e-mail), and for many organizations — overkill . . . not to mention expensive!

Furthermore, many of the recent breaches caused by unauthorized and improperly configured P2P file sharing applications wouldn’t have been prevented by the typical implementation of DLP technologies on the market today — because control of applications isn’t addressed.

Some organizations will have to go through the effort of a large-scale DLP implementation — which should include data discovery, classification, and cataloging. But for most organizations, controlling the applications most often used to leak sensitive data and stopping unauthorized transmission of private or sensitive data, such as credit card and social security numbers, is all that is needed. Exerting that control at trust boundaries (the network perimeter) is ideal — whether the demarcation point is between inside and outside or internal users and internal resources in the datacenter. The firewall sits in the perfect location, seeing all traffic traversing different networks and network segments. Unfortunately, legacy port- and protocol-based firewalls can’t do anything about any of this — being ignorant of applications, users, and content.

To effectively address data leakage with a firewall solution, organizations should

✓ Gain control over the applications on their network — thus limiting the avenues of data leakage
✓ Scan the applications they do want on their networks, for sensitive or private data
✓ Understand which users are initiating these application transactions and why
✓ Implement appropriate control policies and technology to prevent accidental or intentional data leakage

If enterprises could control the flow of sensitive or private data at the perimeter, many of the data loss incidents that regularly make the news could be avoided. Unfortunately, legacy security infrastructures, with traditional firewalls as the cornerstone, are ill-equipped to provide this functionality.

Compliance Is Not Optional

With more than 400 regulations worldwide mandating information security and data protection requirements, organizations everywhere are struggling to attain and maintain compliance. Examples of these regulations include HIPAA, FISMA, FINRA, and GLBA in the U.S., and the EU Data Protection Act (DPA) in Europe.

Ironically, perhaps the most far-reaching, most effective, and best-known compliance requirement today isn’t even a government regulation. The Payment Card Industry Data Security Standard (PCI DSS) was created by the major payment card brands (American Express, MasterCard, Visa, and others) to protect companies, banks, and consumers from identity theft and fraudulent card use.
And as economies rely more and more on payment card transactions, the risks of lost cardholder data will only increase, making any effort to protect the data critical — whether compliance-driven or otherwise.

PCI DSS is applicable to any business that transmits, processes, or stores payment cards (such as credit cards or debit cards), regardless of the number or amount of transactions processed.

These materials are the copyright of Wiley Publishing, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

Companies that do not comply can be subject to stiff penalties including fines of up to $25,000 per month for minor violations, fines of up to $500,000 for violations that result in actual lost or stolen financial data, and loss of card-processing authorization (making it almost impossible for a business to operate).

While compliance requirements are almost entirely based on information-security best practices, it is important to remember that security and compliance aren’t the same thing. Regardless of whether or not a business is PCI compliant, a data breach can be very costly. According to research conducted by Forrester, the estimated per record cost of a breach (including fines, cleanup, lost opportunities, and other costs) ranges from $90 (for a low profile, nonregulated company) to $305 (for a high-profile, highly regulated company).

Security and compliance are related, but they are not the same thing!

PCI DSS version 1.2 consists of 12 general requirements and more than 200 specific requirements. Of the 12 general requirements, the following specifically address firewall and firewall-related requirements:

✓ Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
✓ Requirement 5: Use and regularly update anti-virus software or programs.
✓ Requirement 6: Develop and maintain secure systems and applications.
✓ Requirement 7: Restrict access to cardholder data by business need-to-know.
✓ Requirement 10: Track and monitor all access to network resources and cardholder data.
✓ Appendix F: To use network segmentation to reduce PCI DSS scope, an entity must isolate systems that store, process, or transmit cardholder data from the rest of the network.
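The firewall-related requirements above can be checked mechanically against a rule base. The following added example (not code from the book, from Wiley, or from Palo Alto Networks) audits a constructed rule set for allow rules that weaken isolation of the cardholder data environment: untrusted sources reaching the CDE (Requirement 1, Appendix F), "any application" rules into the CDE (Requirement 7), CDE access without logging (Requirement 10), and a missing closing deny-all. The rule model, the zone names ("cde", "corp", "guest", "internet") and the sample rules are assumptions made for illustration and do not follow any real firewall's configuration syntax.

```python
"""Audit a firewall rule set against PCI DSS firewall-related requirements
(Requirements 1, 7 and 10 plus Appendix F segmentation).

Added example; not code from the book, from Wiley, or from Palo Alto Networks.
The rule model, zone names and sample rule base are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone the traffic comes from, or "any"
    dst_zone: str   # zone the traffic goes to, or "any"
    app: str        # application/service permitted, or "any"
    action: str     # "allow" or "deny"
    log: bool       # whether matching sessions are logged


CDE_ZONE = "cde"                         # assumed name of the cardholder data zone
UNTRUSTED_ZONES = {"internet", "guest"}  # assumed names of zones outside the entity's control


def reaches_cde(rule: Rule) -> bool:
    """True if the rule can deliver traffic into the cardholder data zone."""
    return rule.action == "allow" and rule.dst_zone in (CDE_ZONE, "any")


def audit_cde_rules(rules):
    """Return (rule name, finding) pairs for allow rules that weaken CDE isolation.

    Rules are evaluated top-down with first match winning, so only allow rules
    that can reach the CDE are examined; a rule that never touches the CDE
    cannot widen its exposure."""
    findings = []
    for rule in rules:
        if not reaches_cde(rule):
            continue
        if rule.src_zone == "any" or rule.src_zone in UNTRUSTED_ZONES:
            findings.append((rule.name, "untrusted source may reach the CDE (Requirement 1, Appendix F)"))
        if rule.app == "any":
            findings.append((rule.name, "permits any application into the CDE; restrict to business need (Requirement 7)"))
        if not rule.log:
            findings.append((rule.name, "CDE access is not logged (Requirement 10)"))
    return findings


def has_default_deny(rules) -> bool:
    """Requirement 1 expects traffic not explicitly permitted to be denied,
    which in a first-match rule base means an explicit deny-all as the last rule."""
    if not rules:
        return False
    last = rules[-1]
    return (last.action == "deny" and last.src_zone == "any"
            and last.dst_zone == "any" and last.app == "any")


# Constructed sample rule base: one tight rule, one over-permissive rule,
# one rule that does not involve the CDE at all, and a closing deny-all.
SAMPLE_RULES = [
    Rule("pos-to-payment-gateway", "corp", "cde", "payment-api", "allow", True),
    Rule("temporary-any-to-cde", "any", "cde", "any", "allow", False),
    Rule("guest-web", "guest", "internet", "web-browsing", "allow", True),
    Rule("deny-all", "any", "any", "any", "deny", True),
]

if __name__ == "__main__":
    for name, finding in audit_cde_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
    print("default deny present:", has_default_deny(SAMPLE_RULES))
```

On the sample rule base, only the "temporary-any-to-cde" rule produces findings (three of them); the tight point-of-sale rule and the guest rule pass, and the closing deny-all satisfies the default-deny check.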
Chapter 2
Defining the Application and Threat Landscape

In This Chapter
▶ Identifying applications as good, bad, or good and bad
▶ Understanding accessibility tactics
▶ Recognizing the speed and sophistication of today’s threats

Network security used to be relatively simple — everything was more or less black and white — either clearly bad or clearly good. Business applications constituted good traffic that should be allowed, while pretty much everything else constituted bad traffic that should be blocked.

Problems with this approach today include the fact that applications have become

✓ Increasingly “gray” — classifying types of applications as good or bad is not a straightforward exercise.
✓ Increasingly evasive.
✓ The predominant vector of today’s cybercriminals and threat developers.

This chapter explores the evolving application and threat landscape, the blurring distinction between user- and business-applications, and the strategic nature of many of these applications (and their associated risks) for businesses today.
Applications Are Not All Good or All Bad

Over the past decade, the application landscape has changed dramatically for organizations. Corporate productivity applications have been joined by a plethora of personal and consumer-oriented applications. This convergence of corporate infrastructures and personal technologies is being driven by a trend known as consumerization which, according to Gartner, will be the most significant trend affecting IT through 2015.

The process of consumerization occurs as users increasingly find personal technology and applications that are more powerful or capable, more convenient, less expensive, quicker to install, and easier to use, than corporate IT solutions. These user-centric “lifestyle” applications and technologies enable individuals to improve their personal efficiency, handle their non-work affairs, and maintain online personas, among other things. Common examples include Google Docs, instant messaging applications, and Web-based e-mail. Enterprise 2.0 applications highlight the dissolution of the traditional distinctions between business and personal use. More often than not, the same applications used for social interaction are being used for work-related purposes. And as the boundary between work and their personal lives becomes less distinct, users are practically demanding that these same tools be available to them in their workplaces.

Catering to this demand, technology vendors and developers enjoy vast economies of scale and the pervasive benefits of viral marketing. Selling small quantities to literally hundreds of millions of individual users, rather than large quantities to relatively few corporate customers means

✓ Shorter buying cycles — a purchase is a personal choice rather than a corporate decision.
✓ Focusing on functionality and ease of use, rather than standards and interoperability.
✓ Constantly and rapidly improving products, based on large-scale and virtually instantaneous user feedback.

The adoption of Enterprise 2.0 applications is being driven by users, not by IT. The ease with which they can be accessed, combined with the fact that today’s knowledge workers are accustomed to using them, points toward a continuation of the consumerization trend. Defined by Appopedia (www.theappgap.com) as “a system of web-based technologies that provide rapid and agile collaboration, information sharing, emergence and integration capabilities in the extended enterprise,” Enterprise 2.0 applications have taken the world by storm. What started as a few applications that were mostly focused on searching, linking, and tagging, rapidly shifted to a horde of applications that enable authoring, networking, and sharing.

Examples of first-generation Enterprise 2.0 applications include

✓ Wikis such as Socialtext
✓ Blogging tools such as Blogger
✓ RSS tools such as NewsGator
✓ Enterprise bookmarking and tagging tools such as Cogenz
✓ Messaging tools such as AOL Instant Messenger (AIM)

Examples of second-generation Enterprise 2.0 applications include

✓ Content management tools such as SharePoint
✓ Browser-based file sharing tools such as MegaUpload.com
✓ Complex social networks such as Facebook
✓ Publishing tools such as YouTube
✓ Unified messaging tools such as Skype
✓ Posting tools such as Twitter and social bookmarking

To gain an appreciation for how rapidly the innovation and adoption cycles have accelerated for these applications, consider the following (based on an analysis of 347 organizations worldwide):

✓ In less than 18 months since its inception in April 2008, Facebook chat has overtaken Yahoo! IM and AIM inside enterprises, further demonstrating how much stickier Enterprise 2.0 applications are over Enterprise 1.0 applications.
✓ Between March 2009 and September 2009, the enterprise penetration of Google Docs has increased from 33 percent to 82 percent.
✓ In that same time period, Twitter use in enterprises jumped 252 percent in terms of sessions and 775 percent in terms of bandwidth.

Unsure of how to leverage the consumerization trend in their business processes, many organizations either implicitly allow these personal technologies and Enterprise 2.0 applications by simply ignoring their use in the workplace, or explicitly prohibit their use, but are then unable to effectively enforce such policies with traditional firewalls and security technologies. Neither of these two approaches is ideal, and both incur inherent risks for the organization. In addition to lost productivity, adverse issues for the organization include

✓ Creating a subculture of back-channel or underground workflow processes that are critical to the businesses’ operations, but are known only to a few users and fully dependent on personal technologies and applications.
✓ Introducing new risks to the entire networking and computing infrastructure, due to the presence of unknown, and therefore unaddressed and unpatched, vulnerabilities, as well as threats that target normal application and user behavior — whether a vulnerability exists in the application or not.
✓ Being exposed to non-compliance penalties for organizations that are subject to regulatory requirements such as HIPAA, FINRA, and PCI DSS.
✓ Having employees circumvent controls with external proxies, encrypted tunnels, and remote desktop applications, making it difficult, if not impossible, for security and risk managers to see the risks they’re attempting to manage.

The challenge is not only the growing diversity of the applications, but also the inability to clearly and consistently classify them as good or bad. Although many are clearly good (low risk, high reward), and others are clearly bad (high risk, low reward), most are somewhere in between. Moreover, the end of the spectrum that these applications fall on can vary from one scenario to the next and from user to user or from session to session.
For example, using a social networking application to share product documentation with a prospective customer would be “good” (medium risk, high reward), while using the same application to forward details of an upcoming release to a “friends list” that includes employees of a competitor would be “not so good” (high risk, no reward).

Indeed, many organizations now use a variety of social networking applications to support a wide range of legitimate business functions, such as recruiting, research and development, marketing, and customer support — and many are even inclined to allow the use of lifestyle applications, to some extent, as a way to provide an “employee friendly” work environment and improve morale.

Enabling Facebook usage while protecting the business

Facebook is rapidly extending its influence from the personal world to the corporate world, as employees use these applications to get their jobs done. At the same time, many organizations are looking at the nearly 500 million Facebook users as an opportunity to conduct research, execute targeted marketing, gather product feedback, and increase awareness. The end result is that Facebook can help organizations improve their bottom line.

However, formally enabling the use of Facebook introduces several challenges to organizations. Many organizations are unaware of how heavily Facebook is being used, or for what purpose. In most cases, policies governing specific usage are nonexistent or unenforceable. Finally, users tend to be too trusting, operating in a “click now, think later” mentality which introduces significant security risks.

Like any application that is brought into the enterprise by end-users, blindly allowing Facebook may result in propagation of threats, loss of data, and damage to the corporate reputation. Blindly blocking Facebook is also an inappropriate response because it may play an important role in the business and may force users to find alternative means of accessing it (such as proxies, circumvention tools, and others). Organizations should follow a systematic process to develop, enable, and enforce appropriate Facebook usage policies while simultaneously protecting network resources.
1. Find out who’s using Facebook. There are many cases where there may already be a “corporate” Facebook presence established by marketing or sales, so it is critical that IT determine which social networking applications are in use, who is using them, and the associated business objectives. By meeting with the business groups and discussing the common company goals, IT can use this step to move away from the image of “always saying no” and towards the role of business enabler.

2. Develop a corporate Facebook policy. Once Facebook usage patterns are determined, organizations should engage in discussions regarding what should and should not be said or posted about the company, the competition, and the appropriate language. Educating users on the security risks associated with Facebook is another important element to encouraging usage for business purposes. Organizations need to change the “click now, think later” mentality to a “think now, then click” attitude to better protect both users and the organization from potential threats carried by social networks.

3. Use technology to monitor and enforce policy. The outcome of each of these discussions should be documented with an explanation of how IT will apply security policies to safely and securely enable use of Facebook within enterprise environments.

Documenting and enforcing a social networking usage policy can help organizations improve their bottom line while boosting employee morale. An added benefit is that it can help bridge the chasm that commonly exists between the IT department and business groups.

Research from McKinsey and Company and the Association for Information and Image Management (AIIM) shows that companies are seeing measurable benefits from the use of Enterprise 2.0 applications and technologies. Specific benefits include an increased ability to share ideas, more rapid access to knowledge experts, and a reduction in travel, operations, and communications costs. For example, you can now make ticket reservations on Delta Airlines’ Facebook page!

Today’s network security solutions, therefore, must be able not only to distinguish one type of application from the next, but also to account for other contextual variables surrounding its use and to vary the resulting action that will be taken accordingly.
Applications Are Evasive

Although “distinguishing one type of application from the next” sounds simple, it really isn’t — for a number of reasons. In order to maximize their accessibility and use, many applications are designed from the outset to circumvent traditional firewalls, by dynamically adjusting how they communicate. For the end-user, this means an application can be used from anywhere, at anytime. Common tactics include

✓ Port hopping, where ports/protocols are randomly shifted over the course of a session
✓ Use of non-standard ports, such as running Yahoo! Messenger over TCP port 80 (HTTP) instead of the standard TCP port for Yahoo! Messenger (5050)
✓ Tunneling within commonly used services, such as when peer-to-peer (P2P) file sharing or an instant messenger (IM) client like Meebo is running over HTTP
✓ Hiding within SSL encryption, which masks the application traffic, for example, over TCP port 443 (HTTPS)

The Spring 2010 Application Usage and Risk Report by Palo Alto Networks found that out of 741 unique applications analyzed, 65 percent were designed for accessibility using these techniques. Figure 2-1 shows the comparative growth of applications using accessibility features over the past 18 months (covered by three semi-annual Application Usage and Risk Reports).

Many standard client-server applications are being redesigned to take advantage of Web technologies. Figure 2-1 shows that 30 percent (149) of the accessibility-focused applications analyzed in the report are client-server-based, a fact that contradicts the notion that “accessible” applications always use the browser. At the same time, enterprises are increasingly embracing cloud-based Web services such as Salesforce.com, WebEx, and Google Apps — which often initiate in a browser but then quickly switch to more client-server behavior (rich client, proprietary transactions, and others).
Google applications: The epitome of Enterprise 2.0?

To a certain extent, many of the applications that Google publishes epitomize Enterprise 2.0 (Web 2.0 and Internet-based applications that are used for business purposes). The Spring 2010 Application Usage and Risk Report by Palo Alto Networks identifies 22 Google applications that cover a wide functionality spectrum: productivity (Google Docs, Analytics, Calendar), social networking (Orkut), communications (Gmail, Gtalk, Voice) and entertainment (YouTube, Picasa). These applications were found with overwhelming frequency in organizations participating in the study (see the following figure).

[Figure 2-1: Comparative growth of applications with accessibility “features.” Chart title: Category and Technology Breakdown of Applications That Port Hop, Use Port 80 or Port 443. Categories: Media, Collaboration, Business-Systems, General-Internet, Networking, each shown for Spring 2009, Fall 2009 and Spring 2010. Series: Client-server, Browser-based, Network-protocol, Peer-to-peer. X-axis: Number of Applications.]
When compared to Palo Alto Networks’ Fall 2009 Application Usage and Risk Report, several facts support the trend toward increased usage of Enterprise 2.0 applications:

✓ Google Docs consumed 55 percent more bandwidth and 42 percent more sessions on a per organization basis.
✓ Google Calendar consumed 18 percent more bandwidth and 30 percent more sessions on a per organization basis.
✓ Bandwidth consumption for Google Talk Gadget shot up by 56 percent while Google Talk dropped 76 percent. Google Talk Gadget is a Flash-based browser plugin that performs the same functions as the client-server-based Google Talk. The most significant difference is the fact that it is browser-based and therefore easier to use in environments where desktop controls restrict application installation by end-users.

[Figure: Frequency that Specific Google Applications Were Detected, Spring 2010. Applications shown: Google Docs, Google Calendar, Gmail, Google Analytics, Gmail Chat, Google Talk, Google Talk Gadget. Y-axis: percentage of organizations (0% to 100%).]
Finally, many new business applications also use these same techniques to facilitate ease of operation while minimizing disruptions for customers, partners, and the organization’s own security and operations departments. For example, RPC and SharePoint use port hopping because it is critical to how the protocol or application (respectively) functions, rather than as a means to evade detection or enhance accessibility.

Further emphasizing the fact that many applications are not what they seem to be, the most commonly found applications that can port-hop are a combination of business and personal use applications (see Figure 2-2). Of these, only three are browser-based (SharePoint, Mediafire, and Ooyala); the others are peer-to-peer or client-server.

[Figure 2-2: Most frequently detected applications that can hop ports. Applications shown: SharePoint, iTunes, MSRPC, Skype, BitTorrent, MSN Voice, Ooyala, Mediafire, eMule, TeamViewer. Y-axis: percentage of organizations (0% to 100%).]

The result is that HTTP and HTTPS now account for approximately two thirds of all enterprise traffic. This is not a problem, per se, but it does exacerbate an inherent weakness of traditional security infrastructure. Specifically, the wide variety of higher-order applications riding on top of HTTP and HTTPS — whether or not they actually serve a legitimate business purpose — are practically indistinguishable for older network security solutions. The negative impact of organizations further losing control over their network communications is clear and underlines the fact that the application landscape has evolved dramatically.

Threats Are Coming Along for the Ride

The increasing prevalence of application-layer attacks is yet another disturbing trend. Threats that directly target applications can pass right through the majority of enterprise defenses, which have historically been built to provide network-layer protection. Threat developers exploit the same methods (described in the previous section) to infiltrate networks that application developers utilize to promote ease of use and widespread adoption, such as tunneling within applications. The evasion techniques built into these and many other modern applications are being leveraged to provide threats with “free passage” into enterprise networks. It is no surprise, therefore, that greater than 80 percent of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Together with the implicit trust that users place in their applications, all of these factors combine to create a “perfect storm.” The motivation for hackers has also shifted — from gaining notoriety to making money. The name of the game today is information theft. Consequently, it is no longer in a hacker’s best interests to devise threats that are “noisy” or that are relatively benign.
To be successful, a thiefmust be fast, or stealthy — or both.For those hackers who favor speed over sophistication —speed of initial threat generation, speed of modification, andspeed of propagation — the goal is to develop, launch, andquickly spread new threats immediately on the heels of thedisclosure of a new vulnerability. The resulting zero-day andnear-zero-day exploits then have an increased likelihood ofsuccess because reactive countermeasures, such as patching05_939550-ch02.indd 2105_939550-ch02.indd 21 10/1/10 1:34 PM10/1/10 1:34 PMThese materials are the copyright of Wiley Publishing, Inc. and anydissemination, distribution, or unauthorized use is strictly prohibited.
  28. 28. Next-Generation Firewalls For Dummies22and those tools that rely on threat signatures (such as antivirussoftware and intrusion prevention), are unable to keep up —at least during the early phases of a new attack.This speed-based approach is facilitated in large part by thewidespread availability of threat development Web sites, tool-kits, and frameworks. Unfortunately, another by-product of theseresources is the ability to easily and rapidly convert “known”threats into “unknown” threats — at least from the perspec-tive of signature-based countermeasures. This transformationcan be accomplished either by making a minor tweak to thecode of a threat, or by adding entirely new propagation andexploit mechanisms, thereby creating what is commonlyreferred to as a blended threat.Mariposa: How exposed are we?On July 28, 2010, the U.S. FederalBureau of Investigation (FBI)announced the arrest of a Slovenianhacker, allegedly the creator of the“Mariposa” botnet — one of the larg-est criminal botnets ever discovered.Built with a computer virus known as“Butterfly Bot,” the Mariposa botnetsteals passwords for Web sites andfinancial institutions, and is esti-mated to have infected as many as 8to 12 million computers in nearly 200countries. According to ChristopherDavis, CEO of Defence Intelligence,it would be easier “to provide a listof the Fortune 1000 companies thatweren’t compromised, rather thanthe long list of those who were.”Financial estimates of the damageto networks and the actual datastolen are still being calculated, andalthough the bot’s creator has beenarrested, criminals from around theworld who purchased his bot con-tinue to steal data from millions ofunsuspecting victims.Mariposa spreads itself across ninedifferent P2P networks includingAres, BearShare, Direct Connect,eMule, iMesh, Kazaa, Gnutella,BitTorrent (via LimeWire client), andShareaza. 
Essentially, for each P2P network, there is a Mariposa folder share feeding the bot executable. In addition to P2P applications, MSN Instant Messaging is also used as a spreader. The following figure shows the most common Mariposa spreaders found in an analysis of 363 organizations conducted by Palo Alto Networks’ Application and Threat Research Team.

[Figure: Top Mariposa Spreaders Found. Applications shown: MSN, Gnutella, Ares, Direct-Connect, Kazaa, Imesh, Emule, BitTorrent. X-axis: percentage of organizations (10% to 90%).]

Some more detailed analysis of the 363 organizations exposes some sobering statistics:

✓ 312 (86 percent) of the organizations had at least one of the P2P applications used by Mariposa.
✓ An average of three of the nine P2P applications were found in each organization.
✓ Total bandwidth consumed by the P2P applications that are capable of spreading Mariposa was 17.3 terabytes or an average of 55 gigabytes per organization.
✓ Session consumption by P2P spreaders was 555 million or an average of 1.8 million sessions per organization.
✓ MSN was found in 322 of the organizations (89 percent). Resource consumption per organization was 2.8 gigabytes of bandwidth and 67,400 sessions respectively.

With MSN appearing in 89 percent of the organizations and an average of three P2P applications appearing in more than 85 percent of the organizations, it is reasonable to speculate that many organizations are exposed.

The Mariposa botnet is a clear example of how real threats are not just hitching a ride on many of today’s most popular applications — they’re racking up some serious frequent flyer miles!
Many of today’s threats are built to run covertly on networks and systems, quietly collecting sensitive or personal data, and going undetected for as long as possible. This approach helps to preserve the value of the stolen data and enables repeated use of the same exploits and attack vectors. As a result, threats have become increasingly sophisticated. Rootkits, for example, have become more prevalent. These kernel-level exploits effectively mask the presence of other types of malware, enabling them to persistently pursue the nefarious tasks they were designed to accomplish (such as intercepting keystrokes).

Targeted attacks and advanced persistent threats (APTs), such as “Aurora,” against specific organizations or individuals are another major concern. In this case, hackers often develop customized attack mechanisms to take advantage of the specific equipment, systems, applications, configurations, and even personnel employed in a specific organization or at a given location, and quietly collect sensitive data over extended periods. According to Verizon’s 2010 Data Breach Investigations Report, 70 percent of data breaches resulted from external agents.

The increasing speed and sophistication of threats emphasize the need for proactive countermeasures with extensive visibility and control at the application-layer of the network computing stack.
Chapter 3
Recognizing the Challenges of Legacy Security Infrastructures

In This Chapter
▶ Inspecting weaknesses in legacy port-based firewalls
▶ Examining the shortcomings of intrusion prevention
▶ Addressing device sprawl

As the application and threat landscape has quickly evolved, the impact within many organizations is that IT has lost control. The inability of their existing security infrastructure to effectively distinguish good or desirable applications from those that are bad or unwanted forces most IT shops to take an inflexible and untenable “all-or-nothing” approach to security, in which they either:

✓ Take a permissive stance — an approach that ensures the accessibility of important applications, but also allows unwanted applications and threats on the corporate network
✓ Just say “no” in order to maintain a high state of security, but at the risk of limiting business agility and productivity, alienating users and business units, and creating an underground subculture of backdoor processes to circumvent security controls.

Instead, IT needs the capability to exert granular control and provide in-depth protection down to the level of individual applications, in order to confidently say “yes” to legitimate requests from the business and its end-users. Unfortunately, traditional network security infrastructures have failed to keep pace and are unable to provide this functionality.

In this chapter, you find out how the new application and threat landscape has challenged these legacy security devices, particularly firewalls, beyond their capability to effectively protect today’s networks.

Whatever Happened to the Firewall?

Have you noticed that nobody gets excited about a firewall anymore? There was a time when the firewall was the single most important security device in your network. So what happened?

The answer is a bit of a cliché, but — the Internet has changed everything! Years ago, most firewalls did a pretty good job of controlling traffic in and out of corporate networks. That’s because application traffic was generally well behaved. E-mail would typically flow through port 25, FTP was assigned to port 20, and the whole “Web surfing” thing was hanging out on, uhhh, port 80. Everybody played by the rules that “ports + protocols = applications” and the firewall had everything under control. Blocking a port meant blocking an application. Nice and simple.

Unfortunately, the Internet has never really been nice and simple. And that is truer today than ever before. Today, the Internet often accounts for 70 percent or more of the traffic on your corporate network. And it’s not just port 80 Web surfing. Typically, 20 to 30 percent of it is encrypted SSL traffic on port 443. Even worse, there is a plethora of new Internet applications that insist on making their own rules. They wrap themselves in other protocols, sneak through ports that don’t belong to them, and bury themselves inside SSL tunnels. In short, they just don’t play fair.

All these applications carry some inherent risk to your business. And they play host to clever new threats that can slip through your firewall undetected. Meanwhile, your firewall just sits there like nothing is wrong because it’s still playing by rules that don’t exist anymore!
Port-based firewalls have poor vision

Because they are deployed in-line at critical network junctions, firewalls see all traffic and, therefore, are the ideal resource to provide granular access control. The problem, however, is that most firewalls are “far-sighted.” They can see the general shape of things, but not the finer details of what is actually happening. This is because they operate by inferring the application-layer service that a given stream of traffic is associated with, based on the port number used in the packet’s header, and they only look at the first packet in a session to determine the type of traffic being processed, typically to improve performance. They rely on a convention — not a requirement — that a given port corresponds to a given service (for example, TCP port 80 corresponds to HTTP). As such, they are also incapable of distinguishing between different applications that use the same port/service (see Figure 3-1).

[Figure 3-1: Port-based firewalls can’t see or control applications. Labels and application logos shown: Oracle, SaaS, Collaboration/Media, Personal, Gmail, meebo, live365.com, Joost, YouTube, facebook, PartyPoker, RightNow, Google, workday, NetSuite, salesforce.com, LogMeIn, BitTorrent, LimeWire, msn, skype, webex.]
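The evasion tactics listed in Chapter 2 (non-standard ports, tunneling inside HTTP, hiding within SSL) and the port-based inference described in this section are two sides of the same problem, so one added example serves both passages. It is not code from the book or from any firewall vendor: on a handful of constructed sample flows it compares what a port-based firewall concludes from the destination port alone with what inspection of the first bytes the client sends reveals. The protocol signatures are simplified, and the application names (web-browsing, yahoo-messenger, meebo, bittorrent, ssl) are labels chosen here, not taken from any product.

```python
"""Port-based versus payload-based application identification.

Added example; not code from the book or from any firewall vendor. The sample
flows, the simplified protocol signatures and the application labels are all
constructed for illustration.
"""
import re

# The convention a port-based firewall relies on: destination port => service.
PORT_TO_SERVICE = {
    25: "smtp",
    80: "web-browsing",
    443: "ssl",
    5050: "yahoo-messenger",
    6881: "bittorrent",
}

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|CONNECT) \S+ HTTP/1\.[01]\r\n")


def classify_by_port(dst_port: int) -> str:
    """What a port-based firewall concludes from the packet header alone."""
    return PORT_TO_SERVICE.get(dst_port, "unknown")


def classify_by_payload(payload: bytes) -> str:
    """Identify the application from the first bytes the client sends."""
    # TLS ClientHello: record type 0x16 (handshake), version 0x03 0x0N,
    # a 2-byte length, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"  # the application inside stays hidden until the session is decrypted
    # BitTorrent peer-wire handshake starts with <19>"BitTorrent protocol".
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # Yahoo! Messenger (YMSG) frames start with the literal "YMSG".
    if payload.startswith(b"YMSG"):
        return "yahoo-messenger"
    # Plain HTTP request: identified, then look at what rides on top of HTTP.
    m = HTTP_REQUEST_LINE.match(payload)
    if m:
        if m.group(1) == b"CONNECT":
            return "http-proxy-tunnel"
        headers = payload.split(b"\r\n\r\n", 1)[0].lower()
        if b"\r\nhost: " in headers and b"meebo.com" in headers:
            return "meebo"  # an IM client tunneled over HTTP
        return "web-browsing"
    return "unknown"


def mismatches(flows):
    """Return the flows where the port-based and payload-based verdicts differ.

    Each entry is (dst_port, by_port, by_payload)."""
    result = []
    for dst_port, payload in flows:
        by_port = classify_by_port(dst_port)
        by_payload = classify_by_payload(payload)
        if by_port != by_payload:
            result.append((dst_port, by_port, by_payload))
    return result


# Constructed sample flows: (destination port, first client payload bytes).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),      # ordinary browsing
    (80, b"YMSG\x00\x10\x00\x00\x00\x10\x00\x57\x00\x00\x00\x00\x00\x00"),   # Yahoo! Messenger on port 80
    (80, b"GET /mcmd HTTP/1.1\r\nHost: www.meebo.com\r\n\r\n"),                # Meebo IM tunneled in HTTP
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),  # TLS ClientHello
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"I" * 20 + b"P" * 20),  # BitTorrent on port 80
]

if __name__ == "__main__":
    for dst_port, by_port, by_payload in mismatches(SAMPLE_FLOWS):
        print(f"port {dst_port}: port-based says {by_port}, payload says {by_payload}")
```

Three of the five constructed flows are mislabelled by the port alone (the Yahoo! Messenger, Meebo and BitTorrent sessions on port 80); the TLS flow is labelled "ssl" by both methods, which illustrates the fourth tactic: without decryption, payload inspection also stops at the SSL layer.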
The net result is that traditional, "port-based" firewalls have basically gone blind. Besides being unable to account for common evasion techniques such as port hopping, protocol tunneling, and the use of nonstandard ports, these firewalls simply lack the visibility and intelligence to discern which network traffic

✓ Corresponds to applications that serve a legitimate business purpose
✓ Corresponds to applications that can serve a legitimate business purpose but, in a given instance, are being used for unsanctioned activities
✓ Should be blocked because it includes malware or other types of threats, even though it corresponds to legitimate business activities

On top of everything else, their control model is typically too coarse-grained. Said firewalls can either block or allow traffic, but offer little variation in between to craft a more appropriate response for all of the "gray" applications that enterprises would ultimately like to support — for example, by allowing certain functions within an application but not others, allowing but also applying traffic-shaping policies, allowing but scanning for threats or confidential data, or allowing based on users, groups, or time of day.

It doesn't really help matters that the most common steps taken to address the inadequacies of traditional firewalls have, for all intents and purposes, been completely unsuccessful.

Bolt-on functionality is fundamentally flawed

Many purveyors of traditional firewalls have attempted to correct the far-sighted nature of their products by incorporating deep packet inspection (DPI) capabilities. On the surface, adding a measure of application-layer visibility and control in this manner appears to be a reasonable approach. However, the boost in security effectiveness that can be achieved in most cases is only incremental because the additional capability is being "bolted on," and the foundation it is being bolted on to is weak to begin with. In other words, the new functionality is added on rather than integrated, and the port-based firewall, with its complete lack of application awareness, is still used for initial classification of all traffic. The problems and limitations this leads to include

✓ Applications that should not be on the network are allowed onto the network.
✓ Not everything that should be inspected necessarily gets inspected. Because the firewall is unable to accurately classify application traffic, deciding which sessions to pass along to the DPI engine becomes a hit-or-miss proposition.
✓ Policy management gets convoluted. Rules on how to handle individual applications essentially get "nested" within the DPI portion of the product — which itself is engaged as part of a higher/outer level access control policy.
✓ Inadequate performance forces compromises to be made. Inefficient use of system resources and CPU- and memory-intensive application-layer functionality put considerable strain on the underlying platform. To account for this situation, administrators can only implement advanced filtering capabilities selectively.

Firewall "helpers" don't help

Over the years, enterprises have also tried to compensate for their firewalls' deficiencies by implementing a range of supplementary security solutions, often in the form of standalone appliances. Intrusion prevention systems, antivirus gateways, Web filtering products, and application-specific solutions — such as a dedicated platform for instant messaging security — are just a handful of the more popular choices. Unfortunately, the outcome is disappointingly similar to that of the DPI approach, with an additional twist.

Not everything that should get inspected does because these firewall helpers either can't see all of the traffic, rely on the same port- and protocol-based classification scheme that has failed the legacy firewall, or only provide coverage for a limited set of applications.
Policy management is an even greater problem given that access control rules and inspection requirements are spread among several consoles and involve multiple policy models. And performance is still an issue as well, at least in terms of having a relatively high aggregate latency.
Then comes the kicker: device sprawl. As one "solution" after another is added to the network, the device count, degree of complexity, and total cost of ownership all continue to rise. Capital costs for the products themselves and all of the supporting infrastructure that is required are joined by a substantial collection of recurring operational expenditures, including support/maintenance contracts, content subscriptions, and facilities costs (power, cooling, and floor space) — not to mention an array of "soft" costs such as those pertaining to IT productivity, training, and vendor management. The result is an unwieldy, ineffective, and costly endeavor that is simply not sustainable.

Traditional IPS Is a Poor Match for Today's Threats

Intrusion Prevention Systems (IPS) detect and block attacks focused on vulnerabilities that exist in systems and applications. Unlike Intrusion Detection Systems (IDS) that focus only on alerting, IPS systems are intended to be deployed in-line to actively block attacks as they are detected. One of the core capabilities of an IPS is the ability to decode protocols to more accurately apply signatures. This allows IPS signatures to be applied to very specific portions of traffic, thereby reducing the percentage of false positives that were often experienced with signature-only systems. It is important to note that most IPS offerings will use port and protocol as the first pass of traffic classification, which, given the evasive characteristics of today's applications, may lead to an erroneous identification of the application. And because IPS systems are focused mainly on attacks, they are typically deployed in conjunction with a firewall as a separate appliance or as a combination firewall and IPS.

IPS is designed to stop threats using a "find it and kill it" approach. It is not designed to control applications.
But even for stopping threats, IPS has its flaws.

Given the new application and threat landscape, organizations are also reexamining traditional intrusion prevention systems (IPS). The major IPS vendors are struggling to differentiate across several basic elements of IPS:

✓ Server and data center protection. There are only a handful of detection and prevention techniques, and most IPS products support them all. These techniques include protocol anomaly detection, stateful pattern matching, statistical anomaly detection, heuristic analysis, blocking of invalid or malformed packets, and IP defragmentation and TCP reassembly (for anti-evasion). Most IPS vendors also use vulnerability-facing signatures (as opposed to exploit-facing signatures) and turn off server-to-client protection to improve performance.
✓ Research and support. This comes down to how much actual research vendors are doing, and how quickly they can respond to help enterprises protect against new attacks and vulnerabilities. Much is made of the efforts of the research teams of IPS vendors, and while there certainly are differences, much of the research is outsourced to a few industry research stalwarts. The other aspect is critical — regardless of who does the research — can the vendor deliver timely updates to protect customers from new and emerging threats?
✓ Performance. Organizations are clearly sensitized to IPS performance issues. A recent Infonetics study cited the introduction of traffic/application latency and bandwidth/performance as major concerns causing enterprises to deploy "out-of-band" IPS. Clearly, being able to keep up with enterprise expectations for throughput and latency is top of mind for many customers.

As defenses mature, however, attackers evolve. Given that intrusion detection and prevention systems, like firewalls, are based on legacy techniques that are relatively well-understood, new attacks are able to exploit well-known weak spots, including

✓ Application-borne threats. Threat developers are using applications, both as targets and as transmission vectors. Applications provide fertile ground for both methods. Some application-borne threats are well understood (for example, many of the threats that move across social networks — Koobface, Boface, or Fbaction) — others are not (such as Mariposa, using MSN Messenger and P2P file sharing applications to spread). Regardless, attackers find it far easier to piggyback on applications, and start their attack with the client.
✓ Encrypted threat vectors. The other important technique that threats employ is encryption. While security researchers have warned for years that encryption can be used by various threats, encrypted attacks still need a conduit — enter user-centric applications. Users are easily duped into clicking on encrypted links (too many users think that HTTPS means "safe"), which can send encrypted threats sailing through enterprise defenses. This is increasingly simple on social networks, where the level of trust is extremely high. The other closely related vector is obfuscation via compression — traditional IPS can't decompress, and thus can't scan compressed content.

A common theme here is the level of control needed to prevent these newer threats — controlling applications and content, decrypting SSL, unzipping content to look for threats — all of which goes well beyond what IPS traditionally does. A major limitation of IPS, despite all of the work to transition from IDS (intrusion detection systems), is that it remains a negative security model, and is architected as such. Put more simply, IPS relies on a "find it and kill it" model — which doesn't work very well for the types of control necessary to deal with many of these new threats that move over applications. Nor does it lend itself to an architecture and platform capable of decrypting and classifying all traffic.

A positive security model operates by expressly allowing all communications that are known to be benign, appropriate, or necessary, and excluding everything else. A negative security model operates by seeking to classify only undesirable communications and content, and employing countermeasures for those that are known to be bad.

A word on data leaks

Some of the biggest information-security news stories over the past two years involve the leaking of confidential or sensitive organizational data via applications (for example, U.S. government agencies and contractors, pharmaceuticals, and retailers). In most cases, the applications that the data leaked across were expressly forbidden — unfortunately, their policies couldn't be enforced with traditional firewalls and IPS. Given these high-profile security breaches, it is no wonder that organizations are starting to look for a better solution to help protect against such embarrassing incidents.
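As an added example (not from the book), the difference between the vulnerability-facing and exploit-facing signatures mentioned in the IPS list above, and why the TCP reassembly listed beside them matters. The line-oriented protocol, its assumed 32-byte field limit, the sample messages and both signatures are constructed for illustration and describe no real product or flaw.

```python
"""Added example (not from the book): vulnerability-facing versus
exploit-facing IPS signatures, with and without TCP stream reassembly.

The protocol, its field limit and both signatures are constructed for
illustration; nothing here describes a real product or a real flaw.
"""
import re

# Hypothetical line-oriented protocol: "TOYP <name>\n". Assume (constructed)
# that the receiving implementation stores <name> in a 32-byte buffer, so an
# over-long name is the condition that actually matters to the defender.
NAME_LIMIT = 32
MESSAGE = re.compile(rb"TOYP (?P<name>[^\n]*)\n")

# Exploit-facing signature: matches one published attack string byte-for-byte.
KNOWN_PAYLOAD = b"TOYP " + b"A" * 40 + b"\n"


def exploit_facing(stream):
    """Fires only on the exact bytes of the known attack."""
    return KNOWN_PAYLOAD in stream


def vulnerability_facing(stream):
    """Decodes the protocol and tests the field that triggers the flaw."""
    return any(len(m.group("name")) > NAME_LIMIT for m in MESSAGE.finditer(stream))


def inspect_per_segment(segments, signature):
    """Legacy behaviour: each TCP segment is matched on its own."""
    return any(signature(seg) for seg in segments)


def inspect_reassembled(segments, signature):
    """Anti-evasion: rebuild the byte stream first, then match."""
    return signature(b"".join(segments))


SAMPLES = {  # constructed sessions, each a list of TCP segment payloads
    "benign": [b"TOYP alice\n"],
    "known attack": [KNOWN_PAYLOAD],
    "variant of the attack": [b"TOYP " + b"B" * 40 + b"\n"],  # same over-long field, different bytes
    "known attack, split across segments": [KNOWN_PAYLOAD[:20], KNOWN_PAYLOAD[20:]],
}

MODES = {
    "exploit/per-segment": (exploit_facing, inspect_per_segment),
    "exploit/reassembled": (exploit_facing, inspect_reassembled),
    "vuln/per-segment": (vulnerability_facing, inspect_per_segment),
    "vuln/reassembled": (vulnerability_facing, inspect_reassembled),
}


def coverage(samples=SAMPLES):
    """Return {sample name: {mode: did the signature fire?}}."""
    return {name: {mode: inspect(segs, sig) for mode, (sig, inspect) in MODES.items()}
            for name, segs in samples.items()}


if __name__ == "__main__":
    for name, verdicts in coverage().items():
        fired = [mode for mode, hit in verdicts.items() if hit]
        print(f"{name:36} fired: {fired or 'none'}")
```

Only the vulnerability-facing signature on the reassembled stream catches all three attack samples; per-segment matching misses the split session in both modes, which is why the text lists reassembly under anti-evasion.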
UTM Only Makes What Is Broken Cheaper

Unified Threat Management (UTM) devices are another new approach to modern security challenges that are based on traditional techniques. UTM solutions were born as security vendors began bolting intrusion prevention and antivirus add-ons to their stateful firewalls in an effort to reduce the cost of deployment. UTM products do not perform their functions any better than stand-alone devices. Instead, they provide convenience to the customer by integrating multiple functions into one device. Unfortunately, UTMs have a reputation for being inaccurate, hard to manage, and performing poorly when services are enabled, relegating them to environments where the value of device consolidation outweighs the downside of lost functionality, manageability, or performance.

The primary advantage of the UTM solution is that it typically does a reasonable job of addressing the issues associated with device sprawl. Instead of having all of the "helper" countermeasures deployed as separate devices, with UTM they all come in one physical package.

But so what? The result is really no different than the bolted-on approach and, therefore, exhibits the same deficiencies. Inadequate application classification and resulting blind spots in the inspections that are performed remain as fundamental problems, while performance and policy management issues are compounded even further based on having to account for multiple additional countermeasures instead of just one.

It's Time to Fix the Firewall

Traditional port-based firewalls really don't provide any value anymore — not in a world where network boundaries are disintegrating and Internet applications are exploding.

But you already know that, which is why you've been forced to make up for their glaring deficiencies with more specialized appliances — intrusion prevention systems, proxies, antivirus, anti-spyware, URL filtering, and more. Sure, these tools add some incremental value, but it's getting harder to justify their additional cost and complexity — especially during challenging economic times.

More security appliances don't necessarily mean a more secure environment. In fact, the complexity and inconsistency associated with such an approach can actually be a detriment to your organization's security.

In a February 2009 interview with Network World magazine, Craig Shumard, Chief Information Security Officer (CISO) at Cigna, referred to the growing stack of security products in his organization as "unsustainable" and likened it to the "leaning tower of Pisa," saying "we can't continue to operate 15 to 25, or more, security products . . . we [can't] continue to just add new security products to the environment and expect that we will use them effectively." Clearly, it's a strategy that does not scale. More importantly, none of these additional products give you the visibility and control you need over the applications running on your network.

It's time to address the core problem. It's time to fix the firewall! After all, the firewall sits at the most critically important place in the network, and really should be that centralized point of visibility and control over everything entering and leaving the network.
Chapter 4
Solving the Problem with Next-Generation Firewalls

In This Chapter
▶ Identifying applications, users, and content
▶ Comparing performance between next-generation and legacy firewall architectures
▶ Recognizing the security and business benefits of next-generation firewalls

Network security in most enterprises is fragmented and broken, exposing them to unwanted business risks and ever-rising costs. Traditional network security solutions have failed to keep pace with changes to applications, threats, and the networking landscape. Furthermore, the remedies put forth to compensate for their deficiencies have, for the most part, proven ineffective. It is time to reinvent network security.

This chapter is about next-generation firewalls (NGFWs): what a next-generation firewall is, what it isn't, and how it can benefit your organization.

The Next-Generation Firewall

To restore the firewall as the cornerstone of enterprise network security, next-generation firewalls "fix the problem at its core." Starting with a blank slate, next-generation firewalls classify traffic by the application's identity in order to enable visibility and control of all types of applications — including Web 2.0, Enterprise 2.0, and legacy — running on enterprise networks. The essential functional requirements for an effective next-generation firewall include the ability to:

✓ Identify applications regardless of port, protocol, evasive techniques, or SSL encryption before doing anything else
✓ Provide visibility of and granular, policy-based control over applications, including individual functions
✓ Accurately identify users and subsequently use identity information as an attribute for policy control
✓ Provide real-time protection against a wide array of threats, including those operating at the application layer
✓ Integrate, not just combine, traditional firewall and network intrusion prevention capabilities
✓ Support multi-gigabit, in-line deployments with negligible performance degradation

Typical capabilities of traditional firewalls include packet filtering, network- and port-address translation (NAT), stateful inspection, and virtual private network (VPN) support. Typical intrusion prevention capabilities include vulnerability- and threat-facing signatures, and heuristics.

The key to NGFWs is the ability to do everything a traditional firewall does with the advanced capabilities that combine innovative identification technologies, high performance, and additional foundational features to yield an enterprise-class solution.

Application identification

Establishing port and protocol is an important first step in application identification but, by itself, is insufficient. Robust application identification and inspection enables granular control of the flow of sessions through a firewall based on the specific applications that are being used, instead of just relying on the underlying set of often indistinguishable network communication services (see Figure 4-1).

Positive application identification is the traffic classification engine at the heart of NGFWs.
It requires a multi-factor approach to determine the identity of applications on the network, regardless of port, protocol, encryption, or evasive tactics. Application identification techniques used in NGFWs (see Figure 4-2) include

✓ Application protocol detection and decryption. Determines the application protocol (for example, HTTP) and, if SSL is in use, decrypts the traffic so that it can be analyzed further. Traffic is reencrypted after all the identification technologies have had an opportunity to operate.
✓ Application protocol decoding. Determines whether the initially detected application protocol is the "real one," or if it is being used as a tunnel to hide the actual application (for example, Yahoo! Instant Messenger might be inside HTTP).
✓ Application signatures. Context-based signatures look for unique properties and transaction characteristics to correctly identify the application regardless of the port and protocol being used. This includes the ability to detect specific functions within applications (such as file transfers within IM sessions).

Figure 4-1: Application-centric traffic classification identifies specific applications flowing across the network, irrespective of the port and protocol in use. (The figure shows SMTP, Skype, Yahoo! IM, Gmail, WebEx, and Limewire arriving on ports 25, 80, and 443.)
✓ Heuristics. For traffic that eludes identification by signature analysis, heuristic (or behavioral) analyses are applied — enabling identification of any troublesome applications, such as P2P or VoIP tools that use proprietary encryption.

Figure 4-2: NGFW techniques used to identify applications regardless of port, protocol, evasive tactic, or SSL encryption. (The figure shows application logos such as WebEx, Oracle, Skype, meebo, YouTube, Facebook, Google, MegaUpload, salesforce.com, LogMeIn, BitTorrent, Google Talk, and MSN passing through four stages: application protocol detection/decryption, application protocol decoding, application signature, and heuristics.)

Having the technology to accurately identify applications is important, but understanding the security implications of an application so that an informed policy decision can be made is equally important. Look for an NGFW solution that includes information about each application, and its behaviors and risks, to provide IT administrators with application knowledge such as known vulnerabilities, ability to evade detection, file transfer capabilities, bandwidth consumption, malware transmission, and potential for misuse.
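To make the contrast between the port-based classification of Chapter 3 (including its bolt-on DPI variant) and the staged application identification just described concrete, here is an added example that is not code from the book or from any firewall vendor. The flows, ports, application names and byte-pattern signatures are all constructed; decryption is left out, so every sample payload is cleartext.

```python
"""Added example (not from the book): three ways of classifying the same
sessions, mirroring the port-based, bolt-on DPI and NGFW application-
identification approaches described in the text.

Everything here is constructed for illustration: the flows, the ports,
the application names and the toy byte-pattern signatures.
"""
import math
from collections import Counter

# Legacy convention: port number -> service. Nothing in the payload is read.
PORT_TABLE = {25: "smtp", 80: "http", 443: "ssl", 22: "ssh"}

# Toy application signatures: (application, carrying protocol, pattern).
APP_SIGNATURES = [
    ("toy-messenger", "http", b"User-Agent: ToyMessenger/"),
    ("intranet-web", "http", b"Host: intranet.example"),
    ("openssh", "ssh", b"OpenSSH"),
    ("corporate-mail", "smtp", b"EHLO mail.example"),
]
# Toy function signatures inside an already identified application.
FUNCTION_SIGNATURES = [("toy-messenger", "file-transfer", b"X-Toy-Action: file-transfer")]


def classify_by_port(port):
    """Port-based firewall: infer the service from the destination port only."""
    return PORT_TABLE.get(port, "unknown")


def detect_protocol(payload):
    """Stage 1 of app-id: recognise the carrying protocol from the bytes themselves."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")) and b" HTTP/1." in payload:
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    return "unknown"


def shannon_entropy(data):
    """Bits per byte; proprietary encryption pushes this close to 8.0."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def identify_application(port, packets):
    """NGFW-style staged identification over the whole session.

    Stages 1-3 follow the text (protocol detection, decoding the carrier to find
    a tunnelled application, signatures including per-function ones); stage 4
    is an entropy heuristic for traffic nothing else recognises.
    """
    stream = b"".join(packets)
    proto = detect_protocol(packets[0])
    app = proto
    for name, carrier, pattern in APP_SIGNATURES:        # stages 2 and 3
        if carrier == proto and pattern in stream:
            app = name
            break
    for name, function, pattern in FUNCTION_SIGNATURES:  # function within the app
        if app == name and pattern in stream:
            return f"{app}:{function}"
    if proto == "unknown" and port not in PORT_TABLE and shannon_entropy(stream) > 7.0:
        return "encrypted-p2p(heuristic)"                  # stage 4
    return app


def classify_bolt_on(port, packets):
    """Bolt-on DPI: the port-based pass decides which sessions the (only) HTTP
    decoder sees, and the verdict is taken on the first packet alone."""
    service = classify_by_port(port)
    if service != "http":
        return service, "not inspected"          # no decoder was bolted on for it
    if detect_protocol(packets[0]) != "http":
        return service, "decoder failed"         # e.g. SSH riding on port 80
    return identify_application(port, packets[:1]), "inspected"


def classify_all(flows):
    """Return {flow name: (port-based verdict, bolt-on verdict, app-id verdict)}."""
    return {name: (classify_by_port(port), classify_bolt_on(port, packets),
                   identify_application(port, packets))
            for name, port, packets in flows}


HTTP_MESSENGER = b"POST /chat HTTP/1.1\r\nHost: im.example\r\nUser-Agent: ToyMessenger/3.1\r\n\r\n"
SAMPLE_FLOWS = [  # constructed sessions: (name, destination port, client packets in order)
    ("intranet web", 80, [b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"]),
    ("mail", 25, [b"EHLO mail.example\r\n"]),
    ("ssh on port 80", 80, [b"SSH-2.0-OpenSSH_8.9\r\n"]),
    ("messenger on port 8080", 8080, [HTTP_MESSENGER]),
    ("messenger file transfer", 80, [HTTP_MESSENGER, b"X-Toy-Action: file-transfer\r\n"]),
    ("p2p, proprietary crypto", 6881, [bytes(range(256)) * 2]),
]

if __name__ == "__main__":
    for name, (by_port, bolt_on, app_id) in classify_all(SAMPLE_FLOWS).items():
        print(f"{name:26} port={by_port:8} bolt-on={bolt_on} app-id={app_id}")
```

Running it shows the three failure modes from Chapter 3 side by side: the port table labels SSH on port 80 as "http", the bolt-on decoder never sees the messenger session on port 8080 and misses the file transfer because it judges on the first packet, while the staged pipeline names the application and the function in every case and falls back to the entropy heuristic for the proprietary-crypto flow.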
User identification

User identification technology links IP addresses to specific user identities, enabling visibility and control of network activity on a per-user basis. Tight integration with LDAP directories, such as Microsoft Active Directory (AD), supports this objective in two ways. First, it regularly verifies and maintains the user-to-IP address relationship using a combination of login monitoring, end-station polling, and captive portal techniques. Next, it communicates with AD to harvest relevant user information, such as role and group assignments. These details are then available to:

✓ Gain visibility into who specifically is responsible for all application, content, and threat traffic on the network
✓ Enable the use of identity as a variable within access control policies
✓ Facilitate troubleshooting/incident response and reporting

With user identification, IT departments get another powerful mechanism to help control the use of applications in an intelligent manner. For example, a social networking application that would otherwise be blocked because of its risky nature can be enabled for individuals or groups that have a legitimate need to use it, such as the human resources department (see Figure 4-3).

Content identification

Content identification infuses next-generation firewalls with capabilities previously unheard of in enterprise firewalls, such as real-time prevention of threats within permitted traffic, control of Web surfing activities, and file and data filtering.

✓ Threat prevention. This component prevents spyware, viruses, and vulnerabilities from penetrating the network, regardless of the application traffic on which they ride.
  • Application decoder. Pre-processes data streams and inspects them for specific threat identifiers.
Figure 4-3: User identification integrates enterprise directories for user-based policies, reporting, and forensics. (The figure maps named users and their departments, such as Paul in Engineering, Steve in Finance, and Nancy in Marketing, to 10.0.0.x addresses through end-station polling, role discovery, and a captive portal.)

  • Stream-based virus and spyware scanning. Scanning traffic as soon as the first packets of a file are received — as opposed to waiting until the entire file is in memory — maximizes throughput and minimizes latency.
  • Uniform threat signature format. Performance is enhanced by avoiding the need to use separate scanning engines for each type of threat. Viruses, spyware, and vulnerability exploits can all be detected in a single pass.
  • Vulnerability attack protection (IPS). Robust routines for traffic normalization and defragmentation are joined by protocol-anomaly, behavior-anomaly, and heuristic detection mechanisms to provide protection from the widest range of both known and unknown threats.
✓ URL filtering. Although not required, URL filtering is another tool sometimes used to classify content. An integrated, on-box URL database allows administrators to monitor and control Web surfing activities of employees and guest users. Employed in conjunction with user identification, Web usage policies can even be set on a per-user basis, further safeguarding the enterprise from an array of legal, regulatory, and productivity related risks.
✓ File and data filtering. Taking advantage of in-depth application inspection, file and data filtering enables enforcement of policies that reduce the risk of unauthorized file and data transfer. Capabilities include the ability to block files by their actual type (not based on just their extension), and the ability to control the transfer of sensitive data patterns such as credit card numbers. This complements the granularity of application identification, which for many applications offers the ability to control file transfer within an individual application (such as IM).

With content identification, IT departments gain the ability to stop threats, reduce inappropriate use of the Internet, and help prevent data leaks — all without having to invest in a pile of additional products and risk appliance sprawl (see Figure 4-4).

Figure 4-4: Content identification unifies content scanning for threats, confidential data, and URL filtering. (The figure shows data such as credit card numbers, SSNs, and files; threats such as vulnerability exploits, viruses, and spyware; and URLs all feeding into a single content identification stage.)
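The content identification behaviours listed above, as an added example that is not the book's or any vendor's code: file typing by leading bytes rather than extension, a stream-based scanner that reports as chunks arrive and carries a short tail across chunk boundaries so a credit card number split between two chunks is still caught exactly once, a Luhn check to cut false positives on the card pattern, and transparent gzip decompression, which the IPS section names as the compression evasion legacy devices miss. The sample documents and chunk sizes are constructed.

```python
"""Added example (not from the book): a toy content-identification scanner
showing magic-byte file typing, stream-based scanning with chunk-boundary
handling, Luhn-checked card-number detection and transparent gzip decoding.
Sample files and chunk boundaries are constructed for illustration.
"""
import gzip
import re
import zlib

MAGIC = {b"MZ": "windows-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip-container"}
GZIP_MAGIC = b"\x1f\x8b"
CARD = re.compile(rb"(?<!\d)\d{13,16}(?!\d)")   # candidate card number: 13-16 digit run
TRAILING_DIGITS = re.compile(rb"\d*$")


def true_file_type(head):
    """Classify by leading bytes; the file name or extension is never consulted."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def luhn_ok(digits):
    """Luhn check-digit test, used to reject random digit runs that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class StreamScanner:
    """Feed chunks in arrival order; a verdict is available after every chunk,
    without waiting for the whole file to be buffered."""

    def __init__(self):
        self.inflater = None   # set when the stream turns out to be gzip
        self.head = b""        # first bytes of the (inflated) content, for typing
        self.tail = b""        # trailing digit run deferred to the next chunk
        self.cards = []
        self.started = False

    def feed(self, chunk):
        if not self.started:
            self.started = True
            if chunk.startswith(GZIP_MAGIC):
                self.inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
        data = self.inflater.decompress(chunk) if self.inflater else chunk
        self.head = (self.head + data)[:8]
        self._scan(data, final=False)
        return list(self.cards)

    def finish(self):
        leftover = self.inflater.flush() if self.inflater else b""
        self._scan(leftover, final=True)
        return {"container": "gzip" if self.inflater else None,
                "file_type": true_file_type(self.head), "cards": list(self.cards)}

    def _scan(self, data, final):
        window = self.tail + data
        # Digits at the very end may continue in the next chunk, so defer them.
        run = b"" if final else TRAILING_DIGITS.search(window).group(0)
        scan_part = window[:len(window) - len(run)]
        for m in CARD.finditer(scan_part):
            number = m.group(0).decode()
            if luhn_ok(number):
                self.cards.append(number)
        # A run longer than 16 digits can never be a card; keeping 17 preserves
        # the "preceded by a digit" context so it cannot match later either.
        self.tail = run[-17:]


def scan_stream(chunks):
    scanner = StreamScanner()
    for chunk in chunks:
        scanner.feed(chunk)
    return scanner.finish()


def chunked(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed samples: an invoice with one valid and one invalid card number,
# and an executable whose name claims it is a text file.
INVOICE = b"%PDF-1.4 invoice: card 4111111111111111, ref 1234567890123456, phone 5551234567 end"
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00 pretending to be notes.txt"

if __name__ == "__main__":
    print(scan_stream(chunked(INVOICE, 10)))
    print(scan_stream(chunked(gzip.compress(INVOICE), 7)))
    print(scan_stream([RENAMED_EXE]))
```

The deferral of a trailing digit run is the part that makes stream scanning safe: without it, a number that straddles two chunks is either missed or, if a naive overlap is used, reported twice.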
Policy control

Identifying the applications in use (application identification), who is using them (user identification), and what they are using them for (content identification) is an important first step in learning about the traffic traversing the network. Learning what the application does, the ports it uses, its underlying technology, and its behavior is the next step towards making an informed decision about how to treat the application. Once a complete picture of usage is gained, organizations can apply policies with a range of responses that are more fine-grained and appropriate than simply "allow" or "deny" — the only options available in traditional port-based firewalls. This is made possible by the combination of application-, user-, and content identification, and the positive security model of next-generation firewalls. Traditional port-based firewalls have the security model, but lack intelligence. Other security devices might have some of the intelligence, but not the security model. Examples of policy control options in NGFWs include

✓ Allow or deny
✓ Allow but scan for exploits, viruses, and other threats
✓ Allow based on schedule, users, or groups
✓ Decrypt and inspect
✓ Apply traffic shaping through QoS
✓ Apply policy-based forwarding
✓ Allow certain application functions
✓ Any combination of the aforementioned

High-performance architecture

Having a comprehensive suite of application awareness and content inspection capabilities is of little value if IT administrators are unable to fully engage them due to performance constraints. Therefore, it is important to select a next-generation firewall that is designed from the start to deliver high performance. The issue is not just that these capabilities are inherently resource intensive. There's also the tremendous traffic volume confronting today's security infrastructure, not to mention the latency sensitivity of many applications. Rated throughput and reasonable latency should be sustainable under heavy loads, even when all application and threat inspection features are engaged simultaneously — which is the ideal configuration from a security perspective.

For traditional security products, especially those with bolted-on capabilities, each high-level security function is performed independently. This multi-pass approach requires low-level packet processing routines to be repeated numerous times. System resources are used inefficiently and significant latency is introduced (see Figure 4-5).

Figure 4-5: Legacy multi-pass architectures. (The figure shows L2/L3 networking, HA, configuration management, reporting, and port/protocol-based identification repeated separately for the firewall policy, the HTTP decoder and URL filtering policy, the IPS decoder, signatures, and policy, and the AV decoder and proxy, signatures, and policy.)
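A policy engine of the kind described in the user identification and policy control sections above, as an added example that is not the book's or any vendor's code. Users, addresses, groups, applications and rules are constructed; the action names follow the options the text lists (allow, deny, allow-but-scan, schedule and group conditions, decrypt, QoS, per-function control), the default is the positive security model's "everything else is excluded", and the last function shows the negative model from the IPS discussion for contrast.

```python
"""Added example (not from the book): a positive-security-model policy engine
tying together user identification and the policy control options in the text.
Users, addresses, groups, applications and rules are constructed.
"""
from datetime import time

# User identification: the user-to-IP and user-to-group data that directory
# integration (login monitoring, polling, captive portal) would keep current.
IP_TO_USER = {"10.0.0.21": "steve", "10.0.0.27": "paul", "10.0.0.182": "nancy"}
USER_GROUPS = {"steve": {"finance"}, "paul": {"engineering"}, "nancy": {"marketing", "hr"}}

# Rules are evaluated top-down, first match wins. "groups": "any" matches every
# user, including unidentified ones; "hours" is None or a (start, end) window.
RULES = [
    {"app": "social-network", "groups": {"hr"}, "hours": (time(8), time(18)),
     "actions": {"allow", "scan-threats", "deny-function:file-transfer"}},
    {"app": "web-mail", "groups": "any", "hours": None,
     "actions": {"allow", "decrypt", "scan-threats", "scan-data"}},
    {"app": "video-streaming", "groups": "any", "hours": None,
     "actions": {"allow", "qos:low-priority"}},
    {"app": "erp", "groups": {"finance"}, "hours": None,
     "actions": {"allow", "scan-threats"}},
]
DEFAULT_ACTIONS = {"deny"}   # positive model: not expressly allowed means excluded


def resolve_user(ip):
    """Map a source address to (user, groups); unknown hosts get (None, set())."""
    user = IP_TO_USER.get(ip)
    return user, USER_GROUPS.get(user, set())


def decide(ip, app, at, rules=RULES):
    """Return (user, actions) for a session from `ip` identified as `app` at time `at`."""
    user, groups = resolve_user(ip)
    for rule in rules:
        if rule["app"] != app:
            continue
        if rule["groups"] != "any" and not groups & rule["groups"]:
            continue
        window = rule["hours"]
        if window and not (window[0] <= at < window[1]):
            continue
        return user, set(rule["actions"])
    return user, set(DEFAULT_ACTIONS)


KNOWN_BAD = {"known-malware-downloader"}   # constructed blocklist


def negative_model_decide(app):
    """Legacy IPS-style negative model: block what is known bad, pass everything else."""
    return {"deny"} if app in KNOWN_BAD else {"allow"}


if __name__ == "__main__":
    for ip, app, at in [("10.0.0.182", "social-network", time(10)),
                        ("10.0.0.27", "social-network", time(10)),
                        ("10.0.0.182", "social-network", time(20)),
                        ("10.0.0.27", "new-p2p-tool", time(10))]:
        user, actions = decide(ip, app, at)
        print(f"{ip} ({user}) {app} at {at}: {sorted(actions)} "
              f"| negative model: {sorted(negative_model_decide(app))}")
```

The last sample is the point of the positive model: an application nobody has written a rule for is denied here, whereas the blocklist-only function lets it through because no signature names it.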