UTM
UTM is a multifunction network security product used by small or midsize businesses (SMBs). Defined by IDC, 2004.
• Basic UTM (2004): Firewall, IPsec VPN, IPS, Anti-virus
• Extended UTM: URL filtering, SSL VPN, Anti-spam, Anti-malware
• Advanced UTM (now): App. awareness, User awareness, Content awareness, WLAN controller, WAN optimization, VoIP Gateway, Web-FW, SSL Proxy, DLP, NAC, ...
NGFW
A Next-generation Firewall provides multiple protection mechanisms and features designed to prevent threats/attacks from the network layer to the application layer. Supports in-line (bump-in-the-wire) configuration. Minimum features:
• Standard first-generation firewall capabilities
• Integrated rather than merely colocated network IPS
• Application awareness and full-stack visibility
• Extra-firewall intelligence: user ID directory, URL/IP DB
• Support for upgrade paths to address future threats
Defined by Gartner, 2009
NGFW - Application awareness
Role: application detection and application control (application access control and action control), regardless of the port, protocol, and (SSL) encrypted traffic!
Composition:
• Application decryption (SSL, SSH)
• Application protocol decoding (detect HTTP tunneling, individual functions, etc.)
• Application signatures
• Application heuristics (app. anomaly detection)
NGFW - Security Policy of NGFW
Existing FW: Allow SOURCE to DESTINATION
• SOURCE: IP addresses, port #
• DESTINATION: IP addresses, port #
• Example: "Allow 220.127.116.11 80 to any 80" - allow the use of port 80 for a designated IP.
NGFW: Allow Application SOURCE to DESTINATION
• SOURCE: IP addresses, port #, users
• DESTINATION: IP addresses, port #
• Example: "Allow Facebook any any manager to any any" - allow access to "Facebook" for a designated user group (regardless of the port, protocol, and encrypted traffic!)
NGFW vs. UTM #1
Chart comparing UTM and NGFW on two axes: range of security features and throughput (with FW+IPS+AV enabled). Market: UTM - SMB; NGFW - Enterprise.
NGFW vs. UTM #2
UTM: Port -> Traffic Classification Engine -> App. ID (app. ID used as an IPS pattern!). Sees applications only on the default port; identifies potentially malicious traffic by port.
NGFW: Traffic Classification Engine -> App. ID -> Port. Sees applications on every port, not just the default port; identifies potentially malicious traffic by application type.
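The policy and classification differences of the two slides above (a port-based rule on the existing firewall versus an application-and-user rule that the NGFW matches on every port) as an added Python example; this is not code from the original slides. The flows, addresses, user groups and payloads are constructed, and the payload signature match is a minimal stand-in for a real traffic classification engine.

```python
# Added example (not from the original slides): legacy port-based policy vs.
# NGFW application/user-based policy, evaluated over constructed flows.
import re
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dport: int
    user_group: str   # assumed to be resolved from a user-ID directory
    payload: bytes    # first bytes sent by the client (constructed)

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")

def identify_app(flow: Flow) -> str:
    """Classify by payload signature; the destination port is deliberately ignored."""
    p = flow.payload
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    if HTTP_REQ.match(p):
        m = re.search(rb"\r\nHost: ([^\r\n]+)", p, re.IGNORECASE)
        host = m.group(1).strip().lower() if m else b""
        return "facebook" if host.endswith(b"facebook.com") else "web-browsing"
    return "unknown"

def legacy_policy(flow: Flow) -> str:
    """Existing FW rule: allow the designated source IP to use port 80."""
    return "allow" if flow.src == "10.0.0.5" and flow.dport == 80 else "deny"

def ngfw_policy(flow: Flow) -> str:
    """NGFW rule: allow application 'facebook' for the 'manager' group, on any port."""
    ok = identify_app(flow) == "facebook" and flow.user_group == "manager"
    return "allow" if ok else "deny"

# Constructed flows: SSH tunnelled over port 80, Facebook on a non-default port.
FLOWS = {
    "ssh_over_80": Flow("10.0.0.5", 80, "staff", b"SSH-2.0-OpenSSH_8.9\r\n"),
    "facebook_8080_manager": Flow("10.0.0.7", 8080, "manager",
                                  b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    "facebook_80_staff": Flow("10.0.0.5", 80, "staff",
                              b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
}

def evaluate(flows=FLOWS) -> dict:
    """Return {name: (application, legacy verdict, NGFW verdict)} for each flow."""
    return {n: (identify_app(f), legacy_policy(f), ngfw_policy(f)) for n, f in flows.items()}
```

The port-only rule lets the SSH session through because it rides on port 80, while the NGFW rule allows the manager's Facebook session on port 8080 and denies it for other users.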
NGIPS
A Next-generation IPS builds on typical IPS solutions by providing application and contextual awareness to promptly assess threats, ensure a consistent and appropriate response, and reduce an organization's security expenditures. Supports in-line (bump-in-the-wire) configuration. Minimum features:
• Standard first-generation IPS capabilities
• Application awareness and full-stack visibility
• Context awareness: information sources such as user identities, vulnerability and patching state, geo-location information, etc.
• Content awareness
• Agile engine: support for upgrade paths to address future threats
Defined by Gartner, 2011
NGIPS - Context awareness (Definition)
Context awareness (external intelligence, situational awareness) is the ability to deliver additional, relevant information to the FW & IPS engine to enable more accurate decisions to allow, alert, or block more quickly, accurately, and securely with fewer false positives. Context is the complex set of network circumstances. Context awareness is understanding the entire environment.
Diagram: the management system feeds context information to the appliance: devices (host profile with OS), applications (client side and server side), configuration, services, vulnerabilities, patching state, security policy, historical information, network behaviors (NBA), user ID. Special event detected! How to respond?
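The decision the slide ends on ("special event detected, how to respond?") as an added Python example, not code from the original slides: an IPS event is triaged against host-profile context (OS, listening services, vulnerability and patching state) so that alerts that cannot apply to the target are downgraded and confirmed exposures are escalated. Host profiles, events and the VULN-A vulnerability id are constructed placeholders.

```python
# Added example (not from the original slides): context-aware triage of IPS
# events using host profiles (OS, listening services, vulnerability/patch state).
from dataclasses import dataclass, field

@dataclass
class HostProfile:
    os: str
    services: dict                                 # port -> service name
    vulnerable: set = field(default_factory=set)   # unpatched vulnerability ids
    patched: set = field(default_factory=set)      # vulnerability ids already fixed

@dataclass
class IpsEvent:
    sig: str          # signature name
    dst: str          # targeted host
    dport: int        # targeted port
    target_os: str    # OS the signature's exploit applies to
    vuln: str = ""    # vulnerability id the signature covers, if any

def triage(event: IpsEvent, profiles: dict) -> str:
    """Return 'block', 'alert' or 'log' for an event, given host context."""
    host = profiles.get(event.dst)
    if host is None:
        return "alert"                 # no context: keep the plain signature verdict
    if event.target_os != host.os:
        return "log"                   # exploit cannot apply to this OS
    if event.dport not in host.services:
        return "log"                   # nothing listening on the targeted port
    if event.vuln and event.vuln in host.patched:
        return "log"                   # patching state says the host is not exposed
    if event.vuln and event.vuln in host.vulnerable:
        return "block"                 # confirmed exposure: respond actively
    return "alert"

# Constructed host profiles and events; VULN-A is a placeholder id, not a real CVE.
PROFILES = {
    "10.1.1.10": HostProfile("linux", {22: "ssh", 80: "apache"}, vulnerable={"VULN-A"}),
    "10.1.1.11": HostProfile("linux", {80: "apache"}, patched={"VULN-A"}),
}
EVENTS = [
    IpsEvent("iis_overflow", "10.1.1.10", 80, "windows"),
    IpsEvent("apache_traversal", "10.1.1.10", 80, "linux", "VULN-A"),
    IpsEvent("apache_traversal_patched", "10.1.1.11", 80, "linux", "VULN-A"),
    IpsEvent("ssh_bruteforce", "10.1.1.11", 22, "linux"),
    IpsEvent("unknown_host", "10.1.1.99", 80, "linux", "VULN-A"),
]

def run_triage(events=EVENTS, profiles=PROFILES) -> dict:
    """Return {signature name: verdict} for every event."""
    return {e.sig: triage(e, profiles) for e in events}
```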
NGIPS vs. NGFW #1
Diagram stacking awareness levels on top of the Existing Firewall and Existing IPS: application awareness (NGFW), user awareness and content awareness (NGFW-v2, other), context awareness (NGIPS).
NGIPS vs. NGFW #2
Columns: Element | Typical FW | NGFW | Typical IPS | NGIPS | NGFW v2 (O = supported, △ = partial; marks listed in row order, column alignment was lost in extraction)
• Attack signature: O O O O
• Application awareness - Applications: O O O
• User awareness - Users (identity): O O O
• Context awareness - Vulnerabilities: O O; Host profiles: O O; Client applications / Mobile devices: O O O; Virtual machines: O O O; NW behavior anomaly (NBA): △ O O O
• Access control - Network access: O O O O O; Site access (URL filtering): O O O; User access: O O; Application (Layer 7) access: O O
• Vendors: PaloAlto, SourceFire, CheckPoint, McAfee, SourceFire
The Meaning of Next-gen. Security #1
Evolution of Convergence and Awareness
Diagram over the TCP/IP layers (Application, Transport, Internet, Link) comparing UTM, IPS and NGFW:
• UTM: network-centric convergence; colocated security features
• NGFW: application-centric convergence; closely integrated security features
The Meaning of Next-gen. Security #2
Age of Awareness (Expansion of DPI)
Layers, from bottom to top:
• Deep Packet Inspection
• Pattern awareness (basic awareness): pattern matching for attack detection - IPS, Anti-DDoS
• Content awareness: full content inspection - DLP, Anti-malware, URL filtering
• Application awareness and User awareness - NGFW
• Context awareness - NGIPS
• All of awareness for security
The Meaning of Next-gen. Security #3
Hardened Security Management - hardened configuration features!!
• Management system: policy setting, automation, monitoring, visualization, reporting, analysis
• Appliance: information, configuration, security policy, detection, blocking
Context awareness is the base of Active Control!
The Future of Security Industry
Chart over the timeline 1990~, 2000~, 2010~, 2020~: Product (modulization), Mgmt. system (ESM, SIEM), Service (Consulting, MSS); underlying databases: Virus DB, IPS DB, Application DB, Context DB.
The most important thing for strategy is "Information", The most important thing for planning is "Insight", The most important thing for development is "Practical ability", The most important thing for business is "Timing", The most important thing for service is "Executive ability". The most important thing for outdoor activities is "Network", The most important thing for business practice is "Political power"! 2013.02, By Claude Conrad