A firewall is an information security program that blocks specific types of information from passing between the outside world and the inside world.
VPN technology provides a secure and separate network, which allows users to connect to the internet through an encrypted tunnel by encapsulating the packets.
Next Generation Firewalls and VPN Technology
DEPARTMENT OF COMPUTER SCIENCE AND INFORMATICS
A report on
Next Generation Firewalls
&
VPN Technology
Date: 10/02/2017
Course: Information Security
Course Code: INFT 308
3. Next Generation Firewalls and VPN Technology | 3
ABSTRACT
Next Generation Firewalls
Next-generation firewalls (NGFWs) have developed out of necessity in today’s computing
environments, where malware attacks have grown in sophistication and intensity and have
found ways of exploiting weaknesses in traditional firewalls. Because the firewall is the first
line of defence against such attacks, and protection of the corporate network is of the utmost
importance, it stands to reason that firewalls have evolved as well to meet the threat. Where
traditional firewalls have fallen down is in their inability to inspect the data payload of
network packets and their lack of granular intelligence in distinguishing different kinds of
web traffic. With most network traffic using web protocols, traditional firewalls cannot
distinguish between legitimate business applications and attacks, so they must either allow all
or reject all. Clearly, something beyond a traditional firewall was needed that could carry out
advanced security functions without impacting the latency of the network, which is what led
to the development of NGFWs.
TABLE OF CONTENTS
ABSTRACT ... 3
CHAPTER ONE – NEXT GENERATION FIREWALLS ... 5
INTRODUCTION ... 5
Firewalls ... 5
Next Generation Firewalls ... 6
Next generation firewalls services ... 7
Application identification ... 7
User identification ... 7
Content identification ... 7
Policy control ... 8
High-performance architecture ... 9
Traditional Firewalls and Next-generation Firewalls ... 9
Similarities between the two ... 9
Differences between the two ... 9
CHAPTER TWO – VPN TECHNOLOGY ... 10
ABSTRACT ... 10
INTRODUCTION ... 11
VIRTUAL PRIVATE NETWORK (VPN) TECHNOLOGY ... 12
How a VPN Works ... 12
What Makes a VPN? ... 13
VPN Technologies ... 14
CHAPTER ONE – NEXT GENERATION FIREWALLS
INTRODUCTION
Firewalls have been used for many years as a way to keep the bad people out of the corporate
network and to keep your data safe. Now the phrase on the lips of networking professionals is
Next Generation Firewalls, where the safety of the application is king.
The firewall has come a long way since the packet-filtering days of long ago. The first
firewalls were developed by the Digital Equipment Corporation (DEC) back in the late
1980s. These early firewalls operated mainly on the first four layers of the Open Systems
Interconnection (OSI) model, intercepting traffic on the wire and inspecting the properties of
every individual packet to determine whether it matched a configured set of rules (source and
destination address and port numbers, for example). The packet would then either be
dropped or forwarded as appropriate. This method of traffic inspection, while rapid, was soon
found to be unnecessarily resource-intensive and led directly to the introduction of circuit-
level firewalls, later known as "stateful" firewalls, pioneered by Check Point Software
Technologies. This first next generation of firewalls looked deeper into the transport-layer
headers and maintained a table of currently active connections, allowing the "state" of a
connection (new, active, non-existent) to be used as part of the rule-set. With the introduction
of the stateful firewall, the packet-filtering firewall became known as stateless.
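An added illustration, not from the report, of the stateless/stateful distinction just described: a toy packet filter in Python with a constructed rule-set and constructed addresses. The connection table shows why a stateless filter has to trust the source port to admit replies, while a stateful one admits only replies to connections it has already seen leave the LAN.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving the trusted LAN, "in" = arriving from the Internet


WEB_SERVER = "10.0.0.5"  # the one LAN host the rule-set publishes (constructed address)


def stateless_filter(pkt):
    """Packet filter: judge each packet by its own header fields, with no memory."""
    if pkt.direction == "out":
        return True  # LAN -> Internet is always permitted
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return True  # the published web server
    # With no connection table, the only way to let LAN clients receive replies is to
    # trust the source port: anything claiming to come *from* 80 or 443 is let in.
    return pkt.sport in (80, 443)


class StatefulFilter:
    """Circuit-level filter: remembers connections opened from the LAN, and admits an
    inbound packet only if it belongs to one of them or matches an explicit rule."""

    def __init__(self):
        self.connections = {}  # (src, sport, dst, dport) -> "new" | "active"

    def filter(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.connections[key] = "active" if key in self.connections else "new"
            return True
        if pkt.dst == WEB_SERVER and pkt.dport == 80:
            return True
        # An inbound packet is a reply if the reversed 4-tuple is a known connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def run_scenario():
    """Return {name: (stateless verdict, stateful verdict)} for three constructed packets."""
    packets = {
        "request":     Packet("10.0.0.7", 51000, "203.0.113.9", 443, "out"),
        "reply":       Packet("203.0.113.9", 443, "10.0.0.7", 51000, "in"),
        # Unsolicited inbound packet that merely uses source port 443 to look like a reply
        "unsolicited": Packet("198.51.100.4", 443, "10.0.0.7", 3389, "in"),
    }
    stateful = StatefulFilter()
    return {name: (stateless_filter(p), stateful.filter(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:12s} stateless={'allow' if stateless else 'drop':5s} "
              f"stateful={'allow' if stateful else 'drop'}")
```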
Firewalls
Antivirus software has been a cornerstone of computer security since the early days of the
Internet; firewalls have been the cornerstone of network security. Applications are the
channel through which everything flows: a vector for our business and personal lives, along
with their associated benefits and risks. Such risks include new and emerging threats, data
leakage, and noncompliance. This chapter looks at how traditional firewalls operate, why they
cannot meet today's application and threat challenges, and how data leakage and compliance
issues are defining network security and the need for a better firewall.
Most firewalls are configured to allow all traffic originating from the trusted network to pass
through to the untrusted network, unless it is explicitly blocked by a rule. For example, the
Simple Network Management Protocol (SNMP) might be explicitly blocked to prevent
certain network information from being inadvertently transmitted to the Internet.
Port-based firewalls have poor vision
Figure 1: Port-based firewalls can’t see or control applications
Firewalls see all traffic and, therefore, are the ideal resource to provide coarse access control.
The problem, however, is that most firewalls are "far-sighted": they can see the general
shape of things, but not the finer details of what is actually happening. This is because they
operate by inferring the application-layer service that a given stream of traffic is associated
with from the port number in the packet's header, and they only look at the first
packet in a session to determine the type of traffic being processed, typically to improve
performance. The net result is that traditional, "port-based" firewalls have basically gone
blind. Besides being unable to account for common evasion techniques such as port hopping,
protocol tunnelling, and the use of nonstandard ports, these firewalls simply lack the visibility
and intelligence to discern which application a given stream of network traffic belongs to.
Next Generation Firewalls
A next-generation firewall is application-aware. Where traditional firewalls deal in ports and
protocols, next-generation firewalls drill into the traffic passing through them to identify the
applications traversing the network, taking action to block traffic that might exploit Web
application vulnerabilities.
To restore the firewall as the cornerstone of network security, next-generation firewalls “fix
the problem at its core.” Next-generation firewalls classify traffic by the application’s
identity in order to enable visibility and control of all types of applications running on
networks. The essential functional requirements for an effective next-generation firewall
include the ability to:
Identify applications regardless of port, protocol, or evasive techniques.
Accurately identify users and subsequently use identity information as an attribute for
policy control.
Provide real-time protection against a wide array of threats, including those operating
at the application layer.
Integrate, not just combine, traditional firewall and network intrusion prevention
capabilities.
Support multi-gigabit, in-line deployments with negligible performance degradation.
NEXT GENERATION FIREWALLS SERVICES
Application identification
Application protocol detection and decryption.
Application protocol decoding.
Application signatures.
Heuristics
Figure 2: Application-centric traffic classification identifies applications flowing across the network, irrespective of the port and protocol in use.
Figure 3: NGFW techniques used to identify applications regardless of port, protocol, and encryption.
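An added example, not from the report, that covers both the "port-based firewalls have poor vision" point and the application identification techniques listed above: port-based inference versus application signatures and protocol decoding, run over five constructed flows. The signatures are simplified stand-ins for a real NGFW's, and the payloads are constructed, not captured.

```python
import re

# Constructed flows (destination port, first payload bytes); not captured traffic.
FLOWS = {
    "web-on-80":    (80,   b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    "ssh-on-443":   (443,  b"SSH-2.0-OpenSSH_8.9\r\n"),                  # SSH hiding on the HTTPS port
    "http-on-8080": (8080, b"POST /api HTTP/1.1\r\nHost: app\r\n\r\n"),  # web app on a nonstandard port
    "tls-on-443":   (443,  bytes.fromhex("16030100c5010000c10303")),    # start of a TLS ClientHello
    "custom-on-22": (22,   b"\x00\x00\x00\x1fCUSTOMPROTO"),              # not SSH at all
}

PORT_TABLE = {22: "ssh", 80: "http", 443: "tls"}  # all a port-based firewall "knows"

# Application signatures: regexes over the first bytes of the payload (simplified).
APP_SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # TLS record: content type 0x16 (handshake), version 3.x, 2-byte length, handshake type 0x01
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
]


def classify_by_port(port, payload):
    """Port-based inference: the payload is never looked at."""
    return PORT_TABLE.get(port, "unknown")


def classify_by_signature(port, payload):
    """Application signatures: the port is irrelevant, only the payload decides."""
    for app, sig in APP_SIGNATURES:
        if sig.match(payload):
            return app
    return "unknown"


def decode_http_host(payload):
    """Application protocol decoding: once a flow is known to be HTTP, pull out the Host header."""
    m = re.search(rb"\r\nHost: ([^\r\n]+)\r\n", payload)
    return m.group(1).decode() if m else None


def evasive_flows():
    """Flows on which the port-based and signature-based verdicts disagree."""
    verdicts = {name: (classify_by_port(p, d), classify_by_signature(p, d))
                for name, (p, d) in FLOWS.items()}
    return {name: v for name, v in verdicts.items() if v[0] != v[1]}


if __name__ == "__main__":
    for name, (by_port, by_sig) in evasive_flows().items():
        print(f"{name:13s} port-based says {by_port:8s} payload says {by_sig}")
```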
User identification
User identification is another powerful mechanism to help control the use of
applications in an intelligent manner. For example, a social networking application
that would otherwise be blocked because of its risky nature can be enabled for individuals or
groups that have a legitimate need to use it, such as the human resources department.
Content identification
Content identification infuses next-generation firewalls with capabilities previously unheard
of in enterprise firewalls, such as real-time prevention of threats within permitted traffic,
control of Web surfing activities, and file and data filtering. Threat prevention: This
component prevents spyware, viruses, and vulnerabilities from penetrating the network,
regardless of the application traffic on which they ride.
Figure 4: User identification integrates enterprise directories for user-based policies, reporting, and forensics.
With content identification, information technology departments gain the ability to stop
threats, reduce inappropriate use of the Internet, and help prevent data leaks, all without
having to invest in a pile of additional products and appliances.
Figure 5: Content identification unifies content scanning for threats, confidential data, and URL filtering.
Policy control
Identifying the applications in use (application identification), who is using them (user
identification), and what they are using them for (content identification) is an important first
step in learning about the traffic traversing the network. Learning what the application does,
the ports it uses, its underlying technology, and its behaviour is the next step towards making
an informed decision about how to treat the application.
Examples of policy control options in next generation firewalls (NGFWs) include:
Allow or deny
Allow but scan for exploits, viruses, and other threats
Allow based on schedule, users, or groups
Decrypt and inspect
Apply traffic shaping through quality of service (QoS)
Apply policy-based forwarding
Allow certain application functions
Any combination of the aforementioned
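An added example, not from the report, of how the three identification steps feed the policy options listed above: a first-match rule engine that combines application identity, directory groups, a schedule, application functions and the actions allow, deny, allow-and-scan, decrypt-and-inspect and traffic shaping. The users, groups, application names and rules are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed directory lookup: user -> groups (a real NGFW pulls this from the enterprise directory).
GROUPS = {"alice": {"hr", "staff"}, "bob": {"staff"}}


@dataclass
class Rule:
    app: str                 # application name from application identification, "*" = any
    action: str              # allow | deny | allow-scan | decrypt-inspect | shape
    groups: set = field(default_factory=set)      # empty = any user
    hours: tuple = (0, 24)   # permitted [start, end) hour of day, local time
    functions: set = field(default_factory=set)   # empty = every function of the app


@dataclass
class Flow:
    app: str
    user: str
    when: datetime
    function: str = "*"      # sub-function of the app, e.g. "read", "file-upload"


# First match wins, so the specific allows must come before the catch-all denies.
RULES = [
    Rule("social-network", "allow", groups={"hr"}, hours=(8, 18)),   # HR only, working hours only
    Rule("social-network", "deny"),
    Rule("webmail", "allow-scan", functions={"read"}),                # reading is fine, but scanned
    Rule("webmail", "deny"),                                          # uploads and the rest are blocked
    Rule("video-streaming", "shape"),                                 # allowed but rate limited (QoS)
    Rule("unknown-tls", "decrypt-inspect"),                           # look inside before deciding
    Rule("*", "allow-scan"),                                          # everything else: allow and scan
]


def matches(rule, flow):
    if rule.app != "*" and rule.app != flow.app:
        return False
    if rule.groups and not (rule.groups & GROUPS.get(flow.user, set())):
        return False
    start, end = rule.hours
    if not (start <= flow.when.hour < end):
        return False
    if rule.functions and flow.function not in rule.functions:
        return False
    return True


def evaluate(flow, rules=RULES):
    """Return the action of the first matching rule, or "deny" when nothing matches."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def sample_verdicts():
    """Verdicts for a few constructed flows on the report's date, 10/02/2017."""
    ten_am, eight_pm = datetime(2017, 2, 10, 10, 0), datetime(2017, 2, 10, 20, 0)
    samples = {
        "hr-social-daytime": Flow("social-network", "alice", ten_am),
        "staff-social":      Flow("social-network", "bob", ten_am),
        "hr-social-evening": Flow("social-network", "alice", eight_pm),
        "webmail-read":      Flow("webmail", "bob", ten_am, "read"),
        "webmail-upload":    Flow("webmail", "bob", ten_am, "file-upload"),
        "unknown-tls":       Flow("unknown-tls", "bob", ten_am),
        "other-app":         Flow("file-sync", "bob", ten_am),
    }
    return {label: evaluate(flow) for label, flow in samples.items()}


if __name__ == "__main__":
    for label, action in sample_verdicts().items():
        print(f"{label:18s} -> {action}")
```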
High-performance architecture
It is important to select a next-generation firewall that is designed from the start to deliver
high performance. There is the tremendous traffic volume confronting today's security
infrastructure, not to mention the latency sensitivity of many applications. Rated throughput
and reasonable latency should be sustainable under heavy loads, even when all application
and threat inspection features are engaged simultaneously, which is the ideal configuration
from a security perspective. A multi-pass approach, in which each inspection function handles
the packet in turn, requires low-level packet processing routines to be repeated numerous
times: system resources are used inefficiently and latency is significant. Next generation
firewall (NGFW) technology that uses a single-pass architecture eliminates repetitive handling
of packets, reducing the burden placed on hardware and minimizing latency. Other innovations,
such as customized hardware architecture that maintains separate data and control planes, help
provide an enterprise-class solution.
Figure 6: Single-pass parallel processing architecture and separate control and data planes provide enterprise performance.
Traditional Firewalls and Next-generation Firewalls
Similarities between the two
Static packet filtering that blocks packets at the point of interface to a network, based on
protocols, ports, or addresses.
Stateful inspection or dynamic packet filtering, which checks every connection on every
interface of a firewall for validity
Port address translation that facilitates the mapping of multiple devices on a LAN to a
single IP address
Differences between the two
According to Gartner, a next-generation firewall is "a deep-packet inspection firewall that
moves beyond port/protocol inspection and blocking to add application-level inspection,
intrusion prevention, and bringing intelligence from outside the firewall." The capabilities
that set it apart from a traditional firewall are:
Integrated signature-based intrusion prevention system (IPS), which specifies which kinds
of attacks to scan for and report on
Capability to incorporate information from outside the firewall, including directory-based
policies, white lists, and black lists
Secure sockets layer (SSL) decryption to enable identification of undesirable encrypted
applications.
CHAPTER TWO – VPN TECHNOLOGY
ABSTRACT
Virtual Private Network (VPN) is a communication network which provides secure data
transmission in an unsecured or public network by using any combination of technologies. A
virtual connection is made across the users who are geographically dispersed and networks
over a shared or public network, like the Internet. Even though the data is transmitted in a
public network, VPN provides an impression as if the data is transmitted through private
connection. This paper provides a survey report on VPN security and its technologies.
INTRODUCTION
A virtual private network (VPN) combines private and public networks, such as the
Internet, to perform secure data transmission. A virtual private network can establish
secured virtual links among different organizations, such as branch offices. It will not provide
any other external service between them and it will not allow any other organization to
interrupt them. A VPN sends data between two systems across a public network in such a
way that the transmitted data is transparent to the other systems connected to the network.
This transparency in data transmission is possible because the VPN emulates a point-to-point
link between the two systems. The point-to-point link is provided by encapsulation of data.
Data encapsulation is done by wrapping the data with a header, which provides routing
information. This process is called tunnelling.
To provide confidentiality to the encapsulated data, the data is secured by encryption. When
data reaches a tunnel end point, the encapsulated data is decrypted and forwarded to its final
destination point. VPN allows organizations to connect to their branch offices or to other
companies over a public network while maintaining secure communications. The VPN
connection across the Internet logically operates as a wide area network (WAN) link between
the sites. The secure connection across the internet appears to the user as a private network
communication despite the fact that this communication occurs over a public internetwork
hence the name virtual private network.
A typical VPN might have a main local-area network (LAN) at the corporate headquarters of
a company, other LANs at remote offices or facilities, and individual users that connect from
out in the field. A VPN is a private network that uses a public network (usually the Internet)
to connect remote sites or users together. Instead of using a dedicated, real-world connection,
such as leased line, a VPN uses "virtual" connections routed through the Internet from the
company's private network to the remote site or employee.
VIRTUAL PRIVATE NETWORK (VPN) TECHNOLOGY
A Virtual Private Network (VPN) is a secure and separate network which lets users connect
to the internet through an encrypted tunnel, bypassing their public network and securely
transferring their internet data packets through it. A VPN is like a firewall on a computer,
which protects you from local area network (LAN) attacks: the VPN works as an online firewall
to protect you from cyber hazards and attackers. To use a VPN, an active internet connection
is mandatory. VPNs are a mix of various technologies which:
Give you anonymity over the internet
Hide your IP address and internet activities from your internet service provider
(ISP) and other snoopers, like government surveillance and security agencies
Provide internet security and privacy
Let you bypass geo-restrictions and access all the blocked websites when you are
outside your country
Give you absolute protection from cyber attackers like hackers, spammers, etc.
Let you share files using peer-to-peer (P2P) file-sharing websites
How a VPN Works
A Virtual Private Network (VPN) uses a mix of technologies, such as dedicated connections
and encryption protocols, to create virtual point-to-point connections. It connects you to the
internet through an encrypted tunnel and transmits all your internet data through this tunnel;
the transmission is so secure that even if the data is intercepted, the snooper cannot read it
because of the encryption. In this way VPNs can provide you security and anonymity over the
internet, which is needed when you are torrenting or using peer-to-peer (P2P) file-sharing
platforms, or to avoid hacking, spamming, snooping by government and surveillance
agencies, and other cyber-attacks. VPNs also let you change your apparent geographical
location without physically moving to another country: you can make the internet believe you
are in that country. How? The answer is simple: the VPN lets you choose any country's server
that it provides and changes your IP address to an IP address from that country. This
way you can access all the blocked websites of any country you wish.
What Makes a VPN?
There are two common types of VPNs.
Remote-Access VPN: Also called a Virtual Private Dial-up Network (VPDN), this is
a user-to-LAN connection used by a company that has employees who need to connect
to the private network from various remote locations. Typically, a corporation that
wishes to set up a large remote-access VPN provides some form of Internet dial-up
account to their users using an Internet service provider (ISP). The telecommuters can
then dial a 1-800 number to reach the Internet and use their VPN client software to
access the corporate network. Remote-access VPNs permit secure, encrypted
connections between a company's private network and remote users through a third-
party service provider.
Site-to-Site VPN: Through the use of dedicated equipment and large-scale encryption,
a company can connect multiple fixed sites over a public network such as the Internet.
Each site needs only a local connection to the same public network, thereby saving
money on long private leased-lines. Site-to-site VPNs can be further categorized into
intranets or extranets. A site-to-site VPN built between offices of the same company is
said to be an intranet VPN, while a VPN built to connect the company to its partner or
customer is referred to as an extranet VPN.
A well-designed VPN can greatly benefit a company. For example, it can:
Extend geographic connectivity
Reduce operational costs versus traditional WANs
Reduce transit times and traveling costs for remote users
Improve productivity
Simplify network topology
Provide global networking opportunities
Provide telecommuter support
Provide faster Return On Investment (ROI) than traditional WAN
What features are needed in a well-designed VPN? It should incorporate these items:
Security
Reliability
Scalability
Network Management
Policy Management
VPN Technologies
A well-designed VPN uses several methods in order to keep your connection and data secure.
Data Confidentiality: This is perhaps the most important service provided by any
VPN implementation. Since your private data travels over a public network, data
confidentiality is vital and can be attained by encrypting the data. This is the process
of taking all the data that one computer is sending to another and encoding it into a
form that only the other computer will be able to decode.
Most VPNs use one of these protocols to provide encryption.
o IPsec: Internet Protocol Security Protocol (IPsec)
o PPTP/MPPE — Microsoft Point-to-Point Encryption (MPPE).
o L2TP/IPsec - Layer 2 Tunnelling Protocol (L2TP).
Data Integrity: While it is important that your data is encrypted over a public
network, it is just as important to verify that it has not been changed while in transit.
For example, IPsec has a mechanism to ensure that the encrypted portion of the
packet, or the entire header and data portion of the packet, has not been tampered
with. If tampering is detected, the packet is dropped.
Data Origin Authentication: It is extremely important to verify the identity of the
source of the data that is sent. This is necessary to guard against a number of attacks
that depend on spoofing the identity of the sender.
Anti-Replay: This is the ability to detect and reject replayed packets and helps
prevent spoofing.
Data Tunnelling/Traffic Flow Confidentiality: Tunneling is the process of
encapsulating an entire packet within another packet and sending it over a network.
Data tunneling is helpful in cases where it is desirable to hide the identity of the
device originating the traffic.
Tunneling requires three different protocols.
o Passenger protocol: the original data that is carried.
o Encapsulating protocol: the protocol that is wrapped around the original
data.
o Carrier protocol: the protocol used by the network over which the
information is traveling.
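An added example, not from the report, that exercises the four services above (confidentiality, integrity, origin authentication, anti-replay) together with the three tunnelling protocols: a toy ESP-style tunnel in Python with a constructed inner packet, where the carrier header names the two gateways, the encapsulating layer adds a sequence number, encryption and an authentication tag, and the receiver enforces a sliding anti-replay window. The HMAC-derived keystream stands in for AES and is a toy, as are the HQ/branch gateway addresses and the shared keys (real IPsec negotiates keys with IKE).

```python
import hashlib
import hmac
import os
import struct
WINDOW = 64  # anti-replay window width, in sequence numbers

def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a toy stand-in for AES-CTR, not a real VPN cipher."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class TunnelEndpoint:
    """Carrier: 32-byte header naming both gateways. Encapsulating: seq + nonce + ciphertext + tag."""

    def __init__(self, enc_key, auth_key, local_gw, remote_gw):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.carrier = local_gw.encode().ljust(16, b"\0") + remote_gw.encode().ljust(16, b"\0")
        self.seq = 0                      # sender side: last sequence number used
        self.highest, self.window = 0, 0  # receiver side: highest seq seen, bitmap of recent seqs

    def encapsulate(self, passenger):
        self.seq += 1
        nonce = os.urandom(8)
        body = (struct.pack(">I", self.seq) + nonce
                + xor(passenger, keystream(self.enc_key, nonce, len(passenger))))  # confidentiality
        tag = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:16]         # integrity + origin
        return self.carrier + body + tag

    def decapsulate(self, datagram):
        body, tag = datagram[32:-16], datagram[-16:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            return None  # tampered, or not from a key holder: dropped before decryption
        seq = struct.unpack(">I", body[:4])[0]
        if not self.accept_seq(seq):
            return None  # replayed or too old: dropped
        nonce, ciphertext = body[4:12], body[12:]
        return xor(ciphertext, keystream(self.enc_key, nonce, len(ciphertext)))

    def accept_seq(self, seq):
        """Sliding-window anti-replay check; bit 0 of the window stands for the highest seq seen."""
        if seq > self.highest:
            self.window = ((self.window << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        behind = self.highest - seq
        if behind >= WINDOW or (self.window >> behind) & 1:
            return False
        self.window |= 1 << behind
        return True

def demo():
    """Send one constructed inner packet HQ -> branch, then replay it and tamper with it."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)  # constructed shared keys
    hq = TunnelEndpoint(enc_key, auth_key, "203.0.113.1", "198.51.100.1")
    branch = TunnelEndpoint(enc_key, auth_key, "198.51.100.1", "203.0.113.1")
    inner = bytes.fromhex("45000023") + bytes([10, 0, 0, 7, 10, 1, 0, 9]) + b"hello branch"  # passenger
    wire = hq.encapsulate(inner)
    tampered = wire[:44] + bytes([wire[44] ^ 1]) + wire[45:]  # flip one ciphertext bit
    return {
        "delivered": branch.decapsulate(wire) == inner,
        "payload_hidden_on_wire": b"hello branch" not in wire,
        "replay_dropped": branch.decapsulate(wire) is None,
        "tamper_dropped": branch.decapsulate(tampered) is None,
    }
```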