5. UTM
UTM is a multifunction network security product used by small or midsize businesses (SMBs).
UTM feature layers (diagram on the original slide, from basic to advanced):
• Basic UTM (2004): Firewall, IPsec VPN, IPS, Anti-virus
• Extended UTM: URL filtering, SSL VPN, Anti-spam, Anti-malware; then Web-FW, SSL Proxy, DLP, NAC, WLAN controller, WAN optimization, VoIP Gateway, ...
• Advanced UTM (now): App. awareness, User awareness, Content awareness
Defined by IDC, 2004
6. NGFW
Next-generation Firewall provides multiple protection
mechanisms and features designed to prevent threats/attacks
from network to application layers.
Supports in-line (bump-in-the-wire) configuration.
Minimum features:
• Standard first-generation firewall capabilities
• Integrated, rather than merely colocated, network IPS
• Application awareness and full-stack visibility
• Extra-firewall intelligence: user-ID directory, URL/IP DB
• Support for upgrade paths to address future threats
Defined by Gartner, 2009
7. NGFW - Application awareness
Role
• Application detection: regardless of the port, protocol, and (SSL) encrypted traffic!
• Application control: application access control and action control!
Composition
• Application Decryption (SSL, SSH)
• Application Protocol Decoding (detect HTTP tunneling, individual functions, etc.)
• Application Signature
• Application Heuristics (application anomaly detection)
8. NGFW - Security Policy of NGFW
Existing FW:
  Allow SOURCE to DESTINATION
  SOURCE: IP addresses, Port #
  DESTINATION: IP addresses, Port #
  Example: Allow 192.120.10.110 80 to any 80
  (allow the use of port 80 for a designated IP)
NGFW:
  Allow Application SOURCE to DESTINATION
  SOURCE: IP addresses, Port #, Users
  DESTINATION: IP addresses, Port #
  Example: Allow Facebook any any manager to any any
  (allow access to "Facebook" for a designated user group, regardless of the port, protocol, and encrypted traffic!)
9. NGFW vs. UTM #1
Comparison chart on the original slide:
• Range of security features: UTM vs. NGFW (UTM is broader)
• Throughput (FW+IPS+AV): NGFW vs. UTM (NGFW is higher)
• Market: UTM for SMB, NGFW for Enterprise
10. NGFW vs. UTM #2
UTM: port-based Traffic Classification Engine, with App. ID only as an IPS pattern!
• Sees applications only on the default port
• Identifies potentially malicious traffic by port
NGFW: App. ID is the Traffic Classification Engine
• Sees applications on every port, not just the default port
• Identifies potentially malicious traffic by application type
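The policy difference on slide 8 and the classification difference on slide 10 can be shown side by side in one small policy evaluator. This is an added example, not code from the original deck: the flow fields, the application signatures (domain suffixes standing in for the NGFW's decryption, decoding and signature engine), the user-to-group directory, the IP addresses and the widening of the legacy rule's source port to "any" are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Flow:
    """One connection as the firewall sees it (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    user: Optional[str] = None         # from the user-ID directory (NGFW only)
    sni_or_host: Optional[str] = None  # from SSL decryption / HTTP decoding

# Assumed (constructed) application signatures and user directory.
APP_SIGNATURES = {"facebook.com": "Facebook", "fbcdn.net": "Facebook"}
USER_GROUPS = {"alice": "manager", "bob": "staff"}

def identify_app(flow: Flow) -> str:
    """App-ID: classify by decoded content, whatever port the flow uses."""
    host = (flow.sni_or_host or "").lower()
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return "unknown"

def _match(value, pattern) -> bool:
    """'any' matches everything; a CIDR string matches an IP; else exact match."""
    if pattern == "any":
        return True
    if isinstance(pattern, str) and "/" in pattern:
        return ip_address(value) in ip_network(pattern)
    return value == pattern

def legacy_fw_allows(flow: Flow, rules) -> bool:
    """Existing FW: Allow SOURCE to DESTINATION on addresses and ports only."""
    return any(_match(flow.src_ip, r["src"]) and _match(flow.src_port, r["src_port"])
               and _match(flow.dst_ip, r["dst"]) and _match(flow.dst_port, r["dst_port"])
               for r in rules)

def ngfw_allows(flow: Flow, rules) -> bool:
    """NGFW: Allow APPLICATION SOURCE (+user group) to DESTINATION, port-agnostic."""
    app, group = identify_app(flow), USER_GROUPS.get(flow.user or "")
    return any(r["app"] == app and _match(flow.src_ip, r["src"])
               and _match(flow.dst_ip, r["dst"]) and r["group"] in ("any", group)
               for r in rules)

# Policies from slide 8 (legacy source port widened to "any" for this example).
LEGACY_RULES = [{"src": "192.120.10.110", "src_port": "any", "dst": "any", "dst_port": 80}]
NGFW_RULES = [{"app": "Facebook", "src": "any", "dst": "any", "group": "manager"}]
```

Both engines default to deny; the NGFW rule matches the same application on 443 or 8080 and only for the manager group, while the legacy rule admits anything on port 80 from the designated IP without knowing what application it carries.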
11. NGIPS
Next-generation IPS builds on typical IPS solutions by
providing application & contextual awareness to promptly
assess threats, ensure a consistent and appropriate
response, and reduce an organization’s security expenditures.
Supports in-line (bump-in-the-wire) configuration.
Minimum features:
• Standard first-generation IPS capabilities
• Application awareness and full-stack visibility
• Context awareness: information sources such as user identities, vulnerability and patching state, geo-location information, etc.
• Content awareness
• Agile engine: support for upgrade paths to address future threats
Defined by Gartner, 2011
12. NGIPS - Context awareness (Definition)
Context awareness (external intelligence, situational awareness) is the ability to deliver additional, relevant information to the FW & IPS engine to enable more accurate decisions to allow, alert, or block more quickly, accurately, and securely with fewer false positives.
Context is the complex set of network circumstances.
Context awareness is understanding the entire environment.
Context information sources (diagram on the original slide):
• Mgmt. system: information, appliance configuration, security policy
• Devices (host profile with OS)
• Application (client side)
• Service (server-side application)
• Vulnerabilities (patching state)
• User ID
• Network behaviors (NBA)
• Context information (historical)
Context awareness: special event detected! How to respond?
14. NGIPS vs. NGFW #1
Layered diagram on the original slide: Existing Firewall and Existing IPS at the base; NGFW (application awareness) and NGIPS above them; user awareness, content awareness and other awareness; NGFW-v2 (context awareness) at the top.
15. NGIPS vs. NGFW #2
Comparison table on the original slide; columns: Element | Typical FW | NGFW | Typical IPS | NGIPS | NGFW v2 (marks listed as they appear on the slide)
DETECT
• Attack signature: O O O O
• Applications (application awareness): O O O
• Users / identity (user awareness): O O O
• Vulnerabilities (context awareness): O O
• Host profiles (context awareness): O O
• Client applications / mobile devices (context awareness): O O O
• Virtual machines (context awareness): O O O
• NW behavior anomaly (NBA): △ O O O
CONTROL
• Network access: O O O O O
• Site access (URL filtering): O O O
• User access (user awareness): O O
• Layer 7 access (application awareness): O O
Vendors: PaloAlto, CheckPoint (NGFW); SourceFire, McAfee (NGIPS); SourceFire (NGFW v2)
16. The Meaning of Next-gen. Security #1
Evolution of Convergence (diagram on the original slide, drawn against the TCP/IP layers: Application, Transport, Internet, Link)
IPS, UTM:
• Network-centric
• Convergence: colocated security features
NGFW:
• Application-centric
• Convergence: closely integrated security features
17. The Meaning of Next-gen. Security #2
Age of Awareness (Expansion of DPI)
Deep Packet Inspection, from basic to full awareness (diagram on the original slide):
• Pattern awareness (basic awareness): pattern matching for attack detection (IPS, Anti-DDoS)
• Content awareness: full content inspection (DLP, Anti-malware, URL filtering)
• Application awareness and User awareness (NGFW)
• Context awareness (NGIPS)
• All of awareness for security
18. The Meaning of Next-gen. Security #3
Hardened Security Management
Mgmt. system: information, appliance configuration, security policy
Hardened configuration features!!
• Policy setting automation
• Monitoring
• Visualization
• Reporting
• Detection, analysis, blocking
• Context awareness
Context awareness is the base of active control!
19. The Future of Security Industry
Roadmap diagram on the original slide:
• Product: modulization
• Mgmt. system: ESM, SIEM
• Service: consulting, MSS
Timeline: 1990~ Virus DB; 2000~ IPS DB; 2010~ Application DB; 2020~ Context DB
20. The most important thing for strategy is "Information",
The most important thing for planning is "Insight",
The most important thing for development is "Practical ability",
The most important thing for business is "Timing",
The most important thing for service is "Executive ability".
The most important thing for outdoor activities is "Network",
The most important thing for business practice is "Political power"!
2013.02, By Claude Conrad