Why It's Time to Upgrade to a
Next-Generation Firewall
Ali Kapucu
Network Design Engineer
akapucu@kent.edu
May 23, 2014
Ali Kapucu (akapucu@kent.edu) (linkedin.com/in/alikapucu)
• Network Design Engineer @ Kent State University
• Routing
• Switching
• Wireless
• Firewall Admin
• Linux Server Admin
• Security Engineer & Instructor
• Penetration Tester
• Researcher & Blogger (alikapucu.com)
Speaker
• Evaluation of Network Security
• Challenges of Legacy Security Infrastructure
• Enterprise - Web 2.0
• What do you want to do?
• Old School firewalls are pointless!!!
• Firewall Helpers
• Unified Threat Management
• Next Generation Firewalls
• What is it?
• Why next-generation?
• What NGFW’s can do?
• Features of NGFW
• Good fit for Enterprise Networks (SP3)
• UTM vs NGFW
• Benefits of Next-Generation Firewalls
• Implementing Next generation firewalls
• Defining your Requirements and developing RFP
• Things you need to consider
• Questions
Outline
Evaluation of Network Security
Legacy Firewalls (diagram: traffic is seen only as port numbers, e.g. 443, 80 and 21)
What do firewalls do?
Legacy Firewalls
• Rule matching criteria
  - Source address
  - Destination address
  - Service (port)
  - Schedule
• Action
  - Accept
  - NAT
  - Drop
  - Reject
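As an added example (not from the slides), the rule model above in working form: a minimal port-based packet filter that matches on source, destination, service port and schedule, then returns the rule's action. The rules, addresses and packets are constructed for this example. It also shows the blind spot the rest of the talk is about: the filter gives an SSH session tunnelled over port 443 exactly the same verdict as a genuine HTTPS connection, because it never looks past the port.

```python
"""Added example (not from the slides): a minimal legacy, port-based packet filter.

It evaluates rules on exactly the criteria listed on the slide (source,
destination, service/port, schedule) and returns the rule's action. The
rules and packets below are constructed sample data, not real traffic.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    at: time              # time of day the packet was seen
    payload: bytes = b""  # a legacy filter never looks at this


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR; "any" matches everything
    dst: str
    proto: str
    dport: int | None     # None = any port
    start: time           # schedule window (inclusive)
    end: time
    action: str           # "accept", "nat", "drop" or "reject"


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Match on the header fields a legacy firewall sees, plus the schedule."""
    return (
        _net_match(rule.src, pkt.src)
        and _net_match(rule.dst, pkt.dst)
        and rule.proto == pkt.proto
        and (rule.dport is None or rule.dport == pkt.dport)
        and rule.start <= pkt.at <= rule.end
    )


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First-match semantics with an implicit deny at the end of the rule base."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return "implicit-deny", "drop"


# Constructed rule base: the campus LAN may reach HTTP/HTTPS during working hours.
RULES = [
    Rule("web-out", "10.0.0.0/8", "any", "tcp", 80,  time(7, 0), time(19, 0), "accept"),
    Rule("tls-out", "10.0.0.0/8", "any", "tcp", 443, time(7, 0), time(19, 0), "accept"),
    Rule("ftp-out", "10.0.0.0/8", "any", "tcp", 21,  time(7, 0), time(19, 0), "reject"),
]

# Constructed packets: a real TLS handshake and an SSH session tunnelled over 443.
HTTPS_PKT = Packet("10.1.2.3", "93.184.216.34", "tcp", 443, time(10, 30),
                   payload=b"\x16\x03\x01")            # TLS record header (ClientHello)
SSH_ON_443 = Packet("10.1.2.3", "198.51.100.7", "tcp", 443, time(10, 30),
                    payload=b"SSH-2.0-OpenSSH_9.6\r\n")  # SSH version banner
FTP_PKT = Packet("10.1.2.3", "198.51.100.7", "tcp", 21, time(10, 30))
AFTER_HOURS = Packet("10.1.2.3", "93.184.216.34", "tcp", 443, time(23, 0))


def legacy_blind_spot() -> bool:
    """True when the port-based filter gives both port-443 flows the same verdict."""
    return evaluate(RULES, HTTPS_PKT) == evaluate(RULES, SSH_ON_443)


if __name__ == "__main__":
    for p in (HTTPS_PKT, SSH_ON_443, FTP_PKT, AFTER_HOURS):
        print(p.dst, p.dport, p.at, "->", evaluate(RULES, p))
    print("cannot tell the two port-443 flows apart:", legacy_blind_spot())
```

The schedule check and the implicit deny are the only things this filter adds over a plain access list; everything it decides is decided before the first payload byte is read, which is why the payload field is carried but never consulted.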
Challenges of Legacy Security Infrastructure
Enterprise - Web 2.0
Old School firewalls are pointless!!!
What do you want to do?
Firewall Helpers (diagram): VPN, IDS, IPS, AV, Anti-Spam, URL-Filter, Traffic Shaper, DLP, Proxy, Anti-Malware
Firewall Helper
• Stand-alone, non-integrated security
• Created gaps in the security strategy
• Mix of off-the-shelf systems and applications
• Difficult to deploy / manage / use
• High cost of ownership
Unified Threat Management
UTM
Advantages
• Reduced complexity: single security solution, single vendor.
• Simplicity: avoids installing and maintaining multiple software products.
• Easy management: plug & play architecture, web-based GUI for easy management.
• Reduced technical training requirements: one product to learn.
Disadvantages
• Single point of failure for network traffic, unless HA (High Availability) is used.
• Single point of compromise if the UTM has vulnerabilities.
• Potential impact on latency and bandwidth when the UTM cannot keep up with the traffic.
Next Generation Firewalls
What is it?
Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and intelligence brought in from outside the firewall.
Why next-generation?
Deep Packet Inspection
What can NGFWs do? (diagram: traffic classified by application rather than by port, e.g. CRM, ERP, student work, YouTube, IM, web mail, casual traffic)
Features of NGFW
• Standard capabilities of the first-generation firewall such as packet filtering, stateful protocol inspection, NAT, VPN connectivity, etc.
• Truly integrated intrusion prevention, including support for both vulnerability-facing and threat-facing signatures, and suggesting actions based on IPS activity.
• Full-stack visibility and application identification: the ability to enforce policy at the application layer independently of port and protocol.
• Extra firewall intelligence: the ability to create blacklists or whitelists and to map traffic to users and groups using Active Directory.
• Adaptability to the modern threat landscape: support for upgrade paths that integrate new information feeds and new techniques to address future threats.
• SSL decryption to enable identification of undesirable encrypted applications.
• Non-disruptive in-line "bump-in-the-wire" configuration.
Good fit for Enterprise Networks (Single-Pass Parallel Processing (SP3))
• Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware.
• User-ID, App-ID, and policy all run on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
• Content-ID content analysis uses a dedicated, specialized content scanning engine.
• On the control plane, a dedicated management processor (with dedicated disk and RAM) drives configuration management, logging, and reporting without touching the data processing hardware.
(Diagram: SP3 hardware architecture as drawn on the slide)
• Cavium multi-core security processors: App-ID/decoders, IPv6, DoS protection profiles, session setup and tear-down, session table, segment reassembly and normalization, 100k-entry URL filtering cache; fast-path flows can be disabled with 'set session offload no'.
• Network processor (FPGA): 20 Gbps front-end network processing; hardware-accelerated per-packet route lookup, MAC lookup and NAT; App-Override flows; PBF.
• Data plane: 80 Gbps switch fabric interconnect with 10 Gbps links, 20 Gbps QoS engine, flow control, route/ARP/MAC lookup and NAT; FPGA security profiles; SSL, IPSec and decompression offload on multi-core CPUs (CPU 1 to 12), each with dedicated RAM.
• Signature match HW engine: AV, anti-spyware and vulnerability protection signatures; file and data filtering signatures.
• Control plane (device server): quad-core management processor (cores 1 to 4) with dedicated RAM and dual SSD/hard drives; high-speed logging and route updates; web portals/response pages.
UTM vs NGFW
Architecture
• UTM: Multiple security services are collocated rather than integrated; a separate engine is used for every service.
• NGFW: Multiple security services are integrated; a single engine is used for all services.
Performance
• UTM: Performance can drop drastically when all security services are enabled.
• NGFW: Thanks to the single-pass architecture, performance stays at an acceptable level even when all security services are activated.
Encrypted traffic
• UTM: Capable of scanning encrypted traffic such as SSL.
• NGFW: Capable of scanning encrypted traffic such as SSL.
Access control
• UTM: Controls access "old school" style, per port and protocol, plus URL/content filtering. Some form of application control can be achieved by combining the web proxy and the IPS.
• NGFW: In addition to the old-school way of controlling access, a NGFW natively controls access to applications and their features regardless of port and protocol, and includes a growing database of application signatures.
Functions
• UTM: The main functions of a UTM are allow, block and log. Some form of QoS or bandwidth control is present, but only specific applications can be optimized or limited.
• NGFW: The NGFW's functions include allow, block, log, monitor and bandwidth control; the last is also integrated to offer per-application bandwidth management.
Visibility
• UTM: Partial real-time visibility into the network traffic, e.g. threats detected, URLs accessed by users or protocols used on the network.
• NGFW: Great real-time visibility into the network traffic: the admin can view and monitor which applications users access and how much bandwidth they consume, along with the threats detected and protocols used, from a single console.
Per-user control
• UTM: Controlling access per user is possible for web traffic, with the help of the web proxy.
• NGFW: Controlling access per user is possible for all network traffic; furthermore, access to applications and their features is also controlled per user.
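As an added example (not from the slides or any vendor's code), the application- and user-aware policy check that the NGFW feature list and the UTM vs NGFW comparison describe: the first bytes of a flow are classified by a handful of payload decoders rather than by port, the client address is mapped to a user and group through a constructed table standing in for the Active Directory mapping, and the policy is written against (group, application) pairs. The decoders, the user table, the policy and the sample flows are all constructed for this example; a real App-ID engine carries thousands of signatures and tracks state across the whole flow.

```python
"""Added example (not from the slides): application- and user-aware policy.

Traffic is classified by what the payload looks like, not by the port it
arrives on; the client IP is mapped to a user and group (standing in for the
Active Directory mapping the slides mention); and the policy is written
against (group, application). Decoders, users, rules and flows are all
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- application identification: small decoders over the first bytes of a flow ---
_HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def identify_app(payload: bytes, dport: int) -> str:
    """Return an application label from the first bytes of a flow.

    A payload signature always wins over the port, which is what lets SSH on
    port 443 be seen as SSH rather than as HTTPS. The port is only consulted
    as a tie-breaker for weak signatures (the FTP banner here).
    """
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload[:3] in (b"\x16\x03\x01", b"\x16\x03\x03"):
        return "ssl"                   # TLS record header, handshake content type
    if _HTTP_REQ.match(payload):
        host = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
        if host and host.group(1).lower().endswith(b"youtube.com"):
            return "youtube"           # sub-application taken from the Host header
        return "web-browsing"
    if payload.startswith(b"220 ") and dport == 21:
        return "ftp"
    return "unknown-tcp"               # unknown apps get their own label, not a free pass


# --- user identification: IP -> (user, group), e.g. fed from AD logon events ---
USER_MAP = {                           # constructed data
    "10.1.2.3": ("alice", "staff"),
    "10.1.9.9": ("bob", "students"),
}


def identify_user(src_ip: str) -> tuple[str, str]:
    return USER_MAP.get(src_ip, ("unknown-user", "unknown"))


@dataclass(frozen=True)
class AppRule:
    name: str
    groups: frozenset[str]             # contains "any" to match every group
    apps: frozenset[str]
    action: str                        # "allow", "deny" or "allow-with-shaping"


POLICY = [                             # constructed policy, first match wins
    AppRule("staff-ssh",   frozenset({"staff"}),    frozenset({"ssh"}),                 "allow"),
    AppRule("video-limit", frozenset({"students"}), frozenset({"youtube"}),             "allow-with-shaping"),
    AppRule("web-all",     frozenset({"any"}),      frozenset({"web-browsing", "ssl"}), "allow"),
    AppRule("no-unknown",  frozenset({"any"}),      frozenset({"unknown-tcp"}),         "deny"),
]


def evaluate(src_ip: str, dport: int, payload: bytes) -> dict:
    """Classify the flow, map the user, then walk the policy; implicit deny at the end."""
    user, group = identify_user(src_ip)
    app = identify_app(payload, dport)
    for rule in POLICY:
        if ("any" in rule.groups or group in rule.groups) and app in rule.apps:
            return {"user": user, "group": group, "app": app, "rule": rule.name, "action": rule.action}
    return {"user": user, "group": group, "app": app, "rule": "implicit-deny", "action": "deny"}


# Constructed flows: every one arrives on port 443, so a port-based rule would treat them alike.
FLOWS = {
    "alice-ssh-on-443": ("10.1.2.3", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "bob-ssh-on-443":   ("10.1.9.9", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "bob-youtube":      ("10.1.9.9", 443, b"GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
    "alice-tls":        ("10.1.2.3", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    "bob-mystery":      ("10.1.9.9", 443, b"\x00\x00\x00\x1a\x9c\x12"),
}


def verdicts() -> dict[str, str]:
    """Policy action per sample flow."""
    return {name: evaluate(*flow)["action"] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:18s} -> {evaluate(*flow)}")
```

The same bytes on the same port produce five different outcomes: staff may use SSH, students may not, student video is allowed but shaped, ordinary TLS is allowed for everyone, and a payload no decoder recognises lands in its own "unknown-tcp" application and is denied by an explicit rule, which is the policy answer to the RFP question of how unknown applications are handled.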
Benefits of Next-Generation Firewalls
• Visibility and control
The enhanced visibility and control provided by NGFWs enable enterprises to focus on business-relevant elements such as applications, users, and content for policy controls, instead of having to rely on nebulous and misleading attributes like ports and protocols, and to manage risk and achieve compliance more thoroughly, while providing threat prevention for allowed applications.
• Safe enablement
Achieve comprehensive coverage by providing a consistent set of protection and enablement capabilities for all users, regardless of their location.
• Simplification
Reduce the complexity of network security and its administration by removing the need for numerous stand-alone products. This consolidation reduces hard capital costs as well as ongoing "hard" operational expenses such as support, maintenance, and software subscriptions.
• IT and business alignment
Enable IT to confidently say "yes" to the applications needed to best support the business, by giving them the ability to identify and granularly control applications while protecting against a broad array of threats.
Implementing Next generation firewalls
Defining your Requirements and developing RFP
Application identification
• Is identification based on IPS or DPI technology? If so, how are accuracy, completeness, and performance issues addressed when scanning network traffic?
• How are unknown applications handled?
• Are custom application signatures supported?
• How is SSL-encrypted traffic identified, inspected, and controlled?
• How many applications are identified, and what is the process for updating the application database (software, dynamic update)?
• Can users submit an application for identification and analysis, or define a custom app?
Application policy control
• Can policy controls be implemented for all applications identified and/or for users and groups?
• Can port-based controls be implemented for all applications in the application database?
• Can the solution perform traditional firewall-based access controls?
• Can policy controls be implemented from a single management interface?
• Are users warned when they attempt to access a URL or application that violates policy?
Threat prevention
• List the types of threats that can be blocked. List the file types that can be blocked.
• Is data filtering supported?
• Can the threat prevention engine scan inside SSL-encrypted traffic?
Management
• Does device management require a separate server or device?
• Are application policy control, firewall policy controls, and threat prevention features all enabled from the same policy editor?
• CLI support?
• Logging capabilities of the solution?
• Log visualization tools?
Networking
• Layer 2 and Layer 3 capabilities
• 802.1Q VLANs supported, capacity?
• Is dynamic routing supported (OSPF, BGP)?
• QoS and shaping features
• Is IPv6 supported?
• IPsec VPN, SSL VPN?
• Implementation options? (inline, tap, transparent)
• High availability capabilities?
Hardware
Things you need to consider
1. Identify Applications, Not Ports
2. Identify Users, Not IP Addresses
3. Identify Content, Not Packets
4. Visibility
5. Control
6. Performance
7. Flexibility
8. Reliability
9. Scalability
10. Manageability
Questions?
Ali Kapucu
Network Design Engineer
akapucu@kent.edu
May 23, 2014

 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Why It's Time to Upgrade to a Next-Generation Firewall

  • 1. Why It's Time to Upgrade to a Next-Generation Firewall
    Ali Kapucu, Network Design Engineer, akapucu@kent.edu, May 23, 2014
  • 2. Speaker: Ali Kapucu (akapucu@kent.edu) (linkedin.com/in/alikapucu)
    • Network Design Engineer @ Kent State University
    • Routing
    • Switching
    • Wireless
    • Firewall Admin
    • Linux Server Admin
    • Security Engineer & Instructor
    • Penetration Tester
    • Researcher & Blogger (alikapucu.com)
  • 3. Outline
    • Evaluation of Network Security
    • Challenges of Legacy Security Infrastructure
      - Enterprise - Web 2.0
      - What do you want to do?
      - Old School firewalls are pointless!!!
      - Firewall Helpers
      - Unified Threat Management
    • Next Generation Firewalls
      - What is it?
      - Why next-generation?
      - What NGFWs can do
      - Features of NGFW
      - Good fit for Enterprise Networks (SP3)
      - UTM vs NGFW
      - Benefits of Next-Generation Firewalls
    • Implementing Next Generation Firewalls
      - Defining your Requirements and developing an RFP
      - Things you need to consider
    • Questions
  • 6. Evaluation of Network Security: Legacy Firewalls. What do firewalls do?
    Diagram: flows on ports 443, 80 and 21 passing through a legacy firewall, which sees only the port numbers.
  • 7. Evaluation of Network Security: Legacy Firewalls
    • Rule matching criteria
      - Source address
      - Destination address
      - Service (port)
      - Schedule
    • Action
      - Accept
      - NAT
      - Drop
      - Reject
  • 8. Challenges of Legacy Security Infrastructure
  • 10. Challenges of Legacy Security Infrastructure: Old School firewalls are pointless!!!
  • 12. Challenges of Legacy Security Infrastructure: Firewall Helper
    Diagram of stand-alone helper products around the firewall: VPN, IDS, IPS, AV, Anti-Spam, URL-Filter, Traffic Shaper, DLP, Proxy, Anti-Malware.
  • 13. Challenges of Legacy Security Infrastructure: Firewall Helper
    • Stand-alone, non-integrated security
    • Created gaps in the security strategy
    • Mix of off-the-shelf systems and applications
    • Difficult to deploy / manage / use
    • High cost of ownership
  • 15. Challenges of Legacy Security Infrastructure: UTM Advantages
    • Reduced complexity: single security solution, single vendor.
    • Simplicity: avoids installing and maintaining multiple software packages.
    • Easy management: plug & play architecture, web-based GUI for easy management.
    • Reduced technical training requirements: one product to learn.
  • 16. Challenges of Legacy Security Infrastructure: UTM Disadvantages
    • Single point of failure for network traffic, unless HA (High Availability) is used
    • Single point of compromise if the UTM has vulnerabilities
    • Potential impact on latency and bandwidth when the UTM cannot keep up with the traffic
  • 19. Next Generation Firewalls: What is it?
    Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and intelligence brought in from outside the firewall.
  • 21. Next Generation Firewalls: What NGFWs can do
    Diagram of application classes the firewall can distinguish: CRM, ERP, student work, YouTube, IM application, web mail, casual traffic.
  • 22. What NGFWs can do
    Same diagram: CRM, ERP, student work, YouTube, IM application, web mail, casual traffic, each now visible as an application rather than as a port.
  • 23. Next Generation Firewalls: Features of NGFW
    • Standard capabilities of the first-generation firewall such as packet filtering, stateful protocol inspection, NAT, VPN connectivity, etc.
    • Truly integrated intrusion prevention, including support for both vulnerability-facing and threat-facing signatures, and suggesting actions based on IPS activity.
    • Full stack visibility and application identification: the ability to enforce policy at the application layer independently of port and protocol.
    • Extra firewall intelligence: the ability to create blacklists or whitelists and to map traffic to users and groups using Active Directory.
    • Adaptability to the modern threat landscape, with upgrade paths for integrating new information feeds and new techniques to address future threats.
    • SSL decryption, to identify undesirable encrypted applications.
    • Non-disruptive in-line "bump-in-the-wire" configuration.
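The difference between the port-based rule matching of slide 7 and the application- and user-aware policy in the feature list above is easiest to see with a small policy engine evaluated over the same sessions. The following is an added Python example written for this page; it is not code from the presentation or from any firewall vendor. The rule bases, the CIDR ranges, the application labels (crm, erp, youtube, web-browsing, unknown-tcp), the directory groups and the sample flows are all constructed assumptions that stand in for what an application-identification engine and a directory lookup would attach to each session.

```python
"""Added example (not from the slide deck): a toy policy engine contrasting a
legacy port-based rule base (slide 7 criteria) with an application/user-aware
rule base (NGFW feature list). All addresses, users, groups and application
labels below are constructed sample data."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Flow:
    """One observed session. 'app', 'user' and 'groups' are the labels an
    application-identification engine and a directory lookup would attach;
    here they are simply assumed."""
    src: str
    dst: str
    dport: int
    started: time
    app: str = "unknown"
    user: str = ""
    groups: FrozenSet[str] = frozenset()


def _addr_match(pattern: str, addr: str) -> bool:
    """'any' is a wildcard; otherwise the address must fall in the CIDR prefix."""
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


@dataclass(frozen=True)
class LegacyRule:
    """Legacy criteria: source, destination, service (port) and schedule."""
    src: str
    dst: str
    port: Optional[int]              # None = any service
    action: str                      # accept / nat / drop / reject
    start: time = time(0, 0)
    end: time = time(23, 59)

    def matches(self, f: Flow) -> bool:
        return (_addr_match(self.src, f.src)
                and _addr_match(self.dst, f.dst)
                and (self.port is None or self.port == f.dport)
                and self.start <= f.started <= self.end)

    def verdict(self) -> str:
        return self.action


@dataclass(frozen=True)
class AppRule:
    """NGFW-style criteria: application and user group, independent of port."""
    apps: FrozenSet[str]             # {"any"} is a wildcard
    groups: FrozenSet[str]           # {"any"} is a wildcard
    action: str                      # allow / block
    bw_kbps: Optional[int] = None    # optional per-application bandwidth cap

    def matches(self, f: Flow) -> bool:
        app_ok = "any" in self.apps or f.app in self.apps
        group_ok = "any" in self.groups or bool(self.groups & f.groups)
        return app_ok and group_ok

    def verdict(self) -> str:
        if self.bw_kbps is None:
            return self.action
        return f"{self.action} (limit {self.bw_kbps} kbps)"


def decide(rules, flow: Flow, default: str) -> str:
    """First matching rule wins; anything unmatched gets the explicit default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.verdict()
    return default


BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Legacy rule base: campus hosts may reach anything on 80/443 during the day.
LEGACY_RULES = [
    LegacyRule("10.0.0.0/8", "any", 443, "accept", *BUSINESS_HOURS),
    LegacyRule("10.0.0.0/8", "any", 80, "accept", *BUSINESS_HOURS),
    LegacyRule("any", "any", None, "drop"),
]

# Application-aware rule base: decisions keyed on app and group, not port.
# Unidentified applications fall through to the final block rule.
NGFW_RULES = [
    AppRule(frozenset({"crm", "erp"}), frozenset({"staff"}), "allow"),
    AppRule(frozenset({"youtube"}), frozenset({"students"}), "allow", bw_kbps=2000),
    AppRule(frozenset({"web-browsing"}), frozenset({"any"}), "allow"),
    AppRule(frozenset({"any"}), frozenset({"any"}), "block"),
]

# Constructed sample sessions: the first three are indistinguishable to a
# port-based firewall (campus host to TCP/443 during business hours).
SAMPLE_FLOWS = {
    "staff_crm":     Flow("10.1.5.20", "203.0.113.10", 443, time(10, 0), "crm", "alice", frozenset({"staff"})),
    "student_video": Flow("10.2.7.31", "203.0.113.20", 443, time(10, 0), "youtube", "bob", frozenset({"students"})),
    "tunnel_on_443": Flow("10.2.7.44", "203.0.113.30", 443, time(10, 0), "unknown-tcp", "carol", frozenset({"students"})),
    "ftp_transfer":  Flow("10.1.5.20", "203.0.113.40", 21, time(10, 0), "ftp", "alice", frozenset({"staff"})),
    "after_hours":   Flow("10.1.5.20", "203.0.113.10", 443, time(22, 0), "crm", "alice", frozenset({"staff"})),
}


def compare(flow: Flow):
    """Return (legacy verdict, NGFW verdict) for one flow."""
    return decide(LEGACY_RULES, flow, "drop"), decide(NGFW_RULES, flow, "block")


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        legacy, ngfw = compare(flow)
        print(f"{name:14} port {flow.dport:<4} app {flow.app:12} legacy={legacy:8} ngfw={ngfw}")
```

Run as a script it prints one line per sample flow. The three TCP/443 sessions all get "accept" from the legacy rule base because port and schedule are the only things it can see; the application-aware rule base allows the CRM session, allows the video session with a bandwidth cap (the "allow, block, log, monitor and bandwidth control" set the deck attributes to NGFWs), and blocks the unidentified application, which is the answer a defender wants to the RFP question "How are unknown applications handled?".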
  • 24. Next Generation Firewalls: Good fit for Enterprise Networks (Single-Pass Parallel Processing, SP3)
    • Networking: routing, flow lookup, stats counting, NAT and similar functions are performed on network-specific hardware.
    • User-ID, App-ID and policy all run on a multi-core security engine with hardware acceleration for encryption, decryption and decompression.
    • Content-ID content analysis uses a dedicated, specialized content scanning engine.
    • On the control plane, a dedicated management processor (with its own disk and RAM) drives configuration management, logging and reporting without touching the data-processing hardware.
  • 25. Architecture
    • Cavium multi-core security processors (12-core CPUs with dedicated RAM): App-ID/decoders, IPv6, DoS protection profiles, session setup and tear-down, session table, segment reassembly and normalization, 100k-entry URL filtering cache. Fast-path offload can be disabled with 'set session offload no'.
    • 20 Gbps network processor (FPGA): 20 Gbps front-end network processing; hardware-accelerated per-packet route lookup, MAC lookup and NAT; App-Override flows; PBF.
    • Data plane: 10 Gbps switch fabric, QoS flow control, route/ARP/MAC lookup, NAT; FPGAs for security profiles; SSL, IPSec and decompression offload engines.
    • Signature match hardware engine: AV, anti-spyware and vulnerability protection signatures; file and data filtering signatures.
    • Device server / control plane: quad-core management processor with RAM and dual SSD; high-speed logging and route updates; dual hard drives; web portals / response pages.
    • 80 Gbps switch fabric interconnect; 20 Gbps QoS engine.
  • 26. Next Generation Firewalls: UTM vs NGFW
    UTM:
    • Multiple security services are collocated rather than integrated; a separate engine is used for every service.
    • Performance can drop drastically when all security services are enabled.
    • Capable of scanning encrypted traffic such as SSL.
    • Controls access "old school" style: per port and protocol plus URL/content filtering. Some form of application control can be achieved by combining the web proxy and the IPS.
    • The main functions of a UTM are allow, block and log. Some form of QoS or bandwidth control is present, but only specific applications can be optimized or limited.
    • Partial real-time visibility into network traffic, e.g. threats detected, URLs accessed by users or protocols used on the network.
    • Per-user access control is possible for web traffic with the help of the web proxy.
    NGFW:
    • Multiple security services are integrated; a single engine is used for all services.
    • Thanks to the single-pass architecture, performance stays at an acceptable level even when all security services are activated.
    • Capable of scanning encrypted traffic such as SSL.
    • In addition to the old school way of controlling access, an NGFW natively controls access to applications and their features regardless of port and protocol, using a growing database of application signatures.
    • NGFW functions include allow, block, log, monitor and bandwidth control; the last is integrated to offer per-application bandwidth management.
    • Excellent real-time visibility into network traffic: from a single console the admin can view which applications users access and how much bandwidth they consume, along with threats detected and protocols used.
    • Per-user access control is possible for all network traffic, and access to applications and their features is also controlled per user.
  • 27. Next Generation Firewalls: Benefits of Next-Generation Firewalls
    • Visibility and control: the enhanced visibility and control provided by NGFWs let enterprises base policy on business-relevant elements such as applications, users and content, instead of relying on nebulous and misleading attributes like ports and protocols; this lets them manage risk and achieve compliance more thoroughly while providing threat prevention for the applications they allow.
    • Safe enablement: comprehensive coverage through a consistent set of protection and enablement capabilities for all users, regardless of their location.
    • Simplification: reduced complexity of network security and its administration by removing the need for numerous stand-alone products. This consolidation reduces capital costs as well as ongoing "hard" operational expenses such as support, maintenance and software subscriptions.
    • IT and business alignment: IT can confidently say "yes" to the applications the business needs, because it can identify and granularly control applications while protecting against a broad array of threats.
  • 28. (image-only slide)
  • 29. (image-only slide)
  • 31. Implementing Next Generation Firewalls: Defining your Requirements and developing an RFP
    Application identification
    - Is identification based on IPS or DPI technology? If so, how are accuracy, completeness and performance issues addressed when scanning network traffic?
    - How are unknown applications handled?
    - Are custom application signatures supported?
    - How is SSL-encrypted traffic identified, inspected and controlled?
    - How many applications are identified, and what is the process for updating the application database (software, dynamic update)?
    - Can users submit an application for identification and analysis, or define a custom application?
    Application policy control
    - Can policy controls be implemented for all identified applications and/or for users and groups?
    - Can port-based controls be implemented for all applications in the application database?
    - Can the solution perform traditional firewall-based access controls?
    - Can policy controls be implemented from a single management interface?
    - Are users warned when they attempt to access a URL or application that violates policy?
  • 32. Implementing Next Generation Firewalls: Defining your Requirements and developing an RFP
    Threat prevention
    - List the types of threats that can be blocked. List the file types that can be blocked.
    - Is data filtering supported?
    - Can the threat prevention engine scan inside SSL-encrypted traffic?
    Management
    - Does device management require a separate server or device?
    - Are application policy control, firewall policy controls and threat prevention features all enabled from the same policy editor?
    - CLI support?
    - Logging capabilities of the solution?
    - Log visualization tools?
    Networking
    - Layer 2 and Layer 3 capabilities
    - 802.1q VLANs supported, and at what capacity?
    - Is dynamic routing supported (OSPF, BGP)?
    - QoS and shaping features
    - Is IPv6 supported?
    - IPSec VPN, SSL VPN?
    - Implementation options (inline, tap, transparent)?
    - High availability capabilities?
    Hardware
  • 33. Implementing Next Generation Firewalls: Things you need to consider
    1. Identify applications, not ports
    2. Identify users, not IP addresses
    3. Identify content, not packets
    4. Visibility
    5. Control
    6. Performance
    7. Flexibility
    8. Reliability
    9. Scalability
    10. Manageability
  • 34. Questions? Ali Kapucu, Network Design Engineer, akapucu@kent.edu, May 23, 2014

Editor's Notes

  1. As we said, the firewall's role is "controlling data flow". Why next generation? Because the control is at a much finer and more granular level than was possible with stateful firewalls and UTM. Since these firewalls perform application-level inspection with a truly integrated intrusion prevention system, and because of the way they do this, it deserves the "next generation" name tag; I believe it's a revolution in network security.
  2. As we said, the firewall's role is "controlling data flow". Why next generation? Because the control is at a much finer and more granular level than was possible with stateful firewalls and UTM. Since these firewalls perform application-level inspection with a truly integrated intrusion prevention system, and because of the way they do this, it deserves the "next generation" name tag; I believe it's a revolution in network security. Mention IPS bots.