Why It's Time to Upgrade to a
Next-Generation Firewall
Ali Kapucu
Network Design Engineer
akapucu@kent.edu
May 23, 2014
Speaker

Ali Kapucu (akapucu@kent.edu) (linkedin.com/in/alikapucu)
• Network Design Engineer @ Kent State University
• Routing
• Switching
• Wireless
• Firewall Admin
• Linux Server Admin
• Security Engineer & Instructor
• Penetration Tester
• Researcher & Blogger (alikapucu.com)
Outline

• Evaluation of Network Security
• Challenges of Legacy Security Infrastructure
  • Enterprise - Web 2.0
  • What do you want to do?
  • Old School firewalls are pointless!!!
  • Firewall Helpers
  • Unified Threat Management
• Next Generation Firewalls
  • What is it?
  • Why next-generation?
  • What can NGFWs do?
  • Features of NGFW
  • Good fit for Enterprise Networks (SP3)
  • UTM vs NGFW
  • Benefits of Next-Generation Firewalls
• Implementing Next Generation Firewalls
  • Defining your Requirements and developing an RFP
  • Things you need to consider
• Questions
Evaluation of Network Security
Legacy Firewalls
[Diagram: traffic to ports 443, 80 and 21 passing through a legacy firewall]
What do firewalls do?
Legacy Firewalls
• Rule matching criteria
  - Source address
  - Destination address
  - Service (port)
  - Schedule
• Action
  - Accept
  - NAT
  - Drop
  - Reject
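To make the rule model above concrete, here is an added illustration (not code from the talk) of a legacy first-match rule engine: each rule matches on source address, destination address, service port and a schedule window, and applies accept, NAT, drop or reject, with an implicit drop at the end of the rule base. All addresses, ports, schedules and flows are constructed sample values. The point to notice is what the engine cannot see: two port-443 flows, one to a CRM system and one to a video site, match the same rule and get the same decision.

```python
"""Legacy, port-based firewall rule matching.

Added illustration of the rule model on the slide, not code from the talk.
Every address, port, schedule and flow below is a constructed sample value.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src: str             # CIDR, or "any"
    dst: str             # CIDR, or "any"
    port: Optional[int]  # service port; None matches any service
    start: time          # schedule window, inclusive at both ends
    end: time
    action: str          # accept | nat | drop | reject


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def in_schedule(rule: Rule, at: time) -> bool:
    """Time-of-day window; a window whose end is before its start wraps midnight."""
    if rule.start <= rule.end:
        return rule.start <= at <= rule.end
    return at >= rule.start or at <= rule.end


def matches(rule: Rule, src: str, dst: str, port: int, at: time) -> bool:
    """All four criteria (source, destination, service, schedule) must match."""
    return (ip_address(src) in _net(rule.src)
            and ip_address(dst) in _net(rule.dst)
            and rule.port in (None, port)
            and in_schedule(rule, at))


def decide(rules: List[Rule], src: str, dst: str, port: int, at: time) -> Tuple[str, str]:
    """First-match evaluation with an implicit final drop, as on most legacy firewalls."""
    for rule in rules:
        if matches(rule, src, dst, port, at):
            return rule.name, rule.action
    return "implicit-deny", "drop"


# Constructed campus-style rule base: the LAN may use web ports during the day,
# outbound FTP is refused at any hour, everything else falls to the implicit drop.
LAN = "10.20.0.0/16"
RULES = [
    Rule("https-out", LAN, "any", 443, time(7, 0), time(23, 0), "accept"),
    Rule("http-out", LAN, "any", 80, time(7, 0), time(23, 0), "accept"),
    Rule("ftp-out", LAN, "any", 21, time(0, 0), time.max, "reject"),
]


def demo() -> dict:
    """Sample flows. The two port-443 flows are indistinguishable to this engine,
    although one goes to the CRM system and the other to a video site."""
    day, night = time(10, 30), time(2, 0)
    return {
        "crm-over-443": decide(RULES, "10.20.5.7", "203.0.113.10", 443, day),
        "video-over-443": decide(RULES, "10.20.5.7", "198.51.100.20", 443, day),
        "ftp": decide(RULES, "10.20.5.7", "203.0.113.10", 21, day),
        "https-at-night": decide(RULES, "10.20.5.7", "203.0.113.10", 443, night),
        "not-from-lan": decide(RULES, "192.0.2.9", "203.0.113.10", 443, day),
    }


if __name__ == "__main__":
    for flow, (rule, action) in demo().items():
        print(f"{flow:15s} -> {action:6s} ({rule})")
```

Running it prints one line per flow; both 443 flows are accepted by the same `https-out` rule, the FTP flow is rejected, and the night-time and off-LAN flows fall through to the implicit drop. Nothing in the rule lets the administrator treat CRM and video differently, which is the gap the rest of the talk is about.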
Challenges of Legacy Security Infrastructure
Enterprise - Web 2.0
Old School firewalls are pointless!!!
What do you want to do?
Firewall Helpers
[Diagram: point products bolted on around the firewall: VPN, IDS, IPS, AV, Anti-Spam, URL-Filter, Traffic Shaper, DLP, Proxy, Anti-Malware]
Firewall Helper
• Stand-alone, non-integrated security
• Created gaps in security strategy
• Mix of off-the-shelf systems and applications
• Difficult to deploy / manage / use
• High cost of ownership
Unified Threat Management (UTM)
Advantages
• Reduced complexity: single security solution, single vendor.
• Simplicity: avoidance of multiple software installations and maintenance.
• Easy management: plug & play architecture, web-based GUI for easy management.
• Reduced technical training requirements: one product to learn.
[Diagram: Internet - UTM - internal network]
Disadvantages
• Single point of failure for network traffic, unless HA (High Availability) is used
• Single point of compromise if the UTM has vulnerabilities
• Potential impact on latency and bandwidth when the UTM cannot keep up with the traffic
Next Generation Firewalls
What is it?
Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and intelligence brought in from outside the firewall.
Why next-generation?
Deep Packet Inspection
What can NGFWs do?
[Diagram: the same port 80/443 traffic broken out by application: CRM, ERP, student work, YouTube, IM, webmail, casual traffic]
Features of NGFW
• Standard capabilities of the first-generation firewall such as packet filtering, stateful protocol inspection, NAT, VPN connectivity, etc.
• Truly integrated intrusion prevention, including support for both vulnerability-facing and threat-facing signatures, and suggesting actions based on IPS activity.
• Full-stack visibility and application identification: the ability to enforce policy at the application layer independently of port and protocol.
• Extra firewall intelligence: the ability to create blacklists or whitelists and to map traffic to users and groups using Active Directory.
• Adaptability to the modern threat landscape, with upgrade paths for integrating new information feeds and new techniques to address future threats.
• SSL decryption to enable identifying undesirable encrypted applications.
• Non-disruptive in-line bump-in-the-wire configuration.
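An added illustration (not code from the talk or from any vendor) of the two features that define the NGFW in the list above: identifying the application from content rather than from the port, and mapping traffic to users and groups. Applications are recognised from the payload, either the Host header of a plaintext HTTP request or the server name (SNI) in a TLS ClientHello, which is readable without decrypting anything; a constructed IP-to-user table stands in for the Active Directory lookup the slide mentions. All hostnames, users, addresses and policy rules are constructed, and the ClientHello builder exists only to produce test input.

```python
"""App-ID + User-ID style policy. Added illustration, not the talk's or any vendor's code.
All hosts, users, addresses and rules below are constructed sample data."""
import re

APP_SIGNATURES = {                 # hostname suffix -> application (constructed)
    "youtube.com": "youtube",
    "crm.campus.example": "crm",
    "erp.campus.example": "erp",
    "mail.campus.example": "webmail",
}
IP_TO_USER = {"10.20.5.7": "alice", "10.20.9.3": "bob"}   # constructed User-ID table
USER_TO_GROUP = {"alice": "staff", "bob": "students"}     # (from the directory in practice)
POLICY = [                          # (group, application, action); first match wins
    ("staff", "crm", "allow"),
    ("staff", "erp", "allow"),
    ("any", "webmail", "allow"),
    ("students", "youtube", "block"),
    ("any", "youtube", "allow"),
    ("any", "unknown", "block"),    # unidentified traffic is not let through quietly
]

def http_host(payload: bytes):
    """Host header of a plaintext HTTP/1.x request, or None."""
    try:
        lines = payload.decode("ascii").split("\r\n\r\n", 1)[0].split("\r\n")
    except UnicodeDecodeError:
        return None
    if not re.fullmatch(r"(GET|POST|PUT|HEAD|DELETE) \S+ HTTP/1\.[01]", lines[0]):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower()
    return None

def tls_sni(payload: bytes):
    """server_name from a TLS ClientHello (RFC 6066), or None; truncated input -> None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 43                                            # record(5)+handshake(4)+version(2)+random(32)
        p += 1 + payload[p]                               # session id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")  # cipher suites
        p += 1 + payload[p]                               # compression methods
        end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            ext_type = int.from_bytes(payload[p:p + 2], "big")
            ext_len = int.from_bytes(payload[p + 2:p + 4], "big")
            p += 4
            if ext_type == 0:       # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = int.from_bytes(payload[p + 3:p + 5], "big")
                return payload[p + 5:p + 5 + name_len].decode("ascii").lower()
            p += ext_len
    except (IndexError, UnicodeDecodeError):
        return None
    return None

def identify_app(payload: bytes) -> str:
    """App-ID: classify by content; the port the flow arrived on plays no part."""
    host = tls_sni(payload) or http_host(payload)
    for suffix, app in APP_SIGNATURES.items():
        if host and (host == suffix or host.endswith("." + suffix)):
            return app
    return "unknown"

def evaluate(src_ip: str, dst_port: int, payload: bytes) -> dict:
    """User-ID + App-ID policy lookup with a default deny."""
    app = identify_app(payload)
    user = IP_TO_USER.get(src_ip, "unknown-user")
    group = USER_TO_GROUP.get(user, "unknown-group")
    action = "block"
    for rule_group, rule_app, rule_action in POLICY:
        if rule_group in ("any", group) and rule_app in ("any", app):
            action = rule_action
            break
    return {"user": user, "group": group, "app": app, "port": dst_port, "action": action}

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension (test input)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    ext_data = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(ext_data).to_bytes(2, "big") + ext_data
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def demo() -> dict:
    """Flows on ports 443/80 that a port-based rule could not tell apart."""
    return {
        "alice-crm": evaluate("10.20.5.7", 443, build_client_hello("crm.campus.example")),
        "alice-youtube": evaluate("10.20.5.7", 443, build_client_hello("www.youtube.com")),
        "bob-youtube": evaluate("10.20.9.3", 443, build_client_hello("www.youtube.com")),
        "bob-youtube-http": evaluate("10.20.9.3", 80,
                                     b"GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
        "bob-unknown": evaluate("10.20.9.3", 443, b"\x00\x01not-a-known-protocol"),
    }
```

With this policy, Alice (staff) reaches the CRM system and YouTube over the same port 443, Bob (students) is blocked from YouTube whether it arrives as TLS on 443 or plaintext HTTP on 80, and a flow whose application cannot be identified is blocked rather than allowed by default, which is the answer to the "how are unknown applications handled?" question in the RFP checklist later in the deck. SNI only identifies the server; when the encrypted content itself must be inspected (threat prevention inside SSL), the decryption feature in the list above is what is needed.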
Good fit for Enterprise Networks (Single-Pass Parallel Processing (SP3))
• Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware.
• User-ID, App-ID, and policy all occur on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
• Content-ID content analysis uses a dedicated, specialized content scanning engine.
• On the control plane, a dedicated management processor (with dedicated disk and RAM) drives configuration management, logging, and reporting without touching the data processing hardware.
Architecture
[Diagram: data plane with Cavium multi-core security processors (CPU 1..12 each with RAM), SSL/IPSec/decompression offload, security-profile FPGAs, a network processor (FPGA) on a 20 Gbps front end, 10 Gbps links into the data plane switch fabric, and a separate control plane (cores 1-4, RAM, dual SSD)]
Cavium Multi-Core Security Processors
• App-ID/Decoders
• IPv6
• DoS Protection Profiles
• Session setup and tear-down
• Session table
• Segment reassembly, normalization
• 100k URL filtering cache
• Disabled fast-path flows: 'set session offload no'
Network Processor (FPGA)
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
• App-Override flows
• PBF
Switch fabric: QoS, flow control, route/ARP/MAC lookup, NAT
Signature Match HW Engine
• AV, anti-spyware, and vulnerability protection signatures
• File and data filtering signatures
Device Server (Control Plane)
• Quad-core management
• High speed logging and route update
• Dual hard-drive
• Web portals / response pages
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
UTM vs NGFW

UTM
• Multiple security services are collocated rather than integrated; a separate engine is used for every service.
• Performance can drop drastically when all security services are enabled.
• Capable of scanning encrypted traffic like SSL.
• Controls access "old school" style: per port and protocol, plus URL/content filtering. Some form of application control can be achieved by combining the web proxy and the IPS.
• The main functions of a UTM are allow, block and log. Some form of QoS or bandwidth control is present; only specific applications can be optimized or limited.
• Partial real-time visibility into the network traffic, e.g. threats detected, URLs accessed by users or protocols used on the network.
• Controlling access per user is possible for web traffic with the help of the web proxy.

NGFW
• Multiple security services are integrated; a single engine is used for all services.
• Due to the single-pass architecture, performance is maintained at an acceptable level even when all security services are activated.
• Capable of scanning encrypted traffic like SSL.
• In addition to the old school way of controlling access, a NGFW natively controls access to applications and their features regardless of port and protocol. Includes a growing database of application signatures.
• The NGFW's functions include allow, block, log, monitor and bandwidth control; the last is also integrated to offer application bandwidth management.
• Great real-time visibility into the network traffic; the admin can view/monitor what applications the users access and how much bandwidth they consume, along with the threats detected or protocols used, from a single console.
• Controlling access per user is possible for all network traffic. Furthermore, access to applications and their features is also controlled per user.
Benefits of Next-Generation Firewalls
• Visibility and control
The enhanced visibility and control provided by NGFWs enable enterprises to focus on business-relevant elements such as applications, users, and content for policy controls, instead of having to rely on nebulous and misleading attributes like ports and protocols, and to better and more thoroughly manage risks and achieve compliance, while providing threat prevention for allowed applications.
• Safe enablement
Achieve comprehensive coverage by providing a consistent set of protection and enablement capabilities for all users, regardless of their location.
• Simplification
Reduce the complexity of network security and its administration by removing the need for numerous stand-alone products. This consolidation reduces hard capital costs, as well as ongoing "hard" operational expenses, such as support, maintenance, and software subscriptions.
• IT and business alignment
Enable IT to confidently say "yes" to the applications needed to best support the business by giving them the ability to identify and granularly control applications while protecting against a broad array of threats.
Implementing Next Generation Firewalls
Defining your Requirements and developing an RFP
Application identification
• Is identification based on IPS or DPI technology? If so, how are accuracy, completeness, and performance issues addressed when scanning network traffic?
• How are unknown applications handled?
• Are custom application signatures supported?
• How is SSL-encrypted traffic identified, inspected, and controlled?
• How many applications are identified, and what is the process for updating the application database (software, dynamic update)?
• Can users submit an application for identification and analysis, or define a custom app?
Application policy control
• Can policy controls be implemented for all applications identified and/or users and groups?
• Can port-based controls be implemented for all applications in the application database?
• Can the solution perform traditional firewall-based access controls?
• Can policy controls be implemented from a single management interface?
• Are users warned when they attempt to access a URL or application that violates policy?
Threat prevention
• List the types of threats that can be blocked. List the file types that can be blocked.
• Is data filtering supported?
• Can the threat prevention engine scan inside SSL-encrypted traffic?
Management
• Does device management require a separate server or device?
• Are application policy control, firewall policy controls, and threat prevention features all enabled from the same policy editor?
• CLI support?
• Logging capabilities of the solution?
• Log visualization tools?
Networking
• Layer 2 and Layer 3 capabilities
• 802.1q VLANs supported, capacity?
• Is dynamic routing supported (OSPF, BGP)?
• QoS and shaping features
• Is IPv6 supported?
• IPSec VPN, SSL VPN?
• Implementation options? (inline, tap, transparent)
• High availability capabilities?
Hardware
Things you need to consider
1. Identify Applications, Not Ports
2. Identify Users, Not IP Addresses
3. Identify Content, Not Packets
4. Visibility
5. Control
6. Performance
7. Flexibility
8. Reliability
9. Scalability
10. Manageability
Questions?
Ali Kapucu
Network Design Engineer
akapucu@kent.edu
May 23, 2014


Editor's Notes

  • #21 As we said, the firewall's role is "controlling data flow". Why next generation? Because it is at a much finer and more granular level than was possible with stateful firewalls and UTM. Since these firewalls perform application-level inspection and truly integrated intrusion prevention, and because of the way they do this, it deserves to get the Next Generation name tag, because I believe it's a revolution in network security.
  • #24 As we said, the firewall's role is "controlling data flow". Why next generation? Because it is at a much finer and more granular level than was possible with stateful firewalls and UTM. Since these firewalls perform application-level inspection and truly integrated intrusion prevention, and because of the way they do this, it deserves to get the Next Generation name tag, because I believe it's a revolution in network security. Mention IPS bots.