In the past few years, a surge of Next-Generation Firewall (NGFW) products have been growing in popularity and market share in the enterprise IT security arena. Just what is NGFW, and how does it benefit your business? This article will explore the challenges faced by modern enterprises with regard to effectively firewalling network traffic, and reveal how NGFW solutions can address those challenges.
For many years, traditional firewall products (often called packet-filtering firewalls or stateful-inspection firewalls) centered their application identification around the transport-layer port number, such as TCP port 80 (for HTTP/Web servers) or UDP port 161 (for SNMP polling). This was primarily for two reasons. First, the application landscape was much simpler — most environments used the well-known port numbers for common applications, and only one application ran on a certain port. Port-based identification was accurate the vast majority of the time. Second, firewalls rarely had the computational horsepower to look deeper into every single packet going by. A related issue arose from the fact that, until recently, firewalls ran in their own little world, not usually connecting to the Internet for their own real-time updates or queries, which made highly dynamic application identification difficult as applications changed. Applications were rarely understood by the firewall; instead, the focus was on port numbers and on acting on lower-level characteristics like network-layer protocol options or transport-layer protocol rules.
Traditional firewalls also focused primarily on IP address or subnet to identify hosts, again due to the usual lack of connectedness to other IT infrastructure. This usually meant either that large swaths of the network had to have similar policy applied, or that tedious static IP addressing was required (even for clients) to ensure consistent policy application.
The world has changed a lot in the past 5-10 years, and these traditional methods of identifying applications and hosts just aren’t as effective as they used to be. Today, it’s not uncommon to see a single service, such as HTTP web servers, running on many ports (common values beyond the standard port 80 include other ports often used for testing and development purposes such as 81, 8000, 8080, 8081, etc.). With the rise of Agile software development, it’s quite common to see numerous instances of an application running on one set of server infrastructure, or multiple copies of a virtual environment, and increasingly, these ports need to be accessed from across a firewall for functions such as User Acceptance Test (UAT) environments that must be exposed for customers to engage with. The constant flux of these environments presents challenges to the IT team in terms of getting new access opened in a timely manner, as well as closing off access that is no longer needed.
Multi-faceted, web-based applications and Software as a Service (SaaS) applications cause further challenges to simple, port-based application identification. Some web-based applications and tools such as Dropbox or Google Apps, and even social media platforms like Facebook, have functions that may be permissible by a company’s security policy as well as other functions which present a risk to security or productivity. With so many applications using HTTP or HTTPS as a transport, simply allowing these protocols outbound from your enterprise network may not be acceptable. However, outbound whitelisting is extremely tedious, and even general category-based URL filtering may not be sufficient to control specific application access.
The last big challenge is not just identifying the apps, but identifying the users. As enterprise use of the Internet has grown increasingly complex, it’s no longer feasible to just permit or deny certain applications across the entire user base.
What is NGFW?
Essentially, Next-Generation Firewall simply means a firewall that is not bound to these static concepts of a port-number identifying an application, or an IP address identifying a user. NGFW is more dynamic — just as dynamic as the modern enterprise IT environment.
How does NGFW accomplish this dynamic approach differently than traditional packet-filter firewalls? Really, it’s just the right time in history for it to happen. CPU capability has reached a point where deep inspection of every packet is feasible in an affordable and power-efficient CPU package. Additionally, NGFW usually depends on frequent or real-time access to other repositories of data — online, rapidly updated databases of application signatures, enterprise directory servers, and even vendor-provided infrastructure for quickly analyzing unknown patterns. The Internet of Things era makes this sort of behavior much more common and feasible. The firewall has become part of a greater web of data collection and policy application capabilities by aggregating many data sources to characterize applications and users.
How Does NGFW Help?
Next-Generation Firewalls take a different approach to application identification and policy enforcement. Rather than looking just at protocol and port number, NGFW uses these values as scoring inputs and also looks deep into the actual packet to identify the application in use, sometimes as far down as the “micro-application” such as a specific Facebook function (games vs. status updates vs. photos) or component of Google Apps (Calendar vs. Docs). This capability means that a firewall rule allowing the HTTP protocol inbound to some web servers doesn’t just allow whatever is on TCP port 80, but rather any HTTP (and only HTTP) on any port it may arrive on. This addresses the challenge described above, wherein the application port numbers may not be well communicated by the application owners or may be constantly changing. This deep packet inspection is also critical for applications that use many different unpredictable ports, such as peer-to-peer file sharing.
NGFW also takes a different approach to websites and SaaS applications, identifying and treating them just like any other application. With NGFW, a security administrator can easily permit, or deny, access to necessary web-based applications without having to look at specific URLs, and also get more granular ability to apply policy to individual actions or micro-applications in those web apps.
Lastly, NGFW bridges the gap between IP-based host identification, and user identification by integrating with enterprise directory services (such as Microsoft Active Directory or OpenLDAP) to identify specific users (and the directory groups to which they belong) in real time. With NGFW, policy can be applied on a per-user basis, or to specific user groups such as Marketing (who may need broader access to social media platforms) or Executives (who often have less strict controls placed on their Internet activity focusing more on reducing security risk and less on productivity concerns).
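To make the contrast concrete for both the application-identification and user-identification points above, here is an added illustration (not code from the article or from any NGFW vendor) of a toy policy engine: it classifies constructed sample flows by port alone and by payload content, maps the source IP to a user and directory groups through a stand-in lookup table (a real NGFW would query Active Directory or LDAP), and evaluates first-match rules. The flows, users, groups and rules are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes  # first bytes of the client's data

def port_based_app(flow):
    """Legacy identification: the well-known port *is* the application."""
    return {80: "http", 443: "tls", 22: "ssh"}.get(flow.dst_port, "unknown")

def payload_based_app(flow):
    """Content identification: classify the data regardless of the port it arrives on."""
    p = flow.payload
    if p.startswith(b"SSH-"):
        return "ssh"
    if p[:2] == b"\x16\x03":  # TLS record header: handshake, protocol version 3.x
        return "tls"
    line = p.split(b"\r\n", 1)[0]  # HTTP request line
    if line.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")) \
            and line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "http"
    return "unknown"

# Stand-in for directory integration (constructed data; a real NGFW queries AD/LDAP).
IP_TO_USER = {"10.0.0.5": "alice", "10.0.0.6": "bob", "10.0.0.7": "carol"}
USER_GROUPS = {"alice": {"Marketing"}, "bob": {"Marketing"}, "carol": {"IT"}}

# Rules: (application, required group or None for anyone, action); first match wins.
RULES = [
    ("http", None, "allow"),   # any HTTP, on any port, for any user
    ("tls", None, "allow"),
    ("ssh", "IT", "allow"),    # SSH only for members of the IT group
]

def decide(flow):
    """Evaluate one flow against the application- and user-aware policy."""
    app = payload_based_app(flow)
    groups = USER_GROUPS.get(IP_TO_USER.get(flow.src_ip), set())
    for rule_app, rule_group, action in RULES:
        if rule_app == app and (rule_group is None or rule_group in groups):
            return action
    return "deny"  # implicit default deny

if __name__ == "__main__":
    uat = Flow("10.0.0.5", 8080, b"GET /uat/ HTTP/1.1\r\nHost: uat.example\r\n\r\n")
    print(port_based_app(uat), payload_based_app(uat), decide(uat))
```

The UAT flow on port 8080 is "unknown" to the port-based classifier but "http" to the content-based one, while SSH sent to port 80 is no longer mistaken for HTTP and is allowed only for the IT group.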
Next-Generation Firewalls are a critical piece of IT infrastructure for modern businesses to be able to exert necessary control over network traffic based on valuable attributes such as the application, application category, and users involved in the connection, rather than arbitrary, static values such as port numbers. The key takeaway is that NGFW is dynamic and real-time, and that’s what businesses need to keep up with their dynamic enterprise IT environments.
H.A. Storage Systems has extensive experience with several NGFW product lines, including the Cisco ASA5500X with FirePOWER Services. Contact H.A. Storage Systems today to discuss your business’ NGFW needs.