Journey from Legacy to Next Generation Firewalls - NGFW

Corporate networks are encountering the highest levels of change in the recent history. Users require anywhere, anytime access to the network from a variety of company-owned and personal mobile devices. In addition, software applications have evolved to be highly dynamic and multi-faceted, blurring the line between business applications and personal ones that may increase the company's exposure to Internet-based threats. 

As a result, most organizations are facing difficulty in achieving an optimum balance between the productivity gains and the security implications poised by the productivity tools & apps.

The scenario warrants that the smarter organizations must adopt a new approach of IT security that unifies the network's streamlined security operations, without abandoning any time-tested method such as Secure Sockets Layer (SSL), Anti-Viruses, Intrusion-Prevention Systems (IPS), Virtual Private Networks (VPN), and firewalls, etc.

Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted, and untrusted outside networks such as the Internet.

Development Phases of Firewall

A firewall is a system or device or group of systems that manages the access between two or more networks. A firewall filters the incoming and outgoing traffic against the predefined security rules. It can be hardware, software, or both which can be place between the networks or on the specific host. Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for security were the routers used in the late 1980s.

Evolutions in the Internet and their usage, also provided the opportunities to the growth of the cybercrime. These evolutions forced the IT security vendors to make continuous changes and evolve in their approach to security overall.

Even modern firewalls have retained all the key functions of threat detection and prevention till date. Let us discuss those in brief.

Packet Filtering

A firewall can use packet filtering to limit information that enters a network and information moving from one segment of a network to another. Packet filtering uses access control lists (ACLs), which allow a firewall to accept or deny access based on packet types and other variables.

Stateful Inspection Firewall

A stateful inspection firewall allows or blocks traffic based on state, port, and protocol. It monitors all activity from the opening of a connection until it is closed. Filtering decisions are made based on both administrator-defined rules as well as context, which refers to using information from previous connections and packets belonging to the same connection. Limits information that is allowed into a network based not only on the destination and source addresses, but also on the contents of the state table.

Application-Aware Inspection

The security appliance inspects packets above the network layer. The security appliance securely opens and closes negotiated ports for legitimate client-server connections through the firewall. Protocols such as FTP, H.323, SQL, etc. need to negotiate connections to dynamically assigned source or destination ports through the firewall.

Proxy Firewall

An early type of firewall device, a proxy firewall serves as the gateway from one network to another for a specific application. Proxy servers can provide additional functionality such as content caching and security by preventing direct connections from outside the network. However, this also may impact throughput capabilities and the applications they can support.

Unified Threat Management (UTM) Firewall

A UTM device typically combines, in a loosely coupled way, the functions of a stateful inspection firewall with intrusion prevention and antivirus. It may also include additional services and often cloud management. UTMs focus on simplicity and ease of use.

***********

Before the development of the Next-Generation firewalls, all of the previous legacy security models, essentially operated with the following four steps:

1. Picking up a large sample of potential malwares at frequent intervals
2. Prioritizing and processing these samples based on some algorithms and feedback
3. Creation of Anti-Malware Signatures for effective detection
4. Distribution of these Signatures to the end-points

**************

Next-Generation Firewall (NGFW)

Modern firewalls have evolved beyond simple packet filtering and stateful inspection. Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks.

The biggest difference between a traditional firewall and a NGFW is the fact that these newer devices are application aware. Traditional firewalls rely on common application ports to determine the applications that were running and the types of attacks to monitor. In an NGFW device, it is not assumed that a specific application is running on a specific port. The firewall itself must be able to monitor the traffic from layers 2 through 7 and make a determination as to what type of traffic is being sent and received.

The most common example is the current use of HTTP, port 80. Traditionally this port is used for only HTTP traffic, but this is no longer the case and a large number of different applications use this port to transport traffic between an end-device and a central server. There are a number of different ways that common ports can be used for these different types of traffic with one of the most common ones being tunneling. With tunneling, traffic is tunneled within the traditional HTTP data field and is de-encapsulated at the destination. From a traditional firewall's perspective, this looks like simple HTTP web traffic, but to a NGFW its true purpose is found at the firewall before it is able to reach the destination. If it is something that is allowed by the NGFW's policy, then the firewall will be allowed to pass traffic. If it isn't, then the firewall will block the traffic.

According to Gartner, Inc.'s definition, a next-generation firewall must include:

• Standard firewall capabilities like stateful inspection
• Integrated intrusion prevention
• Application awareness and control to see and block risky apps
• Upgrade paths to include future information feeds
• Techniques to address evolving security threats

While these capabilities are increasingly becoming the standard for most companies, NGFWs can do much more.

Introduction to ASA : Cisco’s Next-Gen Firewalls

Like most other next-generation firewalls, Cisco's ASA Next-Generation Firewalls deliver application awareness and user identity capabilities, for enhanced visibility and control of network traffic.

Cisco ASA is a comprehensive management solution that:

• delivers increased visibility into the network;
• provides detailed application, user, behavior, policy, and device control;
• employs a flexible architecture that enables significant advances to be introduced in security management.

ASA provides security administrators with end-to-end visibility across the security network, including top-level traffic patterns, detailed logs, and the health and performance of Cisco ASA devices. Users can simplify cost and complexity with Cisco Prime Security Manager, which manages ASA’s Next-Gen Firewall Services, to unify core Cisco ASA functions (including firewall and NAT) and Cisco Next-Generation Firewall Services for distributed deployments.

In addition, Cisco ASA Next-Generation Firewall Services enable administrators to:

• Control specific behaviors within allowed micro applications
• Restrict web and web application use based on the reputation of the site
• Proactively protect against Internet threats
• Enforce differentiated policies based on the user, device, role, application type, and threat profile

ASA-X is well beyond Typical Next Generation Firewall

Cisco® ASA Next-Generation Firewall Services is a suite of modular security services that run on the Cisco ASA 5500-X Series Next-Generation Firewalls (5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X with Security Services Processor SSP-10, SSP-20, SSP-40, and SSP-60). Cisco ASA Next-Generation Firewall Services include Cisco Application Visibility and Control (AVC), Web Security Essentials (WSE), and Intrusion Prevention System (IPS). They blend a proven stateful inspection firewall with next-generation firewall capabilities and network-based security controls for end-to-end network intelligence and streamlined security operations.

In general, ASA with Next Generation Firewall Services delivers unprecedented benefits to the organization:

Unprecedented Network Visibility

Cisco ASA Next-Generation Firewall Services gives security administrators greater visibility into the traffic flowing through the network, including the users connecting to the network, the devices used, and the applications and websites that are accessed.

Cisco ASA Next-Generation Firewall Services use Cisco security technologies to provide actionable intelligence to security administrators. For example, Cisco AnyConnect9 clients provide information on the type and location of a mobile device before it can access the network Cisco ASA Next-Generation Firewall Services also use global threat intelligence from Cisco Security Intelligence Operations Centers (SOCs) to provide zero-day threat protection.

Along with Cisco security technologies throughout the network, Cisco ASA Next-Generation Firewall Services deliver end-to-end network visibility for superior security control. These services include:

• Robust authentication. In addition to passive authentication methods using Windows Active Directory agent and Lightweight Directory Access Protocol (LDAP), Kerberos and Windows NT LAN Manager are used to provide active authentication.
• Device information. Cisco AnyConnect clients provide information on the specific types of user devices attempting to gain access to the network, as well as whether the device is located locally or remotely, enabling administrators to confidently allow devices while maintaining high levels of network protection and control.
• Reputation-based threat defense. Threat intelligence feeds from Cisco SIO use the global footprint of Cisco security deployments (more than 2 million devices now) to analyze approximately one-third of the world's Internet traffic from email and web threat vectors. Reputation feeds are used by Cisco WSE and IPS to help reduce risk and threat exposure with near-real-time protection from known and zero-day threats.

• Precise Application, user, Device, and Threat Control. Cisco ASA Next-Generation Firewall Services with Cisco AVC block port- and protocol-hopping applications such as Skype and other peer-to-peer applications, providing more effective security while requiring fewer policies.
  It enables policies to be written based on a wide range of contextual elements, including application, user, device, and location Cisco AVC also employs deep social networking controls. It recognizes more than 1200 applications and 150,000 micro applications, enabling organizations to provide individual or group-based access to specific components of an application (such as Facebook for business use) while disabling other components (such as Facebook games). Specific behaviors can also be blocked within allowed micro applications for an additional layer of control.

Cisco ASA Next-Generation Firewall Services with Cisco Cisco Web Security Essentials (WSE)

It is a next-generation web security service that addresses these needs. Cisco WSE provides enterprise-class, context-aware web security capabilities to the industry's most proven stateful inspection firewall for end-to-end network intelligence and streamlined security operations. Cisco WSE blends robust content-based URL filtering with the near-real-time global threat and web reputation analysis from Cisco SIO. Cisco WSE enables organizations to enforce reputation-based web security policies and robust content-based URL filtering to enable differentiated access policies based on user, group, device, and role.

Cisco ASA Next-Generation Firewalls with IPS

It provides context-driven threat detection and mitigation. The simplified operation puts focus on threat prevention rather than on detection parameters. Inputs from the Cisco AVC and WSE security services optimize the Cisco IPS's operation and efficacy to provide holistic threat prevention.

Comprehensive Security Architecture

Cisco ASA Next-Generation Firewall Services extend the Cisco ASA platform to provide unprecedented visibility and control. Support for Layer 3 and Layer 4 stateful firewall features, including access control, network address translation, and stateful inspection, enables organizations to keep existing stateful inspection firewall policies that are essential for a host of compliance regulations, while adding Layer 7 context-aware rules that can act intelligently on contextual information Cisco ASA Next-Generation Firewall Services pull in local intelligence from the Cisco AnyConnect Secure Mobility Client and near-real-time global threat intelligence from Cisco SIO.

A proven firewall platform, combined with the power of local and global threat intelligence, provides a comprehensive, dynamic security architecture that is capable of addressing an organization's evolving security needs to enable growth, extensibility, and ongoing innovation.

Threat-focused NGFW

Last but not the least, these firewalls include all the capabilities of a traditional NGFW and also provide advanced threat detection and remediation. With a threat-focused NGFW you can:

• Know which assets are most at risk with complete context awareness
• Quickly react to attacks with intelligent security automation that sets policies and hardens your defenses dynamically
• Better detect evasive or suspicious activity with network and endpoint event correlation
• Greatly decrease the time from detection to cleanup with retrospective security that continuously monitors for suspicious activity and behavior even after initial inspection
• Ease administration and reduce complexity with unified policies that protect across the entire attack continuum

Cisco Systems has a long history in network security that spans multiple changes to firewall technology, including packet filtering, stateful inspection, deep packet inspection (DPI), and next-generation firewalls. Cisco is now moving further forward with its new Firepower NGFW.

This newest addition of FirePOWER services makes the greatest enhancement to this portfolio of Next-Gen Firewall Services from Cisco.

We would present Cisco FirePOWER next-gen solutuions in our next article.  

In the meantime, please share what do you think about NGFWs as well as ASA-X?

Thanks.