NEXT GENERATION FIREWALLS: Why NGFWs are Next-Generation FWs?
Imre.Balazs@euroone.hu
Agenda
• The Changing Landscape
• NGFWs
• Juniper AppSec
• How to Choose
Changing Landscapes…
…of applications and threats
Applications/Threats Changed; Firewalls Not
BUT… applications have changed
• Ports ≠ Applications
• IP Addresses ≠ Users
• Packets ≠ Content
The gateway at the trust border is the right place to enforce policy control
• Sees all traffic
• Defines the trust boundary
Need visibility and control!
Web 2.0, Enterprise 2.0: Headaches for CISOs
1. Driven by new generation of addicted Internet users – smarter than you?
2. Full, unrestricted access to everything on the Internet is a right
3. They’re creating a giant social system - collaboration, group knowledge
4. Mobile device use exacerbates the problem – how to control them?
5. Large enterprises need new architectural solutions – suite for huge
6. Not waiting around for IT support or confirmation – IT is irrelevant
7. Result - a Social Enterprise full of potential risks … and rewards
Real-Life Reasons
Source: Academic Freedom or Application Chaos (2nd Edition, March 2011) Palo Alto Networks
• 67% of the apps use port 80, port 443, or hop ports
Consensus among Analysts
“Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS, or the combination of the two.” – Gartner
“Forrester’s Forrsights Security Survey indicates that the standalone IPS market is a relatively mature space but that the next-generation firewall markets are expanding… we anticipate a consolidation of firewalls and IPS to create an even more advanced multifunction security gateway.” – Forrester
DigiNotar, Google, Playstation Network, RSA, Comodo, Epsilon, Lockheed Martin, Many more…
Make the FW Useful Again!
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
Why does it have to be the firewall?
Bolt-on IPS (separate boxes):
[Diagram: IPS – Applications – Firewall]
1. Path of least resistance - build it with legacy security boxes
2. Applications = threats
3. Can only see what you expressly look for
4. Can’t “allow, but…”
Integrated (IPS inside the firewall):
[Diagram: IPS+Firewall – Applications]
1. Most difficult path - can’t be built with legacy security boxes
2. Applications = applications, threats = threats
3. Can see everything
4. Can “allow, but…”
The traffic decision is made at the firewall. No application knowledge means bad decisions…
NGFWs
What is what?!
• Stateful Firewall
• IPS
• UTM
• Application Firewall / Application Proxy
• Next Generation Firewall (NGFW)
Stateful Firewall: blind, packet filters only
IPS: evasions, decryption issues
• Permissive rule base
• Cannot inspect encrypted traffic
• Circumvention possible
Source: NSS Labs - Q4 2009 Network Intrusion Prevention System Test Executive Summary
UTM: adding more stuff doesn’t solve the problem
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have a limited view of traffic
• Complex and costly to buy and maintain
• Putting all of this in the same box is just slow
• Still no visibility or control of Enterprise 2.0
Application Proxy: slow + focused on few apps only
• Proxy sits between the application source and destination
• Intercepts traffic (terminating and re-initiating)
• Limited set of applications
• Low performance
• Deep knowledge of protocols
Next Generation Firewalls
• New Modules
• New Architectures
• User identification
• Application identification
• Content identification
• Rulebase consolidation
• Analyse encrypted traffic
• Both CTS (client-to-server) and STC (server-to-client) directions
And the Nominees are…
• NGFW = FW + IPS in the same box
• NGFW = FW + IPS integrated + security modules
• NGFW = brand new architectures
FW & IPS issues
• Positive control – firewall-like
– Define what is allowed, block everything else
• Negative control – IPS-like
– Find it and block it
– Great for blocking attacks
– Bad for controlling applications
– Ergo: adding a bunch of application signatures to an IPS does not make it a firewall
• Applications become evasive
FW & IPS issues, cont’d
• Model
– Keep the FW + add an IPS-style helper
• Problem
– FW still allows traffic on unusual ports
– Not smart enough to recognize applications
– Must run all signatures on all ports
– Performance issue
– Management issue
– Only blocking is possible
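The positive-versus-negative control distinction on the last two slides, together with the “Ports ≠ Applications” and “IP Addresses ≠ Users” points from the Applications/Threats Changed slide, can be made concrete with a toy policy engine. This is an added example, not from the slides or from any vendor product; the flows, application names, the single IPS signature string and the rule table are all constructed for illustration.

```python
"""
Toy policy engine (constructed example) contrasting three enforcement models:
  1. port-based positive control      (stateful firewall: "allow tcp/443")
  2. signature-based negative control (IPS helper: "find it and block it")
  3. application-aware positive control with "allow, but..." (NGFW)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str       # identity resolved from the source IP (IP != user)
    dst_port: int   # transport port (port != application)
    app: str        # result of application identification, "unknown" if none
    function: str   # sub-function inside the app, e.g. "browse" or "upload"
    payload: str    # constructed payload excerpt used by the signature check


# Constructed traffic sample: every flow rides on 443, matching the deck's
# observation that most apps use 80, 443 or hop ports.
FLOWS = [
    Flow("alice", 443, "web-browsing", "browse",  "GET / HTTP/1.1"),
    Flow("bob",   443, "webmail",      "upload",  "POST /attach"),
    Flow("carol", 443, "tunnel-app",   "connect", "CONNECT ..."),      # known evasive app
    Flow("dave",  443, "unknown",      "unknown", "\x16\x03\x01..."),  # unidentified bytes
    Flow("erin",  443, "tunnel-app",   "connect", "C0NNECT ..."),      # same app, payload varied
]


def port_policy(flow: Flow) -> str:
    """Model 1: stateful firewall. Positive control, but only on ports."""
    allowed_ports = {80, 443}
    return "allow" if flow.dst_port in allowed_ports else "deny"


# Constructed signature list. Because the firewall passes 443 blindly, the
# helper has to run every signature on every allowed port.
IPS_SIGNATURES = ["CONNECT ..."]


def ips_policy(flow: Flow) -> str:
    """Model 2: firewall + IPS helper. Negative control: block only what a signature finds."""
    if port_policy(flow) == "deny":
        return "deny"
    hit = any(sig in flow.payload for sig in IPS_SIGNATURES)
    return "deny" if hit else "allow"


# Model 3 rule table: (user or "any", application, function or "any", verdict).
# Rules are positive: anything not listed falls through to the default deny.
APP_RULES = [
    ("any", "web-browsing", "any",    "allow"),
    ("any", "webmail",      "browse", "allow"),
    ("any", "webmail",      "upload", "deny"),   # "allow the app, but not this function"
]


def ngfw_policy(flow: Flow) -> str:
    """Model 3: application-aware positive control keyed on user, app and function."""
    for user, app, function, verdict in APP_RULES:
        if user in ("any", flow.user) and app == flow.app and function in ("any", flow.function):
            return verdict
    return "deny"   # unknown or unlisted traffic is handled by policy, not passed by default


def evaluate(flows=FLOWS) -> dict:
    """Return {user: (port verdict, IPS verdict, NGFW verdict)} for each flow."""
    return {f.user: (port_policy(f), ips_policy(f), ngfw_policy(f)) for f in flows}


if __name__ == "__main__":
    for user, verdicts in evaluate().items():
        print(f"{user:6} port={verdicts[0]:5} ips={verdicts[1]:5} ngfw={verdicts[2]}")
```

Reading the output: the port-based model allows everything because everything is on 443; the IPS helper blocks only the flow whose payload matches its one signature and waves through both the unidentified bytes and the varied-payload copy of the same evasive app; only the application-aware model expresses “allow webmail, but not upload” and denies unknown traffic by policy rather than by accident.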
Real NGFWs Provide a Better Approach to IPS
• Integrating IPS into the firewall is NOT simply about convenience… it’s a necessity
• True integration of IPS with the NGFW solves problems that traditional IPS can’t:
1. Controls threats on non-standard ports
2. Proactively reduces the attack surface
3. Controls the methods attackers use to hide
4. Integrates multiple threat prevention disciplines
5. Provides visibility and control of unknown threats
How to choose
…Buyers Guide
Things to consider before buying NGFW
1. Identify and control applications on any port
2. Identify and control circumventors
3. Decrypt outbound SSL
4. Identify and control applications sharing the same connection
5. Provide application function control
6. Deal with unknown traffic by policy
7. Scan for viruses and malware in allowed collaborative applications
8. Enable the same application visibility and control for remote users
9. Make network security simpler, not more complex, with the addition of application control
10. Deliver the same throughput and performance with application control active
Juniper AppSec
Customer Priorities
• Addressing the Evolving Threat Landscape
• Visibility into Web 2.0 Threats
• Scalable Policy Enforcement & Management
• Control of Application Usage
• Rapid Response to New Threats
Juniper Security Solutions
• AppSecure Software
• Security Research Teams
• SRX Security Service Gateways
AppSecure direction
• Understand security risks
• Address new user behaviors
Application Intelligence from User to Data Center
• Subscription service includes all modules and updates
• Juniper Security Lab provides 800+ application signatures
AppSecure modules:
• AppTrack
• AppFW – block access to risky apps; allows user-tailored policies
• AppQoS – prioritize important apps; rate limit less important apps
• AppDoS – protect apps from bot attacks; allow legitimate user traffic
• IPS – remediate security threats; stay current with daily signatures
INTEGRATED APPLICATION INTELLIGENCE: AppSecure
APPLICATION VISIBILITY
Thank you!
Resources & Further readings
• Enterprise Strategy Group: The Network Application Security Architecture Requirement
• NSS Labs: Q2 2009 IPS Group Test
• Juniper Networks: ESG - The Network Application Security Architecture Requirement
• Palo Alto Networks: Academic Freedom or Application Chaos?