Next Generation Firewalls
March 25, 2015
Firewall technology has become a key part of each and every company’s security defence strategy. As the pace of technological change continues to move quickly, firewall technology has become much more sophisticated. The latest trend in firewall naming conventions is “NextGen Firewall” (NGFw).
The most important features of a NGFw are:
- the ability to create username-based policy
- the ability to analyze user traffic inside the SSL/HTTPS tunnel
The key differentiators between traditional and next generation firewalls include:
- Application control (App Control): NGFw should be application aware, regardless of the port that the application is using.
- Intrusion Prevention System (IPS): NGFw should be able to act as a full IPS and monitor/block malicious network activity.
- URL Filtering: NGFw should be a compatible replacement for traditional URL Filtering Proxy devices, with multiple categories and frequent updates to the categories.
- Antivirus/Malware: NGFw should be able to scan files going through the firewall, compare them with a signature database or perform sandboxing, to determine whether the files can harm the company environment.
- Reporting: NGFw should be able to create reports based on the features above to provide better visibility into firewall activity.
While these NGFw features provide great value, they are crippled without understanding the identity of the user and having the ability to enforce policy inside of the SSL/HTTPS tunnel.
Why User Based Policy is Necessary
- Users are mobile and they can move from floor to floor or office to office
- Wi-Fi hotspots have short DHCP leases, so IP-based information in the NGFw logs will not stay accurate
- Troubleshooting becomes easier when the firewall analysts can see the username and the machine name in the logs instead of only the IP address
- User-based firewall rules allow granular access by department or AD group
- The company will be able to create different policies for URL Filtering, Application Control and DLP based on the departments and the access users require
- The firewall admin will be able to exclude certain users from a policy without knowing the exact IP of the user
- Firewall rules can be created for Terminal Servers/shared workstations
Considerations When Implementing User Based Policy
- Devices with static IP such as servers
- Devices that are not part of the domain
- Multiple AD Domains on the network
- Domain controllers over the WAN
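To make the two lists above concrete, here is an added example (not code from the original post or from any vendor's product) of how a firewall might keep an IP-to-user table with lease expiry and evaluate user/group based rules against it. The rule base, AD groups, usernames, hostnames and IPs are all constructed; the "user:", "host:" and "unknown" subject prefixes are this example's own convention.

```python
from collections import namedtuple

# Constructed example data. Static-IP devices (servers) never map to a user
# and are matched by hostname instead.
STATIC_HOSTS = {"10.0.0.5": "srv-mail"}

# Constructed rule base, evaluated first-match. A subject is an AD group, a
# "user:<name>" entry (placed before a group rule, it excludes that user from
# it), "host:<name>" for a static-IP server, or "unknown" for a device the
# firewall could not map to a user (non-domain machine, expired lease).
RULES = [
    ("user:alice", "ssh", "allow"),   # alice is exempt from the Finance ssh block
    ("Finance", "ssh", "deny"),
    ("Finance", "*", "allow"),
    ("Domain Users", "web-browsing", "allow"),
    ("host:srv-mail", "smtp", "allow"),
    ("unknown", "web-browsing", "allow"),
]
DEFAULT_ACTION = "deny"

Mapping = namedtuple("Mapping", "user machine groups expires_at")  # expires_at: epoch seconds


class UserIdPolicy:
    def __init__(self):
        self.ip_map = {}  # ip -> Mapping

    def learn(self, ip, user, machine, groups, now, ttl):
        # Fed by AD logon events. Keep ttl no longer than the DHCP lease so an
        # IP reused on a hotspot is not still attributed to the previous user.
        self.ip_map[ip] = Mapping(user, machine, frozenset(groups), now + ttl)

    def identify(self, ip, now):
        # Returns the Mapping for log enrichment (user + machine name), or None.
        m = self.ip_map.get(ip)
        if m is None or m.expires_at <= now:
            self.ip_map.pop(ip, None)  # stale: no identity beats a wrong identity
            return None
        return m

    def decide(self, ip, app, now):
        if ip in STATIC_HOSTS:
            subjects = {"host:" + STATIC_HOSTS[ip]}
        else:
            m = self.identify(ip, now)
            subjects = {"unknown"} if m is None else {"user:" + m.user} | m.groups
        for subject, rule_app, action in RULES:
            if subject in subjects and rule_app in ("*", app):
                return action
        return DEFAULT_ACTION
```

Once a mapping expires the device falls back to the "unknown" rules, which is the behaviour you want on short-lease Wi-Fi segments rather than applying the previous user's permissions to whoever got the address next.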
Why Decryption of HTTPS Traffic is Important
- According to NSS Labs (2013), 25%-35% of enterprise web traffic runs over HTTPS
- Malware is becoming more sophisticated and is starting to use HTTPS/SSL
- The most visited sites on the internet use native HTTPS (examples include Google, Facebook, LinkedIn)
- Users are becoming more sophisticated and are starting to use browser add-ons such as HTTPS Everywhere to browse over HTTPS wherever it is possible
- Google will offer a better rating for HTTPS sites 1
- Firewall logs and SIEM products will show a tag with the name “SSL traffic” instead of the true protocols running inside the SSL tunnels
- Malware detection and Security Analytics devices will have poor visibility into HTTPS traffic
Considerations When Implementing HTTPS Decryption
- Most countries will not allow a company to decrypt private information such as banking and health data
- A company must have a solid deployment of the decryption (SSL interception) CA certificate across all the inspected endpoint machines before HTTPS decryption is enabled
- The NGFw or the device that is performing the SSL decryption must be able to recognize invalid and expired SSL certificates
- SSL decryption is CPU intensive
Implementing user identification and HTTPS decryption can be a complicated task, depending on the customer’s environment. It is important to create a step-by-step integration plan with clear, concise goals.
For more information on NGFw, contact Herjavec Group’s consulting services team.