
10 mandatory features of a next-generation firewall

Firewall selection criteria are usually divided into three main areas: security functions, ease of management, and performance.

The security functions determine how effective the device is and how well your team can manage the risks that come with the applications running on the network. From the management side, the main questions are where the application-control policy lives, how complicated it is, and how hard it is for your staff to maintain. Performance is simpler: can the firewall perform the functions assigned to it while delivering the bandwidth the enterprise needs?
Each organization will set its own requirements and priorities among these criteria. To help with that, we decided to spell out the 10 mandatory functions of a next-generation firewall:


  1. Identification and control of applications on any port
  2. Identification and control of security bypass tools
  3. Decryption of outbound SSL and control of SSH traffic
  4. Control of application functions and sub-applications
  5. Management of unknown traffic
  6. Scanning for viruses and malware in all applications, on all ports
  7. The same visibility and application control for all users and devices
  8. Simplifying, not complicating, network security when application control is added
  9. The same bandwidth and performance with full application security enabled
  10. Exactly the same firewall features in both hardware and virtual form factors

1. Your new firewall should identify and control applications on all ports, all the time.


Real example. Application developers no longer follow the convention of building applications on standard ports and protocols. A growing number of applications work over non-standard ports or hop between ports (instant messaging, peer-to-peer file sharing and VoIP: Skype, BitTorrent, H.248, Lync, AIM and so on). In addition, more and more users are able to run applications over non-standard ports themselves (RDP and SSH, for example). To enforce policy for applications that are no longer tied to ports, your new firewall must assume that any application can appear on any port. "Any application on any port" is one of the fundamental changes in how applications behave, and it is what forces the move from firewalls that control traffic by port to next-generation firewalls. It also shows once again that a negative enforcement model (allow by default) does not solve the problem. If an application can move to any port, a product built on the negative model must either know in advance where to look or continuously run every signature on every port. Otherwise it misses the attack, because by default it passes everything it does not recognize. A positive model (deny by default) means classifying all traffic; a negative model (allow by default) means classifying only certain traffic and letting the unknown remainder through.


Requirements. The requirement is simple: assume that every application can run on any port, so your new firewall must by default classify traffic by application on all ports, continuously. This requirement should be put to every modern protection product, and the problem of classifying traffic on all ports will come up again in each of the remaining requirements. Otherwise we will keep seeing port-based inspection bypassed with the same technique that has existed for years: the attacker moves the application to another port and the protection stops seeing it. It is time to bring order to your network.


Practical note: in real products, identifying and controlling an application are three separate operations: identify the application, block the application, and safely allow the application. It happens that a vendor correctly identifies a given application but cannot block it. Modern applications are built to get through: if you block them one way, they try a second, a third, and so on as long as any path remains; they are very persistent. So blocking must be checked carefully during testing; identifying the application is only the beginning of the journey. If you allow an application but do not inspect its content, that is again unsafe, so safe enablement also requires content inspection with IPS, antivirus, anti-spyware, DLP and other signatures. Browser traffic is also commonly checked against the URL categories visited by employees and by automated applications.


Controlling applications on the same IP and port. With cloud technologies, more and more applications run on the same server: traffic for different applications goes to and from the same IP address on port 80 or 443. Hundreds of different applications live on one server, sending and receiving files, and security staff need to control those files and applications. What can be done? A plain firewall cannot tell these applications apart; its rules have no "application" criterion. Next-generation firewalls do have one: they distinguish applications by the transmitted content or by HTTP request headers, and they can see and control files inside a session, blocking file types by their content, checking them for viruses and exploits, and catching leaks of confidential data.


Checking the application-control mechanism. A simple test of whether your firewall can really work with applications: configure two rules controlling two applications on the test portal http://basic.ngfw-test.com/. In the first application's traffic block only PDF file transfers; in the second, block only viruses. That is, two different operations on two different applications on the same server, but not both on the same application.


2. Your next-generation firewall should identify and control the tools that bypass security controls.


Real example. Today programmers deliberately write applications to get through firewalls. They do it for the sake of the so-called user experience.


Programmers want you to be comfortable: you install Skype and it immediately "lights up green". You are pleased that you did not have to talk the administrator into adding firewall rules, because such applications find and use ports that are already open for other applications, typically 80, 53, 123, 25 and 110, or they simply pick up the proxy settings from the browser.
Modern protection products are not perfect; they are also written by programmers. Decades ago, when the Internet was designed, ports were agreed upon as the way to identify applications: 80 for HTTP, 25 for SMTP, 21 for FTP and so on. That has changed: any application can now travel over these ports. Have the protections changed with it? Can they tell that what is on the standard HTTP port (80) is now some application other than HTTP?


Your network now has enough applications that can be used to bypass the security policies protecting the organization. How do you control them?
Security-bypass tools fall into two classes: applications originally built to evade security controls (external proxies and encrypted tunnel applications other than VPN) and applications that can be repurposed for it (remote server and desktop management tools).



Do standard network applications carry any risk? After all, remote-access applications and many encrypted tunnel applications are used by administrators and employees. But those same tools are increasingly used by attackers at different stages of complex attacks; Cobalt Strike in 2017 is an example. If an organization cannot control the use of these bypass tools, it cannot enforce its security policies and exposes itself to every risk those policies were meant to cover.


There are various kinds of circumvention applications, and the techniques each kind uses differ somewhat. There are public and private external proxies that can use both HTTP and HTTPS; proxy.org, for instance, hosts a large public proxy database (blocked in the Russian Federation, and it should be blocked on your corporate network too). Private proxies are often set up on unclassified IP addresses (home computers, say) with applications such as PHProxy or CGIProxy. Remote-access applications such as RDP, TeamViewer or GoToMyPC have legitimate uses, but because of the extra risk they introduce they must be strictly controlled. Most other bypass applications (Ultrasurf, Tor, Hamachi) have no business value on your network. Whatever your policy says, your next-generation firewall must have dedicated techniques that identify and control all of these applications without depending on a particular port, protocol, encryption method or other evasion tactic.
One more important point: bypass applications are updated regularly, which makes them harder to detect and control. So it matters how often the vendor updates and maintains the application-control functions your firewall ships with.


Real example. Are standard protocols used on non-standard ports in your network? Can an administrator move RDP from its standard port 3389 to another? Yes. Can HTTP run on a port other than the familiar 80? It not only can, it does. Can an FTP server on the Internet listen on a port other than 21? Yes, a huge number do. Do your protection products see this? If not, then for an employee or an attacker this is the standard way to evade policy checks: move FTP to port 25 and your protection thinks it is SMTP. Do your IPS or antivirus signatures only run on port 80 or 110 (POP3)? Then the attacker moves the traffic to any other port, say 10000.


Requirements. Your new firewall should determine the type of traffic from the real content carried inside the packets. The world has changed: even theatre entrances now have metal detectors; showing your row and seat number is no longer enough. The same goes for corporate networks: you need to check the contents of network packets, not just their headers. Your new firewall should be able to identify applications from the payload, on any port.
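The two passages above (requirement 1 on classifying by application on any port, and the FTP-on-port-25 example in requirement 2) come down to one comparison: what a port table says about a flow versus what its first bytes say, and what the positive and negative models then do with the answer. The following is an added example, not code from the original article or from any firewall vendor; the signatures are the protocols' real opening handshakes and banners, while the flows and the policy are constructed for the demonstration.

```python
"""
Added example (not from the original article): a minimal content-based protocol
classifier set beside the port-based view a traditional firewall has, plus the
two enforcement models the article contrasts. All flows below are constructed
for the demonstration; no real traffic was captured.
"""
import re

# What a port-based firewall "knows": the classic port-to-protocol table.
PORT_TABLE = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http",
              110: "pop3", 443: "ssl", 3389: "rdp"}

# Content signatures matched against the first bytes of each direction.
# Each is the protocol's real opening handshake or banner, so it holds on any port.
SIGNATURES = [
    ("ssh",  lambda c2s, s2c: c2s.startswith(b"SSH-") or s2c.startswith(b"SSH-")),
    ("http", lambda c2s, s2c: re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n", c2s) is not None),
    # TLS record: content type 0x16 (handshake), version 0x03xx, then handshake type 0x01 (ClientHello)
    ("ssl",  lambda c2s, s2c: len(c2s) > 5 and c2s[0] == 0x16 and c2s[1] == 0x03 and c2s[5] == 0x01),
    # RDP: TPKT header 03 00, then an X.224 Connection Request (TPDU code 0xE0)
    ("rdp",  lambda c2s, s2c: len(c2s) > 5 and c2s[:2] == b"\x03\x00" and c2s[5] == 0xE0),
    # FTP and SMTP both greet with "220", so the client's first command decides
    ("ftp",  lambda c2s, s2c: re.match(rb"^(USER|PASS|FEAT|SYST|TYPE|RETR|STOR)\b", c2s, re.I) is not None),
    ("smtp", lambda c2s, s2c: re.match(rb"^(EHLO|HELO)\b", c2s, re.I) is not None),
]

def classify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")

def classify_by_content(c2s: bytes, s2c: bytes = b"") -> str:
    for name, matches in SIGNATURES:
        if matches(c2s, s2c):
            return name
    return "unknown"

# Hypothetical policy: the same intent expressed in both models.
POLICY = {"allow": {"http", "ssl", "dns", "smtp"},   # positive model: only these pass
          "block": {"ftp", "ssh", "rdp"}}            # negative model: only these are dropped

def decide(app: str, model: str, policy=POLICY) -> str:
    """positive = deny by default (unknown is dropped); negative = allow by default (unknown passes)."""
    if model == "positive":
        return "allow" if app in policy["allow"] else "deny"
    return "deny" if app in policy["block"] else "allow"

# Constructed flows: (description, dst_port, first client bytes, first server bytes)
FLOWS = [
    ("http on its standard port", 80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    ("ftp moved to the smtp port", 25, b"USER anonymous\r\n", b"220 FTP server ready.\r\n"),
    ("ssh moved to the http port", 80, b"SSH-2.0-OpenSSH_9.2\r\n", b"SSH-2.0-OpenSSH_9.2\r\n"),
    ("tls on port 10000", 10000, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32, b""),
    ("rdp on port 5555", 5555, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00", b""),
    ("custom binary protocol on 443", 443, b"\x7f\x01\x02CUSTOMv1\x00", b"\x7f\xff"),
]

def compare(flows=FLOWS):
    """Per flow: the port verdict, the content verdict, and each model's decision."""
    rows = []
    for desc, port, c2s, s2c in flows:
        by_port, by_content = classify_by_port(port), classify_by_content(c2s, s2c)
        rows.append({"flow": desc, "port": port, "by_port": by_port, "by_content": by_content,
                     "port_based_negative": decide(by_port, "negative"),
                     "content_negative": decide(by_content, "negative"),
                     "content_positive": decide(by_content, "positive")})
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The "ftp moved to the smtp port" row is the article's scenario: the port table says SMTP and a negative-model firewall lets it through, while the payload says FTP and it is dropped. The last row shows the other half of the argument: a protocol no signature recognizes is "unknown", which the negative model passes and the positive model blocks.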


3. Your next-generation firewall should decrypt and inspect SSL, and control the use of SSH.


Real example. Currently about 30% of the applications in corporate networks use SSL in one form or another. Given that end users increasingly use HTTPS for popular high-risk applications (Gmail, Facebook) and that SSL is available on many websites, security teams find that more and more traffic is opaque to them: they lose the ability to decrypt, classify, control and scan SSL-encrypted traffic. A next-generation firewall must therefore be flexible enough to leave certain traffic encrypted (web traffic to financial-services or healthcare organizations, for example) and, by policy, decrypt other traffic (SSL on non-standard ports, HTTPS to unclassified websites). SSH is almost universal, and end users can easily turn it to their own purposes, like any other remote-desktop tool. Because data sent over SSH is encrypted, the protocol is an effective way to hide non-work activity.


Requirements. The ability to decrypt SSL is a fundamental factor in choosing a network security solution, not only because it covers a significant share of corporate traffic, but because it makes the other key functions effective; without it they are incomplete or ineffective. Other key factors are detection and decryption of SSL on any port, both inbound and outbound; policy control over decrypted traffic; and the hardware and software needed to decrypt and re-encrypt tens of thousands of simultaneous SSL connections with predictable performance. Another important requirement is the ability to identify and control the use of SSH. Specifically, SSH control means determining what SSH is being used for: port-forwarding tunnels (local, remote, X11) or its intended uses (SCP, SFTP and shell access). That information about the purpose of an SSH session can then be turned into security policy rules.
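The decryption policy described above has three inputs that can all be read off the first client packet: whether it is TLS at all (by content, so the port does not matter), which server the client is asking for (the SNI in the ClientHello), and the category of that server. The following added example, not code from the original article or from any vendor, parses a ClientHello for its SNI and applies a decrypt-or-bypass policy of that shape; the category table, host names and the exempt categories are constructed assumptions standing in for a real URL-category feed.

```python
"""
Added example (not from the original article): find TLS by content rather than
port, pull the server name (SNI) out of the ClientHello, and apply a
decrypt-or-bypass policy of the kind the requirement describes. The category
table and host names are constructed assumptions, not any vendor's feed.
"""
import struct

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (test input only)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name           # name_type host_name(0), length, name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list            # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                               # client_version, random
            + b"\x00"                                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00"                                            # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def is_tls_client_hello(data: bytes) -> bool:
    """Handshake record (0x16), SSL 3.x/TLS major version, ClientHello at offset 5: holds on any port."""
    return len(data) > 5 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

def parse_sni(data: bytes):
    """Return the SNI host name from a ClientHello, or None if absent or not a ClientHello."""
    if not is_tls_client_hello(data):
        return None
    try:
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 2 + 32                                          # skip client_version and random
        p += 1 + body[p]                                    # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]      # cipher_suites
        p += 1 + body[p]                                    # compression_methods
        if p + 2 > len(body):
            return None                                     # no extensions block at all (old clients)
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            edata = body[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:   # server_name list, host_name entry
                name_len = struct.unpack("!H", edata[3:5])[0]
                return edata[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                         # truncated or malformed: treat as no SNI
    return None

# Constructed stand-in for the firewall's URL-category feed.
CATEGORIES = {"bank.example": "finance", "clinic.example": "healthcare",
              "webmail.example": "web-mail", "social.example": "social-networking"}
EXEMPT_CATEGORIES = {"finance", "healthcare"}   # left encrypted by policy

def decrypt_decision(dst_port: int, first_client_bytes: bytes) -> dict:
    """SSL on a non-standard port and unclassified sites are always decrypted; on 443,
    exempt categories pass through encrypted and everything else is decrypted."""
    if not is_tls_client_hello(first_client_bytes):
        return {"tls": False, "sni": None, "category": None, "action": "not-ssl", "reason": ""}
    sni = parse_sni(first_client_bytes)
    category = CATEGORIES.get(sni, "unclassified")
    if dst_port != 443:
        action, reason = "decrypt", "ssl on non-standard port"
    elif category in EXEMPT_CATEGORIES:
        action, reason = "bypass", f"category {category} is exempt"
    else:
        action, reason = "decrypt", f"category {category} is not exempt"
    return {"tls": True, "sni": sni, "category": category, "action": action, "reason": reason}

if __name__ == "__main__":
    for port, host in ((443, "bank.example"), (8443, "bank.example"), (443, "social.example"), (443, "nobody.example")):
        print(port, host, decrypt_decision(port, build_client_hello(host)))
```

Two caveats a practitioner would add: a ClientHello without SNI (or with encrypted SNI) lands in "unclassified" and is decrypted here, which is the conservative choice, and the SNI is client-supplied, so a categorization that exempts traffic from decryption should be confirmed against the server certificate once the handshake is seen.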


Presentation "We look at HTTPS traffic" https://www.slideshare.net/ksiva/https-75840362


4. Safe application enablement. Your firewall should control application functions.


Real example. Platform application developers such as Google, Facebook, Salesforce.com or Microsoft offer users a rich set of components and functions that build loyalty but at the same time present complex risk profiles. Take WebEx, an effective business tool. Its desktop-sharing function (WebEx Desktop Sharing), which lets an external party reach your desktop, can violate internal policies or regulatory requirements. Another example is Google Mail (Gmail) and Google Talk (Gtalk): once a user has signed in to Gmail, which policy may allow, they can easily switch context to Gtalk, which the same policy may forbid. Your next-generation firewall should be able to recognize and distinguish individual components and functions; only then can appropriate policies be enforced.


Requirements. Your next-generation firewall should classify each application continuously, tracking every change that may indicate the use of a particular function. "One-off" classification is no answer, because it ignores the fact that different applications can share one network session and that one application can perform several functions. If another function or application is identified within the session, the firewall should record that fact in its session state tables and re-evaluate policy. Continuous monitoring of state, so as to identify the various functions each application can exercise and the risks attached to them, is the most important requirement for your next-generation firewall.


Check. Traditional approaches to controlling applications suggest either blocking all application traffic with an ever-growing list of point products bolted on beside the firewall, which complicates the enterprise's operations, or allowing access to all applications, which is equally unacceptable given the growing threats to business and security. The problem is that a traditional port-based firewall, even with an optional application-blocking feature, is not an alternative to either of those approaches. To find a balance between "allow everything" and "deny everything", applications must be safely enabled, with application identity, application user and content type as the main criteria of the firewall's security policy, according to the needs of the enterprise. As more and more applications run on the same hardware and servers, the new firewall has to be able to tell them apart. Try configuring your next-generation firewall to distinguish two different applications running on the same IP address and port of the same server, and see whether different policies take effect for the different applications.
In this example you want separate profiles: one that blocks downloads of PDF files and one that scans for viruses.
http://basic.ngfw-test.com/


Safe application enablement. To allow applications and technologies to be used safely, and to support the business processes built on them, network security specialists need not only the right policies but also the means to enforce them. Next-generation firewalls are those means.


5. Your next-generation firewall should systematically manage unknown traffic.


Real example. Some traffic on the network cannot be identified by its content; we will call it unknown traffic. A small amount of unknown traffic is present on every network, and even a small amount presents a significant risk to your organization. You need to understand who generates this traffic and why. Several important questions about unknown traffic need to be considered: can it be classified somehow; can it be reduced to a minimum with security policies; can your firewall easily identify in-house applications so that they can be moved into the known category and referenced in security policy; and can your firewall determine whether the unknown traffic poses a threat? Unknown traffic is closely tied to network threats. Attackers often modify data streams to exploit weaknesses in the targeted application.
For example, to attack a web server an attacker may need to alter the HTTP header, after which the traffic is no longer identified as web traffic. Such an anomaly can be an early sign of an attack. Malware also often uses custom or modified protocols to talk to its command-and-control server, which gives security specialists a way to spot intrusions by otherwise unknown malware.


Requirements. Your next-generation firewall should classify all traffic on all ports by default; this is the criterion that must shape the architecture and the security management model.
There are two ways to write firewall rules.
A positive model (block everything unknown by default) means classifying all traffic, so that only what is not recognized is blocked; a negative model (allow everything unknown by default) means classifying only specific traffic, because any protocol or application we do not know is simply let through.
Classifying all traffic and isolating the unknown is only the first task. Your next-generation firewall should give you visibility into all unknown traffic on all ports, and it should be able to analyse that traffic quickly and determine what it is:


  1. internal or self-written application
  2. commercial application without a ready signature or
  3. threat.

In addition, the firewall should be able to:



6. Your next-generation firewall should scan files for threats on all ports, in all identified applications.


Real example. Organizations keep introducing new applications that improve business efficiency. They may sit inside the network or beyond its perimeter: SharePoint, Box.net, Google Docs, Microsoft Office 365, or an application hosted by a partner. Many organizations need applications that work over non-standard ports, use SSL, or share files. In other words, these applications improve business efficiency but can also serve as a vector for concealing cyber threats. Moreover, some of them (SharePoint, for example) depend on technologies that are regular targets of attacks (IIS, SQL Server); blocking the application does not remove that threat. Yet allowing all applications outright carries business risk and creates fertile ground for attacks. Malware delivered over non-standard ports is a growing trend and an acute problem for security officers. Since malware connects to its command-and-control server from inside the network, an attacker can use any combination of ports and protocols, because outbound connections from internal employees to any port are usually allowed. In an analysis of one network over three months, 97% of all unknown malware arrived via FTP, and only over non-standard ports. Do your security tools recognize a protocol such as FTP on ports other than the standard 21? We see FTP connections on port 25, for instance, which is also frequently open to the outside.


Requirements. Safely enabling applications on any port means a policy that identifies the application and scans the files it transfers for known and unknown threats. These applications may use various combinations of protocols (SharePoint, for example, uses CIFS, HTTP and HTTPS and requires a more sophisticated policy than a simple "block the application"). The first step is to identify the application regardless of port or encryption, decide which of its functions are allowed or denied, and then scan the allowed components for threats: exploits, viruses and malware, spyware, or even confidential or secret information. A firewall may determine, for instance, that a confidential presentation has been uploaded to the SlideShare service.
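The two-rule check proposed earlier (block only PDFs for one application, only viruses for another, both on the same server and port), the continuous per-session classification requirement 4 asks for, and the scan-allowed-content step above all reduce to the same machinery: tell the applications apart by something other than IP and port, keep re-classifying as the session goes on, and judge each transferred file by its content. The following is an added example, not code from the original article or from any vendor and not the real layout of basic.ngfw-test.com; the host names, policies and HTTP messages are constructed, and the only "antivirus signature" is the standard EICAR test string.

```python
"""
Added example (not from the original article): two "applications" sharing one
server, IP address and port, told apart by the HTTP Host header, with a different
content policy enforced on each, and a session table that re-classifies every
message rather than only the first. Host names, policies and HTTP messages are
constructed for the demonstration; they are not the real layout of
basic.ngfw-test.com. The EICAR string is the standard antivirus test file.
"""
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical per-application policy: app1 blocks PDFs only, app2 scans for viruses only.
APP_POLICY = {
    "app1.example": {"block_file_types": {"pdf"}, "scan_av": False},
    "app2.example": {"block_file_types": set(), "scan_av": True},
}

def file_type(body: bytes) -> str:
    """Type by content (magic bytes), never by extension or Content-Type header."""
    if body.startswith(b"%PDF-"):
        return "pdf"
    if body.startswith(b"PK\x03\x04"):
        return "zip"
    if body.startswith(b"MZ"):
        return "pe"
    return "other"

def av_verdict(body: bytes):
    """Stand-in for the AV engine: the only signature here is the EICAR test string."""
    return "eicar-test-file" if EICAR in body else None

def parse_http(raw: bytes):
    """Split an HTTP/1.x message into (start line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

class SessionTable:
    """Per-session state: which applications have been seen on this 5-tuple so far.
    Classification is repeated on every request, because a keep-alive connection to
    one IP:port can carry requests for different applications in turn."""
    def __init__(self):
        self.sessions = {}

    def inspect(self, five_tuple, raw_request: bytes, raw_response: bytes) -> dict:
        _, req_headers, req_body = parse_http(raw_request)
        _, _, rsp_body = parse_http(raw_response)
        app = req_headers.get("host", "unknown").split(":")[0]
        state = self.sessions.setdefault(five_tuple, {"apps_seen": []})
        if app not in state["apps_seen"]:
            state["apps_seen"].append(app)
        policy = APP_POLICY.get(app)
        if policy is None:            # positive model: an application without a policy is denied
            return {"app": app, "action": "deny", "reason": "no policy for application"}
        findings = []
        for direction, body in (("upload", req_body), ("download", rsp_body)):
            if not body:
                continue
            ftype = file_type(body)
            if ftype in policy["block_file_types"]:
                findings.append(f"{direction}: {ftype} blocked by file-type rule")
            if policy["scan_av"]:
                verdict = av_verdict(body)
                if verdict:
                    findings.append(f"{direction}: {verdict}")
        return {"app": app, "action": "deny" if findings else "allow",
                "reason": "; ".join(findings) or "policy allow"}

# Constructed traffic: one client, one server IP:port, five requests on one keep-alive session.
FIVE_TUPLE = ("10.0.0.5", 51000, "203.0.113.10", 80, "tcp")
PDF_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n%PDF-1.7\n%...\n"
EICAR_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + EICAR
EXCHANGES = [
    (b"GET /report.pdf HTTP/1.1\r\nHost: app1.example\r\n\r\n", PDF_RESPONSE),
    (b"GET /report.pdf HTTP/1.1\r\nHost: app2.example\r\n\r\n", PDF_RESPONSE),
    (b"GET /tool.com HTTP/1.1\r\nHost: app2.example\r\n\r\n", EICAR_RESPONSE),
    (b"GET /tool.com HTTP/1.1\r\nHost: app1.example\r\n\r\n", EICAR_RESPONSE),
    (b"GET / HTTP/1.1\r\nHost: app3.example\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\nhello"),
]

def run_demo(exchanges=EXCHANGES):
    table = SessionTable()
    results = [table.inspect(FIVE_TUPLE, req, rsp) for req, rsp in exchanges]
    return results, table.sessions[FIVE_TUPLE]["apps_seen"]

if __name__ == "__main__":
    results, apps = run_demo()
    for r in results:
        print(r)
    print("applications seen on this session:", apps)
```

The same PDF is blocked for app1 and allowed for app2, and the same test file is caught for app2 and passed for app1, which is exactly the "two operations, two applications, one server" outcome the check asks for; a firewall that keys policy only on IP and port cannot produce it. The fourth exchange is also the point of the practical note in requirement 1: an application that is identified and allowed but whose content is not scanned is not safely enabled.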


7. Your next-generation firewall should provide constant control over all users, regardless of their location or device type.


Real example. Your users increasingly work outside the office, reaching the corporate network from smartphones or tablets over VPN. A significant part of your staff can work remotely. At a cafe table, at home or in meetings with customers, your employees take it for granted that they can reach their work applications over Wi-Fi or LTE/3G. Regardless of where the user, or even the application itself, is located, the firewall must apply the same standard of access control.


8. Adding application control to your next-generation firewall should simplify, not complicate, network security.


See also the application usage and risk report: researchcenter.paloaltonetworks.com/app-usage-risk-report-visualization-2014


9. Your next-generation firewall should deliver the same bandwidth and performance with full application security enabled.


10. Your next-generation firewall should support exactly the same features in both hardware and virtual form factors.

Source: https://habr.com/ru/post/327953/

