Ten Must-Haves for a Next Generation Firewall

In 2009, the first next generation firewall (NGFW) was developed to cope with increasing application threats to enterprise networks. The NGFW provides visibility into and control over applications and has become a buzzword in the network security industry. More and more organizations are considering buying next generation firewalls as security gateways. Attracted by the increasing demand, vendors hop on the NGFW bandwagon and launch what are claimed to be NGFW products in compliance with Gartner's definition. However, the NGFWs of some vendors are only subsets of traditional firewalls or UTMs and fail to defend against the application threats that enterprises are experiencing.

Most vendors take one of the following architectural approaches to implement NGFW functions:
• Base the NGFW engine on application identification performed before access control.
• Empower the IPS to identify applications after port-based access control.

Both approaches can identify and control applications, but with varying degrees of real-world performance. The second approach is only an enhanced UTM, which is essentially port-based protection.

So what problem is the NGFW supposed to resolve, how should the NGFW be applied, and what capabilities should the NGFW have? This paper offers a glimpse into these issues.

1 The NGFW must protect networks based on applications and implement minimum authorization using a whitelist.

As is widely known, traditional firewalls cannot distinguish applications that use the same port. This is why the NGFW was developed. The NGFW applies application-based security policies instead of port-based policies for higher security. Security management can work in either whitelist or blacklist mode, depending on the security device.
• Whitelist mode: Security devices deny all packets by default, except those of whitelisted applications.
  Traditional firewalls work in whitelist mode to allow only necessary service traffic, in accordance with the minimum authorization principle. This is without doubt the more secure protection mode.
• Blacklist mode: Security devices permit all packets by default, except those of blacklisted applications. Intrusion prevention system (IPS) and online behavior management (SWG) devices usually work in blacklist mode. In blacklist mode, security devices must identify illegitimate traffic and take action against it.

The NGFW is still a firewall and should work in whitelist mode. In whitelist mode, NGFWs discard unknown traffic by default. In contrast, unknown traffic is permitted in blacklist mode. Unknown traffic may contain undesired content, viruses, Trojan horses, or worms, which may compromise information security.

Where do you feel more secure, in a military installation or in a supermarket? The answer is definitely the military installation, because only authorized persons are allowed in. This is the minimum authorization principle. In a network environment full of unknown threats, the best choice is for the NGFW to comply with the minimum authorization principle and permit only the traffic of necessary applications.

Access control based on applications, a whitelist, and minimum authorization is the basic principle for NGFWs of all vendors. In the real world, some enterprises deploy port-based security policies on the NGFWs at their Internet egresses, or let the NGFWs allow unnecessary applications because the devices lack application identification capability. Such security holes may already have been exploited. Therefore, NGFWs must have the capabilities needed to implement minimum authorization. The following sections describe these NGFW capabilities in detail.

2 The NGFW must accurately identify applications on any port.
Background
In the Web 2.0 era, a large number of HTTP and HTTPS applications, such as Twitter, LinkedIn, Facebook, and Gmail, share the same ports (such as ports 80 and 443). Some applications, such as P2P applications (BT and eMule), use negotiated ephemeral ports. In addition, many enterprises change default ports to prevent targeted attacks; for example, many enterprise networks do not use port 22 for SSH. Identifying applications by port number is therefore increasingly unreliable, and the NGFW must accurately identify the different applications on each port and implement security policies accordingly.

Requirements
The NGFW must work in whitelist mode and permit only necessary applications.
• Firstly, the NGFW must be capable of accurately identifying a wide range of applications. If the NGFW identifies only a limited number of applications or the identification is inaccurate, it cannot ensure that services run properly, and the enterprise is forced into the less secure blacklist mode. In addition, the NGFW must identify different versions of the same application as one application instead of several, so that upgraded applications are still recognized.
• Secondly, the NGFW must be capable of identifying applications developed in-house by the enterprise.
• Last but not least, the NGFW must keep its application identification capability up to date with application upgrades.

When selecting NGFWs, enterprises focus on the number of identifiable applications, identification accuracy, the capability to identify user-defined applications, and the update frequency of the application signature database.

3 The NGFW must control application functions.

Background
Many applications have multiple functions. For example, some instant messaging (IM) applications integrate text and voice communication, file transfer, email, and games. File transfer can be further broken down into upload and download for separate control.
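The behaviour that requirements 1 to 3 describe (application identification that ignores the port number, a distinction between functions of the same application, and a default-deny whitelist that drops unidentified traffic) is illustrated in the following added Python example, which is not from the Huawei paper or from any Huawei product. The signatures, sample flows, whitelist and legacy open-port list are constructed for illustration, and the Flow class, identify(), decide(), port_based_decide() and compare() are the example's own names.

```python
"""Added example (not from the Huawei paper): a toy application-aware policy
engine. It identifies an application and, where relevant, the application
function from the first client bytes of a flow instead of from the port, then
enforces a default-deny whitelist, so unidentified traffic is dropped.
All signatures, flows and the policy are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the flow


# Constructed HTTP request-line signature; real signature databases are far
# larger and are updated continuously (requirement 2).
HTTP_REQUEST = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def identify(payload):
    """Return (application, function) from payload bytes, or
    ('unknown', 'unknown') when no signature matches. The port is never consulted."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh", "session"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent", "peer-handshake"
    m = HTTP_REQUEST.match(payload)
    if m:
        headers = payload.split(b"\r\n\r\n", 1)[0].lower()
        if m.group(1) in (b"POST", b"PUT") and b"content-type: multipart/form-data" in headers:
            return "http", "file-upload"   # function-level distinction (requirement 3)
        return "http", "web-browsing"
    return "unknown", "unknown"


# Whitelist: only these (application, function) pairs are permitted.
# Anything else, including traffic that could not be identified, is denied.
WHITELIST = frozenset({("ssh", "session"), ("http", "web-browsing")})


def decide(flow, whitelist=WHITELIST):
    """Application-based decision: returns (action, application, function)."""
    app, func = identify(flow.payload)
    action = "permit" if (app, func) in whitelist else "deny"
    return action, app, func


def port_based_decide(flow, open_ports=frozenset({22, 80, 443})):
    """Legacy port-based decision, for comparison only: it cannot see what
    actually runs on an open port and denies legitimate apps on other ports."""
    return "permit" if flow.dport in open_ports else "deny"


def compare(flows):
    """Run both policies over a list of flows and return rows of
    (dport, application, function, port_based_action, app_based_action)."""
    rows = []
    for f in flows:
        action, app, func = decide(f)
        rows.append((f.dport, app, func, port_based_decide(f), action))
    return rows


# Constructed flows illustrating the cases the paper raises.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.1.9", 2222, b"SSH-2.0-OpenSSH_9.6\r\n"),               # SSH moved off port 22
    Flow("10.0.0.6", "203.0.113.7", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),  # P2P hiding on port 80
    Flow("10.0.0.7", "203.0.113.8", 80,
         b"POST /upload HTTP/1.1\r\nHost: share.example\r\n"
         b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"),              # HTTP file upload
    Flow("10.0.0.8", "10.0.1.10", 8080, b"GET /index.html HTTP/1.1\r\nHost: wiki\r\n\r\n"),  # HTTP on 8080
    Flow("10.0.0.9", "203.0.113.9", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),  # unidentified bytes
]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print("dport=%-5d app=%-10s func=%-14s port-based=%-6s app-based=%s" % row)
```

Running the block prints one row per flow. The port-based column permits the P2P handshake and the file upload because they arrive on port 80 and denies SSH on port 2222, while the application-based column does the opposite and also drops the unidentified bytes on port 443, which is the whitelist behaviour the paper asks for. A real signature database must be far larger and maintained continuously, which is the point of requirement 2.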
An enterprise may need to allow only instant messaging and incoming email, while filtering file uploads and outgoing email content.

Requirements
The NGFW must identify the traffic of specific functions according to enterprise requirements, detect the security risks of each function, and implement control and defense policies. Some existing NGFWs can only identify applications, not their individual functions.

4 The NGFW must comprehensively protect the permitted application traffic.

Background
Some applications are crucial for improving enterprise efficiency. These applications must therefore be permitted despite their potential risks, but under strict protection. The protection methods vary with the security risk. For example, the Hotmail application may introduce malicious code and cause data leaks, so enterprises can require antivirus, data filtering, and content filtering for this application. Oracle database application vulnerabilities are easily exploited by attackers and require IPS protection. The NGFW must comprehensively protect the permitted application traffic.

Requirements
As an integrated security gateway, the NGFW must be capable of comprehensive protection beyond basic access control. Identifying threats and risks is the basis for protection: the NGFW must identify not only the applications but also their security risks in order to take protection measures. The predefined knowledge base of the NGFW must contain application signatures, the potential security risks of applications, and the actions that mitigate these risks.

5 The NGFW must provide user-specific access control.

Background
Mobile business has become a trend. Employees no longer stay in offices and use fixed IP addresses to access enterprise networks, which means that users are no longer tied to IP addresses and network borders become increasingly blurred.
An employee should have the same permissions and be subject to the same security policies regardless of whether they are using a PC or a smartphone. In this new environment, IP address-based access control and security protection no longer meet enterprise requirements. The NGFW must define security policies based on users.

Requirements
The NGFW must be capable of identifying users whenever and wherever they connect, on whatever device. This requires the NGFW to support as many user authentication modes as possible, and these modes must be consistent with the network access authentication system already running on the enterprise network. Ideally, the NGFW can interwork with the existing access authentication system so that user information does not have to be synchronized separately.

6 The NGFW must prevent information leaks.

Background
Most enterprises store information on electronic media. A small USB drive may contain core confidential technical information or years of research results. As the value of information assets increases, illegal trade in information has become industrialized. Hackers can steal information and employees can leak it. In the mobile Internet era, information leaks are easier with mobile apps and social networks. As the medium over which information is transmitted, networks are the key to data leak prevention. To prevent network-layer data leaks, the NGFW must be capable of keyword filtering and anti-evasion. Common evasion behaviors include:
• Out-of-order fragments, which prevent security devices from recognizing the traffic that should be scanned.
• File type disguise, such as changing file name extensions, to evade file scanning.
• Repeated file compression to evade inspection.
The NGFW must be able to defeat these evasion behaviors in order to prevent network-layer information leaks.

Requirements
To prevent network-layer information leaks, the NGFW must inspect and filter the traffic that may contain sensitive information.
To do so, the NGFW must identify traffic based on flows instead of packets to prevent evasion by packet fragmentation, identify the actual file types so that file contents can be filtered, and identify the real types of files that have been compressed multiple times and filter their contents. The firewall must support as many file types and protocols as possible for data filtering. In addition, the NGFW must be able to filter Word, Excel, PPT, and PDF files transferred over email, HTTP, FTP, IM, and SNS.

7 The NGFW must provide location-specific access control.

Background
The rapid development of smart devices makes mobile business a new trend and blurs network borders. Employees may access enterprise networks from the office, an airport, a hotel, a cafe, or home. The resources accessible to employees may differ depending on the location from which they access the network. For example, a product manager can access core information from the research center network at the headquarters, but not after leaving the research center network.

Requirements
The NGFW must identify access locations. Location awareness gives a thorough view of the geographical distribution of traffic and threats, which can be used to fine-tune security policies. For example, if a local enterprise sees a significant amount of traffic from a foreign country, it should be cautious. By analyzing traffic information on the traffic map, the NGFW can determine which applications generate the abnormal traffic and whether these applications pose security risks. Based on this information, administrators can configure fine-grained and accurate access control policies and enable location-specific in-depth protection on the NGFW. In addition, the NGFW must support user-defined locations to meet location control requirements.

8 The NGFW must migrate traditional firewall policies to application defense policies easily.
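The migration this requirement calls for (its background and requirements follow) is worked through in the added Python example below, which is not from the Huawei paper or from any Huawei product. A port-based policy is converted into application rules derived from observed traffic, the old and new policies are compared decision by decision on that traffic, and legacy rules that carried unidentified traffic are flagged for review rather than silently re-permitted. LEGACY_RULES, OBSERVED, RISKY_APPS and the function names are the example's own constructed assumptions.

```python
"""Added example (not from the Huawei paper): migrating a port-based policy to
an application-based one from observed traffic, then checking that the new
policy makes the same decisions on that traffic. Rules, traffic sample and the
risk list are constructed for illustration."""
from collections import defaultdict

# Constructed legacy policy: (name, destination port or None for any, action),
# evaluated top-down, first match wins.
LEGACY_RULES = [
    ("allow-web", 80, "permit"),
    ("allow-tls", 443, "permit"),
    ("allow-dns", 53, "permit"),
    ("default", None, "deny"),
]

# Constructed sample of flows seen during the analysis window:
# (destination port, application identified by the NGFW engine).
OBSERVED = [
    (80, "http"), (80, "http"), (80, "bittorrent"),
    (443, "gmail"), (443, "unknown"),
    (53, "dns"),
    (8080, "http"),
]

# Constructed knowledge base: applications the security team treats as high risk.
RISKY_APPS = {"bittorrent"}


def legacy_decision(dport, rules=LEGACY_RULES):
    """Port-based policy lookup."""
    for _, port, action in rules:
        if port is None or port == dport:
            return action
    return "deny"


def migrate(rules=LEGACY_RULES, observed=OBSERVED):
    """Derive application rules from the apps actually seen on each permitted
    port. Returns (new_rules, review) where review lists legacy rules that
    carried unidentified traffic; that traffic is NOT auto-permitted."""
    seen = defaultdict(set)
    for dport, app in observed:
        if legacy_decision(dport, rules) == "permit":
            seen[dport].add(app)
    new_rules, review = [], []
    for name, port, action in rules:
        if action != "permit":
            continue
        apps = set(seen.get(port, set()))
        if "unknown" in apps:
            review.append((name, port))
            apps.discard("unknown")
        for app in sorted(apps):
            new_rules.append((f"{name}-{app}", port, app, "permit"))
    return new_rules, review


def app_decision(dport, app, new_rules):
    """Application-based policy: permit only listed (port, app) pairs, default deny."""
    for _, port, rule_app, action in new_rules:
        if port == dport and rule_app == app:
            return action
    return "deny"


def consistency_report(new_rules, rules=LEGACY_RULES, observed=OBSERVED):
    """Every observed flow on which old and new policy disagree; an empty list
    means the migration preserved the legacy behaviour on the sample."""
    return [
        (dport, app, legacy_decision(dport, rules), app_decision(dport, app, new_rules))
        for dport, app in observed
        if legacy_decision(dport, rules) != app_decision(dport, app, new_rules)
    ]


def risk_findings(new_rules, risky=RISKY_APPS):
    """Migrated rules that now visibly permit a high-risk application; the
    port-based policy allowed these silently (policy tuning hint, requirement 9)."""
    return [(name, app) for name, _, app, _ in new_rules if app in risky]


if __name__ == "__main__":
    rules, review = migrate()
    for r in rules:
        print("rule", r)
    print("needs review (unknown traffic):", review)
    print("decision differences:", consistency_report(rules))
    print("high-risk apps now permitted:", risk_findings(rules))
```

On the constructed sample the only decision that changes is the unidentified traffic on port 443, which the legacy rule allowed and the migrated policy denies pending review; everything else is decided identically, so the consistency report doubles as the compliance evidence the section says migration should not require separately. The risk list shows the other benefit of migration: the P2P traffic that the port-80 rule permitted without anyone noticing is now an explicit rule an administrator can remove.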
Background
Traditional firewalls and UTMs use port-based policies. If an enterprise purchases an NGFW and keeps using port-based policies, these policies are insecure and must be migrated to application-based policies. The migration is a challenge for NGFW users. First, application traffic must be analyzed before migration, and even this cannot guarantee that all migrated policies are accurate. Second, migrated policies must pass the enterprise compliance check. Legacy port-based policies have been proven in service, and it is impossible to abandon them completely and configure NGFW policies from scratch.

Requirements
An NGFW must have intelligence beyond basic firewalling to help users migrate port-based policies to application-based policies easily. The migrated policies must be accurate and consistent with the original port-based policies, without requiring an extra compliance check.

9 The NGFW must assist the enterprise security team in fine-tuning security policies.

Background
Managing thousands of applications in accordance with the minimum authorization principle is not easy for any administrator. It is impractical to rely completely on human knowledge and skills to control so many applications. Therefore, the NGFW must have the intelligence to automatically provide suggestions that help administrators fine-tune security policies.

Requirements
The NGFW must assist users in creating more secure policies in accordance with the minimum authorization principle, allowing only necessary applications; it must estimate application and policy risk, and provide defense measures and policy tuning suggestions.

10 The performance drop of the NGFW must be lower than 50% with all security functions enabled.

Background
The disadvantage of UTM is that only basic firewall functions can be enabled in practice. If other security functions are enabled, performance deteriorates substantially.
Teams using a UTM must compromise between security and performance, and most customers enable only access control to avoid performance loss. Application threats are pervasive, and defense functions such as intrusion prevention (IPS) and antivirus (AV) are a must, not an option. The NGFW must provide security defense capabilities and high performance at the same time. In the Gartner definition, NGFWs should meet large enterprise requirements: in a 10G-level network, the NGFW must still deliver high performance even with all security functions enabled.

Requirements
Access control must be based on applications. The basic performance indicator is access control at the application layer, not the network layer. However, application-layer access control has a severe impact on performance, and the loss grows when other resource-consuming functions, such as pattern matching and content parsing, are enabled. To avoid severe performance loss, an optimal architecture design is critical. A well-designed NGFW should ensure that performance loss is less than 50% with all security functions enabled. To do so, the NGFW must use an integrated architecture, parallel processing, and dedicated hardware.

Some NGFW products are just hype. Their full-featured threat prevention is not as good as the vendors claim, and some NGFW products publish no performance figures for the case where application identification is enabled. Such NGFW products are in fact enhanced UTM products, and their real-world performance remains in question.

Application-specific defense has only just started. Applications are important productivity tools for enterprises. Although applications may be insecure, we cannot simply block them; we must instead enable them securely. Therefore, NGFW products should be able to control applications efficiently and effectively, simply by using well-designed security policies.
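The three evasion techniques listed under requirement 6 above (out-of-order fragments, disguised file types, and repeated compression) are worked through in the following added Python example, which is not from the Huawei paper or from any Huawei product. Segments are reassembled into a flow before anything is scanned, the file type is taken from leading magic bytes rather than from the file name, and nested ZIP containers are unwrapped under a depth and size bound before keyword filtering. The magic-byte table, extension map, bounds, sample file and all function names are the example's own constructed assumptions.

```python
"""Added example (not from the Huawei paper): the three evasion checks listed
under requirement 6, in toy form. Out-of-order or duplicated TCP segments are
reassembled into a flow before scanning, the file type is taken from magic
bytes rather than the file name, and nested ZIP containers are unwrapped
(bounded) before keyword filtering. Sample data is constructed inline."""
import io
import zipfile

MAGIC = [                          # (leading bytes, type label); constructed subset
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),         # also .docx/.xlsx/.pptx containers
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0", "ole"),   # legacy .doc/.xls/.ppt
]
EXT_TYPES = {"pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip",
             "pptx": "zip", "png": "png", "doc": "ole", "xls": "ole", "ppt": "ole"}
MAX_DEPTH = 4                      # nesting bound against zip-in-zip chains
MAX_MEMBER = 1 << 20               # per-member size bound (decompression bomb guard)


def real_type(data):
    """Type from content, ignoring the declared extension."""
    for sig, label in MAGIC:
        if data.startswith(sig):
            return label
    return "unknown"


def reassemble(segments):
    """segments: iterable of (seq, bytes) in any order, possibly duplicated or
    overlapping. Returns the contiguous byte stream or raises on a gap."""
    stream = bytearray()
    for seq, chunk in sorted(segments, key=lambda s: s[0]):
        if seq > len(stream):
            raise ValueError(f"gap at offset {len(stream)}")
        stream += chunk[len(stream) - seq:]   # skip bytes already received
    return bytes(stream)


def unwrap(data, path="", depth=0):
    """Yield (member path, bytes) for the innermost objects, opening ZIP
    containers recursively up to MAX_DEPTH and skipping oversized members."""
    if real_type(data) == "zip" and depth < MAX_DEPTH:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                member = f"{path}/{info.filename}"
                if info.file_size > MAX_MEMBER:
                    yield member, b""        # not extracted; caller sees an empty body
                    continue
                yield from unwrap(z.read(info), member, depth + 1)
        return
    yield path or "<root>", data


def scan(filename, segments, keywords):
    """Reassemble, detect disguise, unwrap and keyword-scan one transferred file."""
    data = reassemble(segments)
    declared = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = real_type(data)
    disguised = actual != "unknown" and EXT_TYPES.get(declared) != actual
    findings = []
    for member, body in unwrap(data):
        hits = [k for k in keywords if k in body]
        if hits:
            findings.append((member, real_type(body), hits))
    action = "block" if disguised or findings else "permit"
    return {"declared": declared, "actual": actual, "disguised": disguised,
            "findings": findings, "action": action}


def build_constructed_sample():
    """A PDF with a marker string, zipped twice, then sent as 'photo.png'
    in three out-of-order segments with one retransmitted segment."""
    pdf = b"%PDF-1.4\n% constructed sample\nCONFIDENTIAL PROJECT-X roadmap\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("roadmap.pdf", pdf)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
    data = outer.getvalue()
    n = len(data) // 3
    segments = [(n, data[n:2 * n]), (2 * n, data[2 * n:]), (0, data[:n]), (n, data[n:2 * n])]
    return "photo.png", segments


if __name__ == "__main__":
    name, segs = build_constructed_sample()
    print(scan(name, segs, [b"PROJECT-X"]))
```

The constructed sample is a PDF containing a marker string, zipped twice and sent as photo.png in out-of-order segments with one retransmission. scan() reports the declared type png against the actual type zip, finds the marker inside /inner.zip/roadmap.pdf, and returns block. Scanning packet by packet, trusting the extension, or stopping at the first container would each let the same transfer through, which is exactly the gap the requirement targets; the depth and size bounds are there because unbounded unwrapping turns the inspection engine itself into a denial-of-service target.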
Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademark Notice
HUAWEI and the Huawei logos are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners.

General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, P.R. China
Tel: +86-755-28780808
www.huawei.com
Version No.: M3-032102-20131014-C-1.0