8/16/2019 Module 2 -NSE1---NGFW
1/30
Study Guide for NSE 1: Next Generation Firewall (NGFW)
February 1, 2016
This Study Guide is designed to provide information for the Fortinet
Network Security Expert Program – Level 1 curriculum. The study
guide presents discussions on concepts and equipment necessary as a
foundational understanding for modern network security prior to
taking more advanced and focused NSE program levels.
Fortinet Network Security Solutions
Contents
Figures
Tables
Next Generation Firewall (NGFW)
  Technology Trends
  NGFW Characteristics: Fundamental Changes
  NGFW Evolution
  Traditional NGFW Capabilities
  NGFW Functions
  Extended NGFW Capabilities
  Sandboxes and APT
  Advanced Persistent Threats (APT)
  Advanced Threat Protection (ATP)
  NGFW Deployment
  Edge vs. Core
  NGFW vs. Extended NGFW
  Summary
Key Acronyms
Glossary
References
Figures
Figure 1. Bring Your Own Device (BYOD) practices in 2011.
Figure 2. Edge firewall vs. NGFW traffic visibility.
Figure 3. Traditional port configuration example.
Figure 4. NGFW configuration example by application, user ID.
Figure 5. NGFW evolution timeline.
Figure 6. Intrusion Prevention System (IPS).
Figure 7. Deep Packet Inspection (DPI).
Figure 8. Network application identification and control.
Figure 9. Access enforcement (User identity).
Figure 10. NGFW distributed enterprise-level capability.
Figure 11. Extra-firewall intelligence IP list assignment.
Figure 12. Notional network with managed security (MSSP).
Figure 13. Application awareness: The NGFW application monitoring feature.
Figure 14. Extending NGFW with Advanced Threat Protection (ATP).
Figure 15. Authentication functions integrated into NGFW.
Figure 16. Web filtering profile control.
Figure 17. Antivirus/malware.
Figure 18. Anti-botnet protection.
Figure 19. Web filtering capability.
Figure 20. Sandbox deployed with NGFW Solution.
Figure 21. The NGFW three-step approach to APT.
Figure 22. Advanced Threat Protection (ATP) model.
Figure 23. NGFW deployment to edge network.
Figure 24. Current NGFW vs. Extended NGFW capabilities.
Tables
Table 1. Comparative security features of edge firewalls vs. NGFW.
Table 2. Comparison between flow-based and proxy-based inspections.
Next Generation Firewall (NGFW)

Just because you’re paranoid that hackers are trying to steal your data…
…doesn’t mean they’re not really out to get you!
Early firewalls acted much like a fire door in a building—if something bad was happening in the hallway,
it protected what was in your room and other parts of the building. As personal computers became
more affordable and digital portable devices became more widespread, system and network threats
evolved as well, creating a need for protection technology able to evolve along with—or ahead of—
advanced threats. Legacy firewalls operated on the basis of port access, using source/destination IP
addresses or TCP/UDP port data to discern whether packets should be allowed to pass between
networks or be blocked or rejected. Most firewall configurations allowed all traffic from trusted
networks to pass through to untrusted networks, unless policy exceptions were implemented. In closed
networks and the early days of the Internet, this was a viable option—this predominantly static firewall
configuration model no longer provides adequate protection against advanced and emerging system
and network threats to large, distributed enterprise businesses and organizations having to serve
customers, clients, and employees in an ever-evolving mobile environment.
Technology Trends
Trends in information technology development and employment over the last 15 years have led to a
need to rethink the methodology behind modern network security. To further exacerbate this challenge,
these trends occurred simultaneously across major industry, all levels of business, and personal
consumer environments.
Consumerization of IT has resulted in IT-enabled devices—such
as smartphones, digital music and video players, recorders,
cameras, and others—becoming so commonplace in the market
that their lower pricing resulted in an explosion of individual
consumers acquiring technology-enabled devices for personal
use. This extends beyond the obvious devices listed above. IT-
enabled devices now include such appliances as
refrigerator/freezers, home security systems, personal home networks that include WiFi-enabled
televisions, stereos, and even the automated “smart house.” In other words, what we have to be
mindful of today is the Internet of Things (IoT) when we acquire devices and appliances.
Because consumers have embraced technology devices for both communication and information
sharing, Social Media enterprise has been embraced at the business level as a way to reach consumer
markets and supplement Web and traditional marketing and communication pathways. With so many
applications—especially social media—being cloud based, the challenge of network security expands
beneath the surface of traffic and into substance.
With the proliferation of inexpensive, technology-enabled devices interacting with business networks—
including both external users and those using personal devices for work purposes (Bring Your Own
Device – BYOD), the question becomes one of how to provide security, network visibility, control, and
user visibility simultaneously without an exponential increase in required resources (Figure 1).
Figure 1. Bring Your Own Device (BYOD) practices in 2011.
NGFW Characteristics: Fundamental Changes
The primary benefit of NGFW is visibility and control of traffic entering the firewall ports. In legacy
firewalls, ports were opened and closed, or protocols allowed or disallowed without consideration
beyond basic characteristics.
Figure 2. Edge firewall vs. NGFW traffic visibility.
With NGFW, administrators are provided finer granularity that provides deeper insight into the traffic
attempting to access the network (Figure 2). This includes deeper visibility of users and devices, as well
as the ability to allow or limit access based on specific applications and content rather than accepting or
rejecting any traffic using a particular transmission protocol. This is the primary difference that
separates traditional and next generation firewalls (NGFW).
With a traditional firewall, traffic is accepted based on identification criteria of designated port and IP
address. Conversely, traffic is accepted with NGFW based on user ID (not port) and both the IP address
and traffic content. The diagrams in Figures 3 and 4 illustrate better the visibility and control capability
provided when NGFW is integrated into the network security architecture, supplanting the legacy edge
firewall.
When comparing the granularity in how traditional and legacy firewalls assess data, note that in NGFW
the ports are identified with traffic flowing through them as well as specific information about the user
sending the traffic, traffic origin, and the type (content) of traffic being received. This information goes
beyond the basic link level and brings security into OSI levels 3 & 4 (application security capability).
Figure 3. Traditional port configuration example.
Figure 4. NGFW configuration example by application, user ID.
In addition to enhanced visibility over traffic, NGFW provides enhancements in both complex security
protection and administrator control simplicity over traditional firewalls, as compared in Table 1.
Table 1. Comparative security features of edge firewalls vs. NGFW.

Edge Firewall                    | NGFW
---------------------------------|----------------------------------------------
Gatekeeper                       | Gatekeeper
ISO/OSI L4 Port Protocol         | Application-Centric (Content Flow) Protocol
Basic Security + Add-ons         | Integrated Security Solutions
Complex Architecture             | Integrated Architecture
Complex Control                  | Simplified Control
Simple – Moderate Security       | Integrated Complex Security
NGFW Evolution
Referring to an evolving technology offering high-performance protection, Next Generation Firewalls
(NGFW) provide solutions against a wide range of advanced threats against applications, data, and
users. Going beyond standard firewall protections, NGFW integrates multiple capabilities to combat
advanced and emerging threats. These capabilities include intrusion prevention system (IPS), deep
packet scanning, network application identification and control, and access enforcement based on user
identity verification. Emerging tools include Advanced Threat Protection (ATP) to mitigate multi-vector,
persistent network or system attacks against large and distributed enterprise networks.
The concept of NGFW (Figure 5) was first coined by Gartner in 2004 in their paper discussing the need
for integrated IPS coupled with Deep-Packet Inspection and general application-inspection capabilities
into firewalls [1]. In 2008, Gartner redefined NGFW as security devices including an enterprise-level
firewall with integrating IPS or Deep Packet inspection, Application Identification, and “extra-firewall”
intelligence (such as Web Content Filter), but allowing for interoperability with third-party rule-management technology [2]. In 2009, Gartner published a new definition of NGFW, defining the
characteristics as including VPN, integrated IPS interoperability with firewall components, application
awareness, and “extra-firewall” intelligence [3].
Figure 5. NGFW evolution timeline.
Traditional NGFW Capabilities

Traditional NGFW provides solutions against a wide range of advanced threats against applications,
data, and users. Traditional enterprise network security solutions such as legacy firewalls and stand-
alone intrusion detection/prevention systems (IPS) are no longer adequate to protect against today’s
sophisticated attacks. In order to defend networks against the latest threats, NGFWs should include, at a
minimum, the ability to identify and control applications running over a network, an integrated intrusion
prevention system (IPS) with deep packet scanning capabilities, and the ability to verify a user or
device’s identity and enforce access policies accordingly.
However, advanced threats require advanced protection. Some NGFW devices—such as the FortiGate
line—include additional technologies that provide you with a real-time ranking of the security risk of
devices on your network and cloud-based threat detection and prevention. Traditional NGFW integrates
multiple capabilities to combat emerging threats.
Figure 6. Intrusion Prevention System (IPS).
Intrusion Prevention System (IPS). Sometimes called integrated IDS/IPS. Monitors network and directs
firewall to allow or block traffic. Intrusion Detection System (IDS) detects threats but does not alert the
firewall to take action against identified threats or unknown traffic. IDS is integrated into IPS technology.
IPS has been used as part of edge-based protection as a firewall enhancement; however, it is more
effective to tie it into network segregation, enabling protection against both internal and external
attacks against critical servers (Figure 6) [4].
Figure 7. Deep Packet Inspection (DPI).
Deep Packet Inspection (DPI). Examining the payload or data portion of a network packet as it passes
through a firewall or other security device (Figure 7). DPI identifies and classifies network traffic based
on signatures in the payload [5]. Examines packets for protocol errors, viruses, spam, intrusions, or policy
violations.
Figure 8. Network application identification and control.
Network Application Identification & Control. Traditional firewall protection detects and restricts
applications by port, protocol and server IP address, and cannot detect malicious content or abnormal
behavior in many web-based applications (Figure 8). Next Generation Firewall (NGFW) technology with
Application Control allows you to identify and control applications on networks and endpoints
regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over
application traffic, even unknown applications from unknown sources and inspects encrypted
application traffic. Protocol decoders normalize and discover traffic from applications attempting to
evade detection via obfuscation techniques. Following identification and decryption, application traffic
is either blocked, or allowed and scanned for malicious payloads. In addition, application control protocol decoders detect and decrypt tunneled IPsec VPN and SSL VPN traffic prior to inspection,
ensuring total network visibility. Application control even decrypts and inspects traffic using encrypted
communications protocols, such as HTTPS, POP3S, SMTPS and IMAPS.
Figure 9. Access enforcement (User identity).
Access Enforcement (User Identity). When a user attempts to access network resources, Next
Generation Firewalls (NGFW) allow identification of the user from a list of names, IP addresses and
Active Directory (AD) group memberships that it maintains locally. The connection request will be
allowed only if the user belongs to one of the permitted user groups, and the assigned firewall policy
will be applied to all traffic to and from that user (Figure 9).
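The contrast drawn above between a legacy port/IP rule base (Figures 3 and 4) and NGFW access enforcement by user identity can be made concrete in code. The following is an added illustration, not Fortinet code or the FortiGate policy engine: two toy policy evaluators over the same flow, one matching only addresses and ports, the other first resolving the source address to a user and that user's group memberships (the locally maintained list the text describes) and then matching on group plus identified application. Every address, user name, group and rule is a constructed assumption.

```python
"""Toy policy engines: legacy 5-tuple matching vs. identity/application-aware
NGFW matching. Added illustration, not Fortinet code; all data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str             # "tcp" or "udp"
    app: str = "unknown"   # result of application identification (DPI), if any
    user: str = ""         # filled in by the identity lookup


# --- Legacy edge firewall: decisions depend only on addresses and ports ---
# Constructed rule base: (source net, destination net, proto, port, action).
LEGACY_RULES = [
    ("10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "allow"),
    ("10.0.0.0/8", "0.0.0.0/0", "tcp", 80, "allow"),
    ("0.0.0.0/0", "0.0.0.0/0", "any", 0, "deny"),     # implicit deny
]


def legacy_decision(flow: Flow) -> str:
    """First matching rule wins; the application carried on the port is invisible."""
    for src_net, dst_net, proto, port, action in LEGACY_RULES:
        if (ip_address(flow.src) in ip_network(src_net)
                and ip_address(flow.dst) in ip_network(dst_net)
                and proto in ("any", flow.proto)
                and port in (0, flow.dport)):
            return action
    return "deny"


# --- NGFW: identity lookup, then group/application rules ---
# Constructed local identity table: source IP -> user, user -> AD groups.
IP_TO_USER = {"10.1.1.20": "alice", "10.1.1.21": "bob"}
USER_GROUPS = {"alice": {"Finance"}, "bob": {"Engineering"}}

# Constructed rule base keyed on group and identified application, not port.
NGFW_RULES = [
    ("Finance", "salesforce", "allow"),
    ("Engineering", "github", "allow"),
    ("Engineering", "bittorrent", "deny"),
]


def identify_user(flow: Flow) -> Flow:
    """Map the source address to a known user from the local list (empty if unknown)."""
    flow.user = IP_TO_USER.get(flow.src, "")
    return flow


def ngfw_decision(flow: Flow) -> str:
    """Allow only if the user belongs to a permitted group with a matching app rule."""
    flow = identify_user(flow)
    groups = USER_GROUPS.get(flow.user, set())
    if not groups:
        return "deny"      # unknown user: belongs to no permitted group
    for group, app, action in NGFW_RULES:
        if group in groups and app == flow.app:
            return action
    return "deny"          # no group/application rule matched


if __name__ == "__main__":
    # Same flow: peer-to-peer traffic tunnelled over TCP/443 from bob's host.
    f = Flow("10.1.1.21", "203.0.113.5", 443, "tcp", app="bittorrent")
    print("legacy:", legacy_decision(f), "| ngfw:", ngfw_decision(f))
```

The sample flow is the point of the comparison: the legacy engine sees only "10.x to anywhere on TCP/443" and allows it, while the NGFW engine identifies the host as bob, resolves his Engineering membership, and applies the group's bittorrent deny rule regardless of the port in use. A host absent from the identity list is refused outright, which is the "permitted user groups" behaviour described above.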
Figure 10. NGFW distributed enterprise-level capability.
Distributed Enterprise-level Capability. Capable of operating in large, distributed enterprise networks.
The foundation of the enterprise campus offering is a high performance next generation firewall (NGFW)
that adds intrusion prevention, application control and antimalware to the traditional firewall/VPN
combination (Figure 10). In particular, Fortinet NGFWs:
- Provide fine-grained, user- or device-based visibility and control over more than 3000 discrete
  applications to establish/enforce appropriate policies.
- Include powerful intrusion prevention, looking beyond port and protocol to actual content of
  your network traffic to identify and stop threats.
- Leverage top rated antimalware to proactively detect malicious code seeking entry to the
  network.
- Deliver actionable application and risk dashboards/reports for real-time views into network
  activity.
- Run on purpose-built appliances with Custom ASICs for superior, multi-function performance,
  even over encrypted traffic.
Figure 11. Extra-firewall intelligence IP list assignment.
“Extra-firewall” Intelligence. This provides the ability to create lists for access or denial of external
traffic to the network. These lists may be designated by IP address. List types include:
- White List. Designated sources considered trusted and will be allowed access to the network.
- Black List. Designated sources considered not trusted and will be denied access to the network.
A key point to this function is that the source is based on an address, therefore, access does not relate
to any specific type of information that may be carried on traffic from that source. This is a surface
screening rather than a content screening function.
Figure 12. Notional network with managed security (MSSP).
Interoperable with Third-Party Management. Enterprise-class appliances deliver the comprehensive
security solution Managed Security Service Providers (MSSPs) require. They allow you to utilize the full
suite of ASIC-accelerated security modules for customizable value-added features for specific customers.
NGFW appliances include the ability to create multi-tenant virtual security networks, supporting up to 5,000 separate Virtual Domains (VDOMs) in a single device. The full suite of integrated management
applications—including granular reporting features—offer unprecedented visibility into the security
posture of customers while identifying their highest risks (Figure 12).
VPN. Virtual Private Network (VPN) technology allows organizations to establish secure communications
and data privacy between multiple networks and hosts using IPSec and secure sockets layer (SSL) VPN
protocols. Both VPN services leverage custom ASIC network processors to accelerate encryption and
decryption of network traffic. Once the traffic has been decrypted, multiple threat inspections—
including antivirus, intrusion prevention, application control, email filtering and web filtering—can be
applied and enforced for all content traversing the VPN tunnel.
Figure 13. Application awareness: The NGFW application monitoring feature.
Application Awareness. While establishing port and protocol are important first steps in identifying
traffic, positive identification of application traffic is an important capability added by NGFW, requiring a
multi-factor approach independent of port, protocol, encryption, or evasive measures (Figure 13).
Application awareness includes protocol detection and decryption, protocol decoding, signature
identification, and heuristics (behavioral analyses). [6]
NGFW Functions
Two important functions of NGFW are to detect threats and prevent them from exploiting system or
network vulnerabilities. The best way to detect threats is to deploy an Intrusion Detection System (IDS)
as part of the network architecture. In order to prevent identified threats from exploiting existing
vulnerabilities, an Intrusion Prevention System (IPS) should be deployed. The purpose of IPS is to react to
detected threats to a network in order to block intrusion by traffic attempting to take advantage of
system vulnerabilities, deviations from standard protocols, or attacks generated by trusted sources [4].
NGFW appliances provide integrated capability for IDS and IPS to both detect and prevent intrusion and
exploitation of protected networks.
Another function of NGFW is providing Secure Socket Layer (SSL)-Encrypted Traffic Inspection. This type
of inspection protects endpoint clients as well as Web and application servers from potentially hidden
threats. SSL Inspection intercepts and inspects encrypted traffic for threats before routing it to its
destination and can be applied to client-oriented traffic, such as users connected through a cloud-based site, or to Web and application server traffic. Using SSL inspection allows policy enforcement on
encrypted Web content to prevent potential intrusion from malicious traffic hidden in SSL content. Like
other inspection protocols, however, the tradeoff to enabling SSL inspection is a decrease in throughput
speed.
Extended NGFW Capabilities
Beyond the capabilities defined by Gartner for NGFW, adding capabilities focused on advanced and
emerging threats is clearly needed. Particularly within enterprise network security infrastructure,
protection against new and evolving classes of highly targeted and tailored attacks designed to
bypass common defenses is needed. Because of these advanced and evolving threats, additional
defenses—referred to by Fortinet as Advanced Threat Protection (ATP)—include anti-virus/malware,
anti-botnet, web filtering, code emulation, and sandboxing. Integration of these additional capabilities
appears in Figure 14.
Figure 14. Extending NGFW with Advanced Threat Protection (ATP).
When integrated with NGFW, capabilities of ATP enhance security by providing additional protections
against evolving threats, including:
- Dual-level sandboxing, allowing code activity examination in simulated and virtual environments
  to detect previously unidentified threats.
- Detailed reporting on system, process, file, and network behavior, including risk assessments.
- Secure Web Gateway through adding web filtering, botnet, and call back detection, preventing
  communications with malicious sites and IPs.
- Option to share identified threat information and receive updated in-line protections.
- Option to integrate with other systems to simplify network security deployment.
With the continued shift toward mobile and BYOD practices, integrated user authentication takes on
increased importance in visibility and control of applications being employed by network users. With the
sophistication of advanced and evolving threats, use of two-factor—or “strong”—authentication has
become more prevalent. In addition to the capabilities discussed previously as additive measures to the
NGFW, a number of strong authentication factors may also be enabled:
- Hardware, software, email, and SMS tokens
- Integration with LDAP, AD, and RADIUS
- End user self-service
- Certificate Authority
- Single sign on throughout the network
An illustration of authentication functions integrated into NGFW appears in Figure 15.
Figure 15. Authentication functions integrated into NGFW.
While the Application Control feature of the extended NGFW serves to identify network users, monitor
applications employed by those users, and block applications representing a risk to the organization, this
feature differs from how the Web Filtering function of ATP operates. Unlike Application Control that
focuses on the actual content of the accessed site, Web Filtering focuses on the Internet Sites (URLs)
based on a categorization of the site, or type of content [4]. This allows the NGFW to block web sites
known to host malicious content. An example of how Web Filtering categorizes sites appears in Figure 16.
Figure 16. Web filtering profile control.
Antivirus/malware. Responsible for detecting, removing, and reporting on malicious code. By
intercepting and inspecting application-based traffic and content, antivirus protection ensures that
malicious threats hidden within legitimate application content are identified and removed from data
streams before they can cause damage. Using AV/AM protection at client servers/devices adds an
additional layer of security.
Web filtering. Function that allows or blocks Web traffic based on type of content, commonly defined
by categories. Web filtering protects endpoints, networks and sensitive information against Web-based
threats by preventing users from accessing known phishing sites and sources of malware.
Figure 19. Web filtering capability.
Code emulation. Allows testing of unknown or potentially malicious traffic in
a virtual environment by emulating the actual environment to which the
traffic was addressed.
Sandboxing. Isolating unknown or potentially malicious codes to fully execute all functions before
allowing the traffic to download into the network. Sandboxing has a unique capability to detect zero-day
exploits that other security solutions cannot identify. If malicious activity is discovered, Advanced Threat
Protection (ATP) can block it.
Sandboxes and APT
You might be wondering whether this is Back to the Future. After all, sandbox technology is old, having
long been a standard isolation method for analyzing code. So why would sandboxes be important when
examining the implications of Advanced Persistent Threats (APT)?
Sandboxes were initially developed for executable files. Now they run application data that may contain
malicious code, such as Adobe Reader documents or JavaScript, so that the sandbox identifies malicious
code before it can infect your operating system. Modern sandbox technology can help detect and identify
new threats—such as old legacy threats in new veneers—by emulating endpoint device environments to
analyze how the potential threat behaves. In this way, relatively unknown malware—constantly being
developed at all levels of complexity—and APTs may be detected, identified, cataloged, and blocked by
the NGFW (Figure 20). Integrating NGFW with sandboxing allows inspection of traffic so that only suspect
traffic is forwarded to the sandbox, increasing sandbox performance by reducing unnecessary operations.
Figure 20. Sandbox deployed with NGFW Solution.
Advanced Persistent Threats (APT)
Since widespread availability of computer technology—especially since introduction of affordable
personal computing platforms and open availability of computer training—people have used software to
target systems and networks to damage, steal, or deny access to data. Modern and future challenges—
or Advanced Persistent Threats—present a more daunting sophistication of malware, attack vectors, and
perseverance by which they mount offensives against their targets. Just as APT uses multiple attack layers and vectors to enhance chances of success, network security administrators must also design and
implement a multi-layered defense to protect against these threats. It is critical to understand that no
single network security feature will stop an APT. Simplified, a three-step approach to how NGFW
addresses APTs appears in Figure 21.
Figure 21. The NGFW three-step approach to APT.
Advanced Threat Protection (ATP)
In order to protect against modern and emerging future threats, adaptive defense tools like ATP are
being incorporated into network security infrastructures at an increasing pace. This level of protection
provides increased security across all network sizes from SMB to large enterprises. Critical capabilities
brought to bear by ATP include:
- Access Control. Layer 2/3 firewall, vulnerability management, two-factor authentication.
- Threat Prevention. Intrusion Prevention (IPS), application control, Web filtering, email filtering,
  antimalware.
- Threat Detection. “Sandboxing,” botnet detection, client reputation, network behavior analysis.
- Incident Response. Consolidated logs & reports, professional services, user/device quarantine,
  threat prevention updates.
- Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.
The continuous nature of ATP protection is illustrated in Figure 22, below:
Figure 22. Advanced Threat Protection (ATP) model.
NGFW Deployment
Edge vs. Core
When deploying the NGFW, segmentation is a key consideration (see Module 1, page 8), and NGFW brings a unique combination of hardware- and software-based segmentation capabilities that allow
isolation of critical network sections, such as data centers. Deploying NGFW into an edge network
accomplishes the goal of providing control while optimizing critical infrastructure protection (Figure 23).
Figure 23. NGFW deployment to edge network
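The segmentation described above comes down to a zone-based policy with an implicit deny: traffic between segments is allowed only where a rule says so. The following is an added example, not code or configuration from the study guide or from any vendor; the zone names (wan, lan, mgmt, dc), the rule table and the sample flows are constructed for illustration. It shows first-match lookup, the implicit deny for anything unmatched, and an audit check for rules that would punch through the isolation of the data-center segment.

```python
"""Zone-based segmentation policy with first-match lookup and implicit deny.

Added example, not from the study guide and not a vendor's configuration
syntax. Zone names, the rule table and the sample flows are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str          # "any" matches every zone
    dst_zone: str
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "deny"


# Constructed policy: "wan" is the edge, "lan" the user segment,
# "mgmt" the admin jump segment and "dc" the isolated data center.
POLICY: List[Rule] = [
    Rule("lan",  "wan", "any", None, "accept"),   # users browse out
    Rule("lan",  "dc",  "tcp", 443,  "accept"),   # users reach the app front end only
    Rule("mgmt", "dc",  "tcp", 22,   "accept"),   # admins SSH from the jump segment
    Rule("wan",  "dc",  "tcp", 443,  "accept"),   # published service from the edge
]


def _matches(rule: Rule, src_zone: str, dst_zone: str,
             proto: str, dport: Optional[int]) -> bool:
    return (rule.src_zone in ("any", src_zone)
            and rule.dst_zone in ("any", dst_zone)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def lookup(policy: List[Rule], src_zone: str, dst_zone: str,
           proto: str, dport: Optional[int] = None) -> str:
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for rule in policy:
        if _matches(rule, src_zone, dst_zone, proto, dport):
            return rule.action
    return "deny"   # implicit deny at the end of the policy


def overbroad_rules(policy: List[Rule], protected_zone: str) -> List[Rule]:
    """Audit check: accept rules into the protected zone that match any source
    or any port defeat the segmentation and should be reviewed."""
    return [r for r in policy
            if r.action == "accept"
            and r.dst_zone in ("any", protected_zone)
            and (r.src_zone == "any" or r.dport is None)]


def demo() -> dict:
    verdicts = {
        "lan->dc:443":  lookup(POLICY, "lan", "dc", "tcp", 443),
        "lan->dc:3389": lookup(POLICY, "lan", "dc", "tcp", 3389),
        "wan->dc:22":   lookup(POLICY, "wan", "dc", "tcp", 22),
        "dc->wan:443":  lookup(POLICY, "dc", "wan", "tcp", 443),  # no egress rule: denied
    }
    # A constructed "temporary" rule that an admin might add and forget.
    sloppy = POLICY + [Rule("any", "dc", "any", None, "accept")]
    return {"verdicts": verdicts, "overbroad": len(overbroad_rules(sloppy, "dc"))}


if __name__ == "__main__":
    print(demo())
```

Note that the data-center segment has no egress rule at all, so a compromised server cannot open outbound connections through the NGFW; that is the practical payoff of isolating the segment rather than only protecting it from inbound traffic.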
NGFW vs. Extended NGFW
Another consideration is which NGFW capabilities are needed, or desired, for the
network being protected. Whether to deploy extended NGFW capabilities depends on
the nature of the functions performed both inside and outside the network. In
particular, with the movement to more cloud-based and web applications, the benefits of extended NGFW
may be the best fit. As illustrated in Figure 24, Extended NGFW incorporates the capabilities of current
NGFW plus enhanced features that make it more capable against modern and emerging threats.
Figure 24. Current NGFW vs. Extended NGFW capabilities.
One of the characteristics of most technologies is that added capabilities bring trade-offs.
In the case of NGFW, adding inspection functions such as web filtering or anti-malware
presents options that balance capability and protection level against traffic processing speed. The two
methods used to inspect traffic are flow-based and proxy-based inspection. In flow-based inspection,
the NGFW performs a pattern match against packets as they pass through, without terminating the
connection; only the bytes in flight are examined rather than the reassembled object, which gives
faster throughput but shallower inspection. In proxy-based inspection, the NGFW terminates the connection, buffers and analyzes the entire object (for example a file or email message), and then reestablishes the connection to forward or block it, resulting in slower throughput.
Table 2. Comparison between flow-based and proxy-based inspections

Type of Inspection           | Flow-based                                                      | Proxy-based
Speed/Performance Resources  | Faster                                                          | Slower
Security Analysis Method     | Comparing traffic to a database of known bad patterns           | Conducting specific analysis on the relevant information
TCP Transparency             | TCP flow not broken; only packet headers changed if necessary   | TCP connection broken; TCP sequence numbers changed
Protocol Awareness           | Not required                                                    | Understands the protocol being analyzed
File size limits             | Only during scanning                                            | Yes, when buffering, based on available NGFW memory
Features supported           | Antivirus, IPS, Application Control, Web Content Filtering      | Antivirus, DLP, Web Content Filtering, AntiSpam
Because Flow Mode does not unpack compressed files or email/FTP attachments, deploying anti-
malware in Flow Mode may result in decreased detection rate.
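The detection-rate caveat above, and the buffering limit in Table 2, can be seen directly with a toy pair of scanners. The following is an added example, not code from the study guide or from any product: it assumes a single constructed signature string, a constructed 64 KiB proxy buffer limit, and synthetic "packets" cut from a byte string rather than real TCP segments. The flow-style scanner matches each packet as it arrives (keeping a small carry-over so a pattern split across two packets is still caught); the proxy-style scanner reassembles and decompresses the whole object first, which is why it catches the gzip-compressed copy that flow scanning passes.

```python
"""Toy flow-based vs proxy-based content inspection.

Added example, not from the study guide. The signature, the sample payloads
and the packet split are constructed for illustration.
"""
import gzip
import zlib

SIGNATURES = [b"CONSTRUCTED-MALWARE-MARKER"]   # constructed stand-in for an AV pattern
PROXY_MAX_BUFFER = 64 * 1024                    # assumed buffer limit in bytes


def flow_scan(packets):
    """Flow-based: match patterns against packets as they pass.

    No buffering and no decompression. A carry-over of (longest signature - 1)
    bytes keeps a pattern that straddles two packets from slipping through.
    """
    longest = max(len(s) for s in SIGNATURES)
    carry = b""
    for pkt in packets:
        window = carry + pkt
        if any(sig in window for sig in SIGNATURES):
            return "blocked"
        carry = window[-(longest - 1):]
    return "allowed"


def proxy_scan(packets, content_encoding=None):
    """Proxy-based: reassemble the whole object, decode it, then scan.

    Because the connection is terminated at the proxy, the object can be
    buffered and decompressed before a verdict; oversized objects hit the
    buffer limit and fall through to whatever oversize policy is configured.
    """
    body = b"".join(packets)
    if len(body) > PROXY_MAX_BUFFER:
        return "oversize"
    if content_encoding == "gzip":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            return "blocked"           # undecodable content is treated as suspect
    if any(sig in body for sig in SIGNATURES):
        return "blocked"
    return "allowed"


def split_packets(data, size):
    """Cut a byte string into fixed-size pieces (constructed, not real TCP)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def demo():
    # 50 bytes of filler puts the marker across the 64-byte packet boundary.
    plain = b"A" * 50 + SIGNATURES[0] + b"B" * 50
    packed = gzip.compress(plain)               # same content, compressed
    big = b"C" * (PROXY_MAX_BUFFER + 1)         # clean but over the buffer limit
    return {
        "plain/flow":  flow_scan(split_packets(plain, 64)),
        "plain/proxy": proxy_scan(split_packets(plain, 64)),
        "gzip/flow":   flow_scan(split_packets(packed, 64)),
        "gzip/proxy":  proxy_scan(split_packets(packed, 64), "gzip"),
        "big/flow":    flow_scan(split_packets(big, 1460)),
        "big/proxy":   proxy_scan(split_packets(big, 1460)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} {verdict}")
```

The two results worth noting are gzip/flow, where the pattern is present in the content but invisible in the compressed bytes the flow scanner sees, and big/proxy, where the proxy cannot hold the object and the administrator's oversize setting (pass or block) decides the outcome instead of the scanner.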
Summary
The concept of Next Generation Firewalls developed to address evolving threats as technology itself
evolved. With the rapid rise of technology integration, portability and BYOD models in business,
education, and other environments, combined with the more widespread ability of hackers from novices to
experts to develop malicious code, the initial premise of NGFW had to evolve into a system built
for future threats.
Because of these capabilities and the flexibility to proactively address modern and developing threat
environments across networks of varying sizes, NGFW will be the standard in network firewall
protection at least through 2020…
Key Acronyms
AAA Authentication, Authorization, and Accounting
AD Active Directory
ADC Application Delivery Controller
ADN Application Delivery Network
ADOM Administrative Domain
AM Antimalware
API Application Programming Interface
APT Advanced Persistent Threat
ASIC Application-Specific Integrated Circuit
ASP Analog Signal Processing
ATP Advanced Threat Protection
AV Antivirus
AV/AM Antivirus/Antimalware
BYOD Bring Your Own Device
CPU Central Processing Unit
DDoS Distributed Denial of Service
DLP Data Leak Prevention
DNS Domain Name System
DoS Denial of Service
DPI Deep Packet Inspection
DSL Digital Subscriber Line
FTP File Transfer Protocol
FW Firewall
GB Gigabyte
Gb Gigabit
GbE Gigabit Ethernet
Gbps Gigabits per second
GSLB Global Server Load Balancing
GUI Graphical User Interface
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
ICMP Internet Control Message Protocol
ICSA International Computer Security Association
ID Identification
IDC International Data Corporation
IDS Intrusion Detection System
IM Instant Messaging
IMAP Internet Message Access Protocol
IMAPS Internet Message Access Protocol Secure
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
IPSec Internet Protocol Security
IPTV Internet Protocol Television
IT Information Technology
J2EE Java 2 Platform, Enterprise Edition
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LLB Link Load Balancing
LOIC Low Orbit Ion Cannon
MSP Managed Service Provider
MSSP Managed Security Service Provider
NGFW Next Generation Firewall
Glossary
Anti-botnet. Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other
coordinated network attacks.
APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access to
a network and stays there undetected for a long period of time. The intention of an APT attack is to steal
data rather than to cause damage to the network or organization. APT attacks target organizations in
sectors with high-value information, such as national defense, manufacturing and the financial industry.
ASIC. Application Specific Integrated Circuits (ASICs) are integrated circuits developed for a particular
use, as opposed to a general-purpose device.
ATP. Advanced Threat Protection relies on multiple types of security technologies, products, and
research, each performing a different role but working seamlessly together, to combat advanced
attacks from the network core through to the end-user device. The 3-part framework is conceptually simple:
prevent, detect, mitigate. It covers a broad set of both advanced and traditional tools for
network, application and endpoint security, threat detection, and mitigation.
AV/AM. Anti-virus/Anti-malware provides protection against virus, spyware, and other types of
malware attacks in web, email, and file transfer traffic. Responsible for detecting, removing, and
reporting on malicious code. By intercepting and inspecting application-based traffic and content,
antivirus protection ensures that malicious threats hidden within legitimate application content are
identified and removed from data streams before they can cause damage. Using AV/AM protection at
client servers/devices adds an additional layer of security.
Botnet. A botnet (also known as a zombie army) is a number of Internet computers that, although their
owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to
other computers on the Internet. Any such computer is referred to as a zombie - in effect, a computer
"robot" or "bot" that serves the wishes of some master spam or virus originator.
BYOD. Bring Your Own Device (BYOD) refers to employees taking their own personal device to work,
whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a
Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were
owned by the employee.
Code Emulation. A virtual machine is implemented to simulate the CPU and memory management
systems to mimic the code execution. Thus malicious code is simulated in the virtual machine of the
scanner, and no actual virus code is executed by the real processor.
Cloud Computing. Computing in which large groups of remote servers are networked to allow the
centralized data storage, and online access to computer services or resources. Clouds can be classified
as public, private or hybrid.
Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of
functions, including:
IP Security (IPSec)
Firewall
Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
Antivirus/Antispyware
Web Filtering
Antispam
Traffic Shaping [7]
Edge Firewall. Implemented at the edge of a network in order to protect the network against potential
attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall—
the gatekeeper.
Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to
the Internet and identify themselves to other devices. IoT is significant because an object that can
represent itself digitally becomes something greater than the object by itself.
IDS. An Intrusion Detection System (IDS) detects and reports threats but does not direct the firewall to
take any action against identified threats or unknown traffic; blocking is left to an IPS or to the operator.
IPS. Intrusion Prevention System protects networks from threats by blocking attacks that might
otherwise take advantage of network vulnerabilities and unpatched systems. IPS may include a wide
range of features that can be used to monitor and block malicious network activity including: predefined
and custom signatures, protocol decoders, out-of-band mode (or one-arm IPS mode, similar to IDS),
packet logging, and IPS sensors. IPS can be installed at the edge of your network or within the network
core to protect critical business applications from both external and internal attacks.
NGFW. Next Generation Firewall (NGFW) provides multi-layered capabilities in a single firewall
appliance instead of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities
of a traditional firewall with advanced features including:
Intrusion Prevention (IPS)
Deep Packet Inspection (DPI)
Network App ID & Control
Access Enforcement
Distributed Enterprise Capability
"Extra Firewall" Intelligence
Third Party Management Compatibility
VPN
Application Awareness
Sandbox. A sandbox is a security mechanism for separating running programs. It is typically used to
execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users,
and untrusted websites, in an area segmented off from the device/network operating system and
applications.
VPN. A Virtual Private Network (VPN) is a network constructed over public infrastructure, usually the
Internet, to connect to a private network such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that data in transit cannot be read or tampered with if it is intercepted.
Web Filtering. Web filtering technology gives the option to explicitly allow web sites, or to pass web
traffic to and from known-good web sites uninspected in order to accelerate traffic flows. The most
advanced web content filtering technology enables a wide variety of actions to inspect, rate, and control
perimeter web traffic at a granular level. Using web content filtering, these appliances can
classify and filter web traffic using multiple pre-defined and custom categories.
References
1. Gartner. Next Generation Firewalls Will Include Intrusion Prevention. 2004.
2. Gartner. Magic Quadrant for Enterprise Network Firewalls. 2008.
3. Gartner. Defining the Next Generation Firewall. 2009.
4. Tam, K., et al. UTM Security with Fortinet: Mastering FortiOS. Waltham, MA: Elsevier, 2013.
5. Tittel, E. Unified Threat Management for Dummies. Hoboken, NJ: John Wiley & Sons, 2012.
6. Miller, L. Next-Generation Firewalls for Dummies. Indianapolis, IN: Wiley Publishing, Inc., 2011.
7. UAB, M. Fortinet Secure Gateways, Firewalls. 2013.