Next gen firewalls

rpm (Admin, Staff member; joined Jul 22, 2003; Johannesburg)
Next generation firewalls

Network security gateways are under siege. New threats are being launched faster than ever and are increasingly targeting application-layer vulnerabilities.
 
Good article, yet inevitably TCP/IP is flawed, irrespective of the techniques employed to wall it off. ; )
 
Indeed, why not avoid the need for "helpers" of any type by delivering a solution that natively addresses the essential functional requirements for a truly effective, modern firewall:

1. The ability to identify applications regardless of port, protocol, evasive tactics or SSL encryption.
2. The ability to provide granular visibility of and policy control over applications, including individual functions.
3. The ability to accurately identify users and subsequently use identity information as an attribute for policy control.
4. The ability to provide real-time protection against a wide array of threats, including those operating at the application layer.
5. The ability to support multi-gigabit, in-line deployment with negligible performance degradation.

This emphasis on applications won't solve the problems, though it might help with common, known ones for a while. New applications and work-arounds come out all the time. How hard could it be to make a torrent protocol that looks just like HTTP, if it has not been done already? Hell, I'll write a new app based on a new protocol in a day or two.
 
This emphasis on applications won't solve the problems, though it might help with common, known ones for a while. New applications and work-arounds come out all the time. How hard could it be to make a torrent protocol that looks just like HTTP, if it has not been done already? Hell, I'll write a new app based on a new protocol in a day or two.

+1
 
Actually I think this article is rather average... good from an "I didn't know" point of view, but behind the times. Security companies are trying to address these issues, and have been doing so for a long time. Gigabit high-throughput application layer (including user level) UTMs have been out for ages. SonicWall, Cisco, Cyberoam, and Astaro are ones that I have come across, and they have been getting better and better. This article is like saying, "viruses are a major problem, and antivirus companies need to do something about them". Duh! They are, and some vendors are very good, others are crap. My personal best is Cyberoam. I am curious what the Smoothwall & IPCop people have to say, though they may be found wanting on the application level.

I certainly don't think the solutions are perfect, but this chop in the article is coming across as if solutions do not exist.
 
This emphasis on applications won't solve the problems, though it might help with common, known ones for a while. New applications and work-arounds come out all the time. How hard could it be to make a torrent protocol that looks just like HTTP, if it has not been done already? Hell, I'll write a new app based on a new protocol in a day or two.

True, though that is the whole point of application layer UTMs. They are Universal or Unified Threat Management appliances. Like antivirus programs, you have to update them, otherwise they become less effective. Application layer UTMs are there to determine whether the HTTP traffic is from streaming, surfing the web, or torrents. The UTM is then also looking at source/destination, running that through filters, and saying to the guy who is disguising his torrents as email, sorry, this is not email traffic. Even deploying a proxy server is a big step in making sure unwanted applications don't access the web if they become infected with a virus, or if you don't want people using certain apps.

Having said that, again I think it doesn't solve the problem completely. Even using my own example of viruses, they have been around a long time and the problem has not been solved, but using an antivirus does solve the problem of viruses to a huge degree. Which is my problem with the article. "Next Generation" firewalls have been here for ages, hence the article is behind the times. Let me bring out an article about IPv4 not being adequate... you would laugh at me and tell me to get with the times.

So, a solution... change to Linux as someone suggested? That is misunderstanding what application layer vulnerabilities are out there. Personally I think a UTM and some knowledge/understanding of what is good for you on the web will go a long way.
 
So, there are differences between UTMs and NGFWs... and unfortunately the terms are used interchangeably.

The great thing about the PAN stuff is that it is not looking for an application on a port, but rather an application regardless of port, so change HTTP to a different port or change BT to a different port, it does not matter. So the point above is actually invalid to a degree.
Also, remember that this is supposed to be an Enterprise Firewall, and currently (if I remember correctly) they categorize more than 950 applications. This is the way firewalls are going in general... PAN was the 1st but the others are not far behind.
 
"Next Generation" firewalls have been here for ages
Well, if you look closely, this article is actually an advertorial for Palo Alto Networks.

According to them the design of current firewall/security offerings is becoming inefficient/ineffective as they are built on the layered integration of various different security mechanisms/software over time. Their 'next gen' pitch is based on what should a firewall look like if it were designed today using a 'clean slate' approach.

Check out their website http://www.paloaltonetworks.com, in the Info Centre > TECH BRIEFS section they compare themselves to current offerings like UTMs.
 
Palo Alto has definitely shook up the market but Check Point R75 is due for release. They are going to add to their already existing feature list (DLP, AV, Mail and IPS) AD integration to provide application/user specific based access. Their desktop solutions are also beginning to tie into Smart Management so I believe next year is going to be interesting one for Security Gateways in general, curious to see what the other players have planned...
 
Well, if you look closely, this article is actually an advertorial for Palo Alto Networks.

According to them the design of current firewall/security offerings is becoming inefficient/ineffective as they are built on the layered integration of various different security mechanisms/software over time. Their 'next gen' pitch is based on what should a firewall look like if it were designed today using a 'clean slate' approach.

Check out their website http://www.paloaltonetworks.com, in the Info Centre > TECH BRIEFS section they compare themselves to current offerings like UTMs.

Agreed. I believe you have a point there. Then I don't think the article made that clear. The six points, and then the last three that were made, are general points that any good UTM does across all ports. Once you go to Palo Alto's site and read their information and examples, I think it is quite clear the level of granularity and performance they are actually referring to. Great, I think their site deserves a good read, and possibly I need to explore their options. Thanks for the correction.
 
@Roman4604. Here is an interesting article from Cyberoam. They compare Palo Alto products with their own. As I have not compared any Palo Alto products myself, I don't want to take it as fact, but the article is interesting and on face value one would think the Palo Alto products are crap compared to Cyberoam. They seem very limited as to what they can do, though possibly are extremely good at what they are limited to? The article is also probably a year old at least.
http://www.secureone.my/download/cyberoam/saleskit/Comparison/CR_UTM_comparison/CR-vs-paloalto.pdf
 
@Roman4604. Here is an interesting article from Cyberoam. They compare Palo Alto products with their own.
Yeah, if you dig deep enough you'll probably find each vendor will have their own 'pitch' justifying why their offering is superior to the competition. I too have no practical experience with PAN's products, but thought their approach was fresh/innovative.

As always there's no substitute for physically evaluating the solutions yourself to determine what real value/benefit each will offer one's own environment & requirements.
 
Well, if you look closely, this article is actually an advertorial for Palo Alto Networks.
That much was clear as you got to the end of the article. Pity it wasn't clear up front.

+1

I'm a bit blown away by the jargon, but when it comes down to the nuts and bolts, are any of these "next generation firewalls" aimed at the home user? Are we as vulnerable or do we just have less to lose than the corporates?
 
+1

I'm a bit blown away by the jargon, but when it comes down to the nuts and bolts, are any of these "next generation firewalls" aimed at the home user? Are we as vulnerable or do we just have less to lose than the corporates?

Some are, some are not. Not certain from Palo Alto, but they don't have that many devices... so possibly no. You CAN use them at home, but cost is generally a major problem for the average joe. Proper content filtering, and/or antivirus, and/or anti malware, 99.9% of the time comes with a hefty annual subscription. Also remember:
1. The needs that these hefty price tagged appliances fulfil are not really needed at home as such. For example, knowing how many people are going to Facebook is already known at home... mum, dad, sister, etc. Allowing some on at certain times, or blocking all social networking or just the chat option, or giving quotas, is not really a must for all home users.
2. Having a separate appliance and being able to setup the appliance is beyond many home users... even the simple devices.

Home users in general want protection from the usual crap. The easiest way to get it to them is to pop a good security software application onto your computer, and keep it updated. Not perfect, and this is what the article is about. BUT, it still is a very good option for now. Education is probably the single biggest thing that would stop so much crap from coming in. If you really want to dabble in one of the easiest appliance-like UTMs out there, then try Untangle. "Easy" to install, and pretty easy to maintain. Some of the plugins are not free... but you shouldn't need those for home use. Untangle can also be used at corporate level, so it is not a home user only option.
 
I really don't agree with:
To begin with, user-centric applications have become pervasive. Internet-oriented and originally intended primarily for personal communications, this class of applications includes instant messaging, peer-to-peer file sharing, web mail, and the plethora of social networking sites that have emerged in recent years. The issue is that their presence on enterprise networks is practically guaranteed, even if an organisation’s policies indicate otherwise.

If you can't block instant messaging, peer-to-peer file sharing or webmail with a simple firewall or proxy server then you shouldn't be in the network security business.
If your corporate firewall or proxy server allows users to access any web site on the Internet then you're looking for trouble. That's akin to having a firewall with a default policy that forwards all traffic and then trying to lock down usage afterwards. Epic fail ...

Make the default policy BLOCK/DROP and then open access as required.
If you lock down usage to only business related applications and web sites the majority of the battle is over.
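The two technical points argued in this thread, identifying an application regardless of port (the PAN point made earlier) and running a default BLOCK/DROP policy that only opens what is explicitly allowed (the post above), can be shown side by side in a small toy policy engine. The code below is an added example, not code from the thread or from any vendor mentioned in it; the protocol signatures are simplified approximations and the flows are constructed for illustration.

```python
"""Toy firewall policy engine: port-based vs payload-based application
identification, each feeding the same default-DROP policy.

Added example for this thread; signatures and sample flows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent (constructed)


# Legacy approach: trust the destination port to say what the application is.
PORT_MAP = {80: "http", 443: "tls", 25: "smtp", 6881: "bittorrent"}


def identify_by_port(flow: Flow) -> str:
    return PORT_MAP.get(flow.dport, "unknown")


# App-ID style approach: look at what the client actually sent, on any port.
# Simplified signatures (constructed, not a vendor's real signature set).
def identify_by_payload(flow: Flow) -> str:
    p = flow.payload
    if p.startswith(b"\x13BitTorrent protocol"):   # BT peer handshake
        return "bittorrent"
    if p[:1] == b"\x16" and p[1:2] == b"\x03":      # TLS handshake record
        return "tls"
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") \
            and b" HTTP/1." in p:
        return "http"
    if p[:5].upper() in (b"EHLO ", b"HELO "):       # SMTP client greeting
        return "smtp"
    return "unknown"


# Default policy is DROP; only these applications are explicitly allowed.
ALLOWED_APPS = frozenset({"http", "tls", "smtp"})


def decide(flow: Flow, identify) -> str:
    """Return 'ALLOW' only if an allow rule matches; everything else drops."""
    return "ALLOW" if identify(flow) in ALLOWED_APPS else "DROP"


# Constructed sample flows from an internal client to outside hosts.
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20 + b"P" * 20
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32

FLOWS = {
    "http on 80":        Flow("10.0.0.5", "203.0.113.10", 80,   HTTP_REQ),
    "http on 8080":      Flow("10.0.0.5", "203.0.113.10", 8080, HTTP_REQ),
    "bittorrent on 80":  Flow("10.0.0.5", "198.51.100.7", 80,   BT_HANDSHAKE),
    "tls on 443":        Flow("10.0.0.5", "203.0.113.10", 443,  TLS_HELLO),
    "bittorrent on 6881": Flow("10.0.0.5", "198.51.100.7", 6881, BT_HANDSHAKE),
    "binary junk on 25": Flow("10.0.0.5", "192.0.2.9",    25,   b"\x00\x01\x02\x03"),
}


def compare(flows=FLOWS) -> dict:
    """Map each flow label to (port-based decision, payload-based decision)."""
    return {
        label: (decide(f, identify_by_port), decide(f, identify_by_payload))
        for label, f in flows.items()
    }


if __name__ == "__main__":
    for label, (by_port, by_app) in compare().items():
        print(f"{label:20s} port-based={by_port:5s} payload-based={by_app}")
```

The interesting rows are the disagreements: the BitTorrent handshake sent to port 80 is allowed by the port-based engine (it looks like web traffic) and dropped by the payload-based one, while a legitimate HTTP request on port 8080 is dropped by the port-based engine and allowed by the payload-based one. In both engines the default is DROP, so anything the classifier cannot name (the junk on port 25 under payload-based identification) is refused rather than forwarded, which is the posture the post above recommends.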
 