Which way for the next generation of enterprise firewalls?
The history of firewalling technology is one of a gradual movement, in technological terms, from passivity to activity.
The first iterations of hardware and software firewalls were merely port filters — disallowing incoming packets based on the requirements of the apps hosted inside a network. Stateful packet inspection followed, ensuring that only packets returning for a connection the inside host had opened were allowed ingress, and enabling larger internal networks via NAT (network address translation) or PAT (port address translation).
Over time, further abilities were bolted on as faster and cheaper microprocessors made firewalls into basic computing devices themselves: DoS and DDoS (distributed denial of service) attack awareness, and active packet inspection that created intrusion detection and prevention systems (IDS, IPS).
However, even the most active barrier mechanism can fail to detect, or be unable to mitigate, some of the latest generations of hacking attempts or malware outbreaks.
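To make the difference between the two stages above concrete, here is a toy simulation (added here; not code from the original article) of a stateless port filter beside a stateful filter that tracks outbound flows. The addresses, ports and the three packets are constructed sample traffic; the `>= 1024` rule stands in for the ephemeral-port hole a stateless filter has to leave open so that replies can get back in.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True when the packet arrives from outside the LAN

class PortFilter:
    """Stateless port filter: inbound packets are judged on destination port
    alone. Replies to outbound connections land on ephemeral ports, so the
    whole range >= 1024 has to stay open, and a genuine reply is
    indistinguishable from an unsolicited packet aimed at such a port."""
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def allow(self, pkt):
        if not pkt.inbound:
            return True
        return pkt.dst_port in self.open_ports or pkt.dst_port >= 1024

class StatefulFilter:
    """Stateful inspection: each outbound packet registers a flow; an inbound
    packet is admitted only as the reverse of a registered flow, or when it
    targets a port the policy explicitly opens (a published service)."""
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.flows or pkt.dst_port in self.open_ports

# Constructed traffic: a workstation opens HTTPS to a web server, the server
# replies, then an unrelated outside host sends a packet to the same
# ephemeral client port without any connection having been opened to it.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.7", 443, inbound=False),
    Packet("203.0.113.7", 443, "10.0.0.5", 51000, inbound=True),
    Packet("198.51.100.9", 443, "10.0.0.5", 51000, inbound=True),
]

def verdicts(fw, packets):
    """Return the firewall's accept (True) / drop (False) decision per packet."""
    return [fw.allow(p) for p in packets]
```

Run against `TRAFFIC`, the port filter admits all three packets while the stateful filter drops the unsolicited third one, which is exactly the gap stateful inspection closed.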
Firewall vendors offer devices and software which extend from merely being a barrier into becoming proactive examiners of internal LAN traffic, examining east-west data movements to comb them for illicit or malicious activity that the barrier mechanisms have missed.
A significant threat to any organization’s cyber defenses remains the human element. While YARA-style rules or signature-based scans can detect instances of malware sent by email to individual users, it’s user activity which poses potentially the highest risk to networks.
Locking down users’ activity is not a very practical solution, in the same way that locking down business applications entirely prevents, well, business. SQL injection attacks can bring down entire server arrays, but the enterprise and its customers & partners rely every day on access to those self-same SQL services for commerce to take place.
As well as outside actors, security problems can stem from suspect activity by staff. Downloads from dubious sources, BitTorrenting, and even cryptocurrency mining all pose problems, and the creators of BitTorrent and mining clients and the like work hard to mask their users’ activities. Use of common ports and Stratum-type protocols is difficult to detect, and such traffic therefore represents a moving target for even the most proactive cybersecurity teams.
The latest firewalls therefore need to be so much more than the mere barriers that the legacy name suggests. Next-generation devices wield considerable compute, and can act as all-around security hubs rather than the passive preventative devices of 30 years ago.
The latest shift in business practice, that is, moving to cloud-based services, has raised a new generation of attack methods and vectors to which many firewall vendors have to respond.
As business functions have flocked to XaaS (just-about-anything as a service), those without dedicated security teams are struggling to keep pace. Using purely public cloud services, for instance, means IT is essentially entrusting security to a third party; one whose motives are likely to be balanced more towards profit optimization than towards individual clients’ security.
Private (closed) cloud deployments are therefore used in addition to, or instead of, public provision, but even private cloud-based services require a substantial shift in security stance.
Web application firewalls (WAFs) aim to protect these new deployments, but taken in isolation they do not offer overarching protection across all of an organization’s services and functions.
While the larger cloud providers would have us believe that every service from every organization is transitioning to the cloud, the reality is that most businesses are using a mixture of bare-metal, in-house technology, private cloud services, and public XaaS instances. Clearly, an old-style passive barrier-type firewall and a smattering of free desktop anti-virus installations provide wholly inadequate levels of protection. Unfortunately, this is the situation in which even medium-sized enterprises find themselves.
The latest cybersecurity providers, therefore, offer cybersecurity solutions which address new computing paradigms: endpoints ranging from legacy Android devices to the latest server OS iterations, east-west data center traffic inspection, web application firewalling, cloud-based security hubs, and even high bandwidth encrypted tunnels over virtualized network topologies.
Here at Tech Wire Asia, there are three providers of enterprise-level firewalling which we feel merit your attention. And, as discussed, the term firewall doesn’t sufficiently summarize either what’s on offer or what modern organizations need.
Sangfor is the largest network security company in China by market share and has recently stepped up its international operations, particularly in the Middle East, South East Asia and Europe. The company believes that traditional network and endpoint security are not sufficient to counter the threat landscape – and customers agree, with over 17,000 NGFWs shipped globally in 2017.
While signature or YARA-based methods and even sandboxing have some success in identifying malware, all have significant failure rates when confronted with new strains of threats. Sandboxing, in particular, can be slow – “clever” malware has long dwell-times for a reason.
One of the features offered by Sangfor which differentiates it is its use of Engine Zero, whose deep-learning algorithmic capabilities increase detection rates of zero-day threats to 98 percent – way in advance of the company’s nearest competitors. It is also lightweight and fast.
In tests, Engine Zero was found to be as fast as traditional AV hashing, whereby MD5s of files are compared to known signatures. However, unlike signature-based mitigation methods, there’s no need to download hefty virus definition databases – often 500 or 600 MB.
Sangfor’s next-generation WAF engine uses machine learning and semantic analysis technology, recognizing web-based attacks like web shells, Struts injection, and deserialization flaws. The detection rate of the NGWAF is much higher than that of traditional Snort-based WAF engines.
Sangfor’s solutions suit today’s businesses, relying as many do on a mix of in-house and cloud provisions. Sangfor’s firewalls are hybrid devices and can protect both web-based applications and those services deployed in-house.
No overview of firewall systems would be complete without at least a mention of Cisco. From its roots as an industry-standard network hardware provider, the company has now spread its solution offering into many verticals such as data center hyperconvergence, business networking, network virtualization, collaboration and unified communications. It even dabbled in consumer devices with its purchase (and eventual sale to Belkin) of Linksys.
Its firewall offerings range from the ASA 5500-X range, designed for small or home offices (the successor to the highly successful ASA range), right up to the 9000 series of hardware, with its gigabytes-per-second throughputs and packet examination rates.
Additionally, the company offers virtual appliances destined for virtualized servers in cloud and data center deployments. The underpinning technology set is called Firepower, derived from the company’s 2013 acquisition of Sourcefire.
The firewalls are based on the well-known ASA OS and the SFR software module, which takes care of the range’s “next-gen” features, such as intrusion detection, URL filtering and application control.
Cisco was something of a groundbreaker with the introduction of its accreditation system: to this day, network engineers sporting one of the individually-numbered CCIE certificates command the highest salaries.
Palo Alto Networks’ next-generation firewalls come from the stance of letting the business’s needs dictate the security response, not security measures limiting the business.
By identifying network traffic as belonging to a particular application, a classification map of what the business actually uses becomes apparent. With this map defining the ideal, security policies can then be intelligently deployed, allowing necessary traffic and preventing all else.
The NGFW (next-generation firewall) range also lets systems teams track every packet to an individual endpoint, thus identifying every aspect of network activity to assess its validity.
From a single iOS user to globally virtualized networks, Palo Alto Networks’ extensive range of hardware allows protection of both physical and virtual machines.
Suspicious activity can be sandboxed and payloads allowed to deploy safely, to learn their methods. This keeps potentially harmful traffic away from the organization’s network and creates an intelligent picture of acceptable or suspect activities.
The company also operates a broad network of its customers’ devices, so a malicious event against one customer will, in time, inform the whole Palo Alto Networks customer base.
Sharing of intelligence is, of course, something which has always underpinned the cybersecurity community, but by letting its entire customer base pool data, greater reliance can be placed on the protection by all who deploy the company’s solutions.
*Some of the companies featured in this article are commercial partners of Tech Wire Asia