1.3. Next-generation firewalls and IPS
Next-generation firewalls: A traditional firewall provides stateful inspection of network traffic. It allows or blocks traffic based on state, port, and protocol, and filters traffic based on administrator-defined rules. In addition to access control, NGFWs can block modern threats such as advanced malware and application-layer attacks. According to Gartner's definition, a next-generation firewall must include:
Standard firewall capabilities like stateful inspection
Integrated intrusion prevention
Application awareness and control to see and block risky apps
Threat intelligence sources
Upgrade paths to include future information feeds
Techniques to address evolving security threats
In summary, a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.
Here are the common features of most NGFWs:
Standard firewall features: These include the traditional (first-generation) firewall functionalities such as stateful port/protocol inspection, Network Address Translation (NAT), and Virtual Private Network (VPN).
Application identification and filtering: This is the chief characteristic of NGFWs. This feature identifies and filters traffic based upon the specific applications, rather than just opening ports for all kinds of traffic. This prevents malicious applications and activity from using non-standard ports to avoid the firewall.
SSL and SSH inspection: NGFWs can even inspect SSL and SSH encrypted traffic. This feature decrypts traffic, makes sure the applications are allowed, checks other policies, and then re-encrypts the traffic. This provides additional protection from malicious applications and activity that tries to hide itself by using encryption to avoid the firewall.
Intrusion prevention: These are more intelligent capabilities and provide deeper traffic inspection to perform intrusion detection and prevention. Some of the NGFWs have built-in IPS functionality so that a stand-alone IPS might not be needed.
Directory integration: Most NGFWs include directory support (such as, Active Directory). For instance, they manage authorized applications based upon users and user groups.
Malware filtering: NGFWs can also provide reputation-based filtering to block applications that have a bad reputation. This functionality can check for phishing, viruses, and other malware sites and applications
Intrusion Prevention System (IPS): Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks. IPS analyses network traffic, can report and take corrective action on traffic that it deems malicious or harmful. This can be implemented as an appliance, as a blade, or as a module in an ASA or IOS router. The primary method for identifying problem traffic is through signature matching.
The following are true about IPS (Intruder Prevention System):
It adds some amount of delay to the network traffic, as it scans each packet for any malicious content.
Because the IPS is inline, it can normalize (manipulate or modify) traffic inline based on a current set of rules.
Unlike IDS (Intruder Detection System), an IPS works inline. So, every packet goes through IPS before being forwarded.
IPS/IDS sensors send out alerts if any suspicious event occurs. There are three main ways that are used widely for this purpose. These are:
Security device event exchange (SDEE)
IPS Manager Express (IME) and Cisco Security Manager (CSM) are two methods where you get alerts via SDEE. IME can support up to 10 sensors, where as CSM can support up to 25 sensors.
Intruder Prevention System (IPS): IPS analyses network traffic, can report and take corrective action on traffic that it deems malicious or harmful. This can be implemented as an appliance, as a blade, or as a module in an ASA or IOS router. The primary method for identifying problem traffic is through signature matching.
Cisco Security Manager (CSM): This is an enterprise-level configuration tool that you can use to manage most security devices.
Cisco Security Intelligence Operations (SIO) Service: The SIO researches and analyses threats and provides real-time updates on these threats. There is also an application for smart phones.