What is a Next Generation Firewall (NGFW) ?

A class of firewalls designed to filter network and Internet traffic based upon the applications or traffic types using specific ports. The application-specific granular security policies provided by Next Generation Firewalls help them detect application-specific attacks, giving them the potential to catch more malicious activity than more traditional firewalls.

Next Generation Firewalls (NGFWs) blend the features of a standard firewall with quality of service (QoS) functionalities, application identification that is agnostic to the TCP/UDP port used, integration with Active Directory for User Identification in order to provide smarter and deeper inspection that is actionable and measurable. In many ways a Next Generation Firewall combines the capabilities of first-generation network firewalls and network intrusion prevention systems (IPS), user identity based security by enforcing role based access control (RBAC) while also offering additional features such as SSL and SSH inspection, reputation-based malware filtering and Active Directory integration support.

DTS Solution works with multiple network security vendors that manufacturers enterprise-grade and commercial-grade NGFWs that include Juniper Networks (AppSecure Suite) and Fortinet (FortiGate) NGFW.

Next Generation Firewall Solutions

Application Control

Application Control makes it possible to recognize applications independent from their communication TCP/UDP port values. Having a stateful firewall does not necessarily protect from threats which are hidden inside applications or from threats using the same communication ports as well known protocols like HTTP.

Malicious applications are embedded into known ports such as HTTP that can bypass traditional stateful-inspection firewalls. Modern Application Control solutions also referred to as Next Generation Firewalls are able to recognize more than 1000+ different applications; blocking P2P traffic, identifying Facebook applications or streaming applications like Youtube, providing granular security context and application awareness features.

Application Control solutions also increase network visibility, giving your security operations team understanding of the most common used application within your organization. With such visibility and awareness, security risks can be identified where unauthorized applications are being utilized such as BitTorrnet or eMule, whilst enhancing user experience by implementing QoS for certain critical applications.

Application Control Solutions can leverage and integrate with User Identity solutions providing the possibility to control the application usage behaviour for specific users or groups. By integration with a User Identity, Application Control feature extends visibility by providing your organization with awareness on individual users or groups that utilize particular set of applications.

DTS Professional Service has a high level expertise in Application Control Solutions, through successful design, delivery and support of key projects.

Contact our sales team for more information on Application Control security solutions and how it can help your organization with detailed application, user and content based awareness.

Application Control

Application Traffic Classification

Accurate traffic classification is the heart of any firewall, with the result becoming the basis of the security policy. Traditional firewalls classify traffic by port and protocol, which, at one point, was a satisfactory mechanism for securing the perimeter. Today, applications can easily bypass a port-based firewall; hopping ports, using SSL and SSH, sneaking across port 80, or using non-standard ports. App-Control and App-ID a patent-pending traffic classification mechanism that is unique to NGFWs, addresses the traffic classification limitations that plague traditional firewalls by applying multiple classification mechanisms to the traffic stream, as soon as the device sees it, to determine the exact identity of applications traversing the network.

Classify traffic based on applications, not ports.

App-ID uses multiple identification mechanisms to determine the exact identity of applications traversing the network. The identification mechanisms are applied in the following manner:

  • Traffic is first classified based on the IP address and port.
  • Signatures are then applied to the allowed traffic to identify the application based on unique application properties and related transaction characteristics.
  • If App-ID determines that encryption (SSL or SSH) is in use and a decryption policy is in place, the application is decrypted and application signatures are applied again on the decrypted flow.
  • Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (e.g., Yahoo! Instant Messenger used across HTTP).
  • For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.

As the applications are identified by the successive mechanisms, the policy check determines how to treat the applications and associated functions: block them, or allow them and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.

Always on, always the first action taken across all ports.

Classifying traffic with App-ID is always the first action taken when traffic hits the firewall, which means that all App-IDs are always enabled, by default. There is no need to enable a series of signatures to look for an application that is thought to be on the network; App-ID is always classifying all of the traffic, across all ports - not just a subset of the traffic (e.g., HTTP). All App-IDs are looking at all of the traffic passing through the device; business applications, consumer applications, network protocols, and everything in between. App-ID continually monitors the state of the application to determine if the application changes midstream, providing the updated information to the administrator in ACC, applies the appropriate policy and logs the information accordingly. Like all firewalls, next-generation firewalls use positive control, default deny all traffic, then allow only those applications that are within the policy. All else is blocked.

All classification mechanisms, all application versions, all OS's.

App-ID operates at the services layer, monitoring how the application interacts between the client and the server. This means that App-ID is indifferent to new features, and it is client or server operating system agnostic. The result is that a single App-ID for BitTorrent is going to be roughly equal to the many BitTorrent OS and client signatures that need to be enabled to try and control this application in other offerings.

Full visibility and control of custom and internal applications.

Internally developed or custom applications can be managed using either an application override or custom App-IDs. An applications override effectively renames the traffic stream to that of the internal application. The other mechanism would be to use the customizable App-IDs based on context-based signatures for HTTP, HTTPs, FTP, IMAP, SMTP, RTSP, Telnet, and unknown TCP /UDP traffic. Organizations can use either of these mechanisms to exert the same level of control over their internal or custom applications that may be applied to SharePoint, Salesforce.com, or FaceBook.

Securely Enabling Applications Based on Users & Groups

Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and applications mean that IP addresses alone have become ineffective as a mechanism for monitoring and controlling user activity. Next-generation firewalls integrate with the widest range of user repositories on the firewall market, enabling organizations to incorporate user and group information into their security policies. Through User-ID, organizations also get full visibility into user activity on the network as well as user based.

Transparent use of users and groups for secure application enablement.

User-ID seamlessly integrates with next-generation firewalls with the widest range of enterprise directories on the market; Active Directory, eDirectory, Open LDAP, Citrix Terminal Server, Microsoft Terminal Server, and XenWorks. A network-based User-ID agent communicates with the domain controller, mapping the user information to the firewall, making the policy tie-in completely transparent to the end-user.

Integrating users and groups via an explicit, challenge / response mechanism.

In cases where user repository information may be ineffective, a captive portal challenge/response mechanism can be used to tie users into the security policy. In addition to an explicit username and password prompt, Captive Portal can also be configured to send a NTLM authentication request to the web browser in order to make the authentication process transparent to the user.

Integrate user information from other user repositories.

In cases where organizations have a user repository or application that already has knowledge of users and their current IP address, a standards-based XML API can be used to tie the repository to the next-generation firewall.

User Identification

Protect the network from threats, control web surfing and limit file/data transfer.

Content-ID combines a real-time threat prevention engine with a comprehensive URL database and elements of application identification to limit unauthorized data and file transfers, detect and block a wide range of threats and control non-work related web surfing. The application visibility and control delivered by App-ID, combined with the content inspection enabled by Content-ID means that IT departments can regain control over application traffic and the related content.

NSS-rated IPS

The NSS-rated IPS blocks known and unknown vulnerability exploits, buffer overflows, DoS attacks and port scans from compromising and damaging enterprise information resources. IPS mechanisms include:
  • Protocol decoder-based analysis statefully decodes the protocol and then intelligently applies signatures to detect vulnerability exploits.
  • Protocol anomaly-based protection detects non-RFC compliant protocol usage such as the use of overlong URI or overlong FTP login.
  • Stateful pattern matching detects attacks across more than one packet, taking into account elements such as the arrival order and sequence.
  • Statistical anomaly detection prevents rate-based DoS flooding attacks.
  • Heuristic-based analysis detects anomalous packet and traffic patterns such as port scans and host sweeps.
  • Custom vulnerability or spyware phone home signatures that can be used in the either the anti-spyware or vulnerability protection profiles.
  • Other attack protection capabilities such as blocking invalid or malformed packets, IP defragmentation and TCP reassembly are utilized for protection against evasion and obfuscation methods employed by attackers.
Traffic is normalized to eliminate invalid and malformed packets, while TCP reassembly and IP de-fragmentation is performed to ensure the utmost accuracy and protection despite any attack evasion techniques.

URL Filtering

Complementing the threat prevention and application control capabilities is a fully integrated, URL filtering database consisting of 20 million URLs across 76 categories that enables IT departments to monitor and control employee web surfing activities. The on-box URL database can be augmented to suit the traffic patterns of the local user community with a custom, 1 million URL database. URLs that are not categorized by the local URL database can be pulled into cache from a hosted, 180 million URL database. In addition to database customization, administrators can create custom URL categories to further tailor the URL controls to suit their specific needs. URL filtering visibility and policy controls can be tied to specific users through the transparent integration with enterprise directory services (Active Directory, LDAP, eDirectory) with additional insight provided through customizable reporting and logging.

File and Data Filtering

Data filtering features enable administrators to implement policies that will reduce the risks associated with the transfer of unauthorized files and data.

  • File blocking by type: Control the flow of a wide range of file types by looking deep within the payload to identify the file type (as opposed to looking only at the file extension).
  • Data filtering: Control the transfer of sensitive data patterns such as credit card and social security numbers in application content or attachments.
  • File transfer function control: Control the file transfer functionality within an individual application, allowing application use yet preventing undesired inbound or outbound file transfer.