Network Security Solutions

Next Generation Firewall

DTS Solution works with multiple network security vendors that manufacture enterprise-grade and commercial-grade NGFWs, including Juniper Networks (AppSecure Suite) and Fortinet (FortiGate).


What is a Next Generation Firewall (NGFW) ?

A class of firewalls designed to filter network and Internet traffic based on the application or traffic type, regardless of the specific ports it uses. The application-specific, granular security policies provided by Next Generation Firewalls help them detect application-specific attacks, giving them the potential to catch more malicious activity than traditional firewalls.
Next Generation Firewalls (NGFWs) blend the features of a standard firewall with quality of service (QoS) functionality, application identification that is agnostic to the TCP/UDP port used, and Active Directory integration for user identification, in order to provide smarter and deeper inspection that is actionable and measurable. In many ways an NGFW combines the capabilities of first-generation network firewalls and network intrusion prevention systems (IPS) with user-identity-based security that enforces role-based access control (RBAC), while also offering additional features such as SSL and SSH inspection, reputation-based malware filtering and Active Directory integration.
Application Control

Application Control makes it possible to recognize applications independently of the TCP/UDP ports they communicate on. A stateful firewall does not necessarily protect against threats hidden inside applications, or against threats that use the same ports as well-known protocols such as HTTP.
Malicious applications tunnel over well-known ports such as those used by HTTP and can therefore bypass traditional stateful-inspection firewalls. Modern Application Control solutions, also referred to as Next Generation Firewalls, are able to recognize more than 1000 different applications: blocking P2P traffic, identifying Facebook applications or streaming applications like YouTube, and providing granular security context and application awareness.
Application Control solutions also increase network visibility, giving your security operations team an understanding of the most commonly used applications within your organization. With that visibility and awareness, security risks can be identified where unauthorized applications such as BitTorrent or eMule are in use, while the user experience is improved by applying QoS to critical applications.

DTS Professional Service has a high level of expertise in Application Control solutions, built through the successful design, delivery and support of key projects.

Contact our sales team for more information on Application Control security solutions and how they can help your organization with detailed application, user and content based awareness.

Application Traffic Classification
Accurate traffic classification is the heart of any firewall, with the result becoming the basis of the security policy. Traditional firewalls classify traffic by port and protocol, which, at one point, was a satisfactory mechanism for securing the perimeter. Today, applications can easily bypass a port-based firewall by hopping ports, using SSL and SSH, sneaking across port 80, or using non-standard ports. App-Control and App-ID, a patent-pending traffic classification mechanism that is unique to NGFWs, address the traffic classification limitations that plague traditional firewalls by applying multiple classification mechanisms to the traffic stream as soon as the device sees it, to determine the exact identity of the applications traversing the network.
Classify traffic based on applications, not ports.
App-ID uses multiple identification mechanisms to determine the exact identity of applications traversing the network. The identification mechanisms are applied in the following manner:
As the applications are identified by the successive mechanisms, the policy check determines how to treat the applications and associated functions: block them, or allow them and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.
Always on, always the first action taken across all ports.
Classifying traffic with App-ID is always the first action taken when traffic hits the firewall, which means that all App-IDs are always enabled by default. There is no need to enable a series of signatures to look for an application that is thought to be on the network; App-ID is always classifying all of the traffic, across all ports, not just a subset of the traffic (e.g., HTTP). All App-IDs are looking at all of the traffic passing through the device: business applications, consumer applications, network protocols, and everything in between. App-ID continually monitors the state of the application to determine whether the application changes midstream; when it does, the updated information is presented to the administrator in ACC, the appropriate policy is applied and the information is logged accordingly. Like all firewalls, next-generation firewalls use positive control: deny all traffic by default, then allow only those applications that are within the policy. All else is blocked.
All classification mechanisms, all application versions, all OSs.
App-ID operates at the services layer, monitoring how the application interacts between the client and the server. This means that App-ID is indifferent to new features, and it is client or server operating system agnostic. The result is that a single App-ID for BitTorrent is going to be roughly equal to the many BitTorrent OS and client signatures that need to be enabled to try and control this application in other offerings.
Full visibility and control of custom and internal applications.

Internally developed or custom applications can be managed using either an application override or custom App-IDs. An application override effectively renames the traffic stream to that of the internal application. The other mechanism is to use customizable App-IDs based on context-based signatures for HTTP, HTTPS, FTP, IMAP, SMTP, RTSP, Telnet, and unknown TCP/UDP traffic. Organizations can use either of these mechanisms to exert the same level of control over their internal or custom applications that may be applied to SharePoint, Salesforce.com, or Facebook.
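As an added illustration (not code from DTS Solution or any firewall vendor), the following Python sketch shows the classification-then-policy flow described above: applications are identified from what the client actually sends rather than from the destination port, an application override and a custom App-ID cover internal applications, and a positive-control policy denies anything not explicitly allowed. All signatures, sample flows, policy entries and the `crm.corp.example` name are constructed for the example.

```python
"""Toy App-ID-style classifier with default-deny policy.

Added example, not vendor code. Signatures, flows, ports and policy entries
below are constructed for illustration only.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes  # first bytes sent by the client (constructed samples)


# Context-based signatures, checked in order. They match on the payload, so a
# port hop or a non-standard port does not change the identification result.
SIGNATURES = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("ssh",        re.compile(rb"^SSH-2\.0-")),
    ("tls",        re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS handshake record
    ("http",       re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
]

# Hypothetical custom App-ID: an internal app recognised by its HTTP Host header.
CUSTOM_SIGNATURES = [
    ("internal-crm", re.compile(rb"\r\nHost: crm\.corp\.example\r\n")),
]

# Hypothetical application override: traffic to this port is renamed outright.
APP_OVERRIDES = {8443: "internal-build-server"}


def identify_app(flow: Flow) -> str:
    """Return the application name for a flow, independent of its port."""
    if flow.dst_port in APP_OVERRIDES:
        return APP_OVERRIDES[flow.dst_port]
    for app, sig in CUSTOM_SIGNATURES:  # custom App-IDs refine the generic ones
        if sig.search(flow.payload):
            return app
    for app, sig in SIGNATURES:
        if sig.match(flow.payload):
            return app
    return "unknown-tcp"


# Positive control: applications not listed here are denied.
POLICY = {
    "http":                  "allow+scan",
    "tls":                   "allow+scan",
    "internal-crm":          "allow+qos",
    "internal-build-server": "allow",
}


def decide(flow: Flow) -> tuple:
    """Classify first, then look the application up in the policy (default deny)."""
    app = identify_app(flow)
    return app, POLICY.get(app, "deny")


if __name__ == "__main__":
    # BitTorrent on port 80 is still identified as BitTorrent and denied.
    print(decide(Flow("10.0.0.5", 80, b"\x13BitTorrent protocol" + b"\x00" * 8)))
    print(decide(Flow("10.0.0.5", 8080, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n")))
```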

Securely Enabling Applications Based on Users & Groups
Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and applications means that IP addresses alone have become ineffective as a mechanism for monitoring and controlling user activity. Next-generation firewalls integrate with the widest range of user repositories on the firewall market, enabling organizations to incorporate user and group information into their security policies. Through User-ID, organizations also get full visibility into user activity on the network as well as user based.
Transparent use of users and groups for secure application enablement
User-ID integrates next-generation firewalls with the widest range of enterprise directories on the market: Active Directory, eDirectory, OpenLDAP, Citrix Terminal Server, Microsoft Terminal Server, and XenWorks. A network-based User-ID agent communicates with the domain controller and relays the user-to-IP mapping information to the firewall, making the policy tie-in completely transparent to the end-user.
Integrating users and groups via an explicit, challenge / response mechanism
In cases where user repository information is unavailable or unreliable, a captive portal challenge/response mechanism can be used to tie users into the security policy. In addition to an explicit username and password prompt, Captive Portal can also be configured to send an NTLM authentication request to the web browser in order to make the authentication process transparent to the user.
Integrate user information from other user repositories

In cases where organizations have a user repository or application that already has knowledge of users and their current IP address, a standards-based XML API can be used to tie the repository to the next-generation firewall.
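As an added illustration (not code from DTS Solution or any firewall vendor), this Python sketch shows the User-ID flow described in this section: a user-to-IP table is learned from domain-controller logon events, group membership drives the policy decision instead of the raw IP, mappings expire so a reused address is not attributed to the previous user, and a flow with no mapping is diverted to the captive portal challenge rather than decided on IP alone. The events, users, groups, TTL value and policy entries are all constructed for the example.

```python
"""Toy User-ID-style mapping with group-based policy and captive-portal fallback.

Added example, not vendor code. Logon events, users, groups, the TTL and the
policy table are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class Mapping:
    user: str
    learned_at: int  # seconds since epoch when the logon event was seen


# Mappings expire so a DHCP lease reused by another host is not misattributed.
MAPPING_TTL = 45 * 60

# Constructed domain-controller logon events (Windows 4624-style fields).
DC_EVENTS = [
    {"time": 1000, "user": "CORP\\alice", "ip": "10.0.1.20"},
    {"time": 1100, "user": "CORP\\bob",   "ip": "10.0.1.21"},
    {"time": 1200, "user": "CORP\\alice", "ip": "10.0.1.22"},  # alice on a 2nd host
]

# Constructed directory group membership.
GROUPS = {"CORP\\alice": {"finance"}, "CORP\\bob": {"engineering"}}

# Policy keyed by (group, application); anything not listed is denied.
POLICY = {
    ("finance", "salesforce"): "allow",
    ("engineering", "github"): "allow",
    ("engineering", "ssh"):    "allow+scan",
}


def build_ip_user_map(events) -> dict:
    """Latest logon per IP wins, mirroring what a User-ID agent reports."""
    table = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        table[ev["ip"]] = Mapping(ev["user"], ev["time"])
    return table


def resolve_user(table: dict, ip: str, now: int):
    """Return the user mapped to ip, or None if unknown or expired."""
    m = table.get(ip)
    if m is None or now - m.learned_at > MAPPING_TTL:
        return None
    return m.user


def decide(table: dict, ip: str, app: str, now: int) -> str:
    """Decide by user group, falling back to the captive portal when unmapped."""
    user = resolve_user(table, ip, now)
    if user is None:
        return "captive-portal"  # explicit challenge/response instead of IP-only
    for group in GROUPS.get(user, ()):
        action = POLICY.get((group, app))
        if action:
            return action
    return "deny"  # positive control: no matching (group, app) rule


if __name__ == "__main__":
    table = build_ip_user_map(DC_EVENTS)
    print(decide(table, "10.0.1.21", "github", now=1500))      # allow
    print(decide(table, "10.0.1.99", "github", now=1500))      # captive-portal
```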

Protect the network from threats, control web surfing and limit file/data transfer.
Content-ID combines a real-time threat prevention engine with a comprehensive URL database and elements of application identification to limit unauthorized data and file transfers, detect and block a wide range of threats and control non-work related web surfing. The application visibility and control delivered by App-ID, combined with the content inspection enabled by Content-ID means that IT departments can regain control over application traffic and the related content.
NSS-rated IPS
The NSS-rated IPS blocks known and unknown vulnerability exploits, buffer overflows, DoS attacks and port scans from compromising and damaging enterprise information resources. IPS mechanisms include:
Traffic is normalized to eliminate invalid and malformed packets, while TCP reassembly and IP de-fragmentation is performed to ensure the utmost accuracy and protection despite any attack evasion techniques.
URL Filtering
Complementing the threat prevention and application control capabilities is a fully integrated URL filtering database consisting of 20 million URLs across 76 categories that enables IT departments to monitor and control employee web surfing activities. The on-box URL database can be augmented to suit the traffic patterns of the local user community with a custom 1 million URL database. URLs that are not categorized by the local URL database can be pulled into cache from a hosted 180 million URL database. In addition to database customization, administrators can create custom URL categories to further tailor the URL controls to suit their specific needs. URL filtering visibility and policy controls can be tied to specific users through the transparent integration with enterprise directory services (Active Directory, LDAP, eDirectory), with additional insight provided through customizable reporting and logging.
File and Data Filtering
Data filtering features enable administrators to implement policies that will reduce the risks associated with the transfer of unauthorized files and data.
