2024/08/21 17:55:45

Pavel Korostelev, "Security Code": Russian NGFW market is experiencing a boom in development

Pavel Korostelev, head of the product promotion department of the Security Code company, shared his vision of the prospects for the NGFW market in Russia, spoke about the main trends, and proposed his own segmentation of companies. In his opinion, we will see a surge in interest in cloud NGFWs in five years. About this and much more - in an interview with TAdviser.


What protection mechanisms should be implemented in NGFW?

Pavel Korostelev: If we are talking about security mechanisms, then this is a system for preventing intrusions in network traffic, streaming antivirus, monitoring user access to the Internet by category and by their own "black" and "white" lists. In addition, a user identification mechanism should be implemented to filter traffic not only by IP addresses, but also by user identifiers.

Also in NGFW, Site-to-Site VPN should be organized, that is, communication channel protection, and Remote Access VPN, which provides secure remote access. At the same time, it is necessary that NGFW supports domestic encryption algorithms, that is, GOST algorithms. Thus, the vendor will be able to cover the tasks related to both the protection of communication channels and the protection of remote access in government organizations.
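As an added illustration of the web-access mechanisms listed in this answer (not code from Security Code's products), the block below models category-based filtering, the customer's own block and allow lists, and rules keyed to a user identity rather than an IP address; the category feed, session map, host names and user names are all constructed for the example.

```python
"""Constructed model of NGFW web-access control: URL categories, own
block/allow lists, and user-identity rules independent of the client IP."""
from dataclasses import dataclass, field

# Constructed category feed (a real NGFW receives this via vendor signature updates)
URL_CATEGORIES = {
    "news.example": "news",
    "social.example": "social",
    "malware.example": "malicious",
    "partner.example": "business",
}

@dataclass
class Policy:
    block_categories: set = field(default_factory=lambda: {"malicious"})
    blocklist: set = field(default_factory=set)   # customer's own "black" list
    allowlist: set = field(default_factory=set)   # customer's own "white" list
    # per-user category grants; the user comes from the identification mechanism
    user_allowed_categories: dict = field(default_factory=dict)

def decide(policy, user, host):
    """Return ("allow"|"block", reason). Precedence: own block list, then own
    allow list, then globally blocked categories, then per-user category grants."""
    if host in policy.blocklist:
        return "block", "blocklist"
    if host in policy.allowlist:
        return "allow", "allowlist"
    category = URL_CATEGORIES.get(host, "unknown")
    if category in policy.block_categories:
        return "block", f"category:{category}"
    allowed = policy.user_allowed_categories.get(user)
    if allowed is None:
        return "block", "unknown-user"  # unidentified clients get no web access
    if category in allowed:
        return "allow", f"user:{user}:{category}"
    return "block", f"user:{user}:{category}"

# Constructed identity map: one user keeps the same policy across IP changes
# (DHCP lease change, VPN reconnect), which pure IP-based rules cannot express
SESSIONS = {"10.0.0.5": "alice", "10.0.0.9": "alice", "10.0.0.7": "bob"}

def decide_for_ip(policy, src_ip, host):
    """Resolve the source IP to a user identity, then apply the policy."""
    return decide(policy, SESSIONS.get(src_ip), host)
```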

What are the requirements for the hardware and base software running NGFW?

Pavel Korostelev: In this matter, everything depends on the use case, of which there are five:

  • perimeter NGFW;
  • data center (DPC) level NGFW;
  • NGFW to protect process networks;
  • NGFW for Medium and Small Businesses;
  • geographically distributed NGFW.

In the first four, much depends on the ability to provide a firewall, so there can be both relatively small devices and high-performance ones. For example, in the context of a data center-level firewall, a high level of fault tolerance and, of course, high bandwidth is required.

If we talk about the protection of APCS, then in this variant it is necessary to protect the hardware from additional loads: vibration, dust, moisture, low or high temperatures, depending on the conditions in which the devices will be used. There should also be specialized rack mounts.

As for the requirements for basic software, this is primarily high optimization, because NGFW has a lot of different mechanisms that consume hardware resources, and they are always lacking. High stability is also required, because the firewall is deployed inline, and incorrect operation of NGFW that leads to its freezing or disconnection will negatively affect the health of the entire network. Advanced fault tolerance mechanisms are added to this, so firewalls, as a rule, work in an Active/Standby cluster. And if one fails, then its functions are quickly taken over by the other, and users do not even see the switching process.

Also, within the framework of basic software, a high level of security is extremely important, which implies the absence of vulnerabilities. The fact is that the firewall looks outside, into the "wild" Internet, and from there something will definitely come, so the developer must thoughtfully and carefully test the software for vulnerabilities.

Separately, it should be noted that for state organizations belonging to the subjects of critical information infrastructure (CII), equipment must necessarily be included in the RAP and, accordingly, have TORP status. That is, it is necessary that the product be developed and assembled in Russia, and the vendor has all the design documentation and source codes. Thus, a higher level of logistical predictability is provided, and the solution can be sold in those sectors of the economy where there are strict localization requirements. In this regard, Security Code was the first company on the market to have its entire line of equipment with TORP status.

Is it possible to implement NGFW in the form of cloud services? How promising is it?

Pavel Korostelev: The question is quite complex, because, on the one hand, NGFW in the form of a cloud service is a frequent story, but you need to understand that protection, as a rule, is implemented only for those loads that are located in the same cloud. In addition, operators tend to use the built-in firewall provided by the cloud operator, and not the vendor firewall that protects the main network. This is due to the fact that usually "clouds" are used by individual teams of the company, and these infrastructures are often not integrated into a common infrastructure.

In general, NGFW in the form of cloud services can be considered a promising direction, but it depends on the level of development of cloud services, and not network infrastructure and firewalls. So we will see a surge of interest in this story not now, but, in the medium term, in about five years.

Which product support infrastructure should be on the side of the NGFW manufacturer?

Pavel Korostelev: First, there should be technical support, since the firewall is a critical device, and disconnecting it can bring down the entire network. Secondly, service support is needed. 95% of firewalls are hardware, and if something goes wrong with any of their components, then this will again lead to serious consequences.

The third point is the presence of support related to updating signatures, that is, the vendor must be able to independently create signatures for the security mechanisms implemented in NGFW. In addition to this, the vendor must provide an open API for interacting with external entities: these are providers of knowledge about threats, such as indicators of compromise; these are technology partners that provide additional value relative to the implemented firewall, for example, a multifactor authentication mechanism, an additional layer of traffic verification in a sandbox, load balancing using an external broker, a SOAR system (orchestration and automatic response to an incident). By and large, this is an open ecosystem, and it is extremely important for the firewall to be considered full-fledged.

Given the criticality of NGFW, the vendor should also provide a monitoring service. As a rule, all NGFW manufacturers have their own SOPKA services, where information about incidents is sent and then goes to the NCCCA. In addition to this mechanism, Security Code implements monitoring of device stability. That is, we monitor the performance of NGFW, and if we notice that something may go wrong with it, we proactively notify the customer about it and respond in a timely manner. This feature is free if the client has advanced technical support.

How do you rate the Russian NGFW market? Name the key trends in its development.

Pavel Korostelev: The Russian NGFW market is experiencing a boom in development. In two years, it has grown about three times, while the vacuum that arose after the departure of the Big Four is practically closed. There are only about one and a half billion "extra" money left.

The process of forming the market was also completed, which has now stratified into several echelons.

The first is two leaders, one of whom is the "Security Code," whose solutions customers are actively implementing in their infrastructures. These customers include those organizations that must switch to domestic solutions before the beginning of 2025, while they often prefer to buy products from both tops at once.

The second echelon is vendors that offer more niche solutions: APCS protection, protection of small and medium-sized businesses, and so on. Their products have already been developed and certified, but they are "shipped" many times less than the leaders.

The third tier is players who have either not released a solution or have released some beta versions at the moment. At best, they will be certified by the end of the year, and most likely only next. In fact, they do not have working solutions, but they exist in the info field.

The fourth echelon includes foreign products that have not left the Russian market. This applies to Chinese, Israeli and a number of other vendors.

Naturally, the main trend of our market is the active phase of the transition of infrastructures of domestic organizations from foreign products, even friendly countries, to Russian ones. At the same time, customers prefer to buy solutions from several vendors at once, and then choose who fulfills their promises better, how efficiently the products work, what is the level of technical support.

Which industries are most promising for NGFW implementation? How does CII legislation affect this?

Pavel Korostelev: In general, NGFW is a fairly independent segment of the industry, and state organizations, IT and telecom, financial organizations, power and manufacturing are most active here. Companies in these industries are in the intensive stage of import substitution: some have already switched to Russian products, others are planning to and at the same time work with vendors, sharing their needs. Of course, the law on CII affects all these companies directly, because the requirements for the subjects of CII are critical, firstly, for protection, and secondly, for import substitution, which must be completed by January 1, 2025.

What specialists are needed to ensure the operation of NGFW on the customer's side? Assess the need for personnel for the ubiquitous adoption of these products.

Pavel Korostelev: Since NGFW is not some fundamentally new product category, there are enough personnel experienced in network technologies on the market.

In terms of personnel, first of all it is worth highlighting network infrastructure specialists, because most often they are the ones operating the NGFW. Then you need information security specialists who must understand the security mechanisms and know how to correctly create security policies, including which user may go where, what traffic needs to be blocked or passed, and so on. The third category in demand is cybersecurity analysts of the security operations center, aka SOC. They should be able to understand the context of network threats, respond to them correctly, and make the necessary changes to the NGFW settings.

What cybersecurity trends will determine the future development of NGFW in Russia over the next 3 years? How different are they from global trends?

Pavel Korostelev: First of all, this is an increase in the requirements for the throughput of equipment, because this market segment is less filled with domestic solutions than the rest. Although it is not very large in volume, it is critical. The next trend is the development and implementation of machine learning and artificial intelligence protection mechanisms, as well as the integration of security tools among themselves to exchange information and gain more context, which will allow for joint response at the network and endpoint levels.

At the same time, Russian trends are very different from global ones, because, for example, a phase transition has already occurred in the west, and the center of attraction has shifted from the customer's own infrastructure to the cloud. Therefore, cloud firewalls, control systems, and so on have become very widespread. This is not yet visible in our market, but if customers have such needs, vendors will quickly come to this.

At the same time, we are likely to see the implementation of the hybrid firewall concept. Since the customer's infrastructure is in different environments (physical, virtual, distributed), firewalls for their protection will have a different set of requirements. The idea of hybrid NGFW is that over time they will be more and more different from each other. For example, in the west, firewalls for public "clouds" technologically already differ quite seriously from ordinary hardware NGFWs.

The mechanisms associated with determining the trust of network nodes will also be strengthened. That is, if, according to a security policy, traffic from a network host may be sent to another segment, but the host behaves suspiciously, the firewall will block it. This determination of trust is not easy from a technological point of view, but extremely promising.

Another promising story is the tendency to cooperate, which Security Code is implementing within the CyberAlliance. The concept stipulates that we take NGFW as the core of network security and build several technological partnerships around it, providing higher value to the customer. For example, if this is remote access, then we add mechanisms to control compliance with security requirements, the so-called compliance. If these are mechanisms for analyzing security policies, then integration with advanced means of detecting malicious software, that is, sandboxes.

In the segment of hardware solutions and everything related to increasing bandwidth, integration with network packet brokers and, in general, the construction of multi-node systems is underway. That is, we combine several NGFWs either within a blade server with a load balancer (switch), or as a separate set of firewalls that are interconnected by a network packet broker/balancer. From the point of view of the "Security Code," this approach is most promising in the matter of creating high-performance farms, because at the moment there are no sufficiently efficient chips on the domestic market that will allow you to quickly process traffic.