NGFW Day 2025
On April 24, TAdviser hosted NGFW Day 2025 in Moscow, a conference on next-generation firewalls. Vendor representatives talked about the evolution of their own products and shared their successes. Speakers from customer organizations described the problems of using domestic NGFW products and gave recommendations for improving them.
The conference was attended by representatives of such organizations as Samolet, Bonduel, FGKU UVO VNG of Russia in the city of Moscow, Magnit, Delicate Logistics, Rosseti Tsygna, Inter RAO-IT, Sberbank Leasing, Kerama Marazzi.
The event was moderated by Dmitry Kostrov, Deputy General Director for Information Security, IEK GROUP.
We're not ripe yet
Sergey Savchenko, head of the information security department, "Air Gate of the Northern Capital," spoke about how NGFW firewalls help protect critical infrastructure.
"Previously, the business wanted to have unlimited access from inside to outside and vice versa, but that was another time, and access had to be limited," says Sergey Savchenko. "The airport ranks first in the number of attacks: we repel up to 500 thousand different attacks per day."
The speaker presented the company's protection scheme, in which firewalls from three different manufacturers operate. He also listed the protection methods used in NGFW. These include deep packet inspection, an intrusion prevention system, application control, and so on.
Sergey Savchenko also named the disadvantages of using a perimeter NGFW. Among them are false positives after initial configuration and after signature updates, possible packet delay due to inspection, and high cost.
"It was critical for us to have GOST encryption in NGFW," the speaker emphasized.
To begin with, he recalled Federal Law No. 187 of 26.07.2017 "On the Security of the Critical Information Infrastructure of the Russian Federation."
The "Intelligent Electricity Accounting System" (ISUE) of the Rusenergosbyt company falls under this regulation; it provides for the possibility of remotely cutting off power to unscrupulous individual users. The key negative consequence of an incident in ISUE, which has social significance, is the possibility of an unauthorized power outage. A firewall is one of the technical means of protecting the system.
Andrei Vaskovsky gave a short review of the leading products of the Russian NGFW market, including solutions from UserGate, Positive Technologies, Ideco, Security Code, Solar and Infotecs. The speaker did not say which domestic product was chosen, but noted that it took six months to configure the chosen firewall. As a result, the system is configured and everything works. However, Cisco is still used as an additional layer of protection.
Among other things, the speaker named the shortcomings inherent in all Russian solutions in comparison with Western products. First, they are less effective because of the technological lag. Zero-day coverage is lower because the community of researchers is smaller. Second, there are hardware limitations caused by dependence on imported components. The ecosystem is limited, third-party integrations are insufficient, updates are delayed, some products lack GOST encryption, and the price is high due to the monopolization of the domestic market.
Vyacheslav Kasimov, Director of the Information Security Department, Moscow Credit Bank, recalled the need to replace Western firewalls because Russian companies have stopped receiving updates. In addition, the law requires such a step.
The speaker listed possible ways to solve the problem. The first is to rely on parallel imports and alternative support. On the plus side, this is the cheapest way, and it is sure to work. The disadvantage lies in non-trivial procedures for interaction with regulators. The second option is to purchase a Russian NGFW. A domestic solution not only replaces imported Western software, but also makes it possible to develop the product for yourself. However, it is expensive and the functionality is limited. There will be problems with throughput, with security, and with long implementation times.
You can also break the NGFW down into separate solutions. Again, you get a domestic product, along with flexibility in choosing technologies. But it is not cheap either. In addition, some of the functionality is still absent, and it will be difficult to manage the system as a whole. The last option is in-house development based on open components. The pros: it is a domestic solution, and you develop it for yourself. The cons are the implementation time and dependence on engineers and architects.
"A next-generation firewall is a complex technical device that contains a whole pool of technologies," recalled Vyacheslav Kasimov. "In Russia, NGFW products have been under development only recently, so it is not surprising that they are still immature."
Business doesn't want to work as a beta tester
Ilya Borisov, director of the data protection department, VimpelCom, recalled that data must be protected at all levels: physical, infrastructure and application. He noted that in a large company, traffic generated from a compromised server by an attacker who has got inside the perimeter may not be noticed at all.
In this case, the following firewall functionality can help. Deep Packet Inspection (DPI) is used to detect suspicious file types (archives) sent outside, as well as to identify data patterns, such as personal data. There is encrypted traffic inspection (SSL Inspection) and DNS inspection, which detects anomalies in DNS traffic, finds DNS tunnels and blocks pre-domains. Traffic anomalies are also detected: unusual per-user patterns, traffic growth during non-working hours, and unusual destinations (protocols, addresses). Various integrations complement the functionality.
"Usually when people talk about data protection, NGFW is not even mentioned," explains Ilya Borisov. "However, firewall functionality is able to provide an additional level of data protection when an attacker has already got inside the perimeter and is downloading something."
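The DNS anomaly checks described above can be illustrated with a small detector. This is an added example, not code from the talk or from any vendor; the log format, the thresholds and the naive "last two labels" parent-domain rule are assumptions, and the log lines are constructed.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample DNS query log ("<ISO time> <client IP> <qname>");
# all names use the reserved .example TLD.
SAMPLE_LOG = """\
2025-04-24T10:01:02 10.0.5.17 www.corp.example
2025-04-24T10:01:05 10.0.5.17 mail.corp.example
2025-04-24T10:02:11 10.0.5.17 d1a2b3c4e5f6a7b8c9d0e1f2.cdn-assets.example
2025-04-24T02:13:40 10.0.9.44 0123456789abcdef0123456789abcdef.exfil-test.example
2025-04-24T02:13:41 10.0.9.44 fedcba9876543210fedcba9876543210.exfil-test.example
2025-04-24T02:13:43 10.0.9.44 00112233445566778899aabbccddeeff.exfil-test.example
2025-04-24T02:13:44 10.0.9.44 www.corp.example
"""

MIN_LEN = 24               # assumed threshold: subdomain length in characters
MIN_ENTROPY = 3.5          # assumed threshold: bits per character
MIN_UNIQUE = 3             # assumed threshold: distinct suspicious names per client/domain
WORK_HOURS = range(8, 20)  # assumed working hours, local time


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in Counter(text).values())


def split_qname(qname):
    """Return (subdomain, parent); parent is naively the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])


def find_dns_tunnel_candidates(log_text):
    """Flag (client, parent domain) pairs with many long, high-entropy subdomains."""
    groups = defaultdict(lambda: {"names": set(), "off_hours_queries": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing
        ts, client, qname = parts
        sub, parent = split_qname(qname)
        if len(sub) < MIN_LEN or shannon_entropy(sub) < MIN_ENTROPY:
            continue  # ordinary-looking name
        group = groups[(client, parent)]
        group["names"].add(sub)
        if datetime.fromisoformat(ts).hour not in WORK_HOURS:
            group["off_hours_queries"] += 1
    findings = []
    for (client, parent), group in sorted(groups.items()):
        # A single random-looking name (e.g. a CDN host) is not enough to alert.
        if len(group["names"]) >= MIN_UNIQUE:
            findings.append({"client": client, "domain": parent,
                             "unique_names": len(group["names"]),
                             "off_hours_queries": group["off_hours_queries"]})
    return findings


if __name__ == "__main__":
    for finding in find_dns_tunnel_candidates(SAMPLE_LOG):
        print(finding)
```

The single random-looking CDN name in the sample passes the length and entropy checks but is not reported, because the per-client count of distinct names stays below the threshold.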
Ivan Kokorev, Department of Information Protection and IT Infrastructure, MMC Norilsk Nickel, devoted his talk to the NGFW functions most in demand in the industrial sector, using the example of his company, most of whose production sites are located beyond the Arctic Circle. Norilsk Nickel conducts business in seven areas and unites 70 legal entities.
Until 2022, Norilsk Nickel used Western NGFWs and, as the speaker admitted, still uses them. At the same time, the company has adopted a strategy of gradually introducing domestic firewalls, but so far in small batches and at facilities that are less significant for the business.
Ivan Kokorev named the characteristics of a Russian NGFW that are necessary and expected first of all. For such a solution, the basic needs are covered by L7 firewall filtering with HTTPS inspection and IPS. Network capabilities are provided by a hybrid L2/L3 scheme with performance up to 40 Gbps. The product must scale horizontally and work with routing. As for management and integration, it requires convenient centralized management and monitoring, and integration with DLP, SIEM and SOAR systems. DPI is needed for application control. In general, the customer expects stable operation of the cluster and of the appliance.
He stressed that it is important for Norilsk Nickel to get stable Russian NGFWs that meet the basic requirements by 2027, while expanded functionality, for example filtering of industrial protocols, streaming antivirus and the like, can wait. In conclusion, the speaker emphasized that the company is ready to pass its requirements on to manufacturers, but does not want to act as a beta tester of raw solutions.
"We are actively working with Russian NGFW manufacturers and are waiting for more stable solutions to appear," said Ivan Kokorev. "For us, it is first of all stability, continuity and availability of services that are important. It seems that all Russian vendors want to implement everything at once, although to begin with it would be more correct to make a stable solution with limited functionality and then develop it."
Anastasia Gainetdinova, IT security analyst, Whoosh (VUSH), identified stop factors in the use of Russian NGFW-class solutions. They are expensive, perform poorly, are difficult to integrate with the current infrastructure, unsuitable, and difficult to manage.
The presenter elaborated on the complexity of management, on interfaces and on the need for integration with the infrastructure, emphasizing that the product should be friendlier towards users. Hints and clear reports for the business are needed.
She summarized her talk with the following points. Working with a Russian NGFW requires a high entry threshold of competence from a specialist. Firewall developers should remember that not only technical specialists but also managers work with NGFW reports. Compatibility is important not only within the ecosystem of a particular vendor; products from other manufacturers must not be forgotten.
"A visual interface, AI assistants and detailed documentation written in understandable language greatly simplify life for non-technical users," Anastasia Gainetdinova explained. "In addition, I really want customers to stop testing the possibility of integrating NGFW with the products of other vendors."
Need stability
Igor Matvienko, Head of NGFW Business Development, Positive Technologies, spoke about the company's success in developing a next-generation firewall. In November 2024, the commercial version of the NGFW was released, and the company has now entered the top five in terms of firewall market share. A level 4 FSTEC certificate has been obtained.
"An NGFW needs to work quickly and stably and reflect current threats, and on these indicators our product is no worse than those of Western vendors," says Igor Matvienko. "Our advantages are high performance, service at the level of Western vendors, and flexibility. And we also have the cheapest gigabit of protected traffic."
The speaker presented the Positive Technologies product line, which includes seven devices. All of them are listed in the registers of the Ministry of Digital Development and Minpromtorg. The vendor's commercial success in numbers looks like this: it has 45 customers and 46 distributors and partners in Russia. 256 firewalls have been shipped to customers. Positive Technologies took 4% of the NGFW market in 1.5 months of sales.
The speaker said that out of 256 shipped appliances, customers returned seven; only three devices were really defective, and in four cases the customer simply did not understand the device.
Alexander Lebedev, Head of Product Marketing, Ideco, spoke about the capabilities of the Ideco NGFW firewall, as well as product implementations in the corporate segment. At the beginning of the report, he noted that the Ideco NGFW firewall has already been chosen by more than 5 thousand customers, of which 2,600 are companies with a staff of over 500 people.
The speaker outlined the following benefits of the product. The system, built on a microservice architecture, is stable. An update without stopping production operation takes 5 minutes, restoring from a backup takes 30 seconds, and switching nodes in the cluster preserves sessions. Fault tolerance and redundancy are provided: when a server is disconnected, traffic is not lost. Remote work is supported. Automated migration from CheckPoint, Cisco, FortiGate and other Western systems has been established.
In conclusion, Alexander Lebedev presented several cases. At the St. Petersburg Tractor Plant, a seamless transition was made from the Kerio Control appliance to Ideco NGFW, and at Atrium Group of Companies import substitution was implemented in a distributed infrastructure, with an expansion from 180 infrastructure facilities to 300.
"We have been working with VPN for a long time, since the time of COVID," said Alexander Lebedev. "And we support not only user scenarios, but also interaction between branches over a secure channel."
Kirill Pryamov, NGFW Development Manager, UserGate, spoke about a new product in the line of NGFW solutions with increased performance - UserGate Data Center Firewall, designed for data center-level tasks.
He outlined the characteristics of the UserGate Data Center Firewall security functionality:
- Session Status Monitoring (FW L4)
- Application Control (FW L7)
- Intrusion Prevention (IPS)
- Network Address Translation (NAT)
- Employee Authentication (FW ID) and a number of others.
The network capabilities of the new product are static and dynamic routing, segmentation and scaling of networks (VLAN, VXLAN), optimization, balancing (PBR, VRF, ECMP, BFD, WCCP, DHCP).
"In the case of UserGate Data Center Firewall, we made our own version of the vector firewall, which can process up to 130 thousand firewall rules," said Kirill Pryamov.
In the near future, it is planned to logically divide appliances into independent virtual NGFWs, the so-called "contexts." Each will have its own settings, which will save resources and data center rack space.
The speaker also presented a line of hardware and software solutions, in particular the UserGate FG platform with hardware acceleration (achieved 85 Gb/s on EMIX) and a series of high-performance hybrid devices. All appliances are included in the registers of the Ministry of Industry and Trade of Russia.
NGFW will reveal phishing
Alexey Gromov, head of development, Korbit, identified three general types of companies that develop NGFWs. The first type is companies with system integration experience; they follow the path of developing next-generation firewalls based on open components. The second type is companies that develop crypto gateways or communication equipment (switches, routers, network brokers). The third is companies that develop network analyzers based on their own DPI solutions.
As Alexey Gromov said, the development of the Corebit.NGFW product started in 2022. Corbit chose to create its own system based on a DPI solution. The speaker described the evolution of the product in detail and listed which security functions were implemented and at what stage. He paid special attention to the development of a network management center for administrators, from the command line to a single-window web console.
"We started with a DPI solution, in which the division of the architecture into two planes was worked out," recalls Alexey Gromov. "This gave us the opportunity to reduce the number of OS calls and to use the processor cache effectively."
He introduced NGFW products, which are divided into three lines:
- for medium and small objects (three models, performance up to 16 Gbps);
- for control centers and large facilities (three models, up to 120 Gbps);
- for data center (two models, up to 180 Gbps).
Corebit.NGFW firewalls allow you to build a network security system using a network management center and high-performance multifunctional firewalls combined into a fault-tolerant cluster. The hardware platform on which the products of the Corebit.NGFW line are built is from Kraftway. The solution does not yet have commercial implementations; currently, the system is being tested in the company's internal environment.
Alexey Sorochenkov, General Director, A8Tekh, recalled the realities: Western vendors' licenses do not work and NGFW solutions are not supported. He then spoke about the path the company has taken over the past year, which started with the idea of the product and ended with serial production of software and hardware systems.
"Begonia is our answer to modern challenges," said Alexey Sorochenkov. "At the same time, we were engaged not only in the engineering work of creating an NGFW, but also tried to build a global ecosystem."
The Begonia NGFW is not a single product but an entire family of appliances with different performance levels. In addition to the NGFW systems themselves, the company's product line includes, in particular, Horizon routers and the A8IdentityMatrix access and identity control solution.
The advantages of Begonia, according to the speaker, are stability, high availability of devices and building an ecosystem taking into account information security.
Sergey Petrukhin, Head of Product Marketing, Kaspersky Lab, listed global trends in information security. Among them is the use of machine learning and artificial intelligence to detect threats, collect and analyze data, and update and work with rules. Attention is still drawn to the Zero Trust principle in the financial and public sectors and in health care. Also at the top are cloud security and Hybrid Mesh Firewall (hybrid cloud protection), the SASE (Secure Access Service Edge) concept and the convergence of security technologies.
Russian trends intersect with global ones in terms of requirements for integrated security and integration, the speaker says. Next, he listed the trends taken into account in the Kaspersky NGFW product, which has been in development since 2020:
- the use of AI and machine learning;
- development of hardware platforms;
- integrated security and technology convergence;
- SASE concept;
- new regulatory requirements.
"In the global market, NGFW is considered, among other things, a basic technology for protecting against ransomware and for identifying zero-day threats and phishing," says Sergey Petrukhin.
This year the product will be certified by FSTEC. The company's plans for 2026 include the release of Kaspersky NGFW and SD-WAN within a single hardware platform.
Core protection
Nikita Semenov, lead systems engineer, TS Solution, is confident that most companies have perimeter protection, but many do not control traffic at the network core level.
"And they also lack tools to identify malicious activity within the network," the speaker said. He presented typical schemes for organizing protection depending on the size of the company. The basic option assumes one network termination point and is suitable for small companies. In the standard option, there are already two segment termination points (perimeter and core). The advanced option is suitable for companies whose server-to-server traffic exceeds the rest.
The speaker stressed the importance of protecting the core with an NGFW, which addresses a number of tasks. SPI allows you to form stricter access rules while significantly reducing the number of rules, making access control more convenient and secure. Application control is also recommended. Proactive security measures require deep packet inspection (DPI) and intrusion detection and prevention (IDS/IPS).
Nikita Semenov noted that until recently it made no sense to consider using an NGFW-class firewall in the network core because of performance problems, but there are now solutions that can "digest" from 10 Gbps in NGFW mode and from 50 Gbps in simple firewall mode.
"It cannot be guaranteed that one SNI will fully protect; layered protection is necessary," the speaker assures. "At the same time, protection within the network is often forgotten, in particular protection of the core, which today can already be provided, including with NGFW."
Anton Kobyakov, Senior Engineer of the Key Project Development Department, Security Code, shared the results of testing by independent testers of the NGFW Continent 4 product. He stressed that both vendors and customers need independent tests.
"There is a problem of distrust between customers and vendors," the speaker admitted. "And our company wants to solve this problem, including by bringing in independent testers."
He cited separate test results of several NGFW-class solutions (including Continent 4) by three independent testers: Jet Infosystems, BI.ZONE and TS Solution.
As part of BI.ZONE's testing of the NGFW high-performance farm, the highest confirmed throughput on the firewall market was recorded at NGFW Continent 4, DS Integrity and Eltex. And the results of testing the security mechanisms by TS Solution and testing the IPC-R800 by BI.ZONE showed that Continent 4 is the only firewall that provided protection against malicious activity.
Recalling that the firewall is not the vendor's only product, the speaker additionally presented last year's results. The company recorded 2.5-fold business growth, and the installed base amounted to 12.5 thousand devices.
Dmitry Belyaev, Director of the Security Department, VS Robotics, shared his experience in introducing NGFW products from various vendors in companies where the speaker worked earlier. He recalled the difference between corporate segment oriented NGFW class firewalls and UTM firewalls, which are more designed for the SMB segment.
These classes of solutions differ in the way information is processed, the depth of analysis, performance, and integration with SIEM and DLP systems. "The NGFW solution is more multifunctional; it allows you to implement more tasks than UTM," explains Dmitry Belyaev. "But when a large number of functions are turned on, there may be a sharp slowdown in the work of the firewall. The most important thing is to test NGFW on your infrastructure, and you need to test everything. Even what should work by definition."
The speaker named typical errors in the implementation of NGFW:
- selection of devices with low throughput;
- open ports 22/3389 without multi-factor authentication;
- skipping firmware and signature updates;
- flat networks that allow lateral movement of threats;
- skipping the test environment before implementation;
- incorrect SSL/TLS inspection configuration;
- untrained personnel;
- lack of monitoring and logging;
- mismanagement of users and roles.
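Several of the errors in this list can be checked mechanically against a rule export. The following is an added example, not from the talk or any vendor's tooling; the vendor-neutral rule format, its field names (including the `mfa` flag), the zone names and the signature-age limit are all hypothetical, and the configuration is constructed.

```python
from datetime import date

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy value

# Constructed, vendor-neutral export; every field name here is hypothetical.
SAMPLE_CONFIG = {
    "signatures_updated": "2025-03-01",
    "rules": [
        {"id": 1, "action": "allow", "src_zone": "wan", "dst_zone": "dmz",
         "src": "any", "ports": "443", "mfa": False, "log": True},
        {"id": 2, "action": "allow", "src_zone": "wan", "dst_zone": "lan",
         "src": "any", "ports": "3380-3390", "mfa": False, "log": True},
        {"id": 3, "action": "allow", "src_zone": "wan", "dst_zone": "lan",
         "src": "any", "ports": "22", "mfa": True, "log": True},
        {"id": 4, "action": "allow", "src_zone": "lan", "dst_zone": "servers",
         "src": "any", "ports": "any", "mfa": False, "log": False},
        {"id": 5, "action": "deny", "src_zone": "any", "dst_zone": "any",
         "src": "any", "ports": "any", "mfa": False, "log": True},
    ],
}


def port_set_contains(spec, port):
    """True if a spec such as "any", "22", "80,443" or "3380-3390" covers port."""
    if spec == "any":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def audit(config, today_iso):
    """Return (rule id, finding) pairs for errors from the list above."""
    findings = []
    for rule in config["rules"]:
        if rule["action"] != "allow":
            continue
        # Ports 22/3389 reachable from any external source without MFA.
        external = rule["src_zone"] == "wan" and rule["src"] == "any"
        for port, name in ADMIN_PORTS.items():
            if external and not rule["mfa"] and port_set_contains(rule["ports"], port):
                findings.append((rule["id"], f"{name} ({port}) open to any source without MFA"))
        # Flat network: unrestricted allow between two internal zones.
        internal = "wan" not in (rule["src_zone"], rule["dst_zone"])
        if internal and rule["src"] == "any" and rule["ports"] == "any":
            findings.append((rule["id"], "any-to-any rule between internal zones"))
        # Lack of logging on traffic that is let through.
        if not rule["log"]:
            findings.append((rule["id"], "allow rule without logging"))
    # Skipped signature updates.
    updated = date.fromisoformat(config["signatures_updated"])
    age = (date.fromisoformat(today_iso) - updated).days
    if age > MAX_SIGNATURE_AGE_DAYS:
        findings.append((None, f"signatures are {age} days old"))
    return findings


if __name__ == "__main__":
    for rule_id, text in audit(SAMPLE_CONFIG, "2025-04-24"):
        print(rule_id, text)
```

Rule 2 in the sample is reported even though it never names port 3389, because the range 3380-3390 covers it.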
In conclusion, the speaker cited several cases of data leakage due to incorrect NGFW configuration. Thus, the 2024 incident with the theft of data from 165 client companies of the cloud storage provider Snowflake became possible, according to the speaker, due to the lack of multifactor authentication in customers' personal accounts.
During the break and at the end of the conference, the participants talked informally, and also had the opportunity to familiarize themselves with the solutions and services of IT suppliers at the stands deployed in the event hall.
