2023/04/20 18:14:01

What next-generation firewalls are capable of and who needs them. An analysis of the NGFW concept

Firewalls are the backbone of corporate network security. The first firewalls made it possible to control network traffic at the port level and to build VPN connections, but in 2023 the need for network protection is much broader. Current firewall technologies are bundled into what is called the Next Generation Firewall (NGFW), which in fact combines many different security mechanisms in one device. According to experts, these devices account for over 60% of the Russian network security market.

Firewall Evolution

Firewalls were originally designed to create an enterprise perimeter, organize demilitarized zones (DMZs), segment internal networks, and connect branches over VPN tunnels. Such firewalls closed all network interaction to outsiders, leaving open only the ports for web (HTTP, port 80) and mail (SMTP, port 25). It was assumed that protection of these protocols would be handled by dedicated proxy applications located in the DMZ. Remote connections over encrypted VPN channels could be terminated on the firewall devices themselves.

Although modern protection works in much the same way, it turned out that the bulk of malware travels over those two protocols: most malware arrives either in email messages or is downloaded from a website. That is why developers of network protection tools focused on thorough analysis of these protocols, examining the links, files, programs and other data fragments carried over them in as much detail as possible to find signs of an attack in them. This includes reputation analysis of files and links, analysis of user actions on the network, of downloaded files, and of many other elements of the network flow.

It should be noted that back in 2004, IDC introduced the concept of the unified threat management (UTM) device, which supplemented firewall functions with detailed analysis of the traffic of specific applications, filtering of malicious links and spam, detection of virus signatures in traffic, and an integrated intrusion prevention system (IPS). However, UTM still had no control over individual user sessions, with the ability to write rules on them and to confirm the most dangerous actions with an additional authentication step (dynamic authorization).

After UTM became widespread, so-called targeted attacks (advanced persistent threats, APT) appeared that could bypass even complex rule sets on the firewalls of the time. The problem was that the antivirus, anti-phishing and IPS components built into UTM relied on signature methods and could not reliably protect against the constantly changing tools that APT groups used to get past the firewalls. The search for countermeasures led to the integration of sandboxes, data leak prevention (DLP), device identification, and control of network protocols at the level of individual user sessions with the ability to spot abnormal behavior. As a result, in 2008 Gartner analysts formulated the concept of a new, third generation of firewalls, which received the name NGFW.

An NGFW should provide multi-layer protection at the network perimeter and between internal segments of the organization's network, combining tools such as traffic filtering, intrusion detection and prevention, anti-malware, application recognition through deep packet inspection, TLS traffic inspection, proxying of user traffic to web resources, and many more.

In general, the NGFW concept has been in use for about 15 years, and its definition is also used by developers of domestic products for protecting corporate networks. This is how Alexey Kudryavtsev, head of network solutions at cybersecurity company BI.ZONE, defined the term at TAdviser's request:

"NGFW is a class of information security tools that provide multi-level protection on the network perimeter and between internal segments of the organization's network. It combines tools such as traffic filtering up to the application layer of the OSI model, intrusion detection and prevention systems and anti-malware, systems that recognize application types through deep packet inspection, TLS traffic inspection, proxying of user traffic to web resources, sandbox integration and many others."

In general, the NGFW concept implies the following set of functions in the gateway device:

  • Traditional firewall. Managing network traffic in accordance with the company's access policy, hiding the internal network infrastructure behind address translation (NAT), and providing secure connection to the corporate network over VPN, for example using TLS.
  • User authentication/SSL inspection. Before granting access to particular infrastructure services, the NGFW authenticates users itself. The more sensitive the protocols and operations employees use, the more carefully the system authenticates them. For example, for access to web applications ordinary SSL/TLS certificates may be enough, but for remote administration or an RDP connection the system may require two-factor authentication or even hardware tokens. SSL/TLS inspection here means that the NGFW terminates the user's encrypted session on itself and re-encrypts it towards the server so that the IPS, antivirus and DLP components can see the payload; for this the device's certificate authority must be trusted by the client endpoints, and connections that use certificate pinning or mutual TLS have to be excluded from inspection.
  • Intrusion detection/prevention systems (IDS/IPS). These systems detect signs of an intruder in the infrastructure and, when they do, allow switching to more conservative traffic filtering rules. The indicators of compromise (IoC) they look for are usually supplied by threat intelligence (TI) feeds.
  • Antivirus/sandbox. The UTM concept used a streaming antivirus that reassembles the stream going to internal users into files and applies malware signatures prepared by antivirus vendors to them. Over time, antivirus vendors developed so-called sandboxes: isolated virtual machines in which elements of the flow are run and observed for suspicious activity. In this form they ended up in NGFW.
  • Data leak prevention (DLP). The data leakage control system is now especially important because of tightening personal data legislation, but it must also work effectively at the network level, preventing the transfer of sensitive data outside the corporate network. For this, however, such a system must be deployed in the enterprise itself; the NGFW acts only as an enforcement point that blocks unauthorized data transfers passing through it.
  • URL filtering/WAF. Identifying and blocking potentially dangerous links covers the functions of antispam, anti-phishing and antivirus; in addition, the incoming stream of web requests to corporate web applications must be filtered for malicious payloads and exploits of known vulnerabilities.
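The list above describes the decision an NGFW makes differently from a classic port-based firewall: the rule matches on the identified application and on the user and the strength of their authentication, not on the destination port. The following is an added example written for this article, not code from the article or from any vendor's product: a toy policy engine in which application identification by payload signature overrides the port, and a rule whose authentication requirement is not met returns "step-up" instead of "allow" (the dynamic authorization mentioned earlier). The zones, rule set, authentication levels and sample payloads are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Assumed authentication strengths, weakest to strongest (not from the article).
AUTH_LEVEL = {"none": 0, "password": 1, "mfa": 2, "hardware_token": 3}


def identify_app(dst_port: int, payload: bytes) -> str:
    """Identify the application from the first bytes of the client payload.
    Simplified signatures; the port is only a fallback when nothing matches."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls"          # TLS record type 0x16 (handshake), legacy version 3.x
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ") or payload.startswith(b"HTTP/"):
        return "http"
    if payload[:2] == b"\x03\x00":
        return "rdp"          # TPKT header that precedes the X.224 connection request
    return {80: "http", 443: "tls", 22: "ssh", 3389: "rdp"}.get(dst_port, "unknown")


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    app: str                  # identified application; "*" matches any
    groups: FrozenSet[str]    # required user groups; empty = any user, even anonymous
    min_auth: str             # weakest acceptable authentication for this rule
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    payload: bytes
    user: Optional[str]
    groups: FrozenSet[str]
    auth: str                 # how the session's user was authenticated


# Constructed policy: public web in the DMZ is open; admin protocols need stronger auth.
POLICY: List[Rule] = [
    Rule("internet", "dmz", "http", frozenset(), "none", "allow"),
    Rule("internet", "dmz", "tls", frozenset(), "none", "allow"),
    Rule("office", "dmz", "rdp", frozenset({"admins"}), "mfa", "allow"),
    Rule("office", "dmz", "ssh", frozenset({"admins"}), "hardware_token", "allow"),
]   # anything not matched is denied


def classic_decision(flow: Flow) -> str:
    """Port-level decision of a first-generation firewall: 80/443 into the DMZ are
    open to the Internet and the office segment is trusted towards the DMZ."""
    if flow.src_zone == "internet" and flow.dst_zone == "dmz" and flow.dst_port in (80, 443):
        return "allow"
    if flow.src_zone == "office" and flow.dst_zone == "dmz":
        return "allow"
    return "deny"


def ngfw_decision(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """First-match evaluation on zones, identified application and user group.
    A matching rule whose authentication requirement is not met yields "step-up"
    rather than "allow": the session must re-authenticate more strongly first."""
    app = identify_app(flow.dst_port, flow.payload)
    for rule in policy:
        if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if rule.app not in ("*", app):
            continue
        if rule.groups and not (rule.groups & flow.groups):
            continue
        if AUTH_LEVEL[flow.auth] < AUTH_LEVEL[rule.min_auth]:
            return "step-up", f"{app}: rule requires {rule.min_auth}, session has {flow.auth}"
        return rule.action, f"{app}: matched rule"
    return "deny", f"{app}: no matching rule, default deny"


# Constructed sample payloads (first bytes of real-looking client messages).
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.2\r\n"
RDP_CONNECT = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"

if __name__ == "__main__":
    anon = dict(user=None, groups=frozenset(), auth="none")
    admin_pw = dict(user="alice", groups=frozenset({"admins"}), auth="password")
    for f in (
        Flow("internet", "dmz", 443, TLS_HELLO, **anon),
        Flow("internet", "dmz", 443, SSH_BANNER, **anon),   # SSH hidden on port 443
        Flow("office", "dmz", 3389, RDP_CONNECT, **admin_pw),
    ):
        print(f.dst_port, "classic:", classic_decision(f), "ngfw:", ngfw_decision(f))
```

The second sample flow is the instructive one: a classic firewall allows it because port 443 is open, while the NGFW identifies the SSH banner and denies it since no rule permits SSH from the Internet. The third flow shows the step-up path: an administrator authenticated with a password only is not refused outright but is told that RDP into the DMZ requires MFA.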

From the definition of NGFW it can be seen that one device of this class can replace a whole set of protections, which can be convenient and economically justified. However, the reverse is also true: if an NGFW is required but not available, for example because only domestic products may be used and there are few domestic NGFWs, you can simply use a set of several devices as needed. A classic firewall can be supplemented with DLP, IDS/IPS and even a sandbox connected to the firewall's SPAN (mirror) port. Note that a sandbox or IDS on a SPAN port sees only a copy of the traffic and can detect and alert, but cannot block; enforcement still has to happen on the inline firewall.

Virtualization technologies, however, make it possible to build a "virtual NGFW": collect virtual images of all the listed protections, place them on one hypervisor and configure traffic flow inside this virtual system. Since certified hypervisors already exist and most security tools are available as virtual machine images, any company can assemble an NGFW from separate components and a virtualization system on its own today. This does, however, require fairly high competence both in virtualization and in the interaction of security tools.

"In a modern layered security system, security operations specialists usually assign NGFW the role of one of the main means of incident response. It is at the firewall level that a specialist can isolate a compromised node or network segment from an external attacker and give the monitoring and investigation teams time to understand the situation inside. The attacker loses the control channel and is forced to use other channels not yet discovered or, in the best case for the security team, to look for new entry points. NGFW functionality also allows detecting malicious activity at the perimeter of the infrastructure using a fairly wide range of technologies, and it is one of the main sources of information for the monitoring service."
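The IDS/IPS item in the function list and the quote above describe the same loop: indicators of compromise from a TI feed are matched against what the NGFW has seen, and a host that has talked to a known-bad destination is cut off from its control channel while the SOC investigates. The following is an added example, not code from the article or from any vendor: it parses constructed NGFW connection-log lines in a simplified key=value format, matches destination IPs and TLS SNI names against a constructed indicator feed, and emits quarantine rules for hosts with a high-confidence hit. The log format, feed, address ranges and the SOC management network are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed threat-intelligence feed (not a real feed): indicator -> confidence 0..100.
# Addresses come from documentation ranges; the domain uses a reserved example name.
IOC_FEED = {
    "ip": {"203.0.113.45": 90, "198.51.100.7": 60},
    "domain": {"update-check.example.net": 85},
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address space
SOC_MGMT = "10.254.0.0/24"                         # assumed SOC/EDR management network

# Constructed NGFW connection log; the format is invented for the example.
SAMPLE_LOG = """\
2023-04-20T18:10:01Z src=10.1.4.23 dst=93.184.216.34 dport=443 sni=www.example.com action=allow
2023-04-20T18:10:07Z src=10.1.4.23 dst=203.0.113.45 dport=443 sni=update-check.example.net action=allow
2023-04-20T18:10:09Z src=10.1.4.23 dst=203.0.113.45 dport=443 sni=update-check.example.net action=allow
2023-04-20T18:11:30Z src=10.1.7.8 dst=198.51.100.7 dport=8080 action=allow
2023-04-20T18:12:00Z src=10.1.9.2 dst=10.1.0.5 dport=445 action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: sni=(?P<sni>\S+))? action=(?P<action>\w+)$"
)

Hit = Tuple[str, int, str]   # (indicator, confidence, timestamp)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_iocs(lines: List[str], feed=IOC_FEED) -> Dict[str, List[Hit]]:
    """Map each internal source host to the indicators its traffic touched."""
    hits: Dict[str, List[Hit]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec["src"]) not in INTERNAL:
            continue
        # Both the raw destination and the TLS SNI are checked; SNI may be absent.
        for indicator, score in (
            (rec["dst"], feed["ip"].get(rec["dst"])),
            (rec["sni"], feed["domain"].get(rec["sni"])),
        ):
            if score is not None:
                hits[rec["src"]].append((indicator, score, rec["ts"]))
    return dict(hits)


def isolation_rules(hits: Dict[str, List[Hit]], threshold: int = 80) -> Tuple[List[str], List[str]]:
    """Hosts with a hit at or above the threshold get a quarantine pair in first-match
    order (allow the SOC management network, then deny everything else) plus a
    perimeter block of the contacted indicator. Lower-confidence hits are only
    flagged for an analyst, so a weak indicator cannot knock a host off the network."""
    rules: List[str] = []
    flagged: List[str] = []
    for host, host_hits in sorted(hits.items()):
        top_indicator, top_score, _ = max(host_hits, key=lambda h: h[1])
        if top_score >= threshold:
            rules.append(f"allow from {host} to {SOC_MGMT}")
            rules.append(f"deny from {host} to any")
            rules.append(f"deny from any to {top_indicator}")
        else:
            flagged.append(host)
    return rules, flagged


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOG.splitlines())
    new_rules, review = isolation_rules(found)
    print("rules to push:", *new_rules, sep="\n  ")
    print("hosts for analyst review:", review)
```

The ordering of the two quarantine rules matters on a first-match firewall: the allow towards the SOC network must precede the deny, otherwise the EDR agent and the investigators lose their own access to the host at the same moment the attacker does. Keeping the threshold above the confidence of the weaker indicator is what prevents a noisy feed entry from isolating production hosts automatically.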

NGFW's Role in a Zero Trust Architecture

The further firewall technologies evolved, the clearer it became that the main problem was not so much protocol control as management of enterprise security policy at the network level. Yes, firewalls offered security teams a wide variety of protection mechanisms: antivirus, antispam, anti-phishing, anti-APT, DLP, intrusion detection and much more. But a concept was needed to manage all this wealth of capabilities, one that would systematize the management of all network defenses and optimize their use by eliminating duplication.

This concept was formulated by Gartner as Zero Trust Network Access (ZTNA). It assumes that no element of network interaction can be trusted by default: every device must prove that it is not compromised. Moreover, the more potentially dangerous the requested operation, the more confirmation it must require from the user.

"ZTNA is a set of practical steps for implementing the zero trust approach while providing users with network access to modern network applications. Implementing a zero trust approach reduces the potential attack surface, reduces the risk of cyber threats, better protects the network infrastructure and increases its availability. ZTNA's practical steps include NGFW. Its use helps cybersecurity systems adapt to the current requirements of the company. However, no matter how rich the functionality of an NGFW is, if it is not easy to manage and automate, it will not be able to work smoothly with other parts of the network perimeter."

The need for NGFW in implementing ZTNA principles becomes obvious if we consider the three main tasks this concept must solve:

  • Device control. All devices inside the corporate system must be checked continuously to prevent their substitution or simple interception of traffic. The verification must cover not only the network devices currently in operation but also temporary connections, mobile devices and even IoT equipment, since they can be used to attack other elements of the information system. Mutual authentication of devices is typically provided by mechanisms such as mutual TLS; routing and segmentation then confine what an authenticated device can reach. All of this needs to be configured and tuned properly.
  • User control. All users within the corporate network must be identified in one way or another; this is done through dynamic authentication when entering the corporate network. This requirement is meant to simplify incident investigation: log records must contain enough information about users so that the archive can later be pulled and it can be seen who performed which operation, how and from where.
  • Control of clouds and shadow IT services. A fairly large part of the enterprise's digital assets is now located outside the corporate infrastructure, but interaction with them from inside the infrastructure still needs to be strictly controlled and their unauthorized use prevented in every possible way. The same applies to control of unauthorized applications installed inside the infrastructure, such as games, VPN services, miners and many other programs. An infrastructure built on ZTNA should identify such installations and block their use.

It is clearly important that these mechanisms fully cover the entire enterprise infrastructure, and it is the NGFW, as the lowest-level element of network protection, that should be charged with full control of devices, users and shadow IT resources. Such control is achieved through traffic marking mechanisms using special tags, very similar to the technology of software-defined networks (SD-WAN). Managing these labels allows security tools to bind each individual packet to a specific application, user or service; this is used both to optimize network switching and to speed up security mechanisms. Thus, understanding traffic tags at the NGFW level within a comprehensive enterprise ZTNA infrastructure allows processing to be concentrated at zone boundaries, which is how foreign next-generation firewalls achieve their performance.

"You can understand the place of NGFW in the ZTNA architecture by looking at the SASE (Secure Access Service Edge) framework proposed by Gartner. Along with other network management tools such as SD-WAN, NGFW is used within this framework as a means of monitoring and restricting access to segments, nodes and applications, including carrier-grade NGFW consumed under a service model."

Which categories of users need a next-generation firewall?

Firewalls are the backbone of corporate network security. They are placed both on the links connecting the company and all its branches to the Internet and between different internal segments. They provide connections for remote users and secure channels between remote segments of the corporate network using Virtual Private Network (VPN) technology. Firewalls are also used to create demilitarized zones (DMZs), which host corporate web applications that must exchange data with external networks. Let's analyze which categories of users need next-generation firewalls.

  • Personal data operators. As of 2023, almost all companies must comply with Law No. 152-FZ "On Personal Data", at least to protect the personal data of their customers and employees. A classic firewall is therefore no longer enough for them; at a minimum they need DLP and intrusion detection functionality, which will be required to investigate incidents if they occur. The law requires that, when a personal data leak is detected, the results of an internal investigation be reported within 72 hours.
  • Owners of critical information infrastructure (CII). For CII owners a classic firewall is in principle sufficient, since what matters for them is that the device is domestically produced. However, the requirements of Law No. 187-FZ "On the Security of CII" are extensive enough to make use of all NGFW components. CII owners therefore have a huge need for NGFW, but only domestically produced ones. Such a device spares them assembling a set of several network protection tools that together provide NGFW functionality. Of course, they could already use virtual NGFWs, but that requires competence in building solutions of this type, and it is more convenient to have a holistic, tested and certified product on a domestic platform.
  • Industrial enterprises. For most industrial enterprises that own CII facilities the reasoning above also applies, but they have an additional need: segmentation of the internal network into an industrial zone and an office zone. Usually a firewall is used for this, but given the increased danger of attacks aimed at disabling industrial segments, it is better to use an NGFW for segmentation to complicate the work of attackers who intend to encrypt the industrial segment.
  • Small companies. For small businesses a comprehensive product is naturally preferable, so NGFW will be useful for them too, since it lets them make the protection of the company, and especially of its branches, reasonably reliable with a single device. Moreover, in this case it will most likely be possible to outsource corporate security to commercial SOCs that monitor the customer's security around the clock; for them, interacting with an NGFW is more convenient.
  • Users of multi-cloud services. When using cloud services, it is important to control the use of third-party cloud applications within the corporate network and the transfer of data valuable to the company to the clouds. It is NGFW that can solve both problems, through centralized control of the traffic of applications installed in the company and a DLP module that controls the transfer of valuable data to external services. Now that companies are somewhat limited in developing their own information infrastructure, many are considering more active use of cloud services and applications whose maintenance is shifted to the providers. A multi-cloud configuration, however, requires companies to use more intelligent means of monitoring network interaction, and this is a good niche for NGFW.

It is sometimes said that NGFW is also needed for remote users, but at the current level of technology a classic firewall with a VPN client connection is quite enough for this. For remote users, NGFW functionality can be useful when clouds and internal corporate applications are used in parallel.

Domestic NGFW

It should be noted that there are quite a few developers of classic firewalls on the Russian market. There are fewer UTM products, the second generation of network protection, but they did appear; the difficulty was assembling sufficiently broad functionality in a single device and making it work together. Third-generation firewalls, NGFW, however, have been implemented by only a few vendors. They turned out to be quite complex and could not really compete with comparable solutions from foreign manufacturers.

"Last year, after the well-known events, it became obvious that the NGFW segment of the cybersecurity market had historically been poorly developed by domestic manufacturers," Pavel Kuznetsov explained to TAdviser. "For various reasons, including because many customers preferred network security solutions from world-renowned companies, and in particular ones with serious expertise in deep analysis of network traffic and in analyzing large volumes of it on the fly. Therefore the number of such solutions is small. However, the relevant expertise in developing solutions, including carrier-grade ones, does exist for other tasks, for example in the production of Network Traffic Analysis and Anti-DDoS products."

It should be noted that the departure from the Russian market of the foreign vendors who had been the ones promoting NGFW forced Russian developers to start creating their own solutions of this class. In particular, Positive Technologies and Garda Technologies announced plans to develop NGFW. For now their development is hard to assess: the products are being created and tested, that is, worked out together with customers to meet their needs as fully as possible. At the same time, there are many solutions on the market that manufacturers declare to be NGFW but which are not.

One can argue at length about what functionality an NGFW needs, but from a practical point of view it is important that the product contains not only sets of different functions but also a methodology for using them correctly to ensure corporate security. In this respect it is not individual functions that matter but support for modern concepts of network protection, and ZTNA can serve as a kind of litmus test for comparing products. The firewalls that support ZTNA at least to some extent are UserGate, BI.ZONE Secure SD-WAN and the recently released Solar NGFW. We will analyze these companies' approaches in more detail.

UserGate

UserGate has specialized in developing intelligent firewalls and was one of the first to announce the implementation of NGFW functions. The company even offers the market the high-performance UserGate NGFW F8000 devices, designed to protect large-scale and geographically distributed networks and to solve complex information infrastructure protection tasks. UserGate solutions implement support for the ZTNA concept in the form of an additional module, which allows these products to be spoken of as a third-generation firewall.

Security Code

Another company that produces domestic UTM devices, Security Code, has also started developing new-generation firewalls. The products Continent 4 and Continent TLS are positioned by the company as NGFW, but a search of the company's website for the keyword ZTNA returned no results. Perhaps the concept is supported by the company's developers, but we could not find out exactly how.

BI.ZONE

BI.ZONE approached the problem from the other side: it implemented a software-defined enterprise environment at the network level on protocols of the SD-WAN family, which traditionally forms the basis for ZTNA. The company then supplemented its devices for this technology with third-generation firewall capabilities. Knowledge of attack methods is prepared by the company's commercial SOC, which makes it possible to consider the BI.ZONE solution a new-generation firewall.

Rostelecom-Solar

Interestingly, Rostelecom-Solar approached the NGFW problem from the DLP side. Solutions of this class are well versed in users and applications, since they are built to control them. For a DLP product it is enough to add network traffic control and attack detection. As in the previous case, knowledge of attacks comes from the commercial Solar JSOC, whose specialists prepare the necessary indicators of compromise and malicious activity in the client's infrastructure for Solar NGFW. Moreover, Solar NGFW can work with traffic marked by DLP agents on endpoints, which know a lot about users and applications; the two solutions are integrated through a single dossier. This allows the processing of network flows on the next-generation firewall to be optimized.

Prospects

In general, the NGFW market in Russia is developing very actively. The first players have already appeared on it, but they do not yet reach the functionality and convenience of foreign products; they only meet the formal requirements of analysts. When there are more products and customers can choose one that suits them, market competition will select the truly necessary and optimally implemented products. One thing is certain: by 2025 this process should produce results, since that is the deadline set for CII subjects to abandon foreign products for protecting CII facilities. To stimulate this process, FSTEC is even developing a guidance document listing requirements for new-generation firewalls; it may be adopted and published in 2023. When the first FSTEC certificates for new-generation firewalls appear, it will finally be possible to answer which of the domestic manufacturers really offer NGFW, now by domestic standards.

Read also

"Weak link" of the information security market: FSTEC and the Ministry of Digital Development push the development of the segment of Russian new-generation firewalls

FSTEC, together with the expert community, has developed requirements for new-generation firewalls. They are now going through the legal procedures; comments have already been received from the lawyers of the Ministry of Justice, Vitaly Lyutikov, deputy director of FSTEC, said at PHDays on May 19, 2023. When this process is completed, the requirements will take effect. The Ministry of Digital Development is actively working with developers to synchronize them with customers, so that several products appear in the Russian NGFW segment that satisfy a larger number of customers. Read more here.

NGFW Guide. The 10 most notable products available on the Russian market

TAdviser has collected an NGFW guide from the most notable domestic developers of this class of protection. Read more here.