In an industry hurtling towards centralized access to data, the debate over security is a protracted one. According to the Indian government, cyber-attacks surged 136% in the past year. Vulnerabilities such as Heartbleed have been discovered in SSL/TLS (Transport Layer Security) implementations. Furthermore, threats have moved from the network layer to the data layer, and from denial-of-service attacks to information theft. Surprisingly though, corporate espionage and overpaid hackers are not the only factors that have led to a renewed interest in advanced security applications.
The nature of our networks is changing. As recently as 2008-2010, the stage seemed set for a mass migration from IPv4 to IPv6. Since then, the hype and dialogue around IPv6, and around network protocols in general, has slowly fizzled out. The reason is a network paradigm shift towards an approach known as software-defined networking. Software-defined networks allow administrators to manage network services by abstracting away lower-level functionality. What that means is that the lower levels of the protocol stack, such as the network and transport layers, no longer influence and constrain application functionality. Bottom-up application design strategies have been inverted and are now top-down, allowing applications to dictate how networks are laid out.
Alongside this change, application complexity has gone up. Modern-day applications perform complex operations such as dynamic IP shifts and port swaps. In addition, a recent Gartner report stated that 30-35% of all internet traffic has moved from HTTP to secure protocols such as HTTPS.
Traditional firewalls were never designed to handle this level of complexity. Legacy firewall technology works on stateful examination of the source and destination IPs of packets hitting the firewall. Packets coming in from trusted IPs to the relevant ports were allowed to pass through, while traffic not matching the criteria was discarded. This methodology is now blatantly obsolete. Not only can hackers identify and alter packet signatures, but this technique also cannot accommodate the increased complexity of applications described above. Furthermore, stateful firewalls are blind to the contents of SSL-encrypted traffic altogether. Therefore, when it comes to HTTPS channels, the admittance of packets becomes an all-or-nothing equation.
Another major blow to traditional firewalls is the business model surrounding them. A legacy firewall traditionally has multiple other separately purchasable components. Content filtering software allows websites to be categorized as accessible or otherwise; for example, e-commerce sites might be allowed while social networking sites are barred. An IDPS (intrusion detection and prevention system) is another example of software that must be purchased separately. In this manner, separate solutions for each requirement result in a rack being built up over time. Each component requires dedicated logistics, maintenance and human resources. Crucially, the entire rack becomes dispensable in case of a change in business requirements, necessitating a revisit of the whole process. IT consumerization, and the blending of personal and business use of devices and applications through BYOD (Bring Your Own Device), further increase the plethora of standalone components needed for security. The take-home here is that a one-box solution for all services was never a business reality. Next generation firewalls were introduced against this backdrop.
Next-gen firewalls (NGFWs) bundle all of these components into a single-stop solution powered by deep packet inspection. SSL traffic is no longer an entity in the dark, which allows the enforcement of broader access policies. For example, an enterprise-critical business application such as Microsoft Lync might be allowed with a truncated feature set: voice calls might be enabled while file attachments in chat are turned off. All of this is facilitated through deep packet inspection.
Next-gen firewalls do not restrict identification to IP addresses. For internal sources, the MAC addresses of network interface cards can be used. A better alternative is integration with internal user databases and LDAP (Lightweight Directory Access Protocol). The advantage of this method is that the Principle of Least Privilege can be implemented in full effect through granular access policies based on department and designation. Furthermore, this also solves IT consumerization and BYOD-related problems, as identification is at the user level rendered over an environment (network), rather than at the device level.
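To make the contrast between the legacy filter, the DPI-driven feature policy and the identity-based policy concrete, the following Python script (an added illustration, not code from the article or from any firewall vendor) models the two decision styles side by side: a legacy rule base that sees only source/destination address and port, and an NGFW-style policy keyed on directory group, DPI-identified application and application feature. The users, groups, networks, application names and the in-memory stand-in for an LDAP lookup are all constructed sample data.

```python
"""Legacy 5-tuple filtering vs. NGFW-style identity/application policy.

Added illustration, not the article's own code. All users, groups,
networks and application names are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# --- Legacy stateful filter: decides on source/destination IP and port only ---

@dataclass(frozen=True)
class LegacyRule:
    src: str      # CIDR of trusted source
    dst: str      # CIDR of destination
    dport: int    # destination port
    action: str   # "allow" or "deny"

# Constructed rule base: the LAN may reach any HTTPS or HTTP service.
LEGACY_RULES: List[LegacyRule] = [
    LegacyRule("10.0.0.0/8", "0.0.0.0/0", 443, "allow"),
    LegacyRule("10.0.0.0/8", "0.0.0.0/0", 80, "allow"),
]

def legacy_decide(src_ip: str, dst_ip: str, dport: int) -> str:
    """First match wins, default deny. Because the filter cannot look inside
    an encrypted session, every application on port 443 gets the same answer."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in LEGACY_RULES:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and dport == r.dport):
            return r.action
    return "deny"

# --- NGFW-style policy: identity (directory group) + application + feature ---

# Constructed stand-in for an LDAP group lookup: user -> groups.
DIRECTORY: Dict[str, Set[str]] = {
    "asha": {"sales", "all-staff"},
    "ravi": {"engineering", "all-staff"},
    "guest-laptop-7": set(),   # unmanaged BYOD device with no directory identity
}

@dataclass(frozen=True)
class AppRule:
    group: str     # directory group, or "*" for any user
    app: str       # application as identified by deep packet inspection
    feature: str   # application feature, or "*" for any feature
    action: str    # "allow" or "deny"

# Constructed policy, evaluated top to bottom; more specific rules come first.
APP_RULES: List[AppRule] = [
    AppRule("all-staff", "ms-lync", "voice", "allow"),
    AppRule("all-staff", "ms-lync", "file-transfer", "deny"),   # truncated feature set
    AppRule("all-staff", "ms-lync", "*", "allow"),
    AppRule("sales", "ecommerce", "*", "allow"),                # department-scoped access
    AppRule("*", "social-networking", "*", "deny"),
]

def lookup_groups(user: str) -> Set[str]:
    """Stand-in for the directory query an NGFW would make over LDAP."""
    return DIRECTORY.get(user, set())

def ngfw_decide(user: str, app: str, feature: str) -> Tuple[str, str]:
    """Return (action, reason). First match wins; an unmatched request is
    denied, which is what keeps the policy at least privilege."""
    groups = lookup_groups(user)
    for r in APP_RULES:
        if r.group != "*" and r.group not in groups:
            continue
        if r.app != app:
            continue
        if r.feature != "*" and r.feature != feature:
            continue
        return r.action, f"matched {r}"
    return "deny", "no matching rule (default deny)"

if __name__ == "__main__":
    # Same TLS flow, two Lync features: the legacy filter cannot tell them apart.
    for feature in ("voice", "file-transfer"):
        legacy = legacy_decide("10.1.2.3", "203.0.113.5", 443)
        ngfw, why = ngfw_decide("asha", "ms-lync", feature)
        print(f"lync/{feature:14s} legacy={legacy:5s} ngfw={ngfw:5s} ({why})")
```

Two things are worth noticing when running it. The legacy filter returns the same verdict for Lync voice and Lync file transfer because both ride the same port-443 session, which is the all-or-nothing problem described above. The NGFW policy, by contrast, answers per user, per application and per feature, and a device with no directory identity falls through to the default deny rather than inheriting whatever its IP address happens to be trusted for.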
The consolidated nature of the next generation firewall also allows the solution to be extended. This enables staggered investment: incremental purchases and plugins in accordance with business requirements. If business requirements change, only the relevant plugin need be discarded while the overall framework remains intact.
Written with input from Industry Network Expert, Vinay Kumble