CISCO NEXT-GENERATION FIREWALLS
The CCNA 200-301 exam topics mention the terms firewall and IPS, but prefaced with the term next-generation. Around mid 2010, Cisco and some of their competitors started using the term next-generation when discussing their security products to emphasize some of the newer features. In short, a next-generation firewall (NGFW) and a next-generation IPS (NGIPS) are the current firewall and IPS products from Cisco.
However, the use of the term next-generation goes far beyond a marketing label: the term emphasizes some major shifts and improvements over the years. The security industry sees endless cycles of new attacks followed by new solutions, with some solutions requiring new product features or even new products. Some of the changes that have required new security features include the proliferation of mobile devices (devices that leave the enterprise, connect to the Internet, and return to the enterprise), creating a whole new level of risk. Also, no single security function or appliance (firewall, IPS, anti-malware) can hope to stop some threats, so the next-generation tools must be able to work better together to provide solutions.
An NGFW still performs the traditional functions of a firewall, of course, like stateful filtering by comparing fields in the IP, TCP, and UDP headers, and using security zones when defining firewall rules. To provide some insight into some of the newer next-generation features, consider the challenge of matching packets by port:
- Each IP-based application should use a well-known port.
- Attackers know that firewalls will filter most well-known ports for sessions initiated from the outside zone to the inside zone.
- Attackers use port scanning to find any port that a company's firewall will allow through right now.
- Attackers then attempt to use a protocol of their choosing (for example, HTTP) on a non-standard port found through port scanning, as a way to connect to hosts inside the enterprise.
The sequence lists a summary of some of the steps attackers need to take, but it does not list every single task. However, even at this depth, you can see how attackers can find a way to send packets past the corporate firewall.
The solution is a next-generation firewall that looks at the application layer data to identify the application, instead of relying on the TCP and UDP port numbers used. Cisco performs this deep packet inspection using a feature called Application Visibility and Control (AVC). Cisco AVC can identify many applications based on the data sent (application layer headers plus application data structures, well past the TCP and UDP headers). When AVC is used with a Cisco NGFW, the firewall matches the application rather than the port number, defeating attacks like the one just described.
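To make the port-versus-application distinction concrete, here is an added example (not Cisco AVC code, and not from the original notes) that classifies a packet by its application-layer bytes and compares a port-based rule with an application-based rule. The zones, rule sets, and the sample packet are constructed for the illustration.

```python
# Toy illustration of application-aware filtering. The classifier looks only at
# the payload, so an HTTP request on a non-standard port is still seen as HTTP.
from dataclasses import dataclass

OUTSIDE, INSIDE = "outside", "inside"  # assumed zone names


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    dst_port: int
    payload: bytes  # application-layer bytes that follow the TCP header


def identify_app(payload: bytes) -> str:
    """Classify the application from its data, ignoring the destination port."""
    head = payload[:16]
    if head.startswith(b"SSH-"):          # SSH identification string
        return "ssh"
    if len(head) >= 2 and head[0] == 0x16 and head[1] == 0x03:
        return "tls"                      # TLS handshake record, version 3.x
    # HTTP request line: METHOD SP request-target SP HTTP/x.y
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"


def port_based_verdict(pkt: Packet) -> str:
    """Traditional rule: deny well-known ports for outside-to-inside sessions."""
    blocked_ports = {22, 80, 443}  # constructed rule set
    if pkt.src_zone == OUTSIDE and pkt.dst_zone == INSIDE and pkt.dst_port in blocked_ports:
        return "deny"
    return "allow"


def app_based_verdict(pkt: Packet) -> str:
    """NGFW-style rule: deny the application itself, whatever port it rides on."""
    blocked_apps = {"ssh", "http"}  # constructed rule set
    if pkt.src_zone == OUTSIDE and pkt.dst_zone == INSIDE and identify_app(pkt.payload) in blocked_apps:
        return "deny"
    return "allow"


# Constructed sample: an HTTP request from the outside zone to port 8081 inside.
SAMPLE = Packet(OUTSIDE, INSIDE, 8081, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n")

if __name__ == "__main__":
    print(identify_app(SAMPLE.payload), port_based_verdict(SAMPLE), app_based_verdict(SAMPLE))
```

Run stand-alone it prints `http allow deny`: the port-only rule lets the request through because 8081 is not on its list, while the application-aware rule recognizes HTTP from the payload and denies it.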
The following list mentions a few of the features of an NGFW:
- Traditional firewall :: An NGFW performs traditional firewall features, like stateful filtering, NAT or PAT, and VPN termination.
- Application Visibility and Control (AVC) :: This feature looks deep into the application layer data to identify the application. For instance, it can identify the application based on the data rather than the port number, to defend against attacks that use random port numbers.
- Advanced Malware Protection :: NGFW platforms run multiple security services, not just as a platform to run a separate service, but for better integration of functions. A network-based anti-malware function can run on the firewall itself, blocking file transfers that would install malware and saving copies of files for later analysis.
- URL filtering :: This feature examines the URL in each web request, categorizes the URL, and either filters or rate-limits the traffic based on rules.
- NGIPS :: The Cisco NGFW products can also run their NGIPS feature along with the firewall.