Next-Generation Firewalls

You’ve probably seen this term being used everywhere lately, but what exactly is a ‘next generation’ firewall?

According to the commonly accepted wisdom, such devices include an IPS and a firewall on the same device, closely integrated and working together.

This is something that products like Network Box have had for a long time, and it is certainly not new.

A traditional IPS would be placed as an isolated device in front of or behind a firewall – or sometimes you would place two, one in front and one behind. In this configuration the IPS must assume that there is no other protection, and try to do it all on its own.

This has a few drawbacks:

1) Since you can’t assume that the firewall is equipped to do certain things, or even that there is a firewall in line, you need to keep all available signatures enabled and block at ‘deep packet inspection’ level traffic that a firewall could have blocked at the SYN packet; for example, blocking traffic coming from known infected networks is very inefficient with an IPS.

2) Since there is no connection to the firewall, once the IPS drops a packet it still needs to scan the next packet of the same connection, because the connection itself cannot be torn down. And what if the next one does not look ‘suspicious’ and the IPS does not drop it?

If the firewall and IPS are closely integrated, things work in a very different way. The first line of defense becomes the firewall. Only traffic on open ports passes through. If a port is closed, traffic is dropped and there is no need to scan it. This alone reduces the amount of traffic the IPS needs to scan by as much as 90% in most cases. If you want to block traffic from specific subnets that are known to be sources of malware, do that in the firewall, at packet filtering level, rather than doing it in the IPS.

Because the two parts are working together, when the IPS drops a packet it can instruct the firewall to tear down that connection, so the next packet does not come through at all: the IPS does not need to scan it, and there’s no chance that something could be missed and your network compromised.
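The two architectures contrasted above, as an added simulation that is not code from the original post or from any Network Box product. The packet stream, the open-port list, the blocked subnet (a documentation range) and the two IPS signatures are all constructed for illustration. `isolated_ips` models an IPS that cannot rely on a firewall, so it scans every packet and has to carry the known-bad-network rule itself; `integrated` runs the packet filter first and, when the IPS drops a packet, records the flow in a teardown table so the firewall discards the rest of that connection unscanned.

```python
"""Isolated IPS versus firewall-integrated IPS (constructed simulation)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes = b""  # empty for a bare SYN / handshake packet

    @property
    def flow(self):
        # A flow is identified by source address and destination port here.
        return (self.src, self.dst_port)


# Firewall policy (constructed): services actually exposed, plus a subnet
# known to be hostile. 203.0.113.0/24 is a documentation range, used as a
# placeholder for a real blocklist entry.
OPEN_PORTS = {80, 443}
BLOCKED_NETS = [ip_network("203.0.113.0/24")]

# IPS signatures (constructed): byte patterns that trigger a drop.
SIGNATURES = [b"../../etc/passwd", b"<script>"]

# Constructed packet stream. Addresses are documentation ranges.
SAMPLE = [
    Packet("198.51.100.7", 80),                          # legitimate client, SYN
    Packet("198.51.100.7", 80, b"GET /index.html"),
    Packet("203.0.113.9", 80),                           # from the blocked subnet
    Packet("203.0.113.9", 80, b"GET /"),
    Packet("192.0.2.5", 23),                             # closed port (telnet)
    Packet("192.0.2.5", 23, b"root\r\n"),
    Packet("192.0.2.44", 80),                            # attacker on an open port
    Packet("192.0.2.44", 80, b"GET /../../etc/passwd"),  # matches a signature
    Packet("192.0.2.44", 80, b"GET /admin"),             # follow-up, looks benign
]


@dataclass
class Stats:
    ips_scanned: int = 0          # packets that went through payload inspection
    fw_dropped: int = 0           # packets discarded by the packet filter
    delivered: list = field(default_factory=list)


def from_blocked_net(pkt):
    return any(ip_address(pkt.src) in net for net in BLOCKED_NETS)


def ips_match(pkt):
    return any(sig in pkt.payload for sig in SIGNATURES)


def isolated_ips(packets):
    """Stand-alone IPS: no port policy, scans everything, cannot tear down a
    flow, so it judges each packet on its own."""
    stats = Stats()
    for pkt in packets:
        stats.ips_scanned += 1
        if from_blocked_net(pkt) or ips_match(pkt):
            continue                      # drops this packet only
        stats.delivered.append(pkt)
    return stats


def integrated(packets):
    """Firewall first, IPS only on open ports; an IPS drop feeds the
    firewall's teardown table so later packets of that flow never reach
    the IPS."""
    stats = Stats()
    torn_down = set()
    for pkt in packets:
        # Packet-filter stage: header-only checks, no payload inspection.
        if pkt.dst_port not in OPEN_PORTS or from_blocked_net(pkt) \
                or pkt.flow in torn_down:
            stats.fw_dropped += 1
            continue
        # IPS stage.
        stats.ips_scanned += 1
        if ips_match(pkt):
            torn_down.add(pkt.flow)       # tell the firewall to kill the flow
            continue
        stats.delivered.append(pkt)
    return stats


if __name__ == "__main__":
    for name, fn in (("isolated", isolated_ips), ("integrated", integrated)):
        s = fn(SAMPLE)
        print(f"{name:10s} scanned={s.ips_scanned} fw_dropped={s.fw_dropped} "
              f"delivered={len(s.delivered)}")
```

On this stream the isolated IPS inspects all nine packets and still delivers the attacker's benign-looking `GET /admin`, because it had no way to close the connection after the signature hit. The integrated pair inspects four packets and delivers three, with the follow-up packet discarded by the firewall's teardown table before any scanning.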

And what about application filtering: is it useful and really necessary? In brief, this feature attempts to recognize a protocol independently of the port it is using. For example, it would recognize HTTP even if it is not using port 80, or Skype no matter what port it is using. To recognize the protocol, and so know that a certain application is using an alternate port to bypass the firewall, it is often necessary to allow a few packets through, back and forth, so that the protocol can be identified without false positives. This alone can be a source of problems.

So in trying to solve one issue, you may be creating another. Too many firewalls are configured treating the LAN as a trusted network, with all outbound traffic allowed. Some old firewalls don’t even have a way to lock down outbound traffic. A well configured firewall will block such traffic simply because the ports are locked down and opened only for specified sources and destinations. Traffic that does not fit the configuration is simply blocked.
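The trade-off described in the last two paragraphs, as an added example that is not from the original post: a port-independent HTTP detector has to forward the handshake packets (which carry no payload) before it can name the protocol, while a strict egress policy decides on the first packet. The rules, the two client-side flows, the addresses and the HTTP heuristic are all constructed; a real detector would also look at server replies, which this toy omits.

```python
"""Port-independent application detection versus a strict egress policy
(constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    payload: bytes = b""  # empty for the TCP handshake packets


# Strict egress policy (constructed): every rule names source, destination
# and port. Anything else leaving the LAN is dropped at its first packet.
EGRESS_RULES = [
    ("10.0.0.0/24", "192.0.2.10", 443),   # whole LAN -> corporate web proxy
    ("10.0.0.5", "198.51.100.25", 25),    # mail server only -> SMTP relay
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def looks_like_http(payload):
    # Toy heuristic: a request line starting with a common method.
    return payload.startswith(HTTP_METHODS)


def app_filter(flow):
    """Port-independent detection. Handshake packets have no payload, so they
    must be forwarded before a verdict is possible.
    Returns (verdict, packets forwarded before the verdict)."""
    forwarded = 0
    for pkt in flow:
        if not pkt.payload:
            forwarded += 1
            continue
        if looks_like_http(pkt.payload) and pkt.dport != 80:
            return ("drop: HTTP on non-standard port", forwarded)
        return ("allow", forwarded)
    return ("undecided", forwarded)


def egress_policy(flow):
    """Stateful packet filter with explicit allow rules. The first packet
    either matches a rule or the whole flow is dropped, nothing forwarded."""
    first = flow[0]
    for src_net, dst, port in EGRESS_RULES:
        if (ip_address(first.src) in ip_network(src_net)
                and first.dst == dst and first.dport == port):
            return ("allow", 0)
    return ("drop: no matching rule", 0)


# Workstation speaking HTTP to an unknown host on port 8080 (constructed).
EVASIVE_FLOW = [
    Pkt("10.0.0.7", "203.0.113.50", 8080),                  # SYN
    Pkt("10.0.0.7", "203.0.113.50", 8080),                  # ACK completing handshake
    Pkt("10.0.0.7", "203.0.113.50", 8080, b"GET /update HTTP/1.1\r\n"),
]

# Same workstation talking to the permitted proxy (constructed).
PERMITTED_FLOW = [
    Pkt("10.0.0.7", "192.0.2.10", 443),
    Pkt("10.0.0.7", "192.0.2.10", 443),
    Pkt("10.0.0.7", "192.0.2.10", 443, b"\x16\x03\x01\x00\xc8"),  # TLS record start
]


if __name__ == "__main__":
    for name, flow in (("evasive", EVASIVE_FLOW), ("permitted", PERMITTED_FLOW)):
        print(name, "app_filter:", app_filter(flow), "egress:", egress_policy(flow))
```

The application filter reaches the right verdict on the evasive flow, but only after two packets have already crossed the firewall; the egress policy never lets the first SYN out because no rule covers a workstation talking to that host on that port. For the permitted flow both allow it, and the egress policy does so without inspecting any payload.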

The devices available on the market today offer nothing more than what has been illustrated thus far. They offer no AV filtering, no anti-spam, no special routing features; nothing but what I have outlined above.

So when you compare these to a UTM device, the UTM offers many more integrated features and solves more problems than a next generation firewall does. As UTM devices evolve to integrate the IPS and the firewall (as Network Box already does), they will certainly become even more competitive against the next generation devices, and these new devices will need to either offer all the features (and become UTMs themselves) or disappear.
