The rapid evolution of IT has changed the face of the network perimeter. Data and users are everywhere. Devices are proliferating more quickly than most can keep up. At the same time, IT teams are adopting cloud, big data analytics and automation to accelerate delivery of new applications to drive business growth. Meanwhile, applications are increasingly accessible. The result is an incredibly complex network that introduces significant business risk. Organizations must minimize this risk without slowing down the business.
Cybersecurity is not keeping up as attacks continue to disrupt business. Spending on security feels endless, without clear risk reduction. Deploying disparate tools and technologies that are not natively integrated leaves your business exposed to threats. Security tools that weren't designed for automation require analysts to manually stitch together insights from many disconnected sources before acting. We need a different approach.
It starts with a next-generation firewall as the cornerstone of an integrated security platform. This foundation offers a prevention-focused architecture that is easy to deploy and operate; uses automation to reduce manual effort so security teams can focus on high-value activities; and delivers new innovations that are natively integrated and easy to adopt.
This paper describes the evolution of the firewall to "next-generation" and highlights the 10 key things an NGFW must do to secure your network and your business.
Early on, stateful inspection firewalls classified traffic by looking only at the destination port, such as TCP port 80 for HTTP. As the need for application awareness arose, many vendors added application visibility and other software or hardware "blades" into their stateful inspection firewall, which they then sold as a unified threat management offering. UTMs did not improve security, however, since the functions were retrofitted into the firewall and not natively integrated.
Unlike UTM, a next-generation firewall is application-aware and makes decisions based on application, user and content. Its natively integrated design improves security and simplifies operations. Given its success, the term "NGFW" has become synonymous with "firewall."
NGFW selection criteria typically fall into three areas: security functions, operations and performance. The security functions correspond to the efficacy of the security controls and your team's ability to manage the risk associated with the applications traversing your network, without slowing down the business. From an operations perspective, application policy should be accessible and simple to manage, applying automation to reduce manual effort so security teams can focus on high-value activities. The performance criteria are simple: the firewall must do what it's supposed to do at the required throughput for your business needs. As part of this, new innovations should be natively integrated and easy to adopt. Although requirements and priorities will vary within these criteria, there are 10 things your next firewall must do.
Next-Generation Firewall Requirements
Employees, customers and partners connect to different repositories of information within your network, as well as to the internet. These people and their many devices represent your network's users. It's important to your organization's risk posture that you're able to identify who they are beyond IP address, as well as grasp the inherent risks they bring with them based on the devices they're using, especially when security policies have been circumvented or new threats have been introduced to your network. In addition, users are constantly moving to different physical locations as well as using multiple devices, operating systems and application versions to access the data they need. IP address subnets are mapped only to physical locations, not to individual users, meaning that if users move around – as they tend to do, even within the office – policy doesn't follow them.
Figure 1: Users access data from different devices and locations
User and group information must be directly integrated into the technology platforms that secure modern organizations. Your next firewall must be able to pull user identity from multiple sources, including VPN, WLAN access controllers, directory servers, email servers and captive portals. Knowing who is using the applications on your network, and who may be transmitting a threat or transferring files, strengthens security policies and improves incident response times. The firewall must allow policies to safely enable applications based on users or groups of users, outbound or inbound – for example, by allowing only your IT department to use tools such as SSH, telnet and FTP. User-based policies follow users no matter where they go – at headquarters, branch offices or home – and on whatever devices they may use. However, the issue of user identity goes beyond classifying users for policy reporting.
Users and their credentials are among the weakest links in an organization's security infrastructure. According to the 2017 Data Breach Investigations Report by Verizon®, in the 12-month period covered in the report, 81 percent of hacking-related breaches took advantage of stolen and/or weak passwords.2 With stolen credentials as part of their toolset, attackers' chances of successfully breaching go up, and their risk of getting caught goes down. To prevent credential theft, most organizations rely on employee education, which is prone to human error by nature. Technology products commonly rely on identifying known phishing sites and filtering email. However, these methods can sometimes be bypassed: checking for known bad sites misses newly created ones, and attackers can evade mail filtering technology by sending links through social media. Attackers can easily steal credentials through phishing, malware, social engineering or brute force, and can even buy them on the black market. Once obtained, attackers use these credentials to gain access to a network, move laterally and escalate privileges for unauthorized applications and data.
Organizations should look for a firewall with machine learning-based analysis to identify websites that steal credentials. If the analysis identifies a site as malicious, the firewall should be updated and block it. Still, there will always be new, never-before-seen phishing sites that are treated as "unknown." Your next firewall must allow you to block submission of corporate credentials to unknown sites. The firewall must also allow you to protect sensitive data and applications by enforcing multi-factor authentication, or MFA, to prevent attackers from abusing stolen credentials. By integrating with common MFA vendors, your firewall can protect your applications containing sensitive data, including legacy applications.
More and more applications, such as instant messaging applications, peer-to-peer file sharing or VoIP, are capable of operating on nonstandard ports or hopping ports. Additionally, users are accessing diverse types of apps, including software-as-a-service apps, from varying devices and locations. Some of these apps are sanctioned, some tolerated and others unsanctioned, and users are increasingly savvy enough to force applications to run over nonstandard ports through protocols such as RDP and SSH. Further, new applications provide users with a rich set of functions that help ensure user loyalty, but may represent different risk profiles. For example, WebEx® is a valuable business tool, but using WebEx desktop sharing to take over an employee's desktop from an external source may be an internal or regulatory compliance violation. Google® Gmail® and Hangouts™ are another example. Once users sign in to Gmail, which may be allowed by policy, they can easily switch to Hangouts audio and video, which may not be allowed. Security administrators want complete control over usage of these apps and the ability to set policy that allows or controls certain types of applications and application functions while denying others.
Your next firewall must classify traffic by application on all ports, all the time, by default, and it should not burden you with researching common ports used by each application. The firewall must provide complete visibility into application usage along with capabilities to understand and control their use (see Figure 2). For example, it should understand usage of application functions, such as audio streaming, remote access and posting documents, and be able to enforce granular controls over that usage, such as upload versus download permissions, chat versus file transfer and so on. This must be done continuously. The concept of "one-and-done" traffic classification is not an option as it ignores the fact that these commonly used applications share sessions and support multiple functions. If a different function or feature is introduced in the session, the firewall must perform a policy check again. Continuous state tracking to understand the functions each application may support – and the different associated risks – is a must for your next firewall.
Figure 2: Control application usage in policy
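To make the distinction concrete, here is an added example in Python (not from this paper or any vendor product): a toy session tracker that compares one-and-done classification with continuous re-checking on the paper's Gmail-to-Hangouts scenario, plus the IT-only SSH rule mentioned earlier. The application names, function labels, user groups and policy table are all constructed.

```python
"""Continuous, session-aware application policy check (added example).

Models the argument that "one-and-done" classification is not enough: a
session that starts as Gmail (allowed) can switch to Hangouts audio/video
(denied). The continuous engine re-runs the policy lookup whenever the
classified application or function within an existing session changes.
All labels and the policy table are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed policy: (application, function) -> verdict. "*" matches any function.
POLICY = {
    ("gmail", "*"): "allow",
    ("hangouts", "chat"): "allow",
    ("hangouts", "audio-video"): "deny",
    ("webex", "meeting"): "allow",
    ("webex", "desktop-sharing"): "deny",
    ("ssh", "*"): "deny",  # generic deny; group exception handled in lookup()
}
# Constructed group exception: only the IT group may use SSH.
GROUP_ALLOWED = {"ssh": {"it-admins"}}


def lookup(app, func, user_groups):
    """Return 'allow' or 'deny' for an (app, function) pair and the user's groups."""
    if app in GROUP_ALLOWED and GROUP_ALLOWED[app] & set(user_groups):
        return "allow"
    verdict = POLICY.get((app, func)) or POLICY.get((app, "*"))
    return verdict or "deny"  # default-deny for unknown application/function


@dataclass
class Session:
    user: str
    groups: set
    app: str = "unknown"
    func: str = "unknown"
    verdict: str = "deny"
    checks: int = 0  # number of times policy was evaluated for this session


class OneAndDoneFirewall:
    """Classifies once at session start and never looks again."""
    def process(self, s, app, func):
        if s.checks == 0:
            s.app, s.func = app, func
            s.verdict = lookup(app, func, s.groups)
            s.checks += 1
        return s.verdict


class ContinuousFirewall:
    """Re-evaluates policy whenever the app or function changes mid-session."""
    def process(self, s, app, func):
        if s.checks == 0 or (app, func) != (s.app, s.func):
            s.app, s.func = app, func
            s.verdict = lookup(app, func, s.groups)
            s.checks += 1
        return s.verdict


# Constructed packet stream for one session: Gmail login, then a switch to
# Hangouts chat, then Hangouts audio/video (which policy forbids).
STREAM = [("gmail", "webmail"), ("gmail", "webmail"),
          ("hangouts", "chat"), ("hangouts", "audio-video")]


def run(fw_cls, stream=STREAM, user="alice", groups=frozenset({"sales"})):
    """Feed the stream through one firewall model; return the per-packet verdicts."""
    fw, s = fw_cls(), Session(user, set(groups))
    return [fw.process(s, app, func) for app, func in stream]


if __name__ == "__main__":
    print("one-and-done:", run(OneAndDoneFirewall))   # allows the video switch
    print("continuous:  ", run(ContinuousFirewall))   # denies it
```

The one-and-done model never notices the switch to audio/video, while the continuous model denies it at the packet where the function changes.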
Most enterprise web traffic is now encrypted, and attackers exploit encryption to hide threats from security devices. This means even businesses with mature and comprehensive security measures in place can be breached if they are not monitoring encrypted traffic. Plus, SSH is used nearly universally and can be configured easily by end users to hide non-work-related activity.
The ability to decrypt SSL and SSH is a foundational security function. Key elements to look for include recognition and decryption on any port, inbound or outbound; policy control over decryption; and the necessary hardware and software elements to perform decryption across tens of thousands of simultaneous SSL connections with predictable performance. However, your next firewall must be flexible enough to easily decrypt certain types of encrypted traffic, such as HTTPS from unclassified websites, via policy, while other types, such as web traffic from known financial services organizations, are left alone in compliance with privacy standards. A next-generation firewall should apply security and load balance decrypted flows across multiple stacks of security devices for additional enforcement. This eliminates dedicated SSL off-loaders, reducing network complexity and making decryption simpler to operate. Read the white paper "Decryption: Why, Where and How" for a detailed overview of this important capability.
Most modern malware – including ransomware variants – uses advanced techniques, such as wrapping malicious payloads in legitimate files or packing files to avoid detection, to transport attacks or exploits through network security devices and tools. As organizations have increasingly deployed virtual sandboxes for dynamic analysis, attackers have evolved to focus on ways to evade them. They employ techniques that scan for valid user activity, system configurations or indicators of specific virtualization technologies. With the growth of the cybercrime underground, any attacker, novice or advanced, can purchase plug-and-play threats designed to identify and avoid malware analysis environments.
Your firewall, using integrated security services, should automatically prevent known threats. Unknown threats, too, need to be automatically analyzed and countered. Your organization needs a service that looks for threats at all points within the cyberattack lifecycle, not just when a threat first enters your network. Blocking known risky file types or access to malicious URLs before they compromise your network reduces your threat exposure. Your firewall should protect you from known vulnerability exploits, malware and command-and-control activity without requiring you to manage and maintain multiple single-function appliances. Signatures should be updated automatically as soon as new malware is encountered, keeping you protected and allowing your security and incident response teams to focus on the things that matter.
Figure 3: Disruption at every step to prevent successful attacks
A next-generation firewall that utilizes multiple methods of analysis to detect unknown threats, including static analysis with machine learning, dynamic analysis and bare metal analysis, results in high-fidelity and evasion-resistant discovery. Rather than use signatures based on specific attributes, firewalls should use content-based signatures to detect variants, polymorphic malware, or command-and-control activity. In addition, command-and-control signatures based on analysis of outbound communication patterns are much more effective protective measures that can scale at machine speed when created automatically. Finally, cloud-delivered security infrastructure is critical for security enforcement. It supports threat detection and prevention at massive scale across your network, endpoints and clouds in addition to allowing you to tap into an open ecosystem of trusted innovators.
The mobile workforce continues to increase, and they use mobile devices to connect to business applications, often using public networks and devices that are open to advanced threats. This increases risk when users are off-premises because there is no network firewall to stop attacks, and the issue becomes even more complex when considering the effects of cloud and BYOD. In addition, remote locations and small branch offices often lack consistent security because it is operationally inefficient and costly to ship firewalls to them or backhaul traffic to headquarters.
The mobile workforce and remote locations need access to applications from places far beyond your network. They also need protection from targeted cyberattacks, malicious applications and websites, phishing, command-and-control traffic, and other unknown threats. This requires consistent security. Your next firewall must enable the required levels of visibility, threat prevention and security policy enforcement to protect your distributed users and locations by delivering next-generation firewall capabilities from the cloud, securing them without deploying physical hardware.
Data and applications reside everywhere – in your network and in the cloud. According to the RightScale® 2018 State of the Cloud Report, 81 percent of enterprises have a multi-cloud strategy – made up of multiple public, private and/or hybrid clouds – leveraging five clouds on average.4 Compounded with SaaS environments, organizations must now secure sensitive data in the network and a variety of cloud environments. In addition, legacy security tools and techniques designed for static networks do not work with cloud-native tools and capabilities. Moreover, native security services from the cloud providers themselves, such as Google® Cloud Platform, Amazon® Web Services and Microsoft® Azure®, typically provide only Layer 4 protections and are specific to that cloud provider.
To succeed, your organization needs cloud security that extends security policy consistently from the network to the cloud; stops malware from accessing and moving laterally, or east-west, within the cloud; and simplifies management as well as minimizes the security policy lag as virtual workloads change. Your next firewall must protect the resident applications and data with the same security posture that you may have established on your physical network. To secure multi-cloud deployments, the firewall must support a variety of cloud and virtualization environments, including all major public cloud providers and virtualized private clouds. The firewall must integrate with native cloud services, such as Amazon Lambda and Azure, and automation tools, such as Ansible® and Terraform®, to integrate security into your cloud-first development projects.
Conventional security models operate on the outdated assumption that everything inside an organization's network can be trusted. However, given the increased sophistication of attacks and insider threats, you need new security measures to stop them from spreading once inside. Because traditional security models are designed to protect your perimeter, threats that get inside your network are invisible to them and go uninspected, free to morph and move wherever they choose to extract sensitive, valuable business data. In the digital world, an assumption of trust is nothing but a vulnerability.
Figure 4: Zero Trust Segmentation Platform
Zero Trust is a data-centric cybersecurity best practice that removes the assumption of trust and provides a reliable baseline for security. In a Zero Trust world, there are no trusted devices, systems or people. You identify the assets and data that require protection, determine who or what requires access to it through a need-to-know and least-privilege model, define security rules that reflect the business policy, and inspect and log all traffic. An NGFW should help with these steps, including enabling secure access for all users irrespective of location, inspecting all traffic, enforcing policies for least-privileged access control, and detecting as well as preventing advanced threats. This significantly reduces the pathways for adversaries to access your critical assets, whether the adversaries are outside or inside your organization.
Individual security products typically come with their own management applications. To configure security for each one, security operators must work with different management devices. According to the 2017 U.S. IT Services Report from ResearchCorp.org, more than 60 percent of organizations use products from three separate vendors, or five or more, to secure their network infrastructure.5 These products are disconnected and cannot share insights. Organizations also find it challenging to scale firewall onboarding, maintain consistent security policies and deploy emergency changes across thousands of firewalls. This makes security complex and stretches IT teams to the limit.
You must be able to operationalize the deployment of consistent, centralized security policies across tens of thousands of firewalls spanning on-premises and cloud deployments – including remote locations, mobile users and SaaS applications – through centralized management, consolidated core security tasks and streamlined capabilities. For example, you should be able to use a single console to view all network traffic, manage configuration, push global policies, and generate reports on traffic patterns or security incidents. Your reporting capabilities must let security teams drill down into network, application and user behavior, providing the context they need to make informed decisions. When these capabilities are delivered from the cloud, your teams can build out the right security architecture to prevent known and unknown threats at every corner of the extended network. In today's constantly changing threat landscape, using a single security vendor to address the vast spectrum of your security and business needs isn't always practical. In this case, the ability to integrate with and consume third-party insight and innovation is critical. When evaluating future security vendors, be sure to evaluate the extensibility and programmability of what they offer.
A recent survey from the Enterprise Strategy Group found 51 percent of cybersecurity professionals feel their organization has a problematic shortage of cybersecurity skills.6 This is compounded by a dependency on too many manual processes for day-to-day security operations, such as chasing down data, investigating false positive alerts and managing remediation. Done manually, the process of analyzing and correlating the vast number of security events slows mitigation, increases the chance for error and is difficult to scale. Security teams can easily drown in the volume of alerts and miss the critical, actionable ones. This is exacerbated by a looming shortage of skilled cybersecurity professionals. Although big data analytics uncovers hidden patterns, correlations and other insights to provide security teams with actionable intelligence, you still need the right data. That data must be sourced from everywhere – networks, endpoints, SaaS applications, public clouds, private clouds, data centers and so on – and be ready for analytics.
By using precise analytics to drive automation, you can easily operate security best practices like Zero Trust; streamline routine tasks; and focus on business priorities, such as speeding application delivery, improving processes or hunting for threats. There are three ways to think about automation:
Some threats remain hidden in data. By looking deeper into that data across locations and deployment types, you can find threats that may be lurking in plain sight. With automation, you can accurately identify threats, enable rapid prevention, improve efficiency, better utilize the talent of your specialized staff and improve your organization's security posture.
Consuming cybersecurity innovation is an arduous process. Organizations waste time deploying additional hardware or software every time they want to take advantage of a new piece of security technology. They invest more resources managing their ever-expanding security infrastructure instead of improving their security controls to stay ahead of attackers and prevent threats.
As the number of needed security functions increases, there are two options: add more devices or use an existing device to support new capabilities. If your firewall can act as a sensor for third-party innovations, you can rapidly adopt new security functions without deploying or managing endless new devices. Look for a firewall that allows you to implement new security technologies, such as analytics, threat intelligence and orchestration, without requiring the deployment of additional sensors or enforcement points. If your firewall can provide rich data and enforcement services for a growing ecosystem of security apps, you can focus on using your new technologies instead of deploying and managing them. This way, you can solve the most challenging security use cases with the best technology available without the cost or operational burden of deploying new infrastructure for each new function.