IT Security: The Evolution of Firewalls

Nov. 1, 2013
Knowing the capabilities of the technology can go a long way toward crafting a network security solution for your customers

Network security is a critical concern for enterprises, government agencies and organizations of all sizes — and thus, helping them to solve these problems should be a critical concern for you.

Today’s advanced threats demand a methodical approach to network security. In many industries, enhanced security is not just an option — it is a requirement. Federal regulations such as Sarbanes-Oxley, HIPAA, GLBA, and others require organizations, including financial institutions, health care providers and federal agencies, to implement stringent security programs to protect digital assets.

Network security and the devices used to protect the network have become increasingly confusing. With such high stakes, it is imperative that security integrators are fully aware of the technologies available to them to help mitigate the risk for these important clients and markets. Perhaps the most common and effective network security technology is the firewall — the backbone for most network security deployments. Firewalls have evolved over time to adapt to the changing risks, vulnerabilities and needs of end-users.

Here’s a look at how firewalls have evolved, along with complementary firewall technologies that can be deployed for specific risk mitigation.

The Beginnings

Firewalls were the first independent security devices used with external network connections. An example of a traditional firewall is the Cisco ASA. The purpose of the original firewalls was to ensure that only the connections that were actually required were allowed into the enterprise network, which typically meant services offered to the public, such as e-mail, Web, FTP, DNS and a few others. Firewalls were also used to limit the types of services that internal computers could reach outside the enterprise, which also went some way toward preventing malware from contacting external servers.

Firewall rules were applied against connections attempted through the firewall, either inbound or outbound, to determine whether the connection was allowed. This worked well for a number of years, but as services and their protocols multiplied and applications began to use HTTP’s port (80) as their transport mechanism, the ability of firewalls to meaningfully control traffic diminished. To handle this, firewall designers began to use a technique known as deep packet inspection (DPI), which looks into layer 7 application information to determine the service being used. This additional information is then used in firewall rules.

These traditional “stateful inspection firewalls” have effectively become obsolete because of two significant limitations. First, they did not inspect the data payload of network packets. Second, while more and more network traffic uses Web protocols — including legitimate business applications, non-business applications and attacks — traditional firewalls did not have the fine-grained intelligence to distinguish one kind of Web traffic from another and enforce business policies, so it was either all or nothing.

Enter the Next Generation

Over time, security vendors have integrated new approaches with the old to come up with a true “all-in-one” device, the “next-generation firewall.” These devices attempt to address the traffic inspection and application awareness drawbacks of stateful inspection firewalls without hampering performance.

The most significant difference between the next-gen devices and traditional firewalls is that they are application-aware: they use a variety of techniques to identify applications, including Web apps. Thus, instead of allowing all traffic coming in via typical Web ports, next-gen firewalls can distinguish between specific applications (for instance, YouTube vs. Salesforce.com) and then apply policies based on business rules.

Next-gen firewalls also use deep packet inspection techniques to examine traffic for anomalies and known malware; however, these devices are optimized so that packets need to be examined only once, rather than processed through multiple engines.
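The port-based versus application-aware distinction described above, as an added illustration that is not part of the original article: a port-only rule set treats every flow on port 80 the same, while a minimal layer 7 inspector that reads the HTTP Host header can tell the two applications apart. The Host-to-application table, the flows and the policy names are all constructed for the example; a real next-gen firewall uses far richer signatures.

```python
import re

# Constructed Host-header-to-application table (stand-in for vendor app signatures)
APP_SIGNATURES = {
    "www.youtube.com": "youtube",
    "login.salesforce.com": "salesforce",
}

# Business policy expressed per application rather than per port
APP_RULES = {"salesforce": "allow", "web-browsing": "allow", "youtube": "deny", "unknown": "deny"}

HOST_RE = re.compile(rb"^Host:\s*([^\r\n]+)", re.MULTILINE | re.IGNORECASE)


def classify_l7(payload: bytes) -> str:
    """Deep packet inspection: derive the application from the HTTP Host header."""
    m = HOST_RE.search(payload)
    if not m:
        return "unknown"  # no HTTP request line/headers seen: cannot classify
    host = m.group(1).strip().decode("ascii", "replace").lower()
    return APP_SIGNATURES.get(host, "web-browsing")


def port_policy(dport: int) -> str:
    """Traditional rule: anything on the standard Web ports is allowed."""
    return "allow" if dport in (80, 443) else "deny"


def app_policy(dport: int, payload: bytes) -> str:
    """Next-gen rule: port must be open AND the identified application must be allowed."""
    if port_policy(dport) == "deny":
        return "deny"
    return APP_RULES[classify_l7(payload)]


# Constructed sample flows, all on port 80 so that port-only rules cannot separate them
FLOWS = [
    (80, b"GET /watch?v=abc HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
    (80, b"GET /login HTTP/1.1\r\nHost: login.salesforce.com\r\n\r\n"),
    (80, b"\x16\x03\x01\x00\x05hello"),  # non-HTTP bytes tunnelled over port 80
]


def compare(flows):
    """Return (port, port-only decision, application-aware decision) per flow."""
    return [(dport, port_policy(dport), app_policy(dport, payload)) for dport, payload in flows]


if __name__ == "__main__":
    for row in compare(FLOWS):
        print(row)
```

The third flow shows the fail-closed choice: bytes on port 80 that are not recognisable HTTP are denied rather than waved through as "Web".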

Newer features, such as data leakage prevention, can further help organizations protect themselves from within. Often, even trusted employees can send sensitive data into untrusted zones, either intentionally or by accident. Next-gen firewalls combat this by using sophisticated pattern matching techniques and user identity to detect and prevent unauthorized communication of sensitive information and files through the network perimeter.

In all, next-gen firewalls do a thorough job of inspecting and filtering network traffic and enable you and the end-user to fine-tune exactly what type of content to allow or block, to apply per-user policies regarding content, and to provide intrusion prevention and reputation-based functions to stop attacks and malicious activity.

Intrusion Detection and Prevention Systems (IDS/IPS)

Intrusion detection systems passively monitor network traffic, looking for particular malicious patterns, such as repeated attempts to log on to an account or server. When these devices notice a pattern, they send alerts to administrators and sometimes modify firewall rules to restrict access from the offending IP address.
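The "repeated attempts to log on" pattern and the alert-then-block feedback described above, as an added example that is not part of the original article: a sliding-window detector run over constructed sshd-style log lines, with the resulting firewall rule generated in iptables syntax. Threshold, window and the sample addresses are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style, documentation IP ranges), not from any real host
SAMPLE_LOG = """\
2013-11-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2013-11-01T09:00:03 sshd: Failed password for admin from 203.0.113.7
2013-11-01T09:00:04 sshd: Accepted password for alice from 198.51.100.20
2013-11-01T09:00:05 sshd: Failed password for root from 203.0.113.7
2013-11-01T09:00:06 sshd: Failed password for admin from 203.0.113.7
2013-11-01T09:00:07 sshd: Failed password for admin from 203.0.113.7
2013-11-01T09:10:00 sshd: Failed password for bob from 198.51.100.20
"""

FAIL_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source IP that produces `threshold` failures inside `window`."""
    recent = defaultdict(deque)  # src IP -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successes and unrelated lines are not counted
        ts, src = datetime.fromisoformat(m.group(1)), m.group(3)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(q), "at": ts.isoformat()})
    return alerts


def block_rules(alerts):
    """Firewall-rule feedback an IDS might push for each alert (iptables syntax)."""
    return [f"iptables -I INPUT -s {a['src']} -j DROP" for a in alerts]


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    print(found)
    print(block_rules(found))
```

The single failure from 198.51.100.20 never reaches the threshold, so only the address with five failures in under a minute is reported and blocked.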

Intrusion prevention systems work in conjunction with next-generation firewalls: all traffic from the firewall’s external link is sent through the IPS, which is responsible for identifying and stopping suspicious traffic.

Specific IPS rules and signatures are used to control how many flows are monitored and for how long, so as to ensure that the IPS does not significantly diminish the overall traffic flow. IPSs are complex systems that must also work to minimize the number of false positives. SourceFire, Palo Alto Networks and TippingPoint are examples of IPS vendors.

Zero-Day Attack Mitigation

A zero-day attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability; thus the developers have had zero days to address and patch the vulnerability.

Zero-day exploits — the software and/or strategies that use a security hole to carry out a successful attack — are used or shared by attackers before the developer of the target software knows about the vulnerability.

Solutions such as Palo Alto Networks’ WildFire are typically an adjunct subscription to existing firewalls. They actively analyze suspicious content from network traffic in a safe, cloud-based virtual environment to observe the behavior of suspected malware. Through the subscription service, updates are automatically generated and distributed to installed firewalls for global protection against the newly discovered malware.

Ronen Isaac is vice president of Continental Computers, a networking and video surveillance products reseller and integrator/VAR based out of El Segundo, Calif. He is also vice president of WLANmall.com