What is a Next Gen Firewall? And Why Should I Care?

I may be going out on a limb here, but I’m going to bet that you found this blog because you were interested in learning more about firewalls, or about Internet security. Maybe you wanted to read about next generation security. Bleeding edge. Hype. Hoopla. Who can blame you? You can’t go more than a day without reading about some company that lost millions of private records to hackers. It’s only a matter of time before a hacker aims for your data, your identity, or your financial records.

You are here because you are searching for the best technology available to protect yourself against the ever-increasing number of threats – very real threats that can expose your data and destroy your online integrity in a matter of seconds.

Let me cut to the chase: You want a Next Generation Firewall.

I’m not going to sell you one, however. I’m not even going to tell you which one to buy. I know better than to stake my reputation on some device that was designed yesterday but will be used to protect against threats that won’t even exist until tomorrow. You shouldn’t either. What I will do is tell you about firewalls so you can decide what is best for your needs and for your network.

It’s a killer sales tactic, I know. Before you big spenders pull out your wallets, let me tell you a few things about firewalls and about internet security that you probably don’t realize.

The three most important things you need to know about firewalls are:

1. All firewalls are insecure.
2. All firewalls are insecure.
3. All firewalls are insecure.

Firewalls are not designed to keep malicious traffic off of your network. Firewalls are designed to recognize friendly traffic and to let it in.

In other words: Firewalls are not steel-reinforced walls and thick iron gates; they are doormen.

That said, there is a difference between a good firewall and a bad firewall. Some firewalls, in fact, act more like greeters at your local Big Box Mart-o-Rama, happily smiling and waving while any and all types of people stroll through the door. You don’t want that. What you want is a doorman who is intelligent, who can recognize people that are coming and going, who can discern their intentions, and who can adapt immediately to sudden changes in circumstances.

This is exactly what you will get in a Next Generation Firewall.

Let’s take one step deeper…

All firewalls rely on ALLOW and DENY rules that define who can enter and who cannot. If I want to attack your network, it’s simple – all I have to do is follow the ALLOW rules, the ones that describe who can enter. If your firewall blocks all incoming traffic from everyone except computers belonging to your sales team, for instance, then all I have to do to break into your network is make my computer look and act like a computer that belongs to your sales team. Your firewall has no choice but to let me – an attacker who looks perfectly legitimate – into your network! Why? Because it has to follow the rules.*

These rules are what make every firewall a liability.

This is not a bug or a backdoor. Firewall ALLOW rules represent an intentional hole in your security infrastructure. For this reason, hacking through firewalls is vastly different from other forms of attack. To protect yourself and to choose the best firewall, you must develop new ways of thinking about firewalls and how they function in your network. Sadly, most software firewalls that come with your operating system function in exactly this way. Default firewall security is never enough.

Bad firewalls are like bouncers at night clubs; good firewalls are like the secret security.

So what’s next?

If you truly want the best firewall for your needs, the question you must ask yourself isn’t “What will this firewall protect me against?” You should be asking yourself “What rules do I want my firewall to follow?” Think about that question for a little bit. Maybe even make a list.

OK, welcome back. You probably ran into a big problem with that last question. Even though I told you to think like a firewall and to think about the rules that you need to follow, you probably realized that it’s impossible to define every rule that your firewall will ever need to follow. It’s the same reason that you can’t hire someone to watch your front door and, on day one, give them a list of everyone who will ever enter or exit the door.

What we need are new types of rules: complex and sophisticated rules that adapt on the fly to the needs of trusted applications, that respond immediately and intelligently to unusual spikes in traffic, and that can accommodate elevated security for special types of connections. Most importantly, and perhaps counterintuitively, you want rules that apply to both sides of the network – inside and outside.

This is what you will get with a Next Generation Firewall.

And this is what you need to think about when you are shopping for a firewall. You don’t need a firewall that mindlessly follows ALLOW and DENY rules. You need a smart device that is going to scale with your security needs, adapting and responding without requiring constant reconfiguration or monitoring, and keeping you informed when trouble arises.

I’m sure you get the picture by now: This is what Next Generation Firewalls are all about.

Stay tuned for more articles on this site where we explore specific features of next generation firewalls, and even report on some performance testing of popular models from names like Palo Alto, Cisco, Juniper, and Dell SonicWALL.

*A similar attack was once perpetrated at an upscale dining establishment when a notorious offender claimed to be Abe Froman, the Sausage King of Chicago. The maître d’ was rule bound and had no choice but to seat the individual and his companions.

Application Awareness: Next Generation Firewall vs. Traditional Firewalls

Working Application Awareness Into Next Generation Firewall:

When considering security in the light of the Internet, or virtual, environment, much of the problem is that improvements in such an alien environment are difficult to grasp. The purpose of this post is to give some real-world analogies for how application awareness works in a next gen firewall (NGFW) as opposed to a traditional hardware firewall. I have selected application awareness because I personally believe it is one of the most important differentiators for a Next Generation Firewall.

You can think of a firewall as the wall that secures a physical building. In order for the building to be of use you need to have doors to allow people to travel in and out. Each of these doors has a security guard who checks whether the people exiting or entering have permission to do so. If, based on the rules set up for the guard, the answer is “Yes” for that door (door 80, as an example), the guard lets the person through. The guard does not care why the person is there. Further, the guard is incapable of asking other questions to find out the visit’s purpose.

In contrast, a next generation firewall will leverage application awareness, which improves the qualifying process for entry. First it asks, “What is your purpose here?” and second it performs a “strip search” of the people, checking their profile and equipment against a database of criminals and illegal objects. If the purpose stated is not allowed, or it finds anything illegal or harmful, it prevents entry and alerts the appropriate responsible party that an attempt at illegal entry was just made. Some such firewalls include Palo Alto Networks (PAN), Checkpoint firewalls, Fortinet, Cisco firewalls, and Juniper Firewalls. All of these brands can be set to be application aware. While they may all have some significant differences in how they handle and report on the applications that are trying to invade your network, any of these Next Generation Firewalls will be a significantly better solution than what was considered a traditional hardware firewall.
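As an added illustration (not code from this site or from any vendor named here), the Python below models the two doormen described in this post and in “What is a Next Gen Firewall?” above: a port-only rule set that trusts an address and a door number, and an application-aware rule set that first asks the flow “What is your purpose here?” by classifying what the client actually sends. The sales-team subnet, the three protocol signatures and the sample flows are constructed.

```python
"""Port-only rules versus application-aware rules (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    src: str        # source IP address as the firewall sees it
    dst_port: int   # destination port (the "door" number)
    payload: bytes  # first bytes the client sent on the connection


def in_subnet(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# Traditional rule set: (action, source subnet, destination port). First match
# wins; anything unmatched is denied. 10.0.5.0/24 is a constructed "sales team"
# subnet. The source address is all the rule trusts: any host presenting an
# address in that subnet is treated as sales, which is the first article's point.
LEGACY_RULES = [
    ("ALLOW", "10.0.5.0/24", 80),
    ("ALLOW", "10.0.5.0/24", 443),
    ("DENY", "0.0.0.0/0", None),
]


def legacy_decision(flow: Flow) -> str:
    """The guard at door 80 checks only the badge (address) and the door (port)."""
    for action, cidr, port in LEGACY_RULES:
        if in_subnet(flow.src, cidr) and (port is None or port == flow.dst_port):
            return action
    return "DENY"


def identify_app(payload: bytes) -> str:
    """Ask "what is your purpose here?" from the first bytes sent (three toy signatures)."""
    first_line = payload.split(b"\r\n", 1)[0]
    if (first_line.endswith((b" HTTP/1.0", b" HTTP/1.1"))
            and first_line.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"PUT")):
        return "web-browsing"
    if payload[:3] in (b"\x16\x03\x01", b"\x16\x03\x02", b"\x16\x03\x03"):
        return "tls"  # TLS handshake record header
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


# Application-aware rule set: same subnet and ports, but each ALLOW also names
# the application expected on that door.
NGFW_RULES = [
    ("ALLOW", "10.0.5.0/24", 80, "web-browsing"),
    ("ALLOW", "10.0.5.0/24", 443, "tls"),
    ("DENY", "0.0.0.0/0", None, None),
]


def ngfw_decision(flow: Flow) -> tuple:
    """Return (action, identified app) so a deny can be reported with its reason."""
    app = identify_app(flow.payload)
    for action, cidr, port, wanted in NGFW_RULES:
        if (in_subnet(flow.src, cidr) and (port is None or port == flow.dst_port)
                and (wanted is None or wanted == app)):
            return action, app
    return "DENY", app


# Constructed sample flows: a normal web request, and SSH pushed through "door 80".
HTTP_GET = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"

if __name__ == "__main__":
    for f in (Flow("10.0.5.20", 80, HTTP_GET), Flow("10.0.5.20", 80, SSH_BANNER)):
        print(f.src, f.dst_port, legacy_decision(f), ngfw_decision(f))
```

The port-only guard admits both sample flows because both arrive from the sales subnet at door 80; the application-aware guard admits the web request and refuses the SSH session, reporting why.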

Obviously, these extra steps go a long way toward better securing your environment. Criminals on the Internet are using new ways to gain access to your data and bypass traditional firewalls. 5 years ago no one had ever heard of malware, phishing, or compromised websites. Firewalls built on technology more than 5 years old are at risk from threats that were developed specifically to bypass them.

People trying to compromise your environment are leveraging these blind spots and limitations of traditional firewalls to gain a foothold within your environment. The longer a company runs a security perimeter that relies on a set of security products that are fundamentally compromised, the greater the chance some nefarious entity will take advantage of that deployment.

A Next Generation Firewall set up with application awareness will allow you to better guard your network perimeter from those trying to gain access for malicious purposes.

Top 5 Non-Tech Tips a CEO Can Learn from the Target Security Breach

What your US Company and Target Corporation Have In Common

You’re the CEO of a small or medium sized business. Define that any way you want: $500,000 to $500,000,000 in revenues, 5 to 5,000 employees, 1 to 1,000 locations, or any combination thereof. Your company may not be named Target, but without a doubt your company information is a target. There could not have been a more apropos company to be associated with the largest security breach (most customers affected) in the US than a company named TARGET! Perhaps this will be a wakeup call for all the SMBs out there with a “nobody will come after us” or “my information isn’t valuable to others” attitude.

So here are the Top 5 non-technical things that a CEO should learn from the Target Corporation breach:

1.) Your company info is valuable. If the Target security breach teaches us anything, it is that a company’s data is valuable. Data about your customers, vendors, and personnel, marketing strategies, intellectual property, even company memos can do real damage in someone else’s hands, whether that is your competitors, cyber-thieves, or even your own employees.

We certainly try to prevent our employees from taking company data when they leave the company. Has an employee of your firm ever left and gone to work for a competitor? Of course they have. Your customers, IP, marketing, even processes that give your firm an advantage are at risk. Cyber thieves are an obvious danger that does not need any explanation. You need to make sure this data is being protected both internally and externally. The first step in doing this is realizing that your data is actually valuable and that someone out there wants it.

2.) Fixing a breach is costly. Stating the obvious, Target Corporation is spending oodles of money on PR, discounts to keep customers, attorneys, reporting; the list goes on and on. In fact Target just announced that it will be offering affected customers FREE credit monitoring and identity theft protection. Think of the cost of that. Besides those hard costs, think of the cost in human talent that comes from taking on the project of defending your corporate reputation. Now add the cost of this project being completely unexpected. Can you even measure such costs? Could you, as CEO of your company, basically clear your schedule for the next month or more, as Target CEO Gregg Steinhafel is doing? Sure, your company might not have to appear on CNBC to explain your reactions and strategy, but as CEO you will probably have to spend a lot of time explaining those same things to your clients, vendors, and employees. Even if you can eventually delegate that work, it is a costly, unexpected project, which means it delays other legitimate projects that currently have you and your staff’s resources. Can you calculate the cost of putting all of those projects on hold?

3.) Checkbox compliance is NOT a strategy.

You may have heard in TV reports that Target actually did have anti-malware software installed on their terminals, so they are not sure exactly how the breach happened. Now, we do not have any insight into Target’s security policies and procedures, and we are not accusing them of anything in this paragraph, but that statement is worth thinking about for a minute, because many companies take a “check it and forget it” approach to security and compliance. Installing software or hardware without putting together a plan to make sure updates happen on a schedule, or without considering known cyber-theft strategies on an ongoing basis, can render any hardware or software solution installed to “comply with the auditor’s checkbox” worthless. Best practices in security should be created, known, and followed. Create a plan in house if you have the technology talent, or outsource it if you don’t. A solid plan is the best start to a strong defense.

4.) Breach Notification: Timing Can Be Everything. There is a very good chance that the Target security breach did not just happen a day before it was reported. Many times these breaches go undetected for a long time while the “cyber-criminal” is in your systems, just looking for an opening to more valuable data. In such cases it would be great to have a plan that incorporates systems and monitoring that would document and inform you of not only a breach, but also actions by these criminals that could be considered an attempted breach. Technologies such as SIEM (Security Information and Event Management) can offer such protection. When put together as part of a strategy with your network or Next Generation Firewall, your staff can truly monitor potential breaches in a much more timely fashion, reducing the effects of a breach or avoiding one altogether.

5.) You can’t just spend to protect. It would be great if all you had to do was purchase a next generation firewall and be all good. However, just as putting more police on a police force won’t necessarily reduce crime in an area, frivolously spending budget on security will not stop all cyber-crime. You can have firewall hardware, firewall software, a free firewall or the best firewall in your company; if you don’t have a plan of action, you still may be in for a breach.

Of course every company has a responsibility to its clients, vendors, stakeholders, and even shareholders to try to protect its systems, but educating your employees about cybercrime and the little things they can do to keep an eye out or help prevent it can also go a long way. The cybercriminal is always trying to be one step ahead, just as street criminals try to be with the police. So we have to use tools and education to try to keep up and prevent them from being successful. You do need to budget for solutions. There are of course many hardware firewalls: Cisco, Palo Alto, Fortinet, Checkpoint, or Juniper. However, you can implement any hardware, and if you do not follow best practices on implementation, you can easily fail to get the most out of the money you spend. You have to plan and spend, not just spend.

As a CEO, it is important that you understand the risks and consequences of a poorly laid out security plan. Of course you are not likely the one who will be executing such a plan, but a breach will certainly fall squarely on your plate to fix. It is highly recommended that you designate someone on your staff to see that such a strategy is produced. Also, make sure that one of the responsibilities of this staff member is to inform you on a regular basis as to how the plan is being executed, so that diligence, and not checkbox compliance, is exercised. The CEO’s knowledge on this topic is essential if a breach were ever to occur. You will be much better prepared to deal with what is likely to become a very public affair if you have been involved and informed along the way.

So take these lessons from Target’s misfortune and try to avoid such an occurrence within your organization. You and your staff won’t be able to stop all attempts to target your company’s data, but with the right tools you can both prevent breaches as well as be notified as early as possible if there are attempts at breaches. As CEO this is not the way you want to get your name out there.
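To make item 4 above concrete, here is an added example (not from this site) of the kind of correlation a SIEM performs over Next Generation Firewall logs: it watches DENY events per source address and raises one alert when a single source is refused on several different ports within a short window, which is the sort of activity the item calls an attempted breach. The log format, the addresses, the window and the threshold are all constructed.

```python
"""SIEM-style correlation of firewall DENY events (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <firewall> action=<ALLOW|DENY> src=.. dst=.. dport=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(line: str):
    """Return an event dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "fw": d["fw"], "action": d["action"],
            "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])}


def correlate(lines, window=timedelta(seconds=60), threshold=5):
    """Alert once per source that is DENIED on >= threshold distinct ports inside `window`.

    Events older than the window are evicted, so a stray deny hours earlier
    does not count towards the alert.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, dport), oldest first
    alerted, alerts, unparsed = set(), [], 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1         # reported in the summary rather than silently dropped
            continue
        if ev["action"] != "DENY":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        ports = sorted({p for _, p in q})
        if len(ports) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "first_seen": q[0][0],
                           "last_seen": ev["ts"], "ports": ports})
    return {"alerts": alerts, "unparsed": unparsed}


# Constructed sample: one outside host refused on port after port, one internal
# host with a single deny, one ALLOW, and one line the parser must skip.
SAMPLE_LOG = """\
2024-03-01T09:58:00 fw01 action=DENY src=198.51.100.7 dst=10.0.1.10 dport=3389
2024-03-01T10:00:01 fw01 action=DENY src=198.51.100.7 dst=10.0.1.10 dport=21
2024-03-01T10:00:02 fw01 action=DENY src=198.51.100.7 dst=10.0.1.10 dport=22
2024-03-01T10:00:03 fw01 action=ALLOW src=10.0.5.20 dst=10.0.1.10 dport=443
2024-03-01T10:00:04 fw01 action=DENY src=198.51.100.7 dst=10.0.1.10 dport=23
2024-03-01T10:00:05 fw01 action=DENY src=10.0.5.20 dst=10.0.1.10 dport=22
this line is deliberately malformed
2024-03-01T10:00:06 fw01 action=DENY src=198.51.100.7 dst=10.0.1.10 dport=25
2024-03-01T10:00:08 fw01 action=DENY src=198.51.100.7 dst=10.0.1.10 dport=80
2024-03-01T10:00:09 fw01 action=DENY src=198.51.100.7 dst=10.0.1.10 dport=443
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines())["alerts"]:
        print(f"{alert['src']} denied on ports {alert['ports']} "
              f"between {alert['first_seen']} and {alert['last_seen']}")
```

The early 09:58 deny on port 3389 falls outside the 60-second window and is evicted, so the alert is raised on the fifth distinct port at 10:00:08 and names only the ports seen within the window.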

Not Your Father’s Perimeter Protection

by Michael Kupfer

The use of firewalls as a network control piece has been around for about 20 years. In the most basic terms, a firewall sits in front of your network and blocks traffic coming in on certain ports to prevent intrusion into the network by people who want to gain access with malicious intent.

Over the years, the firewall industry has grown to have many players. Traditional players such as Checkpoint, Cisco, and SonicWall (now owned by Dell) have all found this market to be a strong growth space over the past 2 decades, as network traffic has increased and compliance for organizations has become more strictly enforced.

Some recent trends in the types of intrusion have made the securing of a network both more difficult as well as more financially necessary.

Below are four major trends that make firewall usage as well as next generation firewall usage an important part of your security strategy.

  • The motivations of the intruders
    • 15 years ago the typical intruder would try to break into a network with the main goal of intruding and then screaming about how they did it. An ego thing, if you will, all played out in what we now would call the internet but back then were “chat rooms”.
    • Today attackers are not screaming anything. In fact they are quietly intruding NOT for the purpose of being able to say they accomplished it, but to slowly and quietly gain access to other systems in the network. The purpose is to steal data: client lists, credit card information, trade secrets, company IP. All of which are sellable in today’s “internet world”, and not even so discreetly. Just check out the results when you “GOOGLE” the term “How to buy stolen credit cards”; there are plenty of easy-to-find outlets for stolen credit cards.
    • The underground market for this type of information is large, and the technology to penetrate networks for as much information as can be obtained is heavily invested in by these cyber-crooks.
  • Heftier Compliance
    • Compliance getting stricter means that companies must invest in technologies that protect client data. PCI compliance, for example, states guidelines that must be followed to protect client credit cards from being accessed. With the authority to fine offenders who can’t pass audits or who are breached, as well as the ability to deny those organizations the ability to accept credit cards, the PCI Security Standards Council has a lot of leverage in making sure investments are made in data protection.
  • Company Brand Protection
    • Nothing can ruin a company faster than the loss of trust. Especially in the past 5 years there has been no shortage of companies having to deal with the financial, public relations, marketing and legal consequences of information breaches.
    • Sony Online Entertainment, Citibank, and many other high profile names have had breaches. There are some pretty big names on a recent list of worst breaches. Corporations are not alone: universities such as Harvard, Stanford, Cornell, Princeton and others are all examples of organizations that have had to deal with the MULTIPLE costs associated with a breach.
    • Some brands can be ruined forever. For example, how comfortable would you be donating to a specific non-profit that had its data breached, allowing undesirables to collect lots of data about your charitable giving as well as potential personal information? The answer is probably not likely. That organization’s brand is forever tainted as soon as a breach of data is reported on the ten o’clock news.
  • You are not too small anymore
    • Most small to mid-sized companies think “I am too small for someone to want my data” or, even more often, “What data do I have that others would even consider valuable?”
    • The answers to those questions are the following: 1) You are not too small. Hackers trying to get through your perimeter find it much easier to target mid-sized or even small companies because those companies are more likely to be easier to breach. They do not necessarily have the compliance concerns that a Fortune 500 company may have, nor do they typically have the budget to re-invest as new ways of hacking become available. 2) You absolutely have data that others would want. Do you keep your documents, drawings, designs, client credit cards, client database, marketing strategies, legal documents, corporate memos, financials, web content on tape or disk within your environment? Would any of your competitors like to get this information? Don’t put it past a thief of corporate information to make his first call to your biggest rival in the industry.

The motivations of the bad guys, as well as compliance and the fear of brand devaluation, have made data protection a top priority for organizations both large and small. The types of networks we work with today, as well as the explosion of internet use within our organizations, have forced security vendors such as the firewall vendors to constantly adapt. If you are asking yourself “What is a Next Generation Firewall?”, the answer is the latest adaptation of the industry’s old faithful, the device that is there to protect our network.

More to come on NGFW in future posts.