Next Generation Firewall (NGFW) – what is it and what does it protect against
30.06.2025

Ruslan Rakhmetov, Security Vision


The abrupt departure of foreign information security vendors from the Russian market in early 2022 contributed to the emergence of new types of import-substituting security solutions. Network security tools, including next-generation firewalls (NGFW), became one of the main needs of domestic customers. In this article, we discuss what functions such products should have and what they are needed for, as well as the main challenges faced by Russian manufacturers and consumers.


Firewalls (in Russian-language sources abbreviated as ME; also called brandmauers, from the German Brandmauer, or firewalls, from the English firewall) are network security tools that restrict access to network segments or individual hosts according to administrator-defined rules. The rules are based on the properties of a network connection, including the IP address, port, protocol and packet content, and the traffic is also checked for malicious or unwanted content. With some simplification, four generations of firewalls can currently be distinguished:


   ·   1st generation: the simplest packet filters that do not track the state of network connections (stateless firewalls), which appeared in the late 1980s. These solutions are still used today where simplicity and speed of operation are required. They operate at the network (third) and transport (fourth) layers of the OSI model and evaluate each packet separately, without any context or history of previous network connections. They can, for example, block incoming traffic from a specific IP address or to a specific port, and stop simple network attacks (simple DDoS, port scanning).

 

   ·   2nd generation: stateful firewalls, which appeared in the early 1990s. These products can relate packets to the connections they belong to: the device's memory stores the state and context of each network connection, and this information is used when deciding whether to allow or block traffic. Firewalls of this generation support dynamic network access rules, opening and closing ports based on connection state, which is especially useful for protocols that negotiate ports dynamically during connection setup. Such firewalls are still used today: despite their considerable demands on device performance and memory, they help prevent attacks such as session hijacking (TCP session interception) and packet injection (injection of forged packets).

 

   ·   3rd generation: from the mid-2000s, more and more attention was paid to network attacks on web servers and web applications, so a class of solutions emerged that analyzes traffic at the application (seventh) layer of the OSI model: application-level firewalls. For example, proxy servers (proxy firewalls) are installed in the corporate infrastructure as intermediaries between the user and the Internet, intercepting web traffic and analyzing its content. Such solutions prevent users from accessing unwanted sites (phishing and malware distribution, illegal content, social networks, gaming resources, etc.) and block the download of potentially unsafe files from the Internet. Around the same time, security solutions for web servers began to appear: for example, in 2002 the ModSecurity module was developed for the Apache web server, which filters requests to and responses from the web server to prevent network attacks (the project is still developing and provides, for example, the Core Rule Set for blocking various types of web attacks according to the OWASP methodology). This idea developed into WAF class solutions (Web Application Firewalls): software or hardware solutions for network security designed for deep analysis of web traffic at L7 and behavioral analysis of clients' work with a web application, with blocking of suspicious actions and installation of virtual patches.

 

   ·   4th generation: as equipment performance increased, it became possible to combine various security functions on a single platform. This is how UTM (Unified Threat Management) solutions appeared, combining a stateful firewall, a network intrusion detection and prevention tool (IDS/IPS), a VPN gateway, an antivirus and a content filtering tool. The idea of a combined, unified solution for protection against network attacks continued to develop: in 2008, Palo Alto Networks introduced a class of solutions called NGFW (Next-Generation Firewall). NGFW class solutions extended the functionality of UTM by adding control of the network activity of applications at the application (seventh) layer of the OSI model, filtering of malicious URLs, integration with user authentication systems, integration with sandboxes for checking suspicious objects, inspection of encrypted traffic (SSL/TLS inspection) and protection against DDoS attacks.
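To make the difference between the 1st and 2nd generations concrete, here is an added illustration (not code from the article or from Security Vision) of a stateless packet filter beside a minimal stateful one; the 10.0.0.0/24 internal network and the packets are constructed for the demo, and only TCP flags are modelled.

```python
from collections import namedtuple

# Constructed demo packets (not from the article): src/dst IP, ports and TCP flags.
Packet = namedtuple("Packet", "src sport dst dport flags")

INTERNAL_PREFIX = "10.0.0."   # assumed internal network for this demo


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_decision(pkt):
    """1st generation: every packet is judged on its own against static rules."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "allow"                     # inside may talk to the outside
    # Without connection state, the only way to admit web replies is a static
    # hole for anything coming from source port 80/443, forged or not.
    if not is_internal(pkt.src) and pkt.sport in (80, 443) and is_internal(pkt.dst):
        return "allow"
    return "deny"


class StatefulFirewall:
    """2nd generation: remembers flows opened from inside and admits inbound
    packets only when they belong to one of those flows."""

    def __init__(self):
        self.flows = set()   # (internal ip, internal port, external ip, external port)

    def decision(self, pkt):
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "S" in pkt.flags:           # outbound SYN opens a new tracked flow
                self.flows.add(key)
                return "allow"
            return "allow" if key in self.flows else "deny"
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.flows:
                return "deny"              # unsolicited inbound, even from port 80
            if "F" in pkt.flags or "R" in pkt.flags:
                self.flows.discard(key)    # teardown: stop tracking the flow
            return "allow"
        return "deny"
```

A forged packet arriving from source port 80 to a port no internal host ever opened passes the stateless filter but is dropped by the stateful one, which is exactly the packet-injection case mentioned above.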

 

A Gartner Research article titled "Defining the Next-Generation Firewall", released in 2009, stated that previous generations of firewalls could no longer counter network attacks effectively, that using IPS/IDS systems separately from firewalls provided no advantage and increased operating costs, and that the new NGFW class of solutions made it possible to identify attacks at the application level and apply granular network access policies. Gartner analysts listed the set of functions required of an NGFW class solution:


   ·   In-line ("in the gap") deployment in the network without negative impact on network communications;

   ·   All the functionality of previous firewall generations, including packet filtering, NAT, stateful protocol inspection, operation as a VPN server, etc.;

   ·   High-quality intrusion detection and prevention integrated into NGFW, including signature-based and rule-based threat detection, blocking malicious traffic and attacking hosts;

   ·   Deep analysis of network applications regardless of the ports and protocols they use, as well as the ability to granularly restrict network access (for example, the ability to only allow instant messaging, but not file sharing);

   ·   Integration with external sources, such as integration with directory services to provide network access only to certain domain users or integration with services that provide blacklists of external IP addresses;

   ·   Extensibility, including integration with new data sources and new security technologies.

 

Gartner currently defines NGFW as a firewall with deep packet inspection at the application layer (regardless of ports and protocols used), built-in network intrusion prevention functionality, and integration of data from external cyber threat analytics sources.


Much time has passed since the first NGFW was created, so modern next-generation firewalls are subject to expanded requirements, such as:

   ·   Support for network traffic analysis at gigabit speeds;

   ·   Support for a large number of network rules running simultaneously (from 1 thousand rules for the enterprise segment);

   ·   Support for SSL/TLS inspection, including on-the-fly traffic decryption through the implementation of sanctioned MitM inspection using a root certificate installed in the user's OS;

   ·   Support for analyzing hundreds of thousands of network sessions simultaneously;

   ·   Support for integration with cyber intelligence sources to download various indicators of compromise (IP addresses, domains, URLs, hashes of malicious files, etc.);

   ·   Analysis of DNS traffic with detection of requests to suspicious domains (DGA and DNS Fast Flux techniques), detection of connections to attacker C&C servers, and identification of hidden information leakage channels (DNS tunneling);

   ·   Detection of malicious and potentially dangerous content of various types (viruses, network worms, Trojans, encrypted archives, office documents with macros, etc.), use of various detection methods (rule-based, signature analysis, launch in a third-party or integrated "sandbox"), blocking the download of dangerous files "on the fly";

   ·   Advanced URL filtering and categorization with restriction of user access to potentially dangerous or illegal web resources, such as gambling, unlicensed software, dangerous programs, as well as blocking access to phishing or malicious resources;

   ·   Deep inspection of network traffic at the level of functionality of specialized DPI solutions;

   ·   Advanced application control with detection of traffic specific to certain programs (messengers, collaboration systems, cloud storage, etc.), using granular network access rules for various applications and user groups (including domain ones through integration with directory services);

   ·   Intrusion detection with detection of signs of exploits (including 0-Day) and unknown cyber-attack tools;

   ·   Detection of previously unknown malicious traffic and content, including using ML models;

   ·   Analysis of device behavior in the network and detection of anomalies in traffic, including using ML models;

   ·   Integration with other types of corporate information security systems, API integration, sending information security events to SIEM/SOAR systems via various protocols and in different formats (CEF, LEEF, EMBLEM, ELFF, etc.);

   ·   Support for fault tolerance, load balancing, scaling;

   ·   Delivery in the form of a virtual appliance or a hardware and software complex;

   ·   Support for centralized management of the NGFW network solutions through a single console or through a third-party tool (for example, through a SOAR platform).
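As an added example of the DNS-analysis requirement in the list above (detection of DGA domains and DNS tunneling), not code from the article or from Security Vision: two simple heuristics run over a constructed query log. The thresholds and the two-label "registrable domain" simplification are assumptions of the demo; a production NGFW would combine such heuristics with the threat-intelligence feeds and ML models the list describes.

```python
import math
from collections import defaultdict

# Constructed DNS query log (client IP, queried name); not taken from the article.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 cdn.example.net
10.0.0.7 xkq3vbzp9wlt2hfn.com
10.0.0.7 q8zr1mvt0ycjhwsd.net
10.0.0.9 ZGF0YS1jaHVuay0x.tunnel.example.org
10.0.0.9 ZGF0YS1jaHVuay0y.tunnel.example.org
10.0.0.9 ZGF0YS1jaHVuay0z.tunnel.example.org
10.0.0.9 ZGF0YS1jaHVuay00.tunnel.example.org
10.0.0.9 ZGF0YS1jaHVuay01.tunnel.example.org
10.0.0.9 ZGF0YS1jaHVuay02.tunnel.example.org
"""


def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registrable_domain(name):
    # Simplification for the demo: the last two labels form the registrable domain.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def looks_like_dga(name, min_len=12, min_entropy=3.5, max_vowel_ratio=0.2):
    """DGA heuristic: a long, high-entropy, vowel-poor registrable label."""
    label = registrable_domain(name).split(".")[0]
    vowels = sum(label.count(v) for v in "aeiou")
    return (len(label) >= min_len and shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)


def dga_hits(log):
    return [line.split()[1] for line in log.splitlines() if looks_like_dga(line.split()[1])]


def find_dns_tunnels(log, min_unique=5, min_sub_len=12):
    """Tunneling heuristic: one client sending many distinct long subdomains
    under the same registrable domain (data encoded into the query name)."""
    seen = defaultdict(set)
    for line in log.splitlines():
        client, name = line.split()
        labels = name.lower().split(".")
        if len(labels) > 2:
            seen[(client, registrable_domain(name))].add(labels[0])
    return {key for key, subs in seen.items()
            if len(subs) >= min_unique and all(len(s) >= min_sub_len for s in subs)}
```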

 

It should also be noted that there are currently about 20 NGFW solutions from various vendors on the Russian market. However, the main challenges faced by both manufacturers and customers are related to performance: large corporations require high-performance NGFW solutions that operate stably at high speeds (for example, at 100 Gbit/sec with application control enabled) and can also perform TLS inspection of encrypted traffic "on the fly" (for example, at 10 Gbit/sec). Such speeds are currently achievable only when the NGFW is implemented as a hardware-and-software appliance: a physical device with a large amount of RAM and high-performance CPUs running a specialized OS into which the firewall management software is tightly integrated. Such import-substituting hardware solutions require a special approach to their own cybersecurity: in particular, the use of an untrusted (foreign, even from friendly countries) component base can lead to hardware and software backdoors being introduced into the NGFW. Consequently, import-independent NGFW hardware must be assembled exclusively from a domestic microelectronic component base at Russian factories that are equipped with Russian tooling and machines and operated by qualified domestic engineers. The task of creating such a modern Russian microelectronics industry is still being solved.

 
