Ruslan Rakhmetov, Security Vision
Companies protect their internal perimeter by various means, but the first thing that comes to mind for protection against network threats is FireWall, which we have already mentioned in our review of IS solutions. In the current article we will look at use cases, functionalities and differences between a classic firewall, NGFW and UTM.
If we think of the development of an organisation's defence as a character in an RPG, a particular tool can be a special perk (skill), an item in the inventory or an armour that can be assembled piece by piece to provide comprehensive protection.
Classic FireWall, FW
FW (FireWall) is a network device or software that is used to control and filter traffic. Its main purpose is to prevent unauthorised access to protected data from the outside and to restrict the sending of data packets in the opposite direction.
On the one hand, it can perform functions similar to a VPN service, hiding IP addresses and ports from the outside world. In this mode the control works as a disguise, a piece of armour that conceals our hero, the company perimeter, from enemies. Stealth could in principle be perfect (the character would then be hidden whenever needed). But, as in board and computer games, such a level is difficult to achieve in real life, since attackers have the abilities and tools to discover real addresses and infiltrate the network through various tricks.
On the other hand, FW can allow or block network traffic depending on predefined security rules and policies (using, for example, lists of applications trying to access the Internet or black/white lists of external IP addresses). In blocking mode according to predefined rules, FWs are like natural shelters, safe zones on the battlefield where the enemy cannot physically reach you.
Classic firewalls typically operate at the transport layer (TCP) or network layer (IP), and can be physical devices or software installed on servers or routers. Network traffic protection in its basic form is implemented and shipped natively in many operating systems, e.g. UFW (Uncomplicated FireWall) in Ubuntu (similar services exist in other Linux distributions) or the Microsoft Defender firewall.
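To make the rule-based blocking described above concrete, here is a small stateless packet filter of the kind a classic firewall implements at the network/transport layer. It is an added example written for this article, not code from Security Vision or from any real firewall product; the packets, addresses (documentation ranges) and the rule set are all constructed. It shows the two things that matter in practice: rules are evaluated top to bottom with the first match winning, and anything no rule covers falls through to a default policy of deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed example: a minimal stateless packet filter working only on
# network-layer (IP) and transport-layer (TCP/UDP port) fields, as a classic
# firewall does. No payload inspection takes place at this level.


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    direction: str  # "in" (towards the perimeter) or "out"


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: Optional[str] = None
    src: Optional[str] = None     # CIDR such as "203.0.113.0/24"; None = any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set on the rule must match the packet."""
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Default policy for packets that match no rule at all.
DEFAULT_POLICY = "deny"

# Constructed rule set: a "black list" range is denied first, then inbound
# HTTPS to one published server and outbound DNS/HTTPS are allowed.
RULES: List[Rule] = [
    Rule("deny", src="203.0.113.0/24"),
    Rule("allow", direction="in", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("allow", direction="out", proto="udp", dport=53),
    Rule("allow", direction="out", proto="tcp", dport=443),
]


def decide(p: Packet, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return DEFAULT_POLICY


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 443, "in"),   # allow
        Packet("203.0.113.9", "192.0.2.10", "tcp", 443, "in"),    # deny (black list)
        Packet("198.51.100.7", "192.0.2.10", "tcp", 22, "in"),    # deny (default)
        Packet("192.0.2.10", "198.51.100.1", "udp", 53, "out"),   # allow
        Packet("192.0.2.10", "198.51.100.1", "tcp", 25, "out"),   # deny (default)
    ]
    for s in samples:
        print(s.direction, s.src, "->", s.dst, s.proto, s.dport, "=>", decide(s))
```

Rule order is the usual source of mistakes with this model: if the black-list deny were placed after the HTTPS allow, packets from the blocked range to port 443 would be accepted, because the allow would match first. Ordering explicit denies before broad allows, and keeping the default at deny, is what turns the rule list into the "safe zone" the article describes.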
Universal Gateway, UTM
UTM (Unified Threat Management) is a gateway that combines the functions of classic FW and other security systems. When integrated into a single complex, their number and capabilities can vary, but most often UTM includes:
- FW;
- IPS - intrusion prevention system;
- DLP - means of analysing traffic for sensitive information;
- Anti-SPAM - a means of protecting email traffic from unwanted messages;
- VPN - a means of virtualising the network and providing secure data transmission tunnels.
UTM components were initially developed as stand-alone solutions. This approach can be compared to putting several pieces of armour on the body parts of a role-playing character representing the company. Such armour can be assembled, but its separate pieces have to fit together. In a UTM system the core is responsible for that integration, so mismatched elements can only be used by deploying several UTMs side by side, each with its own matching set. In practice, a single solution with its set of constraints is usually chosen for stability, or an ecosystem is built through connectors, e.g. using a SOAR platform.
Due to their multitasking, sequential data processing and aggregate hardware requirements, Gartner considers such systems suitable for companies with 100 to 1000 employees. To speed up processing and protection, it is recommended to use next-generation tools, which we will discuss next.
Next Generation FireWall, NGFW
NGFW (Next Generation Firewall) is a next-generation firewall that combines multiple protection capabilities operating in parallel. In addition to the combination of defences described above, NGFWs more often also include:
- AV - an anti-virus protection tool;
- Sandbox - a means of checking suspicious objects in an isolated sandbox.
NGFWs can also provide application-level traffic control. We've already covered this approach of protecting web applications with Web Application FireWall (WAF) in a separate blog post and audio podcast.
As mentioned earlier, the key difference with NGFW is the parallel execution of tasks, i.e. reducing the load and the time it takes to process a suspected incident. If we apply such a rule to our character, a next-generation firewall is not a set of individual items, but a rare artefact or companion that protects you and doesn't waste precious action points by operating completely independently.
Analysts at Gartner define NGFW as a solution that is effective for companies of large scale or under targeted mass attacks.
An example of how a comprehensive defence can work
Let's imagine an attack by a cunning but already well-studied monster - a phishing email.
Such an email can have a high level of charisma and attractiveness (a text that makes you click a button, respond to an offer and hand your data directly to the enemy). Charisma can be countered not only by your attentiveness (for example, use the tips from the article about cyber hygiene), but also by the pre-set anti-SPAM filters of the anti-SPAM engine, which receives millions of emails out of the 3,000,000,000,000 that are sent every day. If the filter succeeds, the email is stopped while the attacker is still sending it, or before it reaches your infrastructure.
But if something has gone wrong, other defences come into play:
1. FW - Firewall
By preconfiguring lists of IP addresses from which malicious email can be received, this tool can fend off damage. Think of it as the wisdom of your character, who has worked out in advance which damage types and threat sources they are immune to.
In a similar way, defences can be built using external analytics services (URLScan, WhoIsXML, etc.) that can be integrated into your incident handling process using SOAR: individual email elements and links are sent via API to an external system, where they are validated and return the result in the form of a description and potential threat rating.
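The two checks just described, a sender IP list applied firewall-style and an external reputation lookup of the links in the message, can be combined into one enrichment step of the kind a SOAR playbook runs. The following is an added example written for this article, not code from Security Vision or from URLScan, WhoIsXML or any other service: the sample email, the blocked range and the reputation verdicts are all constructed, and `lookup_reputation` is a stand-in for the API call a real connector would make to the external service.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample message (not real traffic). The IP is from a
# documentation range and the domains are reserved example names.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
From: "Payroll" <payroll@example.net>
To: user@example.org
Subject: Action required: confirm your account
Content-Type: text/plain

Please confirm your details at http://login.example.net/confirm?id=42
or read the FAQ at http://example.com/help .
"""

# FW-style block list of sender ranges (constructed).
BLOCKED_SENDERS = [ip_network("203.0.113.0/24")]

# Stand-in for an external analytics service. A real SOAR connector would
# send the host/URL via the service's API and parse its response; these
# verdicts and scores are constructed for the example.
FAKE_REPUTATION: Dict[str, Tuple[str, int]] = {
    "login.example.net": ("malicious", 90),
    "example.com": ("benign", 5),
}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL = re.compile(r"https?://[^\s<>\"']+")


def sender_ip(raw: str) -> Optional[str]:
    """Take the connecting IP from the first Received header."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP.search(hdr)
        if m:
            return m.group(1)
    return None


def extract_urls(raw: str) -> List[str]:
    """Pull every http(s) link out of a plain-text body."""
    return URL.findall(message_from_string(raw).get_payload())


def hostname(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def lookup_reputation(host: str, service=FAKE_REPUTATION) -> Tuple[str, int]:
    """Placeholder for the external API call; unknown hosts score 0."""
    return service.get(host, ("unknown", 0))


def analyse(raw: str) -> dict:
    """Enrich one email: sender list check plus per-link reputation."""
    ip = sender_ip(raw)
    ip_blocked = ip is not None and any(ip_address(ip) in n for n in BLOCKED_SENDERS)
    findings = []
    for u in extract_urls(raw):
        verdict, score = lookup_reputation(hostname(u))
        findings.append({"url": u, "host": hostname(u), "verdict": verdict, "score": score})
    top = max((f["score"] for f in findings), default=0)
    if ip_blocked or top >= 70:
        decision = "block"
    elif top >= 30:
        decision = "quarantine"
    else:
        decision = "deliver"
    return {"sender_ip": ip, "sender_blocked": ip_blocked,
            "urls": findings, "score": top, "decision": decision}


if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

The thresholds (70 for block, 30 for quarantine) are constructed policy values; the point of returning the full finding list rather than only the verdict is that the analyst handling the incident can see which element, the sender address or a specific link, produced the rating.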
2. AV - antivirus
The antivirus module will be able to check the colourful pictures of the email and other attachments for possible malware. Think of it as a dexterity check where you can parry the attack and avoid damage.
As in the previous point, if the antivirus engine is not included in the solution you are using, or if you want to connect additional services (VirusTotal, for example), you can do so with a third-party connector.
3. Sandbox
There are also ways to check files in a safe, isolated environment called a sandbox. If such a module is used, potential malware will indeed run, but it will not do any harm. Think of it as casting an illusion spell: the enemy attacks a decoy rather than your character and therefore cannot deal damage.
Such a sandbox variant as web isolation deserves a separate description: when an email is actually opened in a separate window (as a picture, for example) and is deprived of its clickable links.
4. IPS - Intrusion Prevention
Such a tool does not just monitor possible attacks, but also triggers defence processes in case of suspicious activities. Think of it as your counterattack or blocking damage with a shield.
If you do decide to respond to a message by mistake, ignorance or insufficient protection, the additional analysis tool included in the kit can be activated:
5. DLP - leak protection
This analysis tool checks already outgoing traffic for personal data or other information important to you or the company, blocking the sending if necessary. An attacker then still cannot obtain anything useful from you. Think of it as a chance to take control of the dialogue with the offending NPC, undo the wrong decision and successfully close the current quest.
In this way, you can apply various defences that exist separately or form part of a single UTM or NGFW gateway, where all actions and checks are performed automatically and in parallel.
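The DLP step, checking an outgoing reply for data that should not leave the company and blocking it, is the easiest layer to show in code. Below is an added example written for this article, not Security Vision's or any DLP product's code. It assumes a simple policy (constructed here): payment card numbers are only reported when they pass the Luhn check, so order numbers and similar digit strings are not flagged; a card number or a password in the text blocks the message, a bare email address only marks it for review, and card numbers are masked in the copy kept for the incident record.

```python
import re
from typing import Dict, List, Tuple

# Constructed detectors for data that should not leave the company.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
PASSWORD_RE = re.compile(r"(?i)\bpassword\s*[:=]\s*(\S+)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for valid payment card numbers (e.g. 4111111111111111)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) pairs for every hit in the text."""
    hits = []
    for m in EMAIL_RE.finditer(text):
        hits.append(("email", m.group()))
    for m in CARD_RE.finditer(text):
        candidate = m.group().strip()
        if luhn_ok(re.sub(r"\D", "", candidate)):
            hits.append(("card", candidate))
    for m in PASSWORD_RE.finditer(text):
        hits.append(("password", m.group(1)))
    return hits


def redact(text: str, hits: List[Tuple[str, str]]) -> str:
    """Mask card numbers and passwords in the copy kept for the incident record."""
    for kind, value in hits:
        if kind == "card":
            text = text.replace(value, "**** **** **** " + re.sub(r"\D", "", value)[-4:])
        elif kind == "password":
            text = text.replace(value, "********")
    return text


def inspect_outgoing(text: str) -> Dict[str, object]:
    """Decide whether an outgoing message may be sent under the constructed policy."""
    hits = find_sensitive(text)
    kinds = {k for k, _ in hits}
    if "card" in kinds or "password" in kinds:
        decision = "block"
    elif "email" in kinds:
        decision = "review"
    else:
        decision = "allow"
    return {"decision": decision, "hits": hits, "redacted": redact(text, hits)}


# Constructed reply to a phishing email; 4111 1111 1111 1111 is a well-known
# test card number, and 1234 5678 9012 3456 is a digit string that fails Luhn.
SAMPLE_REPLY = (
    "Hi, as requested my card is 4111 1111 1111 1111, exp 12/27, "
    "password: Winter2024! Order ref 1234 5678 9012 3456. Regards, user@example.org"
)

if __name__ == "__main__":
    result = inspect_outgoing(SAMPLE_REPLY)
    print(result["decision"])
    for kind, value in result["hits"]:
        print(kind, "->", value)
    print(result["redacted"])
```

The Luhn check is what keeps the false-positive rate tolerable: any 13 to 19 digit run with spaces or dashes looks like a card number to a regular expression, and a DLP rule that blocks every such run will block invoices and order confirmations as well.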