How next-generation firewalls boost protection


Daniel Ayoub from Dell’s SonicWALL team cleverly used condiment packets to illustrate how next-generation firewalls can group and control different types of data packets. Credit: Dell

Verizon unearthed a startling statistic in its latest data breach investigations report — it said that 69 percent of security breaches are discovered by outside parties who then notify the victim organization.

Daniel Ayoub, a member of Dell’s SonicWALL team, used this figure in an online presentation on network security last week to describe the current state of affairs in the IT world. The implications of unnoticed attacks, he said, include the theft of intellectual property and some degree of embarrassment for having to rely on outsiders — sometimes customers — for network insight.

“You do not want to suffer a bad breach and be notified about it by an outside organization,” he said.

Traditional firewalls pose risks

His main point was to illustrate the challenges faced by organizations that use traditional firewalls, which remain widely deployed.

A cornerstone of the traditional firewall is stateful packet inspection, which monitors active connections and determines which network packets to allow through the firewall. Other safeguards include access control rules and IPsec VPN tunnels. But Ayoub argues that all three of these technologies can only see what’s happening on the surface of the network.

A new generation

Modern protection, however, means obtaining a deeper level of understanding, insight that next-generation firewalls can provide, Ayoub said. Next-gen firewalls include all of the protections offered by traditional firewalls while incorporating the latest technologies. These include the following pillars:

SSL decryption and inspection: SSL-based attacks are a common means of intrusion that become more prevalent during major news events — when a hunger for details drives people to the web. Ayoub cited an SSL attack during the Boston Marathon bombings in April that embedded malware in a Word file containing a prayer for the victims. Once the malware is embedded, it opens a line of communication with the base of the attack. “If you’re not inspecting SSL traffic, you’re not going to be able to know that command and control traffic that’s going back and forth,” Ayoub warned.

IPS with anti-evasion technology: Evasions enable hackers to use coding mechanisms that make attacks undetectable to the IPS. Modern IPSs, however, offer better visibility and can spot this kind of traffic that would otherwise go unnoticed. A 2013 study by security consultant Mandiant found that the typical advanced attack goes unnoticed for nearly eight months.

Network-based malware protection: Firewalls with this level of protection have the ability to cross-reference files against a cloud-based database containing details of millions of variants of malware to identify those that may pose a risk. Next-gen firewalls are designed to cancel downloads within seconds of a match being made, preventing malware from getting onto the network.

Application visibility and control: This feature allows network administrators to see not only what applications are in use, but also how they’re being used. These details can help organizations set network policies that reserve enough bandwidth for critical applications and forbid risky activities, such as peer-to-peer file sharing.
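As an added illustration (not from the article or from Dell’s product), the Python sketch below contrasts the header-only stateful inspection described earlier with a layer that also inspects the decrypted payload, which is what lets the second catch the command-and-control beacon the first waves through. The packet format, addresses and beacon signature are constructed for the example.

```python
# Added illustration (not from the article or any vendor): a toy stateful packet
# filter beside a payload-inspecting layer, run over constructed sample traffic.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # True on the first packet of a new connection
    payload: bytes = b""    # application data, assumed already decrypted

INTERNAL = "10.0.0."        # constructed internal network prefix

class StatefulFilter:
    """Traditional stateful inspection: headers and connection state only."""
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.established = set()    # tracked (src, sport, dst, dport) flows

    def inspect(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.established or reverse in self.established:
            return "allow"          # belongs to a known connection, payload unseen
        if p.syn and p.src.startswith(INTERNAL) and p.dport in self.allowed_ports:
            self.established.add(flow)  # new outbound connection to a permitted port
            return "allow"
        return "drop"               # unsolicited inbound or disallowed port
C2_SIGNATURES = (b"BEACON id=",)    # constructed beacon string of a hypothetical C2
class NextGenFilter(StatefulFilter):
    """Same state tracking, plus inspection of the decrypted payload."""
    def inspect(self, p):
        verdict = super().inspect(p)
        if verdict == "allow" and any(s in p.payload for s in C2_SIGNATURES):
            return "block:c2-signature"
        return verdict

def run(firewall, packets):
    return [firewall.inspect(p) for p in packets]

# Constructed traffic: HTTPS session from an internal host, a beacon inside it, then an unsolicited SSH probe.
SAMPLE = [
    Packet("10.0.0.5", 51000, "203.0.113.9", 443, syn=True),
    Packet("203.0.113.9", 443, "10.0.0.5", 51000, payload=b"server hello"),
    Packet("10.0.0.5", 51000, "203.0.113.9", 443, payload=b"BEACON id=7 tasks?"),
    Packet("198.51.100.4", 40000, "10.0.0.5", 22, syn=True),
]
```

Running `run(StatefulFilter([443]), SAMPLE)` allows the beacon because it rides an established session, while `run(NextGenFilter([443]), SAMPLE)` blocks that same packet on its payload.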

Nick Clunn
Nick Clunn is a journalist covering the tech beat and an adjunct professor at Montclair State University. He lives in New Jersey, where he had worked as a staff writer for several leading daily newspapers and websites.