Defense-in-Depth

During the last several years, we have seen a major increase in risk driven by changes in our clients' objectives for leveraging information technology, in the information technology itself, in the types of threats that new technology creates, in compliance requirements, and of course by the severe economic recession.

The traditional approaches to network and host security, log management and security information and event correlation simply do not address these new risks.

This has driven Cymbel to rethink our security/compliance strategy and to develop a new approach to defense-in-depth focused on users, applications, and data.

Network Security – Next Generation Firewall

Traditional firewalls and the separate, complementary firewall helpers deployed alongside them (Intrusion Prevention, URL Filtering, and Proxy Systems) are too expensive, too complicated, and simply do not sufficiently reduce today's risks created by social networking, SaaS collaboration services, and the hundreds of other Internet-based applications and services people are using.

Users simply visiting web sites or using social networking or collaboration applications are exposed to attacks such as keyloggers and spyware, backdoor or command-and-control traffic, and SQL injection. Together these represent over 50% of the Threat Action Types that cause breaches of credit card information, personal information, trade secrets, and other intellectual property.

Gartner and Forrester are both using the term “next-generation” firewall to describe a network security solution. Here is Gartner’s description of a Next-Generation Firewall:

To meet the current and coming generation of network security threats, Gartner believes firewalls need to evolve yet again to what we have been calling "next-generation firewalls" (see "Toolkit: Evaluating Information Security Budgets, 2007 Update"). For example, threats using botnet delivery methods (see "Case Study: Early Detection of PCs That Have Been Compromised via Botnet Clients") have largely been invisible to first-generation firewalls.

As service-oriented architectures and Web 2.0 grow in use, more communication is going through fewer ports (such as HTTP and HTTPS) and via fewer protocols, meaning port/protocol-based policy has become less relevant and less effective. Deep packet inspection intrusion prevention systems (IPSs) do inspect for known attack methods against operating systems and software that are missing patches, but cannot effectively identify and block the misuse of applications, let alone specific features within applications.

Gartner has long used the term "next-generation firewall" to describe the next stage of evolution to deal with these issues. Gartner defines a network firewall as an in-line security control that implements network security policy between networks of different trust levels in real time. Gartner uses the term "next generation firewall" to indicate the necessary evolution of a firewall to deal with changes in both the way business processes use IT and the ways attacks try to compromise business systems.

As a minimum, an NGFW will have the following attributes:

  • Support in-line bump-in-the-wire configuration without disrupting network operations.
  • Act as a platform for network traffic inspection and network security policy enforcement, with the following minimum features:
    • Standard first-generation firewall capabilities: Use packet filtering, network address translation (NAT), stateful protocol inspection, VPN capabilities and so on.
    • Integrated rather than merely colocated network intrusion prevention: Support vulnerability-facing signatures and threat-facing signatures. The IPS interaction with the firewall should be greater than the sum of the parts, such as providing a suggested firewall rule to block an address that is continually loading the IPS with bad traffic. This exemplifies that, in the NGFW, it is the firewall that correlates, rather than the operator having to derive and implement solutions across consoles. Having high quality in the integrated IPS engine and signatures is a primary characteristic. Integration can include features such as providing suggested blocking at the firewall based on IPS inspection of sites only providing malware.
    • Application awareness and full stack visibility: Identify applications and enforce network security policy at the application layer independent of port and protocol versus only ports, protocols and services. Examples include the ability to allow Skype use but disable file sharing within Skype or to always block GoToMyPC.
    • Extrafirewall intelligence: Bring information from sources outside the firewall to make improved blocking decisions, or have an optimized blocking rule base. Examples include using directory integration to tie blocking to user identity, or having blacklists and whitelists of addresses.
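The following Python script is an added illustration, not code from Cymbel, Gartner, or any firewall vendor. It models the two points the quoted text makes: why a port/protocol rule base says nothing when every application rides on TCP/443, and what an application-aware policy with directory-based identity, an external address blacklist, and IPS-to-firewall feedback adds. All flows, users, groups, IPS alerts, and addresses are constructed sample data; the application label on each flow stands in for the output of a traffic classifier that a real NGFW would supply and that is not modelled here.

```python
"""Toy policy engine contrasting a port-based firewall with an application-aware
one, plus the "suggested firewall rule" feedback loop from an integrated IPS.

Everything below is constructed sample data for illustration only. In a real
NGFW the `app` and `feature` labels come from traffic content inspection.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str                    # "tcp" or "udp"
    app: str                         # assumed output of an application classifier
    feature: Optional[str] = None    # sub-feature within the app, e.g. "file-transfer"
    user: Optional[str] = None       # identity via directory integration, None if unknown


# Constructed sample traffic: all but DNS and IRC use TCP/443, so the port alone
# cannot distinguish browsing from Skype, GoToMyPC, or a SaaS application.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 443, "tcp", "web-browsing", user="alice"),
    Flow("10.0.0.5", "198.51.100.20", 443, "tcp", "skype", user="alice"),
    Flow("10.0.0.6", "198.51.100.20", 443, "tcp", "skype", feature="file-transfer", user="bob"),
    Flow("10.0.0.6", "198.51.100.30", 443, "tcp", "gotomypc", user="bob"),
    Flow("10.0.0.7", "198.51.100.40", 443, "tcp", "salesforce", user="alice"),
    Flow("10.0.0.7", "198.51.100.40", 443, "tcp", "salesforce", user="bob"),
    Flow("10.0.0.8", "203.0.113.7", 443, "tcp", "web-browsing", user="alice"),
    Flow("10.0.0.8", "198.51.100.53", 53, "udp", "dns"),
    Flow("10.0.0.9", "198.51.100.99", 6667, "tcp", "irc", user="bob"),
]

ALLOWED_PORTS = {(80, "tcp"), (443, "tcp"), (53, "udp")}


def port_policy(flow: Flow) -> str:
    """First-generation rule: allow or deny by destination port and protocol only."""
    return "allow" if (flow.dst_port, flow.protocol) in ALLOWED_PORTS else "deny"


# Constructed "extrafirewall intelligence": a directory lookup (user -> group)
# and an externally supplied blacklist of destination addresses.
DIRECTORY = {"alice": "sales", "bob": "engineering"}
BLACKLIST = {"203.0.113.7"}

# Application rules as (app, feature, group, action); first match wins and
# None acts as a wildcard for feature or group.
APP_RULES = [
    ("gotomypc", None, None, "deny"),           # always block the remote-access service
    ("skype", "file-transfer", None, "deny"),   # allow Skype but not file sharing within it
    ("skype", None, None, "allow"),
    ("salesforce", None, "sales", "allow"),     # tie access to user identity (sales group)
    ("web-browsing", None, None, "allow"),
    ("dns", None, None, "allow"),
]


def app_policy(flow: Flow) -> str:
    """NGFW rule: decide on identified application, feature, identity and blacklist."""
    if flow.dst_ip in BLACKLIST:
        return "deny"
    group = DIRECTORY.get(flow.user)
    for app, feature, grp, action in APP_RULES:
        if app != flow.app:
            continue
        if feature is not None and feature != flow.feature:
            continue
        if grp is not None and grp != group:
            continue
        return action
    return "deny"  # default deny: unidentified or unlisted applications are not allowed


def compare(flows):
    """Return (app, feature, user, port_decision, app_decision) for each flow."""
    return [(f.app, f.feature, f.user, port_policy(f), app_policy(f)) for f in flows]


def suggest_block_rules(ips_events, threshold=3):
    """Integrated IPS: propose firewall rules for sources that keep tripping signatures."""
    hits = Counter(src for src, _signature in ips_events)
    return sorted(f"deny from {src} to any" for src, n in hits.items() if n >= threshold)


# Constructed IPS alert stream as (source address, signature name).
SAMPLE_IPS_EVENTS = [
    ("192.0.2.44", "sqli-signature"), ("192.0.2.44", "sqli-signature"),
    ("192.0.2.44", "sqli-signature"), ("192.0.2.44", "traversal-signature"),
    ("192.0.2.80", "traversal-signature"),
]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print(row)
    print(suggest_block_rules(SAMPLE_IPS_EVENTS))
```

Running the script shows the port-based policy allowing eight of the nine flows (everything on 443 and 53 looks the same to it), while the application-aware policy denies Skype file transfer, GoToMyPC, Salesforce for a user outside the sales group, and the blacklisted destination, and the IPS feedback proposes a drop rule only for the source that exceeded the alert threshold.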

©2000-2010 Cymbel Corporation, 154 Wells Avenue, Newton MA 02459