Page 1: January 1 2015 - j2aztech.com

Modern Network Security: Study Guide for NSE 1 2015

1

Modern Network Security:

Study Guide for NSE 1

January 1, 2015

This Study Guide is designed to provide information for the Fortinet Network Security Expert Program – Level 1 curriculum. Each chapter in the study guide corresponds to a module in the NSE Level 1 curriculum and examinations. The study guide presents discussions on the concepts and equipment necessary as a foundational understanding of modern network security prior to taking the more advanced and focused NSE program levels.

Fortinet Network Security Solutions


Introduction ............................................................................................................................................ 8

Infrastructure Evolution ....................................................................................................................... 9

Threat Landscape .............................................................................................................................. 10

Threat Timeline ............................................................................................................................. 11

Advanced Threats .......................................................................................................................... 11

Advanced Threats and Network Security: Continuing Evolution ......................................................... 12

Module 1: Data Center Firewalls ............................................................................................................ 13

Data Center Evolution........................................................................................................................ 13

Market Trends Affecting Data Centers ............................................................................................... 13

Infrastructure Integration .............................................................................................................. 14

Edge vs. Core Data Center Firewalls ............................................................................................... 14

Data Center Firewall Characteristics .................................................................................................. 16

Virtual Firewalls ............................................................................................................................. 19

Data Center Network Services ........................................................................................................... 21

Application Systems ....................................................................................................................... 21

Application Services ....................................................................................................................... 22

Summary ........................................................................................................................................... 24

Module 2: Next Generation Firewall (NGFW) ......................................................................................... 25

Technology Trends ............................................................................................................................ 25

NGFW Characteristics: Fundamental Changes .................................................................................... 26

NGFW Evolution ............................................................................................................................ 27

Traditional NGFW Capabilities ........................................................................................................... 28

NGFW Functions ............................................................................................................................ 32

Extended NGFW Capabilities ............................................................................................................. 33

Sandboxes and APT ........................................................................................................................ 36

Advanced Persistent Threats (APT) ................................................................................................ 37

Advanced Threat Protection (ATP) ..................................................................................................... 38

NGFW Deployment ............................................................................................................................ 38

Edge vs. Core ................................................................................................................................. 38

NGFW vs. Extended NGFW ............................................................................................................ 39


Summary ........................................................................................................................................... 40

Module 3: Unified Threat Management (UTM) ...................................................................................... 41

The Key to UTM: Consolidation ...................................................................................................... 41

UTM Features .................................................................................................................................... 41

UTM Distributed Enterprise Advanced Features ............................................................................. 43

Extended UTM Features .................................................................................................................... 44

Evolving UTM Features .................................................................................................................. 45

UTM Functions .................................................................................................................................. 47

Where UTM Fits In… .......................................................................................................................... 48

UTM: Scalable Deployment ............................................................................................................ 49

Summary ........................................................................................................................................... 50

Module 4: Application Security .............................................................................................................. 51

Application Challenges to Meeting User Needs .................................................................................. 51

Application Layers: The OSI Model ................................................................................................. 52

Application Vulnerabilities ................................................................................................................. 53

OWASP .......................................................................................................................................... 53

Distributed Denial of Service (DDoS) .................................................................................................. 55

Application Security Solutions............................................................................................................ 58

Application Delivery Controllers (ADC) ........................................................................................... 58

Application Delivery Network (ADN) .............................................................................................. 59

ADC: Solutions and Benefits Part I...................................................................................................... 60

Web Application Firewall (WAF) Characteristics ................................................................................. 61

Heuristics ....................................................................................................................................... 62

WAFs and PCI DSS Compliance ....................................................................................................... 63

ADC: Solutions and Benefits Part II..................................................................................................... 64

Summary ........................................................................................................................................... 66

Module 5: Management and Analytics .................................................................................................. 67

Security Management ....................................................................................................................... 67

Managing the Security Console ...................................................................................................... 69

Policy and Security............................................................................................................................. 70

Analytics ............................................................................................................................................ 73


Security Information and Event Management ................................................................................ 73

Network Visibility .......................................................................................................................... 74

Summary ........................................................................................................................................... 76

Key Acronyms ........................................................................................................................................ 77

References ............................................................................................................................................ 79


Figure 1. From closed networks to Global Information Grid ..................................................................... 9

Figure 2. The scope of modern global network users. .............................................................................. 9

Figure 3. Fortinet UTM versus traditional ad hoc model......................................................................... 10

Figure 4. Chronology of major network attacks since October 2013. .................................................... 11

Figure 5. Advanced Threat Protection (ATP)........................................................................................... 11

Figure 6. Notional edge firewall configuration. ...................................................................................... 15

Figure 7. Notional data center firewall deployment. .............................................................................. 15

Figure 8. Data center firewall adaptability to evolving capabilities. ........................................................ 16

Figure 9. Data center in a distributed enterprise network. ..................................................................... 17

Figure 10. Data center core firewall. ...................................................................................................... 19

Figure 11. North-South (Physical) vs. East-West (Virtual) traffic. ............................................................ 20

Figure 12. Notional network. ................................................................................................................. 22

Figure 13. Differences between IaaS, PaaS, and SaaS. ............................................................................ 23

Figure 14. Examples of businesses using IaaS, PaaS, and SaaS cloud models. ......................................... 24

Figure 15. Bring Your Own Device (BYOD) practices in 2011. .................................................................. 26

Figure 16. Edge firewall vs. NGFW traffic visibility. ................................................................................. 26

Figure 17. Traditional port configuration example. ................................................................................ 27

Figure 18. NGFW configuration example by application, user ID. ........................................................... 27

Figure 19. NGFW evolution timeline. ..................................................................................................... 28

Figure 20. Intrusion Prevention System (IPS).......................................................................................... 28

Figure 21. Deep Packet Inspection (DPI)................................................................................................. 29

Figure 22. Network application identification and control. ..................................................................... 29

Figure 23. Access enforcement (User identity). ...................................................................................... 30

Figure 24. NGFW distributed enterprise-level capability. ....................................................................... 30

Figure 25. Extra-firewall intelligence IP list assignment. ......................................................................... 31

Figure 26. Notional network with managed security (MSSP). ................................................................. 31

Figure 27. Application awareness: The NGFW application monitoring feature. ...................................... 32

Figure 28. Extending FortiGate NGFW with Advanced Threat Protection (ATP). ..................................... 33

Figure 29. Authentication functions integrated into NGFW. ................................................................... 34

Figure 30. Web filtering profile control. ................................................................................................. 35

Figure 31. FortiGate antivirus/malware. ................................................................................................ 35

Figure 32. FortiGuard Anti-botnet protection. ....................................................................................... 36


Figure 33. FortiGate Web filtering capability. ......................................................................................... 36

Figure 34. Sandbox deployed with NGFW Solution. ............................................................................... 37

Figure 35. The NGFW three-step approach to APT. ................................................................................ 37

Figure 36. Fortinet Advanced Threat Protection (ATP) model................................................................. 38

Figure 37. NGFW deployment to edge network ..................................................................................... 39

Figure 38. Current NGFW vs. Extended NGFW capabilities. .................................................................... 39

Figure 39. Legacy network security add-ons vs. UTM architecture ......................................................... 41

Figure 40. Unified Threat Management (UTM)....................................................................................... 42

Figure 41. LAN control. .......................................................................................................................... 45

Figure 42. Typical Power over Ethernet (POE) cable configuration. ........................................................ 46

Figure 43. UTM scalability. ..................................................................................................................... 48

Figure 44. Fortinet’s concept of “Connected UTM.” ............................................................................... 50

Figure 45. DDoS architecture. ................................................................................................................ 56

Figure 46. SYN Flood DDoS attack. ......................................................................................................... 56

Figure 47. ICMP Flood DDoS attack. ....................................................................................................... 57

Figure 48. Zombie DDoS attack. ............................................................................................................. 57

Figure 49. Application Delivery Controller (ADC). ................................................................................... 58

Figure 50. Typical Application Delivery Network (ADN) infrastructure. ................................................... 59

Figure 51. Intelligent Load Balancing. .................................................................................................... 60

Figure 52. SSL offloading and HTTP compression. .................................................................................. 61

Figure 53. Web Application Firewall (WAF). ........................................................................................... 62

Figure 54. Global Server Load Balancing (GSLB). .................................................................................... 64

Figure 55. Server ID masking with ADC. ................................................................................................. 65

Figure 56. Security Management (SM) conceptual diagram ................................................................... 68

Figure 57. Integrated security control console ....................................................................................... 70

Figure 58. Policy Package example. ........................................................................................................ 71

Figure 59. Global Policy “Bookend” flow. ............................................................................................... 71

Figure 60. Network visibility benefits. .................................................................................................... 75


Table 1. Comparative security features of edge firewalls vs. NGFW. ...................................................... 27

Table 2. Comparison between flow-based and proxy-based inspections ................................................ 40

Table 3. Comparative models for layers, protocols, and devices............................................................. 51

Table 4. Translation of ISO/OSI layers to TCP/IP model. ......................................................................... 52

Table 5. Function of network layers in OSI model. ................................................................................. 52

Table 6. OWASP top 10 2010 vs. 2013 comparison. ............................................................................... 54

Table 7. Web Application Firewall (WAF) application-level security measures. ....................................... 62

Table 8: Payment Card Industry Data Security Standards (PCI DSS). ....................................................... 63


Introduction

Welcome to the fascinating world of network security…

…or, on second thought, should we be letting you in?

That is the question around which this primer was written—helping you learn the background, processes, capabilities, and questions to consider when configuring your systems and networks to help analyze, identify, and either allow or block traffic from entering or leaving your computer network in the dynamic 21st Century information technology environment. In other words—modern network security.
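The allow-or-block decision described above, carried through as a worked example. This is added here for illustration and is not part of the study guide or Fortinet's code, and it does not model any particular product: an ordered policy is evaluated first-match against each flow, and a flow that matches no rule falls through to an implicit default deny. The rule fields, the sample policy, the addresses (taken from the IETF documentation ranges) and the sample flows are all constructed.

```python
"""First-match firewall policy evaluation with an implicit default deny.

Added example for this study guide; not Fortinet code and not a model of any
specific product. Rule fields, the sample policy and the sample flows are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    direction: str            # "inbound" (entering the network) or "outbound" (leaving it)
    src: str                  # source IPv4 address
    dst: str                  # destination IPv4 address
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port; None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    direction: str            # "inbound", "outbound" or "any"
    src: str = "0.0.0.0/0"    # CIDR; the default matches every source
    dst: str = "0.0.0.0/0"    # CIDR; the default matches every destination
    proto: str = "any"
    dports: Tuple[int, ...] = ()   # () matches any port; (lo, hi) is an inclusive range

    def matches(self, f: Flow) -> bool:
        """True when every populated field of the rule matches the flow."""
        if self.direction != "any" and self.direction != f.direction:
            return False
        if ip_address(f.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(f.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto != "any" and self.proto != f.proto:
            return False
        if self.dports:
            lo, hi = self.dports
            if f.dport is None or not (lo <= f.dport <= hi):
                return False
        return True


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule_name). The first matching rule wins; no match means deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


# Constructed sample policy, ordered most specific first: the deny for a
# blocked source range must precede the broader allow it would otherwise lose to.
POLICY = [
    Rule("deny-blocked-src", "deny", "inbound", src="203.0.113.0/24"),
    Rule("allow-https-to-dmz", "allow", "inbound", dst="192.0.2.0/24", proto="tcp", dports=(443, 443)),
    Rule("allow-dns-out", "allow", "outbound", src="10.0.0.0/8", proto="udp", dports=(53, 53)),
    Rule("allow-web-out", "allow", "outbound", src="10.0.0.0/8", proto="tcp", dports=(80, 443)),
]

# Constructed sample flows (documentation address ranges).
SAMPLE_FLOWS = [
    Flow("inbound", "198.51.100.7", "192.0.2.10", "tcp", 443),   # allowed by allow-https-to-dmz
    Flow("inbound", "203.0.113.9", "192.0.2.10", "tcp", 443),    # denied: blocked source wins by order
    Flow("inbound", "198.51.100.7", "192.0.2.10", "tcp", 22),    # no rule matches: implicit deny
    Flow("outbound", "10.1.2.3", "198.51.100.53", "udp", 53),    # allowed DNS
    Flow("outbound", "10.1.2.3", "198.51.100.53", "tcp", 8080),  # 8080 is outside 80-443: implicit deny
]


def evaluate_all(policy: List[Rule] = POLICY, flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[str, str]]:
    """Evaluate every sample flow against the policy, in order."""
    return [evaluate(policy, f) for f in flows]


if __name__ == "__main__":
    for f, (action, name) in zip(SAMPLE_FLOWS, evaluate_all()):
        print(f"{f.direction:8} {f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport}: {action} ({name})")
```

Two points the example makes concrete: rule order is part of the policy (swapping the first two rules would let the blocked source range in), and anything the policy does not explicitly allow is denied, so every permitted flow can be traced to a named rule.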

Modern network security comprises many facets, some of which are in your control and others of which may not be. In an increasingly mobile world, traditional network security measures focused on desktop platforms and “dumbphones” are no longer relevant to the world of tablets, phablets, and smartphones. Because of the constantly changing landscape of network environments, organizations of all sizes and complexities face challenges in keeping pace with change, developing counters to emerging threats, and controlling network and security policies. Once the realm of the highly trained and richly resourced, development of malicious code has become so widespread that school children have been known to compete with each other in hacking contests. To meet modern and emerging threats, companies and organizations must adopt dynamic network security programs that keep pace with changing trends and activities.

Back to the opening question: Should we be letting you in? People—or the man-machine interface—are the weakest link in any security process. People are easily lulled into a false sense of security about the effectiveness of passwords and access codes, identity verification, and policies regarding the use of information technology (IT) systems and networks. It takes just one careless moment to potentially breach the integrity of protected information and systems—and if network security user policies and protocols are too complicated, compliance is less likely. Because of this human factor it is important to ensure that network security schemes are clear and simple for network administrators and users to operate, with the complexity necessary to identify, deter, or contain threats embedded in state-of-the-art hardware and software solutions that are nearly transparent to internal network users.

But a note of caution—just as no two organizations are alike, neither will their networks, hardware, software, or needs be alike. Each organization needs a customized strategic network security program tailored to balance its needs against its operating environment, perceived threats, and operating budget. Of course, the best network security program would be an end-to-end, 24/7 monitored program with regular analytics informing plan effectiveness and potential enhancements—this would be the holy grail of network security. Systems like Fortinet’s Unified Threat Management (UTM) provide the ability to balance needs, capabilities, and resources to secure networks while maintaining the ability of the organization to operate. In essence, this book will help you learn how to take steps to best mitigate the threats to your network and optimize network security while balancing those factors.


Infrastructure Evolution

In a world growing ever more complex, with network portability being built into an increasing number of devices of varying capabilities, network security continues to evolve in complexity—and importance. In the 1980’s a transition from early closed networks to a broader Internet occurred, with the advent of Ethernet, Bitnet, TCP/IP, SMTP, DNS, and in 1985—the first .com domain name registration. It was not until six years later, in 1991, that the Worldwide Web (WWW) came into existence; by 1995, what we now know as the modern Internet became established as a fixture in how business—and the world—would communicate in the future (Figure 1).

Figure 1. From closed networks to Global Information Grid

No longer was high-tech the sole domain of major companies, organizations, and government agencies; the global information network became the domain of everyone from multi-billion dollar international conglomerates to grade school children (Figure 2). As technologies developed, the industry response was typically the addition of new stand-alone, single- or dual-purpose hardware or integrated hardware-software packages designed to address newly identified threats. This resulted in a constant state of expensive upgrades that added network complexity: integration of new devices, scrubbing and repurposing or disposing of legacy hardware, new policy development, and new management consoles. This served to increase workload, retraining, and complexity for network administrators and end users, exacerbating the balancing problem between security and productivity.

Figure 2. The scope of modern global network users.

Because new products were not always able to integrate fully into existing systems, the piecemeal approach to network development and security led to potential blind spots that threats may exploit undetected. In order to solve this growing challenge, a move toward more strategic solutions to network security was needed—not new stand-alone systems addressing individual threat vectors, but strategic systems and processes designed to protect networks comprised of systems-of-systems. From this problem developed the Unified Threat Management (UTM) concept, which goes beyond a system-of-systems approach to integrate individual system characteristics into strategic systems (Figure 3) [1].


Figure 3. Fortinet UTM versus traditional ad hoc model.

Threat Landscape

One may view the threat landscape much the same as law enforcement views threats, using three primary characteristics—motive, means, and opportunity. In terms of technology threats, these terms translate into motivation (motive), knowledge (means), and access (opportunity). Motivation may be as simple as a student trying to get into protected information or as malicious as a competitor trying to delay or disable a company’s ability to reach the market. Knowledge of networks—and hacking—is widespread, with books and guides available globally through the Internet and often at little or no cost. As for access, this is the area where the effectiveness of your network security will pay off—identifying potential threats, analyzing them, and either determining their validity or cataloging and rejecting them as a threat.

Contemporary and future threat landscapes are dynamic and often include unforeseen technological advances. Devices and applications are under development and appear on the market more rapidly—and with those new technologies come new threats. Not only companies and organizations, but individual users of less expensive technology such as smartphones, tablets, and laptop computers who are novices where information security is concerned, must deal with optimizing their devices and applications while blocking potential threats. With the explosion of social media as the primary source of connectivity for so many people internationally, addressing the hidden threats from social media sites is a continuing challenge…and more cross-platform sharing and integration will continue to make device and network security an evolving challenge at all levels.


Threat Timeline

Since the last quarter of 2013, major network attacks have affected large companies and billions of consumers. These attacks not only affected business systems, but also had the ability to infect personal systems and mobile devices, such as the Heartbleed and Find My iPhone attacks. Figure 4 below chronicles these threats and the targets affected by them.

Figure 4. Chronology of major network attacks since October 2013.

Advanced Threats

Experienced hackers or groups of hackers possessing significant resources pose an increased threat to systems and networks, including by developing and implementing techniques not previously used to compromise, gain control of, or shut down service. Advanced Threat Protection (ATP)—also referred to as Advanced Persistent Threat Protection—provides integrated measures to detect and block advanced threats. These measures include botnet and phishing antivirus profiling, as well as zero-day threat protection using sandboxing to analyze, identify, and block suspicious code and add the suspicious code profile to the ATP signature database.

Figure 5. Advanced Threat Protection (ATP).


Advanced Threats and Network Security: Continuing Evolution

The early days of personal computer availability to consumers and the advent of the Internet and Worldwide Web are behind us. These events were followed by parallel development of more powerful hardware appliances and more complex applications for those machines. Unfortunately, with those developments also came a thriving developmental path for malware and other methods by which to breach system and network security to obtain data from or deny use of targeted platforms. This Modern Network Security Primer presents current and future appliances, applications, and concepts to provide the options to keep pace with emerging capabilities and threats—and maintain the safety and security of your system and network.


Module 1: Data Center Firewalls

Data centers have become abundant in the increasingly technology-based business environment of the 21st Century. Because of this growth, data centers provide a new field for trends in computing and networking driving revisions to IT infrastructure strategies and, along with new strategies, new methods to bolster network security. Presented in this module are characteristics and functions of data center firewalls as they apply to networks and applications.

Data Center Evolution

A common notion in today’s business environment is that “No matter what business you are in, you are a technology business.” In the 21st Century, this is not only true of large businesses, but also applies to successful small and medium businesses (SMB). Modern data centers typically contain servers with a variety of purposes, including web, application, and database servers.

Along with growing use of technology came a need to not only develop more specialized applications but also develop innovative ways to store ever-increasing volumes of digital data. This growing storage requirement spurred a new sector in the technology operations—the Data Center. As new technologies for end users of computing platforms evolve, so must security measures for the data centers they will access for operations such as email, social media, banking, shopping, education, and myriad other purposes. Developing strategies to keep pace with the accelerating integrated and distributed nature of technology has become a critical industry in protecting personal, business, and organizational data and communications from legacy, advanced, and emerging threats.

Market Trends Affecting Data Centers

As mentioned previously, consumer trends influenced data center development; however, the business sector was also instrumental in spurring on this development. As technology evolved, businesses learned to step to the leading edge of innovation in order to get ahead—or stay ahead—of competing enterprises. To this end, changes in business practices that influenced data center development included:

Virtualization. Creating a virtual version of a device or resource, such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments.

Cloud Computing. Computing in which large groups of remote servers are networked to allow centralized data storage and online access to computer services or resources. Clouds can be classified as public, private or hybrid.

Software-Defined Networks (SDN). An approach to networking in which control is decoupled from hardware and given to a software application called a controller. It is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications.


BYOD. Refers to employees taking their own personal device to work, whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by the employee.

Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to process using traditional databases and software techniques. In many enterprise scenarios, the data is too big, moves too fast, or exceeds current processing capacity.

The Internet of Things (IoT). The once-future concept that everyday objects have the ability to connect to the Internet and identify themselves to other devices. IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself. When many objects act in unison, they are known as having “ambient intelligence.”

Infrastructure Integration

Meeting the challenge of data center growth while maintaining throughput capability requires the use of technology integration to reduce potential for signal loss and speed reduction because of bridging and security barriers between ad hoc arrangements of independent appliances. There are definitely two camps on what should be at the heart of a modern firewall, with two types of hybrid design being prevalent:

CPU + OTS ASIC. A design whereby a general-purpose central processing unit (CPU) is augmented by an off-the-shelf (OTS) processor.

CPU + Custom ASIC. The most difficult but best design, bringing together a general CPU linked closely to a number of custom-built application-specific integrated circuits (ASICs). By matching ASICs that are designed to handle the specific tasks for which the processor and device are intended, the ability to process data is enhanced and system performance is optimized.

On one side, there are vendors who want to use an off-the-shelf (OTS) central processing unit (CPU) design. This is the simplest design but suffers from performance degradation. On the other side are those advocating the use of hybrid designs, merging CPUs with application-specific integrated circuits (ASICs), which are more efficient and may provide the necessary infrastructure to meet the demand for throughput, growth, and security.

Edge vs. Core Data Center Firewalls

Edge Firewall. Implemented at the edge of a network in order to protect the network against potential attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall—the gatekeeper. In addition to gatekeeper duties, the edge firewall may have capabilities added as other security appliances are linked to the firewall. This method, however, leads to a complex architecture that results in complex network—and security—controls. A typical edge firewall is depicted in Figure 6.


Figure 6. Notional edge firewall configuration.

Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of functions. Depending on network size and configuration, the data center firewall may also provide additional security functions, such as segregating internal resources from access by malicious insiders, and ensuring compliance with regulations protecting consumer, patient, and other sensitive user data. These functions are referred to as Multi-Layered Security, and may include:

IP Security (IPSec)

Firewall

Intrusion Detection System/Intrusion Prevention System (IDS/IPS)

Antivirus/Antispyware

Web Filtering

Antispam

Traffic Shaping [2]

These functions work together, providing integrated security for the data center, concurrently providing consolidated, clear control for administrators while presenting complex barriers to potential threats. Figure 7 shows a notional data center firewall deployment, providing gatekeeper duty, integrated security solutions (as depicted in Figure 6, above), with simplified control and complex protection.

Figure 7. Notional data center firewall deployment.


Data Center Firewall Characteristics

As end user devices and activities evolve, data centers must evolve to ensure both service and security keep pace. Some market trends affecting data centers include increasing use of mobile devices, employee device portability (BYOD), data center consolidation through server virtualization, cloud computing, and software-defined networking.

The key benefit of a high-speed, high-throughput, low-latency data center network core firewall configuration is the ability to evolve as technology develops.

Throughput speeds have potential to double every 18 months

High-speed 40/100 GbE ports are already going into existing systems

External users moving from Internet Protocol version 4 (IPv4) to IPv6

Figure 8 illustrates how the data center firewall is adaptable to evolving technology and user trends.

Figure 8. Data center firewall adaptability to evolving capabilities.

Size Matters. Historically, a determining factor in network firewall selection included consideration based on the number of users—both internal and external—accessing the network or its components. Using data center firewalls in small and medium businesses (SMB) makes sense, because modern data center firewall systems provide higher throughput speeds, higher connectivity (port capacity), and a higher capacity for concurrent sessions.

As a business or organization grows and network access begins to grow into multiple locations and thousands of users, the option to consider using an enterprise campus firewall may become a necessary investment. While the capacity to handle thousands of users and multiple locations may be accomplished with enterprise firewalls, the trade-off is in the need for redundancy to ensure reliability—resulting in significantly higher costs and equipment complexity—and the need for extensive training if an organization intends to self-manage the enterprise firewall. Because of these complexities, enterprise data centers may reside on-premises at a company site, in a dedicated co-location space in a provider’s data center facility, or as an outsource service in a multi-tenant provider cloud environment.

Figure 9. Data center in a distributed enterprise network.

Because of the increasing size and complexity of data center operations and needs of external users—as well as the increased costs associated with enterprise firewall equipment and training needs—companies may decide to outsource data center security operations to a third party, or Managed Security Service Provider (MSSP). A growing market along with evolving technologies, MSSPs provide a wide range of network security services, from one-time services—such as configuring routers—to ongoing services such as network monitoring, upgrade, and configuration. This provides small and medium businesses (SMB) enhanced capabilities without having to increase technical staff, while providing large and high-visibility businesses with supplemental protection beyond their technical staff.

When deciding on whether to engage an MSSP for network security operations, a number of considerations must be taken into account. From the most basic perspective, the MSSP should align with your business and security philosophy. Will they sign a non-disclosure agreement, so details about your company’s security will be secure? The MSSP needs to be highly available to you, especially if you run 24/7 operations and reach a global audience (and who on the Internet doesn’t these days?). It is worth a visit to their facility to check out their operations and talk with staff. The MSSP’s service must be sustainable—what are their redundancy capabilities in case of primary system failures or disaster; what is the likelihood they may go out of business (the market is still maturing and the current failure rate is high). Identify clearly the level of serviceability you can expect from the MSSP—demand a strong service level agreement (SLA) spelling out all roles and responsibilities for both parties. These requirements are foundational to success with using an MSSP to manage data center security.

As cloud services and software-defined networks (SDNs) became prevalent, network functions virtualization (NFV) such as VMware NSX and Cisco ACI also began to take the place of physical devices, encapsulating appliances such as firewalls, load balancers, and switches as scalable virtual appliances within the same physical devices. The emergence of OpenFlow from behind the research lab walls and into mainstream management in cellular, TELCO, and data center operations has brought major network operators and manufacturers onboard in making OpenFlow the standard protocol for communications between controllers and network switches in the SDN—or virtual—environment. The OpenFlow protocol abstracts the network control plane from the data plane in order to program network traffic flows to be more dynamic and automated.

As virtualization and SDN deployment expanded, the practice became available for implementation by private individuals and organizations outside traditional boundaries of those with large amounts of available capital and resources. With broad availability of open-source software enabling low-cost network development, cloud computing has reached into the realm of private and personal clouds. One popular open-source platform for cloud computing is OpenStack, which provides capability to develop and manage private and public clouds, even providing compatibility with popular enterprise and open-source technologies for controlling large pools of data center computing, storage, and networking resources.

By designing and implementing network infrastructures combining high throughput with a dynamic software-defined network (SDN), the data center firewall provides the capability to evolve with consumer and industry trends. To accomplish this, data center firewalls must focus on three primary areas as foundations for security: performance, segmentation, and simplification.

Performance. As the need for network speeds to accelerate continues, the data center will be at the forefront of network design enabling higher performance through high-speed, high-capacity, and low-latency firewalls. Currently, the minimum required throughput of a data center firewall is 10 Gbps, with an expectation by large company data center users that throughput may be increased up to an aggregate 100+ Gbps. Similarly, enabling high throughput requires a minimum port size connectivity of 10 Gigabits for Ethernet ports on the data center firewall, with some capabilities already expanding in the 40-100 Gigabit range.

Segmentation. With the evolution of IT devices and evolving network threats, organizations using data centers have adopted network segmentation as a best practice to isolate critical data against potential threats. Common data isolation criteria include applications, user groups, regulatory requirements, business functions, trust levels, and locations. To support the use of network segmentation in network security schema, data center firewalls must provide high density and logical abstraction supporting both physical and virtual segmentation clouds. Benefits include keeping sensitive data partitioned from unauthorized access for security and compliance purposes, limiting lateral movement of advanced threats that gain initial footholds in the network, and ensuring employees and users have access to only the services and applications for which they are authorized.

Simplification. Because data centers extend to external users of varying trust levels, there is a need to extend a “Zero-Trust” model for data access beyond the traditional data center edge and into the segmentation throughout the network’s core. This requires a consolidated—simplified—security platform that can manage multiple functions while supporting high speed network operations. In order to further simplify data center firewall operations, integration of network routing and switching functions into firewall controls provides added centralized visibility and control to network functions and security monitoring. Consolidation may also be accomplished by putting multiple physical server workloads onto a shared physical host by using virtual machines on a hypervisor.

A good example of a data center core firewall that incorporates all the requirements of low latency, high throughput, and high performance is the FortiGate platform line. These firewalls include models that deliver over 100 Gbps performance with less than 5 µs latency (Figure 10).

Figure 10. Data center core firewall requirements.

One of the benefits to a data center network core firewall configuration as illustrated in Figure 10 is the ability to evolve as trends in technology develop. With an estimated potential for throughput speeds to double every 18 months, and adoption of high-speed network interfaces such as 40/100Gb Ethernet ports into existing architectures, data center firewalls will need to be ready for the challenge. With these developments, and as external users move from transmitting traffic using Internet Protocol version 4 (IPv4)—which currently carries over 95% of the world’s Internet traffic—to IPv6, firewalls such as the FortiGate line provide ability to keep pace and maintain data center service and security.

Virtual Firewalls

Traditional firewalls protect physical computer networks—those running on physical hardware and cabling. As such, the most effective means of security was and still is a physical, locked, fire door. This is also referred to as “North-South” traffic. Unlike physical machines and networks, virtual machines operate in a virtual environment, isolated on a host but acting as though they were an independent system or network. Even as a virtual reality, however, the network may be subject to threats and intrusion from external sources. Virtual traffic—that traffic moving laterally between servers without leaving the data center—is referred to as “East-West” traffic (Figure 11).


Today, 60-70% of traffic is E-W because of the trend in virtualization and consolidation – which is why virtual networks are of vital importance in the emergence of data centers and need for reliable and adaptable data center security in modern networks.

Virtual networks (VLANs) may be used to segment multiple subnets logically on the same physical switch—to secure data being transmitted between virtual machines in a virtual network, the virtual firewall was developed. A virtual firewall is simply a firewall service running entirely within the virtual environment, providing the typical packet filtering and monitoring that would be expected when using a physical device in a physical network. The virtual firewall may take a number of forms: it may be loaded as a traditional software firewall on the virtual host machine, it can be built into the virtual environment, it can be a virtual switch with additional capabilities, or it can be a managed kernel process within the host hypervisor for all virtual machine activity.

Figure 11. North-South (Physical) vs. East-West (Virtual) traffic.

Virtual firewalls may operate in one of two modes, depending how they are deployed, either bridge mode or hypervisor mode. A virtual firewall operating in bridge mode acts like a physical firewall, normally situated at an inter-network switch or bridge to intercept network traffic needing to travel over the bridge. In this way, the virtual firewall may decide to allow passage, drop, reject, forward, or mirror the packet. This was the standard for early virtual networks and some current networks still retain this model.

In hypervisor mode the virtual firewall is not actually part of the virtual network at all; rather, it resides in the host virtual machine—or hypervisor—in order to capture and analyze packets destined for the virtual network. Since virtual firewalls operating in hypervisor mode are not part of the virtual network in a virtual machine, they are able to run faster within the kernel at native hardware speeds. Examples of popular hypervisors on the market include VMware vSphere, Citrix Xen, and Microsoft Hyper-V.

As these developments in virtual capabilities occurred, they necessarily gave way to a new paradigm by which to consider the definition of the data center itself. Instead of the need for a traditional physical infrastructure that defines the data center—such as a building or a server room within a structure—what if the paradigm shifted to a data center that resided within a software-defined space? Because of continued evolution of virtual technology, this capability is a reality. The software-defined data center (SDDC) presents a paradigm that infrastructure such as servers, network, and storage can be logically and dynamically orchestrated without the need for adding or configuring new physical appliances or expanding into new facilities. Because of the virtual nature of these SDDCs, the emergence of on-demand data centers was enabled that provided benefits to small consumers and SMBs, such as pay-as-you-use infrastructure, delivery on demand without extended provisioning times, and no requirement for long-term obligations or contracts. In other words, the emergence of SDDCs provided new paths for economical flexibility in data center definition and operation.

In summary, the flexible deployment capability for data center firewalls provides for targeting of the threats identified as most important to the network or system. Deploying the firewall at the network edge is effective to block external intrusions from accessing the network. Deploying the firewall at the network core provides segmentation in the event that an external threat gains access to the network. At the virtual layer, the firewall is able to monitor traffic between virtual machines (VM).

Data Center Network Services

As technology evolved, more and more services moved from running as physically resident to virtual or cloud-based applications to reduce bottlenecks, increase throughput, and optimize data sharing, among other benefits. Data center traffic has increased because of factors such as the increased number of users depending on mobile applications to access data anytime and anyplace, businesses aggregating and storing increasing amounts of data to enable analytics, and increased use of SaaS cloud storage over local physical drive storage appliances. Because of these shifts, networks from distributed enterprises down to SMB and home businesses began to depend on virtual and cloud applications for remote and mobile capability. This led to a parallel focus on development of threats to the application layers of the Open Systems Interconnection (OSI) model, which will be discussed later in this book. The remainder of this module will focus on how the data center serves to facilitate the use of applications in the modern mobile, virtual and cloud-based technology environment.

Application Systems

Application systems typically consist of user interfaces, programming (logic), and databases. A user interface is the control or method by which the user interacts with the computer, system, or network, often consisting of screens, web pages, or input devices. Some application systems have non-visual interfaces that exchange data electronically with other systems in a network. Figure 12 illustrates a notional network.


Programming consists of the scripts or computer instructions used to validate data, perform calculations, or navigate users through application systems. Many large computers use more than one computer language to drive the system and connect with networks. This allows linking of systems performing specialized functions into a centrally-manageable network.

Figure 12. Notional network.

Databases are simply electronic repositories of data used to store information for the organization in a structured, searchable, and retrievable format. Most databases are configured to facilitate access for downloading, updating, and—when applicable—sharing with other authorized network users.

Computer systems are simply sets of components that are assembled into an integrated package. The heart of a computer system is the central processing unit (CPU), around which various other components such as data storage, drives, displays, memory, input devices, and other peripherals are built. Computer system components may vary in size and complexity and can be designed for single or multiple purposes.

Control is accomplished through user interfaces. The level of application control found in Next Generation Firewalls (NGFWs) is not generally necessary in a data center core firewall, primarily because of the lack of end-users running in the data center itself. Typically data center applications are accessed and used as cloud services or database information, rather than platforms for writing and execution of programming by external users.

Application Services

With increasing use of “the cloud” to enable mobile—even global—use of applications and access to organization databases, technology services designed to fulfill the needs of various industries from SMB to large international corporations developed. In today’s market—and the foreseeable future—cloud services continue to grow quickly. Integral to this broad range of services are three primary components: infrastructure (IaaS), platforms (PaaS), and software (SaaS) as services. The primary difference between models rests in responsibility tradeoffs between developer (user) and vendor (provider), as illustrated in Figure 13 [3].

Infrastructure as a Service (IaaS). This is the most basic of the three cloud service models. The service provider creates the infrastructure, which becomes a self-service platform for the user for accessing, monitoring, and managing remote data center services. The benefit to IaaS is that the user does not have to invest large amounts into infrastructure and ongoing upgrades and service, while retaining operational flexibility. The down side is that this model requires the user to have a higher degree of technical knowledge—or at least know or employ someone who does. Examples of businesses using the IaaS model appear in Figure 14.

Figure 13. Differences between IaaS, PaaS, and SaaS.

Platform as a Service (PaaS). The PaaS model provides an additional level of service to the user beyond the IaaS model. In this model, the provider not only builds the infrastructure, but also provides monitoring and maintenance services for the user. Users of PaaS cloud services have access to “middleware” to assist with application development, as well as inherent characteristics including scalability, high availability, multi-tenancy, SaaS enabling, and other features. This allows the user to focus on what is most important to their business—their application(s). In particular, businesses large or complex enough to employ an enterprise data center model benefit greatly from PaaS because it reduces the amount of coding necessary and automates business policy. Examples of businesses using the PaaS model appear in Figure 14.

Software as a Service (SaaS). The SaaS model represents the largest cloud market and continues to grow. This model takes the final step of bringing the actual software application into the set of functions managed by the provider, with the user having a client interface. Because the application resides in the cloud itself, most SaaS applications may be operated through a web browser without the need to download or install resident software on individual physical systems. This allows businesses to develop software and operational requirements, but to have those requirements written and fulfilled by a third party vendor—although such designs typically involve customization of pre-existing software applications, because SaaS does not provide the broad flexibility of software development options available in the PaaS model. Examples of businesses using the SaaS model appear in Figure 14 [4].

Figure 14. Examples of businesses using IaaS, PaaS, and SaaS cloud models.

The Shared Security Responsibility (SSR) Model. When using application services—“the cloud”—for applications and access to databases, these services come with a shared responsibility for security and operations split between the cloud provider and the cloud tenant. Depending upon which model is chosen for operations—IaaS, PaaS, or SaaS—your level of security responsibility changes in magnitude. Referring back to Figure 13, as you relinquish more control of operations and decision-making/configuration to the vendor/provider, such as with the SaaS model, your degree of security responsibility also declines. Conversely, if you decide to retain more management, such as in the IaaS model, your security responsibility increases in magnitude.

Summary

From an introduction to the current status of computer network options and configurations, to the challenges posed by evolving technologies and advanced threats, this module has prepared a foundation for more focused discussion on emerging threats and the development of network security technologies and processes designed to provide organizations with the tools necessary to defend best against those threats and continue uninterrupted, secure operations. The next module will focus on the Next Generation Firewall (NGFW), an evolving technology in network security.


Module 2: Next Generation Firewall (NGFW)

Just because you’re paranoid that hackers are trying to steal your data…
…doesn’t mean they’re not really out to get you!

Early firewalls acted much like a fire door in a building—if something bad was happening in the hallway, it protected what was in your room and other parts of the building. As personal computers became more affordable and digital portable devices became more widespread, system and network threats evolved as well, creating a need for protection technology able to evolve along with—or ahead of—advanced threats. Legacy firewalls operated on the basis of port access, using source/destination IP addresses or TCP/UDP port data to discern whether packets should be allowed to pass between networks or be blocked or rejected. Most firewall configurations allowed all traffic from trusted networks to pass through to untrusted networks, unless policy exceptions were implemented. In closed networks and the early days of the Internet, this was a viable option, but this predominantly static firewall configuration model no longer provides adequate protection against advanced and emerging system and network threats to large, distributed enterprise businesses and organizations having to serve customers, clients, and employees in an ever-evolving mobile environment.

Technology Trends

Trends in information technology development and employment over the last 15 years have led to a need to rethink the methodology behind modern network security. To further exacerbate this challenge, these trends occurred simultaneously across major industry, all levels of business, and personal consumer environments.

Consumerization of IT has resulted in IT-enabled devices—such as smartphones, digital music and video players, recorders, cameras, and others—becoming so commonplace in the market that their lower pricing resulted in an explosion of individual consumers acquiring technology-enabled devices for personal use. This extends beyond the obvious devices listed above. IT-enabled devices now include such appliances as refrigerator/freezers, home security systems, and personal home networks that include WiFi-enabled televisions, stereos, and even the automated “smart house.” In other words, what we have to be mindful of today is the Internet of Things (IoT) when we acquire devices and appliances.

Because consumers have embraced technology devices for both communication and information sharing, social media has been embraced at the business level as a way to reach consumer markets and supplement Web and traditional marketing and communication pathways. With so many applications—especially social media—being cloud based, the challenge of network security expands beyond the surface characteristics of traffic to its actual content.

With the proliferation of inexpensive, technology-enabled devices interacting with business networks—including both external users and those using personal devices for work purposes (Bring Your Own Device – BYOD)—the question becomes one of how to provide security, network visibility, control, and user visibility simultaneously without an exponential increase in required resources (Figure 15).


Figure 15. Bring Your Own Device (BYOD) practices in 2011.

NGFW Characteristics: Fundamental Changes

The primary benefit of NGFW is visibility and control of traffic entering the firewall ports. In legacy firewalls, ports were opened and closed, or protocols allowed or disallowed, without consideration beyond basic characteristics.

Figure 16. Edge firewall vs. NGFW traffic visibility.

With NGFW, administrators are provided finer granularity that provides deeper insight into the traffic attempting to access the network (Figure 16). This includes deeper visibility of users and devices, as well as the ability to allow or limit access based on specific applications and content rather than accepting or rejecting any traffic using a particular transmission protocol. This is the primary difference that separates traditional and next generation firewalls (NGFW).

With a traditional firewall, traffic is accepted based on the identification criteria of designated port and IP address. Conversely, with NGFW traffic is accepted based on user ID (not port) and both the IP address and traffic content. The diagrams in Figures 17 and 18 better illustrate the visibility and control capability provided when NGFW is integrated into the network security architecture, supplanting the legacy edge firewall.
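The contrast in this passage, as an added example that is not part of the study guide or any Fortinet product: a handful of constructed flows are evaluated first by a legacy port/address rule set and then by an NGFW-style rule set that also checks the authenticated user's group (the user-identity access enforcement described later in this module) and the identified application. Every address, user name, group and application label is made up; the application label is assumed to have been supplied by the firewall's application identification, which this block does not implement.

```python
"""Added example (not from the study guide or Fortinet): one set of constructed
flows evaluated by a legacy port/address policy and by an NGFW-style policy that
also keys on the identified application and the authenticated user's group."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    app: Optional[str] = None  # label assumed to come from application identification


# Constructed local identity store: user name and group memberships per source
# address, standing in for the list of names, IPs and directory groups the guide describes.
IDENTITY_BY_IP = {
    "10.0.1.15": ("alice", {"Finance", "Staff"}),
    "10.0.1.23": ("bob", {"Staff"}),
}

# Legacy edge-firewall rules: (src net, dst net, proto, dst port or None, action).
LEGACY_RULES = [
    ("10.0.1.0/24", "0.0.0.0/0", "tcp", 443, "allow"),     # any outbound "HTTPS"
    ("10.0.1.0/24", "10.0.5.0/24", "tcp", 1433, "allow"),  # office LAN to DB server
    ("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),       # default deny
]

# NGFW rules add the permitted applications and the required user group.
NGFW_RULES = [
    ("10.0.1.0/24", "0.0.0.0/0", 443, {"office365", "salesforce"}, "Staff"),
    ("10.0.1.0/24", "10.0.5.0/24", 1433, {"mssql"}, "Finance"),
]


def _in(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net)


def legacy_decision(flow: Flow) -> Tuple[str, str]:
    """Port/address matching only; the first matching rule wins."""
    for src, dst, proto, port, action in LEGACY_RULES:
        if (_in(flow.src_ip, src) and _in(flow.dst_ip, dst)
                and proto in ("any", flow.proto) and port in (None, flow.dst_port)):
            return action, f"matched {proto}/{port or 'any'} rule"
    return "deny", "no rule matched"


def ngfw_decision(flow: Flow) -> Tuple[str, str]:
    """Same addresses and port, plus user-group and application checks."""
    identity = IDENTITY_BY_IP.get(flow.src_ip)
    if identity is None:
        return "deny", "source address not mapped to an authenticated user"
    user, groups = identity
    for src, dst, port, apps, group in NGFW_RULES:
        if not (_in(flow.src_ip, src) and _in(flow.dst_ip, dst) and flow.dst_port == port):
            continue
        if group not in groups:
            return "deny", f"{user} is not a member of {group}"
        if flow.app not in apps:
            return "deny", f"application {flow.app!r} is not permitted on port {port}"
        return "allow", f"{user} in {group}, application {flow.app!r} permitted"
    return "deny", "no rule matched"


# Constructed flows: all four look identical to a port-based firewall.
FLOWS = [
    Flow("10.0.1.15", "203.0.113.10", "tcp", 443, app="office365"),       # sanctioned SaaS
    Flow("10.0.1.23", "203.0.113.20", "tcp", 443, app="p2p-filesharing"),  # unsanctioned app on 443
    Flow("10.0.1.23", "10.0.5.7", "tcp", 1433, app="mssql"),              # Staff user outside Finance
    Flow("10.0.1.99", "203.0.113.10", "tcp", 443, app="office365"),       # no identity for the source
]


def compare(flows=FLOWS):
    """Return (legacy action, NGFW action) for each flow."""
    return [(legacy_decision(f)[0], ngfw_decision(f)[0]) for f in flows]


if __name__ == "__main__":
    for flow, (old, new) in zip(FLOWS, compare()):
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port} {flow.app:16} legacy={old:5} ngfw={new}")
```

Only the first flow is allowed by both policies; the other three pass the legacy check because they use an open port, and are refused by the NGFW policy for three different reasons (unsanctioned application, wrong group, unidentified source). The NGFW function returns the reason alongside the verdict because that reason is what an administrator sees in the log and what makes the finer granularity usable.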


When comparing the granularity in how traditional and next generation firewalls assess data, note that in NGFW the ports are identified with the traffic flowing through them, as well as specific information about the user sending the traffic, the traffic origin, and the type (content) of traffic being received. This information goes beyond the basic link level and brings security into OSI levels 3 & 4 (application security capability).

Figure 17. Traditional port configuration example.

Figure 18. NGFW configuration example by application, user ID.

In addition to enhanced visibility over traffic, NGFW provides enhancements in both complex security protection and administrator control simplicity over traditional firewalls, as compared in Table 1.

Table 1. Comparative security features of edge firewalls vs. NGFW.

Edge Firewall                 | NGFW
Gatekeeper                    | Gatekeeper
ISO/OSI L4 Port Protocol      | Application-Centric (Content Flow) Protocol
Basic Security + Add-ons      | Integrated Security Solutions
Complex Architecture          | Integrated Architecture
Complex Control               | Simplified Control
Simple – Moderate Security    | Integrated Complex Security

NGFW Evolution

Next Generation Firewalls (NGFW) are an evolving technology offering high-performance protection against a wide range of advanced threats to applications, data, and users. Going beyond standard firewall protections, NGFW integrate multiple capabilities to combat advanced and emerging threats. These capabilities include an intrusion prevention system (IPS), deep packet scanning, network application identification and control, and access enforcement based on user identity verification. Emerging tools include Advanced Threat Protection (ATP) to mitigate multi-vector, persistent network or system attacks against large and distributed enterprise networks.


The concept of NGFW was first coined by Gartner in 2004 in their paper discussing the need to integrate IPS, coupled with Deep-Packet Inspection and general application-inspection capabilities, into firewalls [5]. In 2008, Gartner redefined NGFW as security devices including an enterprise-level firewall integrating IPS or Deep Packet Inspection, Application Identification, and “extra-firewall” intelligence (such as a Web Content Filter), while allowing for interoperability with third-party rule management technology [6]. In 2009, Gartner published a new definition of NGFW, defining the characteristics as including VPN, integrated IPS interoperability with firewall components, application awareness, and “extra-firewall” intelligence [7].

Figure 19. NGFW evolution timeline.

Traditional NGFW Capabilities

Traditional NGFW provides solutions against a wide range of advanced threats against applications, data, and users. Traditional enterprise network security solutions such as legacy firewalls and stand-alone intrusion detection/prevention systems (IPS) are no longer adequate to protect against today’s sophisticated attacks. In order to defend networks against the latest threats, NGFWs should include, at a minimum, the ability to identify and control applications running over a network, an integrated intrusion prevention system (IPS) with deep packet scanning capabilities, and the ability to verify a user or device’s identity and enforce access policies accordingly.

However, advanced threats require advanced protection. Some NGFW devices—such as the FortiGate line—include additional technologies that provide a real-time ranking of the security risk of devices on your network, and cloud-based threat detection and prevention. Traditional NGFW integrates multiple capabilities to combat emerging threats.

Figure 20. Intrusion Prevention System (IPS).

Intrusion Prevention System (IPS). Sometimes called integrated IDS/IPS. An IPS monitors the network and directs the firewall to allow or block traffic. An Intrusion Detection System (IDS) detects threats but does not direct the firewall to take action against identified threats or unknown traffic; IDS functionality is integrated into IPS technology. IPS has been used as part of edge-based protection as a firewall enhancement; however, it is more effective to tie it into network segregation, enabling protection against both internal and external attacks against critical servers [8].

Figure 21. Deep Packet Inspection (DPI).

Deep Packet Inspection (DPI). Examination of the payload or data portion of a network packet as it passes through a firewall or other security device. DPI identifies and classifies network traffic based on signatures in the payload [9], and examines packets for protocol errors, viruses, spam, intrusions, or policy violations.

Figure 22. Network application identification and control.

Network Application Identification & Control. Traditional firewall protection detects and restricts applications by port, protocol, and server IP address, and cannot detect malicious content or abnormal behavior in many web-based applications. Next Generation Firewall technology with Application Control allows you to identify and control applications on networks and endpoints regardless of the port, protocol, and IP address used. It gives you unmatched visibility and control over application traffic, even unknown applications from unknown sources, and inspects encrypted application traffic. Protocol decoders normalize and discover traffic from applications attempting to evade detection via obfuscation techniques. Following identification and decryption, application traffic is either blocked, or allowed and scanned for malicious payloads. In addition, application control protocol decoders detect and decrypt tunneled IPsec VPN and SSL VPN traffic prior to inspection, ensuring total network visibility. Application control even decrypts and inspects traffic using encrypted communications protocols, such as HTTPS, POP3S, SMTPS, and IMAPS.
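How the IPS/IDS, DPI and application control passages above fit together, as an added example that is not from the study guide or any vendor's code: a toy signature engine classifies each packet by its payload rather than by its destination port, flags a mismatch between the port and the application actually carried, and then either only reports the finding (IDS mode) or drops the packet (IPS mode). The packets and the simplified signatures are constructed; real engines hold far richer signatures and, as the text says, decrypt TLS before this step, which this block does not do (it recognises a TLS handshake only by its record header).

```python
"""Added example (not from the study guide or any vendor product): a toy
payload-signature engine that identifies the application in a packet without
trusting the destination port, then applies the decision in IDS mode (alert
only) or IPS mode (drop). Signatures are simplified and packets are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


# Simplified signatures over the first bytes of a flow's payload.
SIGNATURES = [
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),                          # TLS handshake record
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]

# What a port-based device would assume is running on each well-known port.
PORT_EXPECTATION = {22: "ssh", 80: "http", 443: "tls"}


def identify_app(payload: bytes) -> str:
    """Return the first matching application label, or 'unknown'."""
    for app, pattern in SIGNATURES:
        if pattern.match(payload):
            return app
    return "unknown"


def inspect(pkt: Packet, allowed_apps, mode: str) -> Tuple[str, str, List[str]]:
    """Return (verdict, app, findings). mode is 'ids' (alert only) or 'ips' (block)."""
    app = identify_app(pkt.payload)
    findings = []
    expected = PORT_EXPECTATION.get(pkt.dst_port)
    if expected is not None and app != expected:
        findings.append(f"port {pkt.dst_port} carries {app}, expected {expected}")
    if app not in allowed_apps:
        findings.append(f"application {app} is not permitted by policy")
    if not findings:
        return "forward", app, findings
    verdict = "drop" if mode == "ips" else "forward"  # an IDS reports but does not block
    return verdict, app, findings


# Constructed packets: the port number alone tells a port-based firewall very little.
PACKETS = [
    Packet("10.0.1.15", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),
    Packet("10.0.1.23", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Packet("10.0.1.23", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),              # SSH leaving over 443
    Packet("10.0.1.42", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),  # P2P dressed as web
]
ALLOWED = {"tls", "http"}


def run(mode: str, packets=PACKETS) -> Dict[int, str]:
    """Map packet index to verdict for the given mode."""
    return {i: inspect(p, ALLOWED, mode)[0] for i, p in enumerate(packets)}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        for i, pkt in enumerate(PACKETS):
            verdict, app, findings = inspect(pkt, ALLOWED, mode)
            print(f"[{mode}] pkt{i} port={pkt.dst_port} app={app:10} {verdict:7} {'; '.join(findings)}")
```

The HTTP request on port 8080 is forwarded because the engine recognises it as HTTP regardless of the port, while the SSH banner and the BitTorrent handshake are recognised as non-web protocols hiding on web ports: in IDS mode every packet is still forwarded and only the findings are reported, in IPS mode the two offending packets are dropped. A real engine would track whole flows rather than single packets and would need the decrypted stream to classify what runs inside the TLS session.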


Figure 23. Access enforcement (User identity).

Access Enforcement (User Identity). When a user attempts to access network resources, Next Generation Firewalls allow identification of the user from a list of names, IP addresses, and Active Directory group memberships that the firewall maintains locally. The connection request will be allowed only if the user belongs to one of the permitted user groups, and the assigned firewall policy will be applied to all traffic to and from that user.

Figure 24. NGFW distributed enterprise-level capability.

Distributed Enterprise-level Capability. Capable of operating in large, distributed enterprise networks. The foundation of the enterprise campus offering is a high performance next generation firewall (NGFW) that adds intrusion prevention, application control, and antimalware to the traditional firewall/VPN combination. In particular, Fortinet NGFWs:

• Provide fine-grained, user- or device-based visibility and control over more than 3000 discrete applications to establish/enforce appropriate policies.
• Include powerful intrusion prevention, looking beyond port and protocol to the actual content of your network traffic to identify and stop threats.
• Leverage top rated antimalware to proactively detect malicious code seeking entry to the network.
• Deliver actionable application and risk dashboards/reports for real-time views into network activity.
• Run on purpose-built appliances with Custom ASICs for superior, multi-function performance, even over encrypted traffic.


Figure 25. Extra-firewall intelligence IP list assignment.

“Extra-firewall” Intelligence. This provides the ability to create lists for access or denial of external traffic to the network. These lists may be designated by IP address. List types include:

• White List. Designated sources considered trusted, which will be allowed access to the network.
• Black List. Designated sources considered not trusted, which will be denied access to the network.

A key point to this function is that the source is identified by an address; therefore, the access decision does not relate to any specific type of information that may be carried in traffic from that source. This is a surface screening function rather than a content screening function.

Figure 26. Notional network with managed security (MSSP).

Interoperable with Third-Party Management. Enterprise-class appliances deliver the comprehensive security solution Managed Security Service Providers (MSSPs) require. They allow you to utilize the full suite of ASIC-accelerated security modules for customizable value-added features for specific customers. FortiGate NGFW appliances include the ability to create multi-tenant virtual security networks, supporting up to 5,000 separate Virtual Domains (VDOMs) in a single device. The full suite of integrated management applications—including granular reporting features—offers unprecedented visibility into the security posture of customers while identifying their highest risks.

VPN. Virtual Private Network (VPN) technology allows organizations to establish secure communications and data privacy between multiple networks and hosts using IPsec and secure sockets layer (SSL) VPN protocols. Both VPN services leverage custom ASIC network processors to accelerate encryption and decryption of network traffic. Once the traffic has been decrypted, multiple threat inspections—including antivirus, intrusion prevention, application control, email filtering, and web filtering—can be applied and enforced for all content traversing the VPN tunnel.

Figure 27. Application awareness: The NGFW application monitoring feature.

Application Awareness. While establishing port and protocol are important first steps in identifying traffic, positive identification of application traffic is an important capability added by NGFW, requiring a multi-factor approach independent of port, protocol, encryption, or evasive measures. Application awareness includes protocol detection and decryption, protocol decoding, signature identification, and heuristics (behavioral analyses) [10].

NGFW Functions

Two important functions of NGFW are to detect threats and to prevent them from exploiting system or network vulnerabilities. The best way to detect threats is to deploy an Intrusion Detection System (IDS) as part of the network architecture. In order to prevent identified threats from exploiting existing vulnerabilities, an Intrusion Prevention System (IPS) should be deployed. The purpose of IPS is to react to detected threats to a network in order to block intrusion by traffic attempting to take advantage of system vulnerabilities, deviations from standard protocols, or attacks generated by trusted sources [8]. NGFW appliances, such as the FortiGate line of network hardware, provide integrated capability for IDS and IPS to both detect and prevent intrusion and exploitation of protected networks.

Another function of NGFW is providing Secure Sockets Layer (SSL)-Encrypted Traffic Inspection. This type of inspection protects endpoint clients as well as Web and application servers from potentially hidden threats. SSL Inspection intercepts and inspects encrypted traffic for threats before routing it to its destination, and can be applied to client-oriented traffic, such as users connected through a cloud-based site, or to Web and application server traffic. Using SSL inspection allows policy enforcement on encrypted Web content to prevent potential intrusion from malicious traffic hidden in SSL content. Like other inspection functions, however, the trade-off to enabling SSL inspection is a decrease in throughput speed.

Extended NGFW Capabilities

Beyond the capabilities defined by Gartner for NGFW, additional capabilities focused on advanced and emerging threats are clearly needed. Particularly within enterprise network security infrastructure, there is a need to protect against new and evolving classes of highly targeted and tailored attacks designed to bypass common defenses. Because of these advanced and evolving threats, additional defenses—referred to by Fortinet as Advanced Threat Protection (ATP)—include anti-virus/malware, anti-botnet, web filtering, code emulation, and sandboxing. Integration of these additional capabilities appears in Figure 28.

Figure 28. Extending FortiGate NGFW with Advanced Threat Protection (ATP).

When integrated with NGFW, capabilities of ATP enhance security by providing additional protections against evolving threats, including:

• Dual-level sandboxing, allowing code activity examination in simulated and virtual environments to detect previously unidentified threats.
• Detailed reporting on system, process, file, and network behavior, including risk assessments.
• Secure Web Gateway through adding web filtering, botnet, and call back detection, preventing communications with malicious sites and IPs.
• Option to share identified threat information and receive updated in-line protections.
• Option to integrate with other systems to simplify network security deployment.


With the continued shift toward mobile and BYOD practices, integrated user authentication takes on increased importance in visibility and control of applications being employed by network users. With the sophistication of advanced and evolving threats, use of two-factor—or “strong”—authentication has become more prevalent. In addition to the capabilities discussed previously as additive measures to the NGFW, a number of strong authentication factors may also be enabled:

• Hardware, software, email, and SMS tokens
• Integration with LDAP, AD, and RADIUS
• End user self-service
• Certificate Authority
• Single sign on throughout the network

An illustration of authentication functions integrated into NGFW appears in Figure 29.

Figure 29. Authentication functions integrated into NGFW.

While the Application Control feature of the extended NGFW serves to identify network users, monitor applications employed by those users, and block applications representing a risk to the organization, this feature differs from how the Web Filtering function of ATP operates. Unlike Application Control, which focuses on the actual content of the accessed site, Web Filtering focuses on the Internet sites (URLs) themselves, based on a categorization of the site or type of content [8]. This allows the NGFW to block web sites known to host malicious content. An example of how Web Filtering categorizes sites appears in Figure 30.


Figure 30. Web filtering profile control.

Antivirus/malware. Responsible for detecting, removing, and reporting on malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection ensures that malicious threats hidden within legitimate application content are identified and removed from data streams before they can cause damage. Using AV/AM protection at client servers/devices adds an additional layer of security.

Figure 31. FortiGate antivirus/malware.

Anti-botnet. Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other coordinated network attacks. Organizations may prevent, uncover, and block botnet activities using Anti-Bot traffic pattern detection and IP regulation services supplied in real time.


Figure 32. FortiGuard Anti-botnet protection.

Web filtering. Function that allows or blocks Web traffic based on type of content, commonly defined by categories. Web filtering protects endpoints, networks, and sensitive information against Web-based threats by preventing users from accessing known phishing sites and sources of malware.

Figure 33. FortiGate Web filtering capability.

Code emulation. Allows testing of unknown or potentially malicious traffic in a virtual environment by emulating the actual environment to which the traffic was addressed.

Sandboxing. Isolating unknown or potentially malicious code to fully execute all of its functions before allowing the traffic to download into the network. Sandboxing has a unique capability to detect zero-day exploits that other security solutions cannot identify. If malicious activity is discovered, Advanced Threat Protection (ATP) can block it.

Sandboxes and APT

You might be wondering whether this is Back to the Future. After all, sandbox technology is old, having long been a standard means of isolating code for safe analysis. So why would sandboxes be important when examining the implications of Advanced Persistent Threats (APT)?


Sandboxes were initially developed for executable files. Now they also run application data that may contain malicious code, such as Adobe Reader documents or JavaScript, so that the sandbox identifies malicious code before it can infect your operating system. Modern sandbox technology can help detect and identify new threats—such as old legacy threats in new veneers—by emulating endpoint device environments to analyze how the potential threat behaves. In this way, relatively unknown malware—constantly being developed at all levels of complexity—and APTs may be detected, identified, cataloged, and blocked by the NGFW (Figure 34). Integrating NGFW with sandboxing allows inspection of traffic so that only suspect traffic is forwarded to the sandbox, increasing sandbox performance by reducing unnecessary operations.

Figure 34. Sandbox deployed with NGFW Solution.

Advanced Persistent Threats (APT)

Since the widespread availability of computer technology—especially since the introduction of affordable personal computing platforms and the open availability of computer training—people have used software to target systems and networks to damage, steal, or deny access to data. Modern and future challenges—or Advanced Persistent Threats—present a more daunting sophistication of malware, attack vectors, and perseverance by which they mount offensives against their targets. Just as APT uses multiple attack layers and vectors to enhance chances of success, network security administrators must also design and implement a multi-layered defense to protect against these threats. It is critical to understand that no single network security feature will stop an APT. Simplified, a three-step approach to how NGFW addresses APTs appears in Figure 35, below.

Figure 35. The NGFW three-step approach to APT.


Advanced Threat Protection (ATP)

In order to protect against modern and emerging future threats, adaptive defense tools like ATP are being incorporated into network security infrastructures at an increasing pace. This level of protection provides increased security across all network sizes, from SMB to large enterprises. Critical capabilities brought to bear by ATP include:

• Access Control. Layer 2/3 firewall, vulnerability management, two-factor authentication.
• Threat Prevention. Intrusion Prevention (IPS), application control, Web filtering, email filtering, antimalware.
• Threat Detection. “Sandboxing,” botnet detection, client reputation, network behavior analysis.
• Incident Response. Consolidated logs & reports, professional services, user/device quarantine, threat prevention updates.
• Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.

The continuous nature of ATP protection is illustrated in Figure 36, below:

Figure 36. Fortinet Advanced Threat Protection (ATP) model.

NGFW Deployment

Edge vs. Core

When deploying the NGFW, segmentation is a key consideration (see Module 1, page 8), and NGFW brings a unique combination of hardware- and software-related segmentation capabilities that allow isolation of critical network sections, such as data centers. Deploying NGFW into an Edge Network accomplishes the goal of providing control while optimizing critical infrastructure protection (Figure 37).


Figure 37. NGFW deployment to edge network.

NGFW vs. Extended NGFW

Another consideration is which NGFW capabilities are needed—or desired—for the network being protected. Whether to deploy extended NGFW capabilities depends on the nature of the functions that will be carried out both internally and externally to the network. In particular, with the movement to more cloud-based and web applications, extended NGFW may be the best fit. As illustrated in Figure 38, Extended NGFW incorporates the capabilities of current NGFW plus enhanced features that make it more capable against modern and emerging threats.

Figure 38. Current NGFW vs. Extended NGFW capabilities.

One of the characteristics of most technologies is that with added capabilities come concomitant trade-offs. In the case of NGFW, the addition of inspection functions such as web filtering—or anti-malware—presents options that balance capabilities and protection levels against traffic processing speed. The two methods used to inspect traffic are flow-based and proxy-based inspection. In flow-based inspection, the NGFW performs a “string comparison” to examine patterns in the traffic without breaking the connection, resulting in a small portion of the traffic stream being inspected but with a trade-off of faster throughput. In proxy-based inspection, the entire traffic stream is analyzed, breaking the connection and reestablishing it after analysis, resulting in slower throughput.


Table 2. Comparison between flow-based and proxy-based inspections

Type of Inspection          | Flow-based                                                     | Proxy-based
Speed/Performance Resources | Faster                                                         | Slower
Security Analysis Method    | Comparing traffic to database of known bad situations          | Conducting specific analysis on relevant information
TCP Transparency            | TCP flow not broken. Only packet headers changed if necessary. | TCP convention broken, TCP sequence numbers changed.
Protocol Awareness          | Not required                                                   | Understands protocol being analyzed
File size limits            | Only during scanning                                           | Yes, when buffering, based on available NGFW memory
Features supported          | Antivirus, IPS, Application Control, Web Content Filtering     | Antivirus, DLP, Web Content Filtering, AntiSpam

Because Flow Mode does not unpack compressed files or email/FTP attachments, deploying anti-malware in Flow Mode may result in a decreased detection rate.
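The trade-offs in Table 2 and the note on compressed files, as an added example that is not the study guide's or any vendor's code: a flow-based scanner matches segments as they arrive and forwards them at once, so it never unpacks gzip content and has already released earlier segments by the time it matches a pattern; a proxy-based scanner buffers the whole object up to a memory limit, decompresses it, scans it, and releases all or nothing. The marker string standing in for a signature, the three streams and the buffer limit are all constructed.

```python
"""Added example (not from the study guide or any vendor): the same constructed
byte streams scanned flow-based (match as packets pass, no buffering, no
decompression) and proxy-based (buffer the whole object, decompress, scan,
then deliver). The 'signature' is a made-up marker, not a real malware sample."""
import gzip
from typing import List, Tuple

MARKER = b"CONSTRUCTED-TEST-MARKER-NOT-MALWARE"  # stand-in for an antivirus signature
SIGNATURES = [MARKER]


def packetize(data: bytes, size: int) -> List[bytes]:
    """Split an object into fixed-size segments, like TCP segments on the wire."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def flow_scan(packets: List[bytes]) -> Tuple[str, int]:
    """Flow-based: match each segment on arrival and forward it immediately.
    Only the last len(signature)-1 bytes are carried over, so a pattern split
    across two segments is still found, but compressed content is never unpacked.
    Returns (verdict, number of segments forwarded before the verdict)."""
    tail = max(len(s) for s in SIGNATURES) - 1
    carry = b""
    forwarded = 0
    for pkt in packets:
        window = carry + pkt
        if any(sig in window for sig in SIGNATURES):
            return "block", forwarded  # earlier segments have already left the device
        forwarded += 1
        carry = window[-tail:]
    return "allow", forwarded


def proxy_scan(packets: List[bytes], max_buffer: int) -> Tuple[str, int]:
    """Proxy-based: buffer the whole object (up to a memory limit), decompress
    gzip payloads, scan, then release all segments or none."""
    data = b""
    for pkt in packets:
        data += pkt
        if len(data) > max_buffer:
            # The object exceeds the buffer, so it cannot be scanned in full here;
            # whether such objects are passed or blocked is a policy choice (passed here).
            return "oversize-unscanned", len(packets)
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        data = gzip.decompress(data)
    if any(sig in data for sig in SIGNATURES):
        return "block", 0
    return "allow", len(packets)


# Constructed streams.
PLAIN = b"A" * 20 + MARKER + b"B" * 20                        # marker straddles a segment boundary
COMPRESSED = gzip.compress(b"A" * 200 + MARKER + b"B" * 200)  # marker hidden by compression
LARGE_CLEAN = b"C" * 5000                                     # clean, but bigger than the proxy buffer

STREAMS = {
    "plain": packetize(PLAIN, 32),
    "gzip": packetize(COMPRESSED, 32),
    "large": packetize(LARGE_CLEAN, 1000),
}


def compare(max_buffer: int = 4096):
    """Verdicts per stream for both inspection modes."""
    return {name: {"flow": flow_scan(pkts), "proxy": proxy_scan(pkts, max_buffer)}
            for name, pkts in STREAMS.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:6} flow={result['flow']}  proxy={result['proxy']}")
```

For the plain stream both modes block, but the flow scanner has already forwarded the first segment when it matches; for the gzip stream only the proxy scanner finds the marker, which is exactly the detection-rate caveat above; for the large clean stream the proxy scanner hits its buffer limit and hands the object on unscanned, while the flow scanner handles it with constant memory. Which limit bites first is the capability-versus-throughput balance the text describes.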

Summary

The concept of Next Generation Firewalls developed to address evolving threats as technology itself evolved. With the rapid rise of technology integration, portability, and BYOD models in business, education, and other environments, combined with the more widespread ability of hackers from novices to experts to develop malicious code, a system building on the initial premise of NGFW needed to develop for the future.

Because of these capabilities and the flexibility to proactively address modern and developing threat environments across networks of varying sizes, NGFW will be the standard in network firewall protection at least through 2020…


Module 3: Unified Threat Management (UTM)

Unified Threat Management (UTM) is a security management approach providing administrators the ability to monitor and manage multiple security-related applications and infrastructure components through a single management console. Through this simplified management approach, UTM provides administrators the ability to protect both local and branch offices from potential threats, rather than having to depend on coordination with remote site administrators or multiple control panels. This integrated approach to security control is an extension of the philosophy that resulted in integration of multiple security functions into hardware and software appliances, compared to legacy network security systems that used single- or dual-function add-on appliances that resulted in complex hardware, software, and management control systems (Figure 39).

Figure 39. Legacy network security add-ons vs. UTM architecture

UTM provides administrators the ability to monitor and manage multiple, complex security-related

applications and infrastructure components through a single management console. Because UTM is

designed as an integrated solution, it does not suffer the problems of network address translation,

overheating, or throughput difficulties caused by activating multiple security services in legacy systems.

The Key to UTM: Consolidation

Similar to NGFW, one of the strengths of UTM is integration of components and functions into both

hardware appliances and associated security software applications. The advantage to UTM is that it goes

beyond the NGFW focus of high performance protection of data centers by incorporating a broader

range of security capabilities to provide administrator-friendly, threat-unfriendly management. Using

firewall capabilities as a foundation, UTM integrates additional VPN, intrusion detection and prevention,

and secure content management capabilities.

UTM Features

UTMs are generally acquired as either cloud services or network appliances, and integrate firewall,

intrusion detection system (IDS), anti-malware, spam and content filtering, and VPN capabilities (Figure

40). These can be installed and updated as necessary to keep pace with emerging threats. [11]


Figure 40. Unified Threat Management (UTM).

Firewall. The most basic, necessary, and widely deployed network security technology, which uses sets of rules or policies to determine which traffic is allowed into or out of a system or network. UTM builds on this foundation to integrate—rather than add on—enhanced security capabilities. [8]

Intrusion Detection System (IDS). IDS is capable of detecting potential threats to the network, but does

not react by sending a message to the firewall to block the threat. [8] The function of IDS is an

integrated feature in Intrusion Prevention System (IPS).

Antivirus/malware. Antivirus/Antimalware (AV/AM) provides multi-layered protection against viruses, spyware, and other types of malware attacks. It enables scanning of e-mail for viruses, but it doesn’t stop there. You can also apply anti-virus protection to File Transfer Protocol (FTP) traffic, instant messaging (IM), and web content at the network perimeter. Some solutions support Secure Sockets Layer (SSL) content scanning, which means that you can protect the secure counterparts to those types of traffic as well, such as HTTPS, SFTP, POP3S, and so on. A UTM virus filter examines all files against a database of known virus signatures and file patterns for infection. If no infection is detected, the file is sent to the recipient. If an infection is detected, the UTM solution deletes or quarantines the infected file and notifies the user. [9]

Antispam. This is a module that detects and removes unwanted email (spam) messages by applying verification criteria to determine if the email fits defined parameters as spam traffic. Anti-spam filtering can block many Web 2.0 threats like bots, many of which arrive in your users’ e-mail boxes. Multiple anti-spam technologies incorporated into UTM can detect threats through a variety of techniques [9]. These parameters may be as simple as a list of senders identified by a user or comparison against databases of known bad messages and spam server addresses [8].

Content filtering. These devices block traffic to and/or from a network by IP address, domain

name/URL, type of content (for example, “adult content” or “file sharing”), or payload. They maintain a


whitelist of trusted sites and a blacklist of forbidden sites to prevent users from violating acceptable use

policies or being exposed to malicious content. [9]

VPN. A Virtual Private Network (VPN) uses special protocols to move packets of information across the

Internet securely. In general, VPN protocols encrypt traffic going from sender to receiver. This makes

such traffic appear completely garbled to anyone who might intercept and examine those packets while

they’re on the Internet. VPNs use encryption to protect the traffic they carry from unauthorized access.

Because the VPN packets wrap the encrypted data inside a new protocol envelope — a technique

known as encapsulation — a VPN creates a private, encrypted “tunnel” through the Internet. [9]

UTM Distributed Enterprise Advanced Features

Enterprise customers may have access to more advanced features, such as identity-based access

control, load balancing, intrusion prevention (IPS), Quality of Service (QoS), SSL/SSH inspection, and

application awareness [11].

Access (Application) control. Application control can identify and control applications, software

programs, network services, and protocols. In order to protect networks against the latest web-based

threats, application control should be able to detect and control Web 2.0 apps like YouTube, Facebook,

and Twitter. Enterprise-class app control provides granular policy control, letting you allow or block

apps based on vendor, app behavior, and type of technology. For example, you can block specific sites,

block only your users’ ability to follow links or download files from sites, or block games but allow chat.

Another feature of application control is the ability to enforce identity-based policies on users. The UTM

system tracks user names, IP addresses, and Active Directory user groups. When a user logs on and tries

to access network resources, UTM applies a firewall policy based on the requested application or

destination. Access is allowed only if the user belongs to one of the permitted user groups.

Load balancing. Load balancing distributes traffic and routes content across multiple web servers. This increases application performance, improves resource utilization and application stability, and reduces server response times. With data compression and an independent SSL encryption processor, this capability further increases transaction throughput and reduces processing requirements on web servers, providing additional acceleration for web application traffic.

Intrusion Prevention System (IPS). An IPS acts as a network’s watchdog, looking for patterns of network traffic and activity, and records events that may affect security. An IPS issues alarms or alerts for administrators, and is able to block unwanted traffic. An IPS also routinely logs information as events occur, so it can provide information to better handle threats in the future, or provide evidence for possible legal action [9]. IPS is the best way to detect threats trying to exploit network vulnerabilities.

Quality of Service (QoS). QoS refers to a network’s ability to achieve maximum bandwidth and deal with

other network performance elements like latency, error rate and uptime. Quality of service also involves

controlling and managing network resources by setting priorities for specific types of data (video, audio,


files) on the network. QoS is exclusively applied to network traffic generated for video on demand, IPTV,

VoIP, streaming media, videoconferencing and online gaming. [12]

SSL/SSH inspection. This provides the ability to inspect content encrypted by applications using the Secure Sockets Layer (SSL) protocol; the device performs a “man-in-the-middle” interception of the SSL traffic so that other inspections, such as DLP, web filtering, and antivirus/malware, can be applied to it. Some popular examples of SSL-protected protocols are HTTPS, FTPS, and the mail protocols SMTPS, POP3S, and IMAPS. [8]

Application awareness. Web Application Security solutions provide specialized, layered application threat protection for medium and large enterprises, application service providers, and SaaS providers. The FortiWeb web application firewall protects your web-based applications and internet-facing data. Automated protection and layered security protect web applications from layer 7 DoS and sophisticated attacks such as SQL Injection, Cross Site Scripting attacks, and data loss. The Web Vulnerability Assessment module adds scanning capabilities to provide a comprehensive solution to meet your PCI DSS section 6.6 requirements.

Tradeoffs. The main advantage of UTM is reducing operational complexity. In particular, reducing operational complexity for network administrators increases the likelihood that they will use the available protection features to optimize network security. However, while simplification offers the advantage of security optimization by the administrator, the main drawback may be positioning UTM as a single point of failure (SPOF) in a system or network.

Extended UTM Features

One of the key factors that enables specialized UTM products to achieve the highest levels of performance and boost network throughput is incorporating custom application-specific integrated circuits (ASICs) into UTM hardware components. As discussed previously in Module 1, using custom-designed ASICs presents a more challenging design process, but the tradeoff is achieving the highest levels of system performance by tailoring the ASICs to the device capabilities and intended functions. As with most highly efficient technologies, planning and configuration are critical in achieving optimum performance and control when systems and networks are brought online.

Expanding on the foundation of an integrated firewall, UTM builds additional capabilities to enhance network security management. With ever-increasing data transfer between remote users, UTM integrates capabilities not resident in NGFW. One of these, Data Leak Prevention (DLP) (sometimes referred to as Data Loss Prevention), helps prevent unauthorized transfer of information to someone outside an organization by protecting the contents of email, web pages, and transferred files. DLP provides strong control over data by methods such as inbound/outbound filtering and fingerprinting.

DLP filtering scans inbound and outbound files, searching for text strings and patterns that, when compared against the DLP database, determine whether the content will be allowed, blocked, or archived.


Fingerprinting consists of a method by which each document file is encoded with a unique

“fingerprint”—based on the fingerprint, DLP determines whether the document is a sensitive or

restricted file that should be blocked or if the file is allowed to be shared beyond the network.

DLP has the ability to scan and identify data patterns using supported scannable protocols—for example, FortiGate systems are capable of detecting HTTP, FTP, SMTP, POP3, IMAP, and instant messaging protocols for Yahoo, MSN, AOL, and ICQ messaging services [8]. A limitation of DLP, however, is that it is affected by the same limitations as antivirus scanning—maximum file size, data fragmentation (but not necessarily packet fragmentation), and encryption—all of which may limit effective data leak detection and subsequent prevention.
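To make the filtering and fingerprinting methods above concrete, here is an added Python example (not FortiGate code and not from the study guide). It registers a document fingerprint, applies two constructed content patterns that carry different actions, and, following the limitations just listed, refuses to pretend it has inspected a file that exceeds its size limit. The patterns, the size limit and the sample documents are assumptions made for the example.

```python
"""Added example (not from the study guide): a minimal DLP decision engine that
combines inbound/outbound pattern filtering with document fingerprinting, and
that records when a file exceeds the size it is willing to inspect.

Patterns, the size limit and the sample documents are constructed."""
from __future__ import annotations

import hashlib
import re

MAX_SCAN_SIZE = 64 * 1024  # constructed limit; larger files are reported, not inspected

# Constructed DLP database: (label, pattern over raw bytes, action on match).
PATTERN_RULES = [
    ("us-ssn-like", re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"), "block"),
    ("internal-marking", re.compile(rb"INTERNAL ONLY", re.IGNORECASE), "archive"),
]
ACTION_RANK = {"allow": 0, "archive": 1, "block": 2}  # the stronger action wins


def fingerprint(data: bytes) -> str:
    """Whole-document fingerprint: SHA-256 of the content with line endings
    normalised, so a CRLF/LF re-save of a registered document still matches."""
    return hashlib.sha256(data.replace(b"\r\n", b"\n")).hexdigest()


def decide(data: bytes, restricted_fingerprints: set[str]) -> tuple[str, list[str]]:
    """Return (action, reasons) for one transferred file.

    Order of evaluation: size limit, then fingerprint, then patterns. Content
    the engine cannot read (oversize here; encrypted in practice) is reported
    as not scanned rather than silently allowed."""
    if len(data) > MAX_SCAN_SIZE:
        return "not-scanned", ["exceeds MAX_SCAN_SIZE"]
    if fingerprint(data) in restricted_fingerprints:
        return "block", ["fingerprint match"]
    action, reasons = "allow", []
    for label, regex, rule_action in PATTERN_RULES:
        if regex.search(data):
            reasons.append(f"pattern:{label}")
            if ACTION_RANK[rule_action] > ACTION_RANK[action]:
                action = rule_action
    return action, reasons


# Constructed sample: a document registered as restricted, saved with CRLF endings.
SAMPLE_RESTRICTED_DOC = b"Project Falcon pricing sheet\r\nUnit price: 42.00\r\n"
RESTRICTED_FINGERPRINTS = {fingerprint(SAMPLE_RESTRICTED_DOC)}

if __name__ == "__main__":
    for name, doc in [
        ("re-saved restricted doc", SAMPLE_RESTRICTED_DOC.replace(b"\r\n", b"\n")),
        ("hr memo", b"Employee 123-45-6789 starts Monday\n"),
        ("roadmap", b"Draft roadmap - INTERNAL ONLY\n"),
        ("lunch menu", b"Lunch menu for Friday\n"),
    ]:
        print(f"{name:24} -> {decide(doc, RESTRICTED_FINGERPRINTS)}")
```

Encrypted content is the analogous failure mode: a scanner that cannot decrypt a payload should report it as not scanned in the same way, so the gap shows up in policy reports instead of being counted as allowed.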

Evolving UTM Features

As mentioned previously, UTM is a user-simplified, protection-complex, integrated concept with the ability to evolve as technologies, user trends, and threats evolve. With this focus on being flexible and future-ready, additional technologies are increasingly being integrated into UTM devices. Among these capabilities—suited to networks of various sizes—are switching, Wireless Local Area Network (WLAN) control, and Power-over-Ethernet (POE).

Switching. By integrating switching into UTM, the capability to manage switching is added to single-console security management. This again reduces the number of physical hardware devices and control monitors necessary to manage the UTM system. From this integrated control panel, individual ports can be switched on or off to physically isolate network traffic. This is important, because some applications attempt to use port 80 to avoid detection by traditional port-based firewall security systems. Port 80 is the primary port used by the World Wide Web (WWW) and is how web servers “listen” for incoming unsecured (HTTP) connections from web browsers. It is a primary port through which malicious code tries to sneak in via Internet applications. Conversely, secure WWW connections are carried over port 443 (HTTPS) using TLS/SSL security protocols.

Figure 41. LAN control.

Wireless LAN (WLAN). Integrating the WLAN into UTM provides more than added economy of

hardware. Integrating WLAN into UTM provides a simplified method to ensure each network on the full

infrastructure—physical, WLAN, and VPN—may be controlled together to maintain consistent security


policies and controls across all networks on the control interface. This approach also detects and

eliminates potential “blind spots” and better prevents unauthorized or rogue wireless access to the

combined network. WLAN is also important for SMB networks where secure wireless coverage must

take the place of non-existent cable-based network connectivity, such as rented small office spaces.

With continued increases in mobile computing and BYOD operations, many people in today’s

technologically-empowered workforce expect the ability to replicate their office environment wherever

they happen to be conducting business. Because of the many variables involved in such an endeavor—

variations in available Internet speeds, availability of secured versus open networks, volume of users on

remote networks, the cost of high-speed links, and so forth—a technique needs to be available to

enable effective remote communication for authorized network users. In this situation, a process called

WAN Optimization (WANOpt) is such a technique for use with UTM-empowered network

infrastructures.

WANOpt provides improved application and network performance to authorized remote users through

five primary methods [9]:

Protocol optimization. Improves efficiency of FTP, HTTP, TCP, and other protocols to accelerate

network performance.

Byte caching. Caches files and data to reduce amount of data necessary to be sent across WAN.

Web caching. Stores/caches web pages to serve on request to avoid reloading over the WAN to

reduce latency and delays between servers.

SSL offloading. Offloads SSL decryption/encryption onto SSL acceleration hardware to boost

web server performance.

Secure tunneling. Secures traffic crossing the WAN.

Power over Ethernet (POE). POE allows UTM to provide power to external devices, much like legacy

systems such as Universal Serial Bus (USB). With POE, power can be supplied over Ethernet data cables

along extensive cable lengths, either on the same conductors as data or on a dedicated conductor in the

same cable (Figure 42). USB data + power capabilities are designed for up to 5m (16ft), compared to POE

capability up to 100m (330ft) or even more with new POE-plus developments.

Figure 42. Typical Power over Ethernet (POE) cable configuration.

UTM applications utilizing POE enable connection of Wireless Access Points, 3G/4G Extenders, Voice over Internet Protocol (VoIP) handsets, and IP cameras to the network security platform while keeping the devices away from system main power supplies. Depending on how it is applied, some advantages of


POE over other technologies include: lower cost because of combined cabling for power and data, ability

to remotely cycle appliance power, and fast data rates.

3G/4G. 3G/4G extenders integrate with UTM to provide a secure WAN connection for SMB and

distributed enterprise locations, with ability to serve as a secondary failover connection to the wired

WAN link for business continuity or, if desired, as a primary WAN link.

UTM Functions

UTM provides a number of integrated functions beyond the scope of NGFW. Two of these important functions focus on threats inherent in platform capabilities used daily by users in systems and networks of all sizes, from personal computers, to smartphones and phablets, to networks and data center operations and automated business functions. In particular, these common threats—which continue also to evolve with technology and more widespread integration of technology components into common devices—include email and “Surfing the Web.”

You may have heard on many different commercials—both online and on other media—the phrase “we

have an app for that!” Fortunately, UTM has apps—or solutions—to help protect your networks from

these continually evolving threats.

Antispam. One of the most widely used “buttons” on email applications is the one that allows users to designate messages from a particular sender as “spam,” thereby routing them to a folder for which the user receives no alert when a message arrives; such messages are often automatically deleted at a programmed periodicity. UTM has an integrated Anti-Spam function as well, acting as a filter to block many threats like bots—many of which arrive in user email boxes. The multiple anti-spam capabilities integrated into UTM may detect threats using a variety of methods, including:

Blocking known spam IP addresses to prevent receipt.

Blocking messages with any URL in the message body associated with known spam addresses.

Comparing message “hashes” against those for known spam messages. Those that match may

be blocked without knowledge of actual message content.

Comparing the client IP address and sender email address to stored whitelist/blacklist profiles.

Whitelist matches get through; blacklist matches get blocked.

Conducting a DNS lookup on the domain name to see if the domain exists or is blacklisted.

Blocking email based on matching message keywords or key phrases in a banned word/phrase

filter list. [9]
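The six methods above, applied in order by an added Python example that is not the study guide's or Fortinet's code. The reputation lists, the table that stands in for a DNS lookup, and the messages are all constructed; a deployment would consult live reputation feeds and real DNS.

```python
"""Added example (not from the study guide): a filter that applies the six
anti-spam checks listed above to a message.

The reputation lists, the domain table that stands in for a live DNS lookup,
and the sample messages are constructed for this example."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    client_ip: str   # address of the connecting mail client
    sender: str      # From address
    subject: str
    body: str


@dataclass
class SpamPolicy:
    spam_ips: set[str] = field(default_factory=set)
    spam_url_domains: set[str] = field(default_factory=set)
    spam_hashes: set[str] = field(default_factory=set)
    whitelist_ips: set[str] = field(default_factory=set)
    whitelist_senders: set[str] = field(default_factory=set)
    blacklist_ips: set[str] = field(default_factory=set)
    blacklist_senders: set[str] = field(default_factory=set)
    # Constructed stand-in for DNS: domain -> "ok" or "blacklisted"; absent = does not exist.
    known_domains: dict[str, str] = field(default_factory=dict)
    banned_phrases: list[str] = field(default_factory=list)


URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def body_hash(body: str) -> str:
    """Hash of the body with case and whitespace normalised, so trivial
    re-spacing of a known spam message still matches."""
    return hashlib.sha256(" ".join(body.lower().split()).encode()).hexdigest()


def classify(msg: Message, policy: SpamPolicy) -> tuple[str, list[str]]:
    """Return ("allow" | "clean" | "spam", reasons) for one message."""
    sender = msg.sender.lower()
    # Whitelist profiles win outright: whitelisted IPs or senders get through.
    if msg.client_ip in policy.whitelist_ips or sender in policy.whitelist_senders:
        return "allow", ["whitelisted"]
    reasons: list[str] = []
    # 1. Known spam source IP.
    if msg.client_ip in policy.spam_ips:
        reasons.append("spam-ip")
    # 2. Any URL in the body pointing at a known spam address.
    for host in URL_RE.findall(msg.body):
        if host.lower() in policy.spam_url_domains:
            reasons.append(f"spam-url:{host.lower()}")
    # 3. Normalised body hash matches a known spam message (content itself need not be read).
    if body_hash(msg.body) in policy.spam_hashes:
        reasons.append("known-spam-hash")
    # 4. Blacklist profiles for client IP or sender address.
    if msg.client_ip in policy.blacklist_ips or sender in policy.blacklist_senders:
        reasons.append("blacklisted")
    # 5. "DNS lookup" of the sender domain: does it exist, and is it blacklisted?
    status = policy.known_domains.get(sender.rsplit("@", 1)[-1])
    if status is None:
        reasons.append("sender-domain-not-found")
    elif status == "blacklisted":
        reasons.append("sender-domain-blacklisted")
    # 6. Banned word/phrase filter over subject and body.
    text = f"{msg.subject}\n{msg.body}".lower()
    reasons.extend(f"banned-phrase:{p.lower()}" for p in policy.banned_phrases if p.lower() in text)
    return ("spam", reasons) if reasons else ("clean", [])


def build_sample_policy() -> SpamPolicy:
    """Constructed policy data (documentation IP ranges and .example/.test names)."""
    return SpamPolicy(
        spam_ips={"203.0.113.7"},
        spam_url_domains={"cheap-pills.example"},
        spam_hashes={body_hash("Buy now and save")},
        whitelist_senders={"bob@partner.example"},
        blacklist_senders={"noreply@bulk-mailer.example"},
        known_domains={"corp.example": "ok", "partner.example": "ok",
                       "promo-example.test": "blacklisted"},
        banned_phrases=["free prize"],
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    sample = Message("203.0.113.7", "Deals@promo-example.test", "You won",
                     "Claim at http://Cheap-Pills.example now, FREE PRIZE inside")
    print(classify(sample, policy))
```

Whitelist profiles are evaluated first, matching the rule that whitelist matches get through; every other check appends a reason instead of returning immediately, so an administrator tuning the filter can see every criterion a message tripped.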


Intrusion Prevention Systems (IPS). IPS performs a dual protection function. In the UTM environment,

IPS protects the internal network from attacks that originate from outside the network perimeter as well

as those that originate from within the network itself. IPS is also discussed as a component of NGFW—in

a UTM solutions environment, the IPS component provides a range of security tools to both detect and

block malicious activity, including:

Predefined signatures. A database of malicious attack signatures is included, which is updated

regularly to keep pace with newly identified threats.

Custom signatures. Customizable entries that add to the standard threat signature library to add protection against new, little-known, or unknown attacks.

Out-of-band mode. Alternately referred to as “one-arm IPS” mode, the component may be

programmed to operate as only an Intrusion Detection System (IDS), detecting but not acting

upon identified threats and attacks. In this configuration, such identified threats/attacks would

be analyzed on a separate switch port.

Packet logging. This feature provides the option to save network packets that match identified

IPS signatures and analyze the log files with analysis tools. [9]
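An added Python example (not from the study guide or FortiGate) showing the four capabilities listed above in one small engine: a constructed predefined signature set, a custom signature added at run time, an out-of-band mode that alerts without dropping, and packet logging of matching packets. Signatures, payloads and addresses are all constructed for the example.

```python
"""Added example (not from the study guide): a signature-based inspection engine
demonstrating predefined signatures, custom signatures, out-of-band (IDS-only)
mode and packet logging. Signatures, packets and addresses are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    sig_id: str
    description: str
    pattern: re.Pattern     # searched over the packet payload
    severity: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed "predefined" signature set, standing in for the vendor database.
PREDEFINED = [
    Signature("PRE-0001", "Directory traversal sequence in request path",
              re.compile(rb"\.\./\.\./"), "high"),
    Signature("PRE-0002", "HTTP header line longer than 2048 bytes",
              re.compile(rb"^[A-Za-z-]+: [^\r\n]{2048,}", re.MULTILINE), "medium"),
]

# Constructed custom signature an administrator might add for a local need.
CUSTOM_MARKER_SIG = Signature("CUS-0001", "Constructed custom marker string",
                              re.compile(rb"CONSTRUCTED-CUSTOM-MARKER"), "low")


@dataclass
class Ips:
    signatures: list[Signature]
    mode: str = "inline"          # "inline" drops matches; "out-of-band" only alerts
    packet_logging: bool = True   # keep a copy of every matching packet
    alerts: list[dict] = field(default_factory=list)
    packet_log: list[Packet] = field(default_factory=list)

    def add_custom_signature(self, sig: Signature) -> None:
        """Custom signatures extend the predefined library at run time."""
        self.signatures.append(sig)

    def inspect(self, pkt: Packet) -> str:
        """Return the verdict for one packet: "forward" or "drop"."""
        matched = [s for s in self.signatures if s.pattern.search(pkt.payload)]
        if not matched:
            return "forward"
        for sig in matched:
            self.alerts.append({"sig_id": sig.sig_id, "severity": sig.severity,
                                "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
                                "description": sig.description})
        if self.packet_logging:
            self.packet_log.append(pkt)
        # Out-of-band (one-arm IDS) mode sees a copy of the traffic and cannot drop it.
        return "drop" if self.mode == "inline" else "forward"


# Constructed sample traffic (documentation IP ranges).
TRAVERSAL = Packet("203.0.113.9", "198.51.100.10", 80,
                   b"GET /static/../../config.yml HTTP/1.1\r\nHost: www.example\r\n\r\n")
CLEAN = Packet("203.0.113.9", "198.51.100.10", 80,
               b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n")
LONG_HEADER = Packet("203.0.113.9", "198.51.100.10", 80,
                     b"GET / HTTP/1.1\r\nX-Pad: " + b"A" * 3000 + b"\r\n\r\n")
CUSTOM_HIT = Packet("203.0.113.9", "198.51.100.10", 80,
                    b"POST /upload HTTP/1.1\r\n\r\nCONSTRUCTED-CUSTOM-MARKER")

if __name__ == "__main__":
    inline = Ips(list(PREDEFINED))
    print(inline.inspect(TRAVERSAL), inline.inspect(CLEAN), inline.inspect(LONG_HEADER))
    ids_only = Ips(list(PREDEFINED), mode="out-of-band")
    print(ids_only.inspect(TRAVERSAL), len(ids_only.alerts), len(ids_only.packet_log))
```

In out-of-band mode the engine still records the alert and logs the packet, which is the value of the one-arm deployment: the same signatures are exercised against a copy of the traffic, and the saved packets can be reviewed before the sensor is placed inline.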

Where UTM Fits In…

UTM provides a scalable security solution for networks from SMB to large and distributed enterprise

networks.

Figure 43. UTM scalability.

As network magnitude and function complexity grow, so also must the capabilities of the security apparatus. One consideration for both SMB and smaller, remote offices tied to a corporate headquarters or central database is implementing UTM security as an all-in-one solution that provides flexible, future-ready security that is user-friendly and threat-complex. Figure 43 illustrates how UTM may be deployed to support satellite branches in a distributed enterprise network, while NGFW and ATP technology is maintained at the central office, where increased staff and capability exist to monitor and manage security parameters at all network locations.


Home Office / Administrator. Next Generation Firewall (NGFW)

Application Visibility & Control. Identify and control applications on a network regardless of the

port, protocol, or IP address used.

Advanced Threat Protection (ATP). Sophisticated on-device and cloud-based detection and

mitigation techniques block Advanced Persistent Threats (APTs) that target specific people or

functions within an organization, and use extensive evasion techniques to remain stealthy for

long periods before exfiltrating data.

Remotes. Unified Threat Management (UTM)

Content Security & Web filtering. Combines sophisticated filtering capabilities together with a

powerful policy engine and cloud-based model to create a high performance and flexible web

content filtering solution.

Antispam. Real-time protection against spam.

IPS/IDS. Intrusion Detection and Prevention Systems monitor, log, identify, and block malicious network activity.

UTM: Scalable Deployment

Because UTM may be configured to provide network security tailored to specific environments, UTM is

designed for deployment across a broad range of organizational needs. The integrated hardware and

software features of UTM make it ideal for SMB networks, while simultaneous control of wired, VPN,

and wireless infrastructure components provide the means for distributed enterprise and select large

enterprise deployment (Figure 44). Across these various deployment environments, UTM provides

enhanced and cost-effective network security options.

SMB networks. Simple controls and multiple scalable options. Provides option for control and scalable

security for businesses with limited physical space and IT staff, or branch offices where IT policy and

control is managed from a central location (Figure 43).

Distributed enterprise networks. Simultaneous control of wired, VPN, and wireless infrastructure

components, with centralized control with advanced features to effectively run operations up to a global

scale.

Like many other sectors of the technology industry, UTM deployment may be accomplished in various

ways. A common method for vendors—following traditional hardware procurement paradigms—was to

license UTM infrastructure based on the number of devices included in the deployment package. In

other words, the standard was an “a la carte” menu of options. However, in an effort to provide a better

option for organizations wanting to upgrade to the UTM security model, leading UTM companies

developed a new licensing model that more closely reflects the “bundle” model offered by cable and

DSL companies. Fortinet, recognized by Gartner as a leader in UTM development and implementation

along with CheckPoint, offers a “bundle” concept that includes the purchased hardware, software

updates, security feature updates for all included security components, and system support [8]. This not


only provides simplified licensing and reduced costs, but also enables better future budget planning for

UTM system customers.

Figure 44. Fortinet’s concept of “Connected UTM.”

Summary

NGFW improved on the basic gatekeeping security of Edge Firewalls by introducing such features as IPS,

Deep Packet Scanning, Network Application Identification and Control, and Access Enforcement.

However, beyond those capabilities, additional security functions meant additional appliances and

software configurations, increasing operational complexity for the network administrator.

Because increased operational complexity often results in bypassing of processes in the interest of time

or administrator overload, development was needed for a new dynamic vision of a flexible, future-ready

security solution to meet the needs of today’s network environments and keep pace—or think ahead

of—advanced threats of the future. This dynamic, integrated network security concept—Unified Threat

Management (UTM)—is in place today and ready for tomorrow’s evolving challenges.

Overcoming the difficulties of patching together legacy systems with newer, state of the art systems,

UTM brings flexibility, vision, power, and control to networks from SMB to large enterprises that have

international reach. Combining user-simple interfaces with threat-complex protections, as well as cost

effective procurement, operations, and support, UTM provides an optimum system to best ensure

continued network operations in a secure environment.


Module 4: Application Security

Because threats are constantly evolving, network security technologies and methods must evolve also. One of the most important points about application security is that threats—including such evils as Bots, Ransomware, Advanced Persistent Threats (APT), Viruses, and Spam, to name some recent prevalent threats—have a heavy content component and are not focused just on the physical and data link layers. In this context, content refers to packet payload analysis and how payloads are transported—in particular, layers 3-7 of the OSI Model (Table 3) [13].

Table 3. Comparative models for layers, protocols, and devices.

Because of the focus of these threats on the application content component and transport rather than

link and physical components, firewalls designed to protect, load balance, and accelerate content

between web servers are necessary. This type of appliance is the Web Application Firewall (WAF),

designed to provide protection for web applications and related database content [8]. In order to

understand better the type of threats that the WAF faces in protecting networks, an examination of the

vulnerable areas targeted by application threats provides the necessary context.

Application Challenges to Meeting User Needs

With the increased reliance of businesses on cloud-based applications, focus on the vulnerabilities of web-based applications is essential to system and network security. These applications reside deep in layer 7 of the OSI Model, which will be discussed further in this module, but remain vulnerable to targeted attacks. Of these attacks, Denial of Service (DoS)—or more importantly, Distributed Denial of Service (DDoS)—attacks designed to inhibit use of such applications have evolved as technology evolved, becoming much more sophisticated than early hacker methods.

The mobility of modern business, combined with distributed enterprise networking, demands VPNs with

secure access to resources. SSL VPNs establish connectivity at L4 & L5; information is encapsulated at L6

& L7. So, these VPNs—and other remote accessing sites to network resources—function in the top tiers

of the OSI Model, known as the Application Layers when translated into the broader TCP/IP Model.


Table 4. Translation of ISO/OSI layers to TCP/IP model.

Secure Sockets Layer (SSL) traffic poses a challenge because legacy servers and load balancers cannot manage the increased loads caused by growing SSL traffic, which requires decryption, scanning, and re-encryption in order to detect potential malicious code attempting to sneak into the network in encrypted data packets.

Scalability is the concept of enabling a system, network, or application to handle a growing volume of

work in an efficient manner or, if necessary, to be enlarged to accommodate growth. Scalability may be

accomplished through the use of hardware, software, or a combination of both, in order to improve

availability and reliability by:

Managing data flow and workload across multiple servers to increase capacity

Improving application response times by either hardware upgrades or software solutions

Reducing costs by optimizing resources through improved allocation

Allocating data across multiple data centers to facilitate redundancy and recovery

Application Layers: The OSI Model

The Open Systems Interconnection (OSI) model defines computer networks by functional levels. As the level increases, so also does the complexity and critical nature of the data contained therein. A description of the OSI layers and their functions appears in Table 4.

Table 5. Function of network layers in OSI model.

Layer  Name          Function
  7    Application   Application and end-user processes; application-specific data.
  6    Presentation  Translates between application and network formats (syntax layer).
  5    Session       Establishes, manages, and terminates connections between applications.
  4    Transport     Transfer of data between end systems; error recovery and flow control.
  3    Network       Switching and routing; virtual circuits to transmit between nodes.
  2    Data Link     Data packets are encoded and decoded; transmission protocols.
  1    Physical      The bit stream at the mechanical and electrical level.


Applications are what allow users to accomplish tasks using computer systems and networks without

having to learn the complex languages of writing their own code. Many common applications include

word processing, spreadsheet, and graphics design programs, email applications, games, and media, and

may apply across platforms from wired desktop systems to smartphones and myriad others. Many of

these applications are now web-based, as discussed in the Module 1 section on Application Services

such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Application Vulnerabilities

Because threats are constantly evolving, network security technologies and methods must evolve also. An important point about modern and emerging threats is that they have a heavy content component focused beyond the physical and data link layers (L1 & L2). These content-focused threats include such current challenges as:

Bots
Ransomware
Advanced Persistent Threats (APT)
Viruses
Spam
…and others…

In this context, “content” refers to analysis of packet payloads and how they are transported, particularly focusing on layers 3, 4, & 7 of the OSI Model.

Widespread use of applications provides commonality between business users and private consumers, making application threats a problem with the potential for repeated instances if such a threat infects the systems of multiple private users who interface with organizational networks. This may occur from innocuous sources such as customers, clients, or those using a BYOD model who fail to perform regular security screenings on their equipment. It may also occur as a dedicated effort by an outside competitor, malcontent, or hacker to adversely affect the success of the organization.

OWASP

Fortunately, a global project exists that assists application developers and system/network security administrators in identifying and understanding the prevalent and emerging application security threats. This project is the Open Web Application Security Project (OWASP), which is also supported by an OWASP Foundation in the United States.

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security… Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. [14]

One of the primary studies accomplished by OWASP is the cataloging and ranking of the most prevalent threats in web applications. A comparative analysis between the 2010 and 2013 findings appears in Table 6 [27].

Table 6. OWASP top 10 2010 vs. 2013 comparison.

Over the prior four years, OWASP found consistency among the top four application threats to system and network security:

SQL Injection
Cross-site Scripting (XSS)
Broken Authentication & Session Management
Insecure Direct Object References

Of note, the OWASP analysis also provides information on which threats have increased and declined, indicating trends that may assist security administrators in determining the most effective system and network configurations.

SQL Injection. Insertion or injection of an SQL query via input data from the client to the application. This type of attack may allow attackers to spoof identities, tamper with or delete data, change or void transactions of various types, enable complete disclosure of the system’s database—or destroy it or make it unavailable—or even become a new database server administrator. It is common with PHP and ASP applications and less likely with J2EE and ASP.NET applications. Severity depends on the attacker’s creativity and computer skills, but the attack has the potential to be devastating. SQL Injection is a high impact threat.

Cross-site Scripting (XSS). Also referred to as XSS Injection, malicious scripts are injected into otherwise benign and trusted web sites, generally in the form of browser-side scripts transmitted to end users. Because the end user’s browser regards the site as trusted, it will execute the script, allowing access to any cookies, session tokens, or other information retained by the browser and used with the site. Some of these scripts are even capable of rewriting content on HTML pages.


Broken Authentication & Session Management. This area includes all aspects of user authentication and active session management handling. Even robust authentication protocols may be undermined by flawed credential management functions, such as password changing, “forgot my password” and “remember my password” options, account update options, and other functions. The complexity of this issue comes from the fact that many developers prefer to create their own session tokens. These may not be properly protected, depending on the skill of the creator; steps may not be in place to protect them throughout the application’s life cycle; and if they are not protected with SSL and against other flaws (such as XSS), an attacker may hijack the user’s session and assume the user’s identity.

Insecure Direct Object References. When an application provides direct access to objects based on user-supplied input, attackers may bypass authorization and access resources in the system directly. These resources may include valuable data such as databases and organizational files, or any other type of information stored on the system. Insecure Direct Object References allow attackers to bypass authorization and gain access to resources by modifying parameter values used to point directly to objects. The application simply takes the user’s supplied input and uses it to retrieve data as though the attacker were the authorized user.
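The SQL injection and Insecure Direct Object Reference flaws described above, as an added example that is not part of the study guide: each vulnerable lookup is shown beside its fixed form against an in-memory SQLite database. The users and invoices tables, their columns and the sample rows are constructed for this example.

```python
"""Added example (not from the study guide): SQL injection and Insecure
Direct Object Reference, each shown as a vulnerable query beside its fix.
The schema, table names and rows below are constructed for the example."""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each owning one invoice.
    Passwords are stored in clear text only to keep the example short;
    a real application stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice-pass'), (2, 'bob', 'bob-pass');
        INSERT INTO invoices VALUES (10, 1, 'alice invoice'), (11, 2, 'bob invoice');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """SQL injection: the client's input is spliced into the query text, so
    characters in the input (quotes, comment markers) change the query's
    logic instead of being compared as data."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver sends the input as bound values, so
    it can only ever be compared literally against the stored columns."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def get_invoice_vulnerable(conn: sqlite3.Connection, session_user_id: int,
                           invoice_id: int) -> Optional[str]:
    """Insecure Direct Object Reference: the row is fetched by the
    client-supplied id alone.  The authenticated user is never consulted,
    so changing the id parameter reaches another user's object.
    (The query itself is parameterised; IDOR is an authorization flaw,
    not an injection flaw.)"""
    del session_user_id  # received but ignored: that is the bug
    row = conn.execute("SELECT body FROM invoices WHERE id = ?",
                       (invoice_id,)).fetchone()
    return row[0] if row else None


def get_invoice_fixed(conn: sqlite3.Connection, session_user_id: int,
                      invoice_id: int) -> Optional[str]:
    """Authorization enforced in the query: the object must belong to the
    authenticated user, so an id belonging to someone else resolves to
    nothing rather than to their data."""
    row = conn.execute(
        "SELECT body FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, session_user_id),
    ).fetchone()
    return row[0] if row else None


def demonstrate() -> dict:
    """Run both flaws and both fixes against the constructed data.
    The injected username ends the quoted string and comments out the
    password check, which only the vulnerable login accepts."""
    conn = make_db()
    injected = "alice' --"
    return {
        "vuln_login_with_injection": login_vulnerable(conn, injected, "wrong"),
        "fixed_login_with_injection": login_fixed(conn, injected, "wrong"),
        "fixed_login_real_creds": login_fixed(conn, "alice", "alice-pass"),
        "vuln_idor_alice_reads_bob": get_invoice_vulnerable(conn, 1, 11),
        "fixed_idor_alice_reads_bob": get_invoice_fixed(conn, 1, 11),
        "fixed_idor_alice_reads_own": get_invoice_fixed(conn, 1, 10),
    }
```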

Individual, targeted attacks are often manageable and, in many cases, traceable. These attacks aim increasingly at denying use of a network to outside users, known as Denial of Service (DoS). However, with the continued evolution of networking for both productive purposes and malicious intentions, the prospect of coordinated network attacks from multiple sources presents an even more critical challenge for continued secure and uninterrupted network operations. These simultaneous, coordinated attacks target a network from a number of outside systems and are referred to as a Distributed Denial of Service (DDoS), which will be addressed in the following section.

Distributed Denial of Service (DDoS)

A malicious act designed to deny a legitimate user access to a system, network, application, or information is called Denial-of-Service (DoS). In a Distributed Denial-of-Service (DDoS) attack, the malicious act originates from a large number of systems. DDoS attacks are most often launched from a single system that uses a large remote network to actually conduct the attack [15]. A basic DDoS method is the Smurf Attack, in which the hacker sends a ping packet to a large network while spoofing the target system’s address as the source, so that the replies overload the target system. A more sophisticated DDoS method is the Low-Orbit Ion Cannon (LOIC), which lets hackers allow others to use their own systems temporarily as slaves in a DDoS attack. A more detailed discussion of DDoS attacks appears following the notional DDoS architecture illustration in Figure 45.

Referring back to the classifications illustrated in Table 3 (page 50), attacks focusing on content components of systems and networks focus on ISO/OSI Model layers 3, 4, and 7 application services. Although layers 3, 4, and 7 are all at risk from DDoS attacks, attacks against layer 7 are often detected through actions affecting the associated port in layer 4, which the attack uses as a method to sneak undetected into layer 7 to accomplish its malicious task. As an analogy, one may think of the attack on layer 7 riding like a signal on the carrier wave into layer 4. As a result, most recommended parameter adjustments focus on layers 3 and 4, while events to watch include a broader range of indicators.

Figure 45. DDoS architecture.

DDoS attacks have a wide range of methods, from simple to complex, from a single hacker using a single system to a network of hackers coordinating multiple systems. Common types of DDoS attacks include the SYN flood, ICMP flood, and Zombie attack. In each case, the DDoS relies on overloading the network’s capability to process seemingly valid traffic, resulting in denial of service. These attacks are referred to as volumetric attacks because of their focus on overloading the network in order to deny service.

SYN Flood. This attack consists of an excessive number of packets directed to a specific TCP port. In most cases, the source address is spoofed (Figure 46).

Figure 46. SYN Flood DDoS attack.


ICMP Flood. This attack results from an excessive number of ICMP packets targeting the network (Figure 47).

Figure 47. ICMP Flood DDoS attack.

Zombie Attack. This attack results when too many legitimate IP sources send valid TCP packets to the network (Figure 48).

Figure 48. Zombie DDoS attack.

The common thread in each of these DDoS attacks is the flooding of the network with seemingly valid inputs in a way that slows, stalls, or shuts down the network’s ability to operate. For each of these attacks, threshold monitoring and adjustments at layer 3 and 4 protocols, ports, and SYN may allow network administrators to detect and counter DDoS efforts against layers 3, 4, and 7 and keep the network from extended down times.

Even with the global trend toward increasing IPv6 traffic, DDoS attacks above the 50 Mbps benchmark are rare. South Korea’s average network speed leads the world with 24.6 Mbps, with Hong Kong a distant second at 15.7 Mbps. The US ranks 14th at 11.4 Mbps. As the shift from IPv4 to IPv6 traffic moves forward, the incidence of DDoS attacks appears to be inversely proportional to IPv6 network growth [16]. This may be an indicator that average network speeds available through IPv6 are making the cost and coordination of DDoS more difficult—or prohibitively costly, in some cases.


Application Security Solutions

The Next Generation Firewall (NGFW) [Module 2] and Unified Threat Management (UTM) [Module 3] brought enhanced capabilities to network security.

An important tool in protecting the network is the Intrusion Prevention System (IPS), which looks beyond port and protocol to examine the signature—or actual content—of network traffic to identify and stop threats. FortiGate NGFW and UTM appliances, using enhanced capabilities such as Advanced Threat Protection (ATP), protect the L3 & L4 regions of the network against DDoS attacks by combining hardware and programmable software solutions to target modern and emerging threats. In addition to protection against L3 & L4 threats, the enhanced NGFW and UTM capabilities also include L4 routing and load balancing to increase the efficiency and availability of application traffic in the network.

Beyond NGFW and UTM as stand-alone capabilities, using these appliances in concert with other network security capabilities presents additional end-to-end protection that is both scalable and future-ready. The capabilities discussed in the following sections add critical security solutions to protect against DDoS attacks and protect L3, L4, and L7 functions.

Application Delivery Controllers (ADC)

Application Delivery Controllers (ADC) are network devices that manage client interfaces to complex Web and enterprise applications—beyond the scope of SMB and home office applications. An ADC functions primarily as a server load balancer, resulting in optimized end-user system performance and reliability through increased Gbps of L4 throughput, accessibility to data center resources, and enterprise application security. ADC controllers are deployed in data centers, strategically placed behind the firewall and in front of the application server(s), acting as the point of control for application security and providing authentication, authorization, and accounting (AAA) [17].

Figure 49. Application Delivery Controller (ADC).

The ADC is part of a larger process that makes applications available, responsive, and secure for users. This end-to-end model is called the Application Delivery Network (ADN), consisting of an application delivery controller, firewall, and link load balancer. Figure 50 illustrates a typical ADN infrastructure.


Application Delivery Network (ADN)

The ADN is divided into three elements—a server side, security, and an outer perimeter. Each of these elements performs functions that enable user access to applications (Figure 50):

Figure 50. Typical Application Delivery Network (ADN) infrastructure.

Server Side. When applications outgrow a single server, an ADC manages multiple servers to enable applications beyond a single server—essentially creating a single virtual server. Once the ADC selects the best server for the application, the ADC uses Connection Persistence to maintain a connection back to the original server where the transaction began. The ADC routes traffic to the best available server based on configurable rules, as well as providing options to offload encrypted traffic and conduct HTTP compression for bandwidth reduction. SSL offloading does not protect against DDoS attacks; however, the ADC may reduce the need for additional servers by as much as 25%.

Security Core. This element is where the tools and services to defend applications from threats reside. Capabilities include a strong firewall, VPN, AV/antimalware scanning, and other security features, which may include NGFW with IPS and deep packet scanning, application control, and user access policies to enhance protection.

Outer Perimeter. Basic Link Load Balancing (LLB) manages bandwidth and redundancy using multiple WAN links. If application use includes multiple data center access for operations such as disaster recovery, Global Server Load Balancing (GSLB) uses a DNS-based resolution platform to route traffic between multiple data centers, allowing either automatic or programmable data center routing based on infrastructure performance needs.


ADC: Solutions and Benefits Part I

An advanced, modern ADC provides enhanced capabilities that bring both security and efficiency to networks. The capabilities brought by ADCs to the Server Side of the ADN include:

Server Load Balancing. The ADC allows the use of software-based intelligent load balancing to enhance performance over hardware-based simple load balancing. This not only provides a path to open server capability, but also matches the best server to the incoming traffic based on programmed policies and application-layer knowledge that supports business requirements (Figure 51).

Benefits. Because the ADC conducts continuous health checks of network servers, only routes traffic to online devices, and routes to the best performing devices using intelligent load balancing capability, Server Load Balancing provides a 25% increase in capacity and reduces server hardware requirements by 25% over traditional DNS round-robin configurations.

Figure 51. Intelligent Load Balancing.

L7 Content Routing. By designating different servers for different types of data functions, the ADC may be configured to route traffic to the server(s) best configured to process applications based on their specific needs (Figure 51).

Benefits. By using L7 content routing, the ADC can optimize data center resources while protecting the network and applications from security threats.

Connection Persistence. This capability is critical to transaction-based applications. For example, if you begin a transaction, add an item to your virtual shopping cart, and are then load balanced to a different server for checkout without a persistent connection back to the original server, your cart will be empty at checkout. The ADC uses session state with HTTP headers and cookies to ensure that users and servers remain persistent throughout the transaction.

Benefits. By maintaining a persistent connection to the original server that started the transaction, the transaction may be completed without loss of data or loss of connection.
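A simplified model of the Server Side behaviours just described (health-checked server load balancing, L7 content routing and cookie-based connection persistence), added here as an example and not taken from the study guide or from any vendor's product. Server and pool names, request paths and the cookie name are assumptions made for the example.

```python
"""Added example (not from the study guide or any vendor's product): a
small model of the Server Side ADC behaviours described above -- health
checks, least-connections server load balancing, L7 content routing and
cookie-based connection persistence.  Server names, pool names, paths and
the cookie name are assumptions made for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PERSIST_COOKIE = "ADC_SRV"  # assumed name of the persistence cookie


@dataclass
class Server:
    name: str
    pool: str              # "app" or "static": the L7 routing target
    healthy: bool = True
    active_conns: int = 0


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


class ADC:
    def __init__(self, servers: List[Server]):
        self.servers = {s.name: s for s in servers}

    def health_check(self, probe_results: Dict[str, bool]) -> None:
        """Record the outcome of a health probe for each server.  A server
        that fails its probe is left out of selection until it passes again,
        so traffic is only ever routed to online devices."""
        for name, ok in probe_results.items():
            if name in self.servers:
                self.servers[name].healthy = ok

    @staticmethod
    def pool_for(path: str) -> str:
        """L7 content routing: static assets are served by the static pool,
        everything else by the application pool."""
        return "static" if path.startswith("/static/") else "app"

    def least_connections(self, pool: str) -> Optional[Server]:
        """Intelligent load balancing: the healthy pool member with the fewest
        active connections, rather than blind DNS round-robin.  Ties go to
        the first server configured."""
        candidates = [s for s in self.servers.values()
                      if s.pool == pool and s.healthy]
        return min(candidates, key=lambda s: s.active_conns) if candidates else None

    def route(self, req: Request) -> Optional[str]:
        """Choose the server for a request and return its name (None when
        the pool has no healthy member).  Persistence takes priority over
        balancing so an in-progress transaction, such as a shopping cart,
        stays on the server that holds its state; the sticky choice is
        overridden only if that server is down or belongs to another pool."""
        pool = self.pool_for(req.path)
        sticky = self.servers.get(req.cookies.get(PERSIST_COOKIE, ""))
        srv = sticky if sticky and sticky.healthy and sticky.pool == pool else None
        if srv is None:
            srv = self.least_connections(pool)
        if srv is None:
            return None
        srv.active_conns += 1
        return srv.name

    def set_cookie_header(self, server_name: str) -> str:
        """The response header a real ADC would add so the client's next
        request carries the persistence cookie back."""
        return f"Set-Cookie: {PERSIST_COOKIE}={server_name}; Path=/; Secure; HttpOnly"

    def release(self, server_name: str) -> None:
        """Connection closed: free the slot so balancing stays accurate."""
        srv = self.servers[server_name]
        srv.active_conns = max(0, srv.active_conns - 1)


def demo_transaction() -> List[Optional[str]]:
    """Constructed walk-through: two new clients are spread across the app
    pool, a returning client with a cookie sticks to its server, a static
    asset goes to the static pool, and a failed health check moves the
    sticky client to the surviving server."""
    adc = ADC([Server("app1", "app"), Server("app2", "app"),
               Server("static1", "static")])
    steps = [adc.route(Request("/cart/add")),                              # app1
             adc.route(Request("/cart/add")),                              # app2
             adc.route(Request("/checkout", {PERSIST_COOKIE: "app1"})),    # app1
             adc.route(Request("/static/logo.png", {PERSIST_COOKIE: "app1"}))]  # static1
    adc.health_check({"app1": False})
    steps.append(adc.route(Request("/checkout", {PERSIST_COOKIE: "app1"})))  # app2
    return steps
```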


SSL Offloading/Acceleration. SSL traffic may overload servers, reducing capacity to a range in the hundreds of TPS. By offloading and accelerating SSL encryption, decryption, and certificate management from servers, the ADC enables web and application servers to focus CPU and memory resources on delivering application content, responding more quickly to user requests. This offloading boosts capacity up to tens of thousands of TPS, pushes HTTPS to servers, and HTTPS to users (Figure 52).

Benefits. SSL offloading and acceleration provides a 100X increase in traffic flow, reducing the need for additional servers in order to accommodate data volume.

Figure 52. SSL offloading and HTTP compression.

HTTP Compression. One of the challenges as the number of network users grows, application programming becomes more complex, and data sets become larger is concern over bandwidth limitations. One way that an ADC acts to reduce bandwidth constraints is through HTTP compression, which removes non-essential data from traffic traversing network links between servers and user web browsers (Figure 52).

Benefits. By reducing bandwidth demands, HTTP compression creates increased throughput capability, increasing data flow efficiency to the user.

In addition to the ADC, the ADN includes a firewall component that provides security for traffic flowing between the server side and the outer perimeter. In a content-focused, application-level environment, this function is accomplished by the Web Application Firewall (WAF).

Web Application Firewall (WAF) Characteristics

Essential for businesses that host web-based applications, Web Application Firewalls (WAFs) deployed in the data center provide protection, load balancing, and content acceleration to and from web servers. The primary use of WAFs is to protect web-based applications from attacks that attempt to exploit vulnerabilities (Figure 53). They protect web applications and associated database content by WAF Vulnerability Scanning, mitigating prevalent threats such as cross-site scripting (XSS), buffer overflows, denial of service (DoS), SQL injection, and cookie poisoning, as well as focusing on the OWASP Top 10 web application vulnerabilities [8].

Figure 53. Web Application Firewall (WAF).

The question may be asked why the NGFW or IPS cannot mitigate these threats. As discussed in Modules 2 and 3, IPS signatures only detect known problems, may produce false positives, do not protect against threats embedded in SSL traffic, and have no application or user awareness. Basic firewalls look for network-based attacks, not application-based attacks. For these reasons, the Web Application Firewall (WAF) adds critical protections to the network security arsenal (Table 7).

Table 7. Web Application Firewall (WAF) application-level security measures.

Heuristics

One of the key features that enables WAFs to counter DDoS threats is heuristic—or behavior-based—analysis. Behavior-based DDoS protection measures, however, require different mitigating parameters than content-based protections. Some of these protection measures include configuring systems to identify potential threats based on source volume (intent vs. content), ping rates (hardcoded vs. custom), packet dimensions (coarse vs. granular), and trend-matching (fixed vs. adaptive). When using these behavior-based DDoS protection measures—focusing on traffic characteristics rather than content—policies do not require threat signature updates like content-based measures do.
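The threshold monitoring at layers 3 and 4 described in the DDoS section and the behaviour-based parameters described here (source volume, fixed versus adaptive trend-matching), worked as an added example that is not from the study guide: it classifies constructed packet records per time window using only source addresses and TCP flags, with no content signatures. The packet records and the threshold values are constructed assumptions; a real deployment tunes them to its own baseline.

```python
"""Added example (not from the study guide): behaviour-based detection of
the volumetric patterns described in the DDoS section -- a SYN flood from
one spoofed source and a 'zombie' flood of low-rate connections from many
sources -- using only L3/L4 fields (source address, TCP flags) and no content
signatures.  It contrasts fixed thresholds with an adaptive one derived from
the traffic baseline.  All packet records and thresholds are constructed."""
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Optional


class Pkt(NamedTuple):
    ts: float     # seconds
    src: str      # source address
    dport: int    # destination TCP port
    flags: str    # "S" = SYN only, "A" = ACK


def window_counts(pkts: List[Pkt], start: float, length: float) -> Dict[str, Counter]:
    """Per-source counts of SYN-only packets and of everything else inside
    one time window.  A pile of SYNs with nothing following from the same
    source is the half-open handshake pattern a SYN flood leaves behind."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for p in pkts:
        if start <= p.ts < start + length:
            counts[p.src]["syn" if p.flags == "S" else "other"] += 1
    return counts


def classify_window(counts: Dict[str, Counter], per_source_syn_limit: int,
                    aggregate_syn_limit: int) -> dict:
    """Fixed thresholds (source volume):
    noisy_sources: sources whose own SYN count exceeds the per-source limit
    distributed:   no single source is over the limit but the aggregate is,
                   i.e. many low-rate sources acting together (zombie pattern)"""
    total_syn = sum(c["syn"] for c in counts.values())
    noisy = sorted(s for s, c in counts.items() if c["syn"] > per_source_syn_limit)
    return {"total_syn": total_syn, "noisy_sources": noisy,
            "distributed": not noisy and total_syn > aggregate_syn_limit}


def adaptive_limit(history: List[int], k: float = 3.0, floor: float = 10.0) -> Optional[float]:
    """Adaptive (trend-matching) threshold: mean + k standard deviations of
    the SYN counts seen in recent windows judged normal, never below a
    floor.  None until two baseline windows exist."""
    if len(history) < 2:
        return None
    return max(floor, mean(history) + k * pstdev(history))


def run_detection(pkts: List[Pkt], windows: int = 4, per_source_syn_limit: int = 20,
                  aggregate_syn_limit: int = 50) -> List[dict]:
    """Walk one-second windows; the adaptive baseline is only updated from
    windows that raised no alert so an attack cannot raise its own limit."""
    results, history = [], []
    for w in range(windows):
        res = classify_window(window_counts(pkts, float(w), 1.0),
                              per_source_syn_limit, aggregate_syn_limit)
        limit = adaptive_limit(history)
        res["adaptive_limit"] = limit
        res["above_adaptive"] = limit is not None and res["total_syn"] > limit
        alerted = res["noisy_sources"] or res["distributed"] or res["above_adaptive"]
        if not alerted:
            history.append(res["total_syn"])
        results.append(res)
    return results


def sample_traffic() -> List[Pkt]:
    """Constructed packets, one scenario per one-second window:
    [0,1) and [1,2): normal, 8 then 12 clients each completing a handshake
    [2,3): SYN flood, one spoofed source sends 40 SYNs and never ACKs
    [3,4): zombie flood, 30 sources each complete 3 connections"""
    pkts: List[Pkt] = []

    def handshakes(t0: float, prefix: str, clients: int, per_client: int = 1) -> None:
        for i in range(clients):
            for n in range(per_client):
                t = t0 + i * 0.03 + n * 0.005
                pkts.append(Pkt(t, f"{prefix}.{i + 1}", 443, "S"))
                pkts.append(Pkt(t + 0.001, f"{prefix}.{i + 1}", 443, "A"))

    handshakes(0.0, "10.0.0", 8)
    handshakes(1.0, "10.0.1", 12)
    pkts += [Pkt(2.0 + n * 0.02, "203.0.113.7", 443, "S") for n in range(40)]
    handshakes(3.0, "198.51.100", 30, per_client=3)
    return pkts
```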


WAFs and PCI DSS Compliance

In the increasingly technology-driven and mobile lifestyle of the 21st Century, the ability to provide secure data transactions is not limited to considerations of data and program corruption, throughput limitations, or network operational parameters in the strict sense of providing digital pathways and storage. Additional considerations regarding Personally Identifiable Information (PII), credit security, and other personal account and data safety are regulated from outside the technology sector. The Payment Card Industry Data Security Standard (PCI DSS) sets requirements for security practices that apply to any vendors or organizations that process, store, or transmit cardholder data. Regulated also by government agencies and addressable by fines of up to $10,000 per breach, the PCI DSS program is a necessary consideration for most of the technology industry.

The PCI Data Security Standard consists of 12 requirements covering 6 common sense goals that reflect security best practices. Table 8 depicts the current standards for PCI data security compliance [18]. Of the 6 goals listed, goal number 3 most closely influences the ability of the network to maintain secure operations and effective monitoring against DDoS and other malicious threats to network security. Of course, all appliances, software, policy and processes within control of the network administrator should be regularly monitored and updated against modern, advanced, and emerging complex threats.

Table 8: Payment Card Industry Data Security Standards (PCI DSS).


ADC: Solutions and Benefits Part II

While the modern ADC provides enhanced capabilities to the Server Side of the ADN, an ADC also provides capabilities to the Outer Perimeter function of the ADN, which include:

Disaster Recovery. This capability of the ADC provides redundancy while scaling applications across multiple data centers. This DNS-based function uses Global Server Load Balancing (GSLB) smart routing between data centers using configurable business rules, with an automatic response that switches between data centers for disaster recovery contingency when a data center or connectivity link becomes unavailable (Figure 54).

Benefits. The disaster recovery and GSLB features provide important network security capabilities. The automatic switching feature provides the ability to survive data center or transmission link outages while ensuring data is automatically recovered. Because of intelligent switching, users are rerouted to the next best data center for their needs, making the process seamless to the end user.

Figure 54. Global Server Load Balancing (GSLB).

Mask Server IPs. A challenge in keeping individual servers secure from threats is segregating them from access by unauthorized users. One method to accomplish this is to mask the individual server ID by rewriting content—such as headers and other identifying information—to a single IP address when data is transmitted outside the internal network (Figure 55).

Benefits. By masking individual server IDs behind the ID of the ADC routing data to individual servers, all data flows through the ADC, reducing the chances for external threats to gain access to individual servers without passing through network security inspections.


Figure 55. Server ID masking with ADC.

Quality of Service (QoS). One of the challenges of the seemingly constant increase in data traffic, as society becomes more mobile and more web- and application-enabled, is identifying and prioritizing important traffic over routine or less important traffic. QoS is managed by configuring rules and policies for traffic policing, traffic shaping, and queuing that ensure the most important traffic for the organization is prioritized above other data.

Benefits. QoS results in higher quality data flow for the most critical traffic based on organization priorities, whether it be VoIP for sales and customer support, eCommerce transactions, or corporate file transfers. By setting the appropriate rules and policies in the ADC, organization and user quality of service—and efficiency and satisfaction—may be enhanced.

Link Load Balancing (LLB). LLB addresses the issues of bandwidth and redundancy by using multiple WAN links. A link load balancer connects many WAN links to the network and routes inbound and outbound traffic based on criteria like availability, performance, or business rules to use the lowest-cost links. If a link should fail, traffic is routed to others to ensure your application remains available to users.

Benefits. LLB provides redundancy to maintain application availability by rerouting traffic to users via another available link. By selectively routing traffic over the most available and appropriate links based on programmed rules and policies, LLB optimizes bandwidth use, reducing bandwidth needs. These two features both serve to improve application response times to users.


Summary

Because applications are a primary method by which users of all types create, access, transmit, and store data, application security is a critical concern for modern and future technology—from personal to corporate use, handheld to mainframes, and small to multinational global scopes. Application threats evolve along with applications and technology. Complex threats—such as Distributed Denial of Service (DDoS) attacks—require new and robust protections and countermeasures. Developments like IPv6, Web Application Firewalls (WAF), and use of Application Delivery Controllers (ADC) in integrated Application Delivery Networks (ADN) provide layered defenses to protect the integrity and operability of application functions in OSI levels 3-7. Building on these protections and those discussed in previous modules, the final module will focus on management of security apparatus and the importance of analytics in network management.


Module 5: Management and Analytics

Modules 1-4 provide insight into how hardware and software development work to protect systems and networks from modern and emerging threats. This continued technology evolution allows users to conduct business, participate in commerce, maintain communications across the globe, and manage personal affairs with minimal interruption or threat of critical information vulnerability and loss. This module provides discussion on how effective management through the use of analytic tools allows system and network administrators to optimize the secure environment users have come to expect—and upon which businesses and global commerce rely.

Security Management

Simply stated, security management exists at the region where the scope of IT security and IT operations meet.

As organizational structures grow in size and complexity, the tendency is for more network resources—machines, servers, routers, etc.—to be deployed. As the network grows, so also does the scope of potential threats to secure and efficient operation of the network to meet organizational goals. With the global nature of modern business and e-commerce, the sheer number of branch and remote locations—and managed devices—makes consolidated network security management essential for effective IT administration.

To this end, the primary goal of security management is to reduce security risks by ensuring that systems are properly configured—or hardened—to meet internal, regulatory, and/or compliance standards. Security management is a software-based solution that integrates three primary elements:

Vulnerability Assessment. Network security analysis designed to identify critical IT security weaknesses that a cyber-attacker could exploit.

Automated Remediation. Allows automated correction of faults or deficiencies—vulnerabilities—identified in the assessment process. Provides reports and tools to track vulnerabilities that must be remediated manually.

Configuration Management. Evaluates the security of a network’s critical servers, operating systems, application-level security issues, and administrative and technical controls, and identifies potential and actual weaknesses, with recommended countermeasures.

IT managers are faced with challenges that range from simple codes to threats hidden in secure packets designed to target cloud-based applications. Modern and emerging future threats present dynamic and potentially complex challenges to network security, demanding comprehensive, complex security solutions. Unfortunately, studies have shown that the more complex administrative functions become, the less likely network administrators are to spend the requisite amount of attention on the various apparatus and displays. For this reason, security management has been consolidated into a single console that enables monitoring and management of network security. Through this integrated monitoring and control solution, IT managers may address the following issues:


Device Configuration. Manages the configuration of each device on the network and maintains the system-level configuration required to manage the network environment. This includes monitoring device firmware to ensure it is kept up to date.

Firewall Policy. Provides viewing and modification of firewall configurations—access rules and inspection rules—in the context of the interfaces whose traffic is filtered.

Content Security Policy. A computer security concept to prevent cross-site scripting (XSS) and related application-level attacks. It provides a standard HTTP header allowing website administrators to determine approved sources of content that browsers may load on designated pages. Covered types include JavaScript, CSS, HTML frames, fonts, images, and embeddable objects like Java applets, ActiveX, audio, and video files.
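As an added illustration of the header described above (example code, not from the study guide or any vendor), the following simplified checker parses a CSP header into its directives and decides whether a script, image or object from a given origin may be loaded, falling back to default-src when the specific directive is absent. The policy string, page origin and resource URLs are constructed sample values.

```python
"""Checking a Content Security Policy (CSP) header against a resource load.

Added example, not from the study guide: parses a CSP header into directives
and decides whether a page may load a script, image or object from a given
origin, falling back to default-src when the specific directive is absent.
Simplified matching; the policy, page origin and URLs are constructed.
"""
from urllib.parse import urlsplit


def parse_csp(header):
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def _source_matches(source, url):
    """Match one CSP source expression (other than 'self') against a URL."""
    u = urlsplit(url)
    s = source.lower()
    if s in ("'none'", "'self'"):
        return False                      # 'self' is handled by allows()
    if s == "*":
        return u.scheme in ("http", "https")
    if s.endswith(":"):                   # scheme-source such as https:
        return u.scheme == s[:-1]
    scheme, _, hostport = s.rpartition("://")   # host-source
    if scheme and u.scheme != scheme:
        return False
    host, _, port = hostport.partition(":")
    default_port = 443 if u.scheme == "https" else 80
    if port and port != "*" and str(u.port or default_port) != port:
        return False
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])
    return u.hostname == host


def allows(policy, directive, url, page_origin):
    """True when the resource at url may be loaded under `directive`."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                       # nothing in the policy restricts it
    if "'self'" in [s.lower() for s in sources]:
        p, u = urlsplit(page_origin), urlsplit(url)
        if (p.scheme, p.hostname, p.port) == (u.scheme, u.hostname, u.port):
            return True
    return any(_source_matches(s, url) for s in sources)


# Constructed sample policy and page origin
POLICY = parse_csp("default-src 'self'; script-src 'self' https://cdn.example.net; "
                   "img-src *; object-src 'none'")
PAGE = "https://www.example.com"

if __name__ == "__main__":
    for directive, url in [("script-src", "https://cdn.example.net/lib.js"),
                           ("script-src", "https://evil.example.org/x.js"),
                           ("object-src", "https://www.example.com/applet.jar")]:
        verdict = "allowed" if allows(POLICY, directive, url, PAGE) else "blocked"
        print(directive, url, "->", verdict)
```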

A conceptual diagram of security management is illustrated in Figure 56 below:

Figure 56. Security Management (SM) conceptual diagram

The primary goal is to provide high availability for the network, implying redundancy and fault tolerance managed by the network security solution. In small and medium business (SMB) networks and many large and distributed enterprise networks, network security may be provided by a managed security service provider (MSSP) for a number of reasons—as discussed in Module 1. To facilitate effective network security management, MSSPs and network administrators must have access to essential features that enable them to provide protection to the network as a whole and the data contained therein. Three principles drive these essential features: segmentation, scalability, and high performance.

[Figure 56 components: SM Analyst, SM Console, SM Database, SM – Monitored Devices]

Segmentation. Multi-tenancy architecture is one in which a single instance of a software application serves multiple customers, with each customer referred to as a tenant. The key purpose of multi-tenancy is segmenting customers in a managed service provider environment. Tenants have limited capabilities within the application, such as choosing interface colors or business rules, but have no access to application code. Administrative domains (ADOMs) are virtual domains used to isolate devices and user accounts. This gives regular user accounts visibility only into devices and data that are specific to their ADOM, such as a geographic location or business division.

Scalability. Virtual firewall positioning & deployment. Very few organizations use 100% physical or 100% virtual IT infrastructure, necessitating deployment of interoperable hardware and virtual appliances in security strategies. For both of these firewall options, control through a centralized panel provides ease of operation to security administrators while enabling the use of complex measures to counter modern and emerging complex threats. Virtual domains (VDOMs) were introduced by Fortinet in 2004 and offer virtualized security from SMB to large and distributed enterprise networks by rapid deployment within existing virtual infrastructures. [8]

High Performance. Because security management spans the scope from home networks to SMB to large and distributed enterprise networks, security management must be customizable to meet the needs of each level of operation. For example, the Application Program Interface (API) specifies how software components should interact and is used when programming the graphical user interface (GUI), allowing visibility of the customized network functions. Automation is especially important for large and distributed enterprise networks, providing an automated workflow that enables users to approve, deny, defer, or even execute remediation of configuration errors, potentially saving considerable time and effort.

Managing the Security Console

Network security management includes both hardware and software appliances and virtual machine (VM) capabilities. They may be deployed as physical network security appliances, virtual appliances, or software packages. Flexible interfacing allows IT administrators to address the management system via a command line interface, web-based graphical user interface, or programmatically using JSON/XML requests (scripting, customization, etc.). This provides network security flexibility for a wide range of network sizes, from home networks and SMB up to large and distributed enterprise networks that are geographically separated.

The most important function commonly associated with a security management solution is maintaining firewall policies across a distributed enterprise. In large and distributed enterprise environments, security management and reporting/compliance functions are usually separated, with local personnel managing local nodes and a central site having visibility over configuration compliance, generally from the data center at the corporate headquarters or designated IT management division.

Because of the wide range of network security device deployment options, network security consoles are typically licensed based on the number of devices they will be managing. This provides tailored, flexible security options appropriate to organization requirements [8]. These security consoles are enabled by use of simple network management protocol (SNMP), which provides administrators the capability to monitor and, when necessary, configure hosts on a network. This centralized ability to configure network devices is referred to as device management, and is a critical capability in allowing IT administrators to manage—monitor and configure—distributed enterprise networks.

Figure 57. Integrated security control console

Administrative Domains (ADOMs) provide the capability to better organize the network environment. A domain is the equivalent of an organizational unit. The purposes of using ADOMs are:

Limiting administrative scope to specific devices

Segmenting tenants in a managed service provider environment

Administrative domains are further segregated into Accounts, each of which must have at least one User. However, permissions and policies must be set at the domain administrator and network administrator levels. [8]

Policy and Security

Policy packages enable the addressing of specific needs for an organization’s different sites by creating a tailored policy package for each site. Policy packages provide flexibility to administrators, because they may be applied to individual or multiple devices. The advantage to using a policy package is that it simplifies the installation of a set of firewall rules for sites. [8]

Object libraries contain the names and entry points of the code located in the library, as well as a list of the objects that applications or systems using the code require in order to run. An example would be needing an application capable of reading a .jpg file in order to use an object with a .jpg extension. Object libraries may be configured to direct which applications are used to open or run which types of files, beyond the manufacturers’ default settings. Object libraries may be dragged into policy packages to define actions for traffic meeting criteria matching the identified object characteristics.


Figure 58. Policy Package example.

Global policy packages become increasingly important as network complexity, size, or distributed configuration grow. Because large and distributed enterprise networks may delegate remote security management to local administrators, as introduced previously, it is important for central network administrators to retain overall visibility and control of the entire network. To this end, global policies allow administrators of large enterprises and MSPs to “bookend” segmented/tenant firewall rules in order to ensure compliance with overall network policies and operating regulations [8].

Figure 59. Global Policy “Bookend” flow.


Firewall rules (also called firewall policies) are a major challenge for network security administrators, making it important for companies and organizations—especially distributed enterprise operations—to have and implement a firewall policy management solution. Depending on the size of the operation and network, this function may be accomplished by the network security administrator or, if a large enough enterprise, a firewall administrator. But with the fast-paced and rapidly-evolving dynamics of technology and its use, the threat of security gaps being created because of a disjointed firewall policy program is as real as the threat from external sources.

To assist the network security administrator or firewall administrator in developing, implementing, and monitoring firewall policy requirements and effectiveness, regular, systematic reviews of firewall policies should be put in place. These reviews provide important benefits, mitigating challenges such as:

Mistakenly adding duplicate, similar, or overriding firewall policies

Missing the impact of corporate policy changes that may impact particular rules

Creation of policies that are too specific at the time of implementation and may need to be broadened to be effective

Determining what/when policies should be implemented by a policy push—applying the new policies to individual security devices

In order to facilitate inputs to the firewall policy development and review process, a firewall policy workflow process should be established by which policy change recommendations are submitted, approved, and implemented by IT staff, and then the document retained for archival purposes for later analytic review. As these processes become institutionalized, the end result becomes not only more effective firewall rules management, but efficiency that leads to rules reduction, or a decrease in firewall rules via periodic reviews or automation.
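To make the global “bookend” ordering and the review challenges above concrete, here is an added example (not code from the study guide or any Fortinet product) that assembles a policy package as global header + tenant rules + global footer, evaluates it first-match, and flags duplicate, shadowed and overridden rules as candidates for rules reduction. Rule names, networks and ports are constructed sample values, and the match model is a simplified five-tuple with no interfaces or schedules.

```python
"""Global "bookend" policy packages and a firewall rule review pass.

Added example, not from the study guide or any Fortinet product: a simplified
first-match model where global header/footer rules bracket a tenant's rules,
plus a review that flags duplicate, shadowed and overridden rules.
Rule names, networks and ports are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    dport: str      # destination port or "any"
    proto: str      # "tcp", "udp" or "any"
    action: str     # "accept" or "deny"
    origin: str = "tenant"   # "global-header", "tenant" or "global-footer"


def _covers(broad, narrow, is_net=False):
    """True when every value `narrow` matches is also matched by `broad`."""
    if broad == ANY:
        return True
    if narrow == ANY:
        return False
    if is_net:
        return ip_network(narrow).subnet_of(ip_network(broad))
    return broad == narrow


def covers(a, b):
    """True when rule a matches every packet rule b would match."""
    return (_covers(a.src, b.src, True) and _covers(a.dst, b.dst, True)
            and _covers(a.dport, b.dport) and _covers(a.proto, b.proto))


def first_match(package, src, dst, dport, proto):
    """First-match evaluation; None means no rule matched (implicit deny)."""
    for r in package:
        if (_covers(r.src, f"{src}/32", True) and _covers(r.dst, f"{dst}/32", True)
                and _covers(r.dport, str(dport)) and _covers(r.proto, proto)):
            return r
    return None


def build_package(header, tenant, footer):
    """Bookend: global header rules first, tenant rules, global footer last."""
    return list(header) + list(tenant) + list(footer)


def review(package):
    """Flag each rule that an earlier rule already fully covers."""
    findings = []
    for j, later in enumerate(package):
        for earlier in package[:j]:
            if not covers(earlier, later):
                continue
            same = ((earlier.src, earlier.dst, earlier.dport, earlier.proto)
                    == (later.src, later.dst, later.dport, later.proto))
            if same and earlier.action == later.action:
                kind = "duplicate"
            elif earlier.action == later.action:
                kind = "shadowed"       # redundant: a rules-reduction candidate
            else:
                kind = "overridden"     # never takes effect: review the intent
            findings.append((kind, earlier.name, later.name))
            break
    return findings


# Constructed sample package: global header, one tenant's rules, global footer
GLOBAL_HEADER = [Rule("gh-block-telnet", ANY, ANY, "23", "tcp", "deny", "global-header")]
TENANT_A = [
    Rule("t-web", "10.1.0.0/16", "192.0.2.10/32", "443", "tcp", "accept"),
    Rule("t-web-dup", "10.1.0.0/16", "192.0.2.10/32", "443", "tcp", "accept"),
    Rule("t-legacy-telnet", "10.1.0.0/16", ANY, "23", "tcp", "accept"),
    Rule("t-dns", "10.1.0.0/16", ANY, "53", "udp", "accept"),
    Rule("t-dns-branch", "10.1.5.0/24", ANY, "53", "udp", "accept"),
]
GLOBAL_FOOTER = [Rule("gf-deny-all", ANY, ANY, ANY, ANY, "deny", "global-footer")]
PACKAGE = build_package(GLOBAL_HEADER, TENANT_A, GLOBAL_FOOTER)

if __name__ == "__main__":
    hit = first_match(PACKAGE, "10.1.0.7", "203.0.113.9", 23, "tcp")
    print("telnet from tenant host ->", hit.name, hit.action)   # global header wins
    for kind, earlier, later in review(PACKAGE):
        print(f"{kind}: {later} is covered by {earlier}")
```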

Rules reduction through automation—this is where the technology of adept security change management is necessary to improve the probability that the network will remain secure. Security Change Management is the industry term for the product or feature that seeks to reduce or optimize the number of firewall rules and provides IT staff and network auditors with a clear picture of how changes were implemented. With more complex firewalls incorporating more features—such as the Next Generation Firewall (NGFW)—simplification of the user interfaces of complex processes increases the likelihood that comprehensive security measures will be engaged, monitored, and updated as necessary to keep up with emerging threats.

Auditing has important advantages in the security management environment. Because auditing is a mechanism that records actions that occur on a system, the associated audit log(s) contain information detailing the events (such as login, logout, file access, upload, download, etc.), who performed the action and when it was accomplished, and whether the action was successful. Some important events that should be logged include:

Login/Logoff (incl. failed)

Supervisor/administrator login & function

Network connections (incl. failed)

Sensitive file access


In the context of security management, auditing provides the following advantages:

Ensures that the organization maintains compliance with programs such as HIPAA and PCI

Helps track workflows/approvals for firewall policy changes

Associates security event logs with an individual owner for forensics

Analytics

Unless analytics are applied to future decisions, they cease to serve a vital function for administrators. The most important function of analytics is to ensure security effectiveness and improvement while enabling optimum system and network performance.

Analytic reporting is designed to provide end-to-end analysis of system and network performance. In the context of security management, this analysis includes factors concerning potential impacts on performance due to attempted or successful attacks, actions taken by preventative policies and apparatus that detected and prevented intrusion, forensic records of user data for system and network functions, and so forth.

Reporting is designed to be a cyclical process—not linear; that is, the data analyzed is used to inform decisions regarding whether policies, programming, or apparatus need to be updated or may remain as currently constituted. If updates are necessary, analytics inform decision-makers—such as corporate compliance groups—in determining what updates or reconfigurations are the right ones to accomplish.

Security Information and Event Management

Security Information and Event Management (SIEM) [8] is a system that gathers security logs from multiple sources and correlates logged events to be able to focus on events of importance. The SIEM ecosystem is designed to address the unique requirements of a wide range of customers, from large enterprises to managed security service providers (MSSPs) that manage thousands of individual customer environments.

Key features include near real-time visibility for threat detection and prioritization, delivering visibility across the entire IT infrastructure. It reduces and prioritizes alerts to focus investigations on an actionable list of suspected incidents, enabling more effective threat management while producing detailed data access and user activity reports.

SIEM operates on the basis of what logs the administrator has authorized to be forwarded from the Syslog to the SIEM. These logs may be tuned further to set a minimum severity level for log forwarding; the severity levels, in order from least to most severe, are:

Debugging

Information

Notification

Warning

Error

Critical

Alert

Emergency


SIEM provides three primary functions for network security:

Event logging. How systems and applications record and save data that shows what events happened at what time and place with what results on the system, in the network, or in an application.

Event correlation. Comparing logged events and correlating like events together to determine significant instances of repetitious or associated events.

Incident alerting. Provides alerts for security incidents on the network. [8]
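The severity threshold for log forwarding and the three SIEM functions above, as an added example that is not part of the study guide: it parses syslog lines into fields (event logging), forwards only those at or above a configured minimum severity, correlates repeated failed logins from one source within a time window, and raises an incident alert. The log lines, hostname and addresses are constructed sample data, and the PRI-based severity decoding follows the Syslog convention of PRI = facility × 8 + severity.

```python
"""Minimal SIEM pipeline: syslog parsing, severity filtering, correlation, alerting.

Added example, not from the study guide or any vendor product. Demonstrates the
three SIEM functions the guide lists (event logging, event correlation, incident
alerting) and the syslog severity threshold used for log forwarding.
Log lines, hostnames and addresses are constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog severities, most severe (0) to least (7); names as in the study guide.
SEVERITY = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notification": 5, "Information": 6, "Debugging": 7,
}

# RFC 3164-style line: <PRI>TIMESTAMP HOST APP[PID]: MESSAGE
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<app>[^\s:\[]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)
_FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")


def parse_syslog(line):
    """Event logging: split one syslog line into its fields, or None if malformed."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,            # PRI = facility * 8 + severity
        "severity": pri & 7,
        "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "host": m["host"], "app": m["app"], "msg": m["msg"],
    }


def should_forward(entry, minimum):
    """Forward only events at least as severe as the configured minimum level."""
    return entry["severity"] <= SEVERITY[minimum]


def correlate_failed_logins(entries, threshold=3, window_s=60):
    """Event correlation: repeated failed logins from one source inside a window."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for e in entries:
        m = _FAILED.search(e["msg"])
        if not m:
            continue
        src = m["src"]
        q = recent[src]
        q.append(e["time"])
        while (q[-1] - q[0]).total_seconds() > window_s:   # drop stale attempts
            q.popleft()
        if len(q) >= threshold and src not in alerted:       # incident alerting
            alerted.add(src)
            alerts.append({"src": src, "count": len(q),
                           "host": e["host"], "last_user": m["user"]})
    return alerts


def run_pipeline(lines, minimum="Information"):
    """Parse, apply the forwarding threshold, correlate; return (forwarded, alerts)."""
    forwarded = [e for e in map(parse_syslog, lines) if e and should_forward(e, minimum)]
    return forwarded, correlate_failed_logins(forwarded)


# Constructed sample lines: PRI 87 = authpriv/debug, 86 = info, 85 = notice, 84 = warning
SAMPLE_LOGS = [
    "<87>Jan 10 10:00:01 fw01 sshd[1201]: debug1: Connection from 198.51.100.7 port 51000",
    "<86>Jan 10 10:00:02 fw01 sshd[1201]: Failed password for admin from 198.51.100.7 port 51000 ssh2",
    "<86>Jan 10 10:00:20 fw01 sshd[1204]: Failed password for admin from 198.51.100.7 port 51002 ssh2",
    "<86>Jan 10 10:00:41 fw01 sshd[1207]: Failed password for root from 198.51.100.7 port 51003 ssh2",
    "<86>Jan 10 10:01:05 fw01 sshd[1210]: Failed password for bob from 10.1.0.9 port 40000 ssh2",
    "<85>Jan 10 10:01:30 fw01 sshd[1212]: Accepted password for bob from 10.1.0.9 port 40001 ssh2",
    "<84>Jan 10 10:02:00 fw01 kernel: link state down on port3",
]

if __name__ == "__main__":
    forwarded, alerts = run_pipeline(SAMPLE_LOGS, "Information")
    print(f"forwarded {len(forwarded)} of {len(SAMPLE_LOGS)} events")
    for a in alerts:
        print("ALERT repeated failed logins:", a)
```

Raising the minimum to "Warning" forwards only the kernel line, so the failed logins never reach the correlation stage: the forwarding threshold trades log volume against detection coverage.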

Perhaps the most critical function upon which the SIEM concept depends is logging, because it forms the basis for making decisions regarding system and network functions and potential anomalies. Logging is how systems and applications record and save data that shows what events happened at what time and place with what results on the system, in the network, or in an application. Logging is one of the forensic tools that may be used to analyze successful attacks, malware infections, or attempted network intrusions. This capability, although it becomes more complex as networks grow and become geographically distributed, is important to networks of all sizes against modern and future network threats.

In the 1980s, Syslog was developed as part of the Sendmail project, but proved so valuable a tool that it began being used by other applications as well. In today’s IT world, Syslog is still the de facto industry standard for security event logging. In fact, Syslog has become entrenched as the standard, such that operating systems such as Windows and UNIX, as well as regulations such as SOX, PCI DSS, and HIPAA either use Syslog format or have embedded capability for conversion to Syslog. [19]

Because logging is a necessity for networks of every size, the factor of resource balancing is an important consideration. As with determining whether IaaS, PaaS, or SaaS application services are best suited, the most cost-effective logging/reporting method for SMB is cloud-based event logging. Similarly, some organizations may opt for standalone logging/reporting solutions to more effectively manage logs collected from multiple security devices.

Network Visibility

Network Visibility refers to the ability for administrators to know what type of traffic is crossing their network, including Web, applications, email, etc. It allows optimization of bandwidth for business critical applications. Because modern and emerging threats are able to take advantage of different traffic types in different ways, network visibility is a key capability in the administrator’s arsenal, providing the opportunity to achieve:

Network monitoring and faster troubleshooting

Application monitoring and profiling

Capacity planning and network trends

Detection of unauthorized WAN traffic


Figure 60. Network visibility benefits.

Network visibility is of the utmost importance to security administrators. This includes visibility of every component of the network, including remote components geographically separated as part of a large distributed enterprise network. In order to adequately monitor system and network security events, the security administrator must have access to logging from across the entire infrastructure, including firewalls, email gateways, endpoint devices, and other network components, both physical and virtual.

Network visibility must be treated as a cyclical process in order to be effective. As illustrated in Figure 60, network visibility provides a wealth of information about many facets of network operations. All of this data, however, is lost if not used to inform analyses that may improve further network operations and security. For this reason, network visibility data should be used to inform reporting on network operations and be used in developing future plans and policy.


Summary

Security management provides vulnerability assessment, automated remediation, and configuration assessment in an environment providing complex protection with simplified administration. The goal of security management is to reduce security risks through proper configuration and compliance.

Across all sizes and types of networks, security management provides customization and automation to assist network security administrators through administrative domains to segment users, firewall & global policy packages enabling reduction and optimization of rules, and auditing that provides oversight of compliance, workflow, approvals, and forensic tracing.

Security Information and Event Management (SIEM) provides a wide range of administrator services in managing logged events and analysis to correlate and determine the most appropriate security measures, policy updates, and reactions to network incidents.

Network visibility provides administrators with the necessary end-to-end monitoring, troubleshooting, profiling, and analysis tools to plan and address modern and emerging threats to the network. Adept management, using the right analytics to inform decisions and actions, is key to establishing and maintaining an efficient and secure network environment.


Key Acronyms

AAA Authentication, Authorization, and Accounting

AD Active Directory

ADC Application Delivery Controller

ADN Application Delivery Network

ADOM Administrative Domain

AM Antimalware

API Application Programming Interface

APT Advanced Persistent Threat

ASIC Application-Specific Integrated Circuit

ASP Analog Signal Processing

ATP Advanced Threat Protection

AV Antivirus

AV/AM Antivirus/Antimalware

BYOD Bring Your Own Device

CPU Central Processing Unit

DDoS Distributed Denial of Service

DLP Data Leak Prevention

DNS Domain Name System

DoS Denial of Service

DPI Deep Packet Inspection

DSL Digital Subscriber Line

FTP File Transfer Protocol

FW Firewall

Gb Gigabyte

GbE Gigabit Ethernet

Gbps Gigabits per second

GSLB Global Server Load Balancing

GUI Graphical User Interface

HTML Hypertext Markup Language

HTTP Hypertext Transfer Protocol

HTTPS Hypertext Transfer Protocol Secure

IaaS Infrastructure as a Service

ICMP Internet Control Message Protocol

ICSA International Computer Security Association

ID Identification

IDC International Data Corporation

IDS Intrusion Detection System

IM Instant Messaging

IMAP Internet Message Access Protocol

IMAPS Internet Message Access Protocol Secure

IoT Internet of Things

IP Internet Protocol

IPS Intrusion Prevention System

IPSec Internet Protocol Security

IPTV Internet Protocol Television

IT Information Technology

J2EE Java Platform Enterprise Edition

LAN Local Area Network

LDAP Lightweight Directory Access Protocol

LLB Link Load Balancing

LOIC Low Orbit Ion Cannon

MSP Managed Service Provider

MSSP Managed Security Service Provider

NGFW Next Generation Firewall

NSS NSS Labs

OSI Open Systems Infrastructure


OTS Off the Shelf

PaaS Platform as a Service

PC Personal Computer

PCI DSS Payment Card Industry Data Security Standard

PHP PHP Hypertext Protocol

POE Power over Ethernet

POP3 Post Office Protocol (v3)

POP3S Post Office Protocol (v3) Secure

QoS Quality of Service

Radius Protocol server for UNIX systems

RDP Remote Desktop Protocol

SaaS Software as a Service

SDN Software-Defined Network

SEG Secure Email Gateway

SFP Small Form-Factor Pluggable

SFTP Secure File Transfer Protocol

SIEM Security Information and Event Management

SLA Service Level Agreement

SM Security Management

SMB Small & Medium Business

SMS Simple Messaging System

SMTP Simple Mail Transfer Protocol

SMTPS Simple Mail Transfer Protocol Secure

SNMP Simple Network Management Protocol

SPoF Single Point of Failure

SQL Structured Query Language

SSL Secure Socket Layer

SWG Secure Web Gateway

SYN Synchronization packet in TCP

Syslog Standard acronym for Computer Message Logging

TCP Transmission Control Protocol

TCP/IP Transmission Control Protocol/Internet Protocol (Basic Internet Protocol)

TLS Transport Layer Security

TLS/SSL Transport Layer Security/Secure Socket Layer Authentication

UDP User Datagram Protocol

URL Uniform Resource Locator

USB Universal Serial Bus

UTM Unified Threat Management

VDOM Virtual Domain

VM Virtual Machine

VoIP Voice over Internet Protocol

VPN Virtual Private Network

WAF Web Application Firewall

WANOpt Wide Area Network Optimization

WLAN Wireless Local Area Network

WAN Wide Area Network

XSS Cross-site Scripting


References

1. StrataIT. Did you leave your backdoor open over the holidays? 2012 [cited 2014 October 20]; [Image: Fortinet UTM vs. Adhoc Network Security Model]. Available from: http://www.stratait.com/content/did-you-leave-your-backdoor-open-over-holidays.

2. UAB, M., Fortinet Secure Gateways, Firewalls. 2013.

3. Frampton, K., The Differences Between IaaS, SaaS, and PaaS. 2013, SmartFile.

4. Bray, G., SaaS vs PaaS vs IaaS. 2010, Stack Exchange.

5. Gartner, Next Generation Firewalls will include Intrusion Prevention. 2004.

6. Gartner, Magic Quadrant for Enterprise Network Firewalls. 2008.

7. Gartner, Defining the Next Generation Firewall. 2009.

8. Tam, K., et al., UTM Security with Fortinet: Mastering FortiOS. 2013, Waltham, MA: Elsevier.

9. Tittel, E., Unified Threat Management for Dummies. 2012, Hoboken, NJ: John Wiley & Sons.

10. Miller, L., Next-Generation Firewalls for Dummies. 2011, Indianapolis, IN: Wiley Publishing, Inc.

11. Rouse, M., Unified Threat Management Devices: Understanding UTM and its Vendors. Essential Guide, 2014.

12. Janssen, C., Quality of Service (QoS), in Techopedia.com. n.d.

13. Rischbeck, T., XML Appliances for Service-Oriented Architectures. SOA Magazine, 2010.

14. OWASP, About the Open Web Application Security Project. 2014 [cited 2014 October 31]; Available from: https://www.owasp.org/index.php/About_OWASP.

15. Maiwald, E., Network Security: A Beginner's Guide. 3rd ed. 2013, New York, NY: McGraw-Hill.

16. Nichols, S., Peak IPv4? Global IPv6 traffic is growing, DDoS dying, says Akamai. The Register, 2014.

17. Rouse, M., Application Delivery Controller. Essential Guide, 2013 [cited 2014 October 15]; Available from: http://searchnetworking.techtarget.com/definition/Application-delivery-controller.

18. Council, P.S.S., PCI Quick Reference Guide. 2008.

19. Gerhards, R., The Syslog Protocol.