Modern Network Security NSE1 Study Guide eBook

Uploaded by heferson, posted 07-Aug-2018.

8/20/2019 Modern Network Security NSE1 Study Guide eBook (1/79)

Modern Network Security: Study Guide for NSE 1

January 1, 2015

This Study Guide is designed to provide information for the Fortinet Network Security Expert Program – Level 1 curriculum. Each chapter in the study guide corresponds to a module in the NSE Level 1 curriculum and examinations. The study guide presents discussions on the concepts and equipment necessary as a foundational understanding of modern network security prior to taking more advanced and focused NSE program levels.

Fortinet Network Security Solutions


Contents

Introduction ..... 8
Infrastructure Evolution ..... 9
Threat Landscape ..... 10
Threat Timeline ..... 11
Advanced Threats ..... 11
Advanced Threats and Network Security: Continuing Evolution ..... 12
Module 1: Data Center Firewalls ..... 13
Data Center Evolution ..... 13
Market Trends Affecting Data Centers ..... 13
Infrastructure Integration ..... 14
Edge vs. Core Data Center Firewalls ..... 14
Data Center Firewall Characteristics ..... 16
Virtual Firewalls ..... 19
Data Center Network Services ..... 21
Application Systems ..... 21
Application Services ..... 22
Summary ..... 24
Module 2: Next Generation Firewall (NGFW) ..... 25
Technology Trends ..... 25
NGFW Characteristics: Fundamental Changes ..... 26
NGFW Evolution ..... 27
Traditional NGFW Capabilities ..... 28
NGFW Functions ..... 32
Extended NGFW Capabilities ..... 33
Sandboxes and APT ..... 36
Advanced Persistent Threats (APT) ..... 37
Advanced Threat Protection (ATP) ..... 38
NGFW Deployment ..... 38
Edge vs. Core ..... 38
NGFW vs. Extended NGFW ..... 39


Summary ..... 40
Module 3: Unified Threat Management (UTM) ..... 41
The Key to UTM: Consolidation ..... 41
UTM Features ..... 41
UTM Distributed Enterprise Advanced Features ..... 43
Extended UTM Features ..... 44
Evolving UTM Features ..... 45
UTM Functions ..... 47
Where UTM Fits In… ..... 48
UTM: Scalable Deployment ..... 49
Summary ..... 50
Module 4: Application Security ..... 51
Application Challenges to Meeting User Needs ..... 51
Application Layers: The OSI Model ..... 52
Application Vulnerabilities ..... 53
OWASP ..... 53
Distributed Denial of Service (DDoS) ..... 55
Application Security Solutions ..... 58
Application Delivery Controllers (ADC) ..... 58
Application Delivery Network (ADN) ..... 59
ADC: Solutions and Benefits Part I ..... 60
Web Application Firewall (WAF) Characteristics ..... 61
Heuristics ..... 62
WAFs and PCI DSS Compliance ..... 63
ADC: Solutions and Benefits Part II ..... 64
Summary ..... 66
Module 5: Management and Analytics ..... 67
Security Management ..... 67
Managing the Security Console ..... 69
Policy and Security ..... 70
Analytics ..... 73


Security Information and Event Management ..... 73
Network Visibility ..... 74
Summary ..... 76
Key Acronyms ..... 77
References ..... 79


List of Figures

Figure 1. From closed networks to Global Information Grid ..... 9
Figure 2. The scope of modern global network users ..... 9
Figure 3. Fortinet UTM versus traditional ad hoc model ..... 10
Figure 4. Chronology of major network attacks since October 2013 ..... 11
Figure 5. Advanced Threat Protection (ATP) ..... 11
Figure 6. Notional edge firewall configuration ..... 15
Figure 7. Notional data center firewall deployment ..... 15
Figure 8. Data center firewall adaptability to evolving capabilities ..... 16
Figure 9. Data center in a distributed enterprise network ..... 17
Figure 10. Data center core firewall ..... 19
Figure 11. North-South (Physical) vs. East-West (Virtual) traffic ..... 20
Figure 12. Notional network ..... 22
Figure 13. Differences between IaaS, PaaS, and SaaS ..... 23
Figure 14. Examples of businesses using IaaS, PaaS, and SaaS cloud models ..... 24
Figure 15. Bring Your Own Device (BYOD) practices in 2011 ..... 26
Figure 16. Edge firewall vs. NGFW traffic visibility ..... 26
Figure 17. Traditional port configuration example ..... 27
Figure 18. NGFW configuration example by application, user ID ..... 27
Figure 19. NGFW evolution timeline ..... 28
Figure 20. Intrusion Prevention System (IPS) ..... 28
Figure 21. Deep Packet Inspection (DPI) ..... 29
Figure 22. Network application identification and control ..... 29
Figure 23. Access enforcement (User identity) ..... 30
Figure 24. NGFW distributed enterprise-level capability ..... 30
Figure 25. Extra-firewall intelligence IP list assignment ..... 31
Figure 26. Notional network with managed security (MSSP) ..... 31
Figure 27. Application awareness: The NGFW application monitoring feature ..... 32
Figure 28. Extending FortiGate NGFW with Advanced Threat Protection (ATP) ..... 33
Figure 29. Authentication functions integrated into NGFW ..... 34
Figure 30. Web filtering profile control ..... 35
Figure 31. FortiGate antivirus/malware ..... 35
Figure 32. FortiGuard Anti-botnet protection ..... 36


Figure 33. FortiGate Web filtering capability ..... 36
Figure 34. Sandbox deployed with NGFW Solution ..... 37
Figure 35. The NGFW three-step approach to APT ..... 37
Figure 36. Fortinet Advanced Threat Protection (ATP) model ..... 38
Figure 37. NGFW deployment to edge network ..... 39
Figure 38. Current NGFW vs. Extended NGFW capabilities ..... 39
Figure 39. Legacy network security add-ons vs. UTM architecture ..... 41
Figure 40. Unified Threat Management (UTM) ..... 42
Figure 41. LAN control ..... 45
Figure 42. Typical Power over Ethernet (POE) cable configuration ..... 46
Figure 43. UTM scalability ..... 48
Figure 44. Fortinet’s concept of “Connected UTM” ..... 50
Figure 45. DDoS architecture ..... 56
Figure 46. SYN Flood DDoS attack ..... 56
Figure 47. ICMP Flood DDoS attack ..... 57
Figure 48. Zombie DDoS attack ..... 57
Figure 49. Application Delivery Controller (ADC) ..... 58
Figure 50. Typical Application Delivery Network (ADN) infrastructure ..... 59
Figure 51. Intelligent Load Balancing ..... 60
Figure 52. SSL offloading and HTTP compression ..... 61
Figure 53. Web Application Firewall (WAF) ..... 62
Figure 54. Global Server Load Balancing (GSLB) ..... 64
Figure 55. Server ID masking with ADC ..... 65
Figure 56. Security Management (SM) conceptual diagram ..... 68
Figure 57. Integrated security control console ..... 70
Figure 58. Policy Package example ..... 71
Figure 59. Global Policy “Bookend” flow ..... 71
Figure 60. Network visibility benefits ..... 75


List of Tables

Table 1. Comparative security features of edge firewalls vs. NGFW ..... 27
Table 2. Comparison between flow-based and proxy-based inspections ..... 40
Table 3. Comparative models for layers, protocols, and devices ..... 51
Table 4. Translation of ISO/OSI layers to TCP/IP model ..... 52
Table 5. Function of network layers in OSI model ..... 52
Table 6. OWASP top 10 2010 vs. 2013 comparison ..... 54
Table 7. Web Application Firewall (WAF) application-level security measures ..... 62
Table 8. Payment Card Industry Data Security Standards (PCI DSS) ..... 63


    Introduction

    Welcome to the fascinating world of network security…

    …or, on second thought, should we be letting you in?

That is the question around which this primer was written: helping you learn the background, processes, capabilities, and questions to consider when configuring your systems and networks to help analyze, identify, and either allow or block traffic entering or leaving your computer network in the dynamic 21st-century information technology environment. In other words, modern network security.

Modern network security comprises many facets, some of which are in your control and others which may not be. In an increasingly mobile world, traditional network security measures focused on desktop platforms and “dumbphones” are no longer relevant to the world of tablets, phablets, and smartphones. Because of the constantly changing landscape of network environments, organizations of all sizes and complexities face challenges in keeping pace with change, developing counters to emerging threats, and controlling network and security policies. Once the realm of the highly trained and richly resourced, development of malicious code has become so widespread that school children have been known to compete with each other in hacking contests. To meet modern and emerging threats, companies and organizations must adopt dynamic network security programs that keep pace with changing trends and activities.

Back to the opening question: should we be letting you in? People, or the man-machine interface, are the weakest link in any security process. People are easily lulled into a false sense of security about the effectiveness of passwords and access codes, identity verification, and policies regarding the use of information technology (IT) systems and networks. It takes just one careless moment to potentially breach the integrity of protected information and systems, and if network security user policies and protocols are too complicated, compliance is less likely. Because of this human factor it is important to ensure that network security schemes are clear and simple for network administrators and users to operate, with the complexity necessary to identify, deter, or contain threats embedded in state-of-the-art hardware and software solutions that are nearly transparent to internal network users.

But a note of caution: just as no two organizations are alike, neither will their networks, hardware, software, or needs be alike. Each organization needs a customized strategic network security program tailored to balance its needs against its operating environment, perceived threats, and operating budget. Of course, the best network security program would be an end-to-end, 24/7 monitored program with regular analytics informing plan effectiveness and potential enhancements; this would be the holy grail of network security. Systems like Fortinet’s Unified Threat Management (UTM) provide the ability to balance needs, capabilities, and resources to secure networks while maintaining the ability of the organization to operate. In essence, this book will help you learn how to take steps to best mitigate the threats to your network and optimize network security while balancing those factors.


Infrastructure Evolution

In a world growing ever more complex, with network portability being built into an increasing number of devices of varying capabilities, network security continues to evolve in complexity and in importance. In the 1980s a transition from early closed networks to a broader Internet occurred, with the advent of Ethernet, Bitnet, TCP/IP, SMTP, DNS, and, in 1985, the first .com domain name registration. It was not until six years later, in 1991, that the World Wide Web (WWW) came into existence; by 1995, what we now know as the modern Internet was established as a fixture in how business, and the world, would communicate in the future (Figure 1).

    Figure 1. From closed networks to Global Information Grid

No longer was high-tech the sole domain of major companies, organizations, and government agencies; the global information network became the domain of everyone from multi-billion dollar international conglomerates to grade school children (Figure 2). As technologies developed, the industry response was typically the addition of new stand-alone, single- or dual-purpose hardware or integrated hardware-software packages designed to address newly identified threats. This resulted in a constant state of expensive upgrades that added network complexity: integration of new devices, scrubbing and repurposing or disposing of legacy hardware, new policy development, and new management consoles. This increased workload, retraining, and complexity for network administrators and end users, exacerbating the balancing problem between security and productivity.

    Figure 2. The scope of modern global network users.

Because new products were not always able to integrate fully into existing systems, the piecemeal approach to network development and security led to potential blind spots that threats could exploit undetected. To solve this growing challenge, a move toward more strategic solutions to network security was needed: not new stand-alone systems addressing individual threat vectors, but strategic systems and processes designed to protect networks comprised of systems-of-systems. From this problem developed the Unified Threat Management (UTM) concept, which goes beyond a system-of-systems approach to integrate individual system characteristics into strategic systems (Figure 3) [1].


    Figure 3. Fortinet UTM versus traditional ad hoc model.

Threat Landscape

One may view the threat landscape much as law enforcement views threats, using three primary characteristics: motive, means, and opportunity. In terms of technology threats, these terms translate into motivation (motive), knowledge (means), and access (opportunity). Motivation may be as simple as a student trying to get into protected information or as malicious as a competitor trying to delay or disable a company’s ability to reach the market. Knowledge of networks, and of hacking, is widespread, with books and guides available globally through the Internet and often at little or no cost. As for access, this is the area where the effectiveness of your network security will pay off: identifying potential threats, analyzing them, and either determining their validity or cataloging and rejecting them as a threat.

Contemporary and future threat landscapes are dynamic and often include unforeseen technological advances. Devices and applications are under development and appear on the market more rapidly, and with those new technologies come new threats. Not only companies and organizations, but also individual users of less expensive technology such as smartphones, tablets, and laptop computers, who are novices where information security is concerned, must deal with optimizing their devices and applications while blocking potential threats. With the explosion of social media as the primary source of connectivity for so many people internationally, addressing the hidden threats from social media sites is a continuing challenge, and more cross-platform sharing and integration will continue to make device and network security an evolving challenge at all levels.


Threat Timeline

Since the last quarter of 2013, major network attacks have affected large companies and billions of consumers. These attacks not only affected business systems, but also had the ability to infect personal systems and mobile devices, as with the Heartbleed and Find My iPhone attacks. Figure 4 below chronicles these threats and the targets affected by them.

Figure 4. Chronology of major network attacks since October 2013.

Advanced Threats

Experienced hackers or groups of hackers possessing significant resources pose an increased threat to systems and networks, including developing and implementing techniques not previously used to compromise, gain control of, or shut down services. Advanced Threat Protection (ATP), also referred to as Advanced Persistent Threat Protection, provides integrated measures to detect and block advanced threats. These measures include botnet and phishing antivirus profiling, as well as zero-day threat protection using sandboxing to analyze, identify, and block suspicious code and add the suspicious code’s profile to the ATP signature database.

    Figure 5. Advanced Threat Protection (ATP).
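As an added illustration of the flow this section describes (not code from the study guide or from Fortinet), the following Python sketch models the three steps: look the file up in a signature database, send an unknown file to a sandbox, and feed a malicious verdict back into the database so the next copy is blocked without another analysis. The behaviour names, their weights, the block threshold and the sample file contents are constructed assumptions, and the sandbox is simulated by passing in the behaviours it would have observed rather than executing anything.

```python
"""Toy model of the ATP flow sketched above: a fast path that checks an
incoming file against known-bad signatures, a slow path that sends unknown
files to a sandbox, and a feedback step that turns the sandbox verdict into
a new signature.  Added example, not Fortinet/FortiGate code.  Behaviour
names, weights, threshold and sample files are all constructed here."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed behavioural indicators a sandbox report might contain, with
# assumed weights.  A real sandbox derives these from detonating the sample.
SUSPICIOUS_BEHAVIOURS: Dict[str, int] = {
    "writes_autorun_key": 3,
    "contacts_known_c2": 4,
    "disables_av": 4,
    "spawns_shell": 2,
    "reads_documents": 1,
}
BLOCK_THRESHOLD = 4  # assumption: a score at or above this is "malicious"


@dataclass
class SandboxVerdict:
    sha256: str
    score: int
    behaviours: List[str]
    malicious: bool


class SignatureDatabase:
    """Known-bad profiles keyed by SHA-256 of the file content."""

    def __init__(self) -> None:
        self._known: Dict[str, SandboxVerdict] = {}

    def lookup(self, sha256: str) -> Optional[SandboxVerdict]:
        return self._known.get(sha256)

    def add(self, verdict: SandboxVerdict) -> None:
        self._known[verdict.sha256] = verdict

    def __len__(self) -> int:
        return len(self._known)


def sandbox_analyze(sha256: str, observed: List[str]) -> SandboxVerdict:
    """Stand-in for detonation: scores the behaviours the (simulated)
    sandbox run observed and decides whether the sample is malicious."""
    score = sum(SUSPICIOUS_BEHAVIOURS.get(b, 0) for b in observed)
    return SandboxVerdict(sha256, score, sorted(observed), score >= BLOCK_THRESHOLD)


class AtpGateway:
    """Inline inspection point: signature lookup first, sandbox for unknowns,
    and new malicious profiles fed back into the signature database."""

    def __init__(self, db: SignatureDatabase,
                 sandbox: Callable[[str, List[str]], SandboxVerdict]) -> None:
        self.db = db
        self.sandbox = sandbox
        self.log: List[Tuple[str, str, str]] = []  # (hash prefix, source, action)

    def inspect(self, content: bytes, observed: List[str]) -> str:
        sha = hashlib.sha256(content).hexdigest()
        if self.db.lookup(sha) is not None:
            # Fast path: a previously profiled malicious sample; no sandbox round-trip.
            self.log.append((sha[:12], "signature", "block"))
            return "block"
        verdict = self.sandbox(sha, observed)
        action = "block" if verdict.malicious else "allow"
        if verdict.malicious:
            # Feedback: the suspicious profile becomes a signature, so the
            # next copy of this file is blocked without another detonation.
            self.db.add(verdict)
        self.log.append((sha[:12], "sandbox", action))
        return action


def run_demo() -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Runs three constructed files through the gateway and returns the
    decisions plus the inspection log."""
    gateway = AtpGateway(SignatureDatabase(), sandbox_analyze)
    dropper = b"constructed sample: pretend dropper"       # not a real file
    report = b"constructed sample: quarterly report.docx"  # not a real file
    decisions = [
        gateway.inspect(dropper, ["writes_autorun_key", "contacts_known_c2"]),
        gateway.inspect(report, ["reads_documents"]),
        # Same bytes seen again: no behaviours are supplied because the
        # signature hit short-circuits the sandbox.
        gateway.inspect(dropper, []),
    ]
    return decisions, gateway.log


if __name__ == "__main__":
    for decision, entry in zip(*run_demo()):
        print(entry, "->", decision)
```

Running the block blocks the constructed dropper twice, first via the sandbox and then via the signature that verdict produced, while the benign document goes through the sandbox and is allowed; only malicious verdicts are cached, so an allowed file is re-analyzed the next time it is seen.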


Advanced Threats and Network Security: Continuing Evolution

The early days of personal computer availability to consumers and the advent of the Internet and World Wide Web are behind us. These events were followed by parallel development of more powerful hardware appliances and more complex applications for those machines. Unfortunately, with those developments also came a thriving developmental path for malware and other methods by which to breach system and network security to obtain data from, or deny use of, targeted platforms. This Modern Network Security Primer presents current and future appliances, applications, and concepts that provide the options to keep pace with emerging capabilities and threats, and to maintain the safety and security of your system and network.


Module 1: Data Center Firewalls

Data centers have become abundant in the increasingly technology-based business environment of the 21st century. Because of this growth, data centers provide a new field for trends in computing and networking, driving revisions to IT infrastructure strategies and, along with new strategies, new methods to bolster network security. Presented in this module are characteristics and functions of data center firewalls as they apply to networks and applications.

Data Center Evolution

A common notion in today’s business environment is that “No matter what business you are in, you are a technology business.” In the 21st century this is not only true of large businesses, but also applies to successful small and medium businesses (SMB). Modern data centers typically contain servers with a variety of purposes, including web, application, and database servers.

    Along with growing use of technology came a need to not only develop more specialized applications but also develop innovative ways to store ever-increasing volumes of digital data. This growing storage requirement spurred a new sector in technology operations: the Data Center. As new technologies for end users of computing platforms evolve, so must security measures for the data centers they will access for operations such as email, social media, banking, shopping, education, and myriad other purposes. Developing strategies to keep pace with the accelerating integrated and distributed nature of technology has become a critical industry in protecting personal, business, and organizational data and communications from legacy, advanced, and emerging threats.

    Market Trends Affecting Data Centers

    As mentioned previously, consumer trends influenced data center development; however, the business sector was also instrumental in spurring on this development. As technology evolved, businesses learned to step to the leading edge of innovation in order to get ahead, or stay ahead, of competing enterprises. To this end, changes in business practices that influenced data center development included:

    Virtualization. Creating a virtual version of a device or resource, such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments.

    Cloud Computing. Computing in which large groups of remote servers are networked to allow centralized data storage and online access to computer services or resources. Clouds can be classified as public, private or hybrid.

    Software-Defined Networks (SDN). An approach to networking in which control is decoupled from hardware and given to a software application called a controller. Dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications.

    BYOD. Refers to employees taking their own personal device to work, whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by the employee.

    Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to process using traditional databases and software techniques. In many enterprise scenarios, the data is too big, moves too fast, or exceeds current processing capacity.

    The Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to the Internet and identify themselves to other devices. IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself. When many objects act in unison, they are known as having “ambient intelligence.”

    Infrastructure Integration

    Meeting the challenge of data center growth while maintaining throughput capability requires the use of technology integration to reduce the potential for signal loss and speed reduction caused by bridging and security barriers between ad hoc arrangements of independent appliances. There are definitely two camps on what should be at the heart of a modern firewall, with two types of hybrid design being prevalent:

    CPU + OTS ASIC. A design whereby a general purpose central processing unit (CPU) is augmented by an off the shelf (OTS) processor.

    CPU + Custom ASIC. The most difficult but best design, bringing together a general CPU linked closely to a number of custom built application-specific integrated circuits (ASICs). By matching ASICs that are designed to handle the specific tasks for which the processor and device is intended, the ability to process data is enhanced and system performance is optimized.

    On one side, there are vendors who want to use an off-the-shelf (OTS) central processing unit (CPU) design. This is the simplest design but suffers from performance degradation. On the other side are those advocating the use of hybrid designs, merging CPUs with application-specific integrated circuits (ASIC), which are more efficient and may provide the necessary infrastructure to meet the demand for throughput, growth, and security.

    Edge vs. Core Data Center Firewalls

    Edge Firewall. Implemented at the edge of a network in order to protect the network against potential attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall: the gatekeeper. In addition to gatekeeper duties, the edge firewall may have capabilities added as other security appliances are linked to the firewall. This method, however, leads to a complex architecture that results in complex network and security controls. A typical edge firewall is depicted in Figure 6.


    Figure 6. Notional edge firewall configuration.

    Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of functions. Depending on network size and configuration, the data center firewall may also provide additional security functions, such as segregating internal resources from access by malicious insiders, and ensuring compliance with regulations protecting consumer, patient, and other sensitive user data. These functions are referred to as Multi-Layered Security, and may include:

    IP Security (IPSec) Firewall
    Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
    Antivirus/Antispyware
    Web Filtering
    Antispam
    Traffic Shaping [2]

    These functions work together, providing integrated security for the data center, concurrently providing consolidated, clear control for administrators while presenting complex barriers to potential threats. Figure 7 shows a notional data center firewall deployment, providing gatekeeper duty and integrated security solutions (as depicted in Figure 6, above), with simplified control and complex protection.

    Figure 7. Notional data center firewall deployment.


    Data Center Firewall Characteristics

    As end user devices and activities evolve, data centers must evolve to ensure both service and security keep pace. Some market trends affecting data centers include increasing use of mobile devices, employee device portability (BYOD), data center consolidation through server virtualization, cloud computing, and software-defined networking.

    The key benefit of a data center network core firewall configuration with high speed, high throughput, and low latency is the ability to evolve as technology develops:

    Throughput speeds have the potential to double every 18 months
    High-speed 40/100 GbE ports are already going into existing systems
    External users are moving from Internet Protocol version 4 (IPv4) to IPv6

    Figure 8 illustrates how the data center firewall is adaptable to evolving technology and user trends.

    Figure 8. Data center firewall adaptability to evolving capabilities.

    Size Matters. Historically, a determining factor in network firewall selection was the number of users, both internal and external, accessing the network or its components. Using data center firewalls in small and medium businesses (SMB) makes sense, because modern data center firewall systems provide higher throughput speeds, higher connectivity (port capacity), and a higher capacity for concurrent sessions.

    As a business or organization grows and network access begins to grow into multiple locations and thousands of users, the option to consider using an enterprise campus firewall may become a necessary investment. While the capacity to handle thousands of users and multiple locations may be accomplished with enterprise firewalls, the trade-off is in the need for redundancy to ensure reliability, resulting in significantly higher costs and equipment complexity, and the need for extensive training if an organization intends to self-manage the enterprise firewall. Because of these complexities, enterprise data centers may reside on-premises at a company site, in a dedicated co-location space in a provider’s data center facility, or as an outsourced service in a multi-tenant provider cloud environment.

    Figure 9. Data center in a distributed enterprise network.

    Because of the increasing size and complexity of data center operations and needs of external users, as well as the increased costs associated with enterprise firewall equipment and training needs, companies may decide to outsource data center security operations to a third party, or Managed Security Service Provider (MSSP). A growing market along with evolving technologies, MSSPs provide a wide range of network security services, from one-time services, such as configuring routers, to ongoing services such as network monitoring, upgrade, and configuration. This provides small and medium businesses (SMB) enhanced capabilities without having to increase technical staff, while providing large and high-visibility businesses with supplemental protection beyond their technical staff.

    When deciding on whether to engage an MSSP for network security operations, a number of considerations must be taken into account. From the most basic perspective, the MSSP should align with your business and security philosophy. Will they sign a non-disclosure agreement, so details about your company’s security will be secure? The MSSP needs to be highly available to you, especially if you run 24/7 operations and reach a global audience (and who on the Internet doesn’t these days?). It is worth a visit to their facility to check out their operations and talk with staff. The MSSP’s service must be sustainable: what are their redundancy capabilities in case of primary system failures or disaster; what is the likelihood they may go out of business (the market is still maturing and the current failure rate is high)? Identify clearly the level of serviceability you can expect from the MSSP, and demand a strong service level agreement (SLA) spelling out all roles and responsibilities for both parties. These requirements are foundational to success with using an MSSP to manage data center security.

    As cloud services and software-defined networks (SDNs) became prevalent, network functions virtualization (NFV) such as VMware NSX and Cisco ACI also began to take the place of physical devices, encapsulating appliances such as firewalls, load balancers, and switches as scalable virtual appliances within the same physical devices. The emergence of OpenFlow from behind the research lab walls and into mainstream management in cellular, TELCO, and data center operations has brought major network operators and manufacturers onboard in making OpenFlow the standard protocol for communications between controllers and network switches in the SDN, or virtual, environment. The OpenFlow protocol abstracts the network control plane from the data plane in order to program network traffic flows to be more dynamic and automated.

    As virtualization and SDN deployment expanded, the practice became available for implementation by private individuals and organizations outside the traditional boundaries of those with large amounts of available capital and resources. With broad availability of open-source software enabling low-cost network development, cloud computing has reached into the realm of private and personal clouds. One popular open-source platform for cloud computing is OpenStack, which provides the capability to develop and manage private and public clouds, even providing compatibility with popular enterprise and open-source technologies for controlling large pools of data center computing, storage, and networking resources.

    By designing and implementing network infrastructures combining high throughput with a dynamic software-defined network (SDN), the data center firewall provides the capability to evolve with consumer and industry trends. To accomplish this, data center firewalls must focus on three primary areas as foundations for security: performance, segmentation, and simplification.

    Performance. As the need for network speeds to accelerate continues, the data center will be at the forefront of network design enabling higher performance through high-speed, high-capacity, and low latency firewalls. Currently, the minimum required throughput of a data center firewall is 10 Gbps, with an expectation by large company data center users that throughput may be increased up to an aggregate 100+ Gbps. Similarly, enabling high throughput requires a minimum port connectivity of 10 Gigabits for Ethernet ports on the data center firewall, with some capabilities already expanding into the 40-100 Gigabit range.

    Segmentation. With the evolution of IT devices and evolving network threats, organizations using data centers have adopted network segmentation as a best practice to isolate critical data against potential threats. Common data isolation criteria include applications, user groups, regulatory requirements, business functions, trust levels, and locations. To support the use of network segmentation in network security schema, data center firewalls must provide high density and logical abstraction supporting both physical and virtual segmentation clouds. Benefits include keeping sensitive data partitioned from unauthorized access for security and compliance purposes, limiting lateral movement of advanced threats that gain initial footholds in the network, and ensuring employees and users have access to only the services and applications for which they are authorized.

    Simplification. Because data centers extend to external users of varying trust levels, a “Zero-Trust” model for data access must extend beyond the traditional data center edge and into the segmentation throughout the network’s core. This requires a consolidated, simplified security platform that can manage multiple functions while supporting high speed network operations. In order to further simplify data center firewall operations, integration of network routing and switching functions into firewall controls provides added centralized visibility and control of network functions and security monitoring. Consolidation may also be accomplished by putting multiple physical server workloads onto a shared physical host by using virtual machines on a hypervisor.

    A good example of a data center core firewall that incorporates all the requirements of low latency, high throughput, and high performance is the FortiGate platform line. These firewalls include models that deliver over 100 Gbps performance with less than 5 µs latency (Figure 10).

    Figure 10. Data center core firewall requirements.

    One of the benefits of a data center network core firewall configuration as illustrated in Figure 10 is the ability to evolve as trends in technology develop. With an estimated potential for throughput speeds to double every 18 months, and adoption of high-speed network interfaces such as 40/100Gb Ethernet ports into existing architectures, data center firewalls will need to be ready for the challenge. With these developments, and as external users move from transmitting traffic using Internet Protocol version 4 (IPv4), which currently carries over 95% of the world’s Internet traffic, to IPv6, firewalls such as the FortiGate line provide the ability to keep pace and maintain data center service and security.

    Virtual Firewalls

    Traditional firewalls protect physical computer networks, those running on physical hardware and cabling. As such, the most effective means of security was and still is a physical, locked fire door. This is also referred to as “North-South” traffic. Unlike physical machines and networks, virtual machines operate in a virtual environment, isolated on a host but acting as though they were an independent system or network. Even as a virtual reality, however, the network may be subject to threats and intrusion from external sources. Virtual traffic, that traffic moving laterally between servers without leaving the data center, is referred to as “East-West” traffic (Figure 11).


    Today, 60-70% of traffic is E-W because of the trend in virtualization and consolidation, which is why virtual networks are of vital importance in the emergence of data centers and the need for reliable and adaptable data center security in modern networks.

    Virtual networks (VLANs) may be used to segment multiple subnets logically on the same physical switch; to secure data being transmitted between virtual machines in a virtual network, the virtual firewall was developed. A virtual firewall is simply a firewall service running entirely within the virtual environment, providing the typical packet filtering and monitoring that would be expected when using a physical device in a physical network. The virtual firewall may take a number of forms: it may be loaded as a traditional software firewall on the virtual host machine, it can be built into the virtual environment, it can be a virtual switch with additional capabilities, or it can be a managed kernel process within the host hypervisor for all virtual machine activity.

    Figure 11. North-South (Physical) vs. East-West (Virtual) traffic.

    Virtual firewalls may operate in one of two modes, depending how they are deployed: either bridge mode or hypervisor mode. A virtual firewall operating in bridge mode acts like a physical firewall, normally situated at an inter-network switch or bridge to intercept network traffic needing to travel over the bridge. In this way, the virtual firewall may decide to allow passage, drop, reject, forward, or mirror the packet. This was the standard for early virtual networks and some current networks still retain this model.

    In hypervisor mode the virtual firewall is not actually part of the virtual network at all; rather, it resides in the host virtual machine, or hypervisor, in order to capture and analyze packets destined for the virtual network. Since virtual firewalls operating in hypervisor mode are not part of the virtual network in a virtual machine, they are able to run faster within the kernel at native hardware speeds. Examples of popular hypervisors on the market include VMware vSphere, Citrix Xen, and Microsoft Hyper-V.

    As these developments in virtual capabilities occurred, they necessarily gave way to a new paradigm by which to consider the definition of the data center itself. Instead of the need for a traditional physical infrastructure that defines the data center, such as a building or a server room within a structure, what if the paradigm shifted to a data center that resided within a software-defined space? Because of continued evolution of virtual technology, this capability is a reality. The software-defined data center (SDDC) presents a paradigm in which infrastructure such as servers, network, and storage can be logically and dynamically orchestrated without the need for adding or configuring new physical appliances or expanding into new facilities. Because of the virtual nature of these SDDCs, on-demand data centers emerged, providing benefits to small consumers and SMBs such as pay-as-you-use infrastructure, delivery on demand without extended provisioning times, and no requirement for long-term obligations or contracts. In other words, the emergence of SDDCs provided new paths for economical flexibility in data center definition and operation.

    In summary, the flexible deployment capability for data center firewalls provides for targeting of the threats identified as most important to the network or system. Deploying the firewall at the network edge is effective to block external intrusions from accessing the network. Deploying the firewall at the network core provides segmentation in the event that an external threat gains access to the network. At the virtual layer, the firewall is able to monitor traffic between virtual machines (VM).

    Data Center Network Services

    As technology evolved, more and more services moved from running as physically resident to virtual or cloud-based applications to reduce bottlenecks, increase throughput, and optimize data sharing, among other benefits. Data center traffic has increased because of factors such as the increased number of users depending on mobile applications to access data anytime and anyplace, businesses aggregating and storing increasing amounts of data to enable analytics, and increased use of SaaS cloud storage over local physical drive storage appliances. Because of these shifts, networks from distributed enterprises down to SMB and home businesses began to depend on virtual and cloud applications for remote and mobile capability. This led to a parallel focus on development of threats to the application layers of the Open Systems Interconnection (OSI) model, which will be discussed later in this book. The remainder of this module will focus on how the data center serves to facilitate the use of applications in the modern mobile, virtual and cloud-based technology environment.

    Application Systems

    Application systems typically consist of user interfaces, programming (logic), and databases. A user interface is the control or method by which the user interacts with the computer, system, or network, often consisting of screens, web pages, or input devices. Some application systems have non-visual interfaces that exchange data electronically with other systems in a network. Figure 12 illustrates a notional network.


    Programming consists of the scripts or computer instructions used to validate data, perform calculations, or navigate users through application systems. Many large computers use more than one computer language to drive the system and connect with networks. This allows linking of systems performing specialized functions into a centrally-manageable network.

    Figure 12. Notional network.

    Databases are simply electronic repositories of data used to store information for the organization in a structured, searchable, and retrievable format. Most databases are configured to facilitate access for downloading, updating, and, when applicable, sharing with other authorized network users.

    Computer systems are simply sets of components that are assembled into an integrated package. The heart of a computer system is the central processing unit (CPU), around which various other components such as data storage, drives, displays, memory, input devices, and other peripherals are built. Computer system components may vary in size and complexity and can be designed for single or multiple purposes.

    Control is accomplished through user interfaces. The level of application control found in Next Generation Firewalls (NGFWs) is not generally necessary in a data center core firewall, primarily because of the lack of end-users running in the data center itself. Typically data center applications are accessed and used as cloud services or database information, rather than as platforms for writing and execution of programming by external users.

    Application Services

    With increasing use of “the cloud” to enable mobile, even global, use of applications and access to organization databases, technology services designed to fulfill the needs of various industries from SMB to large international corporations developed. In today’s market, and the foreseeable future, cloud services continue to grow quickly. Integral to this broad range of services are three primary components: infrastructure (IaaS), platforms (PaaS), and software (SaaS) as services. The primary difference between models rests in responsibility tradeoffs between developer (user) and vendor (provider), as illustrated in Figure 13 [3].

    Infrastructure as a Service (IaaS). This is the most basic of the three cloud service models. The service provider creates the infrastructure, which becomes a self-service platform for the user for accessing, monitoring, and managing remote data center services. The benefit of IaaS is that the user does not have to invest large amounts into infrastructure and ongoing upgrades and service, while retaining operational flexibility. The downside is that this model requires the user to have a higher degree of technical knowledge, or at least know or employ someone who does. Examples of businesses using the IaaS model appear in Figure 14.

    Figure 13. Differences between IaaS, PaaS, and SaaS.

    Platform as a Service (PaaS). The PaaS model provides an additional level of service to the user beyond the IaaS model. In this model, the provider not only builds the infrastructure, but also provides monitoring and maintenance services for the user. Users of PaaS cloud services have access to “middleware” to assist with application development, as well as inherent characteristics including scalability, high availability, multi-tenancy, SaaS enabling, and other features. This allows the user to focus on what is most important to their business: their application(s). In particular, businesses large or complex enough to employ an enterprise data center model benefit greatly from PaaS because it reduces the amount of coding necessary and automates business policy. Examples of businesses using the PaaS model appear in Figure 14.

    Software as a Service (SaaS). The SaaS model represents the largest cloud market and continues to grow. This model takes the final step of bringing the actual software application into the set of functions managed by the provider, with the user having a client interface. Because the application resides in the cloud itself, most SaaS applications may be operated through a web browser without the need to download or install resident software on individual physical systems. This allows businesses to develop software and operational requirements, but to have those requirements written and fulfilled by a third party vendor, although such designs typically involve customization of pre-existing software applications, because SaaS does not provide the broad flexibility of software development options available in the PaaS model. Examples of businesses using the SaaS model appear in Figure 14 [4].

    Figure 14. Examples of businesses using IaaS, PaaS, and SaaS cloud models.

    The Shared Security Responsibility (SSR) Model. When using application services, “the cloud”, for applications and access to databases, these services come with a shared responsibility for security and operations split between the cloud provider and the cloud tenant. Depending upon which model is chosen for operations (IaaS, PaaS, or SaaS), your level of security responsibility changes in magnitude. Referring back to Figure 13, as you relinquish more control of operations and decision-making/configuration to the vendor/provider, such as with the SaaS model, your degree of security responsibility also declines. Conversely, if you decide to retain more management, such as in the IaaS model, your security responsibility increases in magnitude.

    Summary

    From an introduction to the current status of computer network options and configurations, to the challenges posed by evolving technologies and advanced threats, this module has prepared a foundation for more focused discussion on emerging threats and the development of network security technologies and processes designed to provide organizations with the tools necessary to defend best against those threats and continue uninterrupted, secure operations. The next module will focus on the Next Generation Firewall (NGFW), an evolving technology in network security.


    Module 2: Next Generation Firewall (NGFW)

    Just because you’re paranoid that hackers are trying to steal your data…
    …doesn’t mean they’re not really out to get you!

    Early firewalls acted much like a fire door in a building: if something bad was happening in the hallway, it protected what was in your room and other parts of the building. As personal computers became more affordable and digital portable devices became more widespread, system and network threats evolved as well, creating a need for protection technology able to evolve along with, or ahead of, advanced threats. Legacy firewalls operated on the basis of port access, using source/destination IP addresses or TCP/UDP port data to discern whether packets should be allowed to pass between networks or be blocked or rejected. Most firewall configurations allowed all traffic from trusted networks to pass through to untrusted networks, unless policy exceptions were implemented. In closed networks and the early days of the Internet, this was a viable option; this predominantly static firewall configuration model no longer provides adequate protection against advanced and emerging system and network threats to large, distributed enterprise businesses and organizations having to serve customers, clients, and employees in an ever-evolving mobile environment.

    Technology Trends

    Trends in information technology development and employment over the last 15 years have led to a need to rethink the methodology behind modern network security. To further exacerbate this challenge, these trends occurred simultaneously across major industry, all levels of business, and personal consumer environments.

    Consumerization of IT has resulted in IT-enabled devices, such as smartphones, digital music and video players, recorders, cameras, and others, becoming so commonplace in the market that their lower pricing resulted in an explosion of individual consumers acquiring technology-enabled devices for personal use. This extends beyond the obvious devices listed above. IT-enabled devices now include such appliances as refrigerator/freezers, home security systems, personal home networks that include WiFi-enabled televisions, stereos, and even the automated “smart house.” In other words, what we have to be mindful of today is the Internet of Things (IoT) when we acquire devices and appliances.

    Because consumers have embraced technology devices for both communication and information sharing, Social Media enterprise has been embraced at the business level as a way to reach consumer markets and supplement Web and traditional marketing and communication pathways. With so many applications, especially social media, being cloud based, the challenge of network security expands beneath the surface of traffic and into substance.

    With the proliferation of inexpensive, technology-enabled devices interacting with business networks, including both external users and those using personal devices for work purposes (Bring Your Own Device, BYOD), the question becomes one of how to provide security, network visibility, control, and user visibility simultaneously without an exponential increase in required resources (Figure 15).


    Figure 15. Bring Your Own Device (BYOD) practices in 2011.

    NGFW Characteristics: Fundamental Changes

    The primary benefits of NGFW are visibility and control of traffic entering the firewall ports. In legacy firewalls, ports were opened and closed, or protocols allowed or disallowed, without consideration beyond basic characteristics.

    Figure 16. Edge firewall vs. NGFW traffic visibility.

    With NGFW, administrators are given finer granularity, providing deeper insight into the traffic attempting to access the network (Figure 16). This includes deeper visibility of users and devices, as well as the ability to allow or limit access based on specific applications and content rather than accepting or rejecting any traffic using a particular transmission protocol. This is the primary difference that separates traditional and next generation firewalls (NGFW).

    With a traditional firewall, traffic is accepted based on identification criteria of designated port and IP address. Conversely, with NGFW traffic is accepted based on user ID (not port) and both the IP address and traffic content. The diagrams in Figures 17 and 18 better illustrate the visibility and control capability provided when NGFW is integrated into the network security architecture, supplanting the legacy edge firewall.


    When comparing the granularity in how legacy firewalls and NGFW assess data, note that in NGFW the ports are identified with the traffic flowing through them as well as specific information about the user sending the traffic, the traffic origin, and the type (content) of traffic being received. This information goes beyond the basic link level and brings security into OSI levels 3 & 4 (application security capability).

    Figure 17. Traditional port configuration example.

    Figure 18. NGFW configuration example by application, user ID.
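    The contrast drawn in Figures 17 and 18, as an added example that is not part of the study guide: a toy policy engine evaluates the same constructed flows under a legacy rule (source network, protocol, port) and under an NGFW-style rule (source network, user group, identified application). The rules, addresses, user directory and application names are all constructed for illustration.

```python
"""Added example (not from the study guide): legacy port/IP matching versus
NGFW user/application matching on identical-looking flows.
All rules, users, apps and addresses are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                   # "tcp" or "udp"
    dst_port: int
    user: Optional[str] = None   # identity resolved by the NGFW (e.g. AD); None if unknown
    app: Optional[str] = None    # application identified from content; None if unknown


@dataclass
class LegacyRule:
    """Matches only on what a port/IP firewall can see."""
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src_ip) in ip_network(self.src)
                and (self.proto is None or self.proto == f.proto)
                and (self.dst_port is None or self.dst_port == f.dst_port))


@dataclass
class NgfwRule:
    """Matches on source network plus user group and application identity."""
    action: str
    src: str = "0.0.0.0/0"
    groups: set = field(default_factory=set)   # permitted user groups; empty = any
    apps: set = field(default_factory=set)     # permitted applications; empty = any


# Constructed directory standing in for Active Directory group membership.
DIRECTORY = {"alice": {"finance"}, "bob": {"engineering"}}


def ngfw_matches(rule: NgfwRule, f: Flow) -> bool:
    if ip_address(f.src_ip) not in ip_network(rule.src):
        return False
    if rule.groups:
        # An unknown user belongs to no permitted group, so it cannot match.
        if f.user is None or not (DIRECTORY.get(f.user, set()) & rule.groups):
            return False
    if rule.apps and f.app not in rule.apps:
        return False
    return True


def evaluate(rules, f: Flow, matcher) -> str:
    """First-match evaluation with an implicit final deny."""
    for r in rules:
        if matcher(r, f):
            return r.action
    return "deny"


LEGACY_POLICY = [LegacyRule("allow", "10.0.0.0/8", "tcp", 443)]   # "LAN may use HTTPS"
NGFW_POLICY = [NgfwRule("allow", "10.0.0.0/8", groups={"finance"}, apps={"Salesforce"})]


def legacy_verdict(f: Flow) -> str:
    return evaluate(LEGACY_POLICY, f, lambda r, fl: r.matches(fl))


def ngfw_verdict(f: Flow) -> str:
    return evaluate(NGFW_POLICY, f, ngfw_matches)


if __name__ == "__main__":
    # Both flows look identical to a port/IP firewall: LAN host -> tcp/443.
    good = Flow("10.1.2.3", "203.0.113.10", "tcp", 443, user="alice", app="Salesforce")
    tunnel = Flow("10.1.2.3", "203.0.113.20", "tcp", 443, user="bob", app="Unknown-Tunnel")
    for f in (good, tunnel):
        print(f"{f.app:16} legacy={legacy_verdict(f):5} ngfw={ngfw_verdict(f)}")
```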

    In addition to enhanced visibility over traffic, NGFW provides enhancements in both complex security protection and administrator control simplicity over traditional firewalls, as compared in Table 1.

    Table 1. Comparative security features of edge firewalls vs. NGFW.

    Edge Firewall              | NGFW
    ---------------------------|------------------------------------------
    Gatekeeper                 | Gatekeeper
    ISO/OSI L4 Port Protocol   | Application-Centric Content Flow Protocol
    Basic Security + Add-ons   | Integrated Security Solutions
    Complex Architecture       | Integrated Architecture
    Complex Control            | Simplified Control
    Simple – Moderate Security | Integrated Complex Security

    NGFW Evolution

    Referring to an evolving technology offering high-performance protection, Next Generation Firewalls (NGFW) provide solutions against a wide range of advanced threats against applications, data, and users. Going beyond standard firewall protections, NGFW integrate multiple capabilities to combat advanced and emerging threats. These capabilities include intrusion prevention system (IPS), deep packet scanning, network application identification and control, and access enforcement based on user identity verification. Emerging tools include Advanced Threat Protection (ATP) to mitigate multi-vector, persistent network or system attacks against large and distributed enterprise networks.


    The concept of NGFW was first coined by Gartner in 2004 in their paper discussing the need for integrated IPS coupled with Deep-Packet Inspection and general application-inspection capabilities in firewalls [5]. In 2008, Gartner redefined NGFW as security devices including an enterprise-level firewall integrating IPS or Deep Packet Inspection, Application Identification, and "extra-firewall" intelligence (such as Web Content Filter), while allowing for interoperability with third-party rule management technology [6]. In 2009, Gartner published a new definition of NGFW, defining the characteristics as including VPN, integrated IPS interoperability with firewall components, application awareness, and "extra-firewall" intelligence [7].

    Figure 19. NGFW evolution timeline.

    Traditional NGFW Capabilities

    Traditional NGFW provides solutions against a wide range of advanced threats against applications, data, and users. Traditional enterprise network security solutions such as legacy firewalls and stand-alone intrusion detection/prevention systems (IPS) are no longer adequate to protect against today's sophisticated attacks. In order to defend networks against the latest threats, NGFWs should include, at a minimum, the ability to identify and control applications running over a network, an integrated intrusion prevention system (IPS) with deep packet scanning capabilities, and the ability to verify a user or device's identity and enforce access policies accordingly.

    However, advanced threats require advanced protection. Some NGFW devices, such as the FortiGate line, include additional technologies that provide a real-time ranking of the security risk of devices on your network and cloud-based threat detection and prevention. Traditional NGFW integrates multiple capabilities to combat emerging threats.

    Figure 20. Intrusion Prevention System (IPS).

    Intrusion Prevention System (IPS). Sometimes called integrated IDS/IPS. Monitors the network and directs the firewall to allow or block traffic. An Intrusion Detection System (IDS) detects threats but does not alert the firewall to take action against identified threats or unknown traffic. IDS is integrated into IPS technology. IPS has been used as part of edge-based protection as a firewall enhancement; however, it is more effective to tie it into network segregation, enabling protection against both internal and external attacks against critical servers [8].

    Figure 21. Deep Packet Inspection (DPI).

    Deep Packet Inspection (DPI). Examining the payload or data portion of a network packet as it passes through a firewall or other security device. DPI identifies and classifies network traffic based on signatures in the payload [9]. It examines packets for protocol errors, viruses, spam, intrusions, or policy violations.

    Figure 22. Network application identification and control.

    Network Application Identification & Control. Traditional firewall protection detects and restricts applications by port, protocol and server IP address, and cannot detect malicious content or abnormal behavior in many web-based applications. Next Generation Firewall technology with Application Control allows you to identify and control applications on networks and endpoints regardless of the port, protocol, and IP address used. It gives you unmatched visibility and control over application traffic, even unknown applications from unknown sources, and inspects encrypted application traffic. Protocol decoders normalize and discover traffic from applications attempting to evade detection via obfuscation techniques. Following identification and decryption, application traffic is either blocked, or allowed and scanned for malicious payloads. In addition, application control protocol decoders detect and decrypt tunneled IPsec VPN and SSL VPN traffic prior to inspection, ensuring total network visibility. Application control even decrypts and inspects traffic using encrypted communications protocols, such as HTTPS, POP3S, SMTPS and IMAPS.


    Figure 23. Access enforcement (User identity).

    Access Enforcement (User Identity). When a user attempts to access network resources, Next Generation Firewalls allow identification of the user from a list of names, IP addresses and Active Directory group memberships that it maintains locally. The connection request will be allowed only if the user belongs to one of the permitted user groups, and the assigned firewall policy will be applied to all traffic to and from that user.

    Figure 24. NGFW distributed enterprise-level capability.

    Distributed Enterprise-level Capability. Capable of operating in large, distributed enterprise networks. The foundation of the enterprise campus offering is a high performance next generation firewall (NGFW) that adds intrusion prevention, application control and antimalware to the traditional firewall/VPN combination. In particular, Fortinet NGFWs:

    - Provide fine-grained, user- or device-based visibility and control over more than 3000 discrete applications to establish/enforce appropriate policies.
    - Include powerful intrusion prevention, looking beyond port and protocol to the actual content of your network traffic to identify and stop threats.
    - Leverage top rated antimalware to proactively detect malicious code seeking entry to the network.
    - Deliver actionable application and risk dashboards/reports for real-time views into network activity.
    - Run on purpose-built appliances with custom ASICs for superior, multi-function performance, even over encrypted traffic.


    Figure 25. Extra-firewall intelligence IP list assignment.

    "Extra-firewall" Intelligence. This provides the ability to create lists for access or denial of external traffic to the network. These lists may be designated by IP address. List types include:

    - White List. Designated sources considered trusted, which will be allowed access to the network.
    - Black List. Designated sources considered not trusted, which will be denied access to the network.

    A key point to this function is that the source is based on an address; therefore, access does not relate to any specific type of information that may be carried on traffic from that source. This is a surface screening rather than a content screening function.

    Figure 26. Notional network with managed security (MSSP).

    Interoperable with Third-Party Management. Enterprise-class appliances deliver the comprehensive security solution Managed Security Service Providers (MSSPs) require. They allow you to utilize the full suite of ASIC-accelerated security modules for customizable value-added features for specific customers. FortiGate NGFW appliances include the ability to create multi-tenant virtual security networks, supporting up to 5,000 separate Virtual Domains (VDOMs) in a single device. The full suite of integrated management applications, including granular reporting features, offers unprecedented visibility into the security posture of customers while identifying their highest risks.

    VPN. Virtual Private Network (VPN) technology allows organizations to establish secure communications and data privacy between multiple networks and hosts using IPSec and secure sockets layer (SSL) VPN protocols. Both VPN services leverage custom ASIC network processors to accelerate encryption and decryption of network traffic. Once the traffic has been decrypted, multiple threat inspections, including antivirus, intrusion prevention, application control, email filtering and web filtering, can be applied and enforced for all content traversing the VPN tunnel.

    Figure 27. Application awareness: The NGFW application monitoring feature.

    Application Awareness. While establishing port and protocol are important first steps in identifying traffic, positive identification of application traffic is an important capability added by NGFW, requiring a multi-factor approach independent of port, protocol, encryption, or evasive measures. Application awareness includes protocol detection and decryption, protocol decoding, signature identification, and heuristics (behavioral analyses) [10].

    NGFW Functions

    Two important functions of NGFW are to detect threats and to prevent them from exploiting system or network vulnerabilities. The best way to detect threats is to deploy an Intrusion Detection System (IDS) as part of the network architecture. In order to prevent identified threats from exploiting existing vulnerabilities, an Intrusion Prevention System (IPS) should be deployed. The purpose of IPS is to react to detected threats to a network in order to block intrusion by traffic attempting to take advantage of system vulnerabilities, deviations from standard protocols, or attacks generated by trusted sources [8]. NGFW appliances, such as the FortiGate line of network hardware, provide integrated capability for IDS and IPS to both detect and prevent intrusion and exploitation of protected networks.

    Another function of NGFW is providing Secure Socket Layer (SSL)-Encrypted Traffic Inspection. This type of inspection protects endpoint clients as well as Web and application servers from potentially hidden threats. SSL Inspection intercepts and inspects encrypted traffic for threats before routing it to its destination and can be applied to client-oriented traffic, such as users connected through a cloud-based site, or to Web and application server traffic. Using SSL inspection allows policy enforcement on encrypted Web content to prevent potential intrusion from malicious traffic hidden in SSL content. Like other inspection protocols, however, the tradeoff to enabling SSL inspection is a decrease in throughput speed.

    Extended NGFW Capabilities

    Beyond the capabilities defined by Gartner for NGFW, additional capabilities focused on advanced and emerging threats are clearly needed. Particularly within enterprise network security infrastructure, there is a need to protect against new and evolving classes of highly targeted and tailored attacks designed to bypass common defenses. Because of these advanced and evolving threats, additional defenses, referred to by Fortinet as Advanced Threat Protection (ATP), include anti-virus/malware, anti-botnet, web filtering, code emulation, and sandboxing. Integration of these additional capabilities appears in Figure 28.

    Figure 28. Extending FortiGate NGFW with Advanced Threat Protection (ATP).

    When integrated with NGFW, capabilities of ATP enhance security by providing additional protections against evolving threats, including:

    - Dual-level sandboxing, allowing code activity examination in simulated and virtual environments to detect previously unidentified threats.
    - Detailed reporting on system, process, file, and network behavior, including risk assessments.
    - Secure Web Gateway through adding web filtering, botnet, and call back detection, preventing communications with malicious sites and IPs.
    - Option to share identified threat information and receive updated in-line protections.
    - Option to integrate with other systems to simplify network security deployment.


    Figure 30. Web filtering profile control.

    Antivirus/malware. Responsible for detecting, removing, and reporting on malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection ensures that malicious threats hidden within legitimate application content are identified and removed from data streams before they can cause damage. Using AV/AM protection at client servers/devices adds an additional layer of security.

    Figure 31. FortiGate antivirus/malware.

    Anti-botnet. Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other coordinated network attacks. Organizations may prevent, uncover, and block botnet activities using Anti-Bot traffic pattern detection and IP regulation services supplied in real time.


    Figure 32. FortiGuard Anti-botnet protection.

    Web filtering. Function that allows or blocks Web traffic based on type of content, commonly defined by categories. Web filtering protects endpoints, networks and sensitive information against Web-based threats by preventing users from accessing known phishing sites and sources of malware.

    Figure 33. FortiGate Web filtering capability.

    Code emulation. Allows testing of unknown or potentially malicious traffic in a virtual environment by emulating the actual environment to which the traffic was addressed.

    Sandboxing. Isolating unknown or potentially malicious code to fully execute all functions before allowing the traffic to download into the network. Sandboxing has a unique capability to detect zero-day exploits that other security solutions cannot identify. If malicious activity is discovered, Advanced Threat Protection (ATP) can block it.

    Sandboxes and APT

    You might be wondering whether this is Back to the Future. After all, sandbox technology is old, having long been a standard safety isolation used to analyze code. So why would sandboxes be important when examining the implications of Advanced Persistent Threats (APT)?


    Sandboxes were initially developed for executable files. Now they also run application data that may contain malicious code, such as Adobe Reader documents or JavaScript, so that the sandbox identifies malicious code before it can infect your operating system. Modern sandbox technology can help detect and identify new threats, such as old legacy threats in new veneers, by emulating endpoint device environments to analyze how the potential threat behaves. In this way, relatively unknown malware, constantly being developed at all levels of complexity, and APTs may be detected, identified, cataloged, and blocked by the NGFW (Figure 34). Integrating NGFW with sandboxing allows inspection of traffic so that only suspect traffic is forwarded to the sandbox, increasing sandbox performance by reducing unnecessary operations.

    Figure 34. Sandbox deployed with NGFW Solution.

    Advanced Persistent Threats (APT)

    Since widespread availability of computer technology, especially since the introduction of affordable personal computing platforms and open availability of computer training, people have used software to target systems and networks to damage, steal, or deny access to data. Modern and future challenges, or Advanced Persistent Threats, present a more daunting sophistication of malware, attack vectors, and perseverance by which they mount offensives against their targets. Just as APT uses multiple attack layers and vectors to enhance chances of success, network security administrators must also design and implement a multi-layered defense to protect against these threats. It is critical to understand that no single network security feature will stop an APT. Simplified, a three-step approach to how NGFW addresses APTs appears in Figure 35, below.

    Figure 35. The NGFW three-step approach to APT.


    Advanced Threat Protection (ATP)

    In order to protect against modern and emerging future threats, adaptive defense tools like ATP are being incorporated into network security infrastructures at an increasing pace. This level of protection provides increased security across all network sizes from SMB to large enterprises. Critical capabilities brought to bear by ATP include:

    - Access Control. Layer 2/3 firewall, vulnerability management, two-factor authentication.
    - Threat Prevention. Intrusion Prevention (IPS), application control, Web filtering, email filtering, antimalware.
    - Threat Detection. "Sandboxing," botnet detection, client reputation, network behavior analysis.
    - Incident Response. Consolidated logs & reports, professional services, user/device quarantine, threat prevention updates.
    - Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.

    The continuous nature of ATP protection is illustrated in Figure 36, below:

    Figure 36. Fortinet Advanced Threat Protection (ATP) model.

    NGFW Deployment

    Edge vs. Core

    When deploying the NGFW, segmentation is a key consideration (see Module 1, page 8), and NGFW brings a unique combination of hardware- and software-related segmentation capabilities that allow isolation of critical network sections, such as data centers. Deploying NGFW into an Edge Network accomplishes the goal of providing control while optimizing critical infrastructure protection (Figure 37).


    Figure 37. NGFW deployment to edge network

    NGFW vs. Extended NGFW

    Another consideration that must be made is what NGFW capabilities are needed, or desired, for the network being protected. Whether to deploy extended NGFW capabilities depends on the nature of what functions will be accomplished both internally and external to the network. In particular, with the movement to more cloud-based and web applications, extended NGFW may be the best fit. As illustrated in Figure 38, Extended NGFW incorporates the capabilities of current NGFW plus enhanced features that make it more capable against modern and emerging threats.

    Figure 38. Current NGFW vs. Extended NGFW capabilities.

    One of the characteristics of most technologies is that with added capabilities come concomitant trade-offs. In the case of NGFW, the addition of inspection functions such as web filtering or anti-malware presents options that balance capabilities and protection levels against traffic processing speed. The two methods used to inspect traffic are Flow-based and Proxy-based inspection. In flow-based inspection, the NGFW performs a "string comparison" to examine patterns in the traffic without breaking the connection, resulting in a small portion of the traffic stream being inspected but with a trade-off of faster throughput. In proxy-based inspection, the entire traffic stream is analyzed, breaking the connection and reestablishing it after analysis, resulting in slower throughput.


    Table 2. Comparison between flow-based and proxy-based inspections

    Type of Inspection          | Flow-based                                                     | Proxy-based
    ----------------------------|----------------------------------------------------------------|-----------------------------------------------------
    Speed/Performance Resources | Faster                                                         | Slower
    Security Analysis Method    | Comparing traffic to database of known bad situations          | Conducting specific analysis on relevant information
    TCP Transparency            | TCP flow not broken. Only packet headers changed if necessary. | TCP convention broken, TCP sequence numbers changed.
    Protocol Awareness          | Not required                                                   | Understands protocol being analyzed
    File size limits            | Only during scanning                                           | Yes, when buffering, based on available NGFW memory
    Features supported          | Antivirus, IPS, Application Control, Web Content Filtering     | Antivirus, DLP, Web Content Filtering, AntiS
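    The flow-based versus proxy-based trade-off described above and in Table 2, as an added example that is not FortiGate code: it assumes the simplified model in the text, where flow-based inspection pattern-matches each segment as it passes and forwards it at once, while proxy-based inspection reassembles the whole stream (bounded by a constructed memory limit) and scans it before forwarding anything. The signature, the download payload and the segment sizes are constructed for illustration.

```python
"""Added example (not FortiGate code): a simplified model of flow-based versus
proxy-based inspection, showing the detection and file-size trade-off.
Signature, payload and buffer limit are constructed for illustration."""
from typing import List, Tuple

# Constructed signature standing in for one AV/IPS pattern from a "known bad" database.
SIGNATURES = [b"EVIL-MARKER-1234"]


def flow_inspect(segments: List[bytes]) -> Tuple[str, int]:
    """Pattern-match each segment independently and forward it immediately
    (connection never broken). Returns (verdict, bytes forwarded)."""
    forwarded = 0
    for seg in segments:
        if any(sig in seg for sig in SIGNATURES):
            return "block", forwarded          # remaining segments are dropped
        forwarded += len(seg)                  # earlier segments already left
    return "allow", forwarded


def proxy_inspect(segments: List[bytes], max_buffer: int) -> Tuple[str, int]:
    """Reassemble the stream (the proxy terminates the TCP session), scan it
    as one object, then forward everything or nothing. A stream larger than
    the buffer is reported as 'oversize' (the file size limit in Table 2)."""
    buf = bytearray()
    for seg in segments:
        buf += seg
        if len(buf) > max_buffer:
            return "oversize", 0
    data = bytes(buf)
    if any(sig in data for sig in SIGNATURES):
        return "block", 0                      # nothing reached the client
    return "allow", len(data)


def split_stream(payload: bytes, mss: int) -> List[bytes]:
    """Cut a payload into TCP-segment-sized chunks."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


# Constructed download (78 bytes): the signature starts at offset 32, so with
# mss=20 it straddles the boundary between the second and third segments.
PAYLOAD = b"GET /file HTTP/1.1\r\n" + b"x" * 12 + b"EVIL-MARKER-1234" + b"y" * 30


def compare(mss: int, max_buffer: int = 4096) -> dict:
    """Run both inspection models over the same segmented stream."""
    segs = split_stream(PAYLOAD, mss)
    return {"flow": flow_inspect(segs), "proxy": proxy_inspect(segs, max_buffer)}


if __name__ == "__main__":
    for mss in (20, 64):
        print(f"mss={mss}: {compare(mss)}")
    print("small buffer:", compare(64, max_buffer=32))
```

    With mss=20 the per-segment matcher forwards the whole stream because no single segment holds the complete pattern, while the proxy blocks it; with mss=64 both block, and with a 32-byte buffer the proxy cannot scan the stream at all.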