A next-generation firewall (NGFW) is a part of the third generation of firewall technology that is implemented in either hardware or software and is capable of detecting and blocking sophisticated attacks by enforcing security policies at the application, port and protocol levels.
NGFWs typically feature advanced functions including:
• Application awareness;
• Integrated intrusion prevention systems (IPS);
• Identity awareness -- user and group control;
• Bridged and routed modes; and
• The ability to use external intelligence sources.
Of these offerings, most next-generation firewalls integrate at least three basic functions: enterprise firewall capabilities, an intrusion prevention system (IPS) and application control.
Like the introduction of stateful inspection in traditional firewalls, NGFWs bring additional context to the firewall's decision-making process by providing it with the ability to understand the details of the web application traffic passing through it and to take action to block traffic that might exploit vulnerabilities.
Next-generation firewall features
NGFWs combine many of the capabilities of traditional firewalls -- including packet filtering, network address translation (NAT) and port address translation (PAT), URL blocking, and virtual private networks (VPNs) -- with quality of service (QoS) functionality and other features that are not found in traditional firewalls. These include intrusion prevention, SSL and SSH inspection, deep-packet inspection, and reputation-based malware detection, as well as application awareness.
These application-specific capabilities are meant to thwart the growing number of application attacks taking place at Layers 4-7 of the OSI network stack.
Benefits of next-generation firewalls
The different features of next-generation firewalls combine to create unique benefits for users. NGFWs are often able to block malware before it enters a network, something that wasn't previously possible.
NGFWs are also better equipped to address advanced persistent threats (APTs) because they can be integrated with threat intelligence services. NGFWs can also offer a low-cost option for companies trying to improve basic device security through the use of application awareness, inspection services, protection systems and awareness tools.
Web security products allow organizations to secure web traffic effectively while still enabling the latest web-based tools and applications. These products analyze web traffic in real time, instantly categorizing new sites and dynamic content, proactively discovering security risks, and blocking dangerous malware. They also protect against spyware, malicious mobile code, phishing attacks and bots, and prevent keylogger backchannel communications from reaching their host servers and other threats. They also help in filtering and controlling the content that can be viewed on a network.
A few benefits of using these products are listed below:
• Improved network and cost efficiency – Increase bandwidth and reduce administrative time while keeping email policy control within the network.
• Mitigate risk and realize ROI – Definitive levels of protection and visibility with drill-down, delegated policy and user-based reporting.
• Use a single trusted vendor – Consolidate Email Security through Websense and receive support from a single point of contact.
Data loss prevention (DLP) is a key term in most organizations today, since protecting data is central to competitive advantage. Securing data against internal threats is a top concern for organizations. DLP is simply the use of various techniques to prevent critical data from leaving the organization without authorization.
DLP products can be defined as:
“Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use, through deep content analysis.”
Some of the most common techniques used in these products to detect and prevent unauthorized extrusion of data are:
1. Rule bases / regular expressions.
2. Database fingerprinting.
3. Exact file matching.
4. Partial document matching.
5. Statistical analysis.
6. Predefined categorization.
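As an added illustration (not code from the original page or from any DLP product), the following Python sketch shows three of the techniques in the list above applied to an outbound message: a rule base (a card-number regular expression tightened with a Luhn checksum), exact file matching (a SHA-256 hash compared against a set of protected-file hashes), and partial document matching (word-shingle Jaccard similarity against a protected document). The document text, message and threshold are constructed sample values.

```python
import hashlib
import re

# Rule base: 16-digit card-like numbers, optionally separated by spaces or
# hyphens, tightened with a Luhn checksum so random digit runs do not match.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def regex_hits(text):
    """Technique 1: rule base / regular expression with a checksum filter."""
    found = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    return [d for d in found if luhn_ok(d)]

def fingerprint(data):
    """Technique 3: exact file matching compares a hash of the whole file."""
    return hashlib.sha256(data).hexdigest()

def shingles(text, k=5):
    words = text.lower().split()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def partial_match(candidate, protected, k=5):
    """Technique 4: partial document matching via word-shingle Jaccard similarity."""
    a, b = shingles(candidate, k), shingles(protected, k)
    return len(a & b) / len(a | b) if a and b else 0.0

def scan(data, protected_hashes, protected_docs, threshold=0.3):
    """Run the three techniques over an outbound message and report what fired."""
    findings = []
    text = data.decode("utf-8", errors="replace")
    for digits in regex_hits(text):
        findings.append(("regex", "card-like number " + digits[-4:].rjust(16, "*")))
    if fingerprint(data) in protected_hashes:
        findings.append(("exact_file", fingerprint(data)))
    for name, doc in protected_docs.items():
        score = partial_match(text, doc)
        if score >= threshold:
            findings.append(("partial_doc", f"{name} similarity={score:.2f}"))
    return findings

# Constructed sample inputs (not real data): a protected document and an outbound message.
PROTECTED_DOC = "project falcon merger terms are confidential until the board approves the deal"
OUTBOUND = (b"as discussed project falcon merger terms are confidential until the board "
            b"approves the deal thanks, card 4111 1111 1111 1111, ref 1234 5678 9012 3456")
```

Calling `scan(OUTBOUND, {fingerprint(OUTBOUND)}, {"falcon": PROTECTED_DOC})` fires all three techniques; the second digit run is rejected by the checksum, which is how a rule base keeps its false-positive rate down.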
SSL-VPN stands for Secure Socket Layer Virtual Private Network. It is a term used to refer to any device that is capable of creating a semi-permanent encrypted tunnel over the public network between two private machines or networks to pass non-protocol-specific, or arbitrary, traffic. This tunnel can carry all forms of traffic between these two machines, meaning it encrypts on a link basis, not on a per-application basis.
Benefits of using SSL VPN:
• Improves workforce productivity, since employees and contractors can perform tasks even when not physically present in their usual work facilities.
• Easy deployment since it does not require any special client software to be installed.
• Provides more security options.
• Improved manageability due to highly configurable access control capabilities, health checks etc.
• Lowers costs because of the increased self-service capabilities for conducting business with outside parties such as suppliers and customers. Employees can work remotely on a regular basis (e.g., IT consulting), thereby allowing the organization to maintain less office space (and save money).
• Increased self-service capabilities for suppliers improve their efficiency, yielding better-negotiated service/product rates.
• If remote access is used as part of business-continuity strategy, fewer seats may be necessary at disaster-recovery/business-continuity facilities than if all workers must work at the secondary site.
Endpoint (next-generation antivirus)
Modern attacks such as ransomware and advanced phishing are becoming more prevalent each year. "Next-generation" attacks require next-generation antivirus (NGAV), which can stop more attacks, see more threats and close more security gaps than traditional AV. NGAV solutions that are purpose-built to utilize cloud-based analytics enable an even more dynamic, proactive approach to endpoint security. In this webcast, SANS will discuss how cloud-based analytics can assist organizations in managing the security of their endpoints and function with NGAV to improve protection and simplify operations.
Next-generation antivirus solutions aim to prevent all types of attacks, known and unknown, by monitoring and responding to attacker tactics, techniques and procedures (TTPs), and by providing security administrators with real-time response capabilities, data science, predictive analytics, and threat intelligence.
Next-Generation Antivirus takes traditional antivirus software to a new, advanced level of endpoint security protection. It goes beyond known file-based malware signatures and heuristics because it’s a system-centric, cloud-based approach. It uses predictive analytics driven by machine learning and artificial intelligence and combines with threat intelligence to:
• Detect and prevent malware and fileless non-malware attacks
• Identify malicious behavior and TTPs from unknown sources
• Collect and analyze comprehensive endpoint data to determine root causes
• Respond to new and emerging threats that previously went undetected.
Why Traditional Antivirus Software No Longer Works
Today’s attackers know exactly where to find gaps and weaknesses in an organization’s network perimeter security – and they penetrate these in ways that easily bypass traditional antivirus software. These attackers use highly developed tools that leverage:
• Memory-based attacks
• PowerShell scripting language
• Remote logins
• Macro-based attacks
And because traditional AV focuses only on signature-file or definition-based threats, it cannot detect modern threats that do not introduce new files to the system.
However, NGAV focuses on events – files, processes, applications, and network connections – to see how actions, or event streams, in each of these areas are related. Analysis of event streams can help identify malicious intent, behaviors, and activities – and once identified, the attackers can be blocked.
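As an added example of the event-stream correlation described above (not code from the original page or from any vendor's product), the Python below relates process-creation and network-connection events by process ID and parent ID, and raises an alert when a scripting host started underneath an Office application goes on to open a network connection. No new file reaches disk in that chain, which is why a purely signature-based scanner sees nothing; the event list is constructed sample telemetry and the destination addresses are from documentation ranges.

```python
# Constructed endpoint event stream (not real telemetry), in the shape an EDR
# sensor might report: process creations, a file open, and network connections.
EVENTS = [
    {"t": 1, "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"t": 2, "type": "process", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"t": 3, "type": "file", "pid": 200, "path": "C:\\Users\\u\\Downloads\\invoice.docm"},
    {"t": 4, "type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"t": 5, "type": "network", "pid": 300, "dst": "203.0.113.7:443"},
    {"t": 6, "type": "process", "pid": 400, "ppid": 100, "image": "powershell.exe"},
    {"t": 7, "type": "network", "pid": 400, "dst": "192.0.2.10:5985"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def build_process_table(events):
    """Index process-creation events by pid so later events can be related to them."""
    return {e["pid"]: e for e in events if e["type"] == "process"}

def ancestry(pid, procs):
    """Walk pid -> ppid and return the chain of lower-cased image names, nearest first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)                       # guard against pid reuse creating a cycle
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain

def detect(events):
    """Alert on network activity from a script host whose ancestry includes an Office app."""
    procs = build_process_table(events)
    alerts = []
    for e in events:
        if e["type"] != "network":
            continue
        chain = ancestry(e["pid"], procs)
        if chain and chain[0] in SCRIPT_HOSTS and any(p in OFFICE_APPS for p in chain[1:]):
            alerts.append({"pid": e["pid"], "dst": e["dst"], "chain": " <- ".join(chain)})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The second PowerShell process (pid 400) is launched directly from the desktop shell and produces no alert, showing that the rule keys on the relationship between events rather than on the presence of PowerShell alone.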
EDR: A Foundational Must for NGAV
According to its 2017 Market Guide for Endpoint Detection and Response Solutions, Gartner now considers endpoint detection and response (EDR) as a foundational security capability. When it is combined with NGAV, companies can more accurately identify suspicious and unauthorized activities, preventing many of these behaviors outright and enabling the capabilities to respond and remediate advanced malicious threats faster and better than ever before.
To help NGAV solutions identify threats that slip past traditional AV, EDR provides a holistic approach to data collection, which in turn powers machine learning, predictive analytics, and behavior monitoring with a complete picture of the environment. Together, these technologies help companies monitor events and identify patterns that may be suspicious, turning them into attack visualizations that can be easily consumed by administrators and responders.
EDR can help discover even the most minute changes in files, the registry, and network activity, helping security teams uncover malicious activity hidden in plain sight. From there, EDR helps responders contain the identified threats and block emerging, never-before-seen attacks that could otherwise slip through most NGAV solutions.