http://seclists.org/educause/2011/q1/194

Our next-generation firewall is a true revolution in network security and administration.

http://www.mcafee.com/OverhaulYourFirewall

I wonder if this is just a reworked Sidewinder or something totally different.

(Link: Fortinet)

In the paper, Gartner states that an NGFW should at least:

• support bump-in-the-wire configuration
• act as a platform for network traffic inspection and network policy enforcement with the following minimum features:
• standard first-generation firewall capabilities: packet filtering, NAT, stateful inspection, VPN, etc.
• integrated IPS and threat prevention (not colocated like a UTM)
• application awareness
• Extrafirewall intelligence: Bring information from sources outside the firewall to make improved blocking decisions, or have an optimized blocking rule base. Examples include using directory integration to tie blocking to user identity, or having blacklists and whitelists of addresses.
• Support upgrade paths for integration of new information feeds and new technigques to address future threats.

The “Extrafirewall intelligence” paragraph is a long-winded way of saying URL filtering and LDAP integration.

Compare this to Gartner’s definition of a Secure Web Gateway from 2008:

Secure Web Gateway’s must, at a minimum, include URL filtering, malicious-code detection and filtering and application controls for popular Web-based applications, such as instant messaging (IM) and Skype.

and their SWG definition from the NGFW paper:

These focus on enforcing outbound user access control and inbound malware prevention during HTTP browsing over the Internet, through integrated URL filtering and through Web Antivirus. They implement more user-centric Web security policy, not network security policy, on an “any source to any destination using any protocol” basis.

The only difference that is that Gartner doesn’t explicitly call for URL filtering or user-centric policy control in their NGFW definition opting for a jargony paragraph on “extrafirewall intelligence” that readers will forget.

I don’t know why. Perhaps if they did, it would be harder to justify the SWG as anything other than a because-your-firewall-should-do-it-but-can’t solution.

NGFWs like Palo Alto Networks are not only replacing firewalls, but also SWGs like Blue Coat. This indicates that at least some customers view SWGs as superfluous in an NGFW environment. Time will tell whether or not SWGs have any merit in a network that is protected by an NGFW. I’m sure there are customers with workflows and requirements specific to URL/web access that could only be addressed by an SWG type solution but the number of customers that opt for SWGs is sure to dwindle in my view.

Download the Garnter NGFW Research Note

I was wrong by 4 months. FortOS 4.0, with SSL inspection, was released today. It boasts:

• Application Control
• SSL Inspection
• Data Leakage Prevention (DLP)
• WAN Optimization

The first three are to catch up with Palo Alto, but WAN optimization puts them ahead in the feature set.

Apparently they are doing this using SSL inspection (outbound SSL proxy) as opposed to using application signatures. Outbound SSL proxies introduce a new range of hassles. It would be better if they could detect the application (ahem) and block it that way:

The new filtering engine of Astaro’s version 7.4 also allows users to filter and control secure web traffic (HTTPS). With inferior web security solutions, users can circumvent the security policy simply by accessing sites over HTTPS, which encrypts the session between the client browser and the target destination. Astaro’s version 7.4 intercepts encrypted HTTPS traffic and examines the content for malware, stops spyware infections, and controls what types of sites can be accessed.

In addition to (instead of?) of blocking Ultrasurf at the network level, one could control such applications at the desktop level. Sophos does this with panache. Using a whitelisting program like Bit9 or Lumension also turns this into a non-issue. If there are other ways to solve this problem, let me know.

This ebook provides a brief introduction to the limitations of traditional port-blocking firewalls and explains how Palo Alto Networks resolves these problems.

There is an in-depth product demo here.

More discussion on the topic at What is a Firewall.

Via Nir Zuk responds | ThreatChaos

If you think the word “firewall” as strictly denoting the function of stateful inspection, then you’ll agree with Mike. If you think the word “firewall” is the box you put at the edge of your network to keep the nasty stuff out, you’ll agree with Richard. I think the market will come to agree with Richard. They buy the firewall to keep the crap out and they don’t care how it does it. The trend of combining features in a more manageable platform is innovation – it is marketing and design innovation, if not “firewall” innovation.

Palo Alto Networks was mentioned often in the discussion. It is interesting to note that PAN has intentionally avoided the term UTM. It is a term of derision for them. “UTM just means a bunch of bolt on junk. Our stuff is integrated!” They have tried to change the common usage of the firewall term to mean more than just stateful inspection. “We apply rules based on users and applications rather than just port and protocol.” “Next-generation firewall” is what their marketing team came up with and, to Hoff’s dismay, it is starting to catch. Secure Computing and Fortinet have used either “next generation firewall” or “new generation firewall” in their marketing recently.

Ultrasurf uses “140300000101″ for SSL ehlo messages. If you can block this signature with the your firewall you can block ultrasurf. To do this follow these steps:

1. Create a custom object in Firewall/Application Object section. Lets say the name of the object is “Ultra”
2. Application object type must be “Custom object”
3. Match Type must be “Exact Match”
4. Input Representation must be “Hexadecimal”
5. Then add Content “140300000101″

Then go to Object Policy/Application Firewall Policy Settings:

1. Policy name: write whatever you want
2. Policy type “Custom Policy”
3. Adress Source “Any”, Destionation “Any”
4. Service Source “Any”, Destionation “Any”
5. Exclusion Adrsss “None”
6. Application Object “Ultra Object” **Select the object which you write in the first section
7. Action “Reset/Drop”
8. Users/Group Included “All”, Excluded “None”
9. Schedule “Always On”
10. Enable loging “Check”
11. Redundancy Filters “Use Global settings checked”
12. Connection Side “Client Side”
13. Direction “Basic” Both

Dont forget to enable the Application Firewall feature. This is a bit easier to do on a Palo Alto firewall since the application is already identified natively by the box, you just have to block it in one of your threat profile policies.