Traditional firewalls with UTM-type functionality (e.g. web filtering, intrusion prevention, antivirus) often suffered from poor performance: low throughput, high latency and inconsistent accuracy. As firewall technology evolved, so did its performance and scanning capabilities. The Next Generation Firewall (NGFW) term was coined to define a firewall that met the following criteria:
- Application and Layer-7 awareness (e.g. DPI – Deep Packet Inspection). The ability to identify applications and protocols by payload and not just the IP header. This often includes SSL inspection.
- Intrusion Prevention System (IPS) capabilities, where the firewall can identify malicious traffic, data breach attempts, anomalous patterns and DoS attacks. This can often include DLP (Data Leakage Prevention).
- High performance. An NGFW must carry out its functions at near wire-speed, enabling multi-gigabit performance without slow-down.
- External Threat Intelligence. In order to receive updated threat intelligence, IP reputation insight and attack signatures, the NGFW must communicate with a threat intelligence network (e.g. FortiLabs).
These characteristics effectively define what qualifies as an NGFW. The exact definition can vary depending on the analyst, vendor or industry commentator, but those four items are consistent across most definitions.
NGFWs are often deployed within carrier or service provider networks, the datacentre environment, virtual and cloud environments or at the enterprise-network edge.
Internal Network Firewall (INFW)
The Internal Network Firewall (INFW) is not necessarily a new technology, but a specific application of the Next Generation Firewall (NGFW) platform. In most IT or hosted environments, the traffic patterns can broadly be described as:
- North to South – Traffic going from the LAN to the Internet, and vice-versa.
- East to West – Traffic internal to the organisation, routing server-to-server, server-to-client or client-to-client but not leaving the organisation. This can be between IP subnets or routed VLAN interfaces (typical in many enterprises with L3 switches).
The exact ratio of north to south and east to west will vary from business to business and will depend on the exact IT environment. Figures from Gartner suggest 77% of traffic is East to West, whilst 17% is North to South (the remaining 6% is between sites).
These statistics set out the reason for an Internal Network Firewall (INFW): most traffic in an organisation or virtualised environment is East to West, which comes as no surprise. One of the key topics I have discussed in previous articles, and a recurring theme with our clients, is safeguarding against data leaks, data theft, data breaches, malware and APTs (advanced persistent threats), all of which fall under the umbrella of cyber-security.
The most common location for a firewall is at the network edge. NGFW devices deployed in this manner can identify north-to-south threats, viruses and data breaches. The type of threat could include “botted hosts” trying to phone home (identified through DNS traffic, IPS signatures or IP reputation patterns), or a user accessing a website that tries to exploit a bug in Adobe Acrobat; the possibilities are literally endless, and growing by the day. Modern threats are intelligent: they can use methods such as steganography, encryption and obfuscation to hide their presence. An innocent-looking JPEG image being posted to a website could contain corporate data. The threat landscape has changed.
What about the internal traffic?
Perimeter devices may identify external threats, but what about those moving or probing within your internal network? Moving between sites or subnets, in your virtualised networks and server farms, on your virtualised LAN segment! The infection vector could have been USB, a mobile device, a laptop or an exploit bundled in with custom software.
The enumeration of your systems, data assets and network topology will all take place within your internal network environment. This surveillance process could be automated and undertaken by the malware or equally, it could be performed by a rogue employee or an individual with (unauthorised) access to your network or systems.
If this traffic does not traverse your edge security device, how can you detect these threats?
The internal border-crossing of your network
The ideal place for an INFW is literally in the middle of your network or networks. There are a number of deployment methods, the most suitable method will depend on your network topology and your network throughput. MTG design and deploy service provider and enterprise networks so we are often involved in the design and configuration of networks.
- Transparent Bridge / Inline. This mode offers the best balance of security and simplicity from a network reconfiguration standpoint. In this scenario the firewall is connected between network segments transparently. This could be using 1GE, 10GE and 40GE interfaces, with the respective fibre/copper derivatives where appropriate. Network security policies can be enforced, even in L2 operation. With inline operation, the device can intervene, block and alert you to risky traffic patterns or data leak attempts.
- Sniffer Mode. Your network switches can be configured to mirror VLANs or interfaces and send this mirrored traffic to the firewall, similar in operation to an IPS probe. The disadvantage of this mode is that it cannot intervene in the traffic flow, only observe and alert.
- Active Deployment. This mode has the highest levels of security, visibility and enforcement – but requires a level of network reconfiguration. The firewall can replace your SVI/VLAN interfaces on your switching fabric, it can partake in your L3 routing protocols (e.g. BGP/OSPF) or provide physical interfaces and routing between subnets. Network security policies can be applied to interfaces (VLAN or physical) and all traffic can be scanned.
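The following is an added example (not code from the original article or from MTG) that models the traffic taxonomy above and the coverage of two deployments: an edge-only NGFW and an INFW in transparent-bridge mode between two segments. The addressing (10.1.0.0/16 user LAN, 10.2.0.0/16 server farm, 10.3.0.0/16 remote site) and the flow records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data, not from the original article. Assumed addressing:
# 10.1.0.0/16 = user LAN, 10.2.0.0/16 = server farm, 10.3.0.0/16 = a remote site.
LAN = ipaddress.ip_network("10.1.0.0/16")
SERVERS = ipaddress.ip_network("10.2.0.0/16")
REMOTE_SITE = ipaddress.ip_network("10.3.0.0/16")

FLOWS = [  # (src, dst, bytes) - constructed flow records
    ("10.1.5.20", "203.0.113.10", 12000),   # client -> Internet web server
    ("10.1.5.20", "10.2.0.15", 90000),      # client -> internal file server
    ("10.2.0.15", "10.2.0.40", 500000),     # server -> server backup, same segment
    ("10.2.0.15", "10.3.7.9", 30000),       # server -> remote site over the WAN
    ("198.51.100.7", "10.2.0.80", 8000),    # inbound from the Internet
    ("10.1.9.3", "10.1.9.200", 4000),       # client -> client, same LAN
]

def classify(src, dst):
    """Label a flow with the article's taxonomy: north-south, east-west or inter-site."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s_local, d_local = (s in LAN or s in SERVERS), (d in LAN or d in SERVERS)
    if s_local and d_local:
        return "east-west"
    if (s_local and d in REMOTE_SITE) or (d_local and s in REMOTE_SITE):
        return "inter-site"
    return "north-south"

def edge_ngfw_sees(src, dst):
    """An edge-only NGFW inspects flows crossing the perimeter (assumed to include
    the WAN link to the remote site); east-west flows never reach it."""
    return classify(src, dst) != "east-west"

def bridged_infw_sees(src, dst):
    """An INFW bridged transparently between the LAN and server segments sees
    flows crossing that boundary, but not traffic that stays inside one segment."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in LAN and d in SERVERS) or (s in SERVERS and d in LAN)

def coverage(flows):
    """Return byte share per direction, bytes % unseen by the edge NGFW alone,
    and bytes % still unseen once the bridged INFW is added."""
    by_dir, edge_missed, infw_missed, total = Counter(), 0, 0, 0
    for src, dst, n in flows:
        by_dir[classify(src, dst)] += n
        total += n
        edge_missed += 0 if edge_ngfw_sees(src, dst) else n
        infw_missed += 0 if (edge_ngfw_sees(src, dst) or bridged_infw_sees(src, dst)) else n
    pct = lambda b: round(100 * b / total, 1)
    return {d: pct(b) for d, b in by_dir.items()}, pct(edge_missed), pct(infw_missed)
```

With this sample, 92.2% of bytes bypass the edge NGFW, and the bridged INFW still misses the same-segment server backup and client-to-client flows (78.3% of bytes), which is why placement relative to your segments, or the active deployment mode that owns the VLAN interfaces, matters as much as the decision to deploy an INFW at all.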
Once an INFW has been deployed, your business can be safe in the knowledge its internal (east to west) traffic is scanned for threats, viruses, intrusion attempts and data leakage activity.
An enterprise can opt for centralised deployment mode, clustered deployments or distributed environments (a device per site).
The INFW can also integrate with our range of endpoint protection and Sandboxing solutions, for advanced payload analysis.
Speak to MTG about INFW
If your business has a requirement for an INFW speak to MTG. Our team of network and security engineers can design and implement an INFW solution for your network environment. Key capabilities include:
- Network integration options.
- 1GE, 10GE and 40GE network support.
- Copper, optical and VLAN interfaces.
- High throughput (from 100Mbps to 40Gbps+).
- Transparent, sniffer and active deployment modes.
- IPS (Intrusion Prevention).
- Antivirus and Sandboxing.
- DLP (Data Leakage Prevention).
- Traffic shaping and QoS.
- Application control and reporting.
- IP Reputation and threat intelligence.