module 2 -nse1---ngfw

Upload: alejandro-aguilar

Post on 05-Jul-2018


8/16/2019 Module 2 -NSE1---NGFW

Study Guide for NSE 1: Next Generation Firewall (NGFW)

February 1, 2016

This Study Guide is designed to provide information for the Fortinet Network Security Expert Program – Level 1 curriculum. The study guide presents discussions on concepts and equipment necessary as a foundational understanding for modern network security prior to taking more advanced and focused NSE program levels.

Fortinet Network Security Solutions


Contents

Figures
Tables
Next Generation Firewall (NGFW)
    Technology Trends
    NGFW Characteristics: Fundamental Changes
    NGFW Evolution
    Traditional NGFW Capabilities
    NGFW Functions
    Extended NGFW Capabilities
    Sandboxes and APT
    Advanced Persistent Threats (APT)
    Advanced Threat Protection (ATP)
    NGFW Deployment
    Edge vs. Core
    NGFW vs. Extended NGFW
    Summary
Key Acronyms
Glossary
References


Figures

Figure 1. Bring Your Own Device (BYOD) practices in 2011.
Figure 2. Edge firewall vs. NGFW traffic visibility.
Figure 3. Traditional port configuration example.
Figure 4. NGFW configuration example by application, user ID.
Figure 5. NGFW evolution timeline.
Figure 6. Intrusion Prevention System (IPS).
Figure 7. Deep Packet Inspection (DPI).
Figure 8. Network application identification and control.
Figure 9. Access enforcement (User identity).
Figure 10. NGFW distributed enterprise-level capability.
Figure 11. Extra-firewall intelligence IP list assignment.
Figure 12. Notional network with managed security (MSSP).
Figure 13. Application awareness: The NGFW application monitoring feature.
Figure 14. Extending NGFW with Advanced Threat Protection (ATP).
Figure 15. Authentication functions integrated into NGFW.
Figure 16. Web filtering profile control.
Figure 17. Antivirus/malware.
Figure 18. Anti-botnet protection.
Figure 19. Web filtering capability.
Figure 20. Sandbox deployed with NGFW Solution.
Figure 21. The NGFW three-step approach to APT.
Figure 22. Advanced Threat Protection (ATP) model.
Figure 23. NGFW deployment to edge network.
Figure 24. Current NGFW vs. Extended NGFW capabilities.


Tables

Table 1. Comparative security features of edge firewalls vs. NGFW.
Table 2. Comparison between flow-based and proxy-based inspections.


Next Generation Firewall (NGFW)

Just because you’re paranoid that hackers are trying to steal your data…
…doesn’t mean they’re not really out to get you!

Early firewalls acted much like a fire door in a building—if something bad was happening in the hallway, it protected what was in your room and other parts of the building. As personal computers became more affordable and digital portable devices became more widespread, system and network threats evolved as well, creating a need for protection technology able to evolve along with—or ahead of—advanced threats. Legacy firewalls operated on the basis of port access, using source/destination IP addresses or TCP/UDP port data to discern whether packets should be allowed to pass between networks or be blocked or rejected. Most firewall configurations allowed all traffic from trusted networks to pass through to untrusted networks, unless policy exceptions were implemented. In closed networks and the early days of the Internet, this was a viable option. This predominantly static firewall configuration model, however, no longer provides adequate protection against advanced and emerging system and network threats to large, distributed enterprise businesses and organizations having to serve customers, clients, and employees in an ever-evolving mobile environment.

Technology Trends

Trends in information technology development and employment over the last 15 years have led to a need to rethink the methodology behind modern network security. To further exacerbate this challenge, these trends occurred simultaneously across major industry, all levels of business, and personal consumer environments.

Consumerization of IT has resulted in IT-enabled devices—such as smartphones, digital music and video players, recorders, cameras, and others—becoming so commonplace in the market that their lower pricing resulted in an explosion of individual consumers acquiring technology-enabled devices for personal use. This extends beyond the obvious devices listed above. IT-enabled devices now include such appliances as refrigerator/freezers, home security systems, personal home networks that include WiFi-enabled televisions, stereos, and even the automated “smart house.” In other words, what we have to be mindful of today is the Internet of Things (IoT) when we acquire devices and appliances.

Because consumers have embraced technology devices for both communication and information sharing, social media has been embraced at the enterprise level as a way to reach consumer markets and supplement Web and traditional marketing and communication pathways. With so many applications—especially social media—being cloud based, the challenge of network security expands beneath the surface of traffic and into its substance.


With the proliferation of inexpensive, technology-enabled devices interacting with business networks—including both external users and those using personal devices for work purposes (Bring Your Own Device, BYOD)—the question becomes one of how to provide security, network visibility, control, and user visibility simultaneously without an exponential increase in required resources (Figure 1).

Figure 1. Bring Your Own Device (BYOD) practices in 2011.

NGFW Characteristics: Fundamental Changes

The primary benefit of NGFW is visibility and control of traffic entering the firewall ports. In legacy firewalls, ports were opened and closed, or protocols allowed or disallowed, without consideration beyond basic characteristics.

Figure 2. Edge firewall vs. NGFW traffic visibility.

With NGFW, administrators are provided finer granularity that gives deeper insight into the traffic attempting to access the network (Figure 2). This includes deeper visibility of users and devices, as well as the ability to allow or limit access based on specific applications and content rather than accepting or rejecting any traffic using a particular transmission protocol. This is the primary difference that separates traditional and next generation firewalls (NGFW).


With a traditional firewall, traffic is accepted based on the identification criteria of designated port and IP address. Conversely, with NGFW traffic is accepted based on user ID (not port) and on both the IP address and the traffic content. The diagrams in Figures 3 and 4 better illustrate the visibility and control capability provided when NGFW is integrated into the network security architecture, supplanting the legacy edge firewall.

When comparing the granularity with which traditional and next generation firewalls assess data, note that in NGFW the ports are identified along with the traffic flowing through them, as well as specific information about the user sending the traffic, the traffic origin, and the type (content) of traffic being received. This information goes beyond the basic link level and brings security into OSI levels 3 & 4 (application security capability).

Figure 3. Traditional port configuration example.

Figure 4. NGFW configuration example by application, user ID.

In addition to enhanced visibility over traffic, NGFW provides enhancements in both complex security protection and administrator control simplicity over traditional firewalls, as compared in Table 1.

Table 1. Comparative security features of edge firewalls vs. NGFW.

    Edge Firewall                   NGFW
    Gatekeeper                      Gatekeeper
    ISO/OSI L4 Port Protocol        Application-Centric (Content Flow) Protocol
    Basic Security + Add-ons        Integrated Security Solutions
    Complex Architecture            Integrated Architecture
    Complex Control                 Simplified Control
    Simple – Moderate Security      Integrated Complex Security


NGFW Evolution

Referring to an evolving technology offering high-performance protection, Next Generation Firewalls (NGFW) provide solutions against a wide range of advanced threats against applications, data, and users. Going beyond standard firewall protections, NGFW integrates multiple capabilities to combat advanced and emerging threats. These capabilities include an intrusion prevention system (IPS), deep packet scanning, network application identification and control, and access enforcement based on user identity verification. Emerging tools include Advanced Threat Protection (ATP) to mitigate multi-vector, persistent network or system attacks against large and distributed enterprise networks.

The concept of NGFW (Figure 5) was first coined by Gartner in 2004 in their paper discussing the need for integrating IPS, coupled with Deep Packet Inspection and general application-inspection capabilities, into firewalls [1]. In 2008, Gartner redefined NGFW as security devices including an enterprise-level firewall integrating IPS or Deep Packet Inspection, Application Identification, and “extra-firewall” intelligence (such as a Web Content Filter), while allowing for interoperability with third-party rule-management technology [2]. In 2009, Gartner published a new definition of NGFW, defining the characteristics as including VPN, integrated IPS interoperability with firewall components, application awareness, and “extra-firewall” intelligence [3].

Figure 5. NGFW evolution timeline.

Traditional NGFW Capabilities

Traditional NGFW provides solutions against a wide range of advanced threats against applications, data, and users. Traditional enterprise network security solutions such as legacy firewalls and stand-alone intrusion detection/prevention systems (IPS) are no longer adequate to protect against today’s sophisticated attacks. In order to defend networks against the latest threats, NGFWs should include, at a minimum, the ability to identify and control applications running over a network, an integrated intrusion prevention system (IPS) with deep packet scanning capabilities, and the ability to verify a user’s or device’s identity and enforce access policies accordingly.

However, advanced threats require advanced protection. Some NGFW devices—such as the FortiGate line—include additional technologies that provide you with a real-time ranking of the security risk of devices on your network and cloud-based threat detection and prevention. Traditional NGFW integrates multiple capabilities to combat emerging threats.


Figure 6. Intrusion Prevention System (IPS).

Intrusion Prevention System (IPS). Sometimes called integrated IDS/IPS. An IPS monitors the network and directs the firewall to allow or block traffic. An Intrusion Detection System (IDS) detects threats but does not alert the firewall to take action against identified threats or unknown traffic. IDS is integrated into IPS technology. IPS has been used as part of edge-based protection as a firewall enhancement; however, it is more effective to tie it into network segregation, enabling protection against both internal and external attacks against critical servers (Figure 6) [4].

Figure 7. Deep Packet Inspection (DPI).

Deep Packet Inspection (DPI). Examining the payload or data portion of a network packet as it passes through a firewall or other security device (Figure 7). DPI identifies and classifies network traffic based on signatures in the payload [5], and examines packets for protocol errors, viruses, spam, intrusions, or policy violations.


Figure 8. Network application identification and control.

Network Application Identification & Control. Traditional firewall protection detects and restricts applications by port, protocol and server IP address, and cannot detect malicious content or abnormal behavior in many web-based applications (Figure 8). Next Generation Firewall (NGFW) technology with Application Control allows you to identify and control applications on networks and endpoints regardless of the port, protocol, and IP address used. It gives you unmatched visibility and control over application traffic, even unknown applications from unknown sources, and inspects encrypted application traffic. Protocol decoders normalize and discover traffic from applications attempting to evade detection via obfuscation techniques. Following identification and decryption, application traffic is either blocked, or allowed and scanned for malicious payloads. In addition, application control protocol decoders detect and decrypt tunneled IPsec VPN and SSL VPN traffic prior to inspection, ensuring total network visibility. Application control even decrypts and inspects traffic using encrypted communications protocols, such as HTTPS, POP3S, SMTPS and IMAPS.

Figure 9. Access enforcement (User identity).


Access Enforcement (User Identity). When a user attempts to access network resources, Next Generation Firewalls (NGFW) allow identification of the user from a list of names, IP addresses and Active Directory (AD) group memberships that the firewall maintains locally. The connection request will be allowed only if the user belongs to one of the permitted user groups, and the assigned firewall policy will be applied to all traffic to and from that user (Figure 9).

Figure 10. NGFW distributed enterprise-level capability.

Distributed Enterprise-level Capability. Capable of operating in large, distributed enterprise networks. The foundation of the enterprise campus offering is a high-performance next generation firewall (NGFW) that adds intrusion prevention, application control and antimalware to the traditional firewall/VPN combination (Figure 10). In particular, Fortinet NGFWs:

• Provide fine-grained, user- or device-based visibility and control over more than 3000 discrete applications to establish/enforce appropriate policies.
• Include powerful intrusion prevention, looking beyond port and protocol to the actual content of your network traffic to identify and stop threats.
• Leverage top-rated antimalware to proactively detect malicious code seeking entry to the network.
• Deliver actionable application and risk dashboards/reports for real-time views into network activity.
• Run on purpose-built appliances with custom ASICs for superior, multi-function performance, even over encrypted traffic.


Figure 11. Extra-firewall intelligence IP list assignment.

“Extra-firewall” Intelligence. This provides the ability to create lists for access or denial of external traffic to the network. These lists may be designated by IP address. List types include:

White List. Designated sources considered trusted, which will be allowed access to the network.
Black List. Designated sources considered not trusted, which will be denied access to the network.

A key point to this function is that the source is based on an address; therefore, access does not relate to any specific type of information that may be carried in traffic from that source. This is a surface screening rather than a content screening function.
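The contrast the guide draws in Figures 3 and 4 and Table 1 (matching on port and address vs. matching on user, application and content), the AD-group-based access enforcement of Figure 9, and the address-only white/black lists described above can be put side by side in a small policy engine. This is an added example, not code from the study guide or from Fortinet: the hosts, users, groups, applications and list entries are constructed sample data, and the application and category labels stand in for the identification results a real NGFW would produce.

```python
"""Toy policy engine: legacy port/IP rules vs. NGFW user/application/content
rules. Added example, not part of the study guide; every host, user, AD group,
application and list entry below is constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    app: str        # application identified from payload signatures, not port
    category: str   # web-filter category of the destination content


# "Extra-firewall" intelligence (Figure 11): address-only lists. This is
# surface screening: the decision never looks at what the traffic carries.
BLACK_LIST = [ip_network("203.0.113.0/24")]    # constructed untrusted range
WHITE_LIST = [ip_network("198.51.100.10/32")]  # constructed trusted host


def address_screen(flow):
    """Return "deny", "allow", or None when neither list matches the source."""
    src = ip_address(flow.src_ip)
    if any(src in net for net in BLACK_LIST):
        return "deny"
    if any(src in net for net in WHITE_LIST):
        return "allow"
    return None


# Legacy edge firewall (Figure 3): protocol and destination port only.
LEGACY_POLICY = [("tcp", 80, "allow"), ("tcp", 443, "allow")]


def legacy_decision(flow):
    for proto, port, action in LEGACY_POLICY:
        if proto == flow.proto and port == flow.dst_port:
            return action
    return "deny"  # implicit deny for anything not listed


# NGFW (Figures 4 and 9): the user is identified from a locally maintained
# IP-to-user map and AD group memberships; rules key on group, application
# and content category, regardless of the port the application uses.
USER_BY_IP = {"10.0.0.21": "alice", "10.0.0.22": "bob"}
AD_GROUPS = {"alice": {"Engineering"}, "bob": {"Contractors"}}


@dataclass(frozen=True)
class NgfwRule:
    groups: frozenset              # AD groups this rule applies to
    apps: frozenset                # applications permitted for those groups
    blocked_categories: frozenset  # content categories denied even for those apps


NGFW_POLICY = [
    NgfwRule(frozenset({"Engineering"}),
             frozenset({"https-browsing", "git"}),
             frozenset({"malware", "phishing"})),
    NgfwRule(frozenset({"Contractors"}),
             frozenset({"https-browsing"}),
             frozenset({"malware", "phishing", "file-sharing"})),
]


def ngfw_decision(flow):
    screened = address_screen(flow)   # address lists are consulted first
    if screened is not None:
        return screened
    user = USER_BY_IP.get(flow.src_ip)
    if user is None:
        return "deny"                 # unidentified user: no group can match
    groups = AD_GROUPS.get(user, set())
    for rule in NGFW_POLICY:
        if not (rule.groups & groups) or flow.app not in rule.apps:
            continue
        if flow.category in rule.blocked_categories:
            return "deny"
        return "allow"
    return "deny"


def compare(flow):
    """Return (legacy decision, NGFW decision) for one flow."""
    return legacy_decision(flow), ngfw_decision(flow)


if __name__ == "__main__":
    # Constructed flows: a file-sharing application tunnelled over tcp/443 by
    # a contractor, and git over tcp/22 by an engineer.
    for f in (Flow("10.0.0.22", "192.0.2.10", 443, "tcp", "p2p-file-sharing", "file-sharing"),
              Flow("10.0.0.21", "192.0.2.30", 22, "tcp", "git", "software")):
        print(f.app, compare(f))
```

The first constructed flow is allowed by the port rule but denied by the NGFW, while the second is denied by the port rule but allowed by the NGFW, which is the visibility gap Table 1 describes.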

Figure 12. Notional network with managed security (MSSP).


Interoperable with Third-Party Management. Enterprise-class appliances deliver the comprehensive security solution Managed Security Service Providers (MSSPs) require. They allow you to utilize the full suite of ASIC-accelerated security modules for customizable value-added features for specific customers. NGFW appliances include the ability to create multi-tenant virtual security networks, supporting up to 5,000 separate Virtual Domains (VDOMs) in a single device. The full suite of integrated management applications—including granular reporting features—offers unprecedented visibility into the security posture of customers while identifying their highest risks (Figure 12).

VPN. Virtual Private Network (VPN) technology allows organizations to establish secure communications and data privacy between multiple networks and hosts using IPsec and secure sockets layer (SSL) VPN protocols. Both VPN services leverage custom ASIC network processors to accelerate encryption and decryption of network traffic. Once the traffic has been decrypted, multiple threat inspections—including antivirus, intrusion prevention, application control, email filtering and web filtering—can be applied and enforced for all content traversing the VPN tunnel.

Figure 13. Application awareness: The NGFW application monitoring feature.

Application Awareness. While establishing port and protocol are important first steps in identifying traffic, positive identification of application traffic is an important capability added by NGFW, requiring a multi-factor approach independent of port, protocol, encryption, or evasive measures (Figure 13). Application awareness includes protocol detection and decryption, protocol decoding, signature identification, and heuristics (behavioral analyses) [6].


NGFW Functions

Two important functions of NGFW are to detect threats and to prevent them from exploiting system or network vulnerabilities. The best way to detect threats is to deploy an Intrusion Detection System (IDS) as part of the network architecture. In order to prevent identified threats from exploiting existing vulnerabilities, an Intrusion Prevention System (IPS) should be deployed. The purpose of IPS is to react to detected threats to a network in order to block intrusion by traffic attempting to take advantage of system vulnerabilities, deviations from standard protocols, or attacks generated by trusted sources [4]. NGFW appliances provide integrated capability for IDS and IPS to both detect and prevent intrusion and exploitation of protected networks.

Another function of NGFW is providing Secure Socket Layer (SSL)-Encrypted Traffic Inspection. This type of inspection protects endpoint clients as well as Web and application servers from potentially hidden threats. SSL Inspection intercepts and inspects encrypted traffic for threats before routing it to its destination, and can be applied to client-oriented traffic, such as users connected through a cloud-based site, or to Web and application server traffic. Using SSL inspection allows policy enforcement on encrypted Web content to prevent potential intrusion from malicious traffic hidden in SSL content. Like other forms of inspection, however, the tradeoff to enabling SSL inspection is a decrease in throughput speed.

Extended NGFW Capabilities

Beyond the capabilities defined by Gartner for NGFW, adding capabilities focused on advanced and emerging threats is clearly needed. Particularly within enterprise network security infrastructure, there is a need to protect against new and evolving classes of highly targeted and tailored attacks designed to bypass common defenses. Because of these advanced and evolving threats, additional defenses—referred to by Fortinet as Advanced Threat Protection (ATP)—include anti-virus/malware, anti-botnet, web filtering, code emulation, and sandboxing. The integration of these additional capabilities appears in Figure 14.


Figure 14. Extending NGFW with Advanced Threat Protection (ATP).

When integrated with NGFW, capabilities of ATP enhance security by providing additional protections against evolving threats, including:

• Dual-level sandboxing, allowing code activity examination in simulated and virtual environments to detect previously unidentified threats.
• Detailed reporting on system, process, file, and network behavior, including risk assessments.
• Secure Web Gateway through adding web filtering, botnet, and call back detection, preventing communications with malicious sites and IPs.
• Option to share identified threat information and receive updated in-line protections.
• Option to integrate with other systems to simplify network security deployment.


With the continued shift toward mobile and BYOD practices, integrated user authentication takes on increased importance in visibility and control of applications being employed by network users. With the sophistication of advanced and evolving threats, use of two-factor—or “strong”—authentication has become more prevalent. In addition to the capabilities discussed previously as additive measures to the NGFW, a number of strong authentication factors may also be enabled:

• Hardware, software, email, and SMS tokens
• Integration with LDAP, AD, and RADIUS
• End user self-service
• Certificate Authority
• Single sign-on throughout the network

An illustration of authentication functions integrated into NGFW appears in Figure 15.

Figure 15. Authentication functions integrated into NGFW.

While the Application Control feature of the extended NGFW serves to identify network users, monitor applications employed by those users, and block applications representing a risk to the organization, this feature differs from how the Web Filtering function of ATP operates. Unlike Application Control, which focuses on the actual content of the accessed site, Web Filtering focuses on the Internet sites (URLs) based on a categorization of the site, or type of content [4]. This allows the NGFW to block web sites known to host malicious content. An example of how Web Filtering categorizes sites appears in Figure 16.


Figure 16. Web filtering profile control.

Antivirus/malware. Responsible for detecting, removing, and reporting on malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection ensures that malicious threats hidden within legitimate application content are identified and removed from data streams before they can cause damage. Using AV/AM protection at client servers/devices adds an additional layer of security.


Web filtering. Function that allows or blocks Web traffic based on type of content, commonly defined by categories. Web filtering protects endpoints, networks and sensitive information against Web-based threats by preventing users from accessing known phishing sites and sources of malware.

Figure 19. Web filtering capability.

Code emulation. Allows testing of unknown or potentially malicious traffic in a virtual environment by emulating the actual environment to which the traffic was addressed.

Sandboxing. Isolating unknown or potentially malicious code to fully execute all of its functions before allowing the traffic to download into the network. Sandboxing has a unique capability to detect zero-day exploits that other security solutions cannot identify. If malicious activity is discovered, Advanced Threat Protection (ATP) can block it.

Sandboxes and APT

You might be wondering whether this is Back to the Future. After all, sandbox technology is old, having long been a standard safety isolation used to analyze code. So why would sandboxes be important when examining the implications of Advanced Persistent Threats (APT)?


    Sandboxes were initially developed for executable files. Now they also run application data that may contain malicious code, such as Adobe Reader documents or JavaScript, so that the sandbox identifies the malicious code before it can infect your operating system. Modern sandbox technology can help detect and identify new threats, including old legacy threats in new veneers, by emulating endpoint device environments to analyze how the potential threat behaves. In this way, relatively unknown malware, which is constantly being developed at all levels of complexity, and APTs may be detected, identified, cataloged, and blocked by the NGFW (Figure 20). Integrating NGFW with sandboxing allows the NGFW to inspect traffic first, so that only suspect traffic is forwarded to the sandbox, increasing sandbox performance by reducing unnecessary operations.

    Figure 20. Sandbox deployed with NGFW Solution.

     Advanced Persistent Threats (APT)

    Since the widespread availability of computer technology, and especially since the introduction of affordable personal computing platforms and open availability of computer training, people have used software to target systems and networks in order to damage, steal, or deny access to data. Modern and future challenges, or Advanced Persistent Threats, present a more daunting sophistication of malware, attack vectors, and perseverance by which they mount offensives against their targets. Just as an APT uses multiple attack layers and vectors to improve its chances of success, network security administrators must also design and implement a multi-layered defense to protect against these threats. It is critical to understand that no single network security feature will stop an APT. A simplified three-step approach to how NGFW addresses APTs appears in Figure 21.


    Figure 21. The NGFW three-step approach to APT.

     Advanced Threat Protection (ATP)

    In order to protect against modern and emerging future threats, adaptive defense tools like ATP are

    being incorporated into network security infrastructures at an increasing pace. This level of protection

    provides increased security across all network sizes from SMB to large enterprises. Critical capabilities

    brought to bear by ATP include:

    Access Control. Layer 2/3 firewall, vulnerability management, two-factor authentication.

    Threat Prevention. Intrusion Prevention (IPS), application control, Web filtering, email filtering, antimalware.

    Threat Detection. "Sandboxing," botnet detection, client reputation, network behavior analysis.

    Incident Response. Consolidated logs & reports, professional services, user/device quarantine, threat prevention updates.

    Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.

    The continuous nature of ATP protection is illustrated in Figure 22, below:

    Figure 22. Advanced Threat Protection (ATP) model.


    NGFW Deployment

    Edge vs. Core

    When deploying the NGFW, segmentation is a key consideration (see Module 1, page 8), and NGFW brings a unique combination of hardware- and software-related segmentation capabilities that allow isolation of critical network sections, such as data centers. Deploying NGFW at the network edge accomplishes the goal of providing control while optimizing critical infrastructure protection (Figure 23).

    Figure 23. NGFW deployment to edge network

    NGFW vs. Extended NGFW

    Another consideration that must be made is which NGFW capabilities are needed, or desired, for the network being protected. Whether to deploy extended NGFW capabilities depends on the nature of the functions that will be performed both inside and outside the network. In particular, with the movement toward more cloud-based and web applications, extended NGFW capabilities may be the better fit. As illustrated in Figure 24, Extended NGFW incorporates the capabilities of current NGFW plus enhanced features that make it more capable against modern and emerging threats.


    Figure 24. Current NGFW vs. Extended NGFW capabilities.

    One of the characteristics of most technologies is that added capabilities come with concomitant trade-offs. In the case of NGFW, adding inspection functions such as web filtering or anti-malware presents options that balance capabilities and protection levels against traffic processing speed. The two methods used to inspect traffic are flow-based and proxy-based inspection. In flow-based inspection, the NGFW performs a "string comparison" to examine patterns in the traffic without breaking the connection; only a small portion of the traffic stream is inspected, with the trade-off of faster throughput. In proxy-based inspection, the entire traffic stream is analyzed: the connection is broken and reestablished after analysis, resulting in slower throughput.

    Table 2. Comparison between flow-based and proxy-based inspections

    Type of Inspection: Flow-based versus Proxy-based

    Speed/Performance Resources. Flow-based: faster. Proxy-based: slower.

    Security Analysis Method. Flow-based: comparing traffic to a database of known bad situations. Proxy-based: conducting specific analysis on relevant information.

    TCP Transparency. Flow-based: TCP flow not broken; only packet headers changed if necessary. Proxy-based: TCP connection broken, TCP sequence numbers changed.

    Protocol Awareness. Flow-based: not required. Proxy-based: understands the protocol being analyzed.

    File size limits. Flow-based: only during scanning. Proxy-based: yes, when buffering, based on available NGFW memory.

    Features supported. Flow-based: Antivirus, IPS, Application Control, Web Content Filtering. Proxy-based: Antivirus, DLP, Web Content Filtering, AntiSpam.

    Because Flow Mode does not unpack compressed files or email/FTP attachments, deploying anti-malware in Flow Mode may result in a decreased detection rate.
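The trade-off summarized in Table 2 and the note about compressed files, shown with a deliberately simplified model. This is an added example, not FortiOS code and not a faithful model of any vendor's engine: the signature, the packets and both inspect functions are constructed here. Flow-based inspection is modelled as matching each packet's payload as it passes, with nothing buffered and the TCP stream untouched; proxy-based inspection as terminating the connection, buffering the whole stream, unpacking gzip content and then scanning. Real flow engines keep some state across packets, so the split-pattern case only illustrates the "small portion of the stream" point; the compressed-file case is the one the text states directly.

```python
"""Flow-based vs. proxy-based inspection, modelled in a few lines."""
import gzip

# Constructed "known bad" pattern standing in for an antivirus/IPS signature.
SIGNATURE = b"EICAR-TEST-PATTERN"
GZIP_MAGIC = b"\x1f\x8b"


def flow_inspect(packets, signature=SIGNATURE):
    """Simplified flow-based model: compare each packet's payload against the
    signature as it passes.  Nothing is buffered and the TCP stream is left
    intact, so only the bytes of the current packet are visible."""
    return any(signature in payload for payload in packets)


def proxy_inspect(packets, signature=SIGNATURE):
    """Simplified proxy-based model: the NGFW terminates the client connection,
    buffers the complete stream, unpacks compressed content and then scans.
    Far more of the stream is examined, at the cost of memory and latency."""
    stream = b"".join(packets)
    if stream.startswith(GZIP_MAGIC):
        stream = gzip.decompress(stream)
    return signature in stream


def chunk(data, size):
    """Split a byte string into fixed-size 'packets' (constructed traffic)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scenarios():
    """Three constructed downloads, returned as {name: (flow_hit, proxy_hit)}."""
    body = b"benign header " + SIGNATURE + b" benign trailer"
    compressed = gzip.compress(body)
    return {
        # Signature lands entirely inside one packet: both modes catch it.
        "intact": (flow_inspect(chunk(body, 64)), proxy_inspect(chunk(body, 64))),
        # Signature straddles a packet boundary: per-packet matching misses it.
        "split": (flow_inspect(chunk(body, 20)), proxy_inspect(chunk(body, 20))),
        # Same file gzip-compressed: only the buffered, unpacked stream can be
        # scanned, which is the detection gap the study guide warns about.
        "compressed": (flow_inspect(chunk(compressed, 16)),
                       proxy_inspect(chunk(compressed, 16))),
    }


if __name__ == "__main__":
    for name, (flow_hit, proxy_hit) in scenarios().items():
        print(f"{name:10s} flow={flow_hit!s:5s} proxy={proxy_hit}")
```

The "compressed" row is the practical takeaway: if a policy must catch malware inside archives or attachments, the profile for that traffic belongs in proxy mode, and the memory-based file size limit from Table 2 then applies to it.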


    Summary

    The concept of Next Generation Firewalls developed to address evolving threats as technology itself evolved. With the rapid rise of technology integration, portability and BYOD models in business, education, and other environments, combined with the more widespread ability of hackers, from novices to experts, to develop malicious code, a system deriving from the initial premise of NGFW needed to develop for the future.

    Because of these capabilities and the flexibility to proactively address modern and developing threat

    environments across networks of varying sizes, NGFW will be the standard in network firewall

     protection at least through 2020… 


    Key Acronyms

    AAA Authentication, Authorization, and Accounting

    AD Active Directory

    ADC Application Delivery Controller

    ADN Application Delivery Network

    ADOM Administrative Domain

    AM Antimalware

    API Application Programming Interface

    APT Advanced Persistent Threat

    ASIC Application-Specific Integrated Circuit

    ASP Analog Signal Processing

    ATP Advanced Threat Protection

    AV Antivirus

    AV/AM Antivirus/Antimalware

    BYOD Bring Your Own Device

    CPU Central Processing Unit

    DDoS Distributed Denial of Service

    DLP Data Leak Prevention

    DNS Domain Name System

    DoS Denial of Service

    DPI Deep Packet Inspection

    DSL Digital Subscriber Line

    FTP File Transfer Protocol

    FW Firewall

    Gb Gigabyte

    GbE Gigabit Ethernet

    Gbps Gigabits per second

    GSLB Global Server Load Balancing

    GUI Graphical User Interface

    HTML Hypertext Markup Language

    HTTP Hypertext Transfer Protocol

    HTTPS Hypertext Transfer Protocol Secure

    IaaS Infrastructure as a Service

    ICMP Internet Control Message Protocol

    ICSA International Computer Security Association

    ID Identification

    IDC International Data Corporation

    IDS Intrusion Detection System

    IM Instant Messaging

    IMAP Internet Message Access Protocol

    IMAPS Internet Message Access Protocol Secure

    IoT Internet of Things

    IP Internet Protocol

    IPS Intrusion Prevention System

    IPSec Internet Protocol Security

    IPTV Internet Protocol Television

    IT Information Technology

    J2EE Java Platform Enterprise Edition

    LAN Local Area Network

    LDAP Lightweight Directory Access Protocol

    LLB Link Load Balancing

    LOIC Low Orbit Ion Cannon

    MSP Managed Service Provider

    MSSP Managed Security Service Provider

    NGFW Next Generation Firewall


    Glossary

    Anti-botnet. Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other coordinated network attacks.

    APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access to

    a network and stays there undetected for a long period of time. The intention of an APT attack is to steal

    data rather than to cause damage to the network or organization. APT attacks target organizations in

    sectors with high-value information, such as national defense, manufacturing and the financial industry.

    ASIC. Application Specific Integrated Circuits (ASICs) are integrated circuits developed for a particular

    use, as opposed to a general-purpose device. 

    ATP. Advanced Threat Protection relies on multiple types of security technologies, products, and research, each performing a different role but still working seamlessly together, to combat advanced attacks from the network core through to the end user device. The 3-part framework is conceptually simple: prevent, detect, mitigate. However, it covers a broad set of both advanced and traditional tools for network, application and endpoint security, threat detection, and mitigation.

    AV/AM. Anti-virus/Anti-malware provides protection against virus, spyware, and other types of

    malware attacks in web, email, and file transfer traffic. Responsible for detecting, removing, and

    reporting on malicious code. By intercepting and inspecting application-based traffic and content,

    antivirus protection ensures that malicious threats hidden within legitimate application content are

    identified and removed from data streams before they can cause damage. Using AV/AM protection at

    client servers/devices adds an additional layer of security.

    Botnet. A botnet (also known as a zombie army) is a number of Internet computers that, although their

    owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to

    other computers on the Internet. Any such computer is referred to as a zombie - in effect, a computer

    "robot" or "bot" that serves the wishes of some master spam or virus originator.

    BYOD. Bring Your Own Device (BYOD) refers to employees taking their own personal device to work,

    whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a

    Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were

    owned by the employee.

    Code Emulation. A virtual machine is implemented to simulate the CPU and memory management

    systems to mimic the code execution. Thus malicious code is simulated in the virtual machine of the

    scanner, and no actual virus code is executed by the real processor. 

    Cloud Computing. Computing in which large groups of remote servers are networked to allow the

    centralized data storage, and online access to computer services or resources. Clouds can be classified

    as public, private or hybrid.


    Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of functions, including:

    • IP Security (IPSec)
    • Firewall
    • Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
    • Antivirus/Antispyware
    • Web Filtering
    • Antispam
    • Traffic Shaping [7]

    Edge Firewall. Implemented at the edge of a network in order to protect the network against potential

    attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall—

    the gatekeeper. 

    Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to the Internet and identify themselves to other devices. IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself.

    IDS. Intrusion Detection System (IDS) detects threats but does not alert the firewall to take any action

    against identified threats or unknown traffic.

    IPS. Intrusion Prevention System protects networks from threats by blocking attacks that might

    otherwise take advantage of network vulnerabilities and unpatched systems. IPS may include a wide

    range of features that can be used to monitor and block malicious network activity including: predefined

    and custom signatures, protocol decoders, out-of-band mode (or one-arm IPS mode, similar to IDS),

    packet logging, and IPS sensors. IPS can be installed at the edge of your network or within the network

    core to protect critical business applications from both external and internal attacks.

    NGFW. Next Generation Firewall (NGFW) provides multi-layered capabilities in a single firewall appliance instead of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional firewall with advanced features including:

    • Intrusion Prevention (IPS)
    • Deep Packet Inspection (DPI)
    • Network App ID & Control
    • Access Enforcement
    • Distributed Enterprise Capability
    • "Extra Firewall" Intelligence
    • Third Party Management Compatibility
    • VPN
    • Application Awareness

    Sandbox. A sandbox is a security mechanism for separating running programs. It is typically used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users, and untrusted websites, in an area segmented off from the device/network operating system and applications.


    VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires — usually the

    Internet — to connect to a private network, such as a company's internal network. VPNs use

    encryption and other security mechanisms to ensure that only authorized users can access the network

    and that the data cannot be intercepted. 

    Web Filtering. Web Filtering technology gives you the option to explicitly allow web sites, or to pass web

    traffic uninspected both to and from known-good web sites in order to accelerate traffic flows. The most

    advanced web content filtering technology enables a wide variety of actions to inspect, rate, and control

    perimeter web traffic at a granular level. Using web content filtering technology, these appliances can

    classify and filter web traffic using multiple pre-defined and custom categories.



    References

    1. Gartner, Next Generation Firewalls will include Intrusion Prevention. 2004.

    2. Gartner, Magic Quadrant for Enterprise Network Firewalls. 2008.

    3. Gartner, Defining the Next Generation Firewall. 2009.

    4. Tam, K., et al., UTM Security with Fortinet: Mastering FortiOS. 2013, Waltham, MA: Elsevier.

    5. Tittel, E., Unified Threat Management for Dummies. 2012, Hoboken, NJ: John Wiley & Sons.

    6. Miller, L., Next-Generation Firewalls for Dummies. 2011, Indianapolis, IN: Wiley Publishing, Inc.

    7. UAB, M., Fortinet Secure Gateways, Firewalls. 2013.