
Next generation (ng) firewalls


Page 1: Next Generation (NG) Firewalls

• Firewall history

• But what about???

• Complexity creep

• NG firewalls

Page 2: Firewall history

• Routers

• Access control lists (non-stateful)

• Firewalls

• Stateful firewalls appeared in the mid-1990s

• Fairly simple databases (state tables keyed on the connection 5-tuple)

• NAT/PAT complicates things (the state table must also track the translated src & dst ports so return traffic can be matched and un-translated)

• Work at Layers 3 and 4 of the OSI 7-layer model:

3. Network (IP/ICMP)

4. Transport (end-to-end delivery, TCP/UDP; flow control is TCP only)

• From Wikipedia (sorry!):

“Early attempts at producing firewalls operated at the Application Layer, which is the very top of the seven-layer OSI model. This method required exorbitant amounts of computing power and is rarely used in modern implementations.”
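The state table and the NAT/PAT complication above, as an added example (not code from the original slides): a toy stateful firewall with port address translation. Each outbound flow creates an entry keyed on its full 5-tuple and on the translated public source port; only inbound packets that match an entry are let back in. A stateless "established" ACL is included beside it to show what the state table buys you. The addresses, port pool and packets are constructed for illustration.

```python
# Added example, not from the original slides: a toy stateful firewall with
# PAT (port address translation). It shows the state table the slide refers
# to and why NAT/PAT makes it grow: each outbound flow is keyed on the full
# 5-tuple and also on the translated public source port, so that return
# traffic can be matched and un-translated. Addresses, ports and the
# packets used below are constructed for illustration.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP flags; ignored for UDP
    ack: bool = False


class StatefulPatFirewall:
    """One public address shared by all inside hosts (PAT)."""

    def __init__(self, public_ip: str, port_pool: Tuple[int, int] = (40000, 40009)):
        self.public_ip = public_ip
        self.pool_lo, self.pool_hi = port_pool
        self.next_port = self.pool_lo
        # forward state: (proto, inside src, inside sport, dst, dport) -> public port
        self.state: Dict[tuple, int] = {}
        # reverse state: (proto, public port, dst, dport) -> (inside src, inside sport)
        self.reverse: Dict[tuple, Tuple[str, int]] = {}

    def _allocate_port(self) -> Optional[int]:
        """Hand out the next translated port, or None when the pool is exhausted."""
        if self.next_port > self.pool_hi:
            return None
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Returns the translated packet, or None if dropped."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.state:
            # A new TCP flow must open with a bare SYN; UDP has no handshake.
            if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
                return None
            port = self._allocate_port()
            if port is None:
                return None                       # port pool exhausted
            self.state[key] = port
            self.reverse[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.state[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Only packets matching an existing entry get in."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.reverse.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None                           # unsolicited: dropped
        in_src, in_sport = entry
        return replace(pkt, dst=in_src, dport=in_sport)


def stateless_established_acl(pkt: Packet) -> bool:
    """The non-stateful ACL trick: permit inbound TCP only when ACK is set.
    It keeps no memory, so a forged ACK aimed at any port is accepted."""
    return pkt.proto == "tcp" and pkt.ack
```

Two inside hosts that happen to pick the same source port get distinct public ports, which is exactly why the reverse lookup has to carry the translated port and the destination pair, not just the inside address.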

Page 3: But what about???

• AKA functionality creep

• Intrusion Detection/Prevention Systems

• Virtual Private Networks (S2S site-to-site, C2S client-to-site)

• Application control

• Web Proxy

• Anti-virus/malware

• Identity awareness

Page 4: Complexity creep

• All separate devices – creates problems…

• Network throughput

• Resilience

• Cost (capital and revenue, i.e. running costs)

• Complexity

• Troubleshooting

• Down-time

Page 5: NG Firewalls

• Massively powerful switch/routers

• Massively powerful analysis engines

• Architected to analyse multiples of 10 Gigabit/s of traffic in real time

• The type of access-list is entirely different

• Instead of:

• [IP Address A] can access [IP Address B] on [Port Y]

• We can write:

• [Users] in the [Finance Group] can access [Finance systems] during [08.00 until 18.00]

• [All Students] on [IT Suite PCs] can only access [Social networking sites] between [17.00 and 09.00]

• [Anyone] using [bittorrent] can only [upload] at [50kbps]

• [Anyone] using [www] (if not previously known) must [authenticate]
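The four rules on this slide, as an added example (not code from the original slides): a toy first-match policy engine whose rules are written against group, device, application, direction, identity state and time of day instead of addresses and ports. The group, zone and application labels come from the slide; the rule order, the default-deny, the extra "known user using www is allowed" rule and the session records are assumptions made for this illustration.

```python
# Added example, not from the original slides: a toy policy engine for the
# NG-style rules on this slide. Rules match on group, device, application,
# direction, identity state and time of day rather than addresses and ports.
# The group, zone and application labels are the slide's; the rule order,
# the default-deny, the "known user using www -> allow" rule and the
# session records are assumptions made for this illustration.
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """What the firewall knows about a flow after identity lookup and app-ID."""
    user: Optional[str]           # None = identity not (yet) known
    groups: FrozenSet[str]
    device_group: Optional[str]
    app: str                      # result of application identification
    dst_zone: Optional[str]       # logical destination group
    direction: str                # "upload" or "download"
    now: time


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # allow / deny / rate-limit / authenticate
    group: Optional[str] = None                  # None = anyone
    device_group: Optional[str] = None
    app: Optional[str] = None
    dst_zone: Optional[str] = None
    direction: Optional[str] = None
    known_user: Optional[bool] = None            # None = don't care
    window: Optional[Tuple[time, time]] = None   # (start, end); may cross midnight
    param: Optional[int] = None                  # e.g. kbps for rate-limit


def in_window(now: time, window: Optional[Tuple[time, time]]) -> bool:
    """Time-of-day match; a window whose end is before its start wraps midnight."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def matches(rule: Rule, s: Session) -> bool:
    return (
        (rule.group is None or rule.group in s.groups)
        and (rule.device_group is None or rule.device_group == s.device_group)
        and (rule.app is None or rule.app == s.app)
        and (rule.dst_zone is None or rule.dst_zone == s.dst_zone)
        and (rule.direction is None or rule.direction == s.direction)
        and (rule.known_user is None or rule.known_user == (s.user is not None))
        and in_window(s.now, rule.window)
    )


# The slide's four rules; "only between" needs an allow-in-window plus a deny.
POLICY = [
    Rule("finance-hours", "allow", group="Finance Group", dst_zone="Finance systems",
         window=(time(8, 0), time(18, 0))),
    Rule("students-social-evening", "allow", group="All Students",
         device_group="IT Suite PCs", dst_zone="Social networking sites",
         window=(time(17, 0), time(9, 0))),
    Rule("students-social-daytime", "deny", group="All Students",
         device_group="IT Suite PCs", dst_zone="Social networking sites"),
    Rule("bittorrent-upload-cap", "rate-limit", app="bittorrent",
         direction="upload", param=50),
    Rule("www-unknown-user", "authenticate", app="www", known_user=False),
    Rule("www-known-user", "allow", app="www", known_user=True),   # assumed rule
]


def evaluate(s: Session, policy=POLICY) -> Tuple[str, str, Optional[int]]:
    """First-match evaluation; anything unmatched is denied (assumed default)."""
    for rule in policy:
        if matches(rule, s):
            return rule.name, rule.action, rule.param
    return "default", "deny", None


def session(user: Optional[str], groups: Iterable[str], device_group: Optional[str],
            app: str, dst_zone: Optional[str], direction: str,
            hour: int, minute: int = 0) -> Session:
    """Convenience constructor for hand-built (constructed) sessions."""
    return Session(user, frozenset(groups), device_group, app, dst_zone,
                   direction, time(hour, minute))
```

Rule order matters as much as it does in a classic ACL: a student on an IT Suite PC hitting a social networking site at noon is denied by the daytime rule before the later "known user using www" allow is ever consulted, and the 17.00 to 09.00 window only works because the matcher handles windows that cross midnight.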