simon-bennett
Next Generation (NG) Firewalls
• Firewall history
• But what about???
• Complexity creep
• NG firewalls
Firewall history
• Routers
• Access control lists (non-stateful)
• Firewalls
• Stateful firewalls appeared mid 90s
• Fairly simple databases (state tables)
• NAT/PAT complicates things (state tables + src & dst ports)
• Work at Layer 4 in the OSI 7 layer model
3. Network (IP/ICMP)
4. Transport (host-to-host flow control TCP/UDP)
• From wikipedia (sorry!):
“Early attempts at producing firewalls operated at the Application Layer, which is the very top of the seven-layer OSI model. This method required exorbitant amounts of computing power and is rarely used in modern implementations.”
But what about???
• AKA functionality creep
• Intrusion Detection/Prevention Systems
• Virtual Private Networks (S2S, C2S)
• Application control
• Web Proxy
• Anti-virus/malware
• Identity awareness
Complexity creep
• All separate devices – creates problems…
• Network throughput
• Resilience
• Cost (Capital and Revenue)
• Complexity
• Troubleshooting
• Down-time
NG Firewalls
• Massively powerful switch/routers
• Massively powerful analysis engines
• Architected to analyse multiples of 10 Gigabits of traffic in real-time
• The type of access-list is entirely different
• Instead of:
• [IP Address A] can access [IP Address B] on [Port Y]
• We can write:
• [Users] in the [Finance Group] can access [Finance systems] during [08.00 until 18.00]
• [All Students] on [IT Suite PCs] can only access [Social networking sites] between [17.00 and 09.00]
• [Anyone] using [bittorrent] can only [upload] at [50kbps]
• [Anyone] using [www] (if not previously known) must [authenticate]
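As an added example (not from the slides), a small Python policy evaluator that encodes the four rules above as identity-, application- and time-aware matches instead of address/port tuples; the group, device and application names are assumptions, and the wrap-past-midnight window (17.00 until 09.00) is handled explicitly.

```python
from dataclasses import dataclass

@dataclass
class Flow:                      # a connection as an NG firewall sees it: identity, app, time
    groups: frozenset            # groups the (already identified) user belongs to
    device: str
    app: str                     # application as classified by the firewall, not a port
    hour: int                    # local hour of day, 0-23
    direction: str = "download"  # "upload" or "download"
    authenticated: bool = True   # False = user not yet known to the firewall

@dataclass
class Rule:
    name: str
    action: str                       # "allow", "deny", "authenticate" or "limit:<kbps>"
    groups: frozenset = frozenset()   # empty = match anyone; same for the next three
    devices: frozenset = frozenset()
    apps: frozenset = frozenset()
    directions: frozenset = frozenset()
    window: tuple = None              # (start_hour, end_hour); may wrap midnight
    unknown_only: bool = False        # match only users not yet authenticated

def in_window(hour, window):          # None = any time; start > end wraps midnight
    if window is None:
        return True
    start, end = window
    return start <= hour < end if start <= end else (hour >= start or hour < end)

def matches(rule, flow):
    return ((not rule.groups or bool(rule.groups & flow.groups))
            and (not rule.devices or flow.device in rule.devices)
            and (not rule.apps or flow.app in rule.apps)
            and (not rule.directions or flow.direction in rule.directions)
            and (not rule.unknown_only or not flow.authenticated)
            and in_window(flow.hour, rule.window))

POLICY = [  # constructed policy mirroring the slide's four examples; first match wins
    Rule("finance-hours", "allow", groups={"finance"}, apps={"finance-systems"}, window=(8, 18)),
    Rule("students-social", "allow", groups={"students"}, devices={"it-suite-pc"},
         apps={"social"}, window=(17, 9)),
    Rule("bittorrent-cap", "limit:50kbps", apps={"bittorrent"}, directions={"upload"}),
    Rule("www-unknown", "authenticate", apps={"www"}, unknown_only=True),
    Rule("www-known", "allow", apps={"www"}),
]

def decide(flow, policy=POLICY):    # returns (rule name, action); unmatched flows are denied
    for rule in policy:
        if matches(rule, flow):
            return rule.name, rule.action
    return "default", "deny"
```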