Transcript

Using NGFW In All Network Sizes

By Keivan Beigi, March 2014

NGFW (Next Generation Firewall)

The term Next Generation Firewall was coined by Gartner.

Gartner argues that the NGFW is the evolution of the enterprise firewall market, while UTM is aimed at the SMB/branch market. Some UTM vendors disagree and state that their gear is capable of serving enterprises.

An NGFW…

combines the capabilities of first-generation firewalls and IPS.

is a single-pass engine that integrates security services (such as IPS, antivirus, anti-spam, anti-spyware, etc.) rather than merely collocating them in a single appliance as a UTM does.

provides application control regardless of port and protocol.

provides user control.
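Added illustration (not part of the original presentation) of application control regardless of port: a port-based verdict is compared with a payload-based one on constructed flows. The byte patterns used for HTTP, TLS and SSH are assumptions drawn from the first bytes those protocols send, not an NGFW vendor's signatures.

```python
# Constructed sample flows: (TCP destination port, first bytes the client sends).
# Ports are deliberately mismatched with the protocols so the two views differ.
SAMPLES = [
    (80,   b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),  # HTTP where expected
    (8080, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),      # TLS ClientHello on 8080
    (443,  b"SSH-2.0-OpenSSH_9.6\r\n"),                            # SSH carried on port 443
    (53,   b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"),  # HTTP on the DNS port
]

# What a port-based (stateful) rule base believes a port carries.
PORT_MAP = {80: "http", 443: "ssl", 22: "ssh", 53: "dns"}
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


def classify_by_port(port):
    """Stateful-firewall view: the application is whatever the port number implies."""
    return PORT_MAP.get(port, "unknown")


def classify_by_payload(payload):
    """NGFW view: identify the application from the first bytes, independent of port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record: type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    method = payload.split(b" ", 1)[0]
    if method in HTTP_METHODS and b" HTTP/1." in payload:
        return "http"
    return "unknown"


def decide(port, payload, allowed_apps):
    """Return both verdicts for one flow under a policy that allows only `allowed_apps`."""
    port_app = classify_by_port(port)
    real_app = classify_by_payload(payload)
    return {
        "port_view": port_app,
        "app_view": real_app,
        "stateful_allows": port_app in allowed_apps,   # decided by port only
        "ngfw_allows": real_app in allowed_apps,       # decided by identified application
    }


if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, decide(port, payload, {"http", "ssl"}))
```

With a "web only" policy the port-based view lets SSH through on 443 and blocks legitimate TLS on 8080, while the application-aware view gets both right.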

UTM and NGFW face to face

NGFW infrastructure:

If the L7 application filter is removed from an NGFW, what remains is a UTM.

If anti-virus, anti-spyware, anti-spam, URL filtering and IPS are removed from a UTM, what remains is a stateful firewall.

If the firewall feature is removed from a stateful firewall, what remains is a Layer-3 switch.

Diagram (NGFW infrastructure, layered top to bottom): L7 Application Control; UTM; Stateful Firewall; L3 Switch. The whole stack is labelled NGFW.

Some examples of using an NGFW in networks of all sizes:

Very Small Networks

Small Networks

Small/Medium Networks

Enterprise Networks

1) A Very Small Network (with NATed Traffic)

• In this example the ISP provides internet access through a radio configured in NAT mode with a PPPoE connection.

• An NGFW placed inline acts as a switch.

• In addition to switching, the NGFW provides other security services such as IPS, Anti-virus, Anti-Spyware, Anti-Spam and URL Filtering.

• Outgoing traffic from the firewall is then sent to a LAN device such as an access point.

Diagram (A Very Small Network): ISP -> NAT Radio -> NG-Firewall acting as a switch -> Access Point -> 192.168.11.0/24. Labels: Layer-2 mode; 81.91.100.1/30; Layer-2 mode, PPPoE Enabled, DHCP Server Enabled; 192.168.11.254; IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering, switching.

2) A Very Small Network

• Another example is when the ISP provides internet access through a radio configured in bridge mode.

• The PPPoE connection is defined on the NGFW.

• The NGFW acts as a modem.

• The NGFW is NAT enabled (Dynamic SNAT, Many:1).

• In addition to switching, the NGFW provides other security services such as IPS, Anti-virus, Anti-Spyware, Anti-Spam and URL Filtering.

Diagram (A Very Small Network): ISP -> Bridge Radio (Layer-2 mode with PPPoE) -> NG-Firewall acting as modem (gateway), Layer-3 mode, 81.91.100.285 -> LAN / Access Point, 192.168.11.254, 192.168.11.0/24. NG-Firewall labels: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; PPPoE Enabled, DHCP Client Enabled, DHCP Server Enabled; NAT Enabled (Dynamic-SNAT-Many:1), VPN Enabled; Proxy Enabled, SSL Decryption Enabled.

3) A Small Network

• The internal network includes two or more segments with different IP address ranges.

• The PPPoE connection is defined on the NGFW.

• The NGFW acts as modem and router.

• The NGFW is NAT enabled (Dynamic SNAT, Many:1 or Many:Many).

• Other security services apply as in the previous examples.

Diagram (A Small Network): ISP -> Bridge Radio (Layer-2 mode with PPPoE) -> NG-Firewall, 81.91.100.285 -> two LANs, each with an Access Point: 192.168.11.254 (Layer-3 mode) / 192.168.11.0/24 and 192.168.12.254 (Layer-3 mode) / 192.168.12.0/24. NG-Firewall labels: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; PPPoE Enabled, DHCP Client Enabled, DHCP Server Enabled; NAT Enabled (Dynamic-SNAT-Many:1), VPN Enabled; Proxy Enabled, SSL Decryption Enabled.

4) A Small/Medium Network

• The NGFW is NAT and PPPoE enabled.

• The NGFW provides VLANs for the zones and networks so that they are easier to manage.

• For each Ethernet port configured as a Layer 2 interface, users can define a VLAN interface (logical interface) to allow routing of the VLAN traffic to Layer 3 destinations outside the VLAN.

• To configure connectivity on the NG-Firewall between the VLAN and other networks, a VLAN interface must be created. This is not a physical interface; it is a construct used to add a Layer 3-type interface to a Layer 2 VLAN.

• Other security services apply as in the previous examples.

Diagram (A Small/Medium Network): ISP -> Bridge Radio (Layer-2 mode with PPPoE) -> NG-Firewall -> LAN / Access Point, 192.168.11.254 (Layer-3 mode), 192.168.11.0/24; a second port in Layer-2 mode carries VLAN-12 to an Access Point, with VLAN interface VLAN-int-2, 192.168.12.254. NG-Firewall labels: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; PPPoE Enabled; DHCP Client Enabled, DHCP Server Enabled; NAT Enabled (Dynamic-SNAT-Many:1), VPN Enabled; Proxy Enabled, SSL Decryption Enabled.

5) A Small/Medium Network with DMZ

• The NGFW is NAT and PPPoE enabled.

• The NGFW provides VLANs for the zones and networks so that they are easier to manage.

• The internal network includes two or more zones, and a zone named DMZ is treated as the SF (Server Farm) zone. This zone is accessible from the external zone (internet), but that access is limited by policies.

• In this example the NGFW uses several interface modes, such as Layer-2, Layer-3 and VLAN interface. The NGFW might also be PPPoE enabled.

• Other security services apply as in the previous examples.

Diagram (A Small/Medium Network with DMZ): ISP -> Bridge Radio (Layer-2 mode with PPPoE) -> NG-Firewall -> LAN / Access Point, 192.168.11.254 (Layer-3 mode), 192.168.11.0/24; a Layer-2 mode port carries VLAN-12 to an Access Point, with VLAN interface VLAN-int-2, 192.168.12.254; a Layer-3 mode interface 192.168.17.1 serves the DMZ, 192.168.17.0/24. NG-Firewall labels: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; PPPoE Enabled; DHCP Client Enabled, DHCP Server Enabled; NAT Enabled (Dynamic-SNAT-Many:1), VPN Enabled; Proxy Enabled, SSL Decryption Enabled.

6) A Small/Medium Network with a NGFW in TAP mode

• A switch might be placed inline to switch the traffic between zones.

• A mirror link (10 Gbps in this example) is implemented to send a copy of selected traffic from the switch to the NGFW. The switch port connected to the NGFW must be in SPAN mode and the corresponding port on the NGFW must be in TAP mode.

(This mode is used when a switch is placed between the internet and the internal network and a SPAN port on the switch sends a copy of each packet to the firewall. The firewall is then aware of all traffic transmitted through the Layer 2 switch. In this state, none of the received traffic is ever sent out of the firewall: it ingests the mirrored packets via one of its interfaces while staying out of path, so it can inspect and log that traffic but cannot enforce on it inline.)

• The NGFW provides NAT, VLANs, the PPPoE connection and other security services.

• The internal network includes two or more zones, and a zone named DMZ is treated as the SF (Server Farm) zone. This zone is accessible from the external zone (internet), but that access is limited by policies.

• In this example the NGFW uses several interface modes, such as Layer-2, Layer-3 and VLAN interface. The NGFW might also be PPPoE enabled.

Diagram (A Small/Medium Network with a NGFW in TAP mode): ISP -> NAT Radio -> Switch L3, with a trunk to the LANs and a SPAN port feeding a 10 Gbps link to the NG-Firewall in Tap Mode ("Out-of-path traffic inspection and analysis"). Networks: LAN / Access Point 192.168.11.254, 192.168.11.0/24; VLAN-12 (Layer-2 mode) / Access Point; DMZ 192.168.17.0/24 via 192.168.17.1 (Layer-3 mode); 192.168.18.1 (Layer-3 mode). NG-Firewall labels: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; PPPoE Enabled; DHCP Client Enabled; DHCP Server Enabled; NAT Enabled (Dynamic-SNAT-Many:1); VPN Enabled; Proxy Enabled; SSL Decryption Enabled.

7) A Small/Medium Network with too many zones

• The network includes too many zones to manage with the previous methods.

• Two links are therefore used between the switch and the firewall: one allows the internal VLAN tags (11 to 17) and the other allows the internet VLAN tags (18 to 20).

• For this reason, VLAN interfaces are defined on the NGFW to route their traffic (inter-VLAN routing). With these VLAN interfaces, the NG-Firewall no longer needs a router with sub-interfaces to route or switch packets between the different VLANs.

• VLAN interfaces are created virtually inside the NG-Firewall and routing is done by the NG-Firewall routing engine, which is more efficient than using separate routers.

Diagram (A Small/Medium Network with too many zones): ISP -> NAT Radio -> Firewall, 192.168.18.1 (Layer-3 mode), Allowed VLAN 18 (VLAN-18). Firewall <-> Switch L3 link with Allowed VLANs 11,12,13,14,15,17. VLAN Interfaces on the firewall: 192.168.11.1, 192.168.12.1, 192.168.13.1, 192.168.14.1, 192.168.15.1, 192.168.17.1 (Layer-3 mode). Zones: Support, Sales, Technical, Financial and Management on VLAN-11 to VLAN-15 (192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, 192.168.14.0/24, 192.168.15.0/24); DMZ on VLAN-17, 192.168.17.0/24. Firewall labels: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; DHCP Server Enabled; VPN Enabled; Proxy Enabled; SSL Decryption Enabled; Layer-3 Subinterface Defined; Routing Enabled.

8) A Small/Medium Network with MultiWAN connections

• The network includes many zones and three internet connections from three different ISPs (MultiWAN).

• MultiWAN is designed to provide redundancy and load balancing of WAN traffic and to reduce downtime of the internet connection.

• Two links are used between the switch and the firewall: one allows the internal VLAN tags (11 to 17) and the other allows the internet VLAN tags (18 to 20). In this case, every internet connection is placed in a separate zone.

• For this reason, VLAN interfaces are defined on the NGFW to route the internal and internet VLAN traffic.

Diagram (A Small/Medium Network with MultiWAN connections): ISP1, ISP2 and ISP3, each via a NAT Radio, reach the Firewall on VLAN-18, VLAN-19 and VLAN-20 through a link with Allowed VLANs 18,19 & 20; VLAN Interfaces 192.168.18.1, 192.168.19.1, 192.168.20.1 (Layer-3 mode). Firewall <-> Switch link with Allowed VLANs 11,12,13,14,15,17; VLAN Interfaces 192.168.11.1, 192.168.12.1, 192.168.13.1, 192.168.14.1, 192.168.15.1, 192.168.17.1. Zones: Support, Sales, Technical, Financial and Management on VLAN-11 to VLAN-15 (192.168.11.0/24 to 192.168.15.0/24); DMZ on VLAN-17, 192.168.17.0/24. Firewall labels: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; DHCP Server Enabled; VPN Enabled; Proxy Enabled; SSL Decryption Enabled; VLAN Interface Defined; Routing Enabled.
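Added example, not from the presentation: a Python model of scenario 8 (and the trunked variant in 9) in which the NGFW reads the 802.1Q tag on one of the two trunks, applies that trunk's allowed-VLAN list, maps the ingress VLAN to a zone, and then evaluates a default-deny zone policy that exposes only the DMZ to the internet zones. The department-to-VLAN mapping, the policy rules and the sample frames are constructed assumptions.

```python
import ipaddress
import struct
# Constructed zone table for scenario 8: 802.1Q VLAN id -> (zone, subnet); the
# assignment of department names to VLAN ids is an assumption, not from the slides.
VLANS = {11: ("Support", "192.168.11.0/24"), 12: ("Sales", "192.168.12.0/24"),
         13: ("Technical", "192.168.13.0/24"), 14: ("Financial", "192.168.14.0/24"),
         15: ("Management", "192.168.15.0/24"), 17: ("DMZ", "192.168.17.0/24"),
         18: ("ISP1", "192.168.18.0/24"), 19: ("ISP2", "192.168.19.0/24"),
         20: ("ISP3", "192.168.20.0/24")}
INTERNET = {"ISP1", "ISP2", "ISP3"}
INTERNAL = {"Support", "Sales", "Technical", "Financial", "Management"}
# The two trunks between switch and NGFW and the VLAN tags each may carry.
TRUNKS = {"internal": {11, 12, 13, 14, 15, 17}, "internet": {18, 19, 20}}
# Zone policy (sources, destinations, dst ports or None = any); unmatched flows are denied.
POLICY = [
    (INTERNAL, INTERNET, None),          # users may reach any internet zone
    (INTERNET, {"DMZ"}, {80, 443}),      # internet reaches the server farm on web ports only
    ({"Management"}, {"DMZ"}, {22}),     # only Management administers the DMZ
]

def tagged_frame(vid):
    # Constructed 802.1Q header: dst MAC, src MAC, TPID 0x8100, TCI (VID), EtherType IPv4.
    return b"\xff" * 6 + b"\x02" * 6 + b"\x81\x00" + struct.pack("!H", vid) + b"\x08\x00"

def vlan_id(frame):
    """Return the 12-bit VID of a tagged frame, or None if the frame is untagged."""
    if len(frame) < 18 or frame[12:14] != b"\x81\x00":
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def zone_of_ip(ip):
    """Destination zone: a known subnet, otherwise the default route towards ISP1."""
    addr = ipaddress.ip_address(ip)
    for zone, subnet in VLANS.values():
        if addr in ipaddress.ip_network(subnet):
            return zone
    return "ISP1"

def evaluate(trunk, frame, dst_ip, dst_port):
    """Decide a flow as the NGFW would: trunk check, ingress VLAN -> zone, zone policy."""
    vid = vlan_id(frame)
    if vid is None or vid not in TRUNKS[trunk]:
        return "drop (untagged or VLAN not allowed on %s trunk)" % trunk
    src_zone, dst_zone = VLANS[vid][0], zone_of_ip(dst_ip)
    for sources, destinations, ports in POLICY:
        if src_zone in sources and dst_zone in destinations \
                and (ports is None or dst_port in ports):
            return "allow %s->%s" % (src_zone, dst_zone)
    return "deny %s->%s" % (src_zone, dst_zone)
```

A frame tagged with an internal VLAN arriving on the internet trunk is dropped before any policy runs, which is the separation the two allowed-VLAN lists provide.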

9) A Small/Medium Network with MultiWAN connections

• The NGFW is placed instead of the core switch and acts as the edge Layer-3 network device.

• Alternatively, the switch behind the NGFW can be replaced with a router that routes this traffic to the NGFW using a routing protocol such as RIP or OSPF.

• The network includes many zones and three internet connections from three different ISPs (MultiWAN).

• Two trunk links are therefore used between the switch and the NGFW.

• For this reason, VLAN interfaces must be defined on the NGFW to route the internal and internet VLAN traffic.

Diagram (A Small/Medium Network with MultiWAN connections, NGFW as core): ISP1, ISP2 and ISP3, each via a NAT Radio, reach the Firewall on VLAN-18, VLAN-19 and VLAN-20; VLAN Interfaces 192.168.18.1, 192.168.19.1, 192.168.20.1 (Layer-3 mode). Firewall <-> Switch over a Trunk; VLAN Interfaces 192.168.11.1, 192.168.12.1, 192.168.13.1, 192.168.14.1, 192.168.15.1, 192.168.17.1. Zones: Support, Sales, Technical, Financial and Management on VLAN-11 to VLAN-15 (192.168.11.0/24 to 192.168.15.0/24); DMZ on VLAN-17, 192.168.17.0/24. Firewall labels: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; DHCP Server Enabled; VPN Enabled; Proxy Enabled; SSL Decryption Enabled; Layer-3 Subinterface Defined; Routing Enabled.

Diagram (variant of 9, with an Edge Router and OSPF): ISP1, ISP2 and ISP3, each via a NAT Radio, reach the Firewall on VLAN-18, VLAN-19 and VLAN-20; VLAN Interfaces 192.168.18.1, 192.168.19.1, 192.168.20.1 (Layer-3 mode). Firewall <-> Edge Router running OSPF; Edge Router <-> Switch over a Trunk. VLAN Interfaces 192.168.11.1, 192.168.12.1, 192.168.13.1, 192.168.14.1, 192.168.15.1, 192.168.17.1. Zones: Support, Sales, Technical, Financial and Management on VLAN-11 to VLAN-15 (192.168.11.0/24 to 192.168.15.0/24); DMZ on VLAN-17, 192.168.17.0/24. Firewall labels: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; DHCP Server Enabled; VPN Enabled; Proxy Enabled; SSL Decryption Enabled; Layer-3 Subinterface Defined; Routing Enabled.

The End.