NGFW -Next Generation Firewall-
The term Next Generation Firewall was coined by Gartner.
Gartner argues that the NGFW is the evolution of the enterprise firewall market, while UTM is aimed at the SMB/branch market. Some UTM vendors disagree and state that their gear is capable of serving enterprises.
An NGFW…
combines the capabilities of first-generation firewalls and IPS.
is a single-pass engine that integrates security services (such as IPS, anti-virus, anti-spam, anti-spyware, etc.) rather than merely collocating them in a single appliance, as a UTM does.
provides application control regardless of port and protocol.
provides user control.
NGFW infrastructure:
If the L7 application filter is removed from an NGFW, what remains is a UTM.
If the anti-virus, anti-spyware, anti-spam, URL filter and IPS features are removed from a UTM, what remains is a stateful firewall.
If the firewall feature is removed from a stateful firewall, what remains is a Layer-3 switch.
[Diagram: the NGFW as nested layers, from the inside out: L3 Switch, Stateful Firewall, UTM, L7 Application Control; the whole stack is the NGFW]
Some examples of using an NGFW in networks of all sizes:
Very Small Networks
Small Networks
Small/Medium Networks
Enterprise Networks
• In this example an ISP provides internet access using a radio configured in NAT mode and a PPPoE connection.
• An NGFW placed inline acts as a switch.
• In addition to switching, the NGFW provides other security services such as IPS, Anti-virus, Anti-Spyware, Anti-Spam and URL Filtering.
• Outgoing traffic from the firewall is then sent to a LAN device such as an access point.
1) A Very Small Network (with NATed Traffic)
[Diagram: A Very Small Network; the NG-Firewall acts as a switch. Labels: ISP; NAT Radio, Layer-2 mode, 81.91.100.1/30; NG-Firewall in Layer-2 mode, PPPoE Enabled, DHCP Server Enabled, 192.168.11.254, services IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering, switching; Access Point, 192.168.11.0/24]
• Another example is when an ISP provides internet access using a radio configured in bridge mode.
• The PPPoE connection is defined on the NGFW.
• The NGFW acts as the modem.
• NAT is enabled on the NGFW (Dynamic SNAT, Many:1).
• In addition to switching, the NGFW provides other security services such as IPS, Anti-virus, Anti-Spyware, Anti-Spam and URL Filtering.
2) A Very Small Network
[Diagram: A Very Small Network; the NG-Firewall acts as modem (gateway). Labels: ISP; Bridge Radio, Layer-2 mode with PPPoE; 81.91.100.285, Layer-3 mode; NG-Firewall: PPPoE Enabled, DHCP Client Enabled, DHCP Server Enabled, NAT Enabled (Dynamic-SNAT-Many:1), VPN Enabled, Proxy Enabled, SSL Decryption Enabled, IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; LAN 192.168.11.254; Access Point, 192.168.11.0/24]
• The internal network includes two or more segments with different IP address ranges.
• The PPPoE connection is defined on the NGFW.
• The NGFW acts as modem and router.
• NAT is enabled on the NGFW (Dynamic SNAT, Many:1 or Many:Many).
• Other security services.
3) A Small Network
[Diagram: A Small Network. Labels: ISP; Bridge Radio, Layer-2 mode with PPPoE; 81.91.100.285; NG-Firewall: PPPoE Enabled, DHCP Client Enabled, DHCP Server Enabled, NAT Enabled (Dynamic-SNAT-Many:1), VPN Enabled, Proxy Enabled, SSL Decryption Enabled, IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; LAN 192.168.11.254 (Layer-3 mode), Access Point, 192.168.11.0/24; LAN 192.168.12.254 (Layer-3 mode), Access Point, 192.168.12.0/24]
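Dynamic SNAT in its Many:1 and Many:Many forms, as used in slides 2 and 3 above, written out as an added example that is not code from the slides or from any firewall vendor. `DynamicSnat`, `Packet` and the demo functions are assumptions of this illustration; the public addresses 198.51.100.2, 198.51.100.3 and 203.0.113.x are documentation-range placeholders, and the LAN is the deck's 192.168.11.0/24. It shows the two properties that matter for security: every inside host is hidden behind the pool, and an inbound packet that matches no existing session is dropped.

```python
"""Dynamic source NAT on the NGFW: Many:1 (one public IP) or Many:Many (a pool).

Added illustration, not code from the slides or any vendor.  The LAN is the
deck's 192.168.11.0/24; public addresses are documentation-range placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class DynamicSnat:
    inside: ipaddress.IPv4Network   # hosts whose source address gets translated
    pool: list                      # len 1 -> Many:1, len > 1 -> Many:Many
    port_base: int = 40000
    # session state: inside 5-tuple -> (public ip, public port) and the reverse
    _out: dict = field(default_factory=dict, init=False, repr=False)
    _in: dict = field(default_factory=dict, init=False, repr=False)
    _next_port: dict = field(default_factory=dict, init=False, repr=False)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> internet: rewrite the source, creating session state on first sight."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside:
            return None  # not from the inside network; no translation rule applies
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key not in self._out:
            # Many:Many: pin each inside host to one pool member so its sessions share an egress IP
            pub_ip = self.pool[int(ipaddress.ip_address(pkt.src_ip)) % len(self.pool)]
            pub_port = self._next_port.get(pub_ip, self.port_base)
            self._next_port[pub_ip] = pub_port + 1
            self._out[key] = (pub_ip, pub_port)
            self._in[(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        pub_ip, pub_port = self._out[key]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only packets that match an existing session are let through."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self._in:
            return None  # unsolicited inbound: dropped, which is the stateful property of the NAT
        in_ip, in_port = self._in[key]
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto)


def demo_many_to_one():
    """Two LAN hosts using the same source port share one public IP; reply and probe handling."""
    nat = DynamicSnat(ipaddress.ip_network("192.168.11.0/24"), ["198.51.100.2"])
    a = nat.outbound(Packet("192.168.11.10", 51000, "203.0.113.50", 443))
    b = nat.outbound(Packet("192.168.11.20", 51000, "203.0.113.50", 443))  # gets a new public port
    reply = nat.inbound(Packet("203.0.113.50", 443, a.src_ip, a.src_port))   # matches a's session
    unsolicited = nat.inbound(Packet("203.0.113.9", 12345, "198.51.100.2", 22))  # no session: dropped
    return a, b, reply, unsolicited


def demo_many_to_many():
    """With a two-address pool, neighbouring hosts land on different public IPs."""
    nat = DynamicSnat(ipaddress.ip_network("192.168.11.0/24"), ["198.51.100.2", "198.51.100.3"])
    a = nat.outbound(Packet("192.168.11.10", 51000, "203.0.113.50", 443))
    b = nat.outbound(Packet("192.168.11.11", 51000, "203.0.113.50", 443))
    return a, b
```

The reverse table is keyed on the full public 5-tuple, so a reply is only accepted from the exact peer the inside host talked to; a scan of the public address on another port finds no entry and is dropped.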
• NAT and PPPoE are enabled on the NGFW.
• The NGFW provides VLANs for the zones and networks to make managing them easier.
• For each Ethernet port configured as a Layer-2 interface, users can define a VLAN interface (logical interface) to allow routing of the VLAN traffic to Layer-3 destinations outside the VLAN.
• To configure connectivity on the NG-Firewall between the VLAN and other networks, a VLAN interface must be created. This is not a physical interface; it is a construct used to add a Layer-3-type interface to a Layer-2 VLAN.
• Other security services.
4) A Small/Medium Network
[Diagram: A Small/Medium Network. Labels: ISP; Bridge Radio, Layer-2 mode with PPPoE; NG-Firewall: PPPoE Enabled, DHCP Client Enabled, DHCP Server Enabled, NAT Enabled (Dynamic-SNAT-Many:1), VPN Enabled, Proxy Enabled, SSL Decryption Enabled, IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; LAN 192.168.11.254 (Layer-3 mode), Access Point, 192.168.11.0/24; Layer-2 mode port carrying VLAN-12 with VLAN-int-2 192.168.12.254, Access Points on VLAN-12]
• NAT and PPPoE are enabled on the NGFW.
• The NGFW provides VLANs for the zones and networks to make managing them easier.
• The internal network includes two or more zones, and a zone named DMZ is treated as the SF (Server Farm) zone. This zone is accessible from the external zone (internet), but that access is limited by policies.
• In this example the NGFW uses several interface modes, such as Layer-2, Layer-3 and VLAN interface. The NGFW might also be PPPoE enabled.
• Other security services.
5) A Small/Medium Network with DMZ
[Diagram: A Small/Medium Network with DMZ. Labels: ISP; Bridge Radio, Layer-2 mode with PPPoE; NG-Firewall: PPPoE Enabled, DHCP Client Enabled, DHCP Server Enabled, NAT Enabled (Dynamic-SNAT-Many:1), VPN Enabled, Proxy Enabled, SSL Decryption Enabled, IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering; LAN 192.168.11.254 (Layer-3 mode), Access Point, 192.168.11.0/24; Layer-2 mode port carrying VLAN-12 with VLAN-int-2 192.168.12.254, Access Points on VLAN-12; DMZ 192.168.17.1 (Layer-3 mode), 192.168.17.0/24]
• A switch might be placed inline to switch the traffic between zones.
• A mirror link (10 Gbps in this example) is implemented to send a copy of selected traffic from the switch to the NGFW. The switch port connected to the NGFW must be in SPAN mode and the corresponding port on the NGFW must be in TAP mode.
(This mode is used when a switch is placed between the internet and the internal network and a SPAN port on the switch sends a copy of each packet to the firewall. The firewall can then see all the traffic transmitted through the Layer-2 switch. In this state, none of the received traffic is ever sent out of the firewall: the firewall ingests mirrored packets via one of its interfaces while sitting out of path.)
• The NGFW provides NAT, VLANs, the PPPoE connection and other security services.
• The internal network includes two or more zones, and a zone named DMZ is treated as the SF (Server Farm) zone. This zone is accessible from the external zone (internet), but that access is limited by policies.
• In this example the NGFW uses several interface modes, such as Layer-2, Layer-3 and VLAN interface. The NGFW might also be PPPoE enabled.
6) A Small/Medium Network with a NGFW in TAP mode
[Diagram: A Small/Medium Network with a NGFW in TAP mode; out-of-path traffic inspection and analysis. Labels: ISP; NAT Radio; NG-Firewall: PPPoE Enabled, DHCP Client Enabled, DHCP Server Enabled, NAT Enabled (Dynamic-SNAT-Many:1), VPN Enabled, Proxy Enabled, SSL Decryption Enabled, IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering, 192.168.11.254, 192.168.18.1 (Layer-3 mode); Switch L3 with Trunk; SPAN port on the switch to the NG-Firewall port in Tap Mode, 10 Gbps; LAN Access Point, 192.168.11.0/24; Layer-2 mode port carrying VLAN-12, Access Points on VLAN-12; DMZ 192.168.17.1 (Layer-3 mode), 192.168.17.0/24]
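The practical difference between the inline deployments of the earlier slides and the TAP-mode deployment above, as an added example that is not code from the slides or from any vendor's product: the same toy inspection routine is wired up both ways, but only the inline firewall can drop anything. In TAP mode the switch has already forwarded the frame by the time the mirrored copy reaches the firewall, so the outcome is an alert to act on, never a block. The rules, the sample packets and the host name `blocked.example` are constructed for the example.

```python
"""Inline inspection versus TAP-mode inspection on an NGFW.

Added illustration, not code from the slides or any vendor.  One detection
routine is wired up two ways: inline, where its verdict decides forwarding,
and TAP mode, where it only sees a copy from the switch's SPAN port.  The
rules, the sample packets and the host name blocked.example are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


DENIED_PORTS = {23}                       # constructed rule: no cleartext telnet towards the DMZ
BLOCKED_HOST = b"Host: blocked.example"   # constructed stand-in for a URL-filter category hit


def inspect(pkt):
    """Stand-in for the IPS / URL-filter engine: returns alert strings, empty if clean."""
    alerts = []
    if pkt.dport in DENIED_PORTS:
        alerts.append(f"ips: port {pkt.dport} from {pkt.src} to {pkt.dst} denied")
    if BLOCKED_HOST in pkt.payload:
        alerts.append(f"url-filter: blocked host requested by {pkt.src}")
    return alerts


class InlineFirewall:
    """Sits in the path: a packet that raises an alert is dropped."""
    def __init__(self):
        self.alerts = []

    def process(self, pkt):
        found = inspect(pkt)
        self.alerts.extend(found)
        return None if found else pkt


class TapFirewall:
    """Out of path: inspects mirrored copies and never forwards anything."""
    def __init__(self):
        self.alerts = []

    def process(self, mirrored):
        self.alerts.extend(inspect(mirrored))
        return None   # nothing leaves the TAP interface, clean or not


def switch_with_span(pkts, tap):
    """Layer-2 switch with a SPAN port: forwards every frame and copies it to the tap."""
    delivered = []
    for p in pkts:
        delivered.append(p)    # forwarded first; the tap's verdict cannot change this
        tap.process(p)
    return delivered


def demo():
    """Same three constructed packets through both deployments."""
    pkts = [
        Packet("192.168.11.10", "192.168.17.5", 443),
        Packet("192.168.11.10", "192.168.17.5", 23),
        Packet("192.168.12.7", "203.0.113.50", 80, b"GET / HTTP/1.1\r\nHost: blocked.example\r\n"),
    ]
    inline = InlineFirewall()
    forwarded_inline = [out for out in (inline.process(p) for p in pkts) if out is not None]
    tap = TapFirewall()
    forwarded_tap = switch_with_span(pkts, tap)
    return forwarded_inline, inline.alerts, forwarded_tap, tap.alerts
```

Both firewalls raise the same two alerts; the inline one delivers a single packet while the switch in front of the TAP-mode firewall delivers all three. TAP mode is therefore a visibility and detection deployment, and blocking has to come from somewhere else in the path.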
• The network includes too many zones, and managing them by the previous methods is difficult.
• We therefore use two links between the switch and the firewall. One of them allows the internal VLAN tags (11 to 17) and the other allows the internet VLAN tags (18 to 20).
• For this reason, we define VLAN interfaces in the NGFW to route their traffic (inter-VLAN routing). With these VLAN interfaces, the NG-Firewall no longer needs a router and its sub-interfaces to route or switch packets between different VLANs.
• VLAN interfaces are created virtually inside the NG-Firewall and routing is done in the NG-Firewall's routing engine. This is more efficient than using routers.
7) A Small/Medium Network with too many zones
[Diagram: A Small/Medium Network with too many zones. Labels: ISP; NAT Radio; Firewall: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering, DHCP Server Enabled, VPN Enabled, Proxy Enabled, SSL Decryption Enabled, Layer-3 Subinterface Defined, Routing Enabled; 192.168.18.1 (Layer-3 mode) on the link with Allowed VLAN 18; 192.168.17.1 (Layer-3 mode); Switch L3 on the link with Allowed VLANs 11,12,13,14,15,17; VLAN Interfaces on the Firewall: 192.168.11.1, 192.168.12.1, 192.168.13.1, 192.168.14.1, 192.168.15.1, 192.168.17.1; VLAN-11 192.168.11.0/24, VLAN-12 192.168.12.0/24, VLAN-13 192.168.13.0/24, VLAN-14 192.168.14.0/24, VLAN-15 192.168.15.0/24, DMZ VLAN-17 192.168.17.0/24, VLAN-18; zone names: Support, Sales, Technical, Financial, Management]
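Inter-VLAN routing over VLAN interfaces, as described in slides 4 and 7, as an added example that is not code from the slides or from any vendor. A tagged frame arriving on the trunk is parsed for its 802.1Q VID; the VID selects the VLAN interface and its zone, the destination IP selects the egress VLAN interface, and a zone-to-zone policy decides whether the frame is forwarded, so the routing and the policy check both happen inside the firewall. The VLAN numbers, subnets and zone names are the deck's; which zone name belongs to which VLAN, the policy table, the source-address check, the `build_frame`/`parse_frame`/`route` helpers and the sample frames are assumptions of this example.

```python
"""VLAN interfaces on an NGFW: inter-VLAN routing with a zone policy.

Added illustration, not the slides' or any vendor's code.  VLAN numbers,
subnets and zone names come from the deck; the zone-to-VLAN assignment, the
policy table and the sample frames are constructed for this example.
"""
import ipaddress
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800      # IPv4

# VID -> (zone, subnet); the firewall's VLAN interface is .1 in each, as in the diagram.
VLAN_INTERFACES = {
    11: ("Support", ipaddress.ip_network("192.168.11.0/24")),
    12: ("Sales", ipaddress.ip_network("192.168.12.0/24")),
    13: ("Technical", ipaddress.ip_network("192.168.13.0/24")),
    14: ("Financial", ipaddress.ip_network("192.168.14.0/24")),
    15: ("Management", ipaddress.ip_network("192.168.15.0/24")),
    17: ("DMZ", ipaddress.ip_network("192.168.17.0/24")),
    18: ("Internet", ipaddress.ip_network("192.168.18.0/24")),
}

# (src zone, dst zone) -> allowed TCP destination ports, or "any". Absent pairs are denied,
# so the internet zone reaches nothing but the DMZ, and only on 443.  Constructed policy.
POLICY = {
    ("Internet", "DMZ"): {443},
    ("Support", "DMZ"): "any",
    ("Technical", "DMZ"): "any",
    ("Sales", "DMZ"): {443},
    ("Management", "Financial"): "any",
    ("Support", "Internet"): "any",
}


def build_frame(vid, src_ip, dst_ip, dport):
    """Constructed 802.1Q-tagged Ethernet frame carrying a minimal IPv4/TCP header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    tcp = struct.pack("!HH", 50000, dport) + bytes(16)
    return eth + tag + struct.pack("!H", ETH_P_IP) + ip + tcp


def parse_frame(frame):
    """Return (vid, src_ip, dst_ip, dport); raises ValueError for frames a trunk should not carry."""
    (outer,) = struct.unpack_from("!H", frame, 12)
    if outer != ETH_P_8021Q:
        raise ValueError("untagged frame")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    if inner != ETH_P_IP:
        raise ValueError("not IPv4")
    ip = 18                                   # offset of the IPv4 header after the tag
    ihl = (frame[ip] & 0x0F) * 4
    src = str(ipaddress.ip_address(frame[ip + 12:ip + 16]))
    dst = str(ipaddress.ip_address(frame[ip + 16:ip + 20]))
    (dport,) = struct.unpack_from("!H", frame, ip + ihl + 2)
    return tci & 0x0FFF, src, dst, dport


def route(frame):
    """Routing plus policy decision for one frame: ('forward', egress_vid) or ('drop', reason)."""
    try:
        vid, src, dst, dport = parse_frame(frame)
    except ValueError as err:
        return ("drop", str(err))
    if vid not in VLAN_INTERFACES:
        return ("drop", f"no VLAN interface for VLAN {vid}")
    src_zone, src_net = VLAN_INTERFACES[vid]
    if ipaddress.ip_address(src) not in src_net:
        return ("drop", f"{src} does not belong to VLAN {vid}")   # source check (assumed behaviour)
    egress = next((v for v, (_, net) in VLAN_INTERFACES.items()
                   if ipaddress.ip_address(dst) in net), None)
    if egress is None:
        return ("drop", f"no route to {dst}")
    dst_zone = VLAN_INTERFACES[egress][0]
    allowed = POLICY.get((src_zone, dst_zone))
    if allowed is None or (allowed != "any" and dport not in allowed):
        return ("drop", f"policy denies {src_zone} -> {dst_zone} on port {dport}")
    return ("forward", egress)


def demo():
    """Constructed frames covering allow, deny, spoofed-source and undefined-VLAN cases."""
    return {
        "internet_to_dmz_443": route(build_frame(18, "192.168.18.2", "192.168.17.5", 443)),
        "internet_to_dmz_22": route(build_frame(18, "192.168.18.2", "192.168.17.5", 22)),
        "internet_to_financial": route(build_frame(18, "192.168.18.2", "192.168.14.20", 443)),
        "sales_to_financial": route(build_frame(12, "192.168.12.7", "192.168.14.20", 445)),
        "management_to_financial": route(build_frame(15, "192.168.15.3", "192.168.14.20", 445)),
        "spoofed_source": route(build_frame(12, "192.168.14.99", "192.168.17.5", 443)),
        "undefined_vlan": route(build_frame(16, "192.168.16.1", "192.168.17.5", 443)),
    }
```

The zone of a frame is taken from the VLAN tag it arrived with, never from its source address, which is why the example also refuses a frame whose source address lies outside the subnet defined on that VLAN interface: a host on the Sales VLAN cannot claim a Financial address to reach a server.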
• The network includes too many zones and three internet connections from three different ISPs (MultiWAN).
• MultiWAN is designed to provide redundancy and load balancing of WAN traffic and to reduce downtime of the internet connection.
• We therefore use two links between the switch and the firewall. One of them allows the internal VLAN tags (11 to 17) and the other allows the internet VLAN tags (18 to 20). In this case, every internet connection is placed in a separate zone.
• For this reason, we define VLAN interfaces in the NGFW to route the internal and internet VLAN traffic.
8) A Small/Medium Network with MultiWAN connections
[Diagram: A Small/Medium Network with MultiWAN connections. Labels: ISP1, ISP2, ISP3; NAT Radio; Firewall: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering, DHCP Server Enabled, VPN Enabled, Proxy Enabled, SSL Decryption Enabled, VLAN Interface Defined, Routing Enabled; Layer-3 mode; link with Allowed VLANs 18, 19 & 20 and VLAN Interfaces 192.168.18.1, 192.168.19.1, 192.168.20.1; Switch; link with Allowed VLANs 11,12,13,14,15,17 and VLAN Interfaces 192.168.11.1, 192.168.12.1, 192.168.13.1, 192.168.14.1, 192.168.15.1, 192.168.17.1; VLAN-11 192.168.11.0/24, VLAN-12 192.168.12.0/24, VLAN-13 192.168.13.0/24, VLAN-14 192.168.14.0/24, VLAN-15 192.168.15.0/24, DMZ VLAN-17 192.168.17.0/24, VLAN-18; zone names: Support, Sales, Technical, Financial, Management]
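MultiWAN selection as described in slide 8 (and reused in slide 9), as an added example that is not code from the slides or from any vendor. `MultiWan`, `WanLink`, the weights and the health-check results are assumptions of this example; the WAN VLANs 18, 19 and 20 and the VLAN-interface addresses 192.168.18.1, 192.168.19.1 and 192.168.20.1 are the deck's, and the sample flows are constructed. It shows a point the bullet leaves implicit: a flow must stay on one ISP for the life of its session, otherwise return traffic arrives on an address the NAT state does not know, so load balancing is per flow and a failover moves only the flows that were on the failed link.

```python
"""MultiWAN on the NGFW: per-flow ISP selection with health-based failover.

Added illustration, not code from the slides or any vendor.  The three WAN
zones use the deck's VLANs 18, 19 and 20 and the firewall's VLAN-interface
addresses; weights, link states and the sample flows are constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class WanLink:
    name: str
    vid: int
    vlan_if: str    # the NGFW's own address on that WAN VLAN (from the diagram)
    weight: int     # share of new flows relative to the other links (constructed)
    up: bool = True


@dataclass
class MultiWan:
    links: list
    sessions: dict = field(default_factory=dict)   # flow 5-tuple -> link name

    def _by_name(self, name):
        return next(l for l in self.links if l.name == name)

    def mark(self, name, up):
        """Record a health-check result (constructed; a real NGFW probes each ISP gateway)."""
        self._by_name(name).up = up

    def select(self, flow):
        """Return the WanLink for a flow, or None when every ISP is down.

        An existing session keeps its link while that link is healthy, so the
        NAT state on that ISP stays valid; only flows on a failed link move.
        """
        pinned = self.sessions.get(flow)
        if pinned is not None and self._by_name(pinned).up:
            return self._by_name(pinned)
        healthy = [l for l in self.links if l.up]
        if not healthy:
            self.sessions.pop(flow, None)
            return None
        # Weighted slot table: a weight-2 link receives about twice the new flows of a weight-1 link.
        slots = [l for l in healthy for _ in range(l.weight)]
        digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
        link = slots[int.from_bytes(digest[:4], "big") % len(slots)]
        self.sessions[flow] = link.name
        return link


def demo():
    """200 constructed flows, then ISP1 fails, then every ISP fails."""
    mw = MultiWan([WanLink("ISP1", 18, "192.168.18.1", 2),
                   WanLink("ISP2", 19, "192.168.19.1", 1),
                   WanLink("ISP3", 20, "192.168.20.1", 1)])
    flows = [(f"192.168.11.{i % 250 + 1}", 50000 + i, "203.0.113.50", 443, "tcp")
             for i in range(200)]
    before = {f: mw.select(f).name for f in flows}
    mw.mark("ISP1", False)                        # ISP1 health check fails
    after = {f: mw.select(f).name for f in flows}
    for name in ("ISP2", "ISP3"):
        mw.mark(name, False)
    all_down = mw.select(flows[0])
    return before, after, all_down
```

The session table is what makes failover safe: flows already on ISP2 and ISP3 are untouched when ISP1 drops, and only the flows that were on ISP1 are re-hashed across the survivors. When no link is healthy the selector returns None rather than a stale link, which a caller should treat as "no default route".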
• The NGFW is placed instead of the core switch and acts as the edge Layer-3 network device.
• Alternatively, the switch behind the NGFW can be replaced with a router that routes this traffic to the NGFW using a routing protocol such as RIP or OSPF.
• The network includes too many zones and three internet connections from three different ISPs (MultiWAN).
• We therefore use two trunk links between the switch and the NGFW.
• For this reason, we should define VLAN interfaces in the NGFW to route the internal and internet VLAN traffic.
9) A Small/Medium Network with MultiWAN connections
[Diagram: A Small/Medium Network with MultiWAN connections; the NGFW as core/edge Layer-3 device with Trunk links. Labels: ISP1, ISP2, ISP3; NAT Radio; Firewall: IPS, Anti-virus, Anti-Spyware, Anti-Spam, URL Filtering, DHCP Server Enabled, VPN Enabled, Proxy Enabled, SSL Decryption Enabled, Layer-3 Subinterface Defined, Routing Enabled; Layer-3 mode; Trunk to Switch; VLAN Interfaces 192.168.18.1, 192.168.19.1, 192.168.20.1 (internet side) and 192.168.11.1, 192.168.12.1, 192.168.13.1, 192.168.14.1, 192.168.15.1, 192.168.17.1 (internal side); VLAN-11 192.168.11.0/24, VLAN-12 192.168.12.0/24, VLAN-13 192.168.13.0/24, VLAN-14 192.168.14.0/24, VLAN-15 192.168.15.0/24, DMZ VLAN-17 192.168.17.0/24, VLAN-18; zone names: Support, Sales, Technical, Financial, Management]
[Diagram: the same network with an Edge Router in place of the switch behind the NGFW, exchanging routes with the firewall over OSPF; Switch and Trunk towards the zones; other labels as above]