Next Generation Firewalls


Author: Luciano D'Amico

A next generation firewall is the convergence of an intrusion prevention system and new firewall technologies such as deep packet inspection [3]. The Next Generation Firewall accomplishes all of the functionality of a traditional firewall, and adds more robust security to help prevent against malicious users. By combining the functionality of an intrusion prevention system, the firewall has the ability to identify attacks in real time [1]. The deep packet inspection allows the firewall to gain more information from the incoming packets which allows more intelligent filtering rules.



Contents
  1. Traditional Firewalls
  2. Deep Packet Inspection
  3. Intrusion Prevention Systems
  4. References
  5. See Also
  6. External Links


Traditional Firewalls



The fundamental role of a firewall is to control traffic between two parts of a network [2]. It is a crucial component of an organizations security policy since it determines which packets are allowed to enter and leave the internal network. Firewalls can be hardware or software based, and many organizations employ a combination of both types [2]. Like many other types of technologies, firewall technology has been increasing rapidly. To this point there are three distinct generations of firewall technology [2].


First Generation Firewalls

The first generation of firewalls is the simplest and is often referred to as packet filter firewalls [2]. These work by inspecting the individual packets that are sent or received. The packets are then compared to a set of defined rules. If the packet matches a rule it is either dropped or rejected [2]. The disadvantage of this scheme is that it does not take into consideration whether a packet is part of an existing stream of traffic [2]. By looking at the information contained in a packet, filters can be based on source and destination addresses, protocol and port number.

Second Generation Firewalls

The next generation of firewalls builds on the packet filtering concepts and also adds the concept of state. These firewalls are also known as circuit level firewalls or stateful firewalls [2]. These work by maintaining records of all connections passing through the firewall [2]. This allows the firewall to determine if an incoming packet is part of a new connection or an existing one. This helps to prevent attacks which exploit existing connections.

Third Generation Firewalls

This generation is also known as an application layer firewall [2]. These firewalls build on the technology in previous generations. The advantage to the application layer firewall is that it can understand certain applications and protocols such as FTP or HTTP [2]. This allows the firewall to detect if a protocol is trying to be sent to a nonstandard port. It also allows the firewall to detect if a protocol is being used in a known harmful way.



Deep Packet Inspection


Deep packet inspection is a form of computer network packet filtering that examines the data part of a through-passing packet to determine if the packet can pass [4]. This is in contrast to shallow packet inspection (usually called just packet inspection) which just checks the header portion of a packet [4]. Using deep packet inspection, a firewall has the ability to look at layer 2 through layer 7 of the OSI model [4]. These are the data link, network, transport, session, presentation, and application layers. This allows the firewall to inspect the headers of the packets as well as the data protocol structures. Regular firewalls can only drop or reject a packet. With next generation firewalls a packet can be redirected, marked/tagged, blocked, rate limited, and reported to a reporting agent in the network [4].



Intrusion Prevention Systems


An intrusion prevention system is a computer security device that exercises access control to protect computers from exploitation [1]. The latest Next Generation Firewalls leverage their existing deep packet inspection engine by sharing this functionality with an intrusion prevention system [1]. Intrusion prevention systems were invented in the late 1990s to resolve ambiguities in passive network monitoring by placing detection systems in-line [1]. Intrusion prevention systems make access control decisions based on application content, rather than IP address or ports as traditional firewalls do. Different types of intrusion prevention systems include content based, protocol analysis and rate based [1].

Content Based

A content based intrusion prevention system inspects the content of network packets for unique sequences, called signatures, to detect and hopefully prevent known types of attacks [1].

Protocol Analysis

Protocol analyzers can natively decode application-layer network protocols, such as HTTP or FTP [1]. The analysis engine can evaluate different parts of the protocol for anomalous behavior or exploits. For example, the existence of a large binary file in the User-Agent field of an HTTP request would be very unusual and likely an intrusion.

Rate Based

This method is primarily intended to prevent denial of service attacks [1]. Rate based intrusion prevention works by monitoring and learning normal network behaviours. Through real-time traffic monitoring and comparison with stored statistics, this method can identify abnormal rates for certain types of traffic [1]. The disadvantage of this is that unusual but legitimate traffic patterns will cause false alarms.



References


[1] Intrusion Prevention Systems
[2] Firewalls
[3] Next Generation Firewalls
[4] Deep Packet Inspection



See Also


802.11 Wireless Security
Wireless Ad-hoc Network Intrusion Detection System
Isolations for Security
Tools for Linux Security



External Links


The Perils of Deep Packet Inspection
The Evolution of Firewalls
How Firewalls Work
Personal Firewall Comparison


Last Revised: April 06, 2007