Next Generation Firewalls (NGFW)
NGFW (Next Generation Firewalls) operate up to layer 7. Unlike packet filter and stateful firewalls that make decisions based on layers 3 and 4 only, NGFWs can make filtering decisions based on application-layer data, such as HTTP or DNS traffic, in addition to layers 3 and 4. This seemingly simple distinction offers tremendously improved capabilities in protection against modern threats. With the increased visibility, NGFWs can incorporate layer 7 filtering and detection approaches employed by Network Intrusion Detection Systems (NIDS), and their preventive counterpart Network Intrusion Prevention Systems (NIPS), which are discussed later in this chapter.
Many NGFWs offer the ability to dynamically determine the layer 7 protocol being employed, regardless of the port over which the communication occurs. This capability can be used to identify adversary traffic that might tunnel one layer 7 protocol over a TCP port not typically employed by that layer 7 protocol. Consider an adversary instantiating an outbound SSH tunnel, which would typically use TCP port 22, over TCP port 443 from a compromised internal asset. Packet filter and stateful firewalls without layer 7 visibility would presume the traffic targeting TCP 443 to be HTTPS, as they lack the visibility to determine otherwise.
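The port-independent identification described above can be illustrated with a small classifier that looks at the first client payload bytes of each flow and compares what it sees with what the destination port would imply. This is an added example, not code from the book or from any firewall vendor: the port-to-protocol table, the protocol signatures (SSH identification string, TLS ClientHello record, HTTP request line) and the sample flows are constructed for illustration. Flows whose payload the classifier cannot recognise are reported as unknown rather than flagged, which is the caveat a real NGFW shares: it can only act on what it can identify.

```python
"""Port-independent application identification in the style an NGFW applies
to the first client bytes of a flow. Added illustration; the signatures,
port table and sample flows below are constructed, not taken from the book."""
from dataclasses import dataclass
from typing import List

# Assumption: the protocol each well-known port is expected to carry.
EXPECTED_BY_PORT = {22: "ssh", 80: "http", 443: "tls"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by the client


def identify_protocol(payload: bytes) -> str:
    """Classify a flow by payload content, never by port number."""
    # SSH: the client's identification string begins with "SSH-" (RFC 4253).
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS: record type 0x16 (handshake), version major 0x03, then a ClientHello (0x01).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # Plain HTTP: a request line such as "GET / HTTP/1.1".
    method = payload.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS") and b" HTTP/1." in payload:
        return "http"
    return "unknown"


def check_flow(flow: Flow) -> dict:
    """Compare what the port implies with what the payload actually shows."""
    observed = identify_protocol(flow.first_bytes)
    expected = EXPECTED_BY_PORT.get(flow.dport)
    # Only a positively identified protocol that differs from the port's
    # expected one counts as a mismatch; "unknown" is not evidence either way.
    mismatch = expected is not None and observed not in ("unknown", expected)
    return {"src": flow.src, "dst": flow.dst, "dport": flow.dport,
            "expected": expected, "observed": observed, "mismatch": mismatch}


def find_mismatches(flows: List[Flow]) -> List[dict]:
    """Return the flows whose observed protocol contradicts their port."""
    return [r for r in map(check_flow, flows) if r["mismatch"]]


# Constructed sample flows: addresses, banners and the TLS record are made up.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 16
SAMPLE_FLOWS = [
    Flow("10.0.20.15", "203.0.113.10", 443, TLS_CLIENT_HELLO),                       # genuine HTTPS
    Flow("10.0.20.15", "198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),  # plain HTTP
    Flow("10.0.20.15", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_9.0\r\n"),               # SSH on its usual port
    Flow("10.0.20.15", "192.0.2.44", 443, b"SSH-2.0-OpenSSH_9.0\r\n"),                # SSH carried over TCP 443
]

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} expected {hit['expected']}, "
              f"observed {hit['observed']}")
```

A packet filter or stateful firewall sees only the fourth flow's destination port and treats it as HTTPS; the classifier above sees the SSH identification string and reports the port/protocol mismatch that an NGFW would log or block.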
NGFW capabilities have expanded well beyond the traditional purview of firewalls to include security functions traditionally delivered as separate standalone products. This expanded feature set, which may include web content filtering, sandboxing, antimalware, threat intelligence, and HTTPS decryption, can allow organizations to reduce the overall cost of maintaining these functions in separate devices.
Endpoint Firewalls
The primary focus of firewalls historically has been on assets deployed to offer protection to a collection of systems on a network. While the importance of firewalls for achieving network segmentation persists, firewalls deployed on individual endpoints offer substantial additional benefits. The most basic configuration performed on any firewall involves defining the trust levels associated with various networks. Historically, this meant trusting internal assets and treating all non-internal assets as untrusted. Unfortunately, adversaries' increasing use of Lateral Movement (TA0008 within the MITRE ATT&CK® Enterprise Matrix [6]) diminishes the efficacy of equating internal with trusted.
Thankfully, endpoint firewalls offer us a technically simple way to combat this overly generous internal zone of trust. Endpoint firewalls, sometimes referred to as desktop or host-based firewalls, operate as a piece of software installed on a single system. Only the system on which the endpoint firewall is installed needs to be implicitly trusted, which can allow greatly increased protection and detection capabilities in the face of an adversary launching attacks from the vantage point of a compromised internal asset.
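The difference between the two trust models above can be shown with a small first-match rule evaluator that runs the same inbound connection against a perimeter-style policy (everything internal is trusted) and against an endpoint policy (only the host itself is trusted, every other source is enumerated). This is an added example, not code from the book or from any firewall product; the subnets, addresses, ports and rule sets are constructed assumptions.

```python
"""Host-based rule evaluation contrasting a perimeter-style trust zone with an
endpoint firewall policy. Added illustration, not code from the book; the
subnets, ports and rule sets are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR of the remote peer initiating the connection
    dport: Optional[int]   # None matches any destination port
    comment: str = ""


@dataclass(frozen=True)
class Conn:
    src_ip: str   # peer address as seen by the protected host
    dport: int    # local port the peer is connecting to


def evaluate(rules: List[Rule], conn: Conn, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins; anything unmatched falls to the default action."""
    ip = ipaddress.ip_address(conn.src_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.src) and rule.dport in (None, conn.dport):
            return rule.action, rule.comment
    return default, "default policy"


# Policy modelled on "internal is trusted": a single rule admits every inbound
# connection from the whole internal range (constructed 10.0.0.0/8).
INTERNAL_TRUSTED = [Rule("allow", "10.0.0.0/8", None, "internal network is trusted")]

# Endpoint policy: only this host is implicitly trusted, so inbound access is
# enumerated per source and per service (constructed addresses and ports).
ENDPOINT_POLICY = [
    Rule("allow", "10.0.10.5/32", 3389, "remote desktop from the admin jump host only"),
    Rule("allow", "10.0.10.0/24", 445, "file sharing from the admin subnet only"),
]


def compare(conn: Conn) -> dict:
    """Decision each policy reaches for the same inbound connection."""
    return {"internal_trusted": evaluate(INTERNAL_TRUSTED, conn)[0],
            "endpoint": evaluate(ENDPOINT_POLICY, conn)[0]}


if __name__ == "__main__":
    # A compromised workstation elsewhere on the internal network (constructed
    # 10.0.50.23) attempting to reach this host's SMB service.
    print("lateral SMB attempt:", compare(Conn("10.0.50.23", 445)))
    # Legitimate remote desktop session from the admin jump host.
    print("admin RDP session:", compare(Conn("10.0.10.5", 3389)))
```

The perimeter-style policy allows the SMB attempt from the compromised workstation because it is internal; the endpoint policy denies it because that source was never enumerated, and the denial itself is a detection signal worth forwarding from the host's firewall log.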