Next-generation firewalls win at the application layer
Why are next-generation firewalls superior at the application layer?
Almost no one doubts the central place of the firewall among all the security equipment an enterprise procures. However, traditional firewalls do not solve the major network security problems. In terms of implementation, the traditional firewall is mainly a packet-filtering firewall that implements network-layer control: it intercepts packets on the network, parses them according to the protocol, and compares the key fields of the header with a preset filter rule to decide whether to forward the packet. With the wide variety of applications at the application layer, more and more application-layer protocols are in use, and as a result more and more attackers can launch attacks directly at the application layer.
According to the research firm Gartner, in recent years 75% of network attacks have occurred at the application layer. Even the typical DDoS attack, which used to "win" by sheer network-layer traffic, has moved down to the application layer in recent years: by 2013 more than 1/4 of DDoS attacks were application-based, and this proportion continues to grow year by year. In stark contrast, with the rapid development of Internet technology, key business activities depend increasingly on Internet applications, which means more and more potential risk is exposed.
New battlefield of new generation security
Traditional firewalls are mainly designed to process common protocols. They cannot analyze application-protocol payloads and have difficulty preventing more targeted network attacks. With the development of technology and the business needs of the Internet+ era, firewall users urgently need deeper inspection and filtering of data packets. For example, users can transfer files through QQ, and the transferred files may be malicious files that introduce risk. In this business scenario, even if the traditional firewall can confirm the QQ service from the port number, it cannot perform in-depth detection at the file level, let alone handle the many applications that run on non-standard ports.
Although it is too early to assert that the traditional policy-oriented protection model is completely ineffective, in the context of the shift from network-layer attacks to Web attacks we can draw a conclusion: without a firewall with application-layer detection and protection capabilities, we inevitably face the dilemma of "being honest and cool". The focus of new-generation security lies in application security, that is, providing a complete solution for the Web application layer.
How can next-generation firewalls resolve the application-layer crisis?
There is more than one reason that makes the next-generation firewall "next generation". Application awareness is its typical label, and "application awareness capability" is undoubtedly the hot term most often associated with it. The concept of application awareness seems clear, but it is to some extent misleading. It is clear in that the next-generation firewall can associate traffic with specific applications. It is misleading in that the security capabilities of the next-generation firewall should not be limited to detecting and identifying application traffic; more importantly, they act on the recognition results: applications, or even sub-functions within an application, can be selectively blocked or otherwise restricted, instead of blocking specific ports and protocols as a traditional firewall does.
In the new security situation, firewall users need a deeper understanding of the applications running across the network. In recent years, many new security devices have provided deep packet inspection (DPI), fine-grained control, and application awareness functions to help enterprises manage the network boundary. According to Eric Maiwald, Research Director at Gartner, "modern firewalls have more or less the next-generation genes, including integrated intrusion detection (IPS) and better application control capabilities. These seem to have become the standard for today's firewall devices, and almost all mainstream security vendors can come along with a story about the next generation." But after all, a story is a story. More important than listening to the story is understanding how to evaluate the "next generation" and whether to migrate to it.
Real-time detection and analysis of abnormal behavior is the main driving force for many users to upgrade to a next-generation firewall. Many IT directors report that the most obvious change after deploying a next-generation firewall is the detection of compromised hosts: some enterprises find botnet members and intruded hosts on the intranet on the very day of deployment. This comes from the ability of the next-generation firewall to inspect the payload of data packets and make decisions based on the actual content. It also provides better content filtering, since it can review the complete network packet, not only the network address and port. In addition, the next-generation firewall has more powerful logging functions, such as logging events like commands issued by a specific program, which provides valuable information for identifying abnormal application behavior.
More precise application-layer security control is another "killer feature" of the next-generation firewall. With more network threats coming from the application layer, users naturally have higher requirements for network access control. How to precisely identify users and applications, block applications that hide security risks, and ensure the normal use of legitimate applications has become the focus of users. However, with the rapid development of network applications, more than 90% of network applications run on HTTP ports 80 and 443, and a large number of applications can reuse ports and change IP addresses; as a result, the IP address no longer equals the user and the port number no longer equals the application. The traditional access control policy based on the five-tuple is of little use. The user and application visualization technologies of the next-generation firewall can recognize and control applications by their behavior and characteristics. If they are also seamlessly connected to authentication systems (such as AD and LDAP), they can automatically identify the user behind the current IP address on the network and draw a three-dimensional portrait of person, content and application to meet the network control requirements of the new generation of security.
The next generation firewall is not
Unlike the traditional signature-based detection engine, the next-generation firewall is born with the genes to perceive user and application behavior; ultimately, it must understand the context of network packets. Although this removes the dependence on a fixed signature database, it does not mean that the next-generation firewall is freed from the tedious work of regular upgrades. On the contrary, the next-generation firewall must continuously learn an ever-growing set of application fingerprint signatures to keep its application recognition current. Because these fingerprints do not depend on ports, protocols and other easily identified features, and sometimes even involve the content of specific packets, maintaining the rule set of a next-generation firewall is a more arduous task. In addition, for non-general-purpose applications, such as the private applications developed by many large enterprises, the next-generation firewall may fail to recognize them. In this case you still need to add application fingerprint signatures manually, and this process may have to be repeated after every upgrade of the private application. If the next-generation firewall is so insecure, many users will be greatly impressed by the "next generation".
The next-generation application-layer firewall technology overcomes the shortcomings of the traditional "border firewall" and integrates security technologies such as IPS and anti-virus to implement comprehensive security solutions from the network to the server and the client, meeting the security requirements of enterprise applications and development. Looking ahead, as more concealed application-layer attacks emerge, the firewall will face more protocol parsing and more application recognition, so the application-layer firewall will develop towards stronger protection functions and more granular control.
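The following added example (not code from the original article or any vendor product) contrasts the five-tuple decision described above with a port-independent, user-and-application-aware policy, and shows the failure mode of the previous paragraph: an unrecognized in-house application falls into "unknown" until a fingerprint is added by hand. The application names, fingerprints, IP-to-user mapping and sample packets are all constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes


# Legacy packet filter: header fields only, so "port 80 or 443" means "allow".
def legacy_decision(pkt: Packet) -> str:
    return "allow" if pkt.dst_port in (80, 443) else "deny"


# Application fingerprints over the payload; order matters (most specific first).
# Constructed for this example; a real product ships a far larger signature set.
FINGERPRINTS = [
    ("file-transfer", re.compile(rb"^(?:GET|POST|PUT) \S+ HTTP/1\.[01]\r\n(?:[^\r\n]*\r\n)*?Host: files\.example\r\n")),
    ("web-browsing", re.compile(rb"^(?:GET|POST) \S+ HTTP/1\.[01]\r\n")),
    ("privapp-v1", re.compile(rb"^PRIVAPP\x01")),  # hand-added for a hypothetical in-house app
]


def identify_app(pkt: Packet) -> str:
    for name, rx in FINGERPRINTS:
        if rx.match(pkt.payload):
            return name
    return "unknown"  # no fingerprint yet: the case the text warns about


# IP -> user as an AD/LDAP lookup would supply it (constructed).
IP_TO_USER = {"10.0.0.5": "alice", "10.0.0.9": "bob"}

# Per-user, per-application policy; first match wins, otherwise deny.
POLICY = [
    ("alice", "file-transfer", "allow"),
    ("*", "file-transfer", "deny"),
    ("*", "web-browsing", "allow"),
    ("*", "privapp-v1", "allow"),
]


def ngfw_decision(pkt: Packet) -> tuple:
    user = IP_TO_USER.get(pkt.src_ip, "unknown")
    app = identify_app(pkt)
    for u, a, action in POLICY:
        if u in ("*", user) and a == app:
            return user, app, action
    return user, app, "deny"


# Constructed traffic: same port, different apps; same app, non-standard port; unknown blob.
SAMPLE = [
    Packet("10.0.0.5", 80, b"GET /big.bin HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    Packet("10.0.0.9", 80, b"GET /big.bin HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    Packet("10.0.0.9", 8080, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet("10.0.0.9", 80, b"PRIVAPP\x01hello"),
    Packet("10.0.0.9", 80, b"\x00\x01opaque-binary"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.dst_port, legacy_decision(p), ngfw_decision(p))
```

The legacy filter allows both file transfers and the opaque blob because they arrive on port 80, and denies ordinary browsing on 8080; the application-aware policy decides on who is talking and what they are doing instead.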