Next generation (ng) firewalls

Download as PPTX, PDF

•1 like•1,136 views

Next Generation (NG) firewalls address the complexity that arose from combining multiple security functions into standalone devices. NG firewalls integrate firewall, intrusion detection, VPN, application control, web proxy, antivirus, and identity awareness capabilities into a single high-performance device. This consolidation improves network throughput, resilience, cost efficiency, and troubleshooting by eliminating the problems caused by managing separate security appliances. NG firewalls can analyze traffic in real-time at speeds of 10 gigabits per second and implement flexible access policies based on users, groups, applications, times of day, and other advanced criteria.

Next Generation (NG) Firewalls
• Firewall history
• But what about???
• Complexity creep
• NG firewalls

Firewall history
• Routers
• Access control lists (non-stateful)
• Firewalls
• Stateful firewalls appeared mid 90s
• Fairly simple databases (state tables)
• NAT/PAT complicates things (state tables + src & dst ports)
• Work at Layer 4 in the OSI 7 layer model
3. Network (IP/ICMP)
4. Transport (host-to-host flow control TCP/UDP)
• From wikipedia (sorry!):
“Early attempts at producing firewalls operated at the Application
Layer, which is the very top of the seven-layer OSI model. This method
required exorbitant amounts of computing power and is rarely used in
modern implementations.”

But what about???
• AKA functionality creep
• Intrusion Detection/Prevention Systems
• Virtual Private Networks (S2S, C2S)
• Application control
• Web Proxy
• Anti-virus/malware
• Identity awareness

Complexity creep
• All separate devices – creates problems…
• Network throughput
• Resilience
• Cost (Capital and Revenue)
• Complexity
• Troubleshooting
• Down-time

NG Firewalls
• Massively powerful switch/routers
• Massively powerful analysis engines
• Architected to analyse multiple of 10Gigabits of traffic in real-
time
• The type of access-list is entirely different
• Instead of:
• [IP Address A] can access [IP Address B] on [Port Y]
• We can write:
• [Users] in the [Finance Group] can access [Finance systems] during
[08.00 until 18.00]
• [All Students] on [IT Suite PCs] can only access [Social networking
sites] between [17.00 and 09.00]
• [Anyone] using [bittorrent] can only [upload] at [50kpbs]
• [Anyone] using [www] (if not previously known) must [authenticate]

More Related Content

PDF

OpenNebulaConf2017EU: Hyper converged infrastructure with OpenNebula and Ceph...OpenNebula Project

PDF

OpenNebulaConf2017EU: Providing cloud and Managed Hosting Environment by Mich...OpenNebula Project

PPT

Dynamic routing in microservice oriented architectureDaniel Leon

PPTX

Cloud Computing SecurityAnshul Patel

PDF

Go, Swarm and DevOps vs The Mighty MonolithIgor Karpovich

PDF

OpenNebula Conf 2014 | Bootstrapping a virtual infrastructure using OpenNebul...NETWAYS

PDF

OpenNebula Conf | Lightning talk: Managing a Scientific Computing Facility wi...NETWAYS

PDF

rOCCI – Providing Interoperability through OCCI 1.1 Support for OpenNebulaNETWAYS

OpenNebulaConf2017EU: Hyper converged infrastructure with OpenNebula and Ceph...OpenNebula Project

OpenNebulaConf2017EU: Providing cloud and Managed Hosting Environment by Mich...OpenNebula Project

Dynamic routing in microservice oriented architectureDaniel Leon

Cloud Computing SecurityAnshul Patel

Go, Swarm and DevOps vs The Mighty MonolithIgor Karpovich

OpenNebula Conf 2014 | Bootstrapping a virtual infrastructure using OpenNebul...NETWAYS

OpenNebula Conf | Lightning talk: Managing a Scientific Computing Facility wi...NETWAYS

rOCCI – Providing Interoperability through OCCI 1.1 Support for OpenNebulaNETWAYS

What's hot (16)

PPTX

Linux kit meetup_v1.0.0Anshul Patel

PPTX

linkerd: The Cloud Native Service MeshDario Simonetti

PDF

Performant and Resilient Storage: The Open Source & Linux WayOpenNebula Project

PPTX

Cloud Origins: How OpenStack became the natural evolution of the internet and...Cloud Native Day Tel Aviv

PPTX

My internworkV C

PPTX

Node Architecture.pptxAhmed Hassan

PPTX

The Nextcloud Roadmap for Secure Team CollaborationUnivention GmbH

PDF

Bringing Private Cloud computing to HPC and Science - EGI TF tf 2013Ignacio M. Llorente

PDF

UbiquiTalk - An Infrastructure for Ubiquitous Computing (ESUG 2006)Noury Bouraqadi

PPTX

IoT Day 2017 - Starter Kit SmartEnergyLorenzo Maiorfi

PDF

Art of nodejsShadaï ALI

PPT

InfiniBand in the Lab (vSphere 5.5) VMworld 2013 Barcelona vBrownbag Tech TalkErik Bussink

PPTX

Cldfnd chapter1-4Mostafa PourMonazah

PPT

Civil War: LXD vs DockerOpenNebula Project

PDF

Modern Computing System & BeyondNuwan Bandara

PDF

Planidoo & ZotonicDavid de Boer

Linux kit meetup_v1.0.0Anshul Patel

linkerd: The Cloud Native Service MeshDario Simonetti

Performant and Resilient Storage: The Open Source & Linux WayOpenNebula Project

Cloud Origins: How OpenStack became the natural evolution of the internet and...Cloud Native Day Tel Aviv

My internworkV C

Node Architecture.pptxAhmed Hassan

The Nextcloud Roadmap for Secure Team CollaborationUnivention GmbH

Bringing Private Cloud computing to HPC and Science - EGI TF tf 2013Ignacio M. Llorente

UbiquiTalk - An Infrastructure for Ubiquitous Computing (ESUG 2006)Noury Bouraqadi

IoT Day 2017 - Starter Kit SmartEnergyLorenzo Maiorfi

Art of nodejsShadaï ALI

InfiniBand in the Lab (vSphere 5.5) VMworld 2013 Barcelona vBrownbag Tech TalkErik Bussink

Cldfnd chapter1-4Mostafa PourMonazah

Civil War: LXD vs DockerOpenNebula Project

Modern Computing System & BeyondNuwan Bandara

Planidoo & ZotonicDavid de Boer

Similar to Next generation (ng) firewalls (20)

PPTX

Security analyticsSimon Bennett

PPTX

Moving to software-based production workflows and containerisation of media a...Kieran Kunhya

PDF

Using IT Equipment in Live BroadcastKieran Kunhya

PPTX

Building the Internet of Things with Thingsquare and Contiki - day 1, part 3Adam Dunkels

PPTX

Basic Foundation For CybersecurityMohammed Adam

PPTX

Tracking the International Space Station with Commodore ComputersLeif Bloomquist

PPTX

1. RINA motivation - TF WorkshopARCFIRE ICT

PDF

Html5 web sockets - Brad Drysdale - London Web 2011-10-20Nathan O'Hanlon

PDF

From Device to Data Center to InsightsDataWorks Summit/Hadoop Summit

PPTX

From Device to Data Center to Insights: Architectural Considerations for the ...P. Taylor Goetz

PPTX

Smart Object ArchitectureHannes Tschofenig

PDF

Matrix, The Year To Date, Ben Parsons, TADSummit 2018Alan Quayle

PDF

Software defined networking: PrimerMuhammad Moinur Rahman

PDF

XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...The Linux Foundation

PDF

Distributech_Presentation DTECH_2013Dorian Hernandez

PPTX

Intro RINAARCFIRE ICT

PPTX

5. IO virtualizationHwanju Kim

PDF

Scalable Service-Oriented Middleware over IPDai Yang

PDF

Network Stack in Userspace (NUSE)Hajime Tazaki

PDF

Grid middleware is easy to install, configure, secure, debug and manage acros...Paul Brebner

Security analyticsSimon Bennett

Moving to software-based production workflows and containerisation of media a...Kieran Kunhya

Using IT Equipment in Live BroadcastKieran Kunhya

Building the Internet of Things with Thingsquare and Contiki - day 1, part 3Adam Dunkels

Basic Foundation For CybersecurityMohammed Adam

Tracking the International Space Station with Commodore ComputersLeif Bloomquist

1. RINA motivation - TF WorkshopARCFIRE ICT

Html5 web sockets - Brad Drysdale - London Web 2011-10-20Nathan O'Hanlon

From Device to Data Center to InsightsDataWorks Summit/Hadoop Summit

From Device to Data Center to Insights: Architectural Considerations for the ...P. Taylor Goetz

Smart Object ArchitectureHannes Tschofenig

Matrix, The Year To Date, Ben Parsons, TADSummit 2018Alan Quayle

Software defined networking: PrimerMuhammad Moinur Rahman

XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...The Linux Foundation

Distributech_Presentation DTECH_2013Dorian Hernandez

Intro RINAARCFIRE ICT

5. IO virtualizationHwanju Kim

Scalable Service-Oriented Middleware over IPDai Yang

Network Stack in Userspace (NUSE)Hajime Tazaki

Grid middleware is easy to install, configure, secure, debug and manage acros...Paul Brebner

Next generation (ng) firewalls

1. Next Generation (NG) Firewalls • Firewall history • But what about??? • Complexity creep • NG firewalls

2. Firewall history • Routers • Access control lists (non-stateful) • Firewalls • Stateful firewalls appeared mid 90s • Fairly simple databases (state tables) • NAT/PAT complicates things (state tables + src & dst ports) • Work at Layer 4 in the OSI 7 layer model 3. Network (IP/ICMP) 4. Transport (host-to-host flow control TCP/UDP) • From wikipedia (sorry!): “Early attempts at producing firewalls operated at the Application Layer, which is the very top of the seven-layer OSI model. This method required exorbitant amounts of computing power and is rarely used in modern implementations.”

3. But what about??? • AKA functionality creep • Intrusion Detection/Prevention Systems • Virtual Private Networks (S2S, C2S) • Application control • Web Proxy • Anti-virus/malware • Identity awareness

4. Complexity creep • All separate devices – creates problems… • Network throughput • Resilience • Cost (Capital and Revenue) • Complexity • Troubleshooting • Down-time

5. NG Firewalls • Massively powerful switch/routers • Massively powerful analysis engines • Architected to analyse multiple of 10Gigabits of traffic in real- time • The type of access-list is entirely different • Instead of: • [IP Address A] can access [IP Address B] on [Port Y] • We can write: • [Users] in the [Finance Group] can access [Finance systems] during [08.00 until 18.00] • [All Students] on [IT Suite PCs] can only access [Social networking sites] between [17.00 and 09.00] • [Anyone] using [bittorrent] can only [upload] at [50kpbs] • [Anyone] using [www] (if not previously known) must [authenticate]