Firewall Types – CompTIA Security+ SY0-701 – 3.2

There are many different ways to secure network flows in real-time. In this video, you’ll learn about UTMs, NGFWs, and WAFs.


If you are connected to the internet, then you’re probably communicating through a firewall. We use these firewalls in our homes and in our offices, and we even have firewalls built into our operating systems themselves. Firewalls are designed to control the flow of traffic between two points, so you can control traffic going in and out of your network using your firewall. This is especially important in large environments where hundreds or even thousands of users are communicating with the internet and back again, and the firewall is where you manage all of those flows.

Firewalls can also be used to control what websites or content a person may access. This can be used in a corporate environment to control what websites employees might visit. Or you might have the firewall at home provide parental controls. And since the firewall is watching all traffic pass through it, this is a perfect place to provide additional security controls for antivirus and anti-malware.

A network-based firewall controls traffic through the use of a purpose-built appliance. Traditional network-based firewalls can control traffic based on OSI layer 4. So that would be a TCP port or a UDP port number. More modern, next-generation firewalls are able to manage traffic based on OSI layer 7. This is the application layer. So they’re able to allow or disallow traffic based on what application is being used over the network.

Firewalls can also do more than simply allow or disallow traffic flows. They can integrate other services inside of the firewall, such as a Virtual Private Network, or VPN. And many firewalls can also operate as a layer 3 device, or a router. These devices commonly sit on the edge of the network and control the traffic flows between the internal network and the external network. Because they provide this layer 3 functionality, they can very often perform network address translation and support routing protocols as well.

Some older firewalls include a number of different features that are bundled within one single device. We refer to these older devices as a UTM, or a Unified Threat Management device. Sometimes you’ll see this referred to as a web security gateway or an all-in-one security appliance. We refer to them as all-in-one because they’re able to handle many different services all at the same time. Features such as URL filtering or content inspection can allow or disallow access to certain websites. These UTMs might also have some capability for identifying malware and blocking it before it gets into your network.

Many UTMs can also be used to filter spam, so they can block unwanted email correspondence within the firewall itself. These devices might also provide additional functionality for wide area network connectivity such as a CSU/DSU or routing and switching built into the device itself. Of course, the firewall functionality is also included along with the ability to block malicious software through the use of an IDS or IPS. And since all of this traffic is flowing through this single device, we can use this as a bandwidth shaper to provide quality of service across different applications or protocols.

And in many cases, these UTMs can also act as a VPN concentrator or VPN endpoint, providing a way for people to connect securely to the corporate environment. One of the challenges with UTMs, however, is that many of these devices only operate at layer 4, so they only look at port numbers. And bundling all of these individual and separate capabilities into one single appliance often comes at a cost to performance, so you may only be able to turn on a few of these capabilities before the entire device starts to slow down.

One of the most modern types of firewalls is the Next-Generation Firewall, or NGFW. These devices operate at OSI layer 7, so they’re able to make forwarding decisions based on the applications that are being used on the network. Sometimes you’ll hear these next-generation firewalls described as application layer gateways, stateful multilayer inspection devices, or deep packet inspection devices.

A next-generation firewall is able to examine all traffic traversing the network and perform a full packet decode of everything traversing those links. That means the firewall can recognize who’s sending the traffic, where the traffic’s going to, what is contained within the application layer of the traffic, and then make forwarding decisions on whether that traffic is allowed or disallowed through the firewall.

Next-generation firewalls are able to examine all of this traffic, determine what applications are in use, and then make forwarding decisions based on those applications. So a next-gen firewall might allow Microsoft SQL Server traffic to go through the firewall regardless of what port number it’s using. Maybe people are allowed to view Twitter but not post to Twitter. And then you can allow or restrict anyone from viewing YouTube videos. It’s very possible that all three of these application types are using similar port numbers. But since the next-generation firewall looks at the application layer, it doesn’t necessarily rely on just a port number to make forwarding decisions.
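To make the layer 4 versus layer 7 distinction from the two passages above concrete, here is an added example (not code from the video or from any firewall vendor) that runs the same constructed flows through a port-based policy and an application-aware policy. The application names, sub-actions and port numbers are assumptions chosen to mirror the SQL Server, Twitter and YouTube scenarios described in the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One observed flow: layer-4 metadata plus the layer-7 identification an
    NGFW derives from a full packet decode. All values are constructed samples."""
    src: str
    dst_port: int
    protocol: str    # "tcp" or "udp"
    app: str         # identified application, e.g. "mssql", "twitter", "youtube"
    app_action: str  # sub-action within the application, e.g. "view", "post"

# Layer-4 policy (traditional firewall / UTM): only protocol and port are visible.
L4_RULES = [
    ("tcp", 1433, "allow"),  # the conventional SQL Server port
    ("tcp", 443, "allow"),   # HTTPS: Twitter, YouTube and much else look identical here
]

# Layer-7 policy (NGFW): the identified application and sub-action drive the verdict.
L7_RULES = [
    ("mssql", None, "allow"),     # SQL Server regardless of port number
    ("twitter", "view", "allow"),
    ("twitter", "post", "deny"),
    ("youtube", None, "deny"),
]

def l4_verdict(flow: Flow, default: str = "deny") -> str:
    for proto, port, verdict in L4_RULES:
        if flow.protocol == proto and flow.dst_port == port:
            return verdict
    return default  # implicit deny when no rule matches

def l7_verdict(flow: Flow, default: str = "deny") -> str:
    for app, action, verdict in L7_RULES:
        if flow.app == app and (action is None or flow.app_action == action):
            return verdict
    return default

# Constructed flows: note the SQL Server session on a non-standard port and the
# three HTTPS sessions that a port-only policy cannot tell apart.
FLOWS = [
    Flow("10.0.0.5", 1433, "tcp", "mssql", "query"),
    Flow("10.0.0.5", 8443, "tcp", "mssql", "query"),
    Flow("10.0.0.7", 443, "tcp", "twitter", "view"),
    Flow("10.0.0.7", 443, "tcp", "twitter", "post"),
    Flow("10.0.0.9", 443, "tcp", "youtube", "view"),
]

def compare(flows):
    """Return (app, action, port, layer-4 verdict, layer-7 verdict) per flow."""
    return [(f.app, f.app_action, f.dst_port, l4_verdict(f), l7_verdict(f)) for f in flows]

if __name__ == "__main__":
    for row in compare(FLOWS):
        print(row)
```

Running it shows the port-based policy blocking the SQL Server session on port 8443 while waving through the Twitter post and the YouTube session, which is exactly the gap the application-aware policy closes.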

It’s also very common for a next-generation firewall to have a list of known vulnerabilities that it can allow or block in the firewall itself, effectively turning that portion of the next-generation firewall into an intrusion prevention system. And many next-gen firewalls include a categorization of URLs, so you can allow or block traffic to a specific type of website or to a specific URL itself. This means you can configure a rule inside of your next-gen firewall that would prohibit anyone inside of your network from visiting a site categorized as a gambling site.

Or you can individually list URLs. For example, you might prevent anyone from visiting espn.com or yahoo.com.

There’s another firewall that we can put into its own category because it doesn’t work like a UTM or a next-generation firewall. This would be a Web Application Firewall, or a WAF. Web application firewalls are designed to analyze input into web-based applications and either allow or disallow that traffic based on what the input happens to be. This is very common for web-based conversations using HTTP or HTTPS.

For example, a web application firewall can identify SQL injections within a traffic flow and block them from reaching the application server. It’s not unusual to see a web application firewall used alongside a next-generation firewall. The two firewalls are looking at different traffic and making different forwarding decisions. Sometimes we are mandated to have a web application firewall as part of a directive to keep our network safe. For example, the Payment Card Industry DSS, or Data Security Standard, emphasizes the use of web application firewalls to better protect these credit card-based applications.

Here’s a log file from a web application firewall. You can see that all of the attacks blocked within this log file are attacks against a web-based app: things like SQL injections, cross-site scripting, and web-based errors. For example, this particular log entry records the time and the date, and assigns an ID to this particular record. You can see the URL that was visited on the website, which is an index.cgi.

The service IP address is listed along with the port number. In this case, it was the web server named demo1, and this communication was over HTTP. This traffic flow originated from the listed client IP address and country. And you can see the details in the attack name: the attack itself is identified as SQL Injection in Parameter. You can also see that it was blocked based on the standard security policy for this web application firewall.
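The log walked through above is shown on screen in the video rather than reproduced on this page, so here is an added example (not the video's log or any vendor's format) that parses constructed WAF entries carrying the same fields the narration reads off, namely date, time, record ID, URL, service IP and port, server name, protocol, client IP, country, attack name, action and policy, and then summarizes them the way an analyst reviewing the log would. The key=value layout and every address, ID and attack string in the sample are assumptions.

```python
import re
from collections import Counter

# Constructed sample WAF log (not a real vendor format): one entry per line.
SAMPLE_LOG = """\
2024-05-01 14:02:11 id=1001 url=/index.cgi service=192.0.2.10:80 server=demo1 proto=HTTP client=203.0.113.5 country=US attack="SQL Injection in Parameter" action=BLOCK policy=Standard
2024-05-01 14:02:15 id=1002 url=/search.cgi service=192.0.2.10:80 server=demo1 proto=HTTP client=203.0.113.5 country=US attack="Cross-Site Scripting in Parameter" action=BLOCK policy=Standard
2024-05-01 14:03:40 id=1003 url=/login.cgi service=192.0.2.10:443 server=demo1 proto=HTTPS client=198.51.100.7 country=DE attack="Web Application Error" action=LOG policy=Standard
2024-05-01 14:04:02 id=1004 url=/index.cgi service=192.0.2.10:80 server=demo1 proto=HTTP client=203.0.113.5 country=US attack="SQL Injection in Parameter" action=BLOCK policy=Standard
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<rest>.*)$")
# key=value pairs; a value may be a quoted string containing spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line: str) -> dict:
    """Turn one log line into a dict keyed by field name."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable WAF log line: {line!r}")
    rec = {"date": m["date"], "time": m["time"]}
    for key, raw, quoted in KV_RE.findall(m["rest"]):
        rec[key] = quoted if raw.startswith('"') else raw
    # The narration reads the service IP and port separately, so split them.
    ip, _, port = rec["service"].rpartition(":")
    rec["service_ip"], rec["service_port"] = ip, int(port)
    return rec

def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def summarize(records):
    """Attack counts overall, attack counts that were blocked, and blocked hits per client."""
    by_attack = Counter(r["attack"] for r in records)
    blocked = Counter(r["attack"] for r in records if r["action"] == "BLOCK")
    by_client = Counter(r["client"] for r in records if r["action"] == "BLOCK")
    return by_attack, blocked, by_client

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    by_attack, blocked, by_client = summarize(recs)
    for name, n in by_attack.items():
        print(f"{name}: {n} seen, {blocked[name]} blocked")
    print("blocked hits per client:", dict(by_client))
```

The per-client tally is the check a practitioner wants from such a log: repeated blocked injections from one source IP against the same URL are the pattern worth escalating, while a single logged-only application error is usually just noise.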