Study Guide
NSE 1: Next Generation Firewall (NGFW) Study Guide
Last Updated: 8 April 2016
Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
Next Generation Firewall (NGFW) Technology Trends
Summary
Key Acronyms
Glossary
References
Next Generation Firewall (NGFW) Technology Trends
Technology Trends
Trends in information technology and employment over the last 15 years have led to a need to rethink the
methodology behind modern network security. These trends occurred simultaneously across major
industries, all levels of business, and personal consumer environments.
Consumerization of IT. This trend has resulted in an explosion
of individual consumers acquiring technology-enabled devices
(smartphones, digital music and video players, cameras, and
others) for personal use. IT-enabled devices now also include
appliances such as refrigerators, home security systems, WiFi-
enabled televisions, stereos, and even the automated “smart
house.” Today we have to be mindful of the Internet of Things
(IoT) when we acquire devices and appliances.
Because consumers have embraced these devices for both communication and information sharing,
businesses have adopted social media as a way to reach consumer markets. With so many applications,
especially social media, being cloud based, the network security challenge has expanded.
Technology-enabled devices are also heavily used to interact with business networks, both by external
users and by employees using personal devices for work purposes (BYOD). This creates a need to
provide security, network visibility, control, and user visibility without an exponential increase in required
resources. Figure 1 shows the increase in BYOD practice.
NGFW Evolution
NGFWs provide solutions against a wide range of advanced threats to applications, data, and users.
Going beyond standard firewall protections, an NGFW integrates multiple capabilities to combat advanced
and emerging threats: an intrusion prevention system (IPS), deep packet inspection, network application
identification and control, and access enforcement based on verified user identity. Emerging tools include
Advanced Threat Protection (ATP) to mitigate multi-vector, persistent attacks against large and distributed
enterprise networks.
The term NGFW was coined by Gartner in 2004 in a paper arguing that firewalls needed integrated IPS,
deep packet inspection, and general application-inspection capabilities [1]. In 2008, Gartner redefined
NGFW as a security device that includes an enterprise-class firewall with integrated IPS or deep packet
inspection, application identification, and "extra-firewall" intelligence (such as web content filtering),
while allowing interoperability with third-party rule management technology [2]. "Extra-firewall"
intelligence also provides the ability to create whitelists and blacklists that designate which traffic is
allowed and which is denied. In 2009, Gartner published a new definition of NGFW whose characteristics
include VPN, an integrated IPS that interoperates with the firewall components, application awareness,
and "extra-firewall" intelligence [3].
Figure 5 shows a timeline of NGFW evolution.
NGFW Functions
Two important functions of an NGFW are to detect threats and to prevent them from exploiting system or
network vulnerabilities. Detection is the job of an IDS deployed as part of the network architecture: it
observes a copy of the traffic (for example from a mirror port or tap) and raises alerts, but it does not sit in
the forwarding path. Prevention requires an IPS deployed inline, so that it can drop or reset traffic that
attempts to exploit system vulnerabilities, deviates from standard protocols, or originates from otherwise
trusted sources [4]. NGFW appliances integrate both IDS and IPS capability to detect and prevent intrusion
into, and exploitation of, protected networks.
Another NGFW function is Secure Sockets Layer (SSL)-encrypted traffic inspection. This protects endpoint
clients as well as web and application servers from threats hidden inside encrypted sessions. SSL
inspection intercepts the encrypted connection, decrypts and inspects its content for threats, and
re-encrypts it before forwarding it to its destination. It can be applied to client-oriented traffic, such as
users connecting to cloud-based sites, or to inbound traffic for web and application servers. Using SSL
inspection allows policy enforcement on encrypted web content, preventing intrusion by malicious traffic
that would otherwise bypass protections by riding on an encrypted channel. The tradeoffs are a decrease
in throughput, because every inspected session is decrypted and re-encrypted, and, for outbound client
traffic, the requirement that clients trust the certificate authority the firewall uses to re-sign server
certificates; applications that pin their server certificate will refuse the re-signed one. Inspecting inbound
traffic to your own servers instead requires the server certificate and private key to be installed on the
firewall.
When integrated with NGFW, capabilities of ATP enhance security by providing additional protections
against evolving threats, including:
Dual-level sandboxing, allowing code activity examination in simulated and virtual environments
to detect previously unidentified threats.
Detailed reporting on system, process, file, and network behavior, including risk assessments.
Secure Web Gateway functions, adding web filtering, botnet detection, and callback detection to
prevent communication with malicious sites and IP addresses.
Option to share identified threat information and receive updated in-line protections.
Option to integrate with other systems to simplify network security deployment.
With continued shift toward mobile and BYOD practices, integrated user authentication takes on
increased importance in visibility and control of applications being employed by network users. With
the sophistication of advanced and evolving threats, use of two-factor—or “strong”—authentication has
become more prevalent. In addition to the capabilities discussed previously as additive measures to
the NGFW, a number of strong authentication factors may also be enabled:
Hardware, software, email, and SMS tokens
Integration with LDAP, AD, and RADIUS
End user self-service
Certificate Authority
In order to protect against modern and emerging future threats, adaptive defense tools like ATP are being
incorporated into network security infrastructures at an increasing pace. This level of protection provides
increased security across all network sizes from SMB to large enterprises. Critical capabilities brought to
bear by ATP include:
Access Control. Layer 2/3 firewall, vulnerability management, two-factor authentication.
Threat Prevention. Intrusion Prevention (IPS), application control, Web filtering, email filtering,
antimalware.
Threat Detection. Sandboxing, botnet detection, client reputation, network behavior analysis.
Incident Response. Consolidated logs & reports, professional services, user/device quarantine,
threat prevention updates.
Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.
The continuous nature of ATP protection is illustrated in Figure 22.
NGFW Deployment
An NGFW uses two methods to inspect traffic: flow-based inspection and proxy-based inspection. In
flow-based inspection, the NGFW matches patterns (signatures) against the traffic as it passes, without
breaking the connection. In proxy-based inspection, the NGFW terminates the connection, buffers and
analyzes the entire traffic stream, and then re-establishes the connection toward the destination, which
results in slower throughput. Because flow-based inspection does not unpack compressed files, deploying
antimalware in flow mode may result in a decreased detection rate.
Table 2. Comparison of flow-based and proxy-based inspections

                   Flow-based inspection                      Proxy-based inspection
TCP Transparency   TCP flow not broken. Only packet           TCP connection broken, TCP
                   headers changed if necessary.              sequence numbers changed.
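The detection-rate caveat above is easy to see in code. The following added example, which is not part of the study guide and not Fortinet's implementation, models the two inspection modes over one TCP stream: the flow-based scanner matches a signature against each segment as it passes, carrying only a short tail of the previous segment so a pattern that straddles a segment boundary is still caught, while the proxy-based scanner reassembles the full stream and decompresses gzip content before matching. The signature string, the constructed response payloads and the segment size are this example's own choices.

```python
import gzip

# Constructed signature for the demo: the marker text of the EICAR test file,
# which antimalware engines detect although it is not real malware.
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def segment(stream: bytes, mss: int) -> list:
    """Split a byte stream into TCP-segment-sized payloads (constructed traffic)."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def flow_scan(segments, signature: bytes = SIGNATURE) -> bool:
    """Flow-based inspection: examine each segment as it passes, without
    buffering the whole stream and without decompressing anything. A tail of
    len(signature) - 1 bytes is kept from the previous segment so a pattern
    split across a segment boundary is still matched."""
    tail = b""
    for payload in segments:
        window = tail + payload
        if signature in window:
            return True
        tail = window[-(len(signature) - 1):]
    return False


def proxy_scan(segments, signature: bytes = SIGNATURE) -> bool:
    """Proxy-based inspection: terminate the connection, reassemble the entire
    stream, unpack compressed content, then scan the decoded bytes."""
    stream = b"".join(segments)
    if stream.startswith(b"\x1f\x8b"):  # gzip magic number: unpack first
        stream = gzip.decompress(stream)
    return signature in stream


def compare(stream: bytes, mss: int = 16) -> dict:
    """Run both inspection modes on the same stream. The segment size is
    deliberately smaller than the signature, so every match spans segments."""
    segs = segment(stream, mss)
    return {"flow": flow_scan(segs), "proxy": proxy_scan(segs)}


def sample_streams() -> dict:
    """Constructed HTTP response bodies: the signature in the clear, the same
    body gzip-compressed (as sent with Content-Encoding: gzip), and a clean body."""
    body = b"<html><body>" + SIGNATURE + b"</body></html>\r\n"
    return {
        "plain": body,
        "gzip": gzip.compress(body),
        "clean": b"<html><body>hello, world</body></html>\r\n",
    }


if __name__ == "__main__":
    for name, stream in sample_streams().items():
        print(name, compare(stream))
    # plain -> both True; gzip -> flow False, proxy True; clean -> both False
```

Only the proxy scanner sees through the compressed body, which is exactly the trade described in the text: proxy inspection pays for the extra detection with buffering and a broken TCP connection, while flow inspection keeps the connection intact but scans only what is visible on the wire.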
Summary
The NGFW concept developed to address threats that evolved as technology itself evolved. With the rapid
rise of technology integration, portability, and BYOD models in business, education, and other
environments, combined with the more widespread ability of attackers, from novices to experts, to develop
malicious code, the initial premise of NGFW had to grow into a system able to address future threats.
Key Acronyms
AAA Authentication, Authorization, and Accounting
AD Active Directory
ADC Application Delivery Controller
ADN Application Delivery Network
ADOM Administrative Domain
AM Antimalware
API Application Programming Interface
APT Advanced Persistent Threat
ASIC Application-Specific Integrated Circuit
ASP Analog Signal Processing
ATP Advanced Threat Protection
AV Antivirus
AV/AM Antivirus/Antimalware
BYOD Bring Your Own Device
CPU Central Processing Unit
DDoS Distributed Denial of Service
DLP Data Leak Prevention
DNS Domain Name System
DoS Denial of Service
DPI Deep Packet Inspection
DSL Digital Subscriber Line
FTP File Transfer Protocol
FW Firewall
Gb Gigabit
GbE Gigabit Ethernet
Gbps Gigabits per second
GSLB Global Server Load Balancing
GUI Graphical User Interface
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
ICMP Internet Control Message Protocol
ICSA International Computer Security Association
ID Identification
IDC International Data Corporation
IDS Intrusion Detection System
IM Instant Messaging
IMAP Internet Message Access Protocol
IMAPS Internet Message Access Protocol Secure
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
IPSec Internet Protocol Security
IPTV Internet Protocol Television
IT Information Technology
J2EE Java 2 Platform, Enterprise Edition
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LLB Link Load Balancing
LOIC Low Orbit Ion Cannon
MSP Managed Service Provider
MSSP Managed Security Service Provider
NGFW Next Generation Firewall
NSS NSS Labs
OSI Open Systems Interconnection
OTS Off the Shelf
PaaS Platform as a Service
PC Personal Computer
PCI DSS Payment Card Industry Data Security Standard
PHP PHP: Hypertext Preprocessor
Glossary
Anti-botnet. Detects and blocks communication between infected hosts on the protected network and the
command-and-control servers or IP addresses of known botnets, which are used to coordinate Distributed
Denial of Service (DDoS) and other attacks.
APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access
to a network and stays there undetected for a long period of time. The intention of an APT attack is to
steal data rather than to cause damage to the network or organization. APT attacks target organizations
in sectors with high-value information, such as national defense, manufacturing and the financial industry.
ASIC. Application Specific Integrated Circuits (ASICs) are integrated circuits developed for a particular
use, as opposed to a general-purpose device.
ATP. Advanced Threat Protection relies on multiple types of security technologies, products, and
research, each performing a different role but working together, to combat advanced attacks from the
network core through to the end-user device. The three-part framework is conceptually simple (prevent,
detect, mitigate); however, it covers a broad set of both advanced and traditional tools for network,
application, and endpoint security, threat detection, and mitigation.
AV/AM. Antivirus/antimalware provides protection against viruses, spyware, and other types of malware
in web, email, and file transfer traffic. It is responsible for detecting, removing, and reporting on
malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection
ensures that malicious threats hidden within legitimate application content are identified and removed
from data streams before they can cause damage. Running AV/AM protection on client devices and
servers as well adds a further layer of security.
Botnet. A botnet (also known as a zombie army) is a number of Internet computers that, although their
owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other
computers on the Internet. Any such computer is referred to as a zombie - in effect, a computer "robot" or
"bot" that serves the wishes of some master spam or virus originator.
BYOD. Bring Your Own Device (BYOD) refers to employees taking their own personal device to work,
whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a Unisys
study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by
the employee.
Code Emulation. A virtual machine is implemented to simulate the CPU and memory management
systems to mimic the code execution. Thus malicious code is simulated in the virtual machine of the
scanner, and no actual virus code is executed by the real processor.
Cloud Computing. Computing in which large groups of remote servers are networked to allow the
centralized data storage, and online access to computer services or resources. Clouds can be classified
as public, private or hybrid.
Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of
functions, including:
Edge Firewall. Implemented at the edge of a network in order to protect the network against potential
attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall—the
gatekeeper.
Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to
the Internet and identify themselves to other devices. IoT is significant because an object that can
represent itself digitally becomes something greater than the object by itself.
IDS. An Intrusion Detection System (IDS) detects and reports threats but does not itself block traffic; it
raises alerts on identified threats or unknown traffic rather than taking action against them.
IPS. Intrusion Prevention System protects networks from threats by blocking attacks that might otherwise
take advantage of network vulnerabilities and unpatched systems. IPS may include a wide range of
features that can be used to monitor and block malicious network activity including: predefined and
custom signatures, protocol decoders, out-of-band mode (or one-arm IPS mode, similar to IDS), packet
logging, and IPS sensors. IPS can be installed at the edge of your network or within the network core to
protect critical business applications from both external and internal attacks.
NGFW. Next Generation Firewall (NGFW) provides multi-layered capabilities in a single firewall appliance
instead of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a
traditional firewall with advanced features including:
Intrusion Prevention (IPS)
Deep Packet Inspection (DPI)
Network App ID & Control
Sandbox. A sandbox is a security mechanism for separating running programs. It is typically used to
execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users,
and untrusted websites, in an area segmented off from the device/network operating system and
applications.
VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires — usually the
Internet — to connect to a private network, such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.
Web Filtering. Web Filtering technology gives you the option to explicitly allow web sites, or to pass web
traffic uninspected both to and from known-good web sites in order to accelerate traffic flows. The most
advanced web content filtering technology enables a wide variety of actions to inspect, rate, and control
perimeter web traffic at a granular level. Using web content filtering technology, these appliances can
classify and filter web traffic using multiple pre-defined and custom categories.
References
1. Gartner. Next Generation Firewalls Will Include Intrusion Prevention. 2004.
4. Tam, K., et al. UTM Security with Fortinet: Mastering FortiOS. Waltham, MA: Elsevier, 2013.
5. Tittel, E. Unified Threat Management for Dummies. Hoboken, NJ: John Wiley & Sons, 2012.
6. Miller, L. Next-Generation Firewalls for Dummies. Indianapolis, IN: Wiley Publishing, Inc., 2011.