NSE 1: Next Generation Firewall (NGFW) Study Guide
Last Updated: 8 April 2016

Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents

Next Generation Firewall (NGFW) ......... 4
  Technology Trends ......... 4
  NGFW Characteristics: Fundamental Changes ......... 5
    NGFW Evolution ......... 6
  Traditional NGFW Capabilities ......... 7
    NGFW Functions ......... 12
  Extended NGFW Capabilities ......... 12
    Sandboxes and APT ......... 17
    Advanced Persistent Threats (APT) ......... 18
  Advanced Threat Protection (ATP) ......... 18
  NGFW Deployment ......... 19
    Edge and Core ......... 19
    NGFW compared to Extended NGFW ......... 20
  Summary ......... 21
Key Acronyms ......... 22
Glossary ......... 24
References ......... 26

Next Generation Firewall (NGFW)


As system and network threats have evolved, protection technology has had to evolve to meet them.
Legacy firewalls operated on the basis of port access, using IP addresses and port numbers to
determine whether packets should be allowed, blocked, or rejected. Most firewall configurations
allowed all traffic from trusted networks to pass through to untrusted networks unless policy
exceptions were implemented. In closed networks and in the early days of the Internet this was a
viable option; however, this model no longer provides adequate protection against advanced and
emerging system and network threats. Next generation firewalls (NGFW) allow or limit access based
on specific applications and content, rather than accepting or rejecting all traffic that uses a
particular port number. This is the primary difference between traditional firewalls and NGFW.

Technology Trends
Trends in information technology and employment over the last 15 years have led to a need to rethink the
methodology behind modern network security. These trends occurred simultaneously across major
industries, all levels of business, and personal consumer environments.
Consumerization of IT. This trend has resulted in an explosion of individual consumers acquiring
technology-enabled devices (smartphones, digital music and video players, cameras, and others) for
personal use. IT-enabled devices now also include appliances such as refrigerators, home security
systems, WiFi-enabled televisions, stereos, and even the automated "smart house." Today we have to
be mindful of the Internet of Things (IoT) when we acquire devices and appliances.
Because consumers have embraced technology devices for both communication and information sharing,
social media has been embraced at the business level as a way to reach consumer markets. With so
many applications, especially social media, being cloud based, the challenge of network security
has expanded.
Technology-enabled devices are also being heavily used to interact with business networks, both by
external users and by employees using personal devices for work purposes (BYOD). This produces a
need to provide security, network visibility, control, and user visibility without an exponential
increase in required resources. Figure 1 shows the increase in BYOD practice.

Figure 1. Bring Your Own Device (BYOD) practices in 2011

NGFW Characteristics: Fundamental Changes


The primary benefits of NGFW are visibility and control of traffic entering the firewall ports. In legacy
firewalls, ports were opened and closed to allow or disallow traffic without consideration beyond basic
characteristics. NGFW provides deeper insight into the traffic attempting to access the network. With
NGFW, administrators have the ability to allow or limit access based on specific applications and content,
rather than accepting or rejecting any traffic based on port number. Figure 2 illustrates how a traditional
edge firewall limits traffic compared to an NGFW.

Figure 2. Edge firewall compared to NGFW traffic visibility


With a traditional firewall, traffic is accepted based on a designated port and IP address. With
NGFW, traffic is accepted based on user identity, IP address, and traffic content rather than on the
port number alone. Figure 3 shows an example of the port-based configuration of a traditional
firewall. Figure 4 illustrates the increased visibility and control capability provided by NGFW.
When comparing how traditional and legacy firewalls assess data to how NGFWs assess data, note that
an NGFW identifies the traffic actually flowing through a port, together with the user sending it,
its origin, and its type (content), instead of trusting the port number to say what the traffic is.

Figure 3. Traditional port configuration example

Figure 4. NGFW configuration example by application, user ID


Table 1 shows how NGFW provides enhanced security protection and simplified administrator control as
compared to traditional firewalls.

Table 1. Security features of edge firewalls compared to NGFW

Edge Firewall                      NGFW
Gatekeeper                         Gatekeeper
ISO/OSI L4 port protocol           Application-centric (content flow) protocol
Basic security + add-ons           Integrated security solutions
Complex architecture               Integrated architecture
Complex control                    Simplified control
Simple to moderate security        Integrated complex security

NGFW Evolution
NGFWs provide solutions against a wide range of advanced threats to applications, data, and users.
Going beyond standard firewall protections, NGFW integrates multiple capabilities to combat advanced
and emerging threats. These capabilities include an intrusion prevention system (IPS), deep packet
inspection, network application identification and control, and access enforcement based on verified
user identity. Emerging tools include Advanced Threat Protection (ATP) to mitigate multi-vector,
persistent network or system attacks against large and distributed enterprise networks.
The term NGFW was first coined by Gartner in 2004 in a paper discussing the need to integrate IPS,
deep packet inspection, and general application-inspection capabilities into firewalls [1]. In 2008,
Gartner redefined NGFW as a security device combining an enterprise-level firewall with integrated
IPS or deep packet inspection, application identification, and "extra-firewall" intelligence (such
as web content filtering), while allowing interoperability with third-party rule management
technology [2]. "Extra-firewall" intelligence also provides the ability to create white lists and
black lists that designate which traffic is allowed and which is denied. In 2009, Gartner published
a new definition of NGFW whose characteristics include VPN, integrated IPS interoperating with the
firewall components, application awareness, and "extra-firewall" intelligence [3].
Figure 5 shows a timeline of NGFW evolution.

Figure 5. NGFW evolution timeline

Traditional NGFW Capabilities


Traditional NGFW provides solutions against a wide range of advanced threats against applications,
data, and users. Traditional enterprise network security solutions are no longer adequate to protect
against today's sophisticated attacks. In order to defend networks against the latest threats, NGFWs
should include (at a minimum): the ability to identify and control applications running over a
network, an integrated intrusion prevention system (IPS) with deep packet inspection capabilities,
and the ability to verify a user's or device's identity and enforce access policies accordingly.
However, advanced threats require advanced protection. Some NGFW devices, such as the FortiGate line,
include additional technologies that provide a real-time ranking of the security risk of devices on
your network, and cloud-based threat detection and prevention. Traditional NGFW integrates multiple
capabilities to combat emerging threats.
Intrusion Prevention System (IPS). IPS blocks malicious network activity. An Intrusion Detection
System (IDS) detects malicious activity but does not block it; IDS functionality is integrated into
IPS technology. IPS has been used as part of edge-based protection as a firewall enhancement;
however, it is more effective to tie it into network segmentation, enabling protection against both
internal and external attacks against critical servers. Figure 6 [4] illustrates how IPS works.

Figure 6. Intrusion Prevention System (IPS)


Deep Packet Inspection (DPI). DPI is the act of examining the payload or data portion of a network
packet as it passes through a firewall or other security device. DPI identifies and classifies
network traffic based on signatures in the payload [5]. It examines packets for protocol errors,
viruses, spam, intrusions, or policy violations. Figure 7 shows how DPI works.

Figure 7. Deep Packet Inspection (DPI)


Network Application Identification and Control. Traditional firewall protection detects and restricts
applications by port, protocol, and server IP address. It cannot detect malicious content or abnormal
behavior in many web-based applications. NGFW technology with Application Control allows you to
identify and control applications on networks and endpoints regardless of port, protocol, and IP
address. It gives visibility and control over application traffic, including unknown applications
from unknown sources, and inspects encrypted application traffic. Protocol decoders normalize traffic
and uncover applications attempting to evade detection through obfuscation. Following identification
and decryption, application traffic is either blocked, or allowed and scanned for malicious payloads.
Application control can also decrypt and inspect traffic that uses encrypted protocols such as HTTPS,
POP3S, SMTPS and IMAPS; decrypting traffic from clients requires those clients to trust the
firewall's inspection CA certificate. Figure 8 shows some of the ways that network application
identification and control is used.

Figure 8. Network application identification and control.


Access Enforcement. When a user attempts to access network resources, the NGFW controls access to
the network and to network applications based on the user, the user's groups, and/or the IP address.
The connection request is allowed only if the user belongs to one of the permitted user groups, and
the assigned firewall policy is then applied to all traffic to and from that user. Figure 9
illustrates how access enforcement works.

Figure 9. Access enforcement (User identity)
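The two stages described above, payload-based application identification (the DPI and Application Control passages) and user-group-based access enforcement, as one added worked example in Python. This is illustration code written for this guide, not Fortinet or FortiGate code: the payload signatures, users, groups, addresses and policies are all constructed, and a real engine holds thousands of signatures and protocol decoders rather than four regular expressions. The point it shows is that the destination port tells a legacy firewall nothing reliable (SSH tunnelled over 443, BitTorrent on 80, a web server on 8080), while the payload plus the user's group decides which policy applies, with an implicit deny when nothing matches.

```python
"""Port-independent application identification plus identity-based policy.

Added example, not Fortinet code and not from the study guide: a toy model of
two NGFW stages, DPI that names the application from the payload rather than
the port, and access enforcement that picks the first policy matching
(source network, user group, application). Everything below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed payload signatures: (application name, pattern on the first bytes)
SIGNATURES = [
    ("HTTP", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", re.DOTALL)),
    ("TLS", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),  # TLS record + ClientHello
    ("SSH", re.compile(rb"^SSH-2\.0-", re.DOTALL)),
    ("BitTorrent", re.compile(rb"^\x13BitTorrent protocol", re.DOTALL)),
]


def identify_app(payload: bytes) -> str:
    """DPI stage: classify by payload signature, ignoring the port entirely."""
    for name, pattern in SIGNATURES:
        if pattern.search(payload):
            return name
    return "unknown"


def port_based_guess(dst_port: int) -> str:
    """What a legacy L4 firewall 'knows': the port number alone."""
    return {80: "HTTP", 443: "TLS", 22: "SSH"}.get(dst_port, "unknown")


@dataclass
class Policy:
    name: str
    src: ipaddress.IPv4Network
    groups: frozenset  # user groups that may match; empty means any user
    apps: frozenset    # applications; empty means any application
    action: str        # "accept" or "deny"


@dataclass
class Flow:
    user: str
    groups: frozenset
    src_ip: str
    dst_port: int
    payload: bytes


# Constructed policy table, evaluated top-down, first match wins.
POLICIES = [
    Policy("devs-ssh", ipaddress.ip_network("10.1.0.0/16"), frozenset({"developers"}), frozenset({"SSH"}), "accept"),
    Policy("all-web", ipaddress.ip_network("10.0.0.0/8"), frozenset(), frozenset({"HTTP", "TLS"}), "accept"),
    Policy("no-p2p", ipaddress.ip_network("0.0.0.0/0"), frozenset(), frozenset({"BitTorrent"}), "deny"),
]
DEFAULT_ACTION = "deny"  # implicit deny at the end of the table


def enforce(flow: Flow) -> tuple:
    """Access enforcement: first policy whose source, group and app all match wins."""
    app = identify_app(flow.payload)
    src = ipaddress.ip_address(flow.src_ip)
    for p in POLICIES:
        if src not in p.src:
            continue
        if p.groups and not (p.groups & flow.groups):
            continue
        if p.apps and app not in p.apps:
            continue
        return app, p.name, p.action
    return app, "implicit-deny", DEFAULT_ACTION


# Constructed sample flows; each payload is the first bytes the client sends.
SAMPLE_FLOWS = [
    Flow("alice", frozenset({"developers"}), "10.1.2.3", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # SSH pushed over port 443 to slip past a port-based rule
    Flow("bob", frozenset({"sales"}), "10.2.0.9", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # BitTorrent handshake on port 80
    Flow("bob", frozenset({"sales"}), "10.2.0.9", 80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"x" * 40),
    # Genuine TLS ClientHello (record header + handshake type 1)
    Flow("carol", frozenset({"hr"}), "10.3.0.4", 443, bytes.fromhex("160301006a010000")),
    # Plain HTTP to a server on a non-standard port
    Flow("dave", frozenset({"sales"}), "10.2.0.7", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"),
]


def decisions():
    """(user, dst_port, legacy port guess, DPI app, policy hit, action) per flow."""
    return [(f.user, f.dst_port, port_based_guess(f.dst_port)) + enforce(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for row in decisions():
        print(row)
```

Run as a script it prints one decision per flow; the second and third rows are the ones a port-based firewall gets wrong, and the last row shows a legitimate application on an unusual port being allowed because the policy matches the application, not the port.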


Distributed Enterprise-level Capability. Capable of operating in large, distributed enterprise networks.
The foundation of the enterprise campus offering is a high-performance NGFW that adds intrusion
prevention, application control and antimalware to the traditional firewall and VPN combination. In
particular, Fortinet NGFWs do the following:
• Provide fine-grained, user- or device-based visibility and control over more than 3000 discrete
applications to establish and enforce appropriate policies.
• Include powerful intrusion prevention, looking beyond port and protocol to the actual content of
your network traffic to identify and stop threats.
• Leverage top-rated antimalware to proactively detect malicious code seeking entry to the network.
• Deliver actionable application and risk dashboards/reports for real-time views into network
activity.
• Run on purpose-built appliances with custom ASICs for superior, multi-function performance, even
over encrypted traffic.
Figure 10 shows an example of a high-performance NGFW in a distributed enterprise.

Figure 10. NGFW distributed enterprise-level capability


Interoperable with third-party management. Enterprise-class appliances deliver the comprehensive
security solution Managed Security Service Providers (MSSPs) require. They allow an MSSP to use the
full suite of ASIC-accelerated security modules to offer customizable value-added features to specific
customers. NGFW appliances include the ability to create multi-tenant virtual security networks,
supporting up to 5,000 separate Virtual Domains (VDOMs) in a single device. The full suite of
integrated management applications, including granular reporting features, offers visibility into
the security posture of customers while identifying their highest risks. Figure 11 shows an example
network being managed by an MSSP.

Figure 11. Example network with managed security (MSSP).


VPN. Virtual Private Network (VPN) technology allows organizations to establish secure communications
and data privacy between multiple networks and hosts using IPSec and secure sockets layer (SSL) VPN
protocols. Both VPN services leverage custom ASIC network processors to accelerate encryption and
decryption of network traffic. Once the traffic has been decrypted, multiple threat inspections—including
antivirus, intrusion prevention, application control, email filtering and web filtering—can be applied and
enforced for all content traversing the VPN tunnel.
Application Awareness. While establishing port and protocol are important first steps in identifying
traffic, positive identification of application traffic is an important capability added by NGFW.
This requires a multi-factor approach independent of port, protocol, encryption, or evasive measures.
Application awareness includes protocol detection and decryption, protocol decoding, signature
identification, and heuristics (behavioral analysis) [6]. Figure 12 shows how application awareness
is implemented using the NGFW application monitoring feature.

Figure 12. Application awareness: The NGFW application monitoring feature

NGFW Functions
Two important functions of NGFW are to detect threats and to prevent them from exploiting system or
network vulnerabilities. The best way to detect threats is to deploy an IDS as part of the network
architecture. In order to prevent identified threats from exploiting existing vulnerabilities, an
IPS should be deployed. The purpose of IPS is to react to detected threats by blocking traffic that
attempts to take advantage of system vulnerabilities, deviates from standard protocols, or originates
as an attack from a trusted source [4]. NGFW appliances provide integrated IDS and IPS capability to
both detect and prevent intrusion into, and exploitation of, protected networks.
Another function of NGFW is Secure Sockets Layer (SSL)-encrypted traffic inspection. This type of
inspection protects endpoint clients as well as web and application servers from threats hidden
inside encrypted sessions. SSL inspection intercepts and decrypts encrypted traffic, inspects it for
threats, and re-encrypts it before forwarding it to its destination. It can be applied to
client-oriented traffic, such as users connecting to cloud-based sites, or to web and application
server traffic. Using SSL inspection allows policy enforcement on encrypted web content to prevent
intrusion by malicious traffic hidden in SSL sessions. While SSL inspection adds security by
screening for threats that try to bypass protections by riding on encrypted traffic, the tradeoff is
a decrease in throughput. In practice, inspecting outbound client traffic also requires the
firewall's inspection CA certificate to be trusted on every endpoint, and applications that pin
their server certificates will fail unless they are exempted from inspection.

Extended NGFW Capabilities


Beyond the capabilities Gartner defined for NGFW, additional capabilities focused on advanced and
emerging threats are clearly needed. Particularly within enterprise network security infrastructure,
there is a need to protect against new and evolving classes of highly targeted and tailored attacks
designed to bypass common defenses. Because of these advanced and evolving threats, additional
defenses, referred to by Fortinet as Advanced Threat Protection (ATP), include antivirus/antimalware,
anti-botnet, web filtering, code emulation, and sandboxing. Integration of these additional
capabilities is shown in Figure 13.

Figure 13. Extending NGFW with Advanced Threat Protection (ATP).

When integrated with NGFW, the capabilities of ATP enhance security by providing additional
protections against evolving threats, including:
• Dual-level sandboxing, allowing code activity to be examined in simulated and virtual environments
to detect previously unidentified threats.
• Detailed reporting on system, process, file, and network behavior, including risk assessments.
• Secure Web Gateway, adding web filtering, botnet, and call-back detection to prevent
communications with malicious sites and IPs.
• Option to share identified threat information and receive updated in-line protections.
• Option to integrate with other systems to simplify network security deployment.
With the continued shift toward mobile and BYOD practices, integrated user authentication takes on
increased importance for visibility and control of the applications being used by network users.
Given the sophistication of advanced and evolving threats, use of two-factor, or "strong",
authentication has become more prevalent. In addition to the capabilities discussed previously as
additive measures to the NGFW, a number of strong authentication factors may also be enabled:
• Hardware, software, email, and SMS tokens
• Integration with LDAP, AD, and RADIUS
• End user self-service
• Certificate Authority
• Single sign-on throughout the network


Figure 14 shows an example of authentication functions integrated into NGFW.

Figure 14. FortiGate single sign-on infrastructure


While the Application Control feature of the extended NGFW serves to identify the applications
employed by users and block applications that represent a risk to the organization, it differs from
the Web Filtering function of ATP. Where Application Control focuses on the application and content
being accessed, Web Filtering focuses on the Internet site (URL), based on a categorization of the
site or its type of content [4]. This allows the NGFW to block web sites known to host malicious
content. An example of how Web Filtering categorizes sites appears in Figure 15.

Figure 15. Web filtering profile control


Antivirus/Antimalware (AV/AM). Responsible for detecting, removing, and reporting on malicious code.
By intercepting and inspecting application-based traffic and content, antivirus protection ensures
that malicious threats hidden within legitimate application content are identified and removed from
data streams before they can cause damage. Using AV/AM protection on client servers and devices as
well adds a further layer of security.

Figure 16. Antivirus/malware


Anti-botnet. Responsible for detecting compromised hosts that take part in a botnet and reacting to
the Distributed Denial of Service (DDoS) or other coordinated network attacks they mount.
Organizations may prevent, uncover, and block botnet activity using anti-bot traffic pattern
detection and IP reputation (IP regulation) services supplied in real time, which identify infected
hosts by the call-backs they make to known command-and-control addresses.

Figure 17. Anti-botnet protection
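The two anti-botnet techniques named above, an IP reputation check and traffic pattern detection, as an added Python example run over constructed connection logs. This is illustration code for this guide, not FortiGate code: the log lines, the blocklist and the thresholds are all made up, and a real service pulls its reputation data from a live feed. The pattern check flags an internal host that contacts one destination at a near-constant interval, the call-back ("beaconing") behaviour of a bot checking in with its controller; human-driven traffic is bursty and fails the regularity test.

```python
"""Two anti-botnet checks over connection logs: reputation and beaconing.

Added example, not the study guide's or Fortinet's code. Everything here
(log lines, blocklist, thresholds) is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed threat-intel feed; real deployments pull this from a reputation service.
BLOCKLIST = {"203.0.113.77", "198.51.100.5"}

# Constructed flow records: epoch seconds, source, destination, port, action.
LOG_LINES = """
1712560000 src=10.0.0.15 dst=93.184.216.34 dport=443 action=accept
1712560004 src=10.0.0.15 dst=93.184.216.34 dport=443 action=accept
1712560060 src=10.0.0.21 dst=203.0.113.77 dport=8080 action=accept
1712560120 src=10.0.0.21 dst=203.0.113.77 dport=8080 action=accept
1712560180 src=10.0.0.21 dst=203.0.113.77 dport=8080 action=accept
1712560240 src=10.0.0.21 dst=203.0.113.77 dport=8080 action=accept
1712560300 src=10.0.0.21 dst=203.0.113.77 dport=8080 action=accept
1712560013 src=10.0.0.42 dst=192.0.2.9 dport=443 action=accept
1712560313 src=10.0.0.42 dst=192.0.2.9 dport=443 action=accept
1712560612 src=10.0.0.42 dst=192.0.2.9 dport=443 action=accept
1712560913 src=10.0.0.42 dst=192.0.2.9 dport=443 action=accept
1712561211 src=10.0.0.42 dst=192.0.2.9 dport=443 action=accept
1712561513 src=10.0.0.42 dst=192.0.2.9 dport=443 action=accept
1712560700 src=10.0.0.15 dst=198.51.100.5 dport=53 action=accept
""".strip().splitlines()


def parse(line):
    """Split one 'ts key=value ...' record into (ts, src, dst, dport)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return int(ts), fields["src"], fields["dst"], int(fields["dport"])


def reputation_hits(lines, blocklist=BLOCKLIST):
    """IP reputation: flag every (src, dst) pair whose destination is blocklisted."""
    hits = set()
    for line in lines:
        _, src, dst, _ = parse(line)
        if dst in blocklist:
            hits.add((src, dst))
    return sorted(hits)


def beacons(lines, min_events=5, max_jitter=0.1):
    """Traffic pattern: (src, dst, period) for pairs with regular-cadence connections.

    Regularity is the coefficient of variation of the inter-connection gaps
    (stdev / mean); at most max_jitter passes. Destinations not on any
    blocklist are still caught, which is the point of behavioural detection.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse(line)
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((src, dst, round(avg)))
    return sorted(found)


if __name__ == "__main__":
    print("reputation:", reputation_hits(LOG_LINES))
    print("beaconing: ", beacons(LOG_LINES))
```

In the sample data 10.0.0.21 is caught by both checks, while 10.0.0.42 talks to an address on no blocklist and is caught only by its five-minute cadence; the thresholds (five events, ten percent jitter) are starting points to tune against a site's own traffic, and a host flagged this way is a candidate for quarantine rather than a confirmed infection.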


Web filtering. Function that allows or blocks Web traffic based on type of content, commonly defined
by categories. Web filtering protects endpoints, networks and sensitive information against Web-based
threats by preventing users from accessing known phishing sites and sources of malware.

Figure 18. Web filtering capability

Code emulation. Allows testing of unknown or potentially malicious code by emulating the actual
environment where the code is intended to be executed.
Sandboxing. Isolating unknown or potentially malicious code so that it fully executes all of its
functions before the traffic is allowed to download into the network. Sandboxing can detect zero-day
exploits that signature-based security solutions cannot identify, with the caveat that sandbox-aware
malware may stay dormant when it detects that it is being analyzed. If malicious activity is
discovered, Advanced Threat Protection (ATP) can block it.

Sandboxes and APT


Sandboxes were initially developed for executable files. Now they also run application data that may
contain malicious code, such as PDF documents opened in Adobe Reader or JavaScript, so that the
sandbox identifies malicious code before it can infect a production operating system. Modern sandbox
technology can help detect and identify new threats, including old legacy threats in new veneers, by
emulating endpoint device environments to analyze how the potential threat behaves. In this way,
relatively unknown malware, which is constantly being developed at all levels of complexity, and APTs
may be detected, identified, cataloged, and blocked by the NGFW (Figure 19). Integrating the NGFW
with sandboxing allows the NGFW to inspect traffic first so that only suspect objects are forwarded
to the sandbox, improving sandbox performance by avoiding unnecessary analysis.

Figure 19. Sandbox deployed with NGFW Solution

Advanced Persistent Threats (APT)


Since the widespread availability of computer technology, people have used software to target
systems and networks in order to damage, steal, or deny access to data. Modern and future challenges
present a more daunting sophistication of malware and attack vectors, and more perseverance by
attackers in mounting offensives against their targets. Just as an APT uses multiple attack layers
and vectors to improve its chances of success, network security administrators must design and
implement a multi-layered defense to protect against these threats. It is critical to understand
that no single network security feature will stop an APT. A simplified three-step approach to how
NGFW addresses APTs appears in Figure 20.

Figure 20. The NGFW three-step approach to APT

Advanced Threat Protection (ATP)

In order to protect against modern and emerging future threats, adaptive defense tools like ATP are
being incorporated into network security infrastructures at an increasing pace. This level of
protection provides increased security across all network sizes, from SMB to large enterprises.
Critical capabilities brought to bear by ATP include:
• Access Control. Layer 2/3 firewall, vulnerability management, two-factor authentication.
• Threat Prevention. Intrusion prevention (IPS), application control, web filtering, email
filtering, antimalware.
• Threat Detection. Sandboxing, botnet detection, client reputation, network behavior analysis.
• Incident Response. Consolidated logs and reports, professional services, user/device quarantine,
threat prevention updates.
• Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.
The continuous nature of ATP protection is illustrated in Figure 21.

Figure 21. Advanced Threat Protection (ATP) model.

NGFW Deployment

Edge and Core


When deploying the NGFW, segmentation is a key consideration. NGFW brings a combination of hardware
and software segmentation capabilities that allow isolation of critical network sections, such as
data centers. Deploying NGFW in an edge configuration provides control at the network boundary, while
segmenting the core with NGFW optimizes protection of critical infrastructure against attacks that
originate inside the network (Figure 22).

Figure 22. NGFW deployment to edge network

NGFW compared to Extended NGFW


Another consideration is which NGFW capabilities are needed, or desired, for the network being
protected. Whether to deploy extended NGFW capabilities depends on the nature of the functions
carried out both inside and outside the network. In particular, with the movement to more cloud-based
and web applications, the benefits of extended NGFW may be well suited. As illustrated in Figure 23,
extended NGFW incorporates the capabilities of current NGFW plus enhanced features that make it more
capable against modern and emerging threats.

Figure 23. Current NGFW vs. Extended NGFW capabilities

NGFW uses two methods to inspect traffic: flow-based inspection and proxy-based inspection. In
flow-based inspection, the NGFW performs pattern matching on the traffic as it streams through,
without breaking the connection. In proxy-based inspection, the entire object is buffered and
analyzed; the connection is terminated on the firewall and re-established after analysis, resulting
in lower throughput. Because flow-based inspection does not unpack compressed files, deploying
antimalware in flow mode may result in a decreased detection rate.

Table 2. Comparison of flow-based and proxy-based inspection

Attribute                 Flow-based                               Proxy-based
Speed/performance         Faster                                   Slower
Security analysis method  Comparing traffic to a database of       Conducting specific analysis on
                          known bad patterns                       relevant information
TCP transparency          TCP flow not broken; only packet         TCP connection broken; TCP
                          headers changed if necessary             sequence numbers changed
Protocol awareness        Not required                             Understands the protocol being
                                                                   analyzed
File size limits          Only during scanning                     Yes, when buffering, based on
                                                                   available NGFW memory
Features supported        Antivirus, IPS, application control,     Antivirus, DLP, web content
                          web content filtering                    filtering, antispam
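The detection-rate caveat in the paragraph above, shown concretely as an added Python example (illustration code for this guide, not Fortinet's scanning engine). The same signature check is run two ways over a constructed HTTP response body carrying a zip archive: a flow-style scan that pattern-matches the bytes as they stream past in chunks, and a proxy-style scan that buffers the whole object, unpacks it and scans the members. The marker string standing in for a malware signature, the archive contents and the buffering limit are all made up; the limit corresponds to the "file size limits" row of Table 2.

```python
"""Flow-based versus proxy-based scanning of a compressed object.

Added example, not the study guide's or Fortinet's code. Shows why a flow
scan that never unpacks archives misses a signature that a proxy scan,
which buffers and unpacks the object, finds. All inputs are constructed.
"""
import io
import zipfile

# Constructed stand-in for a signature; a real engine has a database of them.
SIGNATURE = b"EXAMPLE-MALICIOUS-MARKER-0001"
MAX_UNPACKED = 1_000_000  # proxy-mode buffering limit in bytes (cf. file size limits)


def build_zip_payload(inner_name="invoice.js", marker=SIGNATURE):
    """Constructed sample object: a deflated zip whose member contains the marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(inner_name, b"var s='" + marker + b"';" + b"A" * 2000)
    return buf.getvalue()


def flow_scan(stream, chunk=512, signature=SIGNATURE):
    """Flow-based: match the pattern across chunks, never unpacking anything.

    A carry-over of len(signature)-1 bytes keeps a match that straddles two
    chunks visible, which is what flow engines do with their stream state.
    """
    carry = b""
    for pos in range(0, len(stream), chunk):
        window = carry + stream[pos:pos + chunk]
        if signature in window:
            return True
        carry = window[-(len(signature) - 1):]
    return False


def proxy_scan(obj, signature=SIGNATURE, max_unpacked=MAX_UNPACKED):
    """Proxy-based: buffer the whole object, unpack archives, scan each member.

    Returns (verdict, reason). verdict is None when the archive's declared
    unpacked size exceeds the buffering limit; the declared size comes from
    the archive headers, so a deliberately mislabelled archive still needs a
    hard cap while reading. What to do with an oversize object (block or
    pass) is a policy decision, not a scanning result.
    """
    if not zipfile.is_zipfile(io.BytesIO(obj)):
        return (signature in obj), "scanned raw"
    with zipfile.ZipFile(io.BytesIO(obj)) as z:
        declared = sum(info.file_size for info in z.infolist())
        if declared > max_unpacked:
            return None, "oversize"
        for info in z.infolist():
            if signature in z.read(info):
                return True, "in " + info.filename
    return False, "archive clean"


def demo():
    """Verdicts for the constructed archive and for an uncompressed body."""
    archive = build_zip_payload()
    plain = b"x" * 500 + SIGNATURE + b"y" * 300  # marker straddles the 512-byte boundary
    return {
        "flow_sees_marker": flow_scan(archive),
        "proxy_sees_marker": proxy_scan(archive),
        "flow_on_plain": flow_scan(plain),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The flow scan finds the marker in the plain body even though it is split across a chunk boundary, yet reports the archive clean because the marker exists only inside the DEFLATE stream; the proxy scan reports the member it was found in. The same structure applies to nested archives and to content-encoded HTTP bodies, which is why proxy mode is the one to choose when detection rate matters more than throughput.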

Summary
The concept of NGFW developed to address evolving threats as technology itself evolved. With the
rapid rise of technology integration, portability, and BYOD models in business, education, and other
environments, combined with the more widespread ability of attackers, from novices to experts, to
develop malicious code, a system building on the initial premise of NGFW has had to be developed for
the future.

Key Acronyms
AAA      Authentication, Authorization, and Accounting
AD       Active Directory
ADC      Application Delivery Controller
ADN      Application Delivery Network
ADOM     Administrative Domain
AM       Antimalware
API      Application Programming Interface
APT      Advanced Persistent Threat
ASIC     Application-Specific Integrated Circuit
ASP      Analog Signal Processing
ATP      Advanced Threat Protection
AV       Antivirus
AV/AM    Antivirus/Antimalware
BYOD     Bring Your Own Device
CPU      Central Processing Unit
DDoS     Distributed Denial of Service
DLP      Data Leak Prevention
DNS      Domain Name System
DoS      Denial of Service
DPI      Deep Packet Inspection
DSL      Digital Subscriber Line
FTP      File Transfer Protocol
FW       Firewall
Gb       Gigabit
GbE      Gigabit Ethernet
Gbps     Gigabits per second
GSLB     Global Server Load Balancing
GUI      Graphical User Interface
HTML     Hypertext Markup Language
HTTP     Hypertext Transfer Protocol
HTTPS    Hypertext Transfer Protocol Secure
IaaS     Infrastructure as a Service
ICMP     Internet Control Message Protocol
ICSA     International Computer Security Association
ID       Identification
IDC      International Data Corporation
IDS      Intrusion Detection System
IM       Instant Messaging
IMAP     Internet Message Access Protocol
IMAPS    Internet Message Access Protocol Secure
IoT      Internet of Things
IP       Internet Protocol
IPS      Intrusion Prevention System
IPSec    Internet Protocol Security
IPTV     Internet Protocol Television
IT       Information Technology
J2EE     Java Platform Enterprise Edition
LAN      Local Area Network
LDAP     Lightweight Directory Access Protocol
LLB      Link Load Balancing
LOIC     Low Orbit Ion Cannon
MSP      Managed Service Provider
MSSP     Managed Security Service Provider
NGFW     Next Generation Firewall
NSS      NSS Labs
OSI      Open Systems Interconnection
OTS      Off the Shelf
PaaS     Platform as a Service
PC       Personal Computer
PCI DSS  Payment Card Industry Data Security Standard
PHP      PHP: Hypertext Preprocessor
POE      Power over Ethernet
POP3     Post Office Protocol (v3)
POP3S    Post Office Protocol (v3) Secure
QoS      Quality of Service
RADIUS   Remote Authentication Dial-In User Service
RDP      Remote Desktop Protocol
SaaS     Software as a Service
SDN      Software-Defined Network
SEG      Secure Email Gateway
SFP      Small Form-Factor Pluggable
SFTP     Secure File Transfer Protocol
SIEM     Security Information and Event Management
SLA      Service Level Agreement
SM       Security Management
SMB      Small & Medium Business
SMS      Short Message Service
SMTP     Simple Mail Transfer Protocol
SMTPS    Simple Mail Transfer Protocol Secure
SNMP     Simple Network Management Protocol
SPoF     Single Point of Failure
SQL      Structured Query Language
SSL      Secure Sockets Layer
SWG      Secure Web Gateway
SYN      Synchronization packet in TCP
Syslog   Standard protocol for computer message logging
TCP      Transmission Control Protocol
TCP/IP   Transmission Control Protocol/Internet Protocol (basic Internet protocol suite)
TLS      Transport Layer Security
TLS/SSL  Transport Layer Security/Secure Sockets Layer
UDP      User Datagram Protocol
URL      Uniform Resource Locator
USB      Universal Serial Bus
UTM      Unified Threat Management
VDOM     Virtual Domain
VM       Virtual Machine
VoIP     Voice over Internet Protocol
VPN      Virtual Private Network
WAF      Web Application Firewall
WAN      Wide Area Network
WANOpt   Wide Area Network Optimization
WLAN     Wireless Local Area Network
XSS      Cross-site Scripting

Glossary
Anti-botnet. Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other
coordinated network attacks.
APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access
to a network and stays there undetected for a long period of time. The intention of an APT attack is to
steal data rather than to cause damage to the network or organization. APT attacks target organizations
in sectors with high-value information, such as national defense, manufacturing and the financial industry.
ASIC. Application Specific Integrated Circuits (ASICs) are integrated circuits developed for a particular
use, as opposed to a general-purpose device.
ATP. Advanced Threat Protection relies on multiple types of security technologies, products, and
research -- each performing a different role, but still working seamlessly together -- to combat advanced
attacks from the network core through the end-user device. The 3-part framework is conceptually simple—
prevent, detect, mitigate; however, it covers a broad set of both advanced and traditional tools for
network, application and endpoint security, threat detection, and mitigation.
AV/AM. Anti-virus/Anti-malware provides protection against virus, spyware, and other types of malware
attacks in web, email, and file transfer traffic. Responsible for detecting, removing, and reporting on
malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection
ensures that malicious threats hidden within legitimate application content are identified and removed
from data streams before they can cause damage. Using AV/AM protection at client servers/devices adds
an additional layer of security.
Botnet. A botnet (also known as a zombie army) is a number of Internet computers that, although their
owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other
computers on the Internet. Any such computer is referred to as a zombie - in effect, a computer "robot" or
"bot" that serves the wishes of some master spam or virus originator.
BYOD. Bring Your Own Device (BYOD) refers to employees taking their own personal device to work,
whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a Unisys
study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by
the employee.
Code Emulation. A virtual machine is implemented to simulate the CPU and memory management
systems to mimic the code execution. Thus malicious code is simulated in the virtual machine of the
scanner, and no actual virus code is executed by the real processor.
Cloud Computing. Computing in which large groups of remote servers are networked to allow the
centralized data storage, and online access to computer services or resources. Clouds can be classified
as public, private or hybrid.
Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of
functions, including:
 IP Security (IPSec)
 Firewall
 Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
 Antivirus/Antispyware
 Web Filtering
 Antispam
 Traffic Shaping [7]
Edge Firewall. Implemented at the edge of a network in order to protect the network against potential
attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall—the
gatekeeper.
Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to
the Internet and identify themselves to other devices. IoT is significant because an object that can represent
itself digitally becomes something greater than the object by itself.
IDS. Intrusion Detection System (IDS) detects threats but does not alert the firewall to take any action
against identified threats or unknown traffic.
IPS. Intrusion Prevention System protects networks from threats by blocking attacks that might otherwise
take advantage of network vulnerabilities and unpatched systems. IPS may include a wide range of
features that can be used to monitor and block malicious network activity including: predefined and
custom signatures, protocol decoders, out-of-band mode (or one-arm IPS mode, similar to IDS), packet
logging, and IPS sensors. IPS can be installed at the edge of your network or within the network core to
protect critical business applications from both external and internal attacks.
NGFW. Next Generation Firewall (NGFW) provides multi-layered capabilities in a single firewall appliance
instead of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a
traditional firewall with advanced features including:
 Intrusion Prevention (IPS)
 Deep Packet Inspection (DPI)
 Network App ID & Control
 Access Enforcement
 Distributed Enterprise Capability
 “Extra Firewall” Intelligence
 Third Party Management Compatibility
 VPN
 Application Awareness
Sandbox. A sandbox is a security mechanism for separating running programs. It is typically used to
execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users,
and untrusted websites, in an area segmented off from the device/network operating system and
applications.
VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires — usually the
Internet — to connect to a private network, such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.
Web Filtering. Web Filtering technology gives you the option to explicitly allow web sites, or to pass web
traffic uninspected both to and from known-good web sites in order to accelerate traffic flows. The most
advanced web content filtering technology enables a wide variety of actions to inspect, rate, and control
perimeter web traffic at a granular level. Using web content filtering technology, these appliances can
classify and filter web traffic using multiple pre-defined and custom categories.
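The policy evaluation the Web Filtering entry describes (an explicit allow list whose traffic passes uninspected, predefined and custom categories, and a per-category action) can be modelled in a few dozen lines. The following is an added illustration written for this glossary; it is not Fortinet code, and every hostname, category name and action in it is constructed sample data.

```python
"""Category-based web filter policy check (added illustration, not Fortinet code).

Models the glossary's description of web filtering: an explicit allow list
whose traffic bypasses content inspection, predefined and custom URL
categories, and a per-category action. All hostnames, categories and actions
below are constructed sample values.
"""
from urllib.parse import urlparse

# Constructed sample rating database keyed by hostname (predefined categories).
PREDEFINED_CATEGORIES = {
    "example-bank.test": "finance",
    "news.example.test": "news",
    "malware-host.test": "malicious",
    "proxy-evade.test": "proxy-avoidance",
}

# Administrator-defined custom categories; these take precedence over predefined ones.
CUSTOM_CATEGORIES = {
    "intranet.corp.test": "corporate-internal",
}

# Per-category action: "allow" (pass and inspect), "monitor" (pass, inspect, log), "block".
CATEGORY_ACTIONS = {
    "malicious": "block",
    "proxy-avoidance": "block",
    "news": "monitor",
    "finance": "allow",
    "corporate-internal": "allow",
}
DEFAULT_ACTION = "monitor"  # unrated sites are passed but logged

# Known-good sites whose traffic is passed without content inspection.
ALLOW_LIST_BYPASS = {"updates.vendor.test"}


def host_of(url):
    """Extract a normalised hostname from a URL or bare host string."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").rstrip(".")


def categorize(host):
    """Rate a host: custom entries win over predefined ones, and a parent-domain
    entry also rates its subdomains (www.example-bank.test -> finance)."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CUSTOM_CATEGORIES:
            return CUSTOM_CATEGORIES[candidate]
        if candidate in PREDEFINED_CATEGORIES:
            return PREDEFINED_CATEGORIES[candidate]
    return "unrated"


def evaluate(url):
    """Return (action, category, inspect) for one request URL.

    inspect is True when the traffic is passed on to content inspection
    (antivirus, DLP, etc.); allow-listed and blocked traffic is not inspected."""
    host = host_of(url)
    if host in ALLOW_LIST_BYPASS:
        return ("allow", "allow-list", False)
    category = categorize(host)
    action = CATEGORY_ACTIONS.get(category, DEFAULT_ACTION)
    return (action, category, action != "block")


def filter_requests(urls):
    """Apply the policy to a batch of URLs; returns decisions and log lines
    for everything that was not silently allowed."""
    decisions, log = [], []
    for url in urls:
        action, category, _inspect = evaluate(url)
        decisions.append((url, action))
        if action != "allow":
            log.append(f"webfilter action={action} category={category} url={url}")
    return decisions, log


if __name__ == "__main__":
    sample = [
        "https://www.example-bank.test/login",
        "http://news.example.test/story",
        "http://malware-host.test/payload",
        "https://updates.vendor.test/patch",
        "http://unknown-site.test/",
    ]
    for line in filter_requests(sample)[1]:
        print(line)
```

The ordering of the checks is the point: the allow list is consulted before rating so its traffic skips inspection entirely, custom categories override the vendor rating, and unrated sites fall through to a default action that passes but logs, which is the conservative choice when the rating database has no entry.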
References
1. Gartner, Next Generation Firewalls will include Intrusion Prevention. 2004.

2. Gartner, Magic Quadrant for Enterprise Network Firewalls. 2008.

3. Gartner, Defining the Next Generation Firewall. 2009.

4. Tam, K., et al., UTM Security with Fortinet: Mastering FortiOS. 2013, Waltham, MA: Elsevier.

5. Tittel, E., Unified Threat Management for Dummies. 2012, Hoboken, NJ: John Wiley & Sons.

6. Miller, L., Next-Generation Firewalls for Dummies. 2011, Wiley Publishing, Inc.: Indianapolis, IN.

7. UAB, M., Fortinet Secure Gateways, Firewalls. 2013.