
    Next-generation firewall mechanisms for threat detection

    Date: 01.12.2022


    Before the era of UTM (Unified Threat Management), or the next-generation firewall, we most often dealt with stateful firewall devices. A stateful firewall operates primarily on the headers of the network layer (L3) and the transport layer (L4) of the OSI model.

    Because it understood the headers and messages of the network and transport layers, e.g. the process of establishing a TCP connection (the three-way handshake), the firewall was able to “make sure” that sessions could be initiated only in the direction permitted by the previously defined relationship between security zones or interfaces, e.g. trusted to untrusted.

    [Figure: How a stateful firewall reads L3 and L4 headers]

    The stateful firewall, operating on addresses in the network layer and flags in the transport layer, was able to recognize the beginning of a two-way session (i.e. a session initiated from a specific side) and the end of the session, and it automatically allowed return traffic within that session. In such a scenario, packets that do not belong to any open session are not allowed and are blocked.
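    The session tracking described above, as an added example that is not part of the original article. The zone names, the policy and the packet model are assumptions made for the illustration, and the TCP state machine is reduced to the handshake, RST and FIN handling:

```python
from collections import namedtuple

# Constructed packet model: ingress/egress zone, L3 addresses, L4 ports, TCP flags.
Packet = namedtuple("Packet", "in_zone out_zone src sport dst dport flags")
# Assumed policy: sessions may only be initiated from trusted to untrusted.
ALLOWED_INITIATION = {("trusted", "untrusted")}

class StatefulFirewall:
    def __init__(self):
        # (initiator, iport, responder, rport) -> [state, sides that sent FIN]
        self.sessions = {}

    def process(self, p):
        flags = set(p.flags.split("|"))
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        known = fwd in self.sessions or rev in self.sessions
        if flags == {"SYN"} and not known:
            # First handshake packet: only the zone policy decides.
            if (p.in_zone, p.out_zone) not in ALLOWED_INITIATION:
                return "block"
            self.sessions[fwd] = ["SYN_SENT", set()]
            return "allow"
        if not known:
            return "block"  # packet belongs to no open session
        key, from_initiator = (fwd, True) if fwd in self.sessions else (rev, False)
        entry = self.sessions[key]
        if "RST" in flags:
            del self.sessions[key]  # session aborted, return path closes
        elif entry[0] == "SYN_SENT":
            if from_initiator or flags != {"SYN", "ACK"}:
                return "block"
            entry[0] = "SYN_RCVD"
        elif entry[0] == "SYN_RCVD":
            if not from_initiator or flags != {"ACK"}:
                return "block"
            entry[0] = "ESTABLISHED"
        elif "ACK" not in flags or "SYN" in flags:
            return "block"  # not valid inside an established session
        elif "FIN" in flags:
            entry[1].add(from_initiator)
        elif len(entry[1]) == 2:
            del self.sessions[key]  # final ACK after both sides sent FIN
        return "allow"

def run(packets):
    """Feed a packet trace through a fresh firewall; return verdicts and open sessions."""
    fw = StatefulFirewall()
    return [fw.process(p) for p in packets], fw.sessions
```

    Return traffic is accepted only because the outbound SYN created a table entry; once the session is closed, the same inbound packet is blocked again.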

    Next-Generation Firewalls – Advanced protection

    Today’s Next-Generation Firewall (NGFW or UTM) mechanisms are still based on the basic configuration of the stateful scenario, but they can be extended to include advanced filtering. In practice, this means that when you buy a next-generation firewall from the Firepower 1150 or FortiGate 200 family, you have at your disposal mechanisms such as Web Filtering, Application Control, IPS or Anti-Malware, which work not only on the L3-L4 layers but analyze traffic up to layer seven (L7). This allows greater control of traffic in an era of more sophisticated threats on the network.

    It is worth mentioning here the general trend called Deep Packet Inspection (DPI), which allows the firewall to look into the application layer and analyze the contents of the packet (payload) in this layer. But it doesn’t end there. Modern firewalls can also effectively use mechanisms such as load balancing and load sharing.

    [Figure: Deep packet inspection in a next-generation firewall]

    Let’s take a closer look at the features that cannot be missing in advanced Firewall solutions.

    URL Filtering and Web Filtering in next-gen firewalls

    One of the characteristic functionalities of UTM or Next-Generation Firewalls is URL Filtering. This is one of the mechanisms unavailable in older-generation firewall solutions, i.e. stateful firewalls. URL Filtering allows you to control (usually block or allow) requests for URLs, or parts of URLs, that users try to reach via HTTP connections. URL Filtering analyzes the characters in the HTTP request, e.g. using regular expressions (regex).

    The next stage in the development of this functionality is Web Filtering, also called Web Content Filtering, which uses more advanced mechanisms. In addition to analyzing individual characters within the URL, it filters content using website categories catalogued in the databases of a given manufacturer. Examples of categories are Banking, E-commerce, News, Social Media, Gaming, etc.

    [Figure: Web filtering feature]

    Thanks to categorization, next-generation firewall mechanisms filter content based on categories containing hundreds of thousands of different websites. URL and Web Content Filtering functionalities are most often used to block users on the corporate network from accessing undesirable sites, for example selected social media or other portals that do not comply with the company’s policy.
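    How the two mechanisms combine, as an added example that is not part of the original article. The category database, the blocked categories and the URL rules are constructed for the illustration and do not come from any vendor:

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for a vendor category database (domain -> category).
CATEGORY_DB = {
    "bank.example": "Banking",
    "social.example": "Social Media",
    "games.example": "Gaming",
}
BLOCKED_CATEGORIES = {"Social Media", "Gaming"}  # assumed company policy

# URL Filtering: ordered regex rules evaluated against the whole URL.
URL_RULES = [
    ("allow", re.compile(r"^http://intranet\.corp\.example/")),
    ("block", re.compile(r"\.(exe|scr)(\?|$)", re.IGNORECASE)),
]

def categorize(host):
    """Longest-suffix lookup, so cdn.social.example inherits Social Media."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return "Uncategorized"

def filter_request(url):
    """Return (action, reason) for one requested URL."""
    for action, pattern in URL_RULES:
        if pattern.search(url):
            return action, "url-rule"      # character-level match decides first
    category = categorize(urlsplit(url).hostname or "")
    if category in BLOCKED_CATEGORIES:
        return "block", category           # category-level policy
    return "allow", category
```

    The host is normalised (case, trailing dot) before the lookup, and matching is done on whole labels, so `notsocial.example` does not inherit the category of `social.example`.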

    Application Filtering means application control

    The Application Filtering (Application Control) functionality is based on two factors: knowledge of application signatures (patterns) and traffic patterns characteristic of application data transferred within the network.

    The ability to recognize application signatures is most often associated with analysis of the packet content (also known as the packet payload). The firewall then determines what application it is dealing with within a given session (even if the application uses encrypted traffic during communication). Such an engine uses a number of techniques that go beyond standard analysis of, e.g., the TCP/UDP port, and rely on many other patterns in the packet content, its header or messages specific to application data.

    Application Filtering or Application Control, similarly to Web Filtering, uses categories catalogued by the manufacturer or created by the system administrator, enabling the use of various filters, e.g. Risks, Business Relevance, Types, Categories or Tags.

    Examples of such applications include Facebook Messenger, Gmail, Google Hangouts, Office 365 and thousands of other applications. Application Control, therefore, allows you to specify which applications the firewall should prioritize, allow and block according to company policy.
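    Port-independent identification from the first payload bytes, as an added example that is not part of the original article. The signature table and the `build_client_hello` sample generator are constructed for the illustration; for TLS the classifier relies on the server name that a ClientHello carries in cleartext:

```python
import re
import struct

# Constructed signature table (SNI suffix -> application), not a vendor database.
APP_BY_SNI = {"chat.example": "ExampleChat", "mail.example": "ExampleMail"}
HTTP_REQUEST = re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def sni_from_client_hello(data):
    """Return the server name from a TLS ClientHello, or None."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:  # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                    # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher suites
        pos += 1 + data[pos]                    # compression methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:                   # server_name extension
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace").lower()
            pos += ext_len
    except (IndexError, struct.error):
        pass                                    # truncated or malformed input
    return None

def identify(payload):
    """Name the application from payload content alone; the port plays no part."""
    if payload.startswith(b"SSH-2.0-"):
        return "SSH"
    if HTTP_REQUEST.match(payload):
        return "HTTP"
    sni = sni_from_client_hello(payload)
    if sni is not None:
        apps = [a for s, a in APP_BY_SNI.items() if sni == s or sni.endswith("." + s)]
        return apps[0] if apps else "TLS (unrecognized application)"
    return "unknown"

def build_client_hello(host):
    """Constructed minimal ClientHello with only an SNI extension (sample input)."""
    name = host.encode()
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = bytes([3, 3]) + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(sni)) + sni
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

    An SSH banner is classified as SSH whichever port carries it, which is the difference from a port-based rule.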

    [Figure: Application control in a next-generation firewall device]

    Intrusion Prevention (IPS) and Anti-Malware Protection (AMP+) 

    The Intrusion Prevention System is used as part of the firewall mechanism to detect activities commonly recognized as suspicious, e.g. related to attacks on the firewall device itself or attacks passing through a next-generation firewall and intended to destabilize services behind the edge device.

    IPS is a mechanism most often based on attack signatures, i.e. traffic templates and hash functions, thanks to which we can detect many undesirable behaviours.

    Which ones specifically?

    • scanning,
    • DoS (Denial of Service), DDoS (Distributed Denial of Service) attacks,
    • spoofing,
    • attempts to send dangerous commands as part of communication to and through the device.

    A kind of extension of IPS mechanisms is a feature called Anti-Malware Protection (e.g. AMP), i.e. a mechanism responsible for detecting traces and activity of malicious software (malware), which includes e.g. ransomware. Malware is characterized by duplication and self-propagation within a given network, and even by polymorphism. These types of threats are undoubtedly more difficult to detect.

    AMP mechanisms supported by machine learning (ML) can more effectively detect the presence of malware in our network. For this purpose, they use not only predefined signatures but also a safe sandbox environment in which anomalies in the behaviour of the software are investigated for a certain period of time. They can also tag the behaviour of the program as undesirable.

    Machine learning is also used to reduce the risk of new, as yet unknown attacks. Such actions are called zero-day attack prevention.

    Many global companies have found out in recent years how important protection against malware is, for example when drives on users’ computers and even key servers were encrypted.

    [Figure: IPS mechanisms at the network edge]

    Anti-DDoS

    The Anti-DDoS mechanism, as the name suggests, has the ability to mitigate Denial of Service or Distributed Denial of Service attacks.

    It is difficult to provide protection against this type of attack using only a firewall at the interface between the network and the operator (ISP), because a characteristic feature of a DDoS attack is that it uses up the entire connection to the ISP. Even if the firewall is able to process all traffic and effectively block packets, the link on the operator’s side will be full. As a result, the desired traffic will not be able to reach our network.

    Therefore, Anti-DDoS mechanisms or Anti-DDoS systems are often implemented using a so-called Scrubbing Center or in consultation with the network operator. Automation mechanisms are then used to dynamically control traffic and, upon detection of an attack, direct traffic through a cloud that has greater capacity and is capable of filtering out unwanted traffic. The cloud then sends “clean” traffic to our link.

    [Figure: DDoS attack mechanism]

    As you can see, modern firewalls use advanced mechanisms to protect the edge of the network. Thanks to this, they are more responsive to emerging threats and increasingly sophisticated attack methods.




      Marcin Bialy

      Marcin Biały is a Network and Security Architect with over 14 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Leading Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLIs and GUIs of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.
