First, the positioning of the next generation firewall
Background of the next generation firewall
In 2009 Gartner, the world's most authoritative IT research and consulting firm, published an article entitled "Defining the Next-Generation Firewall", which describes what a firewall must be to genuinely meet users' current security requirements: a next generation firewall is a deep packet inspection firewall that goes beyond port and protocol inspection to add application-layer detection and blocking and intrusion prevention. A next generation firewall should not be confused with a standalone network intrusion detection system, a consumer or non-enterprise firewall, or a device that simply co-locates a firewall and an IPS without tightly integrating them.
A next generation firewall suited to the domestic environment
In the current domestic Internet security environment, more and more security incidents are caused by hackers exploiting design vulnerabilities at the Web layer. According to statistics, for more than 50% of domestic users Internet traffic and business traffic are mixed together. Take government as an example: more than 60% of government departments' portals and users share the e-government extranet for Internet access. In this scenario, if the firewall acting as the Internet egress security gateway has no Web application protection, then in the new environment of APT attacks the existing security equipment can easily be bypassed and rendered useless. As a converged security product, the next generation firewall must not have a weak link in Web application security.
The next generation firewall (Next-Generation Application Firewall, NGAF) is designed for the application layer. It can accurately identify users, applications and content, provides an L2-L7 security protection system and strengthens the protection of Web applications at the application level. It can not only fully replace the traditional firewall, but also maintains strong application-layer performance with its security functions enabled.
Second, why do you need the next generation firewall?
In recent years, more and more network security incidents tell us that security risks are harder to detect than ever. As the network security situation gradually deteriorates and network attacks become more frequent, customers become less and less sure of their own network security construction. How should security construction be strengthened? What is the core issue of security construction? What kind of security measures are more appropriate? These questions have become the key problems of customers' security construction.
Question 1: do you see the real risks?
On the one hand, only by seeing L2-L7 attacks can one understand the overall security state of the network; with a combination of multiple products, most users have no way to perform unified analysis, cannot quickly locate security issues, and face an increased security operations workload. On the other hand, the absence of attacks does not mean the business has no vulnerabilities; once a vulnerability is exploited, it is too late. A good solution should detect business flaws in time and nip them in the bud. Finally, even a large number of attacks does not mean the threat to the business is great: only attacks against real business vulnerabilities are effective attacks. Without a way to see effective attacks, the customer cannot be shown the real security state of the network and the business.
Question 2: can you defend against hidden attacks?
On the one hand, the protection technology must have no weak link; any weak link will be bypassed and the original equipment becomes useless. On the other hand, simply protecting intranet terminals and servers against external hackers is not enough; to detect whether data is being leaked by malicious behaviour, the traffic that terminals and servers actively initiate outward must also be inspected, so that hackers' command-and-control channels in the network are found, the risk of leaks is discovered, and finally the security technology can defend against them.
In summary, the most effective solution is one that can really see vulnerabilities and attacks, detect data leaks in operation in time, and stop attacks in time. So can traditional solutions based on attack signatures really meet these requirements?
Can the traditional combination scheme (FW+IPS+WAF) meet them?
Shortcoming one of the combination scheme: the devices can see several kinds of attacks, but because the information is scattered across the security logs of separate devices it is difficult to analyse in a unified way; attacks can be found, but when no attack is present the business vulnerabilities cannot be seen, which does not mean they do not exist; even when an attack is seen, it is impossible to determine whether the business system really has the vulnerability, or to guide the user's security construction.
Shortcoming two of the combination scheme: several devices can protect against several kinds of attacks, but most customers do not deploy all of them, so a weak link exists; even if all of these devices are deployed, there is no protection for the business traffic initiated outward by servers and terminals, there are no effective preventive measures in the face of new unknown attacks, and there is still a risk of being bypassed.
Third, introduction to the next generation firewall
Combining the trend of security development with the current state of domestic users' security construction, a next generation firewall suited to the local needs of Chinese users must provide the following features:
1. Security visibility
The next generation firewall can understand the applications on the network, the threats and attacks against those applications, and the data content the threats carry, and can easily present a unified, real L2-L7 security visualization; through active or passive traffic detection it can discover business vulnerabilities and risks, so potential business vulnerabilities can be found even in the absence of attacks.
Through correlation analysis of attacks and business vulnerabilities, it helps users precisely find effective attacks, and lets users see the real security situation of the network and the business.
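The correlation idea above, as an added illustration that is not NGAF code: attack alerts are split into effective attacks (the target really has the matching vulnerability) and noise, and vulnerabilities that nobody has attacked yet are surfaced as well. The alert log and scan findings are constructed sample data; the vulnerability class names are assumed labels.

```python
"""Correlate attack alerts with business vulnerability findings (constructed data)."""
from collections import defaultdict

# Constructed scan findings (assumed active/passive detection): host -> vulnerability classes.
SCAN_FINDINGS = {
    "10.0.0.5": {"sqli", "xss"},
    "10.0.0.6": {"path-traversal"},
    "10.0.0.7": set(),
}

# Constructed IPS/WAF alerts; vuln_class is the flaw the attack signature targets.
ALERTS = [
    {"src": "203.0.113.9", "dst": "10.0.0.5", "vuln_class": "sqli"},
    {"src": "203.0.113.9", "dst": "10.0.0.7", "vuln_class": "sqli"},
    {"src": "198.51.100.4", "dst": "10.0.0.6", "vuln_class": "xss"},
    {"src": "198.51.100.4", "dst": "10.0.0.5", "vuln_class": "xss"},
]


def correlate(alerts, findings):
    """Split alerts into effective (target has the flaw) and ineffective ones."""
    effective, ineffective = [], []
    for alert in alerts:
        if alert["vuln_class"] in findings.get(alert["dst"], set()):
            effective.append(alert)
        else:
            ineffective.append(alert)
    return effective, ineffective


def silent_vulnerabilities(alerts, findings):
    """Flaws no attack has touched yet; they still need fixing before they are exploited."""
    attacked = defaultdict(set)
    for alert in alerts:
        attacked[alert["dst"]].add(alert["vuln_class"])
    return {host: classes - attacked[host]
            for host, classes in findings.items() if classes - attacked[host]}


def summary(alerts, findings):
    """Counts an operator would put on a dashboard instead of raw alert volume."""
    effective, ineffective = correlate(alerts, findings)
    silent = silent_vulnerabilities(alerts, findings)
    return {"effective": len(effective), "ineffective": len(ineffective),
            "silent": sum(len(v) for v in silent.values())}


if __name__ == "__main__":
    print(summary(ALERTS, SCAN_FINDINGS))
```

With the sample data, four alerts collapse to two effective attacks on 10.0.0.5, while the untouched path traversal flaw on 10.0.0.6 is still reported.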
2. Two-way defense
The next generation firewall has L2-L7 attack protection technology, so the protection has no weak link. NGAF can not only protect against external attacks, but also check whether the outbound traffic of servers and terminals carries risk, making up for the shortcoming of traditional security devices that only protect against the outside. NGAF can detect whether a server's outgoing data is being leaked or tampered with, and whether a terminal computer on the network has been taken over by hackers.
3. Intelligent linkage
As the saying goes, however high the defense rises, the attack rises higher: application-layer attacks and evasion attacks of every variety emerge in an endless stream. Defending against attacks intelligently, or learning the protected objects so that protection rules are formed dynamically, is one of the characteristics a next generation firewall must have, so that the security detection modules and the protection policy work in linkage, improving protection against hacker attacks and reducing the customer's cost of operation and maintenance management.
4. High efficiency and stability
Although multifunction gateways have some application security capability, the traditional way of integrating security equipment and deploying functions serially means that once multiple functions are enabled performance drops sharply, and in the end the device can only be used as a traditional firewall. The next generation firewall completely changes this in both software and hardware architecture, removing the performance bottleneck that stacked functions and serial deployment cause in multifunction gateways, and its efficient application-layer processing capability achieves Gigabit throughput.