2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
NGFW (next-generation firewall) has been around for some years now, and over the past three years many mainstream vendors have launched next-generation firewalls of their own. After all the hustle and bustle, however, the next-generation firewall did not spread like a prairie fire and replace the traditional firewall as vendors had hoped. At the same time, UTM has kept evolving and is becoming harder and harder to distinguish from NGFW. In addition, the rise of virtualization has placed new requirements on firewalls: whether traditional or next-generation, not only does the firewall's position in a virtualized environment need to be redefined, but even how to handle east-west traffic has become a problem that must be reconsidered. Finally, situational awareness and security big data have become hot topics in the domestic security circle this year, and what role the next-generation firewall should play under this new system needs to be rethought point by point so that a new position can be determined.
1. Next-generation firewall vs. traditional firewall / UTM: the core difference lies in identification capability
According to the standard drafted by the Ministry of Public Security, the next-generation firewall is uniformly called the second-generation firewall (GA/T 1177-2014, "Information Security Technology: Security Technical Requirements for Second-Generation Firewalls"), and the internationally common term "next-generation firewall" is officially renamed "second-generation firewall".
Looking across the definitions given by different institutions at home and abroad, the biggest differences between the second-generation firewall and the traditional firewall are generally visibility and high performance. There are also things like IPS, AV and URL filtering, but I don't think those are essential. Palo Alto, for example, says that App-ID, User-ID and high performance are its core technologies, which in fact amounts to user visibility, application visibility and high performance.
Also, when the difference between the next-generation firewall and UTM comes up, we generally criticize UTM's performance. The technical argument usually goes that UTM is the previous generation of technology: each packet is pushed through every engine in turn, in a serial "candied haws on a stick" chain, so performance drops sharply once security features are enabled, whereas the next-generation firewall uses separate engines with one-pass parallel scanning, so its performance is very high. In fact this is a false proposition. Has UTM not developed? All of these technical problems can be solved.
So people get dizzy when making a choice. What, then, is the difference?
In fact, Palo Alto is right. From a security professional's point of view, there is a saying that "a security problem at each layer must be solved at that layer." Generally speaking, you have to see the thief before you can catch him. The granularity of the traditional firewall here is relatively coarse: it cannot solve today's layer-7 application security problems at layer 3, because it is "blind" to them. As for performance, with the improvement of hardware there is in fact no problem that cannot be solved. As for adding IPS, WAF, behavior management, AV and URL filtering to the NGFW: in theory a vendor can add any module it thinks useful, and I don't think this constitutes an essential difference.
In addition, once the "visibility" problem is solved, QoS, policy enforcement, virus scanning and so on can all be carried out more precisely and at a finer granularity, based on "application / user". In other words, "visibility" lays the foundation for fine and precise management, which traditional firewalls cannot achieve with their coarse management based on the five-tuple.
Finally, it is true that performance is much better than before, but this is mainly due to improvements in hardware and does not constitute an essential difference. The so-called "fast" should come with a premise: if you are running naked and I am fully loaded, what use is it that you are faster than me?
To be fair: next-generation firewall ≈ (traditional firewall + application visibility) ≈ UTM [≈: approximately]
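The difference in granularity discussed above, a five-tuple rule versus a policy keyed on identified application and user, is easiest to see in code. The following is an added example, not code from the original article or from any vendor: a toy policy engine with a traditional five-tuple ACL beside an application/user-aware rule set. The application signatures (a TLS record header, an SSH banner, HTTP methods, the BitTorrent handshake), the IP-to-user map and all sample flows are constructed for the illustration.

```python
"""Five-tuple ACL vs. application/user-aware policy (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    payload: bytes  # first client-to-server bytes of the flow


def in_net(ip, net):
    """True if `ip` is inside `net`; "*" is a wildcard."""
    return net == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


# --- traditional firewall: rules see only (src, dst, proto, port) ---------
FIVE_TUPLE_RULES = [  # (src_net, dst_net, proto, dst_port, action)
    ("10.1.0.0/16", "*", "tcp", 443, "allow"),
    ("10.1.0.0/16", "*", "tcp", 80, "allow"),
    ("*", "*", "*", "*", "deny"),
]


def five_tuple_decision(flow):
    """First-match evaluation; anything on an allowed port passes, whatever it carries."""
    for src, dst, proto, dport, action in FIVE_TUPLE_RULES:
        if (in_net(flow.src_ip, src) and in_net(flow.dst_ip, dst)
                and proto in ("*", flow.proto) and dport in ("*", flow.dst_port)):
            return action
    return "deny"


# --- next-generation firewall: identify the application and the user -------
APP_SIGNATURES = [  # constructed, deliberately minimal signatures
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("http", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
]


def identify_app(payload):
    """Classify a flow by what it carries, independent of the port it uses."""
    for name, matches in APP_SIGNATURES:
        if matches(payload):
            return name
    return "unknown"


USER_BY_IP = {"10.1.2.10": "alice", "10.1.2.11": "bob"}   # constructed User-ID map
USER_GROUPS = {"alice": "finance", "bob": "engineering"}

APP_USER_RULES = [  # (user_group, application, action)
    ("engineering", "ssh", "allow"),
    ("*", "tls", "allow"),
    ("*", "http", "allow"),
    ("*", "*", "deny"),
]


def app_user_decision(flow):
    """Five-tuple check first, then a finer decision on (group, application)."""
    if five_tuple_decision(flow) == "deny":
        return "deny", "unknown", None
    app = identify_app(flow.payload)
    user = USER_BY_IP.get(flow.src_ip)
    group = USER_GROUPS.get(user, "anonymous")
    for g, a, action in APP_USER_RULES:
        if g in ("*", group) and a in ("*", app):
            return action, app, user
    return "deny", app, user


# Constructed sample flows: three of them share TCP/443 but carry different things.
ALICE_TLS = Flow("10.1.2.10", "198.51.100.20", "tcp", 51000, 443, b"\x16\x03\x01\x00\xc8\x01")
ALICE_SSH_ON_443 = Flow("10.1.2.10", "198.51.100.21", "tcp", 51001, 443, b"SSH-2.0-OpenSSH_9.6\r\n")
BOB_SSH_ON_443 = Flow("10.1.2.11", "198.51.100.21", "tcp", 51002, 443, b"SSH-2.0-OpenSSH_9.6\r\n")
ALICE_TORRENT_ON_80 = Flow("10.1.2.10", "198.51.100.22", "tcp", 51003, 80, b"\x13BitTorrent protocol")
OUTSIDE_IN = Flow("203.0.113.9", "10.1.2.10", "tcp", 40000, 443, b"\x16\x03\x01\x00\xc8\x01")

if __name__ == "__main__":
    for f in (ALICE_TLS, ALICE_SSH_ON_443, BOB_SSH_ON_443, ALICE_TORRENT_ON_80, OUTSIDE_IN):
        print(f"{f.src_ip:>12} -> :{f.dst_port:<4} five-tuple={five_tuple_decision(f):5}"
              f" app/user={app_user_decision(f)}")
```

The five-tuple ACL allows all three flows on port 443 from the inside because it cannot tell a TLS session from an SSH session tunnelled over the same port; the application/user policy allows SSH only for the engineering group and drops the BitTorrent flow hiding on port 80. The signatures here only look at the first bytes of a flow, which is the minimum a real identification engine does before falling back on heuristics.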
2. Next-generation firewall market share: not as large as imagined
Realistically speaking, NGFW has not overturned the traditional firewall or UTM. The actual situation is that the needs of most customers, especially small and medium-sized customers reached through the channel, can basically be met by a traditional firewall, and this factor has also kept the price of the next-generation firewall relatively low. UTM continues to sell within its own sphere of influence and is getting closer and closer to the next-generation firewall. Of course, the next-generation firewall has its own market share too; after all, next-generation firewall vendors basically promote it as a replacement for traditional firewall sales. The market boundary between firewall and next-generation firewall has blurred, and it is basically a scuffle over the original market share. The pool is not very big.
The next-generation firewall is characterized as a relatively integrated product: it has traditional firewall functions such as NAT, PPPoE, VLAN, IPsec/SSL VPN, ACL and QoS, as well as application security functions such as behavior management, intrusion detection, WAF, anti-virus, audit / behavior management and URL filtering. This feature also makes it easy for it to make enemies everywhere: it can be turned into an audit product, an anti-virus gateway or a web application firewall. In fact, the next-generation firewall functions developed by the various vendors are just their own strongest products integrated into one box. The next-generation firewall has been out for several years, and many customers still don't know what the difference is. This makes the positioning of the next-generation firewall a little embarrassing: it is a cure-all, yet it loses its own character. For example, since there is an IPS in the next-generation firewall, why should customers buy a separate IPS? With * in the firewall, why would customers buy a professional *? Vendors have to ask themselves questions like these.
3. New challenges: the next-generation firewall needs to develop and break through
Cloud technology has developed rapidly over the past two years. It is no longer confined to research papers, and there are more and more cloud construction projects all over the country. In the cloud computing scenario, the firewall needs to reconsider its location and role.
For example, in the network virtualization scenario, inbound and outbound traffic is no longer delivered through traditional hardware constructs such as ports and VLANs, but is steered by soft routing similar to a vSwitch. In the private cloud scenario, traffic divides into traffic entering and leaving the virtual machines and traffic among them, that is, "north-south" and "east-west" traffic. The protection needs of these two kinds of traffic differ and must be treated differently. North-south traffic mainly comes from the outside, and the original next-generation firewall's capabilities protect it well. East-west traffic is mainly traffic between virtual machines; isolation between virtual machines can be constrained by virtual switch policy, so what mainly needs protecting is the traffic between virtual machines, with audit, identification, database protection and so on. Some vendors have studied this; Hillstone, for example, distinguishes the protection of these two kinds of traffic with two products, "Cloud World" and "Cloud Grid", and the names are quite apt. The traditional hardware firewall, however, only considers protection from the outside and has no way to directly protect the traffic inside a virtual machine or between sub-virtual machines.
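To make the north-south / east-west split concrete, here is an added example (not code from the article or from any vendor) that classifies a flow by whether its endpoints fall inside the private cloud's tenant networks and then routes it to a different policy: north-south flows go to the perimeter NGFW policy, while east-west flows get a per-tenant segmentation decision with database traffic flagged for audit. The tenant address plan, the database port table and the sample flows are constructed for the illustration.

```python
"""North-south vs. east-west traffic classification in a private cloud (constructed example)."""
import ipaddress

# Constructed address plan: each tenant owns one /16 inside the cloud.
TENANT_NETS = {
    "tenant-a": ipaddress.ip_network("10.10.0.0/16"),
    "tenant-b": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed table of database services whose east-west traffic should be audited.
DB_PORTS = {3306: "mysql", 5432: "postgresql", 1433: "mssql"}


def tenant_of(ip):
    """Return the tenant that owns `ip`, or None if it is outside the cloud."""
    addr = ipaddress.ip_address(ip)
    for name, net in TENANT_NETS.items():
        if addr in net:
            return name
    return None


def classify_direction(src_ip, dst_ip):
    """north-south: one endpoint outside the cloud; east-west: both inside."""
    src, dst = tenant_of(src_ip), tenant_of(dst_ip)
    if src is None and dst is None:
        return "transit"          # neither end is ours; not this firewall's job
    if src is None or dst is None:
        return "north-south"
    return "east-west"


def east_west_decision(src_ip, dst_ip, dst_port):
    """Segmentation policy for VM-to-VM traffic: deny across tenants,
    allow within a tenant, and mark database flows for audit."""
    src, dst = tenant_of(src_ip), tenant_of(dst_ip)
    if src != dst:
        return {"action": "deny", "reason": "cross-tenant"}
    verdict = {"action": "allow", "reason": "intra-tenant"}
    if dst_port in DB_PORTS:
        verdict["audit"] = DB_PORTS[dst_port]
    return verdict


def dispatch(src_ip, dst_ip, dst_port):
    """Send the flow to the policy that matches its direction."""
    direction = classify_direction(src_ip, dst_ip)
    result = {"direction": direction}
    if direction == "north-south":
        result["policy"] = "perimeter-ngfw"   # handled by the edge firewall's rule base
    elif direction == "east-west":
        result["policy"] = "vm-segmentation"
        result.update(east_west_decision(src_ip, dst_ip, dst_port))
    else:
        result["policy"] = "none"
    return result


# Constructed sample flows.
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.10.1.10", 443),   # internet -> tenant-a web VM
    ("10.10.1.10", "10.10.2.20", 3306),   # tenant-a web VM -> tenant-a database VM
    ("10.10.1.10", "10.20.2.20", 3306),   # tenant-a VM -> tenant-b database VM
    ("10.20.3.30", "10.20.3.31", 22),     # tenant-b VM -> tenant-b VM
]

if __name__ == "__main__":
    for src, dst, port in SAMPLE_FLOWS:
        print(f"{src:>12} -> {dst:<12}:{port:<5} {dispatch(src, dst, port)}")
```

The point of the example is that the east-west policy never even consults the perimeter rule base: the same classifier that a hardware firewall at the edge cannot run (it never sees VM-to-VM traffic) is what a firewall sitting next to the vSwitch has to run first.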
In addition, there is demand for firewalls in virtual form (as virtual machines). Public cloud providers have now begun to turn traditional hardware protection devices into virtual machines on their platforms, sold as products and services through the platform's store.
Finally, the rise of security big data this year, for instance using security big data for security situational awareness, security incident correlation analysis and security early warning, has also placed new requirements on firewalls. Firewalls are required to monitor traffic and report data, and to close the loop on security issues according to the rules issued by the security center.
To sum up, although the next-generation firewall has not been out for long, changes in the market already require it to keep up with new developments as soon as possible. In the future, whether in its hardware form and deployment location or in what it protects, the next-generation firewall still needs to keep developing and even break through.
4. Development forecast for the next-generation firewall
Changes in form
With the development of cloud computing and virtualization, the next-generation firewall will gradually split into software and hardware forms, with the hardware being merely the host for the firewall in software form.
The next-generation firewall can then be flexibly deployed anywhere: at the physical network boundary, inside virtual machines, inside or outside the cloud, or as a sensor wherever traffic detection is needed.
Changes in function
Internal and external cultivation is the basic skill. Judging from the deployment location of the traditional firewall, it sits at the boundary between the internal and external networks, with the outside on one side and the inside on the other. Border defense therefore remains an eternal topic. Externally, the main demand comes from security defense, so there will still be strong demand for IPS, WAF, anti-DDoS and so on; internally, the main demand is control, especially control of traffic and of speech content. External defense and internal control: this is the "internal and external cultivation" that the next-generation firewall must master as its basic skill.
Cure-all 2.0: traditional IPS, WAF, auditing, behavior management, * *, and new features will continue to be added. Of course, the range of additions will still be stacked around the characteristic of "traffic processing". As functions accumulate, the next-generation firewall will adopt a new, flexible plug-in mechanism, adding functional modules through licensing, with users paying according to the number of licenses; the basic firewall functions will be sold at a very low base price, and most of the revenue will come from paid modules. This also resolves the entanglement with the price of the traditional firewall.
Continuous enhancement of identification capability. As mentioned above, the most essential difference of the next-generation firewall is identification capability, that is, the identification of applications, security issues, users and services. To protect against application-layer problems, the coarse protection based on the traditional x-tuple must be abandoned; identification capability must be continuously strengthened, DPI/DFI reinforced, and mathematical modeling, big data, machine intelligence and other approaches used as far as possible to replace the original way of relying on people to identify protocols by hand. If you can't see the thief, you can't catch the thief; this is the inherent driving demand brought about by the application explosion.
Softening and thinning. Apart from the enhanced identification capability, the other capabilities of the next-generation firewall will be weakened, and it will evolve more towards sensors and thin boxes. L3 and L2 functions, for example, may not be needed in the cloud environment, where only the core function of flow identification and control needs to be retained. No matter how it is deployed, the basic pattern of taking a flow in, processing it and then deciding the next hop to forward to will not change. With security big data, whether in hardware or software form, the number of firewalls will keep growing while the core function shrinks to data identification and processing plus log reporting. Using mature data processing capabilities, the cloud processes and analyzes all kinds of information, performs functions such as situational awareness, correlation analysis and mining, and sends the conclusions back to the firewall as ACLs to form a closed loop. For data collection the firewall is the most advantageous location because of its sheer numbers.
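The closed loop described here and in section 3 (thin firewalls report logs, the security center correlates them, conclusions come back as ACLs) is shown end to end in the following added example, which is not code from the article or from any vendor. Two sensors report deny verdicts in a constructed key=value log format; a central correlation step flags a source that was denied on many distinct ports across more than one sensor inside a time window; the finding becomes a time-limited deny ACL that every sensor applies and whose expiry it checks. The log format, thresholds, TTL and sample records are all constructed for the illustration.

```python
"""Closed loop between firewall sensors and a central analytics service (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the flow/verdict logs that each firewall sensor reports upstream.
SAMPLE_LOGS = """\
2024-06-03T10:00:01Z sensor=fw-edge-1 src=203.0.113.5 dst=10.1.2.10 dport=22 action=deny
2024-06-03T10:00:02Z sensor=fw-edge-1 src=203.0.113.5 dst=10.1.2.10 dport=23 action=deny
2024-06-03T10:00:04Z sensor=fw-edge-1 src=203.0.113.5 dst=10.1.2.10 dport=445 action=deny
2024-06-03T10:00:05Z sensor=fw-edge-1 src=203.0.113.5 dst=10.1.2.11 dport=3389 action=deny
2024-06-03T10:01:10Z sensor=fw-vm-2 src=203.0.113.5 dst=10.1.3.20 dport=1433 action=deny
2024-06-03T10:01:12Z sensor=fw-vm-2 src=203.0.113.5 dst=10.1.3.21 dport=3306 action=deny
2024-06-03T10:02:00Z sensor=fw-edge-1 src=198.51.100.7 dst=10.1.2.10 dport=22 action=deny
2024-06-03T10:02:30Z sensor=fw-edge-1 src=198.51.100.7 dst=10.1.2.10 dport=443 action=allow
2024-06-03T10:03:00Z sensor=fw-vm-2 src=10.1.3.20 dst=10.1.3.21 dport=3306 action=allow
"""


def parse_log_line(line):
    """'<timestamp> k=v k=v ...' -> dict with a datetime and an int port."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def parse_logs(text):
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def detect_scanners(records, window=timedelta(minutes=5), min_ports=5, min_sensors=2):
    """Central correlation: one source denied on >= min_ports distinct ports,
    seen by >= min_sensors different sensors, inside `window`."""
    by_src = defaultdict(list)
    for r in records:
        if r["action"] == "deny":
            by_src[r["src"]].append(r)
    findings = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):          # each record may open a window
            in_win = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            ports = {r["dport"] for r in in_win}
            sensors = {r["sensor"] for r in in_win}
            if len(ports) >= min_ports and len(sensors) >= min_sensors:
                findings.append({"src": src, "ports": sorted(ports),
                                 "sensors": sorted(sensors), "first_seen": first["ts"]})
                break                              # one finding per source is enough
    return findings


def build_acl(findings, issued_at, ttl=timedelta(hours=1)):
    """Turn findings into time-limited deny entries to push back to every sensor."""
    return [{"action": "deny", "src": f["src"], "dst": "any",
             "expires": issued_at + ttl, "reason": "port-scan"} for f in findings]


class Sensor:
    """Thin firewall: applies local policy plus centrally issued ACLs and reports logs."""

    def __init__(self, name, acl=()):
        self.name = name
        self.acl = list(acl)
        self.reported = []   # log lines that would be shipped to the security center

    def decide(self, src, dst, dport, now):
        for entry in self.acl:
            if entry["src"] == src and now < entry["expires"]:
                action = "deny"
                break
        else:
            action = "allow"   # stand-in for the sensor's own local policy
        self.reported.append(f"{now:%Y-%m-%dT%H:%M:%SZ} sensor={self.name} "
                             f"src={src} dst={dst} dport={dport} action={action}")
        return action


def run_cycle(log_text, issued_at):
    """One turn of the loop: collected logs -> findings -> ACL to distribute."""
    findings = detect_scanners(parse_logs(log_text))
    return findings, build_acl(findings, issued_at)


if __name__ == "__main__":
    findings, acl = run_cycle(SAMPLE_LOGS, datetime(2024, 6, 3, 10, 5, 0))
    print("findings:", findings)
    edge = Sensor("fw-edge-1", acl)
    print(edge.decide("203.0.113.5", "10.1.2.10", 80, datetime(2024, 6, 3, 10, 6, 0)))
    print(edge.reported[-1])
```

Two design points matter for the loop to stay safe. The correlation requires several sensors to agree, so one noisy box cannot push a block on its own, and every ACL entry carries an expiry, so a false positive (or a scan from behind a shared NAT) clears itself instead of becoming a permanent rule. The sensor's verdict on the pushed ACL is itself reported back, which is how the center can later see whether its rule actually fired.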
In addition, with the development of mobile office, the physical boundary of the firewall also needs to be extended virtually. BYOD will therefore continue to develop, relying on the data-link encryption capability of the next-generation firewall in cooperation with endpoint data encryption to form a security solution in which data is never stored on the device anywhere along the path.
Concluding remarks
Real life is always full of opportunities and confusion, and building products faces the same problems. In the face of ever-changing market demand, one can survive only by persisting in focusing on value, embracing change, and doing the most important aspects of the product well.
© 2024 shulou.com SLNews company. All rights reserved.