Goodbye old firewalls. Welcome Next-Generation Firewalls!
To protect our network against unauthorised people and prevent abuse from the outside, we use firewalls. This is how we regulate the traffic on our network and how we decide whether traffic is allowed or blocked. Because there was a need for more capacity and we wanted to use more functionalities as well, we started looking at two new firewalls. During my graduation assignment at BIT, I researched the different firewalls that are being offered. In addition to more capacity and more functionalities, expansion of the firewall services was also key in this study.
Prior to my research, I made an inventory of all the requirements for the new firewalls. Using the MoSCoW method, I classified the requirements for this project. The MoSCoW method is a way of prioritising things like product development. It labels a project as ‘failed’ when not all ‘must-have’ requirements are part of the end product. Following is a short list of a number of requirements that we think are important:
- High availability with stateful failover (redundancy);
- Redundant power supply (4 power supplies on 2 firewalls);
- Full IPv6 support;
- Multitenancy (having virtual, separate firewalls for customer environments for example);
- Being able to set up at least 50,000 new sessions per second;
- Next Generation Firewall (NGFW) functionalities (for securing the aforementioned customer environments).
Functionalities of Next Generation Firewalls
Nowadays, firewalls are a lot more developed and do more than just simple packet filtering and stateful inspection. NGFWs are primarily used to block new threats. Think about advanced malware or attacks on the application layer. This was also one of the reasons for BIT to opt for a next generation firewall. We thought it was important that the firewalls would have a number of important functionalities, which will be explained in the following paragraphs.
It goes without saying that a firewall must have a number of standard functionalities. By this, I mean that sessions are recorded and traffic is regulated based on policies. In addition, it has to be possible to do traffic shaping (aka packet shaping). This refers to controlling the amount of data sent and received by a network card. In this way, you can configure the maximum amount of allowed bandwidth per interface, per IP or per application.
Anti-malware is also a functionality in the NGFW portfolio. Based on this technique, you can block malware before it enters the network. Other NGFW functionalities are Application Control and the Intrusion Prevention System (IPS). Application Control allows the organisation to exert influence on the applications that are being used. This allows you, for example, to block social media as a whole for one or more users.
The IPS is a function that tries to detect and block attacks on the network. The technique used for this is Deep Packet Inspection (DPI). DPI inspects network packets and analyses their contents. Based on this analysis, it is determined whether a packet is relevant. The relevance is determined by two methods: the comparison against so-called signatures and the execution of a heuristic analysis (also called anomaly detection). As soon as a signature is recognised, the IPS will take action, which mostly means that the packets will be placed in quarantine or blocked completely. Through heuristic analysis, the IPS decides which traffic is harmful. The system has to learn how to do this. This initially leads to many false positives and requires a lot of work from the administrator to get a properly functioning system.
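To make the two IPS methods concrete, here is a small added example (not code from BIT or Fortinet) of a toy inspection engine: signature matching on packet payloads and a per-source heuristic that learns a baseline of packets per time window, then flags large deviations. The signatures, IP addresses and traffic windows are all constructed for the demonstration; the last window shows the administrator tuning step that the paragraph above describes, where a legitimate burst that was flagged is folded into the baseline so it stops being a false positive.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed, hypothetical signatures: one byte pattern per named threat.
SIGNATURES: dict[str, bytes] = {
    "sqli-tautology-probe": b"' OR 1=1",
    "shell-path-in-payload": b"/bin/sh",
}


def match_signatures(pkt: Packet) -> list[str]:
    """Signature method: names of all patterns found in the packet payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]


class AnomalyDetector:
    """Heuristic method: learn a per-source packets-per-window baseline,
    then flag windows whose count is far above it (z-score)."""

    def __init__(self, learning_windows: int = 3, z_threshold: float = 3.0) -> None:
        self.learning_windows = learning_windows
        self.z_threshold = z_threshold
        self.history: dict[str, list[int]] = defaultdict(list)

    def observe(self, src: str, count: int) -> bool:
        """Record one window for src; return True if it is anomalous.
        During the learning phase nothing is flagged, the baseline is only built."""
        hist = self.history[src]
        if len(hist) < self.learning_windows:
            hist.append(count)
            return False
        mean = statistics.fmean(hist)
        stdev = statistics.pstdev(hist) or 1.0   # avoid division by zero on a flat baseline
        if (count - mean) / stdev > self.z_threshold:
            return True                          # anomalous windows do not pollute the baseline
        hist.append(count)
        return False

    def accept_as_baseline(self, src: str, count: int) -> None:
        """Administrator tuning: fold a window that was a false positive into the baseline."""
        self.history[src].append(count)


def inspect_window(window: list[Packet], detector: AnomalyDetector) -> dict[str, str]:
    """One verdict per source for a time window: 'block' (signature hit),
    'quarantine' (anomalous volume) or 'allow'."""
    per_src: dict[str, list[Packet]] = defaultdict(list)
    for pkt in window:
        per_src[pkt.src].append(pkt)
    verdicts: dict[str, str] = {}
    for src, pkts in per_src.items():
        if any(match_signatures(p) for p in pkts):
            verdicts[src] = "block"        # signature match: drop the traffic outright
        elif detector.observe(src, len(pkts)):
            verdicts[src] = "quarantine"   # heuristic hit: hold for review instead of dropping
        else:
            verdicts[src] = "allow"
    return verdicts


def web_burst(n: int, src: str = "10.0.0.5") -> list[Packet]:
    """Constructed sample traffic: n ordinary HTTPS requests from one client."""
    return [Packet(src, "192.0.2.10", 443, b"GET /index.html") for _ in range(n)]


def run_demo() -> list[dict[str, str]]:
    """Feed constructed windows through the engine and return the verdicts."""
    detector = AnomalyDetector(learning_windows=3, z_threshold=3.0)
    windows = [
        web_burst(10), web_burst(11), web_burst(9),   # learning phase: baseline only
        web_burst(10),                                # normal
        web_burst(60),                                # six times the baseline: quarantined
        [Packet("198.51.100.7", "192.0.2.10", 443, b"GET /login?user=' OR 1=1--")],
    ]
    results = [inspect_window(w, detector) for w in windows]
    # The 60-packet window turned out to be a legitimate nightly backup: the
    # administrator folds it into the baseline so the next one is not a false positive.
    detector.accept_as_baseline("10.0.0.5", 60)
    results.append(inspect_window(web_burst(60), detector))
    return results


if __name__ == "__main__":
    for i, verdicts in enumerate(run_demo(), 1):
        print(f"window {i}: {verdicts}")
```

The design mirrors the trade-off in the text: signature hits are cheap and precise, so they block immediately, while the heuristic only quarantines, because until the baseline is mature a burst of legitimate traffic is indistinguishable from an attack and someone has to review and tune it.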
Another NGFW functionality is so-called Geoblocking. Geoblocking allows companies to block or allow traffic per country. The final function I would like to explain is the Virtual Private Network (VPN). VPN technology provides secure communication between different networks and hosts. Firewalls use so-called site-to-site IPsec tunnels for this.
Fortinet firewalls as the best option
To determine which firewall would be best for BIT, the requirements and wishes were outlined in a so-called package selection. The requirements were placed on the longlist, and models that did not meet these requirements were immediately discarded. The wishes were placed on a shortlist and were rated. The model with the most points best fits BIT’s demands.
Firewalls from 13 brands were compared, including brands such as Palo Alto, Fortinet and Checkpoint. Of those brands, a total of 41 models were compared. Fortinet’s NGFW turned out to be the best option. A Proof of Concept was executed with Fortinet to verify the result of the study. Two of Fortinet’s type 500E firewalls were ordered; one for data center BIT-1 and one for BIT-2A. These two firewalls are geographically separated and installed in a redundant setup. This means that as soon as one firewall fails, the other one immediately takes over.
The Fortinet firewalls have been in use for a while now and are running our UMTS services and a number of DMZ VLANs. The next step is to migrate other things as well (such as Office).
Physical and virtual firewalls (FWaaS)
It is also possible to purchase firewalls as a service. Firewall as a Service (FWaaS) is a virtual solution for securing, filtering and separating traffic within your server environment. A major advantage of this is that there is no need for hardware investments. BIT can deliver this through Fortinet firewalls.
The Fortinet 500E firewall offers customers the option of having their own Virtual Domains (VDOMs). Within a VDOM, a customer can configure an independent rule base, set up VPN connections and get insight into active sessions.
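As an added illustration of what the VDOM separation looks like in practice (this is an example written for this article, not BIT’s configuration), the FortiOS CLI fragment below enables multi-VDOM mode, creates a VDOM for one customer, assigns it a dedicated interface and gives it its own firewall policy with IPS applied. The VDOM name, interface names and addresses are assumptions; the exact commands for switching VDOM mode differ between FortiOS versions, so check them against the release you run.

```fortios
# Enable multiple VDOMs (FortiOS 6.2 and later; older releases use a different global setting)
config system global
    set vdom-mode multi-vdom
end

# A separate virtual firewall for one customer (name assumed)
config vdom
    edit customer-a
    next
end

# Hand a physical port to that VDOM only; other VDOMs cannot see it
config system interface
    edit "port3"
        set vdom "customer-a"
        set ip 203.0.113.1 255.255.255.0
        set allowaccess ping
    next
end

# Rule base that exists only inside this VDOM: allow HTTPS with IPS inspection and logging
config vdom
    edit customer-a
        config firewall policy
            edit 1
                set name "allow-web-with-ips"
                set srcintf "port3"
                set dstintf "port4"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set utm-status enable
                set ips-sensor "default"
                set logtraffic all
            next
        end
    next
end
```

The point of the per-VDOM policy table is that a mistake or an overly broad rule in one customer’s rule base cannot open up another customer’s environment, which is the multitenancy requirement from the list at the start of this article.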