By: Sasha Radenovic
July 18, 2017
Next Generations of Firewalls
§ Purpose of Firewall
A firewall should stop unwanted traffic, prevent disruption of the local network and protect the computers on it. As long as applications used strictly defined ports and protocols, a conventional firewall that blocks traffic by port and/or protocol could do that job. What almost every network let through its firewall was HTTP, i.e. port 80. Application vendors, and cyber criminals with them, quickly realized that they could ride HTTP to "pass" the powerful and expensive protection a firewall provides, so almost any application today will run happily over nothing but HTTP on port 80: Skype, P2P, torrents, whatever. The protective fence was strong and impenetrable, but gate number 80 stood wide open. Classic firewalls offered a partial answer through traffic monitoring and scanning combined with anti-malware integration, but that did not solve the problem; the real change came with the next-generation firewall from Palo Alto Networks (PAN).

§ Why is the "next" generation better?
Why do PAN devices provide better protection? First of all, they can "see" and control most known and lesser-known applications whose traffic crosses the network, regardless of which port and protocol they use and regardless of any evasion tactics (hiding behind another port or protocol). PAN devices can even identify the application inside SSL-encrypted traffic. More about this from Palo Alto Networks: https://media.paloaltonetworks.com/lp/endpoint-security/index.html
Another key advantage is user identification. Yes, PAN devices integrate with Active Directory (AD) and many other directories, but they go a step further: they can watch user logon events, query the Exchange server, check who is logged on to a workstation, and so on, all in order to establish with certainty which user is behind a given device and application. The resulting IP-to-user mapping is only as reliable as the logon data behind it, so it needs extra care where many users share one IP address, for example behind NAT or on a terminal server.
The third feature is precise content control, which protects against a wide range of threats, prevents unauthorized download of files and data, and reins in counterproductive web surfing.
In addition, PAN devices can control SSL- and SSH-encrypted traffic, manage unknown traffic (traffic that matches no known application or protocol), scan all applications on all ports and protocols for malicious code, and offer simple, centralized management and easy policy deployment for all users across all devices and locations, at high performance.
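To make the two core ideas above concrete, here is an added example (not code from this page or from Palo Alto Networks): a toy rulebase that classifies a flow from the first bytes the client sent rather than from the destination port, attributes the source IP to a user from logon records, and then evaluates a (user, application) policy. The application signatures, the logon records, the user names and the rulebase are all constructed for illustration; the port-based verdict alongside shows what a classic firewall with port 80 open would have done with the same flows.

```python
# Added example, not Palo Alto Networks code: a toy rulebase that mimics two of
# the ideas described above. Flows are classified from the first client bytes
# instead of the destination port, and each source IP is attributed to a user
# from (constructed) logon records before the policy is evaluated.
import re
from dataclasses import dataclass


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes  # first bytes sent by the client


# Simplified application signatures (illustrative, not a vendor App-ID database).
_HTTP_REQ = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def identify_app(payload: bytes) -> str:
    """Name the application from payload content, ignoring the port entirely."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if payload[:1] == b"\x13" and payload[1:20] == b"BitTorrent protocol":
        return "bittorrent"
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":  # TLS handshake record
        return "ssl"
    if _HTTP_REQ.match(payload):
        return "web-browsing"
    return "unknown-tcp"


# Constructed logon records in a simplified "timestamp user ip" form, standing in
# for the domain-controller logon events a User-ID style agent would collect.
LOGON_EVENTS = """\
2017-07-18T08:01:12 CORP\\alice 10.0.0.15
2017-07-18T08:03:40 CORP\\bob 10.0.0.22
2017-07-18T08:10:05 CORP\\alice 10.0.0.31
"""


def build_user_map(events: str = LOGON_EVENTS) -> dict:
    """Map source IP -> last user seen logging on from it."""
    mapping = {}
    for line in events.splitlines():
        _ts, user, ip = line.split()
        mapping[ip] = user
    return mapping


# Rulebase: (user, application, action); first match wins, implicit deny at the end.
POLICY = [
    ("CORP\\alice", "ssh", "allow"),  # only alice may use SSH
    ("any", "web-browsing", "allow"),
    ("any", "ssl", "allow"),
    ("any", "bittorrent", "deny"),
]


def evaluate(flow: Flow, user_map: dict) -> tuple:
    """Return (user, app, action) for a flow under the user/app rulebase."""
    app = identify_app(flow.payload)
    user = user_map.get(flow.src_ip, "unknown-user")
    for rule_user, rule_app, action in POLICY:
        if rule_user in ("any", user) and rule_app == app:
            return user, app, action
    return user, app, "deny"


def port_based_verdict(flow: Flow) -> str:
    """What a classic port/protocol firewall with 80 and 443 open would decide."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


# Constructed sample flows: everything arrives on port 80, the "open gate".
SAMPLE_FLOWS = [
    Flow("10.0.0.31", 80, b"SSH-2.0-OpenSSH_7.4\r\n"),                     # alice, SSH over 80
    Flow("10.0.0.22", 80, b"SSH-2.0-OpenSSH_7.4\r\n"),                     # bob, SSH over 80
    Flow("10.0.0.22", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),       # torrent over 80
    Flow("10.0.0.15", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # real web traffic
]


if __name__ == "__main__":
    users = build_user_map()
    for f in SAMPLE_FLOWS:
        print(f"{f.src_ip}:{f.dst_port} port-based={port_based_verdict(f)} "
              f"app-aware={evaluate(f, users)}")
```

Run as a script, every sample flow is allowed by the port-based check, while the app-aware rulebase lets alice's SSH and the ordinary web request through and denies bob's SSH and the torrent handshake, even though all of them arrive on port 80. The last-logon-wins mapping is deliberately naive; a real deployment also has to expire stale mappings and cope with shared addresses, as noted above.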
§ Classic firewalls are not enough anymore
Palo Alto Networks analyzed network traffic in more than 5,500 companies: 2,100 applications, over 50 PB (petabytes) of data and 16,000 unique threats were detected. The results were published at www.paloaltonetworks.com/autr; the most important findings for our region, EMEA, are summarized here.
The EMEA part of the analysis covered 1,500 organizations, 1,700 applications, 7.6 PB of traffic and about 4,750 threats. What is clear even without the analysis is that Internet use has evolved: beyond ordinary surfing there are various e-mail clients and systems, social networks, remote-access tools, file exchange and storage services, chat, voice and everything else. Some of these applications are used equally for personal and business purposes. In Europe the most common are data-sharing applications such as e-mail, file sharing, IM and social networking. It is striking that 27% of these applications are used to deliver threats, yet only 5% of them are detected! For file sharing alone there are 165 applications (82 browser-based, 49 client/server and 34 P2P, peer-to-peer), roughly 21 file-sharing applications per enterprise. Do we really need that many applications for the same job? The same story applies to video: 118 variants, 26 per company.
A small number of applications carries most of the malware activity: almost 99% of threats arrived through a single application. The ten most common threats in the EMEA region came through WebDAV, MS Exchange, FTP, POP3, Facebook-base, MS Docs/Lync, Twitter-base and SMTP. Exploit attempts show a similar picture: 97% of them were found in just 10 applications.
The analysis found that 30% of applications use SSL, a high share, most often for file sharing, chat (IM) and social networking. The problem with SSL is that classic systems cannot inspect it, so there is no way to tell whether it carries malicious code. TeamViewer is a good example: a remote-access and remote-support tool that is very common here as well (present in 75% of European networks). TeamSpy, the malware that hides behind a modified TeamViewer client, uses the same protocol and the same communication pattern. Are you sure the traffic you attributed to TeamViewer is not actually TeamSpy?
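As an added example (not code from this page or from Palo Alto Networks), here is what an inspector can still learn about an SSL/TLS session without decrypting it: the server name (SNI) carried in the ClientHello. The parser follows the TLS 1.2 record and handshake layout; `build_client_hello()` and the host names are constructed test input, and `classify_ssl()` is an illustrative label format, not a vendor's.

```python
# Added example, not Palo Alto Networks code: parse the server_name (SNI)
# extension out of a TLS ClientHello. This is the most an inspector can learn
# about an SSL/TLS session without decrypting it. build_client_hello() produces
# constructed test input following the TLS 1.2 record/handshake layout.
import struct


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI entry."""
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # NameType host_name
    sni_body = struct.pack("!H", len(name_entry)) + name_entry    # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body    # extension type 0
    extensions = struct.pack("!H", len(ext)) + ext
    hello = (b"\x03\x03" + b"\x00" * 32   # client_version, random (zeros for the test)
             + b"\x00"                    # empty session id
             + b"\x00\x02\xc0\x2f"        # one cipher suite
             + b"\x01\x00"                # null compression
             + extensions)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if the
    bytes are not a ClientHello, are truncated, or carry no server_name."""
    if len(data) < 5 or data[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # not a ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                  # skip version and random
    if len(hello) <= pos:
        return None
    pos += 1 + hello[pos]                         # session id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
    if len(hello) <= pos:
        return None
    pos += 1 + hello[pos]                         # compression methods
    if len(hello) < pos + 2:
        return None
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(hello)):
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        edata = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0:
            continue
        lpos = 2                                  # skip ServerNameList length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            name = edata[lpos + 3:lpos + 3 + nlen]
            if ntype == 0 and len(name) == nlen:
                return name.decode("ascii", "replace")
            lpos += 3 + nlen
    return None


def classify_ssl(data: bytes) -> str:
    """Label an SSL flow the way a port-independent classifier might."""
    sni = extract_sni(data)
    if sni is None:
        return "ssl:no-sni" if data[:1] == b"\x16" else "not-ssl"
    return f"ssl:{sni}"


if __name__ == "__main__":
    record = build_client_hello("www.example.com")
    print(classify_ssl(record))                 # ssl:www.example.com
    print(classify_ssl(record[:20]))            # ssl:no-sni (truncated record)
    print(classify_ssl(b"GET / HTTP/1.1\r\n"))  # not-ssl
```

The SNI says where the session is going, not which program opened it, and it is client-supplied, so it may be missing or misleading; that is exactly the TeamViewer-versus-TeamSpy ambiguity raised above. To inspect the content itself, a firewall has to terminate and re-encrypt the session (SSL forward proxy) with a CA certificate the clients trust, which is the decryption capability the text attributes to the PAN devices.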