
Next Generation Firewalls: It's all about tuples

Next-generation firewalls have been around for several years but garnered little interest. That is changing now that first-generation firewalls are not keeping up.

IT professionals responsible for perimeter defenses are frustrated.

Case in point: Internet traffic of all shapes and sizes traverses port 80, so port 80 must remain open. Attackers know this, and port 80 becomes their private malware highway. Trucks full of malcode drive right past the checkpoint, because a port-based firewall can only check that a truck is on the right road, not what it is carrying.

There is hope

I'd like to introduce Next Generation Firewalls (NGFW): firewalls that identify the application carried in a connection and filter on that, rather than on port number alone. To continue the analogy, the trucks loaded with malcode can no longer drive past the checkpoint just because they are on the port 80 road.

Other features incorporated in NGFWs:

  • Enforce company policy: NGFWs can control which websites and online applications users may reach, as required by company policy.
  • SSL proxy: NGFWs can terminate an SSL/TLS connection, inspect the plaintext, and re-encrypt it toward the destination. This requires every client to trust a CA certificate controlled by the firewall, which mints a certificate for each site on the fly; it is a man-in-the-middle by design. Encryption stops hiding malware only on the flows the firewall actually decrypts; exempted traffic, and applications that pin their certificates and refuse the substituted one, remain opaque.
  • IDS/IPS: NGFWs incorporate deep packet inspection, to the point where vendors position them as replacing stand-alone IDS/IPS devices.
  • Active Directory friendly: many NGFWs can authorize application usage per user or per group, using identity mapped from the directory rather than from an IP address alone.
  • Malware filtering: NGFWs provide signature-based and reputation-based filtering to block known-malicious content and destinations with a bad reputation.


Vendors

Palo Alto Networks was the first company to offer an NGFW. For Palo Alto Networks' definition of NGFW requirements, see the white paper referenced in the slide above. Barracuda Networks, Juniper Networks, and WatchGuard also offer NGFW products.

N-tuple?

Just about every blog post I've read about NGFWs mentioned tuples. I had no idea what they were. Hopefully, you do. If not, here's what I found out.

An n-tuple is an ordered collection of n attributes. In the case of firewalls, those attributes are the packet fields a rule matches on, and n is a placeholder for how many there are. For example, a classic 5-tuple "firewall allow rule" matches on:

  • Source IP address
  • Source port (typically: any)
  • Destination IP address
  • Destination port (80 or 443)
  • Transport protocol (typically TCP or UDP, taken from the IP header's protocol field)

So, if the packet being inspected matches every attribute in the rule, the firewall applies the rule's action, here allow. Rules are evaluated in order, the first match wins, and on most firewalls a packet that matches no rule is dropped by an implicit deny at the end of the list.

Widening the 5-tuple

I thought I was "good to go" after figuring out what a tuple was. Then I read something about "widening the 5-tuple". Widen a tuple. Does that even make sense?

Let's see if it does.

As mentioned earlier, a first-generation firewall rule matches on a collection of 5 attributes, a 5-tuple. That is sufficient for stateful port and protocol inspection, Network Address Translation, and Virtual Private Network termination.

A 5-tuple rule set is not sufficient for NGFWs. Next Generation Firewalls need additional attributes, such as application type and user identity, in order to work as advertised. To understand why, consider the port 80 analogy one last time.

If it's discovered that the truck carrying malcode has an illegal license plate, the truck isn't going anywhere. The same applies to malcode: if its license plate, the "application type" attribute, does not match what the rule allows on that port, the malcode is blocked from continuing on.

Adding attributes such as application and user to a rule's match criteria, so that each rule is a 6- or 7-tuple rather than a 5-tuple, is what "widening the 5-tuple" means. The extra fields are attributes of the tuple, not tuples themselves.
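The following is an added example, not code from the article or from any vendor, that puts the 5-tuple section and the "widening" section above into one small policy engine. It evaluates the same constructed flows against a classic 5-tuple rule set and against a widened rule set whose rules also require an identified application and a user group. The application identifier is a deliberately crude stand-in for an NGFW's app classification; the addresses, user names and payloads are made up for illustration.

```python
# Added example (not from the article or any vendor): a toy policy engine that
# contrasts a classic 5-tuple rule set with a "widened" rule set that also
# matches on identified application and user. All names, addresses and
# payloads are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str                  # transport protocol: "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""        # first bytes the client sent on this connection
    user: Optional[str] = None  # identity mapped to src_ip (e.g. from AD logon events)


def identify_app(flow: Flow) -> str:
    """Crude stand-in for NGFW application identification: classify by what is
    actually in the stream, never by the destination port."""
    p = flow.payload
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") and b" HTTP/1." in p[:64]:
        return "web-browsing"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:  # TLS record: handshake, version 3.x
        return "ssl"
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown-" + flow.proto


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    proto: str = "any"                     # classic 5-tuple fields; None/"any" = wildcard
    src: str = "0.0.0.0/0"
    src_port: Optional[int] = None
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None
    app: Optional[str] = None              # widening attribute: identified application
    users: Optional[FrozenSet[str]] = None  # widening attribute: permitted user group

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if ip_address(flow.src_ip) not in ip_network(self.src):
            return False
        if ip_address(flow.dst_ip) not in ip_network(self.dst):
            return False
        if self.src_port is not None and self.src_port != flow.src_port:
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        if self.app is not None and identify_app(flow) != self.app:
            return False
        if self.users is not None and flow.user not in self.users:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Classic rule set: TCP from the LAN to anywhere on port 80 or 443 is fine.
CLASSIC_RULES = [
    Rule("allow-http-out", "allow", proto="tcp", src="10.0.0.0/8", dst_port=80),
    Rule("allow-https-out", "allow", proto="tcp", src="10.0.0.0/8", dst_port=443),
]

# Widened rule set: same 5-tuple, plus the stream must really be web browsing
# or TLS, and the browsing rule is limited to a staff group.
STAFF = frozenset({"alice", "bob"})
NGFW_RULES = [
    Rule("allow-web-out", "allow", proto="tcp", src="10.0.0.0/8", dst_port=80,
         app="web-browsing", users=STAFF),
    Rule("allow-ssl-out", "allow", proto="tcp", src="10.0.0.0/8", dst_port=443, app="ssl"),
]

# Constructed sample flows (hypothetical addresses and payloads).
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BROWSE = Flow("tcp", "10.1.2.3", 51000, "93.184.216.34", 80, HTTP_REQ, user="alice")
BEACON = Flow("tcp", "10.1.2.3", 51001, "203.0.113.9", 80,        # C2 beacon riding port 80
              b"\x00\x00\x00\x2a\x07\x01beacon-id=4f2c", user="alice")
SSH_ON_80 = Flow("tcp", "10.1.2.3", 51002, "203.0.113.9", 80,     # tunnel disguised as web
                 b"SSH-2.0-OpenSSH_9.6\r\n", user="alice")
GUEST = Flow("tcp", "10.9.9.9", 51003, "93.184.216.34", 80,       # right app, wrong user
             HTTP_REQ, user="mallory")


def compare(flow: Flow) -> dict:
    """Verdict of both rule sets for one flow, with the identified application."""
    return {"app": identify_app(flow),
            "classic": evaluate(CLASSIC_RULES, flow),
            "ngfw": evaluate(NGFW_RULES, flow)}


if __name__ == "__main__":
    for label, flow in [("browse", BROWSE), ("beacon", BEACON),
                        ("ssh-on-80", SSH_ON_80), ("guest", GUEST)]:
        print(f"{label:10s} {compare(flow)}")
```

The classic set allows all four flows, because each is TCP from the LAN to port 80. The widened set allows only the genuine browsing session by a staff user: the beacon is classified as unknown traffic, the SSH tunnel as the wrong application, and the guest as the wrong user. Note that the widened rules still carry the full 5-tuple; the extra attributes narrow what the rule accepts, they do not replace port matching.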

Confession time: I did not find a clear-cut explanation of how tuples relate to firewalls. But article after article mentioned tuples, so I jumped in. If my explanation is wrong, I hope the firewall and database admins who understand this better will bail me out.

Survey says

The Ponemon Institute just completed a survey of NGFWs for Sourcefire, Inc. The infographic (partially shown below) provides several interesting statistics, particularly what is driving interest in NGFWs and the percentage of respondents noticing performance degradation:

Final thoughts

The race toward sophistication between malware and antimalware continues. Stay tuned.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

24 comments
PhilM

"NGFWs are able to decrypt, inspect, and re-establish the encrypted SSL connection. This eliminates encryption as a method of hiding malware." So SSL traffic can be decrypted by something that isn't the recipient?

seanferd

But for whatever reason, FW devs decided to use the concept of tuple where other devs/engineers have not chosen to use it so much (excepting perhaps relational DB types). An n-tuple is a shopping list with n items on it, listed in some meaningful order if we follow a stricter definition. If the word itself puzzles you, think quintuplet. Regarding firewalls, an ordered list of rules is an amazingly useful thing when playing deny/allow with multiple sorts of incoming traffic. More than five rules to sort traffic is, put mildly, way past due. Actually, there have been more than five tuples in all sorts of firewalls forever, so I don't know what these "Next Gen" vendors are actually providing here. Better configuration? More flexible? Haz DB of o-fishilly okeydokey applicashunz so zero-conf-4-u? Or maybe the additional tuples can be moved up the list more effectively, as opposed to, say, existing only in port forwarding settings, making it more effective with apps using HTTP 80. The malware filtering itself sounds just like any other AV/AM solution. I can only assume the filtering is better, more-flexible, and more all-in-one in a single commercial device than what has come before. But tuple is just another bit of mathematical jargon used appropriately in the heavily maths-orientated world of information technology.

bboyd

Concept is well presented. How do these frame up against actual IT work load? I can imagine that is something similar to supporting email filters or white listing services. N-tuple has always been a buzzword to me, no change in attitude after reading. /smirk

bryon

It's not as scary as it sounds - well it is really. We've had a PaloAlto Networks pan4050 for several years and it allows extreme detail in what it can control. For example, the ssl decrypt rule we chose was to decrypt any ssl traffic except for the application called "ms-exchange" or "exchange-rpc" and also exclude any internet-sourced ssl web traffic to our own web server in the dmz. Since the firewall is aware of applications, we can choose what to do or not do with them. We don't say "nat these ports inbound for exchange to this server", we say "nat exchange app related packets to this server". The SSL decrypt basically works like this (MITM): 1. your enterprise already trusts your firewall's own ssl cert 2. the user goes to https://something 3. the firewall receives the cert from the internet host and presents its OWN cert to the user (which is accepted by way of enterprise trust) and still "green" in the address bar. 4. traffic is secured from user to firewall, and firewall to internet host, but plaintext on the firewall for it to do its magic. So I wouldn't necessarily call it decryption... although that sounds cool doesn't it? Realistically it's SSL re-encryption on the fly. But that doesn't sound as sexy in marketing materials. So, trust your IT staff because "all your packets are belong to us"

Michael Kassner

The light went on when I read quintuplet. Funny, as one that took years of Latin, I should have made the connection. As I mentioned elsewhere, I am wondering about the performance hit that NGFW are making. That will turn off lots of admins.

AnsuGisalas

Signature-based recognition is pretty much bankrupt in AV, so now it's moving on to FW? I don't get it. Since a firewall is upstream from execution, they can't use heuristics, but still... how much malware is actually circulated long enough in one compile to have a useful signature? Or are they talking about profiling the traffic, running source and target nodes against a signature of "bad places"? Or maybe they can make a signature that discovers "key-logger feed" or "screengrabber feed"? Very confused me. And if the firewall checks for alarming traffic patterns, shouldn't it also be talking to anti-malware apps? Otherwise the malware can just stick around and keep trying to phone home in various ways...

Michael Kassner

I am concerned about all the reports of performance degradation. DPI must be really intense. Guess we have a thing or two to learn from NSA. Tuple was new to me. I am more familiar with rule sets.

JCitizen

On the Barracuda I was looking at (I think), the NG Firewall F-101 looked good to me; it will be challenging affording the service fees though; almost $200 a year. Some of my clients wouldn't complain, however. 1 Gbps would be nice, but that is expecting Alice in Wonderland, I suppose. This is a bottom end model - so enterprise solutions would be much more capable. Sorry I'm so late to the discussion once again. I just can't get it together anymore! :(

seanferd

Perhaps NGFWs will become faster, and one could always place them only on, or configure the heavy security only for, networks or segments which really need the heavy protection. I can see where these might generate interest in BYOD networks as well.

seanferd

but the sigs may be applied to the deeply inspected packets, for one option. I haven't read up on how any particular vendor's device is supposed to operate. AVs, no matter where implemented, are like slightly leaky dikes. Good enough most of the time, but occasionally someone gets flooded a little.

Michael Kassner

I believe heuristics can work without execution. In my world that is what they are about. They look at the packets and make an assumption.

Neon Samurai

Anything that sits on the network and breaks end to end encryption (these perform an SSL man in the middle attack by design) makes me itch. From the business admin side; yeah, I want to be able to monitor traffic rather than be blinded by the encryption. From the home user side; I don't believe an ISP or any other intermediary has any business MITM'ing my encrypted traffic. I pay for a hole in the wall that provides 1s and 0s in and out not traffic monitoring or crappy rebranded AV software. In both situations I'm very vocal about eliminating use of clear-text protocols too. It's my own little self imposed damned if you do damned if you don't though admittedly.

AnsuGisalas

if what it does is compare the package content to a blacklist, then it might not be that bad of a hit... especially since a hardware firewall can have a quite powerful processor, and doesn't have to do all the other stuff a computer does. I wonder if hardware firewalls have video cards nowadays, if malware uses the video card for processing power, so should the defenses, right? Oh, oh, oh!!! I just realized one thing a DPI should definitely check for: if the system has been penetrated, the intruder will want to listen to the traffic on the network, so the firewall should definitely be comparing all outgoing packages with synchronous network activity, to make sure the systems guts don't spill out... that should be doable. Other things it should definitely watch for are password hashes... once they leave the building, the jig is up, so they should be on the outgoing blacklist too.

Michael Kassner

I'm looking into how much processing power DPI requires. I am thinking it's significant.

seanferd

Because we'll need a lot more luck to see fixes implemented than we'll need to see some fixes developed. I'll keep my fingers crossed as well. edit: "nore" is not a word.

Michael Kassner

I agree with your assessment. What I chuckle about is how many times the MitM happens along the path to the packet's destination. Another thing I wonder about is if packets from the same traffic stream are given different routes along the way.

Michael Kassner

With people like Dan Kaminsky and Moxie Marlinspike working on these problems, I am optimistic they can be resolved -- fingers crossed.

david.hunt

Firstly, it isn't transparent, but the uninitiated may not notice. Because the Proxy has to terminate the external site's HTTPS, but cannot use the External Site's SSL Certificate, it uses its own certificate but mimics the external site's information (it generates a dynamic internal certificate for each session). Thus while you will have a secure session, a look at the certificate details will reveal that it isn't for the site or signer that you expect. This was implemented where I work some years back and I have never conducted an Internet banking transaction via company systems since. I may not have a right to privacy, but my credentials for secure sites are sacrosanct. I don't need them in some log file floating around!!

Neon Samurai

Granted, monitoring the network seems counter to much of my opinion but it came down to this: owner monitoring traffic; good. outsider monitoring traffic; bad. My employer knowing what bits are flowing around, in and out of the company network is good. Knowing the bits inside my own home network is good. The gov (and by proxy, my ISP) knowing what bits are flowing around the networks I manage without probable cause and a warrant with equal justification to a meat-space search and seizure warrant is not good. (don't even get me started on SOPA; its previous incarnations and the likelihood of future incarnation attempts. The best government money can buy indeed.) But, your question just becomes scary in terms of government. If the technology is in the private sector, it's been in the state sector already even if it has been limited to the intelligence services' secret stash. Simply consider the fiasco that is the classic SSL certificate trust model; your browser will trust any traffic that the Chinese post office can re-route through its MITM node. Heck, any government entity with more than a single 486 in its home office will have a root level certificate or friendly CA it can rely on to sign whatever end certificate it likes. With how broken the model is, I'm rather surprised at how slowly Convergence authenticating nodes have been popping up. On my last check, there were only four of them available. (which reminds me that it's time to check in again.)

Michael Kassner

Just finally getting these abilities, makes one wonder how long the .govs have had them.