Events are taking place around us that have radically changed the structure of the offer on the IT products market. Despite the fact that some Western NGFWs continue to function, the sale and renewal of licenses has been suspended, many companies have been left without technical support, will not be able to receive updates to signature databases.
What will Russian vendors offer the customer in the current situation? Which NGFW functions are key, according to customers, and what requirements should they meet? Does our customer need an analogue or a complete copy of a well-known foreign solution, or a solution created taking into account the current needs of Russian organizations, said Sofya Khudyakova, Head of Product Analytics at RTK-Solar.
Blocking traffic from untrusted sources (firewall) is one of the basic and oldest network security technologies. The development of methods of hacking information systems, the emergence of new threats and vulnerabilities has been the driver of the development of data protection technologies and systems. Manufacturers are adding new security features to firewalls, solutions are becoming more complex and combine various tools. As a result, network protection systems have evolved into integrated NGFW class products – new generation firewalls.
A new generation firewall, NGFW is a multifunctional device, inside of which many necessary network security functions are implemented. In many companies, NGFW is the core of information security in terms of protection against perimeter network threats, since it includes most of the necessary services: filtering and deep traffic analysis, intrusion prevention, antivirus, VPN, and so on.
For a long time, most of the market needs were met by network security tools from the “big four”: Cisco, Fortinet, Palo Alto, Check Point. And it is not surprising, because the choice of solutions is influenced by: simplicity and breadth of configuration, high efficiency, convenient and intuitive interface, and Western solutions fully meet these requirements.
However, events are taking place around us that have radically changed the structure of the offer on the IT products market.
Despite the fact that some Western solutions continue to function, the sale and renewal of licenses has been suspended, many companies have been left without technical support, will not be able to receive updates to signature databases.
Updating signatures is especially critical for NGFW class solutions. After all, to ensure the security of the system, signatures are analyzed and compared with the current database. If the signature database is unavailable, when a new vulnerability appears, the firewall will not receive a signature and the network perimeter of the organization becomes vulnerable.
In the most negative scenario, the suspension of the operation of information security tools will not only lead to financial losses or damage to the reputation of the company, but may also cause production processes to stop, which is unacceptable for the organization.
What will Russian vendors offer the customer in the current situation? In which direction will the market for the development of domestic solutions develop? Does our customer need an analogue or a complete copy of a well-known foreign solution, or a solution created taking into account the current needs of Russian organizations?
At RTK-Solar, we strive to develop solutions together with our users in order to provide the most demanded functions in products that can solve the maximum of customers’ tasks. To get answers to the questions, our company conducted a study in which information security and IT specialists responsible for the selection and implementation of information security products and services talked about NGFW-class network security tools.
It is obvious that a high-quality solution is characterized by a combination of many factors, including not only the functionality of the product, but also qualified and fast technical support, performance, fault tolerance, certificate availability, optimal price-quality ratio. All these criteria are indisputably important and play a key role in deciding on the choice of NGFW in the organization. However, in this review we will consider only the functions of firewalls – which of them, according to our customers, are the key ones, and we will clarify with experts what requirements these functions should meet, how they should be arranged in order to quickly and efficiently solve user tasks.
WEB filtering
Traffic filtering functionality – restricting access to a specific list of resources that contain all solutions of this class. If we consider large companies with an extensive structure, more complex tasks may arise than just blocking certain resources. One of the traditional examples is managing access to social networks.
Usually, the company’s rules restrict access to social networks during working hours. But for the sales department, for example, you need access to the public – the official pages of organizations. Recruiters who are engaged in recruitment need to communicate with candidates in social networks, which means they need access to personal pages, as well as chats and correspondence opportunities in social network messengers. For marketing and PR services, social networks are generally a working tool, they need full access to social networks, including viewing and publishing media content.
In order to implement the work scheme described above with the help of a firewall, the correct solution should be able to:
Determine the organizational affiliation of the user.
To do this, the firewall must contain a module for interacting with the domain controller in order to ensure not only the mapping of the user’s IP address and its identifier, but also in one way or another (by periodic polling or by subscribing to alerts) to update the correspondence table between user ids and IP addresses that users are currently using. This will allow you to build rules based on users and departments, rather than IP addresses.
Maintain traffic categorization with the required level of detail.
The quality of detail is determined by the number of directory categories and the optimal level of nesting. In the example with social networks, it is necessary to classify traffic in such a way as to create rules for using social networks for different groups of users.
What other requirements should the “correct” categorization module meet?
Traffic Categorizer
The ideal categorizer in NGFW is the one that provides the desired result and does not require any intervention from the user. However, the world and the tasks of users are much richer and more diverse than any developer’s hypotheses about what a good set of product functions should be. Therefore, the right solution should provide a convenient interface for configuring the categorizer, for example, changing the category for a resource or manually adding the desired specific resource to the categorizer.
It is good if the solution supports the integration mechanism of the Roskomnadzor database – resources containing information whose distribution is prohibited in the Russian Federation. Of course, blocking unwanted sites, as a rule, occurs at the provider level, but in our practice there have been cases when it was important for customers to set up a blocking rule on their firewall.
In addition to traffic categorization, it is useful if the system supports content filtering, that is, it analyzes the content of the transmitted page by keywords, as well as changes to the content, if necessary, for example, cutting out advertising banners.
In order to reduce the amount of work on setting up filtering, a set of keywords for which traffic is checked must be supplied by the vendor “out of the box”. However, using the preset settings “directly” will not allow you to correctly solve all filtering tasks.
For example, when implementing NGFW for an educational institution, a categorizer rule was configured that includes blocking by the keyword “suicide”. As a result, not only unwanted content appeared in the block, but even sites that counter suicide, psychology sites, etc. It follows that a good categorizer should contain additional useful functions that simplify configuration, for example:
setting up the weighting factor (the filtering rule is triggered if the keyword occurs the specified number of times);
setting up exceptions (whitelist);
a directory containing policy objects. The directory is filled in by the administrator, resources and parts of the URL are manually registered. For example, you can add lists of your own resources to the directory. The directory makes it easier to set up a security policy and allows you to flexibly configure it.
So, the right approach to traffic categorization: nested categories, preset content filtering rules, flexible categorizer configuration capabilities will help provide the required level of filtering to solve the organization’s tasks.
IPS
The Intrusion prevention System (IPS) is the protection of the company’s internal resources from known network attacks “from the outside”. Some vendors supply the system as a separate product, which can be not only software, but also a hardware device that requires separate hardware. In this case, integration into the security system requires additional rack space to accommodate devices, organize a power source, and additional ports.
Most of the respondents in our study consider it necessary to have IPS “on board” the firewall.
Regarding the requirements for IPS functionality, all respondents note the availability and convenience of settings for signature management. What settings are needed and why is it important?
Signature Management