BUILDING A NEXT-GENERATION FIREWALL

Transcription

1 How to Add Network Intelligence, Security, and Speed While Getting to Market Faster INNOVATORS START HERE.

2 EXECUTIVE SUMMARY Your clients are on the front line of cyberspace and they need your help. Faced with new threats every day, their job is to keep their networks safe, secure, and fast. They look to you to help them accomplish their goal. That s why you need to make sure you are providing them with the tools to be successful when they need them. A next-generation firewall (NGFW) is one of those tools. Generally speaking, an NGFW needs to offer security and flexibility at a granular level with uncompromised performance to keep up with today s network needs. This means an NGFW needs to do more than execute instructions to block ports and specify which IP addresses you do and do not want to allow. Plus, including the NGFW in a dedicated device may not provide the agility needed to meet your client s demands, which is why deploying in software allows your solution to be more flexible and robust. In today s world, security needs to be much more sophisticated than ever before. The NGFW needs to be able to perform deep packet inspection (DPI) on all necessary packets, and not only recognize the applications driving the traffic (Skype, Netflix, etc.) but also look for complex patterns. With this information it must prioritize and in some cases deny access based on things like user, location, and packet signature. The NGFW also needs to be able to learn what to allow and what to block in the future. On top of all this, it needs to be fast, and be able to scale. Even though the level of data inspection required is significant, the network must still be able to maintain high performance. TABLE OF CONTENTS Executive Summary... 2 Match the Pattern, Adjust the Flow... 3 Fewer Steps for Higher Performance Additional Functions and Considerations Wind River Intelligent Network Platform Conclusion White Paper

3 So how do you accomplish all this? To add security and intelligence to your client s network without compromising performance, your system needs to allow for the following: Consolidation of services and applications for the benefit of having a more comprehensive solution Consolidation of technologies for the benefit of better overall performance Integrated policy enforcement Ability to scale In addition to the elements above, time-to-market is critical. An important question network security appliance providers need to ask themselves is, What do I make and what do I buy? And how do you keep it current, in this ever-changing landscape? This paper discusses these issues and offers a solution for a technology stack to achieve these benefits. MATCH THE PATTERN, ADJUST THE FLOW In addition to performing all the functions of a traditional firewall, some of the key features of an NGFW as defined by Gartner are integrated deep packet inspection, intrusion detection, application identification, and granular control. An NGFW needs DPI capabilities to extract huge amounts of data, quickly, in order to make informed decisions and take action. Some of the things the appliance needs to know are: What application is this? What user is this? What website is the user visiting? What can I learn about the individual packets? As part of the DPI process, the data will go through a pattern matching function. Effective pattern matching is the ability to match large groups of regular expressions against blocks or streams of data; in this case, to identify malware. The data is matched against a rules database provided by DPI and security experts in order to conclude whether the flow is good or malicious. If it s malicious, the NGFW will block it, reroute it to a trusted zone, or forcefully terminate it. If it s good, the NGFW will determine and apply quality of service (QoS) policies to the block or stream as needed (e.g., bandwidth issue, service guarantee). This process of data extraction, analysis, and pattern matching is where the heavy lifting will occur in your device, so the DPI tool needs to be robust and efficient. Almost every security tool built for specific functions such as intrusion prevention systems (IPS), stateful firewalls, data loss prevention, antivirus, web application firewalls (WAF), and so on requires pattern matching. Many still suffer from a significant overhead, which compromises performance. FEWER STEPS FOR HIGHER PERFORMANCE Beyond pattern matching, your appliance needs to have awareness of what applications are flowing or attempting to flow through your system. For that you must have a way to compare the traffic flows with known sites, applications, and protocols such as http, https, and tcp. With this awareness, your appliance can understand data coming through and can then systematically take action, such as dropping certain packet types once they are identified, or cutting off a flow completely if malware is discovered, without the need for further DPI. It s important to ensure your tool is referencing a comprehensive list of applications and actively updating to stay current. By learning the behavior of the network, you can better handle advanced persistent threats (APTs) through tracking and being aware of anomalies. But trouble occurs when you have multiple checkpoints along the way to extract, analyze, and take action on this data. The DPI function described above, when deployed in traditional systems, may involve examining each packet multiple times using different engines. This sort of inefficient flow requires multiple cycles, adds latency, and causes a severe bottleneck. For example, you may have a QoS entity go through all the QoS algorithms and determine you need to apply x amount of bandwidth for that flow, only to discover you need to drop that flow once it runs through the IPS. But it doesn t have to be that way. A better approach is to consolidate the logic, and combine outputs from several services into a single-pass architecture to increase the performance. By consolidating the logic and applying a cascading mechanism, a security company could apply its signature databases (for application awareness, malware identification, and partially even for APTs, Zero Day attacks, network abnormalities, etc.) all at once 3 White Paper

4 to a pattern matching engine, an application ID engine, and other plugins, depending on what you elect to put in the cascade. In order to maximize performance, you accumulate information relating to multiple security functions, and then analyze all the results together and provide comprehensive contextual security (i.e., enforcement) by dropping flows, blocking applications, prioritizing data streams, and so on. Extensibility: Cyber crime is anything but static. And in response to the ever-evolving methods used by cyber criminals, new security services appear all the time. You must be able to frequently, and seamlessly, augment an existing security service chain with new services as they become available. What about denial of service attempts? The appliance can t protect the network if it succumbs to an attack. So as much as the NGFW needs to protect the network, it also needs to protect itself. Ingress Network Traffic Classifier Flow 1 Flow 2 Flow 3 Flow 4 Flow 5 Protocol Identifier HTTPS IM VoIP Proprietary Video Decrypt HTTP Application Identification Web P2P Flow Analysis Engine Classification Protocol ID Application ID Content Inspection Engine Pattern Matching - Fixed String; RegEx; Signature DB Application Acceleration Engine Throughput Security Latency Figure 1: Network acceleration, deep packet inspection, and packet identification in one system ADDITIONAL FUNCTIONS AND CONSIDERATIONS In addition to the core DPI capabilities discussed above, there are a few more supporting functions that are worth mentioning: Encryption and decryption: Some traffic is sensitive and therefore needs to go through a process of encryption and/or decryption, depending on the flow direction and the data. Whether the data needs to be encrypted so those who are unauthorized cannot understand it, or it needs to be decrypted back to its original form, this process needs to happen quickly. Ideally you would be able to accelerate the offloading of the tasks of encrypting and decrypting sensitive traffic. Hitless updates: Updating the security database on the fly is key to any security system. Chances are your clients can t afford to take their systems offline in order to install an upgrade. Pluggable architecture not only is straightforward and dependable, but also makes the task of updating the database amount to replacing one plugin instance with another one. And where is the ideal place to put it? And how do you design your solution once, and leverage it across multiple products, large or small? By implementing DPI in software, you can put it anywhere, and scale it to the size you need. Whether you are creating a dedicated physical device or are putting your services in the cloud, software is flexible enough to go where you need it. WIND RIVER INTELLIGENT NETWORK PLATFORM Clearly there is much to consider when building an NGFW. Building a robust DPI tool that can perform the functions described in this paper takes time and considerable expertise. The question is, how do you want to differentiate your product based on the DPI infrastructure? Or is your secret sauce in the business intelligence in your application layer? In other words, does it make sense for you to spend your time fine-tuning a DPI engine, or could you focus your efforts on your innovative, transformative business intelligence apps and get your product on the market much sooner by using an existing, extensible framework that provides the tools you need? 4 White Paper

5 Wind River Intelligent Network Platform is a DPI and packet acceleration framework that provides security, intelligence, and performance to next-generation physical or virtual network security appliances. It is a fully scalable, software-based platform that can be used as a separate virtual network function with or without service chaining. DPI comes in two forms: communications DPI (flow classification), and security DPI (pattern matching). Most DPI implementations provide one or the other. Intelligent Network Platform has them both, integrated into one solution that also includes packet acceleration. Wind River Application Acceleration Engine leverages the Intel Data Plane Development Kit (Intel DPDK) to accelerate networking applications, protocols, and security components such as DPI. Intelligent Network Platform s unique combination of DPI and packet acceleration capabilities offers multiple benefits, including substantial performance gains for layer 3 packet throughput and layer 4 protocol over the native Linux network stack. Using best-of-breed tools, our software is optimized for real-life scenarios where you may have millions of concurrent flows and high volumes of traffic and make no mistake, software does TCP Performance QoS Performance IP-forwarding not equal slow. In fact, we provide the means for processing the traffic, extracting data, and matching the enormous number of conditions you need to match against the traffic, five times faster than standard Linux-based in-house alternatives. Your code is then responsible for taking this data and applying the security rules to arrive at a conclusion. Once that conclusion is made, you translate the conclusion into policy enforcement (e.g., block pass, regulate.) From there, it comes back to our tools to direct the traffic as needed. In addition to an NGFW, Intelligent Network Platform integrates into a broad array of security devices, including those built on dedicated hardware or deployed in the cloud. Integrating Intelligent Network Platform into your security device gives you a one-of-a-kind DPI solution that offers maximum flexibility and future-readiness through a pluggable architecture and servicechaining support. And our best-in-class infrastructural algorithms ensure that we achieve this while maintaining high performance. CONCLUSION The needs of your clients are evolving. This means you need to evolve with them by offering sophisticated tools to help them keep their networks secure, while maintaining optimal performance. Wind River Intelligent Network Platform gives you a comprehensive, high-performance DPI and packet acceleration solution that is ready to deploy today. Leveraging Intelligent Network Platform allows you to focus on your unique value, which means you can meet your clients needs by getting a higher quality product to market faster. To learn more about Wind River Intelligent Network Platform, please visit or call WIND ( ). 0% 200% 400% 600% 800% 1000% 1200% Figure 2: Percent improvement vs. native Linux Wind River is a world leader in embedded software for intelligent connected systems. The company has been pioneering computing inside embedded devices since 1981, and its technology is found in more than 1 billion products. To learn more, visit Wind River at Wind River Systems, Inc. The Wind River logo is a trademark of Wind River Systems, Inc., and Wind River and VxWorks are registered trademarks of Wind River Systems, Inc. Rev. 05/2014