In recent days I have visited several customers to talk about technology trends for 2012. On that occasion I decided to collect all the articles written in my blog concerning Advanced Persistent Threats and related technologies in a single, very short presentation, which I then uploaded to SlideShare. Feel free to take a look at it as a reference. My perception is that next year we will often hear talk about APTs and NG-IPS (and, more generally, about context-aware security technologies).
- Next-gen Context Aware Intrusion Prevention (blogs.gartner.com)
Advanced Persistent Threats are changing the information security paradigm, and Next Generation IPSs will probably be, together with SIEM, the new weapons in the hands of information security professionals for stopping this new category of threats, which are proving to be the real nightmare for CISOs in this troubled 2011.
If you have just learned what a Next Generation Firewall is, you will probably be a little disappointed to learn that it is not the last frontier of information security (as many security firms claim). Instead, the growing impact and influence of APTs, which are threats acting on different layers (user, network and application), on different timeframes and on different portions of the network, are redesigning the network security paradigm: they require additional intelligence at the perimeter and shift the game to a context-aware model, in order to provide the holistic view that is necessary to stop them.
Now let us suppose we make a brand new information security recipe, taking the main features of a NGF (user awareness and application awareness), the main features of a Firewall (access control) and the main features of an IPS (protocol awareness and vulnerability awareness), blending them in a virtual pot and adding a little bit of reputation (for instance obtained from a globally distributed network of sensors) and other features such as geo-location, application heuristics and, last but not least, an application anomaly detection engine (which is completely different from a traditional protocol anomaly engine). You will obtain a new information security dish: the Next Generation IPS, a new class of devices that likely represents the near future of network security.
NG-IPSs are characterized by two main features:
- They shift the enforcement of security policies from a content-based to a context-based model (where the context is defined by the interaction of users with applications);
- They leverage new technologies such as reputation and geo-location to provide the holistic view necessary to stop APTs.
So what should we expect at the perimeter? The traditional Firewall and IPS (or UTM) will likely be replaced by the NG-IPS, while specific “vertical” security devices, such as the Web Application Firewall, will remain in place in strategic portions of the network (just in front of Web farms) to protect specifically Web (read HTTP and HTTPS) applications. As you may see from the following table, a NG-IPS encompasses all the features of the “old” technologies plus new features enabled by the growing adoption of reputation and cloud-based services.
Since the WAF will follow a parallel and co-existing path, in the meantime I recommend that you read my Q&A on Next-Gen and Web Application Firewalls.
- Next Generation Firewalls and Web Applications Firewall Q&A (paulsparrows.wordpress.com)
If I ask an averagely skilled information security professional what a firewall is, I am pretty sure that he will be able to answer my question and describe in great detail concepts such as packet filter, application proxy and stateful inspection.
I am afraid the situation would be completely (and dramatically) different if I decided to ask him what a Next Generation Firewall (abbreviated as NGF and sometimes also referred to as Application Firewall) is and, most of all, what a Web Application Firewall (abbreviated as WAF) is and how it differs from a traditional UTM or Firewall, or from a Next Generation Firewall.
Although NGF and WAF are becoming quite familiar to information security professionals (their presence is constantly growing, in parallel with the growing skill of the average user, who is more and more aggressive in circumventing the traditional security bastions, and with the growing sophistication of Web threats and the consequent influence of compliance, think for instance of PCI-DSS, on the design of a security infrastructure), confusion reigns and, from my experience, I can state without fear that too many professionals and end-users confuse and overlap Next Generation and Web Application Firewalls.
In the case of an Application (AKA Next Generation) Firewall and a Web Application Firewall, a single adjective (Web) is a little thing, but it makes a huge difference. I will try to explain why with this quick Q&A.
Q: What is a next generation firewall?
A: A Next Generation Firewall (aka Application Firewall) is a security device, an evolution of the stateful firewall, that is application aware, i.e. capable of recognizing and blocking applications according to specific patterns and fingerprints peculiar to the application itself. Its security paradigm is to prevent users from bypassing the layer of defense by means of consolidated methods such as mapping a malicious application onto standard ports known to be accepted, or using anonymizing proxies (such as the well-known Tor). Unlike a traditional firewall, which enforces access control by means of the “IP Address – Port/Protocol” paradigm, a Next Generation Firewall enforces the “user – application” paradigm: in a traditional firewall security model, policies allow or deny specific protocols for specific IP addresses; in an application firewall security model, policies allow or deny specific applications for specific users, authenticated against external repositories (Active Directory, LDAP or RADIUS). Of course Single Sign-On is also possible (for instance with Active Directory).
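As an added example (not part of the original post, nor any vendor's code), the following Python sketch contrasts the two policy paradigms just described, and the context-based model of the NG-IPS section above: a port/protocol rule base and a user/application rule base are applied to the same flows. The IP-to-user mapping, the application signatures and the sample flows are all constructed for the illustration; a real NGF learns the user from AD/LDAP/RADIUS authentication events and carries thousands of application fingerprints.

```python
from dataclasses import dataclass

# Constructed identity mapping: IP -> (user, group). A real NGF builds this
# from Active Directory / LDAP / RADIUS authentication events (assumption).
IP_TO_USER = {
    "10.0.0.11": ("alice", "staff"),
    "10.0.0.12": ("bob", "admins"),
}

# Constructed payload signatures standing in for application fingerprints.
APP_SIGNATURES = [
    (b"\x13BitTorrent protocol", "bittorrent"),
    (b"SSH-2.0-", "ssh"),
    (b"GET ", "web-browsing"),
    (b"POST ", "web-browsing"),
    (b"\x16\x03", "ssl"),  # TLS record header; real devices also use SNI/certificates
]


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    proto: str
    payload: bytes  # first bytes of the client-to-server stream


def identify_app(payload: bytes) -> str:
    """Return the application name for the first matching fingerprint."""
    for signature, app in APP_SIGNATURES:
        if payload.startswith(signature):
            return app
    return "unknown"


# Traditional rule base: (proto, dst_port, action); first match wins,
# None is a wildcard port.
PORT_RULES = [
    ("tcp", 80, "allow"),
    ("tcp", 443, "allow"),
    ("tcp", 22, "allow"),
    ("any", None, "deny"),
]

# Application-aware rule base: (group, application, action); first match wins.
APP_RULES = [
    ("any", "bittorrent", "deny"),   # P2P is denied for everybody
    ("admins", "ssh", "allow"),      # only admins may use SSH
    ("any", "ssh", "deny"),
    ("any", "web-browsing", "allow"),
    ("any", "ssl", "allow"),
    ("any", "any", "deny"),          # unidentified applications fall through to deny
]


def port_policy(flow: Flow) -> str:
    """IP address - port/protocol paradigm: the payload is never looked at."""
    for proto, port, action in PORT_RULES:
        if proto in ("any", flow.proto) and port in (None, flow.dst_port):
            return action
    return "deny"


def app_policy(flow: Flow) -> str:
    """User - application paradigm: resolve the user, identify the app, then match."""
    _user, group = IP_TO_USER.get(flow.src_ip, ("unknown", "unknown"))
    app = identify_app(flow.payload)
    for rule_group, rule_app, action in APP_RULES:
        if rule_group in ("any", group) and rule_app in ("any", app):
            return action
    return "deny"


def compare(flows):
    """Evaluate each flow under both paradigms: [(port_verdict, app_verdict), ...]."""
    return [(port_policy(f), app_policy(f)) for f in flows]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", 80, "tcp", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # BitTorrent handshake mapped onto 443 so that it looks like HTTPS
    Flow("10.0.0.11", 443, "tcp", b"\x13BitTorrent protocol" + b"\x00" * 8),
    Flow("10.0.0.11", 22, "tcp", b"SSH-2.0-OpenSSH_8.9\r\n"),  # staff user on SSH
    Flow("10.0.0.12", 22, "tcp", b"SSH-2.0-OpenSSH_8.9\r\n"),  # admin on SSH
]

if __name__ == "__main__":
    for flow, (by_port, by_app) in zip(SAMPLE_FLOWS, compare(SAMPLE_FLOWS)):
        print(f"{flow.src_ip} -> tcp/{flow.dst_port} {identify_app(flow.payload):13s} "
              f"port-policy={by_port:5s} app-policy={by_app}")
```

The port-based rule base allows all four flows, because each one lands on an accepted port; the application-aware rule base denies the BitTorrent handshake hiding on 443 and the SSH session from a non-admin user. Two caveats a practitioner should keep in mind: payload-prefix matching is defeated by encrypted or obfuscated protocols, which is why real devices fall back to TLS handshake metadata or decryption, and letting unidentified applications fall through to deny is the safer default but needs tuning before it survives contact with production traffic.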
Q: What is a web application firewall?
A: A Web Application Firewall is a security device whose main task is to protect web portals and web applications by inspecting the XML/SOAP semantics of the flowing traffic and by inspecting HTTP/HTTPS for typical layer 7 attacks such as SQL Injection, Buffer Overflow, Cross Site Scripting (XSS), File Inclusion, Cookie Poisoning, Schema Poisoning, Defacement, etc. Web application firewalls also provide protection against DDoS but do not enforce access control in the traditional meaning of the term. They only protect the server farm behind them, adopting signature-based or anomaly detection algorithms but, unlike a network IPS, they focus on HTTP/HTTPS. They act as a proxy and, because of their ability to inspect HTTPS traffic (by importing the certificate and private key of the target server), they may also perform other functions such as SSL offloading and server load balancing. Also important: a web application firewall does not inspect (and should not allow) traffic other than HTTP/HTTPS.
Q: What is the difference between a NGF and a WAF?
A: This is the million dollar question: a NGF is a user- and application-oriented firewall, a WAF is a server- and HTTP/HTTPS-oriented security device (no, I cannot call it a firewall). They are very different as far as their role and deployment are concerned: usually the best deployment for a NGF is to protect outgoing traffic from misuse by users; the only deployment for a WAF is in front of the target server farm, to protect incoming HTTP/HTTPS traffic. The typical location for a WAF is in a dedicated DMZ, and necessarily behind a traditional firewall that denies all traffic other than HTTP/HTTPS.
Q: I want to deploy a NGF, do I need to deploy it in conjunction with a traditional firewall?
A: It depends. Although the original NGFs were conceived as dedicated devices, preferably deployed in conjunction with a “traditional” stateful firewall, the current technology trend is to bring application control features on top of stateful inspection (and UTM) functions, so definitely nearly all security vendors are now able to provide application control as a native function or with additional licenses. After all, application control is essentially stateful inspection brought up to layer 7 of the ISO/OSI model (at this link there is an interesting comparison of the different implementations).
Q: I want to deploy a WAF, do I need to deploy it in conjunction with a traditional firewall?
A: Absolutely yes. A WAF does not provide access control, nor is it capable of checking protocols other than HTTP/HTTPS (by default it does not even forward them).
Q: I have an IPS, do I need a WAF as well?
A: A traditional network IPS scans all the traffic on the network, so it cannot have the same granularity and depth for HTTP/HTTPS threats as a WAF. A good comparison is made in this article by SANS, which states, among other things: where IPSs interrogate traffic against signatures and anomalies, WAFs interrogate the behavior and logic of what is requested and returned. A WAF acts as a reverse proxy (although, like an IPS, several WAF technologies may also operate in a passive, monitoring-only mode), whereas an IPS typically listens to traffic in transparent mode.
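To make the WAF definition above and the IPS/WAF distinction concrete, here is an added example in Python (not from the original post and not any vendor's product): a minimal WAF-style inspector that parses the HTTP request, decodes the parameters before matching attack signatures, checks each parameter against a profile of what the application expects (a positive security model, the "logic of what is requested" part) and inspects the response for database error leakage (the "what is returned" part). Alongside it, a raw-bytes signature check shows what a protocol-agnostic IPS would see. The attack signatures, the per-path profile and the sample requests and response are all constructed for the illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed attack signatures (a real WAF ships thousands, plus a learned model).
SQLI_PATTERNS = [re.compile(p, re.I) for p in (
    r"'\s*or\s+\d+\s*=\s*\d+",   # ' OR 1=1
    r"union\s+select",
    r";\s*drop\s+table",
)]
XSS_PATTERNS = [re.compile(p, re.I) for p in (
    r"<script\b",
    r"javascript:",
    r"\bon\w+\s*=",              # onerror=, onload=, ...
)]
# Error strings that should never reach a client (information leakage).
RESPONSE_LEAK_PATTERNS = [re.compile(p, re.I) for p in (
    r"You have an error in your SQL syntax",
    r"ORA-\d{5}",
    r"Unclosed quotation mark",
)]
# Positive security model: expected parameters per path and their allowed shape.
# A learning WAF derives this from normal traffic; here it is constructed.
PROFILE = {
    "/product": {"id": re.compile(r"^\d{1,6}$")},
    "/search": {"q": re.compile(r"^[\w .-]{1,64}$")},
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, decoded parameters)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    head_text = head.decode("latin-1")
    method, target, _version = head_text.split("\r\n")[0].split(" ", 2)
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if method == "POST" and "application/x-www-form-urlencoded" in head_text.lower():
        params.update(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return method, url.path, params


def raw_signature_match(raw: bytes) -> list[str]:
    """What a protocol-agnostic IPS sees: signatures against the undecoded bytes."""
    text = raw.decode("latin-1")
    return [p.pattern for p in SQLI_PATTERNS + XSS_PATTERNS if p.search(text)]


def inspect_request(raw: bytes) -> list[str]:
    """WAF view: decode, normalise, then match signatures and the positive model."""
    _method, path, params = parse_request(raw)
    findings = []
    profile = PROFILE.get(path, {})
    for name, value in params.items():
        value = unquote_plus(value)  # second decode defeats double-encoding (%2527)
        if any(p.search(value) for p in SQLI_PATTERNS):
            findings.append(f"sqli:{name}")
        if any(p.search(value) for p in XSS_PATTERNS):
            findings.append(f"xss:{name}")
        if profile and name not in profile:
            findings.append(f"unexpected-param:{name}")
        elif profile and not profile[name].match(value):
            findings.append(f"profile-violation:{name}")
    return findings


def inspect_response(body: bytes) -> list[str]:
    """Response-side check: flag database errors leaking to the client."""
    text = body.decode("latin-1", "replace")
    return [f"leak:{p.pattern}" for p in RESPONSE_LEAK_PATTERNS if p.search(text)]


# Constructed sample traffic.
BENIGN = b"GET /product?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
ENCODED_SQLI = b"GET /product?id=42%27%20OR%201%3D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
DOUBLE_ENCODED_XSS = (b"GET /search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1\r\n"
                      b"Host: shop.example\r\n\r\n")
EXTRA_PARAM = b"GET /product?id=42&debug=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
LEAKY_RESPONSE = (b"HTTP/1.1 500 Internal Server Error\r\n\r\n"
                  b"<h1>You have an error in your SQL syntax; check the manual</h1>")

if __name__ == "__main__":
    for req in (BENIGN, ENCODED_SQLI, DOUBLE_ENCODED_XSS, EXTRA_PARAM):
        print(req.split(b"\r\n")[0].decode(), "| raw:", raw_signature_match(req),
              "| waf:", inspect_request(req))
    print("response:", inspect_response(LEAKY_RESPONSE))
```

The raw-bytes check misses both the URL-encoded injection and the double-encoded script, while the decoded view flags them, and the profile catches the unexpected `debug` parameter without any signature at all. Two caveats: blind repeated decoding can itself create false positives on legitimate data that happens to contain percent signs, and a learned profile must be refreshed whenever the application changes, or normal traffic starts to look like an attack. Inspecting HTTPS this way requires the WAF to terminate TLS with the server's certificate and key, as noted above.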
Q: So definitively when do I need to deploy a NGF and when do I need to deploy a WAF?
A: Deploy a NGF when you want to protect your network from misuse by users, avoiding bandwidth hogging and the use of insecure applications which could bring malware inside the organization. Deploy a WAF, in conjunction with a traditional Firewall, IPS or UTM, when you have to protect your web applications (and, partially, also the back-end databases) from HTTP/HTTPS threats.
So, in the end, if you need to enhance your security level you will not have to choose between a WAF and a NGF, but simply decide which is the best device according to your needs. In this case the following table may be helpful!
In the wake of the infamous LizaMoon attack, which has flooded an impressive number of databases all over the world with SQL injection, infecting more than 1,500,000 URLs according to Google Search, the next frontier of information security to which security vendors are likely to move is the branch of application security. The latest vendor in order of time to make an acquisition (just a couple of days before LizaMoon was detected) was Intel McAfee, which decided to enter the database security market (estimated at more than $600 million in 2012) by acquiring Sentrigo, a Santa Clara based company focused on database security, former member of the SIA Technology Partnership Program (McAfee Security Innovation Alliance) and currently linked to McAfee by an OEM partnership.
The red infosec colossus of Santa Clara is just the latest player to enter this market, following the example of IBM, which has offered a complete application security solution since 2009, thanks to the acquisitions (in strict chronological order) of DataPower (Web Application/XML Security), Ounce Labs (Code Analysis) and Guardium (Database Security). A set of solutions which form respectively the WebSphere, Rational and InfoSphere Guardium security solutions.
McAfee and IBM are accompanied by Fortinet, another important security player which has been active in this field for some years. Fortinet has been investing in database and application security since 2006 and, even if it lacks a code analysis solution, it offers a portfolio which extends up to the database (scanning and monitoring) level, through the acquisition of IP-Locks, and up to the XML/Application Firewall level, thanks to its FortiWeb appliances.
As you may notice, the three examples above are particularly telling of how security is now converging towards application security. Although McAfee, Fortinet and IBM have very different backgrounds, they are converging on a comparable application security offer: McAfee approached the problem from endpoint security, which is its historical strength, IBM from content security, since its adventure in security started with the acquisition of ISS, and finally Fortinet from network security, well represented by its FortiGate appliances.
According to my personal model, the complete cycle of application security moves on four levels: training of developers is the first level and the necessary foundation upon which an application security project is built. Where the ability (and security awareness) of developers does not reach, Vulnerability Assessment/Penetration Testing (second level) may be enforced to check the security level of the applications. If we move to a more “technological” plane there are two more levels: they consist respectively of Code Analysis (a preventive measure) and XML/Application/Database security solutions implemented with dedicated software or appliances (an infrastructural measure). Please consider (an aspect which is not secondary) that these kinds of solutions are also driven by increasingly stringent regulations, such as PCI-DSS, and emerging “de facto” standards such as OWASP (Open Web Application Security Project).
If IBM is currently the only vendor to cover the three areas of application security (code analysis, XML/Web application security and database security), in addition to McAfee and Fortinet there are other vendors at the door, looking at this market with great interest, starting from Cisco Systems, endowed with a great ability to execute but currently focused primarily on its network-centric approach by means of its ACE family of XML Firewalls, and HP which, even if it currently lacks an XML/WAF or Database Security solution, is approaching the world of Application Security starting from code analysis thanks to the acquisition of Fortify, considered by many observers the market leader in this field.
Actually, alongside these vendors there are more players which, even if more focused on network security, nevertheless look carefully at this market by offering niche solutions, as is the case, for instance, with Check Point, which combines its traditional firewall modules (or software blades, according to the current terminology) with Web Security functions specifically tailored to application threats, or Citrix, which approaches the problem from the Application Acceleration/Distribution perspective.
It is likely that the market value and the emotional drive of LizaMoon will soon bring further earthquakes to this market. In my honest opinion, the next to fall will be two more important partners in the McAfee SIA focused on Application Security: Imperva (Web Application/XML Firewall) and Veracode (Code Analysis) are well advised…