Sorting Out the Next Generation of Security

December 01, 2016

Security got the boring end of the stick when names for the generations were handed out. Instead of Millennials, Gen X, Baby Boomers or the Greatest Generation, we're stuck with "Next Gen."  What comes after "Next Gen"? And where were the creative minds hiding when we needed them most?

In this post, I'm going to focus on a sliver of the next-gen security stack that we get asked about every day. Specifically, where do next-gen firewalls stop and where do next-gen IPSs pick up the baton?

But first, to understand next-gen security we need to take a quick trip down memory lane back to the mid-2000s. That will help us understand what went wrong with "Last Gen" security and get smarter about the future. The mid-2000s was a bleak time for enterprise network security. Remember those port-centric firewalls that couldn't break out of the ACCEPT/DENY paradigm, and completely ignored the fact that most applications were beginning to run over HTTP?

Back then, there were deep-packet inspection-based IPS devices with primitive matching languages that (at best) could look into protocol headers for exploits targeting application servers. Full packet capture systems were in their infancy, filling large arrays of spinning disks with terabytes of packets. It was an awesome sight to behold, but it delivered little practical benefit.

Enter "Next Gen" Security

As the industry began to get smarter and more focused on the nature of the threats it faced, next-generation firewalls (NGFW) were the first and most compelling solution to emerge. Better known in their infancy as application-aware firewalls, they added application identification to the accept/deny paradigm, so you could tell when your employees were working in Salesforce and block them when they were playing World of Warcraft.

It wasn't long before next-gen firewalls gobbled up other firewall functions like VPNs, basic routing, URL filtering and even some malware analysis. As the capabilities of next-gen firewalls grew, the next logical step was to incorporate the packet-focused IPS engine and its associated ruleset.

This next step in the Great Gobble, however, is where next-gen firewalls ran into some problems. Sure, NGFW is as good a place as any to park those packet-based signatures if it makes you feel good. But real problems can emerge when you take that step.

First, it turns out that all of the additional features in NGFWs don't come for free. Each incremental feature increases the load on the NGFW, to the point that it risks creating a bottleneck that slows down the network. More important, as we pointed out in the first blog post in this series ("Would You Re-Hire Your IPS Today?") those IPS signatures aren't doing much to stop modern attacks, wherever they reside. So, adding them to the NGFW doesn't really solve the problem of the day: stopping intrusions.

Next-Gen Intrusion Prevention

That's where next-generation intrusion prevention systems (NGIPS) come in. They pick up where NGFWs leave off. All a next-gen firewall can do is block known bad threats (think...signatures). By contrast, next-gen intrusion prevention systems are far more muscular. They find and stop the (more dangerous) unknown threats that push right through your next-gen firewall. They help you truly understand what is happening and has happened in your environment so you can respond quickly and resolve incidents.

Think of the offense on a football team to understand the different roles an NGFW and an NGIPS play. Your next-generation firewall is the offensive line. Its job is to keep the defense at bay and out of the offensive backfield. Meanwhile, the quarterback is your next-generation IPS. It calls the plays, reads the defense, calls audibles and needs to be ready to react quickly to a wide variety of situations in the moment.

With that analogy in mind, let's take a hard look at how next-gen firewalls differ from next-gen IPSs to understand the division of labor between them and what it means to your security operation.

  • It's a totally Black and White World: The job of the NGFW is to either block traffic or allow it. It lives in a binary in-or-out world. There are no grays and no color. It doesn't give you the nuanced visibility you need to understand what is happening on your network. That steady stream of PGP-encrypted objects flowing out of the accounting department might be worth looking at. But the NGFW can't make that distinction.
  • Alerts But No Actions: The NGFW remains a here-and-now alerting device. It makes a decision on activity in the moment, or soon after the activity is observed. But its alerts are forensically poor. That has historically been a problem for firewalls, which put the burden on incident response teams to look elsewhere for related artifacts. And while some NGFW solutions have incorporated malware sandboxes, they remain light when it comes to exploit and malware detection.
  • Application Aware But Content Blind: While your NGFW might be application-aware, it is also content-blind. It doesn't look deeply at the content of the packets, so it can't tell you when unsigned driver files are headed toward your domain controller, let alone stop them.
  • Network Amnesia: The NGFW doesn't have any memory. It lives in the moment. It can't apply new intelligence to historic activity because it doesn't retain any. It also can't run analytics or identify the low-and-slow attacks that unfold over a longer period of time, which is increasingly the nature of today's more advanced attacks.
  • Blind to Endpoints: While some NGFWs have light tie-ins with endpoint solutions, the emphasis is on "light." They can't support real forensic and investigative use cases. In the absence of real forensic information about network activity (see Alerts But No Actions), what does the NGFW ask of the endpoint to validate and enrich alerts?
  • Old-Gen Rules: While an NGFW might take IP lists and even Snort rules and apply them in the here-and-now, it stops there. It can't handle rich and contemporary expressions of user-supplied threat intelligence like YARA rules and apply them to network activity. Why subscribe to all those CERT alerts and ISAC feeds if you can't actually use them?
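To make three of those points concrete (content inspection beyond port and application, metadata that outlives the packet, and intelligence applied to traffic already seen), here is an added example in Python. It is not Fidelis code and not a description of any vendor's product; it is a toy that does what the bullets describe on constructed data. It recognizes OpenPGP-encrypted objects by their packet header bytes (RFC 4880 section 4.2 and 4.3) and ASCII armor rather than by port or app, keeps the resulting labels as flow metadata, counts repeat senders, and then applies an indicator that arrives after the fact to the stored records. The hosts, addresses, timestamps, the "accounting" subnet and the drop-server indicator are all invented for the example.

```python
"""Content inspection plus retrospective hunting over stored flow metadata.

Added example, not Fidelis code. It illustrates capabilities the post
attributes to an NGIPS: looking into payload content (spotting OpenPGP
encrypted objects by header bytes, not by port or app), keeping metadata so
intelligence received later can be applied to traffic already seen, and
simple analytics over that metadata. All records, addresses and the "new"
indicator are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field

# OpenPGP packet tags (RFC 4880 section 4.3) whose presence at the start of a
# blob indicates an encrypted message.
ENCRYPTED_TAGS = {
    1: "public-key encrypted session key",
    3: "symmetric-key encrypted session key",
    9: "symmetrically encrypted data",
    18: "sym. encrypted integrity protected data",
}
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def openpgp_tag(first_byte: int):
    """Return the packet tag encoded in an OpenPGP packet header byte, or None
    if the byte is not a valid header (bit 7 must be set, RFC 4880 4.2)."""
    if not first_byte & 0x80:
        return None
    if first_byte & 0x40:            # new format: 11TTTTTT
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F  # old format: 10TTTTLL


def classify_pgp(payload: bytes):
    """Label a payload as an OpenPGP-encrypted object, or return None.
    Checks ASCII armor first, then the binary packet header byte."""
    if payload.startswith(ARMOR_HEADER):
        return "ascii-armored PGP message"
    if not payload:
        return None
    return ENCRYPTED_TAGS.get(openpgp_tag(payload[0]))


@dataclass
class FlowRecord:
    ts: int          # epoch seconds
    src: str
    dst: str
    dport: int
    app: str         # what an application-aware firewall would report
    payload: bytes   # first bytes of the reassembled payload
    labels: list = field(default_factory=list)  # content labels (metadata)


def inspect(records):
    """Enrich each record with content labels; returns the same list."""
    for r in records:
        label = classify_pgp(r.payload)
        if label:
            r.labels.append(label)
    return records


def pgp_senders(records, min_count=2):
    """Analytics over stored metadata: sources that repeatedly send encrypted
    objects. Returns {src: count} for sources at or above min_count."""
    counts = Counter(r.src for r in records if r.labels)
    return {s: c for s, c in counts.items() if c >= min_count}


def retro_hunt(records, indicators):
    """Apply indicators received *after* the traffic occurred to stored
    metadata. Returns (ts, src, dst) for every record whose dst matched."""
    return [(r.ts, r.src, r.dst) for r in records if r.dst in indicators]


# Constructed sample: hosts in a hypothetical accounting subnet sending
# uploads that an app-aware firewall simply sees as "web-browsing" on 443.
SAMPLE = [
    FlowRecord(1480550400, "10.20.30.11", "203.0.113.7", 443, "web-browsing",
               bytes([0x85, 0x01, 0x0c, 0x03]) + b"\x00" * 12),  # old-format tag 1
    FlowRecord(1480550460, "10.20.30.11", "203.0.113.7", 443, "web-browsing",
               b"\xd2\x80\x00\x00\x10" + b"\x00" * 11),           # new-format tag 18
    FlowRecord(1480550520, "10.20.30.12", "198.51.100.4", 443, "web-browsing",
               ARMOR_HEADER + b"\n\n"),                          # armored message
    FlowRecord(1480550580, "10.20.30.13", "203.0.113.7", 443, "web-browsing",
               b"GET /index.html HTTP/1.1\r\n"),                  # ordinary HTTP
]

if __name__ == "__main__":
    inspect(SAMPLE)
    for r in SAMPLE:
        print(r.ts, r.src, "->", r.dst, r.app, r.labels)
    print("repeat PGP senders:", pgp_senders(SAMPLE))
    # Intel arriving later (constructed): 203.0.113.7 is a drop server.
    print("retro matches:", retro_hunt(SAMPLE, {"203.0.113.7"}))
```

The point of the split between inspect(), pgp_senders() and retro_hunt() is that the content labels are computed once, at observation time, and then stored alongside the flow; the later indicator is matched against that stored metadata, not against packets that are long gone. A device that only decides in the moment has nothing to run retro_hunt() over.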

You might be thinking "Hold on a second. It's unfair to expect the NGFW to do all of this in addition to the classic firewall, proxy and basic IPS functions that it handles." I'm glad you're thinking that. Because that's the entire point. Each player on a team has a different role. But if you don't have the right players in the right roles, you're less likely to have successful outcomes on the field.

So here's a quick reference guide for what a next-gen firewall does and what a next-gen IPS can and must do in your security stack.

How a Next-Gen Firewall Compares to a Next-Gen IPS

Feature                                          | Next-Gen Firewall (NGFW) | Next-Gen IPS (NGIPS)
-------------------------------------------------+--------------------------+---------------------
Firewall                                         |            x             |
VPN                                              |            x             |
Routing                                          |            x             |
URL Filtering                                    |            x             |
Packet-Based Signatures                          |            x             |          x
Malware Analysis                                 |            x             |          x
User Awareness                                   |                          |          x
Content Inspection                               |                          |          x
Endpoint Context                                 |                          |          x
Rich Alert Forensics                             |                          |          x
Historical Metadata for Incident Response        |                          |          x
Application of Threat Intel to Past and Present  |                          |          x
Analytics and Machine Learning                   |                          |          x

You can take a look at the second blog post in this series ("Did You Hire Your IPS for a Job of the Past?") to see how Fidelis customers are implementing next-gen IPSs. Meanwhile, stay tuned for our next post in this series, where we'll take a look at the market and explain how Fidelis' next-generation intrusion prevention solution differs from other next-gen IPS offerings.

-- Hardik Modi, VP, Threat Research
www.threatgeek.com