
Study Guide for NSE 1: Next Generation Firewall (NGFW)
February 1, 2016

This Study Guide is designed to provide information for the Fortinet Network Security Expert Program – Level 1 curriculum. The study guide presents discussions on concepts and equipment necessary as a foundational understanding for modern network security prior to taking more advanced and focused NSE program levels.

Fortinet Network Security Solutions


Contents
Figures
Tables
Next Generation Firewall (NGFW)
    Technology Trends
    NGFW Characteristics: Fundamental Changes
    NGFW Evolution
        Traditional NGFW Capabilities
        NGFW Functions
    Extended NGFW Capabilities
        Sandboxes and APT
        Advanced Persistent Threats (APT)
        Advanced Threat Protection (ATP)
    NGFW Deployment
        Edge vs. Core
        NGFW vs. Extended NGFW
    Summary
Key Acronyms
Glossary
References


Figures
Figure 1. Bring Your Own Device (BYOD) practices in 2011.
Figure 2. Edge firewall vs. NGFW traffic visibility.
Figure 3. Traditional port configuration example.
Figure 4. NGFW configuration example by application, user ID.
Figure 5. NGFW evolution timeline.
Figure 6. Intrusion Prevention System (IPS).
Figure 7. Deep Packet Inspection (DPI).
Figure 8. Network application identification and control.
Figure 9. Access enforcement (user identity).
Figure 10. NGFW distributed enterprise-level capability.
Figure 11. Extra-firewall intelligence IP list assignment.
Figure 12. Notional network with managed security (MSSP).
Figure 13. Application awareness: the NGFW application monitoring feature.
Figure 14. Extending NGFW with Advanced Threat Protection (ATP).
Figure 15. Authentication functions integrated into NGFW.
Figure 16. Web filtering profile control.
Figure 17. Antivirus/malware.
Figure 18. Anti-botnet protection.
Figure 19. Web filtering capability.
Figure 20. Sandbox deployed with NGFW solution.
Figure 21. The NGFW three-step approach to APT.
Figure 22. Advanced Threat Protection (ATP) model.
Figure 23. NGFW deployment to edge network.
Figure 24. Current NGFW vs. Extended NGFW capabilities.


Tables
Table 1. Comparative security features of edge firewalls vs. NGFW.
Table 2. Comparison between flow-based and proxy-based inspections.


Next Generation Firewall (NGFW)


Just because you’re paranoid that hackers are trying to steal your data…
…doesn’t mean they’re not really out to get you!

Early firewalls acted much like a fire door in a building—if something bad was happening in the hallway,
it protected what was in your room and other parts of the building. As personal computers became
more affordable and digital portable devices became more widespread, system and network threats
evolved as well, creating a need for protection technology able to evolve along with—or ahead of—
advanced threats. Legacy firewalls operated on the basis of port access, using source/destination IP
addresses or TCP/UDP port data to discern whether packets should be allowed to pass between
networks or be blocked or rejected. Most firewall configurations allowed all traffic from trusted
networks to pass through to untrusted networks, unless policy exceptions were implemented. In closed
networks and the early days of the Internet, this was a viable option—this predominantly static firewall
configuration model no longer provides adequate protection against advanced and emerging system
and network threats to large, distributed enterprise businesses and organizations having to serve
customers, clients, and employees in an ever-evolving mobile environment.

Technology Trends
Trends in information technology development and employment over the last 15 years have led to a
need to rethink the methodology behind modern network security. To further exacerbate this challenge,
these trends occurred simultaneously across major industry, all levels of business, and personal
consumer environments.

Consumerization of IT has resulted in IT-enabled devices, such as smartphones, digital music and video
players, recorders, cameras, and others, becoming so commonplace in the market that their lower pricing
resulted in an explosion of individual consumers acquiring technology-enabled devices for personal use.
This extends beyond the obvious devices listed above. IT-enabled devices now include such appliances as
refrigerator/freezers, home security systems, personal home networks that include WiFi-enabled
televisions, stereos, and even the automated “smart house.” In other words, what we have to be
mindful of today is the Internet of Things (IoT) when we acquire devices and appliances.

Because consumers have embraced technology devices for both communication and information
sharing, businesses have in turn embraced social media as a way to reach consumer markets and
supplement Web and traditional marketing and communication channels. With so many applications,
especially social media, being cloud based, the challenge of network security expands from the
surface of the traffic (where it comes from and on which port) into its substance (what it carries).

With the proliferation of inexpensive, technology-enabled devices interacting with business networks—
including both external users and those using personal devices for work purposes (Bring Your Own
Device – BYOD), the question becomes one of how to provide security, network visibility, control, and
user visibility simultaneously without an exponential increase in required resources (Figure 1).

Figure 1. Bring Your Own Device (BYOD) practices in 2011.

NGFW Characteristics: Fundamental Changes

The primary benefit of NGFW is visibility and control of the traffic entering the firewall ports. In legacy
firewalls, ports were opened and closed, or protocols allowed or disallowed, without consideration
beyond those basic characteristics.

Figure 2. Edge firewall vs. NGFW traffic visibility.

With NGFW, administrators are provided finer granularity that provides deeper insight into the traffic
attempting to access the network (Figure 2). This includes deeper visibility of users and devices, as well
as the ability to allow or limit access based on specific applications and content rather than accepting or
rejecting any traffic using a particular transmission protocol. This is the primary difference that
separates traditional and next generation firewalls (NGFW).

With a traditional firewall, traffic is accepted based on the identification criteria of designated port and IP
address. With NGFW, traffic is accepted based on user identity (not port alone), IP address, and traffic
content. The diagrams in Figures 3 and 4 illustrate the visibility and control gained when NGFW is
integrated into the network security architecture, supplanting the legacy edge firewall.

When comparing the granularity with which legacy and next generation firewalls assess data, note that
in NGFW the ports are identified along with the traffic flowing through them, as well as specific
information about the user sending the traffic, the traffic origin, and the type (content) of traffic being
received. This information goes beyond the network and transport headers (OSI layers 3 and 4) that a
legacy firewall evaluates and brings security up to the application layer (OSI layer 7).
Figure 3. Traditional port configuration example.

Figure 4. NGFW configuration example by application, user ID.

In addition to enhanced visibility over traffic, NGFW provides enhancements in both complex security
protection and administrator control simplicity over traditional firewalls, as compared in Table 1.

Table 1. Comparative security features of edge firewalls vs. NGFW.

    Edge Firewall                    NGFW
    -------------------------------  --------------------------------------------
    Gatekeeper                       Gatekeeper
    ISO/OSI L4 port protocol         Application-centric (content flow) protocol
    Basic security + add-ons         Integrated security solutions
    Complex architecture             Integrated architecture
    Complex control                  Simplified control
    Simple to moderate security      Integrated complex security
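The policy difference that Figures 3 and 4 and Table 1 describe, and the user-identity enforcement described later under Access Enforcement, worked through as an added example (this is not code from the study guide or from any Fortinet product): a legacy rule set that matches only addresses, protocol and port, next to an NGFW rule set that also asks who the user is and what application and content are in the flow. The rules, the user-to-group mapping and the sample flows are all constructed for the illustration; the app and user fields stand in for what application identification and an AD/FSSO lookup would supply.

```python
"""Policy matching in a legacy port-based firewall versus an NGFW.

Added example, not part of the study guide. The rule sets, the user-to-group
mapping and the sample flows are constructed; the application and user fields
stand in for what application control and identity integration would supply.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    app: str = "unknown"          # from application identification, not from the port
    user: Optional[str] = None    # from an identity lookup (assumed AD/FSSO mapping)
    content: str = "web"          # coarse content class from content inspection


# Legacy edge firewall: ordered rules over addresses, protocol and port only.
LEGACY_RULES = [
    ("10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "allow"),
    ("10.0.0.0/8", "0.0.0.0/0", "tcp", 80, "allow"),
    ("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),   # implicit deny at the end
]


def legacy_decision(flow: Flow) -> str:
    """First matching 5-tuple rule wins; nothing else about the flow is considered."""
    for src_net, dst_net, proto, port, action in LEGACY_RULES:
        if (ip_address(flow.src_ip) in ip_network(src_net)
                and ip_address(flow.dst_ip) in ip_network(dst_net)
                and proto in ("any", flow.proto)
                and port in (None, flow.dst_port)):
            return action
    return "deny"


# NGFW: the same 5-tuple, plus who is sending and what application/content it is.
AD_GROUPS = {"alice": {"Engineering"}, "bob": {"Finance"}, "guest01": set()}

NGFW_RULES = [
    # (AD group, permitted applications, content classes denied even for permitted apps)
    ("Engineering", {"https", "http", "ssh", "slack"}, {"file-transfer"}),
    ("Finance", {"https", "http"}, {"file-transfer", "chat"}),
]


def ngfw_decision(flow: Flow) -> str:
    """Network-layer rules still apply; on top of them the user, the identified
    application and the content class must all be permitted."""
    if legacy_decision(flow) == "deny":
        return "deny"
    if flow.user is None:          # unidentified traffic matches no identity-based rule
        return "deny"
    for group, apps, denied_content in NGFW_RULES:
        if group in AD_GROUPS.get(flow.user, set()) and flow.app in apps:
            return "deny" if flow.content in denied_content else "allow"
    return "deny"


# Constructed sample flows. All but the last ride on TCP/443, which the legacy
# rule set allows regardless of what is actually inside.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.10", "tcp", 443, app="https", user="alice"),
    Flow("10.1.2.7", "203.0.113.20", "tcp", 443, app="slack", user="bob", content="chat"),
    Flow("10.1.9.9", "203.0.113.30", "tcp", 443, app="ssh", user="guest01"),  # SSH hidden on 443
    Flow("10.1.1.5", "203.0.113.40", "tcp", 443, app="https", user="alice", content="file-transfer"),
    Flow("10.1.2.7", "203.0.113.50", "tcp", 22, app="ssh", user="bob"),
]


def compare(flows=SAMPLE_FLOWS):
    """Return (user, app, port, legacy verdict, NGFW verdict) for each flow."""
    return [(f.user, f.app, f.dst_port, legacy_decision(f), ngfw_decision(f)) for f in flows]


if __name__ == "__main__":
    for user, app, port, legacy, ngfw in compare():
        print(f"{user:8} {app:6} :{port:<4} legacy={legacy:5} ngfw={ngfw}")
```

The legacy engine allows four of the five flows because they arrive on an open port; the NGFW engine allows only the first, denying the tunnelled chat application, the SSH session disguised on 443 from an unidentified user, and the file transfer inside an otherwise permitted HTTPS session.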

NGFW Evolution
Referring to an evolving technology offering high-performance protection, Next Generation Firewalls
(NGFW) provide solutions against a wide range of advanced threats against applications, data, and
users. Going beyond standard firewall protections, NGFW integrates multiple capabilities to combat
advanced and emerging threats. These capabilities include intrusion prevention system (IPS), deep
packet scanning, network application identification and control, and access enforcement based on user
identity verification. Emerging tools include Advanced Threat Protection (ATP) to mitigate multi-vector,
persistent network or system attacks against large and distributed enterprise networks.

The concept of NGFW (Figure 5) was first coined by Gartner in 2004 in a paper discussing the need for
integrated IPS coupled with deep packet inspection and general application-inspection capabilities in
firewalls [1]. In 2008, Gartner redefined NGFW as security devices comprising an enterprise-level
firewall integrating IPS or deep packet inspection, application identification, and “extra-firewall”
intelligence (such as a Web content filter), while allowing interoperability with third-party rule
management technology [2]. In 2009, Gartner published a new definition of NGFW, with characteristics
including VPN, integrated IPS interoperating with the firewall components, application awareness, and
“extra-firewall” intelligence [3].

Figure 5. NGFW evolution timeline.

Traditional NGFW Capabilities

Traditional NGFW provides solutions against a wide range of advanced threats against applications,
data, and users. Traditional enterprise network security solutions such as legacy firewalls and stand-
alone intrusion detection/prevention systems (IDS/IPS) are no longer adequate to protect against today’s
sophisticated attacks. In order to defend networks against the latest threats, NGFWs should include, at a
minimum, the ability to identify and control applications running over a network, an integrated intrusion
prevention system (IPS) with deep packet inspection capabilities, and the ability to verify a user’s or
device’s identity and enforce access policies accordingly.
However, advanced threats require advanced protection. Some NGFW devices, such as the FortiGate
line, include additional technologies that provide a real-time ranking of the security risk of devices on
your network and cloud-based threat detection and prevention. Traditional NGFW integrates multiple
capabilities to combat emerging threats.


Figure 6. Intrusion Prevention System (IPS).

Intrusion Prevention System (IPS). Sometimes called integrated IDS/IPS. Monitors the network and directs
the firewall to allow or block traffic. An Intrusion Detection System (IDS) detects threats but does not itself
act on identified threats or unknown traffic; IDS detection is integrated into IPS technology, which adds the
blocking action. IPS has been used as part of edge-based protection as a firewall enhancement; however, it
is more effective to tie it into network segmentation, enabling protection against both internal and external
attacks on critical servers (Figure 6) [4].

Figure 7. Deep Packet Inspection (DPI).

Deep Packet Inspection (DPI). Examines the payload, or data portion, of a network packet as it passes
through a firewall or other security device (Figure 7). DPI identifies and classifies network traffic based
on signatures in the payload [5], and examines packets for protocol errors, viruses, spam, intrusions, or
policy violations.


Figure 8. Network application identification and control.

Network Application Identification & Control. Traditional firewall protection detects and restricts
applications by port, protocol, and server IP address, and cannot detect malicious content or abnormal
behavior in many web-based applications (Figure 8). Next Generation Firewall (NGFW) technology with
Application Control allows you to identify and control applications on networks and endpoints
regardless of the port, protocol, and IP address used. It gives visibility and control over application
traffic, including unknown applications from unknown sources, and can inspect encrypted application
traffic. Protocol decoders normalize traffic and uncover applications attempting to evade detection
through obfuscation. Following identification and, where SSL inspection is enabled, decryption,
application traffic is either blocked, or allowed and scanned for malicious payloads. Traffic inside IPsec
VPN and SSL VPN tunnels that terminate on the firewall is likewise decrypted before inspection. With
SSL inspection enabled, application control also decrypts and inspects traffic carried over encrypted
protocols such as HTTPS, POP3S, SMTPS, and IMAPS; without it, the firewall can still identify the
application from the unencrypted handshake (for example the server name in the TLS ClientHello) but
cannot see the content.

Figure 9. Access enforcement (User identity).

Access Enforcement (User Identity). When a user attempts to access network resources, Next
Generation Firewalls (NGFW) allow identification of the user from a list of names, IP addresses and
Active Directory (AD) group memberships that it maintains locally. The connection request will be
allowed only if the user belongs to one of the permitted user groups, and the assigned firewall policy
will be applied to all traffic to and from that user (Figure 9).

Figure 10. NGFW distributed enterprise-level capability.

Distributed Enterprise-level Capability. Capable of operating in large, distributed enterprise networks.
The foundation of the enterprise campus offering is a high performance next generation firewall (NGFW)
that adds intrusion prevention, application control and antimalware to the traditional firewall/VPN
combination (Figure 10). In particular, Fortinet NGFWs:
 Provide fine-grained, user- or device-based visibility and control over more than 3000 discrete
applications to establish/enforce appropriate policies.
 Include powerful intrusion prevention, looking beyond port and protocol to actual content of
your network traffic to identify and stop threats.
 Leverage top rated antimalware to proactively detect malicious code seeking entry to the
network.
 Deliver actionable application and risk dashboards/reports for real-time views into network
activity.
 Run on purpose-built appliances with Custom ASICs for superior, multi-function performance,
even over encrypted traffic.


Figure 11. Extra-firewall intelligence IP list assignment.

“Extra-firewall” Intelligence. This provides the ability to create lists that allow or deny external traffic
to the network. These lists are designated by IP address. List types include:

White List. Designated sources considered trusted; their traffic is allowed into the network.
Black List. Designated sources considered not trusted; their traffic is denied.

A key point to this function is that the decision is based on an address alone; it does not relate to any
specific type of information that may be carried in traffic from that source. This is a surface screening
rather than a content screening function, so an allow-listed address is only as trustworthy as the host
currently behind it.

Figure 12. Notional network with managed security (MSSP).

Interoperable with Third-Party Management. Enterprise-class appliances deliver the comprehensive
security solution Managed Security Service Providers (MSSPs) require. They allow you to utilize the full
suite of ASIC-accelerated security modules for customizable value-added features for specific customers.
NGFW appliances include the ability to create multi-tenant virtual security networks, supporting up to
5,000 separate Virtual Domains (VDOMs) in a single device. The full suite of integrated management
applications—including granular reporting features—offer unprecedented visibility into the security
posture of customers while identifying their highest risks (Figure 12).

VPN. Virtual Private Network (VPN) technology allows organizations to establish secure communications
and data privacy between multiple networks and hosts using IPsec and Secure Sockets Layer (SSL) VPN
protocols. Both VPN services leverage custom ASIC network processors to accelerate encryption and
decryption of network traffic. Once the traffic has been decrypted, multiple threat inspections,
including antivirus, intrusion prevention, application control, email filtering and web filtering, can be
applied and enforced for all content traversing the VPN tunnel.

Figure 13. Application awareness: The NGFW application monitoring feature.

Application Awareness. While establishing port and protocol are important first steps in identifying
traffic, positive identification of application traffic is an important capability added by NGFW, requiring a
multi-factor approach independent of port, protocol, encryption, or evasive measures (Figure 13).
Application awareness includes protocol detection and decryption, protocol decoding, signature
identification, and heuristics (behavioral analyses). [6]
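An added example (not code from the study guide or from any vendor) of the protocol-decoder step that Deep Packet Inspection, Application Identification & Control and Application Awareness all rely on: three small decoders classify constructed sample flows from their payload, and the result is set beside what a port-number lookup would have guessed. The TLS decoder reads the server name (SNI) from the ClientHello, which a firewall can do without decrypting the session; the ClientHello builder exists only to produce a sample record offline, and the port table, sample banners and host names are all constructed.

```python
"""Application identification from payload, independent of the port in use.

Added example, not part of the study guide. The decoders are minimal and the
sample flows are constructed; the ClientHello builder only produces test input.
"""
import re
import struct
from typing import Optional, Tuple


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying an SNI extension."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(host)) + host       # name_type host_name (0)
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list       # extension type server_name
    body = (b"\x03\x03" + b"\x11" * 32                               # client_version, random
            + b"\x00"                                                # session_id length 0
            + b"\x00\x02\xc0\x2f"                                    # one cipher suite
            + b"\x01\x00"                                            # compression: null only
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def tls_sni(payload: bytes) -> Optional[str]:
    """Walk a TLS ClientHello and return the server_name extension value, or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:                 # handshake record, client_hello
            return None
        pos = 9 + 2 + 32                                             # record+handshake headers, version, random
        pos += 1 + payload[pos]                                      # session_id
        pos += 2 + struct.unpack(">H", payload[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + payload[pos]                                      # compression_methods
        end = pos + 2 + struct.unpack(">H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", payload[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                        # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack(">H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):                               # truncated or not a ClientHello
        pass
    return None


def identify_application(payload: bytes) -> Tuple[str, str]:
    """Classify a flow from its first payload bytes; returns (application, detail)."""
    if payload.startswith(b"SSH-"):
        return "ssh", payload.split(b"\r\n", 1)[0].decode(errors="replace")
    if re.match(rb"^(GET|POST|PUT|HEAD|DELETE) \S+ HTTP/1\.[01]\r\n", payload):
        host = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
        return "http", host.group(1).decode(errors="replace") if host else ""
    sni = tls_sni(payload)
    if sni is not None:
        return "tls", sni
    return "unknown", ""


# Port-based guess, for contrast with the payload-based result.
PORT_TABLE = {22: "ssh", 53: "dns", 80: "http", 443: "tls", 8080: "http-alt"}

# Constructed flows: each one carries something other than what its port suggests.
SAMPLES = [
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                                    # SSH hidden on the HTTPS port
    (8080, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),  # HTTP on a non-standard port
    (53, build_client_hello("updates.example.com")),                     # TLS on the DNS port
]


def classify_samples():
    """Return (port, port-table guess, DPI application, DPI detail) per sample."""
    out = []
    for port, payload in SAMPLES:
        app, detail = identify_application(payload)
        out.append((port, PORT_TABLE.get(port, "unknown"), app, detail))
    return out


if __name__ == "__main__":
    for port, guess, app, detail in classify_samples():
        print(f"port {port:<5} port-guess={guess:9} dpi={app:8} {detail}")
```

The port table is wrong for every sample; the decoders are right for all three, and the TLS case also yields the destination host name that a web filter can act on before any decryption. Real application control adds signature sets, heuristics and decoders for many more protocols, but each follows the same pattern: parse the payload, then decide.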

NGFW Functions
Two important functions of NGFW are to detect threats and to prevent them from exploiting system or
network vulnerabilities. Threats are detected by deploying an Intrusion Detection System (IDS) as part of
the network architecture. To prevent identified threats from exploiting existing vulnerabilities, an
Intrusion Prevention System (IPS) is deployed in-line. The purpose of IPS is to react to detected threats
by blocking traffic that attempts to take advantage of system vulnerabilities, deviates from standard
protocols, or constitutes an attack generated from a trusted source [4]. NGFW appliances integrate IDS
and IPS capability to both detect and prevent intrusion and exploitation of protected networks.
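The IDS/IPS distinction above, as an added example (not study-guide or vendor code): one signature set run in detect-only mode and in prevent mode over constructed HTTP packets. The signatures are written for this illustration and are not vendor signatures; they cover both the content-match case and the protocol-deviation case the paragraph lists, and the last packet comes from an internal address to show that the verdict rests on content, not on the source being trusted.

```python
"""IDS versus IPS: the same signature set in detect-only and prevent modes.

Added example, not part of the study guide. The signatures and the sample
HTTP packets are constructed for illustration; they are not vendor signatures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: Optional[bytes]          # content match: a regex over the payload
    max_request_line: Optional[int]   # protocol-anomaly check on the HTTP request line
    severity: str


SIGNATURES = [
    Signature(1001, "HTTP.Path.Traversal", rb"(\.\./){2,}", None, "high"),
    Signature(1002, "HTTP.Oversized.Request.Line", None, 512, "medium"),
    Signature(1003, "SQL.Injection.Tautology", rb"(?i)'\s*or\s*'?1'?\s*=\s*'?1", None, "high"),
]


@dataclass
class Packet:
    src: str
    payload: bytes


def matches(sig: Signature, pkt: Packet) -> bool:
    """A signature fires on its content pattern or on its protocol-deviation rule."""
    if sig.pattern is not None and re.search(sig.pattern, pkt.payload):
        return True
    if sig.max_request_line is not None:
        request_line = pkt.payload.split(b"\r\n", 1)[0]
        if request_line.startswith((b"GET ", b"POST ")) and len(request_line) > sig.max_request_line:
            return True
    return False


def inspect(pkt: Packet, mode: str) -> Tuple[str, List[int]]:
    """Return (action, matched signature ids).
    mode "ids": detect and alert; the packet is always forwarded.
    mode "ips": the same detection, but a match drops the packet in-line."""
    hits = [s.sid for s in SIGNATURES if matches(s, pkt)]
    if hits and mode == "ips":
        return "drop", hits
    return "pass", hits


# Constructed traffic. The last packet comes from an internal, "trusted" address:
# the verdict is made on content, so the source does not exempt it.
SAMPLES = [
    Packet("198.51.100.7", b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    Packet("198.51.100.7", b"GET /../../../../etc/passwd HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    Packet("198.51.100.8", b"GET /" + b"A" * 600 + b" HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    Packet("10.0.5.20", b"POST /login HTTP/1.1\r\nHost: app.example\r\n\r\nuser=admin' OR '1'='1&pass=x"),
]


def run_samples(mode: str):
    """Return (source, action, matched sids) for each sample packet in the given mode."""
    return [(p.src, *inspect(p, mode)) for p in SAMPLES]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        for src, action, hits in run_samples(mode):
            print(f"{mode}: {src:14} {action:4} {hits}")
```

In IDS mode every packet passes and three alerts are raised; in IPS mode the same three packets are dropped. An IPS therefore has to sit in the traffic path and has to be fast enough not to become the bottleneck, which is why the study guide ties it to segmentation and to the firewall rather than to a mirror port.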

Another function of NGFW is Secure Sockets Layer (SSL)/TLS-encrypted traffic inspection. This type of
inspection protects endpoint clients as well as Web and application servers from threats hidden inside
encrypted sessions. SSL inspection intercepts and decrypts encrypted traffic, inspects it for threats
before routing it to its destination, and can be applied to client-oriented traffic, such as users
connecting to cloud-based sites, or to traffic destined for Web and application servers. For outbound
client traffic the firewall re-signs each server certificate with its own CA, so the clients must trust that
CA or they will see certificate warnings; for inbound traffic to your own servers the firewall holds the
server’s certificate and private key instead. Using SSL inspection allows policy enforcement on
encrypted Web content to prevent intrusion from malicious traffic hidden in SSL content. Like other
inspection functions, however, the trade-off of enabling SSL inspection is a decrease in throughput.

Extended NGFW Capabilities

Beyond the capabilities defined by Gartner for NGFW, capabilities focused on advanced and emerging
threats are clearly needed. Within enterprise network security infrastructure in particular, there is a
need to protect against new and evolving classes of highly targeted and tailored attacks designed to
bypass common defenses. Because of these advanced and evolving threats, additional defenses,
referred to by Fortinet as Advanced Threat Protection (ATP), include anti-virus/malware, anti-botnet,
web filtering, code emulation, and sandboxing. Integration of these additional capabilities appears in
Figure 14.


Figure 14. Extending NGFW with Advanced Threat Protection (ATP).

When integrated with NGFW, capabilities of ATP enhance security by providing additional protections
against evolving threats, including:

 Dual-level sandboxing, allowing code activity examination in simulated and virtual environments
to detect previously unidentified threats.
 Detailed reporting on system, process, file, and network behavior, including risk assessments.
 Secure Web Gateway through adding web filtering, botnet, and call back detection, preventing
communications with malicious sites and IPs.
 Option to share identified threat information and receive updated in-line protections.
 Option to integrate with other systems to simplify network security deployment.

With continued shift toward mobile and BYOD practices, integrated user authentication takes on
increased importance in visibility and control of applications being employed by network users. With the
sophistication of advanced and evolving threats, use of two-factor—or “strong”—authentication has
become more prevalent. In addition to the capabilities discussed previously as additive measures to the
NGFW, a number of strong authentication factors may also be enabled:

 Hardware, software, email, and SMS tokens
 Integration with LDAP, AD, and RADIUS
 End user self-service
 Certificate Authority
 Single sign on throughout the network

Illustration of authentication functions integrated into NGFW appear in Figure 15.

Figure 15. Authentication functions integrated into NGFW.

While the Application Control feature of the extended NGFW serves to identify which applications
network users are running, monitor their use, and block applications that represent a risk to the
organization, it differs from how the Web Filtering function of ATP operates. Application Control
identifies the application from the traffic itself, regardless of the destination; Web Filtering acts on the
destination Internet site (URL) based on a categorization of the site or the type of content it hosts [4].
This allows the NGFW to block web sites known to host malicious content. An example of how Web
Filtering categorizes sites appears in Figure 16.


Figure 16. Web filtering profile control.

Antivirus/malware. Responsible for detecting, removing, and reporting on malicious code. By
intercepting and inspecting application-based traffic and content, antivirus protection ensures that
malicious threats hidden within legitimate application content are identified and removed from data
streams before they can cause damage. Running AV/AM protection on the endpoints themselves (clients
and servers) adds a further layer of security beyond what the firewall can inspect in transit.


Figure 17. Antivirus/malware.

Anti-botnet. Responsible for detecting and reacting to botnet activity, including Distributed Denial of
Service (DDoS) and other coordinated network attacks. Organizations can prevent, uncover, and block
botnet activity using anti-bot traffic pattern detection and IP reputation services supplied in real time,
which also reveal infected internal hosts when they attempt to call back to known command-and-control
addresses.

Figure 18. Anti-botnet protection.

Web filtering. Function that allows or blocks Web traffic based on type of content, commonly defined
by categories. Web filtering protects endpoints, networks and sensitive information against Web-based
threats by preventing users from accessing known phishing sites and sources of malware.

Figure 19. Web filtering capability.
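The web filtering function above, together with the address allow/deny lists described earlier under “Extra-firewall” Intelligence, as an added example (not study-guide or vendor code). The category table is a stand-in for a vendor rating service; the hosts, addresses, categories, static overrides and profile actions are all constructed for the illustration, and the domains are reserved example names.

```python
"""Web filtering by URL category with static overrides, plus address allow/deny lists.

Added example, not part of the study guide. The category table stands in for a
vendor rating service; hosts, addresses, categories and profile actions are
constructed, and the domains are reserved example names.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# "Extra-firewall" address lists: a surface check on the server address, made
# before any content is looked at.
IP_DENY = [ip_network("198.51.100.0/25")]        # known-bad range
IP_ALLOW = [ip_network("203.0.113.0/24")]        # partner network, exempt from rating

# Category ratings keyed by domain; a host is rated by walking up its parent domains.
CATEGORY_OF = {
    "malware.example.net": "Malicious Websites",
    "social.example": "Social Networking",
    "example.org": "Information Technology",
}
# The web filter profile: what to do per category, and for sites nobody has rated.
PROFILE = {"Malicious Websites": "block", "Social Networking": "warn",
           "Information Technology": "allow"}
UNRATED_ACTION = "allow"

# Static URL filter entries, checked before category rating; the longest match wins.
STATIC_URLS = {"social.example/careers": "allow", "example.org/downloads": "block"}


def rate_host(host: str) -> str:
    """Rate a host by its most specific rated domain (cdn.malware.example.net -> malware.example.net)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        category = CATEGORY_OF.get(".".join(labels[i:]))
        if category:
            return category
    return "Unrated"


def filter_request(server_ip: str, url: str):
    """Return (action, reason) for one web request to server_ip for url."""
    addr = ip_address(server_ip)
    if any(addr in net for net in IP_DENY):
        return "block", "address deny list"
    if any(addr in net for net in IP_ALLOW):
        return "allow", "address allow list (content not rated)"
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    key = host + parts.path
    for entry in sorted(STATIC_URLS, key=len, reverse=True):
        if key.startswith(entry):
            return STATIC_URLS[entry], f"static URL filter: {entry}"
    category = rate_host(host)
    return PROFILE.get(category, UNRATED_ACTION), f"category: {category}"


# Constructed requests, one per decision path.
SAMPLES = [
    ("192.0.2.10", "http://malware.example.net/payload.exe"),   # rated category: block
    ("192.0.2.10", "https://cdn.malware.example.net/x"),       # rated via parent domain: block
    ("192.0.2.20", "https://social.example/careers/jobs"),     # static override: allow
    ("192.0.2.20", "https://social.example/feed"),             # category: warn
    ("192.0.2.30", "https://example.org/downloads/tool.zip"),  # static override: block
    ("192.0.2.30", "https://unknown.example.com/"),            # unrated: profile default
    ("198.51.100.9", "https://example.org/"),                  # address deny list: block
    ("203.0.113.5", "http://malware.example.net/"),            # address allow list: allow, unrated!
]


def run_samples():
    """Return the action for each sample request, in order."""
    return [filter_request(ip, url)[0] for ip, url in SAMPLES]


if __name__ == "__main__":
    for (ip, url), action in zip(SAMPLES, run_samples()):
        print(f"{action:5} {ip:14} {url}  ({filter_request(ip, url)[1]})")
```

Two points a practitioner should take from the output. First, the last request is allowed even though its URL is in the malicious category, because the address allow list is a surface check that short-circuits content rating; that is exactly the limitation the “Extra-firewall” Intelligence paragraph warns about. Second, for HTTPS without SSL inspection the firewall sees only the host name (from the SNI or certificate), so path-based entries such as example.org/downloads can only be enforced on traffic that is actually decrypted; the host-level category decision still works.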

Code emulation. Allows testing of unknown or potentially malicious traffic in a virtual environment by
emulating the actual environment to which the traffic was addressed.

Sandboxing. Isolating unknown or potentially malicious code so that it fully executes, and its behavior is
observed, before the traffic is allowed to download into the network. Because it judges behavior rather
than known signatures, sandboxing can detect zero-day exploits that signature-based solutions cannot
identify. If malicious activity is discovered, Advanced Threat Protection (ATP) can block it.

Sandboxes and APT

You might be wondering whether this is Back to the Future. After all, sandbox technology is old, having
long been a standard isolation mechanism for analyzing code. So why would sandboxes be important when
examining the implications of Advanced Persistent Threats (APT)?

Sandboxes were initially developed for executable files. Now they also open application data that may
carry malicious code, such as PDF documents (rendered by readers such as Adobe Reader) or JavaScript,
and identify the malicious code before it can infect your operating system. Modern sandbox technology
can help detect and identify new threats, including old legacy threats with a new veneer, by emulating
endpoint device environments to analyze how the potential threat behaves. In this way, relatively
unknown malware (constantly being developed at all levels of complexity) and APTs may be detected,
identified, cataloged, and blocked by the NGFW (Figure 20). Integrating the NGFW with sandboxing lets
the firewall pre-filter traffic so that only suspect objects are forwarded to the sandbox, improving
sandbox performance by avoiding unnecessary detonations.

Figure 20. Sandbox deployed with NGFW Solution.

Advanced Persistent Threats (APT)

Since widespread availability of computer technology, especially since the introduction of affordable
personal computing platforms and open availability of computer training, people have used software to
target systems and networks to damage, steal, or deny access to data. Modern and future challenges,
or Advanced Persistent Threats, present a more daunting sophistication of malware, attack vectors, and
perseverance by which they mount offensives against their targets. Just as APT uses multiple attack
layers and vectors to enhance chances of success, network security administrators must also design and
implement a multi-layered defense to protect against these threats. It is critical to understand that no
single network security feature will stop an APT. Simplified, a three-step approach to how NGFW
addresses APTs appears in Figure 21.


Figure 21. The NGFW three-step approach to APT.

Advanced Threat Protection (ATP)

In order to protect against modern and emerging future threats, adaptive defense tools like ATP are
being incorporated into network security infrastructures at an increasing pace. This level of protection
provides increased security across all network sizes from SMB to large enterprises. Critical capabilities
brought to bear by ATP include:

Access Control. Layer 2/3 firewall, vulnerability management, two-factor authentication.
Threat Prevention. Intrusion Prevention (IPS), application control, Web filtering, email filtering,
antimalware.
Threat Detection. “Sandboxing,” botnet detection, client reputation, network behavior analysis.
Incident Response. Consolidated logs & reports, professional services, user/device quarantine,
threat prevention updates.
Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.

The continuous nature of ATP protection is illustrated in Figure 22, below:

Figure 22. Advanced Threat Protection (ATP) model.


NGFW Deployment
Edge vs. Core
When deploying the NGFW, segmentation is a key consideration (see Module 1, page 8), and NGFW
brings a unique combination of hardware- and software-related segmentation capabilities that allow
isolation of critical network sections, such as data centers. Deploying NGFW into an Edge Network
accomplishes the goal of providing control while optimizing critical infrastructure protection (Figure 23).

Figure 23. NGFW deployment to edge network

NGFW vs. Extended NGFW

Another consideration that must be made is which NGFW capabilities are needed, or desired, for the
network being protected. Whether to deploy extended NGFW capabilities depends on the nature of the
functions that will be performed both inside and outside the network. In particular, with the movement
toward cloud-based and web applications, extended NGFW may be the better fit. As illustrated in
Figure 24, Extended NGFW incorporates the capabilities of current NGFW plus enhanced features that
make it more capable against modern and emerging threats.


Figure 24. Current NGFW vs. Extended NGFW capabilities.

One of the characteristics of most technologies is that with added capabilities comes concomitant trade-
offs. In the case of NGFW, the addition of inspection functions such as web filtering—or anti-malware—
presents options that balance capabilities and protection levels versus traffic processing speed. The two
methods used to inspect traffic are Flow-based and Proxy-based inspections. In flow-based inspection,
the NGFW performs a “string comparison” to examine patterns in the traffic without breaking the
connection, resulting in a small portion of the traffic stream being inspected but with a trade-off of
faster throughput. In proxy-based inspection, the entire traffic stream is analyzed, breaking the
connection and reestablishing it after analysis, resulting in slower throughput.

Table 2. Comparison between flow-based and proxy-based inspections

| Type of Inspection          | Flow-based                                                      | Proxy-based                                                  |
|-----------------------------|-----------------------------------------------------------------|--------------------------------------------------------------|
| Speed/Performance Resources | Faster                                                          | Slower                                                       |
| Security Analysis Method    | Comparing traffic to database of known bad situations           | Conducting specific analysis on relevant information         |
| TCP Transparency            | TCP flow not broken. Only packet headers changed if necessary.  | TCP convention broken, TCP sequence numbers changed.         |
| Protocol Awareness          | Not required                                                    | Understands protocol being analyzed                          |
| File size limits            | Only during scanning                                            | Yes, when buffering, based on available NGFW memory          |
| Features supported          | Antivirus, IPS, Application Control, Web Content Filtering      | Antivirus, DLP, Web Content Filtering, AntiSpam              |

Because Flow Mode does not unpack compressed files or email/FTP attachments, deploying anti-
malware in Flow Mode may result in decreased detection rate.


Summary
The concept of Next Generation Firewalls developed to address evolving threats as technology itself
evolved. With the rapid rise of technology integration, portability and BYOD models in business,
education, and other environments, combined with more widespread ability for hackers from novices to
experts to develop malicious code, a system deriving from the initial premise of NGFW needed to
develop for the future.

Because of these capabilities and the flexibility to proactively address modern and developing threat
environments across networks of varying sizes, NGFW will be the standard in network firewall
protection at least through 2020…


Key Acronyms
AAA  Authentication, Authorization, and Accounting
AD  Active Directory
ADC  Application Delivery Controller
ADN  Application Delivery Network
ADOM  Administrative Domain
AM  Antimalware
API  Application Programming Interface
APT  Advanced Persistent Threat
ASIC  Application-Specific Integrated Circuit
ASP  Analog Signal Processing
ATP  Advanced Threat Protection
AV  Antivirus
AV/AM  Antivirus/Antimalware
BYOD  Bring Your Own Device
CPU  Central Processing Unit
DDoS  Distributed Denial of Service
DLP  Data Leak Prevention
DNS  Domain Name System
DoS  Denial of Service
DPI  Deep Packet Inspection
DSL  Digital Subscriber Line
FTP  File Transfer Protocol
FW  Firewall
Gb  Gigabyte
GbE  Gigabit Ethernet
Gbps  Gigabits per second
GSLB  Global Server Load Balancing
GUI  Graphical User Interface
HTML  Hypertext Markup Language
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
IaaS  Infrastructure as a Service
ICMP  Internet Control Message Protocol
ICSA  International Computer Security Association
ID  Identification
IDC  International Data Corporation
IDS  Intrusion Detection System
IM  Instant Messaging
IMAP  Internet Message Access Protocol
IMAPS  Internet Message Access Protocol Secure
IoT  Internet of Things
IP  Internet Protocol
IPS  Intrusion Prevention System
IPSec  Internet Protocol Security
IPTV  Internet Protocol Television
IT  Information Technology
J2EE  Java Platform Enterprise Edition
LAN  Local Area Network
LDAP  Lightweight Directory Access Protocol
LLB  Link Load Balancing
LOIC  Low Orbit Ion Cannon
MSP  Managed Service Provider
MSSP  Managed Security Service Provider
NGFW  Next Generation Firewall
NSS  NSS Labs
OSI  Open Systems Infrastructure
OTS  Off the Shelf
PaaS  Platform as a Service
PC  Personal Computer
PCI DSS  Payment Card Industry Data Security Standard
PHP  PHP Hypertext Protocol
POE  Power over Ethernet
POP3  Post Office Protocol (v3)
POP3S  Post Office Protocol (v3) Secure
QoS  Quality of Service
Radius  Protocol server for UNIX systems
RDP  Remote Desktop Protocol
SaaS  Software as a Service
SDN  Software-Defined Network
SEG  Secure Email Gateway
SFP  Small Form-Factor Pluggable
SFTP  Secure File Transfer Protocol
SIEM  Security Information and Event Management
SLA  Service Level Agreement
SM  Security Management
SMB  Small & Medium Business
SMS  Simple Messaging System
SMTP  Simple Mail Transfer Protocol
SMTPS  Simple Mail Transfer Protocol Secure
SNMP  Simple Network Management Protocol
SPoF  Single Point of Failure
SQL  Structured Query Language
SSL  Secure Socket Layer
SWG  Secure Web Gateway
SYN  Synchronization packet in TCP
Syslog  Standard acronym for Computer Message Logging
TCP  Transmission Control Protocol
TCP/IP  Transmission Control Protocol/Internet Protocol (Basic Internet Protocol)
TLS  Transport Layer Security
TLS/SSL  Transport Layer Security/Secure Socket Layer Authentication
UDP  User Datagram Protocol
URL  Uniform Resource Locator
USB  Universal Serial Bus
UTM  Unified Threat Management
VDOM  Virtual Domain
VM  Virtual Machine
VoIP  Voice over Internet Protocol
VPN  Virtual Private Network
WAF  Web Application Firewall
WANOpt  Wide Area Network Optimization
WLAN  Wireless Local Area Network
WAN  Wide Area Network
XSS  Cross-site Scripting


Glossary
Anti-botnet. Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other
coordinated network attacks.

APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access to
a network and stays there undetected for a long period of time. The intention of an APT attack is to steal
data rather than to cause damage to the network or organization. APT attacks target organizations in
sectors with high-value information, such as national defense, manufacturing and the financial industry.

ASIC. Application Specific Integrated Circuits (ASICs) are integrated circuits developed for a particular
use, as opposed to a general-purpose device.

ATP. Advanced Threat Protection relies on multiple types of security technologies, products, and
research, each performing a different role but still working seamlessly together, to combat these
attacks from the network core through the end user device. The 3-part framework is conceptually simple
(prevent, detect, mitigate); however, it covers a broad set of both advanced and traditional tools for
network, application and endpoint security, threat detection, and mitigation.

AV/AM. Anti-virus/Anti-malware provides protection against virus, spyware, and other types of
malware attacks in web, email, and file transfer traffic. Responsible for detecting, removing, and
reporting on malicious code. By intercepting and inspecting application-based traffic and content,
antivirus protection ensures that malicious threats hidden within legitimate application content are
identified and removed from data streams before they can cause damage. Using AV/AM protection at
client servers/devices adds an additional layer of security.

Botnet. A botnet (also known as a zombie army) is a number of Internet computers that, although their
owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to
other computers on the Internet. Any such computer is referred to as a zombie - in effect, a computer
"robot" or "bot" that serves the wishes of some master spam or virus originator.

BYOD. Bring Your Own Device (BYOD) refers to employees taking their own personal device to work,
whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a
Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were
owned by the employee.

Code Emulation. A virtual machine is implemented to simulate the CPU and memory management
systems to mimic the code execution. Thus malicious code is simulated in the virtual machine of the
scanner, and no actual virus code is executed by the real processor.

Cloud Computing. Computing in which large groups of remote servers are networked to allow the
centralized data storage, and online access to computer services or resources. Clouds can be classified
as public, private or hybrid.

Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of
functions, including:
• IP Security (IPSec)
• Firewall
• Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
• Antivirus/Antispyware
• Web Filtering
• Antispam
• Traffic Shaping [7]

Edge Firewall. Implemented at the edge of a network in order to protect the network against potential
attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall—
the gatekeeper.

Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to
the Internet and identify themselves to other devices. IoT is significant because an object that can
represent itself digitally becomes something greater than the object by itself.

IDS. Intrusion Detection System (IDS) detects threats but does not alert the firewall to take any action
against identified threats or unknown traffic.

IPS. Intrusion Prevention System protects networks from threats by blocking attacks that might
otherwise take advantage of network vulnerabilities and unpatched systems. IPS may include a wide
range of features that can be used to monitor and block malicious network activity including: predefined
and custom signatures, protocol decoders, out-of-band mode (or one-arm IPS mode, similar to IDS),
packet logging, and IPS sensors. IPS can be installed at the edge of your network or within the network
core to protect critical business applications from both external and internal attacks.

NGFW. Next Generation Firewall (NGFW) provides multi-layered capabilities in a single firewall
appliance instead of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities
of a traditional firewall with advanced features including:
• Intrusion Prevention (IPS)
• Deep Packet Inspection (DPI)
• Network App ID & Control
• Access Enforcement
• Distributed Enterprise Capability
• “Extra Firewall” Intelligence
• Third Party Management Compatibility
• VPN
• Application Awareness

Sandbox. A sandbox is a security mechanism for separating running programs. It is typically used to
execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users,
and untrusted websites, in an area segmented off from the device/network operating system and
applications.

VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires — usually the
Internet — to connect to a private network, such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.

Web Filtering. Web Filtering technology gives you the option to explicitly allow web sites, or to pass web
traffic uninspected both to and from known-good web sites in order to accelerate traffic flows. The most
advanced web content filtering technology enables a wide variety of actions to inspect, rate, and control
perimeter web traffic at a granular level. Using web content filtering technology, these appliances can
classify and filter web traffic using multiple pre-defined and custom categories.


References
1. Gartner, Next Generation Firewalls will include Intrusion Prevention. 2004.
2. Gartner, Magic Quadrant for Enterprise Network Firewalls. 2008.
3. Gartner, Defining the Next Generation Firewall. 2009.
4. Tam, K., et al., UTM Security with Fortinet: Mastering FortiOS. 2013, Waltham, MA: Elsevier.
5. Tittel, E., Unified Threat Management for Dummies. 2012, Hoboken, NJ: John Wiley & Sons.
6. Miller, L., Next-Generation Firewalls for Dummies. 2011, Wiley Publishing, Inc.: Indianapolis, IN.
7. UAB, M., Fortinet Secure Gateways, Firewalls. 2013.
