1. Granular Application Control

This refers to the ability to do more than simply block a website or block an application from a website or an application server, but actually understand the application and block the functions within that application. Similar to a dimmer switch, the settings can be turned up or down. A great example is Facebook. Perhaps your marketing team needs to use Facebook, however, you don’t want your marketing team playing Facebook games. You can give them the ability to access Facebook and post things on your company page like, “This is what’s happening new in our company,” and encourage followers, but they can’t play the games. Another example is the HR department. Maybe they need to check someone’s profile, you can allow HR to check profiles, but not post status updates. Being able to allow people to have access to applications on the internet, but limit what they can do within those applications keeps up productivity.

2. User and Group Specific Policy

This enables you to apply policy based on your active directory, or whatever directory you use for people to authenticate to the network. Applying this to our previous examples, we will look at the HR department. Let’s say you have an active directory group of HR employees, you can apply policy based on their membership to that active directory group. Meaning that you don’t have to recreate your users and your groups on the firewall, you simply have the firewall query active directory or LDAP and find out if this user that’s trying to access the internet is a member of a group. If they’re a member of the “HR group”, apply these certain policies. As a member of HR, they’re allowed to access Facebook, but they’re not allowed to play games, they can only check profiles. If they’re a member of marketing they have access to Facebook, but they’re only allowed to post things about the company. They aren’t allowed to go and do other applications or activities on Facebook. This creates the ability to apply specific restrictions.

Also related to this, is knowing what people are doing. Instead of having an IP address showing “this IP address went to this website”, it will say “Bill Jones” went to that website, because we’re directory aware, whether that’s active directory or another directory, we know who the person is. It’s not just their IP address, it is “Sally Smith” who went to that website, thus we’re aware of who that user is and our reports show that information. This is much more useful than an IP address that you somehow have to equate to one of many users.

3. SSL Decryption

SSL encryption hides a lot of nasty things that people are doing when they go out on https (encrypted protocol). Since it’s encrypted, we can’t look at it or see what they’re doing. However, Next Generation Firewalls are now able to act like a middle man. They include a technique where “we” insert ourselves into the middle, and are able to decrypt traffic, then re-encrypt it. So, when a user goes out to a website that’s encrypted, we are ready in the middle. The firewall can actually terminate the encryption session, de-encrypt it, and then analyze what they’re doing. If it’s legitimate, it’s re-encrypted and allowed to go its merry way, and the return traffic is handled in the same manner.

Now we can actually allow users to use encrypted protocols, but can see what they’re doing inside of that. There are obviously security concerns in that, but we have granularity. We can say, “You know what? If they’re going to their healthcare website or financial website, like their doctor or their bank, don’t de-encrypt that, let that go straight through.” However, if they’re going out to their email, their Gmail account, Facebook, etc., those are the sessions we want to de-encrypt, inspect, then re-encrypt if it’s legitimate traffic. This allows us to have granular control of everything we do, this way we don’t step onto any land mines and actually start looking at anyone’s personal information, such as banking or medical, but are still able to control their activities when they’re going to places like Facebook.

4. Advanced Reporting

Since we have all this visibility, and we can see who is doing certain things, both encrypted and unencrypted traffic, and it’s assigned to a specific user, and assigned to a specific application, we can actually give very advanced and detailed reporting about what people are doing. Instead of it being an IP address which represents a user somehow and a port number which maybe represents an application, (good luck if it’s port 80, basically all applications are running over port 80 or http) instead it’s a user “Bob Smith” and SAP, Facebook or any other application. We can now see the granular reporting of exactly who is doing what in which application. The reporting is extremely detailed, sophisticated and informative because it’s using actual user and application names, not IP addresses and port numbers.

5. Behavioral Based Detection

Behavioral based detection means, being able to look for not only signatures, but at the behavior of an application or a document to see if it’s doing something malicious. This helps us with zero day exploits. Many applications, DLLs, executables, or documents like PDFs, can actually execute scripts. Those documents and executables can be malicious and if there’s not a signature out for them, they’re going to flow right through. With behavioral based detection, what we do is implement that executable or open that document and watch what it does.

The Next Gen Firewall has a sand box, usually up in the cloud, when it sees an executable or a document with scripts, such as a PDF, that it hasn’t seen before, it sends that document or executable up to the sand box. The sand box is a simulated windows environment and will open that document or execute that executable in a simulated environment and observe its actions.

If it does anything malicious or suspicious, like trying to edit the registry, rename system files, disable the antivirus, turn off the firewall, etc., it will see that and realize by its behavior that it’s a malicious code and mark it as bad. Now, the first person that this goes through is still going to get it, because we can’t slow down people’s access of files. So what it does, is it makes a copy of that executable or document that it’s never seen before, does the sand box functionality, but lets it flow through. It sees within a few minutes or seconds and realizes that the file was a bad, malicious document or executable and then flags it. Anyone else who’s a part of the network will know about it and now there will be a “signature” for that one. As for you, the administrator, if you’re the lucky one that got that first document that’s never been seen before, you will at least be alerted that it made it through and it’s malicious. You can then go chase it down. Behavioral based detection is a big step forward in getting zero day detection for brand new viruses, malware, etc.

Post Author: Dave Norwood, President, Trusted Network Solutions

This post was initially posted here & has been reproduced with permission.