New Member
Posts: 5
Registered: ‎03-12-2014
Accepted Solution

NGFW (Next-Generation Firewall)

Does anyone know if EdgeOS supports NGFW application layer filtering? Or if a soon-to-be-released firmware update will do so? I'm starting to get inquiries from clients who are under HIPAA and SOX mandates about the ability of their firewall to stop attacks aimed at OSI layers 4-7.


Accepted Solutions
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5429
Solutions: 1656
Contributions: 2

Re: NGFW (Next-Generation Firewall)

That is something we are looking into but at this point we do not have a time estimate yet.


All Replies
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5429
Solutions: 1656
Contributions: 2

Re: NGFW (Next-Generation Firewall)

Depending on the exact requirements, if for example application-layer deep packet inspection is required, that is not currently supported, but as discussed before we are looking into possibly adding such features in the future.

New Member
Posts: 5
Registered: ‎03-12-2014

Re: NGFW (Next-Generation Firewall)

DPI is the main feature I was asking about... sure is hard to keep ahead of the bad guys! Any "best guesses" about the timeframe for getting that feature? It's available in some of the routers from Cisco, SonicWall and Juniper (among others), but my clients are all small businesses, and those are priced WAY out of their league!

Member
Posts: 276
Registered: ‎09-14-2009
Kudos: 132
Solutions: 18

Re: NGFW (Next-Generation Firewall)

[ Edited ]

I think NGFW or similar are mostly marketing terms and used to attract people to security seminars, rather than an industry standard.

There have been products with layer 4 - 7 filtering throughout the years and, like with "thin-client", these themes or types of features come and go in cycles according to the fashion of the day.

The usual arguments about layer 4 - 7 filtering revolve around how much throughput you are willing to sacrifice to implement it, or spend on more powerful hardware, as it usually takes more CPU power to inspect more of the packet headers or indeed analyse the content itself (historical examples include stripping Javascript out of web pages - this is much more likely to break web content nowadays so such implementations have to evolve with the times).

I expect over time you may see various CPU offloading schemes or indeed ASICs or FPGAs being used to implement this kind of filtering, but not all vendors would want to design hardware against a moving target - and it would probably need to be a re-programmable hardware implementation.

New Member
Posts: 5
Registered: ‎03-12-2014

Re: NGFW (Next-Generation Firewall)

Thanks for all the fast replies! I agree with pretty much all of it. My hope is that with the 1+ million packets per second throughput that the EdgeRouters have, DPI might be feasible on this platform, especially for smaller installations (most of my clients are in the 2 to 25 user range, so they wouldn't necessarily need the kind of hardware the other guys are selling to enterprise-level customers).

Member
Posts: 276
Registered: ‎09-14-2009
Kudos: 132
Solutions: 18

Re: NGFW (Next-Generation Firewall)

[ Edited ]

As of now you can use an EdgeRouter for the routing tasks but transparently proxy certain types of traffic to another box for analysis.

Ubiquiti have provided examples for a separate web proxy and that approach could be extended and used with something running dansguardian, snort or other types of (software) filters.

Depending on the configuration used, I believe the traffic that is not subject to the "modify" firewall action (to divert it via the proxy) can still be hardware offloaded but don't quote me on that. If so that would be a way to have both elements in your setup and be able to choose the second box according to budget.

Member
Posts: 137
Registered: ‎11-16-2013
Kudos: 55
Solutions: 5

Re: NGFW (Next-Generation Firewall)

In my perspective, Palo Alto Networks coined the term NGFW to mean that they could detect a number of applications regardless of the ports they were on.

Regular Member
Posts: 615
Registered: ‎04-08-2013
Kudos: 358
Solutions: 59

Re: NGFW (Next-Generation Firewall)

I'm a bit cynical about "DPI". Depth can be quite shallow when encryption, e.g. TLS, is used.

When encrypted communications become the norm, "DPI" and the like become an endpoint responsibility: a service feature, not a network feature.

"DPI" is a misnomer in any case; traffic analysis is a better term.

And yes, I know that there are some who will try anyway, terminating encryption at or ahead of a "DPI" appliance in order to enable "inspection". Their life will be more difficult than those who relegate that responsibility to the services to be protected. And those who additionally see potential benefit from such a network bottleneck appliance having a commanding view of all communications should consider that the same prospect can be obtained from a synthesis of intelligence obtained from individual services.

The next generation in information security will be accompanied by d16n.
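
Two points in this thread are easy to make concrete in code: the earlier reply's definition of NGFW as identifying applications regardless of the port they run on, and the point above that once a flow is TLS the "depth" of inspection stops at the handshake. The block below is an added example written for this page, not code from the thread or from Ubiquiti. It classifies a flow from its first client-to-server bytes rather than from the destination port, flags flows whose content does not match the well-known service on that port, and for TLS pulls out the only application-layer field a middlebox still sees in the clear, the SNI hostname in the ClientHello. The sample flows and the minimal ClientHello builder are constructed for the example; the handful of protocol fingerprints are assumptions for illustration, not a complete signature set.

```python
"""
Added example (not from the thread): port-agnostic application identification
from the first payload bytes of a flow, plus SNI extraction from a TLS
ClientHello to show how little of a TLS flow is visible to an inspector.
"""
import struct

# Constructed for the example: what a port-based rule would expect to see.
WELL_KNOWN = {22: "ssh", 80: "http", 443: "tls"}


def identify_app(payload: bytes) -> str:
    """Classify a flow by its first client-to-server bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):                       # SSH identification string
        return "ssh"
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03" and payload[5:6] == b"\x01":
        return "tls"                                      # handshake record, ClientHello
    if payload[:1] == b"\x17" and payload[1:2] == b"\x03":
        return "tls-encrypted"                            # application_data record: opaque
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith(b"HTTP/"):
        return "http"                                     # request line: METHOD SP target SP HTTP/x.y
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello carrying an SNI extension (sample input)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)          # client_version, random (zeros: sample only)
            + b"\x00"                         # session_id length 0
            + b"\x00\x02" + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                     # one compression method: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello, or None if absent or malformed."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 9                                         # record header (5) + handshake header (4)
        p += 2 + 32                                   # client_version, random
        p += 1 + payload[p]                           # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher_suites
        p += 1 + payload[p]                           # compression_methods
        ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                            # server_name extension
                q = p + 2                             # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = payload[q]
                    nlen = struct.unpack("!H", payload[q + 1:q + 3])[0]
                    if ntype == 0:
                        return payload[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                   # truncated or malformed: do not guess
    return None


def inspect_flow(dst_port: int, payload: bytes) -> dict:
    """What a port-agnostic inspector can say about a flow from its first bytes."""
    app = identify_app(payload)
    expected = WELL_KNOWN.get(dst_port)
    result = {"app": app, "port_mismatch": expected is not None and expected != app}
    if app == "tls":
        result["sni"] = extract_sni(payload)
        result["visible"] = "handshake metadata only"
    elif app == "tls-encrypted":
        result["visible"] = "nothing (encrypted)"
    elif app == "http":
        result["visible"] = "full request"
    return result


# Constructed sample flows (destination port, first client bytes).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (443, build_client_hello("portal.example")),
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),                  # SSH on 443 to dodge a port-based rule
    (443, b"\x17\x03\x03\x00\x20" + bytes(32)),        # mid-flow TLS application data
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, inspect_flow(port, data))
```

The third sample flow is the case a port-only firewall cannot catch: SSH on tcp/443 is allowed by a rule that permits "HTTPS", but the content check flags it. The second and fourth show the limit of inspection under TLS: the ClientHello yields a hostname, and nothing after it yields anything, which is the reason the post above calls this traffic analysis rather than deep inspection.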

Member
Posts: 137
Registered: ‎11-16-2013
Kudos: 55
Solutions: 5

Re: NGFW (Next-Generation Firewall)

A lot of sensitive research institutions have been doing this forever. They needed to be secure, but every machine was publicly addressable on the internet and potentially reachable. In these scenarios the individual elements of the infrastructure trust each other less, and there are fewer elements of shared infrastructure.

The issue that makes people feel comfortable about perimeters and uncomfortable with these designs is that the perception is that the "attack surface" is smaller. This is especially pronounced when there are shared services that all machines in the organization can access.
