03-12-2014 03:41 PM
Does anyone know if EdgeOS supports NGFW application layer filtering? Or if a soon-to-be-released firmware update will do so? I'm starting to get inquiries from clients who are under HIPAA and SOX mandates about the ability of their firewall to stop attacks aimed at OSI layers 4-7.
03-12-2014 03:46 PM
Depending on the exact requirements, if for example application-layer deep packet inspection is required, that is not currently supported, but as discussed before we are looking into possibly adding such features in the future.
03-12-2014 03:50 PM
DPI is the main feature I was asking about... sure is hard to keep ahead of the bad guys! Any "best guesses" about the timeframe for getting that feature? It's available in some of the routers from Cisco, SonicWall and Juniper (among others), but my clients are all small businesses, and those are priced WAY out of their league!
03-12-2014 04:03 PM - edited 03-12-2014 04:09 PM
I think NGFW or similar are mostly marketing terms and used to attract people to security seminars, rather than an industry standard.
There have been products with layer 4 - 7 filtering throughout the years and, like with "thin-client", these themes or types of features come and go in cycles according to the fashion of the day.
I expect over time you may see various CPU offloading schemes or indeed ASICs or FPGAs being used to implement this kind of filtering, but not all vendors would want to design hardware against a moving target - and it would probably need to be a re-programmable hardware implementation.
03-12-2014 04:20 PM
Thanks for all the fast replies! I agree with pretty much all of it. My hope is that with the 1+ million packets per second throughput that the EdgeRouters have, DPI might be feasible on this platform, especially for smaller installations (most of my clients are in the 2 to 25 user range, so they wouldn't necessarily need the kind of hardware the other guys are selling to enterprise-level customers).
03-12-2014 04:30 PM - edited 03-12-2014 04:31 PM
As of now you can use an EdgeRouter for the routing tasks but transparently proxy certain types of traffic to another box for analysis.
Ubiquiti have provided examples for a separate web proxy and that approach could be extended for use with something running dansguardian, snort or other types of (software) filters.
Depending on the configuration used, I believe the traffic that is not subject to the "modify" firewall action (to divert it via the proxy) can still be hardware offloaded but don't quote me on that. If so that would be a way to have both elements in your setup and be able to choose the second box according to budget.
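As an added illustration (not configuration from the original post or from Ubiquiti's published proxy example), the diversion described above can be expressed in EdgeOS configure-mode commands using a "modify" ruleset and a secondary routing table. The addresses, the interface (eth1 as the LAN side), the ruleset name DIVERT_WEB and the analysis box at 192.168.1.10 are all constructed for this example; only HTTP (tcp/80) is diverted, and the analysis box's own traffic is exempted so that its outbound fetches are not looped back to it.

```text
configure

# Constructed example: LAN 192.168.1.0/24 on eth1, analysis/proxy box at 192.168.1.10
set firewall group address-group PROXY_BOX address 192.168.1.10

# Rule 5: never divert the analysis box's own traffic, or its upstream fetches loop back to itself
set firewall modify DIVERT_WEB rule 5 description 'exempt analysis box'
set firewall modify DIVERT_WEB rule 5 source group address-group PROXY_BOX
set firewall modify DIVERT_WEB rule 5 action accept

# Rule 10: mark client HTTP so it is routed via table 1 instead of the main table
set firewall modify DIVERT_WEB rule 10 description 'divert LAN HTTP to analysis box'
set firewall modify DIVERT_WEB rule 10 protocol tcp
set firewall modify DIVERT_WEB rule 10 destination port 80
set firewall modify DIVERT_WEB rule 10 action modify
set firewall modify DIVERT_WEB rule 10 modify table 1

# Table 1: default route points at the analysis box rather than the WAN gateway
set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.1.10

# Apply the ruleset inbound on the LAN interface, i.e. to traffic arriving from the clients
set interfaces ethernet eth1 firewall in modify DIVERT_WEB

commit
save
exit
```

The box at 192.168.1.10 has to be prepared to accept connections that were not addressed to it (a transparent/intercept-mode proxy such as Squid, optionally with dansguardian or snort in front of it); the router only changes which next hop the packets take. Everything that does not match rule 10 keeps following the main routing table, and whether that traffic remains hardware-offloaded after the commit is best confirmed on the device with "show ubnt offload" rather than assumed.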
03-12-2014 11:41 PM
I'm a bit cynical about "DPI". Depth can be quite shallow when encryption, e.g. TLS, is used.
When encrypted communications become the norm, "DPI" and the like become an endpoint responsibility: a service feature, not a network feature.
"DPI" is a misnomer in any case; traffic analysis is a better term.
And yes, I know that there are some who will try anyway, terminating encryption at or ahead of a "DPI" appliance in order to enable "inspection". Their life will be more difficult than those who relegate that responsibility to the services to be protected. And those who additionally see potential benefit from such a network bottleneck appliance having a commanding view of all communications should consider that the same prospect can be obtained from a synthesis of intelligence obtained from individual services.
The next generation in information security will be accompanied by d16n.
03-13-2014 08:22 PM
A lot of sensitive research institutions have been doing this forever. They need to be secure, but every machine was publicly addressable on the internet and potentially reachable. In these scenarios the individual elements of the infrastructure trust each other less, and there are fewer elements of shared infrastructure.
The issue that makes people feel comfortable about perimeters and uncomfortable with these designs is that the perception is that the "attack surface" is smaller. This is especially pronounced when there are shared services that all machines in the organization can access.