
Study Guide for NSE 1: Next Generation Firewall (NGFW)

February 1, 2016

This Study Guide is designed to provide information for the Fortinet
Network Security Expert Program Level 1 curriculum. The study
guide presents discussions on concepts and equipment necessary as a
foundational understanding for modern network security prior to
taking more advanced and focused NSE program levels.

Fortinet Network Security Solutions

Contents
Figures
Tables
Next Generation Firewall (NGFW)
Technology Trends
NGFW Characteristics: Fundamental Changes
NGFW Evolution
Traditional NGFW Capabilities
NGFW Functions
Extended NGFW Capabilities
Sandboxes and APT
Advanced Persistent Threats (APT)
Advanced Threat Protection (ATP)
NGFW Deployment
Edge vs. Core
NGFW vs. Extended NGFW
Summary
Key Acronyms
Glossary
References

Figures
Figure 1. Bring Your Own Device (BYOD) practices in 2011.
Figure 2. Edge firewall vs. NGFW traffic visibility.
Figure 3. Traditional port configuration example.
Figure 4. NGFW configuration example by application, user ID.
Figure 5. NGFW evolution timeline.
Figure 6. Intrusion Prevention System (IPS).
Figure 7. Deep Packet Inspection (DPI).
Figure 8. Network application identification and control.
Figure 9. Access enforcement (User identity).
Figure 10. NGFW distributed enterprise-level capability.
Figure 11. Extra-firewall intelligence IP list assignment.
Figure 12. Notional network with managed security (MSSP).
Figure 13. Application awareness: The NGFW application monitoring feature.
Figure 14. Extending NGFW with Advanced Threat Protection (ATP).
Figure 15. Authentication functions integrated into NGFW.
Figure 16. Web filtering profile control.
Figure 17. Antivirus/malware.
Figure 18. Anti-botnet protection.
Figure 19. Web filtering capability.
Figure 20. Sandbox deployed with NGFW Solution.
Figure 21. The NGFW three-step approach to APT.
Figure 22. Advanced Threat Protection (ATP) model.
Figure 23. NGFW deployment to edge network
Figure 24. Current NGFW vs. Extended NGFW capabilities.

Tables
Table 1. Comparative security features of edge firewalls vs. NGFW.
Table 2. Comparison between flow-based and proxy-based inspections

Next Generation Firewall (NGFW)
Just because you're paranoid that hackers are trying to steal your data
doesn't mean they're not really out to get you!

Early firewalls acted much like a fire door in a building: if something bad was happening in the hallway,
it protected what was in your room and other parts of the building. As personal computers became
more affordable and digital portable devices became more widespread, system and network threats
evolved as well, creating a need for protection technology able to evolve along with, or ahead of,
advanced threats. Legacy firewalls operated on the basis of port access, using source/destination IP
addresses or TCP/UDP port data to discern whether packets should be allowed to pass between
networks or be blocked or rejected. Most firewall configurations allowed all traffic from trusted
networks to pass through to untrusted networks, unless policy exceptions were implemented. In closed
networks and the early days of the Internet, this was a viable option. This predominantly static firewall
configuration model no longer provides adequate protection against advanced and emerging system
and network threats to large, distributed enterprise businesses and organizations having to serve
customers, clients, and employees in an ever-evolving mobile environment.

Technology Trends
Trends in information technology development and employment over the last 15 years have led to a
need to rethink the methodology behind modern network security. To further exacerbate this challenge,
these trends occurred simultaneously across major industry, all levels of business, and personal
consumer environments.
Consumerization of IT has resulted in IT-enabled devices, such
as smartphones, digital music and video players, recorders,
cameras, and others, becoming so commonplace in the market
that their lower pricing resulted in an explosion of individual
consumers acquiring technology-enabled devices for personal
use. This extends beyond the obvious devices listed above. IT-enabled devices now include such appliances as
refrigerator/freezers, home security systems, personal home networks that include WiFi-enabled
televisions, stereos, and even the automated "smart house." In other words, what we have to be
mindful of today is the Internet of Things (IoT) when we acquire devices and appliances.
Because consumers have embraced technology devices for both communication and information
sharing, Social Media enterprise has been embraced at the business level as a way to reach consumer
markets and supplement Web and traditional marketing and communication pathways. With so many
applications, especially social media, being cloud based, the challenge of network security expands
beneath the surface of traffic and into substance.

With the proliferation of inexpensive, technology-enabled devices interacting with business networks,
including both external users and those using personal devices for work purposes (Bring Your Own
Device, BYOD), the question becomes one of how to provide security, network visibility, control, and
user visibility simultaneously without an exponential increase in required resources (Figure 1).

Figure 1. Bring Your Own Device (BYOD) practices in 2011.

NGFW Characteristics: Fundamental Changes


The primary benefit of NGFW is visibility and control of traffic entering the firewall ports. In legacy
firewalls, ports were opened and closed, or protocols allowed or disallowed, without consideration
beyond basic characteristics.

Figure 2. Edge firewall vs. NGFW traffic visibility.


With NGFW, administrators are provided finer granularity that provides deeper insight into the traffic
attempting to access the network (Figure 2). This includes deeper visibility of users and devices, as well
as the ability to allow or limit access based on specific applications and content rather than accepting or
rejecting any traffic using a particular transmission protocol. This is the primary difference that
separates traditional and next generation firewalls (NGFW).

With a traditional firewall, traffic is accepted based on identification criteria of designated port and IP
address. Conversely, traffic is accepted with NGFW based on user ID (not port) and both the IP address
and traffic content. The diagrams in Figures 3 and 4 illustrate better the visibility and control capability
provided when NGFW is integrated into the network security architecture, supplanting the legacy edge
firewall.
When comparing the granularity in how
traditional and legacy firewalls assess data,
note that in NGFW the ports are identified with
traffic flowing through them as well as specific
information about the user sending the traffic,
traffic origin, and the type (content) of traffic
being received. This information goes beyond
the basic link level and brings security into OSI
levels 3 & 4 (application security capability).
Figure 3. Traditional port configuration example.

Figure 4. NGFW configuration example by application, user ID.


In addition to enhanced visibility over traffic, NGFW provides enhancements in both complex security
protection and administrator control simplicity over traditional firewalls, as compared in Table 1.
Table 1. Comparative security features of edge firewalls vs. NGFW.
Edge Firewall               NGFW
Gatekeeper                  Gatekeeper
ISO/OSI L4 Port Protocol    Application-Centric (Content Flow) Protocol
Basic Security + Add-ons    Integrated Security Solutions
Complex Architecture        Integrated Architecture
Complex Control             Simplified Control
Simple Moderate Security    Integrated Complex Security

NGFW Evolution
Referring to an evolving technology offering high-performance protection, Next Generation Firewalls
(NGFW) provide solutions against a wide range of advanced threats against applications, data, and
users. Going beyond standard firewall protections, NGFW integrates multiple capabilities to combat
advanced and emerging threats. These capabilities include intrusion prevention system (IPS), deep
packet scanning, network application identification and control, and access enforcement based on user
identity verification. Emerging tools include Advanced Threat Protection (ATP) to mitigate multi-vector,
persistent network or system attacks against large and distributed enterprise networks.
The concept of NGFW (Figure 5) was first coined by Gartner in 2004 in their paper discussing the need
for integrated IPS coupled with Deep-Packet Inspection and general application-inspection capabilities
into firewalls [1]. In 2008, Gartner redefined NGFW as security devices including an enterprise-level
firewall integrating IPS or Deep Packet Inspection, Application Identification, and extra-firewall
intelligence (such as Web Content Filter), but allowing for interoperability with third-party rule
management technology [2]. In 2009, Gartner published a new definition of NGFW, defining the
characteristics as including VPN, integrated IPS interoperability with firewall components, application
awareness, and extra-firewall intelligence [3].

Figure 5. NGFW evolution timeline.

Traditional NGFW Capabilities


Traditional NGFW provides solutions against a wide range of advanced threats against applications,
data, and users. Traditional enterprise network security solutions such as legacy firewalls and standalone intrusion detection/prevention systems (IPS) are no longer adequate to protect against today's
sophisticated attacks. In order to defend networks against the latest threats, NGFWs should include, at a
minimum, the ability to identify and control applications running over a network, an integrated intrusion
prevention system (IPS) with deep packet scanning capabilities, and the ability to verify a user's or
device's identity and enforce access policies accordingly.
However, advanced threats require advanced protection. Some NGFW devices, such as the FortiGate
line, include additional technologies that provide you with a real-time ranking of the security risk of
devices on your network and cloud-based threat detection and prevention. Traditional NGFW integrates
multiple capabilities to combat emerging threats.


Figure 6. Intrusion Prevention System (IPS).


Intrusion Prevention System (IPS). Sometimes called integrated IDS/IPS. Monitors network and directs
firewall to allow or block traffic. Intrusion Detection System (IDS) detects threats but does not alert the
firewall to take action against identified threats or unknown traffic. IDS is integrated into IPS technology.
IPS has been used as part of edge-based protection as a firewall enhancement; however, it is more
effective to tie it into network segregation, enabling protection against both internal and external
attacks against critical servers (Figure 6) [4].

Figure 7. Deep Packet Inspection (DPI).


Deep Packet Inspection (DPI). Examining the payload or data portion of a network packet as it passes
through a firewall or other security device (Figure 7). DPI identifies and classifies network traffic based
on signatures in the payload [5]. Examines packets for protocol errors, viruses, spam, intrusions, or policy
violations.


Figure 8. Network application identification and control.


Network Application Identification & Control. Traditional firewall protection detects and restricts
applications by port, protocol and server IP address, and cannot detect malicious content or abnormal
behavior in many web-based applications (Figure 8). Next Generation Firewall (NGFW) technology with
Application Control allows you to identify and control applications on networks and endpoints
regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over
application traffic, even unknown applications from unknown sources and inspects encrypted
application traffic. Protocol decoders normalize and discover traffic from applications attempting to
evade detection via obfuscation techniques. Following identification and decryption, application traffic
is either blocked, or allowed and scanned for malicious payloads. In addition, application control
protocol decoders detect and decrypt tunneled IPsec VPN and SSL VPN traffic prior to inspection,
ensuring total network visibility. Application control even decrypts and inspects traffic using encrypted
communications protocols, such as HTTPS, POP3S, SMTPS and IMAPS.

Figure 9. Access enforcement (User identity).

Access Enforcement (User Identity). When a user attempts to access network resources, Next
Generation Firewalls (NGFW) allow identification of the user from a list of names, IP addresses and
Active Directory (AD) group memberships that it maintains locally. The connection request will be
allowed only if the user belongs to one of the permitted user groups, and the assigned firewall policy
will be applied to all traffic to and from that user (Figure 9).
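
The contrast drawn above between port-based filtering, application control and user-identity enforcement can be seen in a small model. This is an added example, not Fortinet code: the addresses, users, groups, signature table and policy are constructed for illustration, and real application control relies on protocol decoders and heuristics rather than simple prefix matching.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Legacy firewall: trusted source network plus a set of open ports -------
TRUSTED_NET = ip_network("10.0.0.0/24")          # constructed internal network
LEGACY_OPEN_PORTS = {("tcp", 80), ("tcp", 443)}  # constructed rule set

# --- NGFW inputs (all constructed for this example) --------------------------
# Leading payload bytes used to recognise an application on any port.
APP_SIGNATURES = {
    "http": (b"GET ", b"POST ", b"HEAD "),
    "ssh": (b"SSH-2.0-",),
    "bittorrent": (b"\x13BitTorrent protocol",),
}

# Locally maintained identity table: source IP -> (user name, group memberships).
USERS_BY_IP = {
    "10.0.0.11": ("alice", {"staff"}),
    "10.0.0.12": ("bob", {"staff"}),
    "10.0.0.13": ("carol", {"staff", "admins"}),
}

# Policy rows: (required group, application, action). First match wins,
# anything unmatched is denied.
NGFW_POLICY = [
    ("staff", "bittorrent", "deny"),
    ("admins", "ssh", "allow"),
    ("staff", "http", "allow"),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    payload: bytes  # first bytes sent by the client


def legacy_decision(flow: Flow) -> str:
    """Port-based decision: only source network, protocol and port are seen."""
    trusted = ip_address(flow.src_ip) in TRUSTED_NET
    port_open = (flow.protocol, flow.dst_port) in LEGACY_OPEN_PORTS
    return "allow" if trusted and port_open else "deny"


def identify_application(payload: bytes) -> str:
    """Classify by payload content, ignoring the port the traffic arrived on."""
    for app, prefixes in APP_SIGNATURES.items():
        if payload.startswith(prefixes):
            return app
    return "unknown"


def ngfw_decision(flow: Flow):
    """Return (action, user, application) using identity and content."""
    user, groups = USERS_BY_IP.get(flow.src_ip, (None, set()))
    app = identify_application(flow.payload)
    if user is None:                      # unidentified user: no group can match
        return ("deny", None, app)
    for group, rule_app, action in NGFW_POLICY:
        if group in groups and rule_app == app:
            return (action, user, app)
    return ("deny", user, app)            # default deny


# Constructed sample flows.
SAMPLE_FLOWS = [
    # Ordinary web request from a known staff user.
    Flow("10.0.0.11", "203.0.113.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    # Peer-to-peer handshake sent to port 80: looks like web traffic by port only.
    Flow("10.0.0.12", "203.0.113.20", 80, "tcp", b"\x13BitTorrent protocol" + bytes(8)),
    # Administrator SSH session on a non-standard port.
    Flow("10.0.0.13", "10.0.1.5", 2222, "tcp", b"SSH-2.0-OpenSSH_9.6\r\n"),
    # Web request from an address with no identified user.
    Flow("10.0.0.99", "203.0.113.10", 80, "tcp", b"GET / HTTP/1.1\r\n"),
]


def compare(flows=SAMPLE_FLOWS):
    """Return (legacy action, NGFW action, user, application) per flow."""
    return [(legacy_decision(f), *ngfw_decision(f)) for f in flows]


if __name__ == "__main__":
    for row in compare():
        print("legacy=%-5s ngfw=%-5s user=%-5s app=%s" % row)
```

The second and fourth flows are accepted by the port rule but denied once application and user identity are part of the decision, while the third shows the reverse: an authorised application allowed on a port the legacy rule set never opened.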

Figure 10. NGFW distributed enterprise-level capability.


Distributed Enterprise-level Capability. Capable of operating in large, distributed enterprise networks.
The foundation of the enterprise campus offering is a high performance next generation firewall (NGFW)
that adds intrusion prevention, application control and antimalware to the traditional firewall/VPN
combination (Figure 10). In particular, Fortinet NGFWs:
• Provide fine-grained, user- or device-based visibility and control over more than 3000 discrete
  applications to establish/enforce appropriate policies.
• Include powerful intrusion prevention, looking beyond port and protocol to actual content of
  your network traffic to identify and stop threats.
• Leverage top rated antimalware to proactively detect malicious code seeking entry to the
  network.
• Deliver actionable application and risk dashboards/reports for real-time views into network
  activity.
• Run on purpose-built appliances with Custom ASICs for superior, multi-function performance,
  even over encrypted traffic.


Figure 11. Extra-firewall intelligence IP list assignment.


Extra-firewall Intelligence. This provides the ability to create lists for access or denial of external
traffic to the network. These lists may be designated by IP address. List types include:
• White List. Designated sources considered trusted and will be allowed access to the network.
• Black List. Designated sources considered not trusted and will be denied access to the network.
A key point to this function is that the source is based on an address; therefore, access does not relate
to any specific type of information that may be carried on traffic from that source. This is a surface
screening rather than a content screening function.

Figure 12. Notional network with managed security (MSSP).

Interoperable with Third-Party Management. Enterprise-class appliances deliver the comprehensive
security solution Managed Security Service Providers (MSSPs) require. They allow you to utilize the full
suite of ASIC-accelerated security modules for customizable value-added features for specific customers.
NGFW appliances include the ability to create multi-tenant virtual security networks, supporting up to
5,000 separate Virtual Domains (VDOMs) in a single device. The full suite of integrated management
applications, including granular reporting features, offers unprecedented visibility into the security
posture of customers while identifying their highest risks (Figure 12).
VPN. Virtual Private Network (VPN) technology allows organizations to establish secure communications
and data privacy between multiple networks and hosts using IPSec and secure sockets layer (SSL) VPN
protocols. Both VPN services leverage custom ASIC network processors to accelerate encryption and
decryption of network traffic. Once the traffic has been decrypted, multiple threat inspections,
including antivirus, intrusion prevention, application control, email filtering and web filtering, can be
applied and enforced for all content traversing the VPN tunnel.

Figure 13. Application awareness: The NGFW application monitoring feature.


Application Awareness. While establishing port and protocol are important first steps in identifying
traffic, positive identification of application traffic is an important capability added by NGFW, requiring a
multi-factor approach independent of port, protocol, encryption, or evasive measures (Figure 13).
Application awareness includes protocol detection and decryption, protocol decoding, signature
identification, and heuristics (behavioral analyses). [6]

NGFW Functions
Two important functions of NGFW are to detect threats and prevent them from exploiting system or
network vulnerabilities. The best way to detect threats is to deploy an Intrusion Detection System (IDS)
as part of the network architecture. In order to prevent identified threats from exploiting existing
vulnerabilities, an Intrusion Prevention System (IPS) should be deployed. The purpose of IPS is to react to
detected threats to a network in order to block intrusion by traffic attempting to take advantage of
system vulnerabilities, deviations from standard protocols, or attacks generated by trusted sources [4].
NGFW appliances provide integrated capability for IDS and IPS to both detect and prevent intrusion and
exploitation of protected networks.
Another function of NGFW is providing Secure Socket Layer (SSL)-Encrypted Traffic Inspection. This type
of inspection protects endpoint clients as well as Web and application servers from potentially hidden
threats. SSL Inspection intercepts and inspects encrypted traffic for threats before routing it to its
destination and can be applied to client-oriented traffic, such as users connected through a cloud-based
site, or to Web and application server traffic. Using SSL inspection allows policy enforcement on
encrypted Web content to prevent potential intrusion from malicious traffic hidden in SSL content. Like
other inspection protocols, however, the tradeoff to enabling SSL inspection is a decrease in throughput
speed.

Extended NGFW Capabilities


Beyond the capabilities defined by Gartner for NGFW, added capabilities focused on advanced and
emerging threats are clearly needed. Particularly within enterprise network security infrastructure, there
is a need to protect against new and evolving classes of highly targeted and tailored attacks designed to
bypass common defenses. Because of these advanced and evolving threats, additional
defenses, referred to by Fortinet as Advanced Threat Protection (ATP), include anti-virus/malware,
anti-botnet, web filtering, code emulation, and sandboxing. Integration of these additional capabilities
appears in Figure 14.


Figure 14. Extending NGFW with Advanced Threat Protection (ATP).

When integrated with NGFW, capabilities of ATP enhance security by providing additional protections
against evolving threats, including:
• Dual-level sandboxing, allowing code activity examination in simulated and virtual environments
  to detect previously unidentified threats.
• Detailed reporting on system, process, file, and network behavior, including risk assessments.
• Secure Web Gateway through adding web filtering, botnet, and call back detection, preventing
  communications with malicious sites and IPs.
• Option to share identified threat information and receive updated in-line protections.
• Option to integrate with other systems to simplify network security deployment.

With the continued shift toward mobile and BYOD practices, integrated user authentication takes on
increased importance in visibility and control of applications being employed by network users. With the
sophistication of advanced and evolving threats, use of two-factor (or strong) authentication has
become more prevalent. In addition to the capabilities discussed previously as additive measures to the
NGFW, a number of strong authentication factors may also be enabled:

• Hardware, software, email, and SMS tokens
• Integration with LDAP, AD, and RADIUS
• End user self-service
• Certificate Authority
• Single sign on throughout the network

An illustration of authentication functions integrated into NGFW appears in Figure 15.

Figure 15. Authentication functions integrated into NGFW.


While the Application Control feature of the extended NGFW serves to identify network users, monitor
applications employed by those users, and block applications representing a risk to the organization, this
feature differs from how the Web Filtering function of ATP operates. Unlike Application Control, which
focuses on the actual content of the accessed site, Web Filtering focuses on the Internet Sites (URLs)
based on a categorization of the site, or type of content [4]. This allows the NGFW to block web sites
known to host malicious content. An example of how Web Filtering categorizes sites appears in Figure 16.


Figure 16. Web filtering profile control.

Antivirus/malware. Responsible for detecting, removing, and reporting on malicious code. By
intercepting and inspecting application-based traffic and content, antivirus protection ensures that
malicious threats hidden within legitimate application content are identified and removed from data
streams before they can cause damage. Using AV/AM protection at client servers/devices adds an
additional layer of security.


Figure 17. Antivirus/malware.


Anti-botnet. Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other
coordinated network attacks. Organizations may prevent, uncover, and block botnet activities using
Anti-Bot traffic pattern detection and IP regulation services supplied in real-time. This capability is
important in detecting and reacting to Distributed Denial of Service (DDoS) or other coordinated
network attacks.

Figure 18. Anti-botnet protection.

Web filtering. Function that allows or blocks Web traffic based on type of content, commonly defined
by categories. Web filtering protects endpoints, networks and sensitive information against Web-based
threats by preventing users from accessing known phishing sites and sources of malware.

Figure 19. Web filtering capability.

Code emulation. Allows testing of unknown or potentially malicious traffic in
a virtual environment by emulating the actual environment to which the
traffic was addressed.
Sandboxing. Isolating unknown or potentially malicious codes to fully execute all functions before
allowing the traffic to download into the network. Sandboxing has a unique capability to detect zero-day
exploits that other security solutions cannot identify. If malicious activity is discovered, Advanced Threat
Protection (ATP) can block it.

Sandboxes and APT


You might be wondering whether this is "Back to the Future." After all, sandbox technology is old, having
long been a standard safety isolation to analyze code. So why would sandboxes be important when
examining the implications of Advanced Persistent Threats (APT)?

Sandboxes were initially developed for executable files. Now they run application data that may contain
malicious code, like Adobe Reader or JavaScript, so that the sandbox identifies malicious code before it can
infect your operating system. Modern sandbox technology can help detect and identify new threats,
such as old legacy threats in new veneers, by emulating endpoint device environments to analyze how
the potential threat behaves. In this way, relatively unknown malware (constantly being developed at
all levels of complexity) and APTs may be detected, identified, cataloged, and blocked by the NGFW
(Figure 20). Integrating NGFW with sandboxing allows inspection of traffic so that only suspect traffic is
forwarded to the sandbox, increasing sandbox performance by reducing unnecessary operations.

Figure 20. Sandbox deployed with NGFW Solution.

Advanced Persistent Threats (APT)


Since the widespread availability of computer technology, especially since the introduction of affordable
personal computing platforms and open availability of computer training, people have used software to
target systems and networks to damage, steal, or deny access to data. Modern and future challenges,
or Advanced Persistent Threats, present a more daunting sophistication of malware, attack vectors, and
perseverance by which they mount offensives against their targets. Just as APT uses multiple attack
layers and vectors to enhance chances of success, network security administrators must also design and
implement a multi-layered defense to protect against these threats. It is critical to understand that no
single network security feature will stop an APT. Simplified, a three-step approach to how NGFW
addresses APTs appears in Figure 21.


Figure 21. The NGFW three-step approach to APT.

Advanced Threat Protection (ATP)


In order to protect against modern and emerging future threats, adaptive defense tools like ATP are
being incorporated into network security infrastructures at an increasing pace. This level of protection
provides increased security across all network sizes from SMB to large enterprises. Critical capabilities
brought to bear by ATP include:
• Access Control. Layer 2/3 firewall, vulnerability management, two-factor authentication.
• Threat Prevention. Intrusion Prevention (IPS), application control, Web filtering, email filtering,
  antimalware.
• Threat Detection. Sandboxing, botnet detection, client reputation, network behavior analysis.
• Incident Response. Consolidated logs & reports, professional services, user/device quarantine,
  threat prevention updates.
• Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.
The continuous nature of ATP protection is illustrated in Figure 22, below:

Figure 22. Advanced Threat Protection (ATP) model.

NGFW Deployment
Edge vs. Core
When deploying the NGFW, segmentation is a key consideration (see Module 1, page 8), and NGFW
brings a unique combination of hardware- and software-related segmentation capabilities that allow
isolation of critical network sections, such as data centers. Deploying NGFW into an Edge Network
accomplishes the goal of providing control while optimizing critical infrastructure protection (Figure 23).

Figure 23. NGFW deployment to edge network

NGFW vs. Extended NGFW


Another consideration is which NGFW capabilities are needed, or desired, for the
network being protected. Whether to deploy extended NGFW capabilities depends on
the nature of the functions to be performed both inside and outside the network. In
particular, with the movement to more cloud-based and web applications, extended NGFW
may be the better fit. As illustrated in Figure 24, Extended NGFW incorporates the capabilities of current
NGFW plus enhanced features that make it more capable against modern and emerging threats.


Figure 24. Current NGFW vs. Extended NGFW capabilities.


One of the characteristics of most technologies is that added capabilities bring concomitant trade-offs.
In the case of NGFW, the addition of inspection functions, such as web filtering or anti-malware,
presents options that balance capabilities and protection levels versus traffic processing speed. The two
methods used to inspect traffic are flow-based and proxy-based inspection. In flow-based inspection,
the NGFW performs a string comparison to examine patterns in the traffic without breaking the
connection, so only a small portion of the traffic stream is inspected, with the trade-off of
faster throughput. In proxy-based inspection, the entire traffic stream is analyzed: the connection is
broken and reestablished after analysis, resulting in slower throughput.
Table 2. Comparison between flow-based and proxy-based inspections

| Type of Inspection | Flow-based | Proxy-based |
|---|---|---|
| Speed/Performance Resources | Faster | Slower |
| Security Analysis Method | Comparing traffic to database of known bad situations | Conducting specific analysis on relevant information |
| TCP Transparency | TCP flow not broken. Only packet headers changed if necessary. | TCP convention broken, TCP sequence numbers changed. |
| Protocol Awareness | Not required | Understands protocol being analyzed |
| File size limits | Only during scanning | Yes, when buffering, based on available NGFW memory |
| Features supported | Antivirus, IPS, Application Control, Web Content Filtering | Antivirus, DLP, Web Content Filtering, AntiSpam |

Because Flow Mode does not unpack compressed files or email/FTP attachments, deploying antimalware in Flow Mode may result in a decreased detection rate.
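The detection gap described above, shown as an added example (not from the study guide or any Fortinet product): a simplified Python model of the two inspection methods, run over a constructed object sent once in the clear and once gzip-compressed. The signature string, the 4096-byte buffer limit, and all function names are assumptions for illustration.

```python
import gzip
import zlib

# Constructed, harmless marker standing in for a known-bad pattern.
SIGNATURES = [b"CONSTRUCTED-TEST-SIGNATURE"]
# Assumed stand-in for the proxy's "available NGFW memory" file size limit.
PROXY_BUFFER_LIMIT = 4096

def segment(data, size=16):
    """Split a payload into small TCP-like segments."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def has_signature(data):
    return any(sig in data for sig in SIGNATURES)

def flow_scan(segments):
    """Flow-based model: string-compare bytes as they pass; nothing is
    buffered whole or unpacked. A short tail is carried over so a pattern
    split across two segments still matches."""
    keep = max(len(sig) for sig in SIGNATURES) - 1
    tail = b""
    for seg in segments:
        window = tail + seg
        if has_signature(window):
            return "block"
        tail = window[-keep:]
    return "pass"

def proxy_scan(segments):
    """Proxy-based model: hold the whole object, unpack it, then analyse."""
    body = b"".join(segments)
    if len(body) > PROXY_BUFFER_LIMIT:
        return "oversize"                      # too large to buffer
    if body[:2] == b"\x1f\x8b":                # gzip magic bytes
        unpacker = zlib.decompressobj(wbits=31)
        try:
            body = unpacker.decompress(body, PROXY_BUFFER_LIMIT)
        except zlib.error:
            return "unscannable"               # corrupt archive
        if unpacker.unconsumed_tail:
            return "oversize"                  # unpacked size exceeds limit
        if not unpacker.eof:
            return "unscannable"               # truncated archive
    return "block" if has_signature(body) else "pass"

# Constructed sample object, sent once in the clear and once gzip-compressed.
PLAIN = b"constructed file header " + SIGNATURES[0] + b" constructed trailer"
PACKED = gzip.compress(PLAIN)
```

The flow model blocks the plain object but passes the gzip copy, while the proxy model blocks both and returns "oversize" when the unpacked content would exceed its buffer.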

Summary
The concept of Next Generation Firewalls developed to address evolving threats as technology itself
evolved. With the rapid rise of technology integration, portability and BYOD models in business,
education, and other environments, combined with a more widespread ability for hackers, from novices to
experts, to develop malicious code, a system deriving from the initial premise of NGFW needed to
develop for the future.
Because of these capabilities and the flexibility to proactively address modern and developing threat
environments across networks of varying sizes, NGFW will be the standard in network firewall
protection at least through 2020.

Key Acronyms
AAA      Authentication, Authorization, and Accounting
AD       Active Directory
ADC      Application Delivery Controller
ADN      Application Delivery Network
ADOM     Administrative Domain
AM       Antimalware
API      Application Programming Interface
APT      Advanced Persistent Threat
ASIC     Application-Specific Integrated Circuit
ASP      Analog Signal Processing
ATP      Advanced Threat Protection
AV       Antivirus
AV/AM    Antivirus/Antimalware
BYOD     Bring Your Own Device
CPU      Central Processing Unit
DDoS     Distributed Denial of Service
DLP      Data Leak Prevention
DNS      Domain Name System
DoS      Denial of Service
DPI      Deep Packet Inspection
DSL      Digital Subscriber Line
FTP      File Transfer Protocol
FW       Firewall
Gb       Gigabyte
GbE      Gigabit Ethernet
Gbps     Gigabits per second
GSLB     Global Server Load Balancing
GUI      Graphical User Interface
HTML     Hypertext Markup Language
HTTP     Hypertext Transfer Protocol
HTTPS    Hypertext Transfer Protocol Secure
IaaS     Infrastructure as a Service
ICMP     Internet Control Message Protocol
ICSA     International Computer Security Association
ID       Identification
IDC      International Data Corporation
IDS      Intrusion Detection System
IM       Instant Messaging
IMAP     Internet Message Access Protocol
IMAPS    Internet Message Access Protocol Secure
IoT      Internet of Things
IP       Internet Protocol
IPS      Intrusion Prevention System
IPSec    Internet Protocol Security
IPTV     Internet Protocol Television
IT       Information Technology
J2EE     Java Platform Enterprise Edition
LAN      Local Area Network
LDAP     Lightweight Directory Access Protocol
LLB      Link Load Balancing
LOIC     Low Orbit Ion Cannon
MSP      Managed Service Provider
MSSP     Managed Security Service Provider
NGFW     Next Generation Firewall

NSS      NSS Labs
OSI      Open Systems Infrastructure
OTS      Off the Shelf
PaaS     Platform as a Service
PC       Personal Computer
PCI DSS  Payment Card Industry Data Security Standard
PHP      PHP Hypertext Protocol
POE      Power over Ethernet
POP3     Post Office Protocol (v3)
POP3S    Post Office Protocol (v3) Secure
QoS      Quality of Service
Radius   Protocol server for UNIX systems
RDP      Remote Desktop Protocol
SaaS     Software as a Service
SDN      Software-Defined Network
SEG      Secure Email Gateway
SFP      Small Form-Factor Pluggable
SFTP     Secure File Transfer Protocol
SIEM     Security Information and Event Management
SLA      Service Level Agreement
SM       Security Management
SMB      Small & Medium Business
SMS      Simple Messaging System
SMTP     Simple Mail Transfer Protocol
SMTPS    Simple Mail Transfer Protocol Secure
SNMP     Simple Network Management Protocol
SPoF     Single Point of Failure
SQL      Structured Query Language
SSL      Secure Socket Layer
SWG      Secure Web Gateway
SYN      Synchronization packet in TCP
Syslog   Standard acronym for Computer Message Logging
TCP      Transmission Control Protocol
TCP/IP   Transmission Control Protocol/Internet Protocol (Basic Internet Protocol)
TLS      Transport Layer Security
TLS/SSL  Transport Layer Security/Secure Socket Layer Authentication
UDP      User Datagram Protocol
URL      Uniform Resource Locator
USB      Universal Serial Bus
UTM      Unified Threat Management
VDOM     Virtual Domain
VM       Virtual Machine
VoIP     Voice over Internet Protocol
VPN      Virtual Private Network
WAF      Web Application Firewall


WAN      Wide Area Network
WANOpt   Wide Area Network Optimization
WLAN     Wireless Local Area Network
XSS      Cross-site Scripting

Glossary
Anti-botnet. Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other
coordinated network attacks.
APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access to
a network and stays there undetected for a long period of time. The intention of an APT attack is to steal
data rather than to cause damage to the network or organization. APT attacks target organizations in
sectors with high-value information, such as national defense, manufacturing and the financial industry.
ASIC. Application Specific Integrated Circuits (ASICs) are integrated circuits developed for a particular
use, as opposed to a general-purpose device.
ATP. Advanced Threat Protection relies on multiple types of security technologies, products, and
research -- each performing a different role, but still working seamlessly together -- to combat these
attacks from network core through the end user device. The 3-part framework is conceptually simple:
prevent, detect, mitigate; however, it covers a broad set of both advanced and traditional tools for
network, application and endpoint security, threat detection, and mitigation.
AV/AM. Anti-virus/Anti-malware provides protection against viruses, spyware, and other types of
malware attacks in web, email, and file transfer traffic. Responsible for detecting, removing, and
reporting on malicious code. By intercepting and inspecting application-based traffic and content,
antivirus protection ensures that malicious threats hidden within legitimate application content are
identified and removed from data streams before they can cause damage. Using AV/AM protection at
client servers/devices adds an additional layer of security.
Botnet. A botnet (also known as a zombie army) is a number of Internet computers that, although their
owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to
other computers on the Internet. Any such computer is referred to as a zombie - in effect, a computer
"robot" or "bot" that serves the wishes of some master spam or virus originator.
BYOD. Bring Your Own Device (BYOD) refers to employees taking their own personal device to work,
whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a
Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were
owned by the employee.
Code Emulation. A virtual machine is implemented to simulate the CPU and memory management
systems to mimic the code execution. Thus malicious code is simulated in the virtual machine of the
scanner, and no actual virus code is executed by the real processor.
Cloud Computing. Computing in which large groups of remote servers are networked to allow
centralized data storage and online access to computer services or resources. Clouds can be classified
as public, private or hybrid.

Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of
functions, including:
- IP Security (IPSec)
- Firewall
- Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
- Antivirus/Antispyware
- Web Filtering
- Antispam
- Traffic Shaping [7]
Edge Firewall. Implemented at the edge of a network in order to protect the network against potential
attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall:
the gatekeeper.
Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to
the Internet & identify themselves to other devices. IoT is significant because an object that can
represent itself digitally becomes something greater than the object by itself.
IDS. Intrusion Detection System (IDS) detects threats but does not alert the firewall to take any action
against identified threats or unknown traffic.
IPS. Intrusion Prevention System protects networks from threats by blocking attacks that might
otherwise take advantage of network vulnerabilities and unpatched systems. IPS may include a wide
range of features that can be used to monitor and block malicious network activity including: predefined
and custom signatures, protocol decoders, out-of-band mode (or one-arm IPS mode, similar to IDS),
packet logging, and IPS sensors. IPS can be installed at the edge of your network or within the network
core to protect critical business applications from both external and internal attacks.
NGFW. Next Generation Firewall (NGFW) provides multi-layered capabilities in a single firewall
appliance instead of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities
of a traditional firewall with advanced features including:
- Intrusion Prevention (IPS)
- Deep Packet Inspection (DPI)
- Network App ID & Control
- Access Enforcement
- Distributed Enterprise Capability
- Extra Firewall Intelligence
- Third Party Management Compatibility
- VPN
- Application Awareness
Sandbox. A sandbox is a security mechanism for separating running programs. It is typically used to
execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users,
and untrusted websites, in an area segmented off from the device/network operating system and
applications.

VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires (usually the
Internet) to connect to a private network, such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.
Web Filtering. Web Filtering technology gives you the option to explicitly allow web sites, or to pass web
traffic uninspected both to and from known-good web sites in order to accelerate traffic flows. The most
advanced web content filtering technology enables a wide variety of actions to inspect, rate, and control
perimeter web traffic at a granular level. Using web content filtering technology, these appliances can
classify and filter web traffic using multiple pre-defined and custom categories.

References
1. Gartner, Next Generation Firewalls will include Intrusion Prevention. 2004.
2. Gartner, Magic Quadrant for Enterprise Network Firewalls. 2008.
3. Gartner, Defining the Next Generation Firewall. 2009.
4. Tam, K., et al., UTM Security with Fortinet: Mastering FortiOS. 2013, Waltham, MA: Elsevier.
5. Tittel, E., Unified Threat Management for Dummies. 2012, Hoboken, NJ: John Wiley & Sons.
6. Miller, L., Next-Generation Firewalls for Dummies. 2011, Wiley Publishing, Inc.: Indianapolis, IN.
7. UAB, M., Fortinet Secure Gateways, Firewalls. 2013.
