
Modern Network Security: Study Guide for NSE 1 2015

Modern Network Security: Study Guide for NSE 1

January 1, 2015

This Study Guide is designed to provide information for the Fortinet
Network Security Expert Program Level 1 curriculum. Each chapter
in the study guide corresponds to a module in the NSE level 1
curriculum and examinations. The study guide presents discussions
on the concepts and equipment necessary as a foundational
understanding of modern network security prior to taking more
advanced and focused NSE program levels.

Fortinet Network Security Solutions

Introduction ............................................................................................................................................ 8
Infrastructure Evolution ....................................................................................................................... 9
Threat Landscape .............................................................................................................................. 10
Threat Timeline ............................................................................................................................. 11
Advanced Threats .......................................................................................................................... 11
Advanced Threats and Network Security: Continuing Evolution ......................................................... 12
Module 1: Data Center Firewalls............................................................................................................ 13
Data Center Evolution........................................................................................................................ 13
Market Trends Affecting Data Centers ............................................................................................... 13
Infrastructure Integration .............................................................................................................. 14
Edge vs. Core Data Center Firewalls ............................................................................................... 14
Data Center Firewall Characteristics .................................................................................................. 16
Virtual Firewalls ............................................................................................................................. 19
Data Center Network Services ........................................................................................................... 21
Application Systems....................................................................................................................... 21
Application Services ....................................................................................................................... 22
Summary ........................................................................................................................................... 24
Module 2: Next Generation Firewall (NGFW) ......................................................................................... 25
Technology Trends ............................................................................................................................ 25
NGFW Characteristics: Fundamental Changes.................................................................................... 26
NGFW Evolution ............................................................................................................................ 27
Traditional NGFW Capabilities ........................................................................................................... 28
NGFW Functions ............................................................................................................................ 32
Extended NGFW Capabilities ............................................................................................................. 33
Sandboxes and APT........................................................................................................................ 36
Advanced Persistent Threats (APT) ................................................................................................ 37
Advanced Threat Protection (ATP) ..................................................................................................... 38
NGFW Deployment............................................................................................................................ 38
Edge vs. Core ................................................................................................................................. 38
NGFW vs. Extended NGFW ............................................................................................................ 39

Summary ........................................................................................................................................... 40
Module 3: Unified Threat Management (UTM) ...................................................................................... 41
The Key to UTM: Consolidation ...................................................................................................... 41
UTM Features .................................................................................................................................... 41
UTM Distributed Enterprise Advanced Features ............................................................................. 43
Extended UTM Features .................................................................................................................... 44
Evolving UTM Features .................................................................................................................. 45
UTM Functions .................................................................................................................................. 47
Where UTM Fits In .......................................................................................................................... 48
UTM: Scalable Deployment ............................................................................................................ 49
Summary ........................................................................................................................................... 50
Module 4: Application Security .............................................................................................................. 51
Application Challenges to Meeting User Needs .................................................................................. 51
Application Layers: The OSI Model ................................................................................................. 52
Application Vulnerabilities ................................................................................................................. 53
OWASP .......................................................................................................................................... 53
Distributed Denial of Service (DDoS) .................................................................................................. 55
Application Security Solutions............................................................................................................ 58
Application Delivery Controllers (ADC) ........................................................................................... 58
Application Delivery Network (ADN) .............................................................................................. 59
ADC: Solutions and Benefits Part I...................................................................................................... 60
Web Application Firewall (WAF) Characteristics ................................................................................. 61
Heuristics....................................................................................................................................... 62
WAFs and PCI DSS Compliance ....................................................................................................... 63
ADC: Solutions and Benefits Part II..................................................................................................... 64
Summary ........................................................................................................................................... 66
Module 5: Management and Analytics .................................................................................................. 67
Security Management ....................................................................................................................... 67
Managing the Security Console ...................................................................................................... 69
Policy and Security............................................................................................................................. 70
Analytics ............................................................................................................................................ 73

Security Information and Event Management ................................................................................ 73
Network Visibility .......................................................................................................................... 74
Summary ........................................................................................................................................... 76
Key Acronyms........................................................................................................................................ 77
References ............................................................................................................................................ 79

Figure 1. From closed networks to Global Information Grid ..................................................................... 9
Figure 2. The scope of modern global network users. .............................................................................. 9
Figure 3. Fortinet UTM versus traditional ad hoc model......................................................................... 10
Figure 4. Chronology of major network attacks since October 2013. .................................................... 11
Figure 5. Advanced Threat Protection (ATP)........................................................................................... 11
Figure 6. Notional edge firewall configuration. ...................................................................................... 15
Figure 7. Notional data center firewall deployment. .............................................................................. 15
Figure 8. Data center firewall adaptability to evolving capabilities. ........................................................ 16
Figure 9. Data center in a distributed enterprise network. ..................................................................... 17
Figure 10. Data center core firewall. ...................................................................................................... 19
Figure 11. North-South (Physical) vs. East-West (Virtual) traffic. ............................................................ 20
Figure 12. Notional network. ................................................................................................................. 22
Figure 13. Differences between IaaS, PaaS, and SaaS. ............................................................................ 23
Figure 14. Examples of businesses using IaaS, PaaS, and SaaS cloud models. ......................................... 24
Figure 15. Bring Your Own Device (BYOD) practices in 2011. .................................................................. 26
Figure 16. Edge firewall vs. NGFW traffic visibility. ................................................................................. 26
Figure 17. Traditional port configuration example. ................................................................................ 27
Figure 18. NGFW configuration example by application, user ID. ........................................................... 27
Figure 19. NGFW evolution timeline. ..................................................................................................... 28
Figure 20. Intrusion Prevention System (IPS).......................................................................................... 28
Figure 21. Deep Packet Inspection (DPI)................................................................................................. 29
Figure 22. Network application identification and control. ..................................................................... 29
Figure 23. Access enforcement (User identity). ...................................................................................... 30
Figure 24. NGFW distributed enterprise-level capability. ....................................................................... 30
Figure 25. Extra-firewall intelligence IP list assignment. ......................................................................... 31
Figure 26. Notional network with managed security (MSSP). ................................................................. 31
Figure 27. Application awareness: The NGFW application monitoring feature. ...................................... 32
Figure 28. Extending FortiGate NGFW with Advanced Threat Protection (ATP). ..................................... 33
Figure 29. Authentication functions integrated into NGFW. ................................................................... 34
Figure 30. Web filtering profile control. ................................................................................................. 35
Figure 31. FortiGate antivirus/malware. ................................................................................................ 35
Figure 32. FortiGuard Anti-botnet protection. ....................................................................................... 36

Figure 33. FortiGate Web filtering capability. ......................................................................................... 36
Figure 34. Sandbox deployed with NGFW Solution. ............................................................................... 37
Figure 35. The NGFW three-step approach to APT. ................................................................................ 37
Figure 36. Fortinet Advanced Threat Protection (ATP) model................................................................. 38
Figure 37. NGFW deployment to edge network ..................................................................................... 39
Figure 38. Current NGFW vs. Extended NGFW capabilities. .................................................................... 39
Figure 39. Legacy network security add-ons vs. UTM architecture ......................................................... 41
Figure 40. Unified Threat Management (UTM)....................................................................................... 42
Figure 41. LAN control. .......................................................................................................................... 45
Figure 42. Typical Power over Ethernet (POE) cable configuration. ........................................................ 46
Figure 43. UTM scalability...................................................................................................................... 48
Figure 44. Fortinet's concept of Connected UTM. ............................................................................... 50
Figure 45. DDoS architecture. ................................................................................................................ 56
Figure 46. SYN Flood DDoS attack. ......................................................................................................... 56
Figure 47. ICMP Flood DDoS attack. ....................................................................................................... 57
Figure 48. Zombie DDoS attack. ............................................................................................................. 57
Figure 49. Application Delivery Controller (ADC). ................................................................................... 58
Figure 50. Typical Application Delivery Network (ADN) infrastructure. ................................................... 59
Figure 51. Intelligent Load Balancing. .................................................................................................... 60
Figure 52. SSL offloading and HTTP compression. .................................................................................. 61
Figure 53. Web Application Firewall (WAF). ........................................................................................... 62
Figure 54. Global Server Load Balancing (GSLB). .................................................................................... 64
Figure 55. Server ID masking with ADC. ................................................................................................. 65
Figure 56. Security Management (SM) conceptual diagram ................................................................... 68
Figure 57. Integrated security control console ....................................................................................... 70
Figure 58. Policy Package example......................................................................................................... 71
Figure 59. Global Policy "Bookend" flow. ............................................................................................... 71
Figure 60. Network visibility benefits. .................................................................................................... 75

Table 1. Comparative security features of edge firewalls vs. NGFW. ...................................................... 27
Table 2. Comparison between flow-based and proxy-based inspections ................................................ 40
Table 3. Comparative models for layers, protocols, and devices............................................................. 51
Table 4. Translation of ISO/OSI layers to TCP/IP model. ......................................................................... 52
Table 5. Function of network layers in OSI model. ................................................................................. 52
Table 6. OWASP top 10 2010 vs. 2013 comparison. ............................................................................... 54
Table 7. Web Application Firewall (WAF) application-level security measures........................................ 62
Table 8. Payment Card Industry Data Security Standards (PCI DSS). ....................................................... 63

Introduction
Welcome to the fascinating world of network security. Or, on second thought, should we be letting
you in?

That is the question around which this primer was written: to help you learn the background,
processes, capabilities, and questions to consider when configuring your systems and networks to
analyze, identify, and either allow or block traffic entering or leaving your computer network in the
dynamic 21st Century information technology environment. In other words, modern network security.
Modern network security comprises many facets, some of which are in your control and others of which
may not be. In an increasingly mobile world, traditional network security measures focused on desktop
platforms and dumbphones are no longer relevant to the world of tablets, phablets, and smartphones.
Because of the constantly changing landscape of network environments, organizations of all sizes and
complexities face challenges in keeping pace with change, developing counters to emerging threats, and
controlling network and security policies. Once the realm of the highly trained and richly resourced,
development of malicious code has become so widespread that school children have been known to
compete with each other in hacking contests. To meet modern and emerging threats, companies and
organizations must adopt dynamic network security programs that keep pace with changing trends and
activities.
Back to the opening question: should we be letting you in? People, or the man-machine interface, are
the weakest link in any security process. People are easily lulled into a false sense of security about the
effectiveness of passwords and access codes, identity verification, and policies regarding the use of
information technology (IT) systems and networks. It takes just one careless moment to potentially
breach the integrity of protected information and systems; if network security user policies and
protocols are too complicated, compliance is less likely. Because of this human factor, it is important to
ensure that network security schemes are clear and simple for network administrators and users to
operate, with the complexity necessary to identify, deter, or contain threats embedded in state-of-the-art
hardware and software solutions that are nearly transparent to internal network users.
But a note of caution: just as no two organizations are alike, neither will their networks, hardware,
software, or needs be alike. Each organization needs a customized strategic network security program
tailored to balance its needs against its operating environment, perceived threats, and operating
budget. Of course, the best network security program would be an end-to-end, 24/7 monitored program
with regular analytics informing plan effectiveness and potential enhancements; this would be the holy
grail of network security. Systems like Fortinet's Unified Threat Management (UTM) provide the ability
to balance needs, capabilities, and resources to secure networks while maintaining the ability of the
organization to operate. In essence, this book will help you learn how to take steps to best mitigate
the threats to your network and optimize network security while balancing those factors.

Infrastructure Evolution
In a world growing ever more complex, with network portability being built into an increasing number of
devices of varying capabilities, network security continues to evolve in complexity, and in importance. In
the 1980s a transition from early closed networks to a broader Internet occurred, with the advent of
Ethernet, Bitnet, TCP/IP, SMTP, DNS, and, in 1985, the first .com domain name registration. It was not
until six years later, in 1991, that the Worldwide Web (WWW) came into existence; by 1995, what we
now know as the modern Internet became established as a fixture in how business, and the world,
would communicate in the future (Figure 1).

Figure 1. From closed networks to Global Information Grid


No longer was high-tech the sole domain of major companies, organizations, and government agencies,
but the global information network became the domain of everyone from multi-billion dollar
international conglomerates to grade school children (Figure 2). As technologies developed, the industry
response was typically the addition of new stand-alone, single- or dual-purpose hardware or integrated
hardware-software packages designed to address newly identified threats. This resulted in a constant
state of expensive upgrades that added network complexity, integration of new devices and scrubbing
and repurposing or disposing of legacy hardware, new policy development and new management
consoles. This served to increase workload, retraining, and complexity for network administrators and
end users, exacerbating the balancing problem between security and productivity.

Figure 2. The scope of modern global network users.


Because new products were not always able to integrate fully into existing systems, the piecemeal
approach to network development and security led to potential blind spots that threats may exploit
undetected. To solve this growing challenge, a move toward more strategic solutions to network
security was needed: not new stand-alone systems addressing individual threat vectors, but rather
strategic systems and processes designed to protect networks comprised of systems-of-systems. From
this problem developed the Unified Threat Management (UTM) concept, which goes beyond a
system-of-systems approach to integrate individual system characteristics into strategic systems (Figure 3) [1].

Figure 3. Fortinet UTM versus traditional ad hoc model.

Threat Landscape
One may view the threat landscape much the same as law enforcement views threats, using three
primary characteristics: motive, means, and opportunity. In terms of technology threats, these terms
are translated into motivation (motive), knowledge (means), and access (opportunity). Motivation may
be as simple as a student trying to get into protected information or as malicious as a competitor trying
to delay or disable a company's ability to reach the market. Knowledge of networks, and of hacking, is
widespread, with books and guides available globally through the Internet and often at little or no cost.
As for access, this is the area where the effectiveness of your network security will pay off: identifying
potential threats, analyzing them, and either determining their validity or cataloging and rejecting them
as a threat.

Contemporary and future threat landscapes are dynamic and often include unforeseen technological
advances. Devices and applications are under development and appear on the market more rapidly,
and with those new technologies come new threats. Not only companies and organizations, but also
individual users of less expensive technology such as smartphones, tablets, and laptop computers, who
are novices where information security is concerned, must deal with optimizing their devices and
applications while blocking potential threats. With the explosion of social media as the primary source of
connectivity for so many people internationally, addressing the hidden threats from social media sites is
a continuing challenge, and more cross-platform sharing and integration will continue to make device
and network security an evolving challenge at all levels.

Threat Timeline
Since the last quarter of 2013, major network attacks have affected large companies and billions of
consumers. These attacks not only affected business systems, but also had the ability to infect personal
systems and mobile devices, such as the Heartbleed and Find My iPhone attacks. Figure 4 below
chronicles these threats and the targets affected by them.

Figure 4. Chronology of major network attacks since October 2013.


Advanced Threats
Experienced hackers or groups of hackers possessing significant resources pose an increased threat to
systems and networks, including developing and implementing techniques not previously used to
compromise, gain control of, or shut down services. Advanced Threat Protection (ATP), also referred to
as Advanced Persistent Threat Protection, provides integrated measures to detect and block advanced
threats. These measures include botnet and phishing antivirus profiling, as well as zero-day threat
protection using sandboxing to analyze, identify, and block suspicious code and add the suspicious code
profile to the ATP signature database.

Figure 5. Advanced Threat Protection (ATP).

Advanced Threats and Network Security: Continuing Evolution
The early days of personal computer availability to consumers and the advent of the Internet and
Worldwide Web are behind us. These events were followed by the parallel development of more powerful
hardware appliances and more complex applications for those machines. Unfortunately, with those
developments also came a thriving developmental path for malware and other methods by which to
breach system and network security to obtain data from, or deny use of, targeted platforms. This Modern
Network Security Primer presents current and future appliances, applications, and concepts to provide
the options to keep pace with emerging capabilities and threats, and to maintain the safety and security
of your system and network.

Module 1: Data Center Firewalls
Data centers have become abundant in the increasingly technology-based business environment of the
21st Century. Because of this growth, data centers provide a new field for trends in computing and
networking driving revisions to IT infrastructure strategies and, along with new strategies, new methods
to bolster network security. Presented in this module are characteristics and functions of data center
firewalls as they apply to networks and applications.

Data Center Evolution
A common notion in today's business environment is that "No matter what business you are in, you are
a technology business." In the 21st Century, this is not only true of large businesses, but also applies to
successful small and medium businesses (SMB). Modern data centers typically contain servers with a
variety of purposes, including web, application, and database servers.
Along with the growing use of technology came a need not only to develop more specialized applications
but also to develop innovative ways to store ever-increasing volumes of digital data. This growing storage
requirement spurred a new sector in technology operations: the Data Center. As new technologies
for end users of computing platforms evolve, so must security measures for the data centers they will
access for operations such as email, social media, banking, shopping, education, and myriad other
purposes. Developing strategies to keep pace with the accelerating integrated and distributed nature of
technology has become a critical industry in protecting personal, business, and organizational data and
communications from legacy, advanced, and emerging threats.

Market Trends Affecting Data Centers


As mentioned previously, consumer trends influenced data center development; however, the business
sector was also instrumental in spurring on this development. As technology evolved, businesses
learned to step to the leading edge of innovation in order to get ahead, or stay ahead, of competing
enterprises. To this end, changes in business practices that influenced data center development
included:
Virtualization. Creating a virtual version of a device or resource, such as a server, storage device,
network, or even an operating system, where the framework divides the resource into one or more
execution environments.
Cloud Computing. Computing in which large groups of remote servers are networked to allow
centralized data storage and online access to computer services or resources. Clouds can be
classified as public, private, or hybrid.
Software-Defined Networks (SDN). An approach to networking in which control is decoupled from
hardware and given to a software application called a controller. SDN is dynamic, manageable,
cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's
applications.

BYOD. Refers to employees taking their own personal device to work, whether laptop, smartphone,
or tablet, in order to interface to the corporate network. According to a Unisys study conducted by
IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by the employee.
Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to
process using traditional databases and software techniques. In many enterprise scenarios, the data
is too big, moves too fast, or exceeds current processing capacity.
The Internet of Things (IoT). The once-futuristic concept that everyday objects have the ability to
connect to the Internet and identify themselves to other devices. IoT is significant because an object
that can represent itself digitally becomes something greater than the object by itself. When many
objects act in unison, they are known as having ambient intelligence.
Infrastructure Integration
Meeting the challenge of data center growth while maintaining throughput capability requires the use
of technology integration to reduce the potential for signal loss and speed reduction caused by bridging
and security barriers between ad hoc arrangements of independent appliances. There are two camps on
what should be at the heart of a modern firewall, with two types of hybrid design being prevalent:
CPU + OTS ASIC. A design whereby a general-purpose central processing unit (CPU) is augmented by
an off-the-shelf (OTS) processor.
CPU + Custom ASIC. The most difficult but best design, bringing together a general CPU linked closely to
a number of custom-built application-specific integrated circuits (ASICs). By matching ASICs that are
designed to handle the specific tasks for which the processor and device are intended, the ability to
process data is enhanced and system performance is optimized.
On one side, there are vendors who want to use an off-the-shelf (OTS) central processing unit (CPU) design.
This is the simplest design but suffers from performance degradation. On the other side are those
advocating the use of hybrid designs, merging CPUs with application-specific integrated circuits (ASICs),
which are more efficient and may provide the necessary infrastructure to meet the demand for
throughput, growth, and security.
Edge vs. Core Data Center Firewalls
Edge Firewall. Implemented at the edge of a network in order to protect the network against potential
attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall:
the gatekeeper. In addition to gatekeeper duties, the edge firewall may have capabilities added as other
security appliances are linked to the firewall. This method, however, leads to a complex architecture
that results in complex network and security controls. A typical edge firewall is depicted in Figure 6.

Figure 6. Notional edge firewall configuration.


Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of
functions. Depending on network size and configuration, the data center firewall may also provide
additional security functions, such as segregating internal resources from access by malicious insiders,
and ensuring compliance with regulations protecting consumer, patient, and other sensitive user data.
These functions are referred to as Multi-Layered Security, and may include:

IP Security (IPSec)
Firewall
Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
Antivirus/Antispyware
Web Filtering
Antispam
Traffic Shaping [2]

These functions work together, providing integrated security for the data center, concurrently providing
consolidated, clear control for administrators while presenting complex barriers to potential threats.
Figure 7 shows a notional data center firewall deployment, providing gatekeeper duty, integrated
security solutions (as depicted in Figure 6, above), with simplified control and complex protection.

Figure 7. Notional data center firewall deployment.

Data Center Firewall Characteristics
As end user devices and activities evolve, data centers must evolve to ensure both service and security
keep pace. Some market trends affecting data centers include increasing use of mobile devices,
employee device portability (BYOD), data center consolidation through server virtualization, cloud
computing, and software-defined networking.
The key benefit of a data center network core firewall configuration with high speed, high throughput,
and low latency is the ability to evolve as technology develops.
Throughput speeds have potential to double every 18 months
High-speed 40/100 GbE ports are already going into existing systems
External users moving from Internet Protocol version 4 (IPv4) to IPv6
Figure 8 illustrates how the data center firewall is adaptable to evolving technology and user trends.

Figure 8. Data center firewall adaptability to evolving capabilities.


Size Matters. Historically, a determining factor in network firewall selection was the number of users,
both internal and external, accessing the network or its components. Using
data center firewalls in small and medium businesses (SMB) makes sense, because modern data center
firewall systems provide higher throughput speeds, higher connectivity (port capacity), and a higher
capacity for concurrent sessions.
As a business or organization grows and network access begins to grow into multiple locations and
thousands of users, the option to consider using an enterprise campus firewall may become a necessary
investment. While the capacity to handle thousands of users and multiple locations may be
accomplished with enterprise firewalls, the trade-off is the need for redundancy to ensure reliability,
resulting in significantly higher costs and equipment complexity, and the need for extensive training if
an organization intends to self-manage the enterprise firewall. Because of these complexities, enterprise
data centers may reside on-premises at a company site, in a dedicated co-location space in a provider's
data center facility, or as an outsourced service in a multi-tenant provider cloud environment.

Figure 9. Data center in a distributed enterprise network.


Because of the increasing size and complexity of data center operations and the needs of external users, as
well as the increased costs associated with enterprise firewall equipment and training needs,
companies may decide to outsource data center security operations to a third party, or Managed
Security Service Provider (MSSP). A growing market along with evolving technologies, MSSPs provide a
wide range of network security services, from one-time services, such as configuring routers, to
ongoing services such as network monitoring, upgrades, and configuration. This provides small and
medium businesses (SMB) enhanced capabilities without having to increase technical staff, while
providing large and high-visibility businesses with supplemental protection beyond their technical staff.
When deciding whether to engage an MSSP for network security operations, a number of
considerations must be taken into account. From the most basic perspective, the MSSP should align with
your business and security philosophy. Will they sign a non-disclosure agreement, so details about your
company's security will be secure? The MSSP needs to be highly available to you, especially if you run
24/7 operations and reach a global audience (and who on the Internet doesn't these days?). It is worth a
visit to their facility to check out their operations and talk with staff. The MSSP's service must be
sustainable: what are their redundancy capabilities in case of primary system failures or disaster, and what
is the likelihood they may go out of business (the market is still maturing and the current failure rate is
high)? Identify clearly the level of serviceability you can expect from the MSSP, and demand a strong service
level agreement (SLA) spelling out all roles and responsibilities for both parties. These requirements are
foundational to success in using an MSSP to manage data center security.
As cloud services and software-defined networks (SDNs) became prevalent, network functions
virtualization (NFV) such as VMware NSX and Cisco ACI also began to take the place of physical devices,
encapsulating appliances such as firewalls, load balancers, and switches as scalable virtual appliances
within the same physical devices. The emergence of OpenFlow from behind the research lab walls and
into mainstream management in cellular, telco, and data center operations has brought major network
operators and manufacturers on board in making OpenFlow the standard protocol for communications
between controllers and network switches in the SDN (virtual) environment. The OpenFlow
protocol abstracts the network control plane from the data (forwarding) plane in order to program network
traffic flows to be more dynamic and automated.
As virtualization and SDN deployment expanded, the practice became available for implementation by
private individuals and organizations outside the traditional boundaries of those with large amounts of
available capital and resources. With broad availability of open-source software enabling low-cost
network development, cloud computing has reached into the realm of private and personal clouds. One
popular open-source platform for cloud computing is OpenStack, which provides the capability to develop
and manage private and public clouds, even providing compatibility with popular enterprise and
open-source technologies for controlling large pools of data center computing, storage, and networking
resources.
By designing and implementing network infrastructures combining high throughput with a dynamic
software-defined network (SDN), the data center firewall provides the capability to evolve with
consumer and industry trends. To accomplish this, data center firewalls must focus on three primary
areas as foundations for security: performance, segmentation, and simplification.
Performance. As the need for network speeds to accelerate continues, the data center will be at the
forefront of network design, enabling higher performance through high-speed, high-capacity, and
low-latency firewalls. Currently, the minimum required throughput of a data center firewall is 10 Gbps, with
an expectation by large company data center users that throughput may be increased up to an
aggregate 100+ Gbps. Similarly, enabling high throughput requires a minimum port connectivity of
10 Gigabit Ethernet ports on the data center firewall, with some capabilities already expanding into
the 40-100 Gigabit range.
Segmentation. With the evolution of IT devices and network threats, organizations using data
centers have adopted network segmentation as a best practice to isolate critical data from potential
threats. Common data isolation criteria include applications, user groups, regulatory requirements,
business functions, trust levels, and locations. To support the use of network segmentation in a network
security schema, data center firewalls must provide high density and logical abstraction supporting both
physical and virtual segmentation. Benefits include keeping sensitive data partitioned from
unauthorized access for security and compliance purposes, limiting lateral movement of advanced
threats that gain initial footholds in the network, and ensuring employees and users have access to only
the services and applications for which they are authorized.
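The segmentation idea above can be made concrete as a default-deny matrix between segments. The following is an added example written for this guide; it is not Fortinet code or configuration syntax. The segment names, address ranges, permitted ports and sample flows are all constructed, and the model assumes traffic that stays inside one segment is not filtered by the matrix.

```python
"""Zone-based segmentation policy check.

Added example for this study guide, not Fortinet code or configuration
syntax. The segments, address ranges, port allow list and sample flows are
all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Segments (zones) and the address range that belongs to each. Trust
# decreases from db to users; every host is expected to fall in exactly one.
SEGMENTS = {
    "users": ip_network("10.10.0.0/16"),   # employee workstations
    "web":   ip_network("10.20.0.0/24"),   # internet-facing web tier
    "app":   ip_network("10.30.0.0/24"),   # application tier
    "db":    ip_network("10.40.0.0/24"),   # database tier
}

# Explicit allow list between segments: (source, destination) -> TCP ports.
# Any pair not listed is denied, so the matrix is default-deny.
ALLOWED: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("users", "web"): frozenset({443}),
    ("web", "app"):   frozenset({8443}),
    ("app", "db"):    frozenset({5432}),
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int


def segment_of(addr: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is unassigned."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Decide a new connection between segments. Returns (permitted, reason).

    Traffic that stays inside one segment is not filtered by this matrix
    (an assumption of the model; a virtual firewall would cover that case).
    """
    src_seg, dst_seg = segment_of(flow.src_ip), segment_of(flow.dst_ip)
    if src_seg is None or dst_seg is None:
        return False, "address outside every defined segment"
    if src_seg == dst_seg:
        return True, f"intra-segment traffic within {src_seg}"
    if flow.dport in ALLOWED.get((src_seg, dst_seg), frozenset()):
        return True, f"{src_seg}->{dst_seg} permitted on port {flow.dport}"
    return False, f"{src_seg}->{dst_seg} has no rule for port {flow.dport}"


def direct_reach(segment: str) -> Set[str]:
    """Segments a host in `segment` may open a connection to in one hop."""
    return {dst for (src, dst), ports in ALLOWED.items()
            if src == segment and ports}


def transitive_reach() -> Dict[str, Set[str]]:
    """Everything reachable by chaining permitted hops, per segment.

    This is the audit a defender runs to see how far a foothold in one
    segment could travel through legitimately open paths.
    """
    result: Dict[str, Set[str]] = {}
    for start in SEGMENTS:
        seen: Set[str] = set()
        frontier = [start]
        while frontier:
            current = frontier.pop()
            for nxt in direct_reach(current):
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
        result[start] = seen
    return result


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.10.5.7", "10.20.0.10", 443),    # workstation to web tier
    Flow("10.10.5.7", "10.40.0.5", 5432),    # workstation straight to the database
    Flow("10.20.0.10", "10.40.0.5", 5432),   # web tier skipping the app tier
    Flow("10.30.0.3", "10.40.0.5", 5432),    # app tier to database
    Flow("10.10.5.7", "10.10.9.2", 445),     # inside the user segment
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        ok, why = evaluate(f)
        print(f"{f.src_ip:>12} -> {f.dst_ip:<12}:{f.dport:<5} "
              f"{'ALLOW' if ok else 'DENY'} {why}")
    for seg, reach in transitive_reach().items():
        print(f"{seg}: chained reach {sorted(reach) or '-'}")
```

The two audit functions make the "lateral movement" benefit visible: `direct_reach` shows that a workstation can only open connections to the web tier, while `transitive_reach` shows that the database is still reachable by chaining the three permitted application ports, which is exactly the path a reviewer should confirm is covered by the application-layer controls discussed later.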
Simplification. Because data centers extend to external users of varying trust levels, a Zero-Trust
model for data access must extend beyond the traditional data center edge and into the segmentation
throughout the network's core. This requires a consolidated, simplified security platform that can
manage multiple functions while supporting high-speed network operations. In order to further simplify
data center firewall operations, integration of network routing and switching functions into firewall
controls provides added centralized visibility and control to network functions and security monitoring.
Consolidation may also be accomplished by putting multiple physical server workloads onto a shared
physical host by using virtual machines on a hypervisor.
A good example of a data center core firewall that incorporates all the requirements of low latency, high
throughput, and high performance is the FortiGate platform line. These firewalls include models that
deliver over 100 Gbps performance with less than 5 μs latency (Figure 10).

Figure 10. Data center core firewall requirements.


One of the benefits of a data center network core firewall configuration as illustrated in Figure 10 is the
ability to evolve as trends in technology develop. With an estimated potential for throughput speeds to
double every 18 months, and adoption of high-speed network interfaces such as 40/100 Gb Ethernet
ports into existing architectures, data center firewalls will need to be ready for the challenge. With these
developments, and as external users move from transmitting traffic using Internet Protocol version 4
(IPv4), which currently carries over 95% of the world's Internet traffic, to IPv6, firewalls such as the
FortiGate line provide the ability to keep pace and maintain data center service and security.
Virtual Firewalls
Traditional firewalls protect physical computer networks, those running on physical hardware and
cabling. As such, the most effective means of security was and still is a physical, locked fire door. Traffic
crossing this boundary is also referred to as North-South traffic. Unlike physical machines and networks,
virtual machines operate in a virtual environment, isolated on a host but acting as though they were an
independent system or network. Even as a virtual reality, however, the network may be subject to threats
and intrusion from external sources. Virtual traffic, that is, traffic moving laterally between servers
without leaving the data center, is referred to as East-West traffic (Figure 11).

Today, 60-70% of traffic is East-West because of the trend in virtualization and consolidation,
which is why virtual networks are of vital importance in the emergence of data centers
and the need for reliable and adaptable data center security in modern networks.
Virtual networks (VLANs) may be used to segment multiple subnets logically on the same physical
switch. To secure data being transmitted between virtual machines in a virtual network, the virtual
firewall was developed. A virtual firewall is simply a firewall service running entirely within the virtual
environment, providing the typical packet filtering and monitoring that would be expected when using a
physical device in a physical network. The virtual firewall may take a number of forms: it may be loaded
as a traditional software firewall on the virtual host machine, it can be built into the virtual environment,
it can be a virtual switch with additional capabilities, or it can be a managed kernel process within the
host hypervisor for all virtual machine activity.
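A VLAN separates subnets on one physical switch by carrying a 12-bit VLAN identifier in an 802.1Q tag on each frame, and a switch port only honours the VLANs it is configured for. The following added example, written for this guide and not taken from any vendor product, parses that tag and applies a per-port VLAN allow list; the MAC addresses, frames, port names, allowed VLAN sets and native VLAN are constructed.

```python
"""802.1Q VLAN tag parsing with a per-port VLAN allow list.

Added example for this study guide, not code from any vendor product.
The frames, port names, allowed-VLAN sets and native VLAN are constructed.
"""
import struct
from typing import Dict, NamedTuple, Optional, Set

TPID_8021Q = 0x8100   # EtherType value announcing an 802.1Q tag


class Frame(NamedTuple):
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]    # None when the frame is untagged
    priority: Optional[int]   # 802.1p PCP, None when untagged
    ethertype: int            # EtherType of the encapsulated payload
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, pulling the VLAN ID out of a tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID_8021Q:
        return Frame(_mac(dst), _mac(src), None, None, etype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    pcp = tci >> 13            # 3-bit priority
    vid = tci & 0x0FFF         # 12-bit VLAN identifier
    return Frame(_mac(dst), _mac(src), vid, pcp, inner_type, raw[18:])


def build_frame(dst: bytes, src: bytes, vlan_id: Optional[int],
                ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Construct a (possibly tagged) frame; used only to make sample input."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


# Port configuration (constructed): which VLANs each switch port may carry,
# and which VLAN untagged frames are assigned to on ports that allow them.
PORT_VLANS: Dict[str, Set[int]] = {
    "access-1": {10},       # access port for VLAN 10
    "trunk-1":  {10, 20},   # trunk toward the hypervisor host
}
NATIVE_VLAN: Dict[str, int] = {"access-1": 10}


def admit(port: str, raw: bytes) -> Optional[int]:
    """Return the VLAN a frame is placed in on ingress, or None if dropped.

    Untagged frames take the port's native VLAN; ports without one drop
    them. VIDs 0 and 4095 are reserved by 802.1Q and never name a segment.
    A tagged frame whose VLAN the port is not configured for is dropped.
    """
    frame = parse_frame(raw)
    vid = frame.vlan_id if frame.vlan_id is not None else NATIVE_VLAN.get(port)
    if vid is None or vid in (0, 4095):
        return None
    return vid if vid in PORT_VLANS.get(port, set()) else None


# Constructed sample MAC addresses and frames.
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
IPV4 = 0x0800
TAGGED_V20 = build_frame(HOST_B, HOST_A, 20, IPV4, b"\x45" + b"\x00" * 19)
UNTAGGED = build_frame(HOST_B, HOST_A, None, IPV4, b"\x45" + b"\x00" * 19)
RESERVED = build_frame(HOST_B, HOST_A, 4095, IPV4, b"")

if __name__ == "__main__":
    for name, frame in [("tagged VLAN 20", TAGGED_V20), ("untagged", UNTAGGED)]:
        for port in PORT_VLANS:
            print(f"{name:>15} on {port}: VLAN {admit(port, frame)}")
```

The point of `admit` is that the VLAN tag alone is not what segments the network; the per-port configuration is. A frame tagged VLAN 20 is dropped on the access port even though the tag is well formed, and an untagged frame on the trunk is dropped because that port has no native VLAN to place it in.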

Figure 11. North-South (Physical) vs. East-West (Virtual) traffic.


Virtual firewalls may operate in one of two modes, depending how they are deployed, either bridge
mode or hypervisor mode. A virtual firewall operating in bridge mode acts like a physical firewall,
normally situated at an inter-network switch or bridge to intercept network traffic needing to travel
over the bridge. In this way, the virtual firewall may decide to allow passage, drop, reject, forward, or
mirror the packet. This was the standard for early virtual networks and some current networks still
retain this model.
In hypervisor mode the virtual firewall is not actually part of the virtual network at all; rather, it resides
in the host virtual machine, or hypervisor, in order to capture and analyze packets destined for the
virtual network. Since virtual firewalls operating in hypervisor mode are not part of the virtual network
in a virtual machine, they are able to run faster within the kernel at native hardware speeds. Examples
of popular hypervisors on the market include VMware vSphere, Citrix Xen, and Microsoft Hyper-V.
As these developments in virtual capabilities occurred, they necessarily gave way to a new paradigm by
which to consider the definition of the data center itself. Instead of the need for a traditional physical
infrastructure that defines the data center, such as a building or a server room within a structure,
what if the paradigm shifted to a data center that resided within a software-defined space? Because of
the continued evolution of virtual technology, this capability is a reality. The software-defined data center
(SDDC) presents a paradigm in which infrastructure such as servers, network, and storage can be logically
and dynamically orchestrated without the need for adding or configuring new physical appliances or
expanding into new facilities. Because of the virtual nature of these SDDCs, on-demand data centers
emerged that provided benefits to small consumers and SMBs, such as pay-as-you-use infrastructure,
delivery on demand without extended provisioning times, and no requirement for long-term obligations
or contracts. In other words, the emergence of SDDCs provided new paths for economical flexibility in
data center definition and operation.
In summary, the flexible deployment capability for data center firewalls provides for targeting of the
threats identified as most important to the network or system. Deploying the firewall at the network
edge is effective to block external intrusions from accessing the network. Deploying the firewall at the
network core provides segmentation in the event that an external threat gains access to the network. At
the virtual layer, the firewall is able to monitor traffic between virtual machines (VM).

Data Center Network Services


As technology evolved, more and more services moved from running as physically resident to virtual or
cloud-based applications to reduce bottlenecks, increase throughput, and optimize data sharing, among
other benefits. Data center traffic has increased because of factors such as the increased number of
users depending on mobile applications to access data anytime and anyplace, businesses aggregating
and storing increasing amounts of data to enable analytics, and increased use of SaaS cloud storage over
local physical drive storage appliances. Because of these shifts, networks from distributed enterprises
down to SMB and home businesses began to depend on virtual and cloud applications for remote and
mobile capability. This led to a parallel focus on development of threats to the application layers of the
Open Systems Infrastructure (OSI), which will be discussed later in this book. The remainder of this
module will focus on how the data center serves to facilitate the use of applications in the modern
mobile, virtual and cloud-based technology environment.
Application Systems
Application systems typically consist of user interfaces, programming (logic), and databases. A user
interface is the control or method by which the user interacts with the computer, system, or network,
often consisting of screens, web pages, or input devices. Some application systems have non-visual
interfaces that exchange data electronically with other systems in a network. Figure 12 illustrates a
notional network.

Programming consists of the scripts or computer instructions used to validate data, perform
calculations, or navigate users through application systems. Many large computers use more than one
computer language to drive the system and connect with networks. This allows linking of systems
performing specialized functions into a centrally-manageable network.

Figure 12. Notional network.


Databases are simply electronic repositories of data used to store information for the organization in a
structured, searchable, and retrievable format. Most databases are configured to facilitate access for
downloading, updating, and, when applicable, sharing with other authorized network users.
Computer systems are simply sets of components that are assembled into an integrated package. The
heart of a computer system is the central processing unit (CPU), around which various other
components such as data storage, drives, displays, memory, input devices, and other peripherals are
built. Computer system components may vary in size and complexity and can be designed for single or
multiple purposes.
Control is accomplished through user interfaces. The level of application control found in Next
Generation Firewalls (NGFWs) is not generally necessary in a data center core firewall, primarily
because of the lack of end users running in the data center itself. Typically, data center applications are
accessed and used as cloud services or database information, rather than as platforms for writing and
executing programs by external users.
Application Services
With increasing use of the cloud to enable mobile, even global, use of applications and access to
organization databases, technology services designed to fulfill the needs of various industries from SMB
to large international corporations developed. In today's market, and for the foreseeable future, cloud
services continue to grow quickly. Integral to this broad range of services are three primary
components: infrastructure (IaaS), platforms (PaaS), and software (SaaS) as services. The primary
difference between models rests in responsibility tradeoffs between developer (user) and vendor
(provider), as illustrated in Figure 13 [3].
Infrastructure as a Service (IaaS). This is the most basic of the three cloud service models. The service
provider creates the infrastructure, which becomes a self-service platform for the user for accessing,
monitoring, and managing remote data center services. The benefit of IaaS is that the user does not
have to invest large amounts in infrastructure and ongoing upgrades and service, while retaining
operational flexibility. The downside is that this model requires the user to have a higher degree of
technical knowledge, or at least know or employ someone who does. Examples of businesses using the
IaaS model appear in Figure 14.

Figure 13. Differences between IaaS, PaaS, and SaaS.


Platform as a Service (PaaS). The PaaS model provides an additional level of service to the user beyond
the IaaS model. In this model, the provider not only builds the infrastructure, but also provides
monitoring and maintenance services for the user. Users of PaaS cloud services have access to
middleware to assist with application development, as well as inherent characteristics including
scalability, high availability, multi-tenancy, SaaS enabling, and other features. This allows the user to
focus on what is most important to their business: their application(s). In particular, businesses large or
complex enough to employ an enterprise data center model benefit greatly from PaaS because it
reduces the amount of coding necessary and automates business policy. Examples of businesses using
the PaaS model appear in Figure 14.
Software as a Service (SaaS). The SaaS model represents the largest cloud market and continues to
grow. This model takes the final step of bringing the actual software application into the set of functions
managed by the provider, with the user having a client interface. Because the application resides in the
cloud itself, most SaaS applications may be operated through a web browser without the need to
download or install resident software on individual physical systems. This allows businesses to develop
software and operational requirements, but to have those requirements written and fulfilled by a
third-party vendor, although such designs typically involve customization of pre-existing software
applications, because SaaS does not provide the broad flexibility of software development options
available in the PaaS model. Examples of businesses using the SaaS model appear in Figure 14 [4].

Figure 14. Examples of businesses using IaaS, PaaS, and SaaS cloud models.
The Shared Security Responsibility (SSR) Model. When using application services (the cloud) for
applications and access to databases, these services come with a shared responsibility for security and
operations split between the cloud provider and the cloud tenant. Depending upon which model is
chosen for operations (IaaS, PaaS, or SaaS), your level of security responsibility changes in magnitude.
Referring back to Figure 13, as you relinquish more control of operations and decision-making and
configuration to the vendor/provider, such as with the SaaS model, your degree of security
responsibility also declines. Conversely, if you decide to retain more management, such as in the IaaS
model, your security responsibility increases in magnitude.

Summary
From an introduction to the current status of computer network options and configurations, to the
challenges posed by evolving technologies and advanced threats, this module has prepared a foundation
for more focused discussion on emerging threats and the development of network security technologies
and processes designed to provide organizations with the tools necessary to best defend against those
threats and continue uninterrupted, secure operations. The next module will focus on the Next
Generation Firewall (NGFW), an evolving technology in network security.

Module 2: Next Generation Firewall (NGFW)
Just because you're paranoid that hackers are trying to steal your data
doesn't mean they're not really out to get you!
Early firewalls acted much like a fire door in a building: if something bad was happening in the hallway,
it protected what was in your room and other parts of the building. As personal computers became
more affordable and digital portable devices became more widespread, system and network threats
evolved as well, creating a need for protection technology able to evolve along with, or ahead of,
advanced threats. Legacy firewalls operated on the basis of port access, using source/destination IP
addresses or TCP/UDP port data to discern whether packets should be allowed to pass between
networks or be blocked or rejected. Most firewall configurations allowed all traffic from trusted
networks to pass through to untrusted networks, unless policy exceptions were implemented. In closed
networks and the early days of the Internet, this was a viable option; this predominantly static firewall
configuration model no longer provides adequate protection against advanced and emerging system
and network threats to large, distributed enterprise businesses and organizations having to serve
customers, clients, and employees in an ever-evolving mobile environment.

Technology Trends
Trends in information technology development and employment over the last 15 years have led to a
need to rethink the methodology behind modern network security. To further exacerbate this challenge,
these trends occurred simultaneously across major industry, all levels of business, and personal
consumer environments.
Consumerization of IT has resulted in IT-enabled devices, such as smartphones, digital music and video
players, recorders, cameras, and others, becoming so commonplace in the market that their lower
pricing resulted in an explosion of individual consumers acquiring technology-enabled devices for
personal use. This extends beyond the obvious devices listed above. IT-enabled devices now include such
appliances as refrigerator/freezers, home security systems, and personal home networks that include
WiFi-enabled televisions, stereos, and even the automated smart house. In other words, what we have
to be mindful of today is the Internet of Things (IoT) when we acquire devices and appliances.
Because consumers have embraced technology devices for both communication and information
sharing, Social Media enterprise has been embraced at the business level as a way to reach consumer
markets and supplement Web and traditional marketing and communication pathways. With so many
applications, especially social media, being cloud based, the challenge of network security expands
beneath the surface of traffic and into substance.
With the proliferation of inexpensive, technology-enabled devices interacting with business networks,
including both external users and those using personal devices for work purposes (Bring Your Own
Device, BYOD), the question becomes one of how to provide security, network visibility, control, and
user visibility simultaneously without an exponential increase in required resources (Figure 15).

Figure 15. Bring Your Own Device (BYOD) practices in 2011.

NGFW Characteristics: Fundamental Changes


The primary benefit of an NGFW is visibility and control of traffic entering the firewall ports. In legacy
firewalls, ports were opened and closed, or protocols allowed or disallowed, without consideration
beyond basic characteristics.

Figure 16. Edge firewall vs. NGFW traffic visibility.


With an NGFW, administrators are provided finer granularity that gives deeper insight into the traffic
attempting to access the network (Figure 16). This includes deeper visibility of users and devices, as well
as the ability to allow or limit access based on specific applications and content rather than accepting or
rejecting any traffic using a particular transmission protocol. This is the primary difference that
separates traditional and next generation firewalls (NGFW).
With a traditional firewall, traffic is accepted based on the identification criteria of designated port and IP
address. Conversely, with an NGFW traffic is accepted based on user ID (not port) and both the IP address
and traffic content. The diagrams in Figures 17 and 18 better illustrate the visibility and control
capability provided when an NGFW is integrated into the network security architecture, supplanting the
legacy edge firewall.
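The difference between the two decision models can be shown side by side in code. The following is an added example written for this guide; it is not code from any Fortinet product. The rule sets, the user-to-group mapping and the packet samples are constructed, the user identity is assumed to have been learned from an authentication source, and application identification is reduced to a check on the opening bytes of a session (real engines use far richer signatures and flow state).

```python
"""Legacy port-based filtering beside application- and user-aware policy.

Added example for this study guide; it is not code from any Fortinet product.
The rule sets, user-to-group mapping and packet samples are constructed, and
application identification is a deliberately small check on the first bytes
of a session (real engines use far richer signatures and flow state).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp" or "udp"
    dport: int
    payload: bytes              # first bytes sent by the client
    user: Optional[str] = None  # identity from an authentication source (assumed)


# --- Legacy firewall: the decision comes from protocol and port alone -------
LEGACY_RULES = [
    ("tcp", 443, "allow"),   # assumed to be HTTPS
    ("tcp", 80,  "allow"),   # assumed to be HTTP
    ("tcp", 22,  "deny"),    # no SSH out of the network
]


def legacy_decide(pkt: Packet) -> str:
    for proto, port, action in LEGACY_RULES:
        if pkt.proto == proto and pkt.dport == port:
            return action
    return "deny"   # implicit deny at the end of the rule base


# --- NGFW: identify the application from content, then match on user group --
def identify_app(payload: bytes) -> str:
    """Name the application from its opening bytes, regardless of port."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"   # TLS record: handshake content type, version 3.x
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http"
    return "unknown"


USER_GROUPS = {"alice": "engineering", "bob": "sales"}   # constructed directory

NGFW_RULES = [
    ("engineering", "ssh",  "allow"),   # only engineers may use SSH
    ("*",           "tls",  "allow"),
    ("*",           "http", "allow"),
]


def ngfw_decide(pkt: Packet) -> str:
    app = identify_app(pkt.payload)
    if app == "unknown":
        return "deny"   # content that cannot be identified is not trusted for its port
    group = USER_GROUPS.get(pkt.user or "", "unauthenticated")
    for rule_group, rule_app, action in NGFW_RULES:
        if rule_group in ("*", group) and rule_app == app:
            return action
    return "deny"


def compare(pkt: Packet) -> Tuple[str, str]:
    """(legacy decision, NGFW decision) for the same packet."""
    return legacy_decide(pkt), ngfw_decide(pkt)


# Constructed samples.
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
TLS_HELLO = bytes.fromhex("160301") + b"\x00\xc8\x01\x00\x00\xc4\x03\x03"
SAMPLES = {
    "ssh over 443, sales":       Packet("10.1.1.5", "203.0.113.9", "tcp", 443, SSH_BANNER, user="bob"),
    "ssh over 443, engineering": Packet("10.1.1.6", "203.0.113.9", "tcp", 443, SSH_BANNER, user="alice"),
    "tls on 443, sales":         Packet("10.1.1.5", "203.0.113.9", "tcp", 443, TLS_HELLO, user="bob"),
    "http on 8080, sales":       Packet("10.1.1.5", "203.0.113.9", "tcp", 8080, b"GET / HTTP/1.1\r\n", user="bob"),
    "unknown bytes on 443":      Packet("10.1.1.7", "203.0.113.9", "tcp", 443, b"\x00\x01\x02\x03", user=None),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        legacy, ngfw = compare(pkt)
        print(f"{label:<28} legacy={legacy:<5} ngfw={ngfw}")
```

The sample table is the whole lesson of Figures 17 and 18: the legacy rule base passes anything on port 443, including an SSH session and bytes it cannot classify, while the application-aware policy decides on what the traffic is and who is sending it, so the same SSH session is permitted for an engineer and refused for a sales user, and plain HTTP on a non-standard port is allowed because it is recognised rather than because of its port.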

When comparing the granularity with which legacy and next generation firewalls assess data, note that in
an NGFW the ports are identified with the traffic flowing through them as well as specific information
about the user sending the traffic, the traffic origin, and the type (content) of traffic being received. This
information goes beyond the basic link level and brings security into OSI layers 3 and 4 (application
security capability).
Figure 17. Traditional port configuration example.

Figure 18. NGFW configuration example by application, user ID.


In addition to enhanced visibility over traffic, NGFW provides enhancements in both complex security
protection and administrator control simplicity over traditional firewalls, as compared in Table 1.
Table 1. Comparative security features of edge firewalls vs. NGFW.

Edge Firewall              | NGFW
---------------------------|--------------------------------------------
Gatekeeper                 | Gatekeeper
ISO/OSI L4 Port Protocol   | Application-Centric (Content Flow) Protocol
Basic Security + Add-ons   | Integrated Security Solutions
Complex Architecture       | Integrated Architecture
Complex Control            | Simplified Control
Simple Moderate Security   | Integrated Complex Security

NGFW Evolution
Next Generation Firewalls (NGFW), an evolving technology offering high-performance protection,
provide solutions against a wide range of advanced threats against applications, data, and
users. Going beyond standard firewall protections, NGFWs integrate multiple capabilities to combat
advanced and emerging threats. These capabilities include intrusion prevention system (IPS), deep
packet scanning, network application identification and control, and access enforcement based on user
identity verification. Emerging tools include Advanced Threat Protection (ATP) to mitigate multi-vector,
persistent network or system attacks against large and distributed enterprise networks.

The concept of NGFW was first coined by Gartner in 2004 in a paper discussing the need to integrate IPS, coupled with deep packet inspection and general application-inspection capabilities, into firewalls [5]. In 2008, Gartner redefined NGFW as security devices comprising an enterprise-level firewall with integrated IPS or deep packet inspection, application identification, and extra-firewall intelligence (such as web content filtering), while allowing for interoperability with third-party rule management technology [6]. In 2009, Gartner published a new definition of NGFW, listing its characteristics as VPN, integrated IPS that interoperates with the firewall components, application awareness, and extra-firewall intelligence [7].

Figure 19. NGFW evolution timeline.

Traditional NGFW Capabilities


Traditional NGFW provides solutions against a wide range of advanced threats against applications, data, and users. Traditional enterprise network security solutions such as legacy firewalls and standalone intrusion detection/prevention systems (IDS/IPS) are no longer adequate to protect against today's sophisticated attacks. In order to defend networks against the latest threats, an NGFW should include, at a minimum, the ability to identify and control applications running over a network, an integrated intrusion prevention system (IPS) with deep packet inspection capability, and the ability to verify a user's or device's identity and enforce access policies accordingly.
However, advanced threats require advanced protection. Some NGFW devices, such as the FortiGate line, include additional technologies that provide a real-time ranking of the security risk of devices on the network and cloud-based threat detection and prevention. Traditional NGFW integrates multiple capabilities to combat emerging threats.

Figure 20. Intrusion Prevention System (IPS).


Intrusion Prevention System (IPS). Sometimes called integrated IDS/IPS. Monitors network traffic and directs the firewall to allow or block it. An Intrusion Detection System (IDS) detects threats but does not instruct the firewall to act on identified threats or unknown traffic; IDS functionality is integrated into IPS technology. IPS has been used as part of edge-based protection as a firewall enhancement; however, it is more effective to tie it into network segmentation, enabling protection against both internal and external attacks on critical servers [8].

Figure 21. Deep Packet Inspection (DPI).


Deep Packet Inspection (DPI). Examines the payload, or data portion, of a network packet as it passes through a firewall or other security device. DPI identifies and classifies network traffic based on signatures in the payload [9], and examines packets for protocol errors, viruses, spam, intrusions, and policy violations.

Figure 22. Network application identification and control.


Network Application Identification & Control. Traditional firewall protection detects and restricts applications by port, protocol, and server IP address, and cannot detect malicious content or abnormal behavior in many web-based applications. Next Generation Firewall technology with Application Control identifies and controls applications on networks and endpoints regardless of the port, protocol, and IP address used, giving visibility and control over application traffic, including unknown applications from unknown sources, and inspecting encrypted application traffic. Protocol decoders normalize traffic and discover applications attempting to evade detection through obfuscation. Following identification (and decryption where applicable), application traffic is either blocked, or allowed and scanned for malicious payloads. Application control protocol decoders also inspect IPsec VPN and SSL VPN traffic that terminates on the NGFW once it has been decrypted, and application control can decrypt and inspect traffic using encrypted protocols such as HTTPS, POP3S, SMTPS, and IMAPS. Note that decrypting such traffic requires the NGFW to act as a man-in-the-middle, presenting its own certificate to the client; clients must therefore trust the NGFW's inspection CA certificate, and traffic that uses certificate pinning or a protocol the NGFW cannot decrypt remains opaque to content inspection.

Figure 23. Access enforcement (User identity).


Access Enforcement (User Identity). When a user attempts to access network resources, a Next Generation Firewall identifies the user from the list of user names, IP addresses, and Active Directory group memberships that it maintains locally. The connection request is allowed only if the user belongs to one of the permitted user groups, and the assigned firewall policy is then applied to all traffic to and from that user.
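As an added illustration (example code written for this guide, not Fortinet product code), the following Python script contrasts the port-based classification of a legacy firewall with the two NGFW mechanisms described above: identifying the application from the first bytes of the payload, and then applying a policy keyed on the user's group and the identified application rather than on the port. The payload signatures, the user-to-group mapping, the policy table, and the sample flows are all constructed for the example; a real protocol decoder is far more thorough.

```python
# Added example (not from the study guide or any Fortinet product): application
# identification from payload signatures, independent of port, combined with a
# user/group policy. All signatures, users, policies and flows are constructed.
import re
from dataclasses import dataclass

# Constructed first-bytes signatures modelled on what a protocol decoder checks.
SIGNATURES = [
    ("SSH",  re.compile(rb"^SSH-\d\.\d-")),
    ("TLS",  re.compile(rb"^\x16\x03[\x00-\x03]")),   # TLS record, handshake type
    ("HTTP", re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("SMTP", re.compile(rb"^220 .*SMTP")),
]

def identify_application(payload: bytes) -> str:
    """NGFW-style: classify by what the bytes look like, not where they go."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"

# Legacy firewall view: the destination port is the application.
PORT_TABLE = {22: "SSH", 25: "SMTP", 80: "HTTP", 443: "TLS"}

def identify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")

@dataclass(frozen=True)
class Flow:
    user: str
    src_ip: str
    dst_port: int
    payload: bytes

# Constructed identity store: user -> AD-style groups (assumption: learned
# beforehand via an agent or directory lookup, as the text describes).
USER_GROUPS = {"alice": {"Engineering"}, "bob": {"Contractors"}}

# Policy rows are matched top-down on (group, application). No port appears.
POLICY = [
    ("Engineering", "SSH",  "accept"),
    ("Engineering", "HTTP", "accept"),
    ("Engineering", "TLS",  "accept"),
    ("Contractors", "HTTP", "accept"),
    ("Contractors", "TLS",  "accept"),
]
DEFAULT_ACTION = "deny"

def ngfw_decision(flow: Flow) -> tuple:
    """Return (identified application, policy action) for one flow."""
    app = identify_application(flow.payload)
    groups = USER_GROUPS.get(flow.user, set())
    for group, policy_app, action in POLICY:
        if group in groups and policy_app == app:
            return app, action
    return app, DEFAULT_ACTION

# Constructed flows. The last one is SSH sent to port 443 to slip past a
# port-based rule: the port table says TLS, the payload decoder says SSH.
SAMPLE_FLOWS = [
    Flow("alice", "10.0.0.5", 22,  b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("alice", "10.0.0.5", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("bob",   "10.0.0.9", 80,  b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    Flow("bob",   "10.0.0.9", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
]

def evaluate_all(flows=SAMPLE_FLOWS) -> list:
    """Rows of (user, port, legacy guess, NGFW app, NGFW action)."""
    return [(f.user, f.dst_port, identify_by_port(f.dst_port), *ngfw_decision(f))
            for f in flows]

if __name__ == "__main__":
    for user, port, legacy, app, action in evaluate_all():
        print(f"{user:6s} port {port:4d}  legacy={legacy:7s}  ngfw={app:7s} -> {action}")
```

The legacy column would have accepted bob's tunnelled SSH as ordinary HTTPS; the payload-based decision denies it because no Contractors/SSH row exists.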

Figure 24. NGFW distributed enterprise-level capability.


Distributed Enterprise-level Capability. Capable of operating in large, distributed enterprise networks. The foundation of the enterprise campus offering is a high-performance next generation firewall (NGFW) that adds intrusion prevention, application control, and anti-malware to the traditional firewall/VPN combination. In particular, Fortinet NGFWs:
- Provide fine-grained, user- or device-based visibility and control over more than 3000 discrete applications to establish and enforce appropriate policies.
- Include intrusion prevention that looks beyond port and protocol to the actual content of network traffic to identify and stop threats.
- Leverage top-rated anti-malware to proactively detect malicious code seeking entry to the network.
- Deliver actionable application and risk dashboards/reports for real-time views into network activity.
- Run on purpose-built appliances with custom ASICs for multi-function performance, even over encrypted traffic.

Figure 25. Extra-firewall intelligence IP list assignment.


Extra-firewall Intelligence. This provides the ability to create lists that allow or deny external traffic to the network. The lists are designated by IP address. List types include:
White List. Designated sources considered trusted, which will be allowed access to the network.
Black List. Designated sources considered not trusted, which will be denied access to the network.
A key point about this function is that the decision is based on the source address alone, so access does not relate to any specific type of information that may be carried in traffic from that source. It is a surface screening rather than a content screening function, and a whitelisted address that is later compromised is still trusted.

Figure 26. Notional network with managed security (MSSP).


Interoperable with Third-Party Management. Enterprise-class appliances deliver the comprehensive security solution that Managed Security Service Providers (MSSPs) require. They allow the provider to use the full suite of ASIC-accelerated security modules as customizable value-added features for specific customers. FortiGate NGFW appliances include the ability to create multi-tenant virtual security networks, supporting up to 5,000 separate Virtual Domains (VDOMs) in a single device. The full suite of integrated management applications, including granular reporting features, offers visibility into the security posture of customers while identifying their highest risks.
VPN. Virtual Private Network (VPN) technology allows organizations to establish secure communications and data privacy between multiple networks and hosts using IPsec and Secure Sockets Layer (SSL) VPN protocols. Both VPN services leverage custom ASIC network processors to accelerate encryption and decryption of network traffic. Once the traffic has been decrypted on the appliance, multiple threat inspections, including antivirus, intrusion prevention, application control, email filtering, and web filtering, can be applied and enforced for all content traversing the VPN tunnel.

Figure 27. Application awareness: The NGFW application monitoring feature.


Application Awareness. While establishing port and protocol are important first steps in identifying
traffic, positive identification of application traffic is an important capability added by NGFW, requiring a
multi-factor approach independent of port, protocol, encryption, or evasive measures. Application
awareness includes protocol detection and decryption, protocol decoding, signature identification, and
heuristics (behavioral analyses). [10]
NGFW Functions
Two important functions of NGFW are to detect threats and to prevent them from exploiting system or network vulnerabilities. Detection is the role of an Intrusion Detection System (IDS) deployed as part of the network architecture; prevention is the role of an Intrusion Prevention System (IPS). The purpose of IPS is to react to detected threats by blocking traffic that attempts to exploit system vulnerabilities or deviates from standard protocols, including attacks generated by trusted sources [8]. NGFW appliances, such as the FortiGate line, provide integrated IDS and IPS capability to both detect and prevent intrusion into and exploitation of protected networks.
Another function of NGFW is SSL-encrypted traffic inspection. This type of inspection protects endpoint clients as well as Web and application servers from threats hidden inside encrypted sessions. SSL inspection intercepts and decrypts encrypted traffic, inspects it for threats, and then re-encrypts it toward its destination. It can be applied to client-oriented (outbound) traffic, such as users connecting to a cloud-based site, or to inbound Web and application server traffic, for which the NGFW holds the server's own certificate and private key. Using SSL inspection allows policy enforcement on encrypted Web content to prevent intrusion by malicious traffic hidden in SSL content. Like the other inspection functions, the tradeoff of enabling SSL inspection is a decrease in throughput.

Extended NGFW Capabilities

Beyond the capabilities Gartner defined for NGFW, capabilities focused on advanced and emerging threats are clearly needed, particularly within enterprise network security infrastructure, to protect against new and evolving classes of highly targeted, tailored attacks designed to bypass common defenses. These additional defenses, referred to by Fortinet as Advanced Threat Protection (ATP), include antivirus/anti-malware, anti-botnet, web filtering, code emulation, and sandboxing. Integration of these capabilities appears in Figure 28.

Figure 28. Extending FortiGate NGFW with Advanced Threat Protection (ATP).
When integrated with NGFW, capabilities of ATP enhance security by providing additional protections
against evolving threats, including:
Dual-level sandboxing, allowing code activity examination in simulated and virtual environments
to detect previously unidentified threats.
Detailed reporting on system, process, file, and network behavior, including risk assessments.
Secure Web Gateway through adding web filtering, botnet, and call back detection, preventing
communications with malicious sites and IPs.
Option to share identified threat information and receive updated in-line protections.
Option to integrate with other systems to simplify network security deployment.

With the continued shift toward mobile and BYOD practices, integrated user authentication takes on increased importance for visibility and control of the applications network users employ. Given the sophistication of advanced and evolving threats, use of two-factor (strong) authentication has become more prevalent. In addition to the capabilities discussed previously as additive measures to the NGFW, a number of strong authentication features may also be enabled:
- Hardware, software, email, and SMS tokens
- Integration with LDAP, AD, and RADIUS
- End user self-service
- Certificate Authority
- Single sign-on throughout the network

Illustration of authentication functions integrated into NGFW appear in Figure 29.

Figure 29. Authentication functions integrated into NGFW.


While the Application Control feature of the extended NGFW serves to identify the applications in use, associate them with network users, and block applications representing a risk to the organization, the Web Filtering function of ATP operates differently. Application Control classifies the actual application traffic regardless of where it is going; Web Filtering classifies the destination Internet site (URL) by a categorization of the site or of the type of content it hosts [8]. This allows the NGFW to block web sites known to host malicious content. An example of how Web Filtering categorizes sites appears in Figure 30.

Figure 30. Web filtering profile control.


Antivirus/malware. Responsible for detecting, removing, and reporting on malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection ensures that malicious threats hidden within legitimate application content are identified and removed from data streams before they can cause damage. Running AV/AM protection on endpoints and servers as well adds a further layer of security.

Figure 31. FortiGate antivirus/malware.


Anti-botnet. Responsible for detecting hosts that have been compromised and enlisted into a botnet, and for reacting to the coordinated attacks, such as Distributed Denial of Service (DDoS), that botnets carry out. Organizations may prevent, uncover, and block botnet activity using anti-bot traffic pattern detection (for example, the regular "call-back" connections an infected host makes to its command-and-control server) and IP reputation services supplied in real time.
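As an added example (not from the study guide or any Fortinet product), the following Python script runs two anti-botnet checks over constructed connection-log lines: a lookup of destinations against a block list standing in for a C&C/botnet IP feed, and detection of the regular call-back beaconing an infected host produces, found by measuring how evenly spaced repeated connections to one destination are. The block list, the log format, the thresholds, and the log lines themselves are all assumptions made for the example.

```python
# Added example (not from the study guide or a Fortinet product): two checks an
# anti-botnet function performs, run over constructed connection-log lines.
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed block list standing in for a vendor botnet / C&C IP feed.
BOTNET_IPS = {"203.0.113.77"}

# Constructed log lines: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.15 calls an unknown host exactly every 60 s (a timer-driven bot);
# 10.0.0.23 touches a listed C&C address once and browses a web server irregularly.
LOG_LINES = """\
2015-01-01T10:00:00 10.0.0.15 198.51.100.99 8080
2015-01-01T10:00:21 10.0.0.23 192.0.2.10 80
2015-01-01T10:01:00 10.0.0.15 198.51.100.99 8080
2015-01-01T10:02:00 10.0.0.15 198.51.100.99 8080
2015-01-01T10:02:30 10.0.0.23 203.0.113.77 443
2015-01-01T10:03:00 10.0.0.15 198.51.100.99 8080
2015-01-01T10:03:40 10.0.0.23 192.0.2.10 80
2015-01-01T10:04:00 10.0.0.15 198.51.100.99 8080
2015-01-01T10:05:00 10.0.0.15 198.51.100.99 8080
2015-01-01T10:07:12 10.0.0.23 192.0.2.10 80
2015-01-01T10:09:30 10.0.0.23 192.0.2.10 80
2015-01-01T10:15:02 10.0.0.23 192.0.2.10 80
"""

def parse_log(text: str) -> list:
    """Return (timestamp, src_ip, dst_ip, dst_port) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def blocklist_hits(events) -> list:
    """Internal hosts that contacted a known botnet / C&C address (IP reputation)."""
    return sorted({(src, dst) for _, src, dst, _ in events if dst in BOTNET_IPS})

def find_beacons(events, min_count: int = 5, max_cv: float = 0.1) -> list:
    """Flag (src, dst) pairs whose connection spacing is nearly constant.
    cv = stdev / mean of the inter-arrival gaps: a bot's timer gives cv near 0,
    human-driven traffic is far more irregular. Pairs with fewer than
    min_count connections are ignored to avoid judging on too little data."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            beacons.append((src, dst, round(mean), round(cv, 3)))
    return beacons

def analyze(text: str = LOG_LINES) -> dict:
    events = parse_log(text)
    return {"blocklist_hits": blocklist_hits(events), "beacons": find_beacons(events)}

if __name__ == "__main__":
    report = analyze()
    for src, dst in report["blocklist_hits"]:
        print(f"BLOCKLIST  {src} -> {dst}")
    for src, dst, period, cv in report["beacons"]:
        print(f"BEACON     {src} -> {dst} every ~{period}s (cv={cv})")
```

The beacon check is what catches a C&C server that is not yet on any reputation list; in practice the thresholds need tuning, since legitimate agents (NTP, monitoring, update checkers) also call home on a timer and should be allow-listed rather than blocked.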

Figure 32. FortiGuard Anti-botnet protection.


Web filtering. Function that allows or blocks Web traffic based on type of content, commonly defined
by categories. Web filtering protects endpoints, networks and sensitive information against Web-based
threats by preventing users from accessing known phishing sites and sources of malware.

Figure 33. FortiGate Web filtering capability.

Code emulation. Allows testing of unknown or potentially malicious traffic in a virtual environment by emulating the actual environment the traffic was addressed to.
Sandboxing. Isolating unknown or potentially malicious code so that it can fully execute before the traffic is allowed into the network. Sandboxing can detect zero-day exploits that signature-based security solutions cannot identify. If malicious activity is discovered, Advanced Threat Protection (ATP) can block it.
Sandboxes and APT
You might be thinking whether this is Back to the Future? After all, sandbox technology is old, having
long been a standard safety isolation to analyze code. So why would sandboxes be important when
examining the implications of Advanced Persistent Threats (APT)?

Sandboxes were initially developed to run executable files. Modern sandboxes also open application data that may carry malicious code, such as PDF documents for Adobe Reader or JavaScript, so that the sandbox identifies the malicious code before it can infect an operating system. Modern sandbox technology helps detect and identify new threats, including old legacy threats with a new veneer, by emulating endpoint device environments to analyze how the potential threat behaves. In this way, relatively unknown malware, constantly being developed at all levels of complexity, and APTs may be detected, identified, cataloged, and blocked by the NGFW (Figure 34). Integrating NGFW with sandboxing lets the NGFW inspect traffic first, so that only suspect traffic is forwarded to the sandbox, improving sandbox performance by reducing unnecessary detonations.

Figure 34. Sandbox deployed with NGFW Solution.


Advanced Persistent Threats (APT)
Since the widespread availability of computer technology, and especially since the introduction of affordable personal computing platforms and open availability of computer training, people have used software to target systems and networks to damage, steal, or deny access to data. Modern and future challenges, the Advanced Persistent Threats, present a more daunting sophistication of malware, attack vectors, and perseverance in mounting offensives against their targets. Just as an APT uses multiple attack layers and vectors to increase its chance of success, network security administrators must design and implement a multi-layered defense to protect against these threats. It is critical to understand that no single network security feature will stop an APT. A simplified three-step approach to how NGFW addresses APTs appears in Figure 35, below.

Figure 35. The NGFW three-step approach to APT.

Advanced Threat Protection (ATP)
In order to protect against modern and emerging future threats, adaptive defense tools like ATP are
being incorporated into network security infrastructures at an increasing pace. This level of protection
provides increased security across all network sizes from SMB to large enterprises. Critical capabilities
brought to bear by ATP include:
Access Control. Layer 2/3 firewall, vulnerability management, two-factor authentication.
Threat Prevention. Intrusion Prevention (IPS), application control, Web filtering, email filtering,
antimalware.
Threat Detection. Sandboxing, botnet detection, client reputation, network behavior analysis.
Incident Response. Consolidated logs & reports, professional services, user/device quarantine,
threat prevention updates.
Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.
The continuous nature of ATP protection is illustrated in Figure 36, below:

Figure 36. Fortinet Advanced Threat Protection (ATP) model.

NGFW Deployment
Edge vs. Core
When deploying the NGFW, segmentation is a key consideration (see Module 1, page 8), and NGFW brings a combination of hardware- and software-based segmentation capabilities that allow isolation of critical network sections, such as data centers. Deploying NGFW at the network edge provides control over traffic entering and leaving the network; deploying it at the core, between internal segments, extends that protection to critical infrastructure such as data centers against threats that are already inside the network (Figure 37).

Figure 37. NGFW deployment to edge network


NGFW vs. Extended NGFW
Another consideration is which NGFW capabilities are needed, or desired, for the network being protected. Whether to deploy extended NGFW capabilities depends on the nature of the functions performed both inside and outside the network. In particular, with the movement to cloud-based and web applications, extended NGFW may be the better fit. As illustrated in Figure 38, Extended NGFW incorporates the capabilities of current NGFW plus enhanced features that make it more capable against modern and emerging threats.

Figure 38. Current NGFW vs. Extended NGFW capabilities.


One characteristic of most technologies is that added capabilities come with concomitant tradeoffs. In the case of NGFW, adding inspection functions such as web filtering or anti-malware presents options that balance capabilities and protection level against traffic processing speed. The two methods used to inspect traffic are flow-based and proxy-based inspection. In flow-based inspection, the NGFW pattern-matches traffic against its signature database as the packets pass, without breaking the TCP connection or buffering the whole object; the inspection is shallower, but throughput is faster. In proxy-based inspection, the NGFW terminates the connection, buffers and reassembles the entire object (a file, message, or page), analyzes it, and then forwards it on a new connection to the destination; the inspection is more thorough, but throughput is slower.

Table 2. Comparison between flow-based and proxy-based inspection

  Attribute                  Flow-based                                Proxy-based
  -------------------------  ----------------------------------------  ----------------------------------------
  Speed/performance          Faster                                    Slower
  Security analysis method   Compares passing traffic against a        Conducts specific analysis on the
                             database of known bad patterns            relevant, reassembled content
  TCP transparency           TCP flow not broken; only packet          TCP connection broken: the NGFW
                             headers changed if necessary              terminates and re-originates it, so
                                                                       TCP sequence numbers change
  Protocol awareness         Not required                              Understands the protocol being analyzed
  File size limits           Only during scanning                      Yes, when buffering, based on available
                                                                       NGFW memory
  Features supported         Antivirus, IPS, Application Control,      Antivirus, DLP, Web Content Filtering,
                             Web Content Filtering                     Antispam

Because flow mode does not unpack compressed files or email/FTP attachments, deploying anti-malware in flow mode may result in a decreased detection rate.
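An added example (not from the study guide) that shows the detection consequence of the difference in Table 2 and the note above: a flow-style scanner pattern-matches packets as they pass, carrying a short tail across packet boundaries, while a proxy-style scanner buffers the whole object, decompresses it if it is gzip-encoded, and scans the result, subject to a buffer (file-size) limit. The "malware" marker and the payloads are constructed.

```python
# Added example (not from the study guide): flow-style versus proxy-style
# scanning of the same object. The marker and payloads are constructed.
import gzip

# Constructed byte pattern standing in for a malware signature.
SIGNATURE = b"X-CONSTRUCTED-MALWARE-MARKER"

def chunk(data: bytes, size: int) -> list:
    """Split an object into fixed-size 'packets'."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def flow_scan(packets) -> bool:
    """Flow-based: match each packet as it passes, without buffering the object.
    A tail of len(SIGNATURE)-1 bytes is carried forward so a signature split
    across two packets is still seen. Nothing is decompressed, so a signature
    inside a gzip body is invisible to this scan."""
    carry = b""
    for pkt in packets:
        window = carry + pkt
        if SIGNATURE in window:
            return True
        carry = window[-(len(SIGNATURE) - 1):]
    return False

def proxy_scan(packets, max_buffer: int = 1_000_000):
    """Proxy-based: buffer the whole object (breaking the flow), decompress it
    if it is gzip-encoded, then scan. Returns None when the object exceeds the
    buffer limit (the 'file size limits' row of Table 2); policy then decides
    whether oversize objects pass unscanned or are blocked."""
    body = b"".join(packets)
    if len(body) > max_buffer:
        return None
    if body[:2] == b"\x1f\x8b":          # gzip magic number
        body = gzip.decompress(body)
    return SIGNATURE in body

# Constructed payloads: the same content sent in clear and gzip-compressed.
PLAIN = b"hello " * 20 + SIGNATURE + b" trailing bytes"
COMPRESSED = gzip.compress(PLAIN)

def compare(packet_size: int = 50) -> dict:
    """(flow-based result, proxy-based result) for each payload."""
    return {
        "plain": (flow_scan(chunk(PLAIN, packet_size)),
                  proxy_scan(chunk(PLAIN, packet_size))),
        "compressed": (flow_scan(chunk(COMPRESSED, packet_size)),
                       proxy_scan(chunk(COMPRESSED, packet_size))),
    }

if __name__ == "__main__":
    for name, (flow, proxy) in compare().items():
        print(f"{name:10s} flow-based={flow!s:5s} proxy-based={proxy}")
```

The clear-text payload is caught either way (the signature straddles a packet boundary, which the carried tail handles); the gzip-compressed payload is caught only by the proxy scan, at the cost of holding the entire object in memory before any of it is forwarded.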

Summary
The concept of Next Generation Firewalls developed to address evolving threats as technology itself evolved. With the rapid rise of technology integration, portability, and BYOD models in business, education, and other environments, combined with the more widespread ability of attackers, from novices to experts, to develop malicious code, a system deriving from the initial premise of NGFW needed to develop for the future.
Because of these capabilities and the flexibility to proactively address modern and developing threat environments across networks of varying sizes, NGFW will be the standard in network firewall protection at least through 2020.

Module 3: Unified Threat Management (UTM)
Unified Threat Management (UTM) is a security management approach that gives administrators the ability to monitor and manage multiple security-related applications and infrastructure components through a single management console. Through this simplified management approach, UTM lets administrators protect both local and branch offices from potential threats, rather than depending on coordination with remote site administrators or on multiple control panels. This integrated approach to security control extends the philosophy that led to the integration of multiple security functions into hardware and software appliances, in contrast to legacy network security systems built from single- or dual-function add-on appliances, which resulted in complex hardware, software, and management control systems (Figure 39).

Figure 39. Legacy network security add-ons vs. UTM architecture

UTM provides administrators the ability to monitor and manage multiple, complex security-related applications and infrastructure components through a single management console. Because UTM is designed as an integrated solution, it avoids the network address translation, overheating, and throughput problems caused by chaining multiple separate security appliances in legacy systems.
The Key to UTM: Consolidation
Similar to NGFW, one of the strengths of UTM is integration of components and functions into both
hardware appliances and associated security software applications. The advantage to UTM is that it goes
beyond the NGFW focus of high performance protection of data centers by incorporating a broader
range of security capabilities to provide administrator-friendly, threat-unfriendly management. Using
firewall capabilities as a foundation, UTM integrates additional VPN, intrusion detection and prevention,
and secure content management capabilities.

UTM Features
UTMs are generally acquired as either cloud services or network appliances, and integrate firewall,
intrusion detection system (IDS), anti-malware, spam and content filtering, and VPN capabilities (Figure
40). These can be installed and updated as necessary to keep pace with emerging threats. [11]

Figure 40. Unified Threat Management (UTM).


Firewall. The most basic, necessary, and widely deployed network security technology, which uses sets of rules or policies to determine which traffic is allowed into or out of a system or network. UTM builds on this foundation to integrate, rather than add on, enhanced security capabilities. [8]
Intrusion Detection System (IDS). IDS is capable of detecting potential threats to the network, but does not react by sending a message to the firewall to block the threat. [8] The function of IDS is an integrated feature of an Intrusion Prevention System (IPS).
Antivirus/malware. Antivirus/Antimalware (AV/AM) provides multi-layered protection against viruses, spyware, and other types of malware. It scans e-mail for viruses, but it doesn't stop there: anti-virus protection can also be applied to File Transfer Protocol (FTP) traffic, instant messaging (IM), and web content at the network perimeter. Some solutions support Secure Sockets Layer (SSL) content scanning, which means that the SSL-protected counterparts of those protocols, such as HTTPS, FTPS, POP3S, and so on, can be protected as well (SFTP runs over SSH rather than SSL, so it is covered by SSH inspection where supported). A UTM virus filter examines all files against a database of known virus signatures and file patterns. If no infection is detected, the file is sent to the recipient. If an infection is detected, the UTM solution deletes or quarantines the infected file and notifies the user. [9]
Antispam. This module detects and removes unwanted e-mail (spam) by applying verification criteria to determine whether a message fits the defined parameters for spam. These parameters may be as simple as a list of senders maintained by a user, or a comparison against databases of known bad messages and spam server addresses [8]. Anti-spam filtering can block many Web 2.0 threats, such as bots, many of which arrive in users' e-mail boxes, and the multiple anti-spam technologies incorporated into UTM can detect threats through a variety of techniques [9].
Content filtering. These devices block traffic to and/or from a network by IP address, domain name/URL, type of content (for example, adult content or file sharing), or payload. They maintain a whitelist of trusted sites and a blacklist of forbidden sites to prevent users from violating acceptable use policies or being exposed to malicious content. [9]
VPN. A Virtual Private Network (VPN) uses special protocols to move packets of information across the Internet securely. In general, VPN protocols encrypt traffic going from sender to receiver, which makes the traffic appear completely garbled to anyone who intercepts and examines the packets while they are in transit. VPNs use encryption to protect the traffic they carry from unauthorized access. Because VPN packets wrap the encrypted data inside a new protocol envelope, a technique known as encapsulation, a VPN creates a private, encrypted tunnel through the Internet. [9]
UTM Distributed Enterprise Advanced Features
Enterprise customers may have access to more advanced features, such as identity-based access control, load balancing, intrusion prevention (IPS), Quality of Service (QoS), SSL/SSH inspection, and application awareness [11].
Access (Application) control. Application control can identify and control applications, software programs, network services, and protocols. In order to protect networks against the latest web-based threats, application control should be able to detect and control Web 2.0 applications such as YouTube, Facebook, and Twitter. Enterprise-class application control provides granular policy control, allowing or blocking applications based on vendor, application behavior, and type of technology. For example, you can block specific sites, block only users' ability to follow links or download files from sites, or block games but allow chat.
Another feature of application control is the ability to enforce identity-based policies on users. The UTM system tracks user names, IP addresses, and Active Directory user groups. When a user logs on and tries to access network resources, UTM applies a firewall policy based on the requested application or destination. Access is allowed only if the user belongs to one of the permitted user groups.
Load balancing. Load balancing distributes traffic and routes content across multiple web servers. This increases application performance, improves resource utilization and application stability, and reduces server response times. With data compression and an independent SSL encryption processor, this capability further increases transaction throughput and reduces the processing load on the web servers, providing additional acceleration for web application traffic.
Intrusion Prevention System (IPS). An IPS acts as a network's watchdog, looking for patterns of network traffic and activity and recording events that may affect security. An IPS issues alarms or alerts for administrators and is able to block unwanted traffic. IPS also routinely logs information as events occur, so it can provide information to better handle threats in the future, or evidence for possible legal action [9]. IPS is the best way to detect threats trying to exploit network vulnerabilities.
Quality of Service (QoS). QoS refers to a network's ability to make the best use of available bandwidth and to manage other network performance elements such as latency, error rate, and uptime. Quality of service also involves controlling and managing network resources by setting priorities for specific types of data (video, audio, files) on the network. QoS is most commonly applied to latency-sensitive traffic such as video on demand, IPTV, VoIP, streaming media, videoconferencing, and online gaming. [12]
SSL/SSH inspection. This provides the ability to inspect content encrypted by applications using Secure Sockets Layer (SSL) or SSH, by performing a man-in-the-middle interception of the session: the appliance terminates the encrypted session from the client, decrypts and inspects the content, and re-encrypts it toward the server. This allows other inspections to be applied, such as DLP, web filtering, and antivirus/anti-malware. Because the client sees a certificate generated by the appliance rather than the server's own, the appliance's signing CA must be trusted by the clients for inspection to be transparent, and applications that pin their server certificate will fail rather than accept the substituted one. Popular examples of SSL-protected protocols are HTTPS, FTPS, and the mail protocols SMTPS, POP3S, and IMAPS. [8]
Application awareness. Web Application Security solutions provide specialized, layered application threat protection for medium and large enterprises, application service providers, and SaaS providers. The FortiWeb web application firewall protects web-based applications and Internet-facing data. Automated protection and layered security protect web applications from layer 7 DoS and sophisticated attacks such as SQL injection, cross-site scripting, and data loss. A Web Vulnerability Assessment module adds scanning capabilities to provide a comprehensive solution for PCI DSS section 6.6 requirements.
Tradeoffs. The main advantage of UTM is reduced operational complexity. In particular, reducing operational complexity for network administrators increases the likelihood that they will actually use the available protection features to optimize network security. However, while simplification offers this advantage, the main drawback is that the UTM appliance becomes a single point of failure (SPOF) for the network it protects, so high-availability pairing should be planned for.

Extended UTM Features


One of the key factors that enables specialized UTM products to achieve the highest levels of
performance and boost network throughput is incorporating custom application-specific integrated
circuits (ASICs) into UTM hardware components. As discussed previously in Module 1, using custom-designed
ASICs presents a more challenging design process, but the tradeoff is achieving the highest
levels of system performance by having tailored the ASICs to the device capabilities and intended
functions. As with most highly efficient technologies, planning and configuration are critical in achieving
optimum performance and control when systems and networks are brought online.
Expanding on the foundation of an integrated firewall, UTM builds additional capabilities to enhance
network security management. With ever-increasing data transfers between remote users, the
capabilities integrated into UTM that are not resident in NGFW include Data Leak Prevention (DLP),
sometimes referred to as Data Loss Prevention, which helps prevent unauthorized transfer of information
to someone outside an organization by protecting the contents of email, web pages, and transferred files.
DLP provides a strong appliance-level means to control data by methods such as inbound/outbound
filtering and fingerprinting.
DLP filtering scans inbound and outbound files, searching for text string and patterns that, when
compared against the DLP database, determine whether the content will be allowed, blocked, or
archived.

Fingerprinting is a method by which each document file is encoded with a unique fingerprint. Based
on the fingerprint, DLP determines whether the document is a sensitive or restricted file that should be
blocked, or whether the file is allowed to be shared beyond the network.
DLP has the ability to scan and identify data patterns using supported scannable protocols. For example,
FortiGate systems are capable of detecting HTTP, FTP, SMTP, POP3, IMAP, and instant messaging
protocols for Yahoo, MSN, AOL, and ICQ messaging services [8]. A limitation of DLP, however, is that it is
affected by the same limitations as antivirus scanning: maximum file size, data fragmentation (but not
necessarily packet fragmentation), and encryption, all of which may limit effective data leak detection
and subsequent prevention.
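The two DLP methods just described, pattern filtering and document fingerprinting, are shown together in the following added example. It is not code from the study guide or from Fortinet; the rule set, the "sensitive" board-minutes document, the transferred files and the size limit are all constructed for the demonstration. It also shows the maximum-file-size limitation mentioned above: an oversized file is passed through unscanned rather than inspected.

```python
import hashlib
import re

# Constructed DLP policy for the example; the values are hypothetical, not a FortiGate configuration.
MAX_SCAN_SIZE = 1 * 1024 * 1024   # files larger than this are passed unscanned (the size limit noted above)
CHUNK_SIZE = 64                   # bytes per fingerprint chunk; small so the demo document yields several chunks
MATCH_THRESHOLD = 0.5             # fraction of a known document's chunks that must reappear to call it a match

# Pattern rules as (name, regex, action). Actions mirror the allow / block / archive outcomes above.
PATTERN_RULES = [
    ("card-number-like", re.compile(rb"\b(?:\d[ -]?){13,16}\b"), "block"),
    ("project-codename", re.compile(rb"project[ _-]nightjar", re.IGNORECASE), "archive"),
]


def fingerprint(data: bytes) -> set:
    """Hash fixed-size chunks of a document. The set of chunk hashes is the document's
    fingerprint; a copy with text appended still shares most chunks with the original.
    Real products use content-defined chunking so insertions do not shift every boundary."""
    return {hashlib.sha256(data[i:i + CHUNK_SIZE]).hexdigest()
            for i in range(0, len(data), CHUNK_SIZE)}


def fingerprint_overlap(data: bytes, known: set) -> float:
    """Fraction of the known document's chunks that appear in the transferred data."""
    if not known:
        return 0.0
    return len(fingerprint(data) & known) / len(known)


def scan_file(name: str, data: bytes, fingerprint_db: dict) -> dict:
    """Return the DLP verdict for one file crossing the perimeter."""
    if len(data) > MAX_SCAN_SIZE:
        # Same limitation as antivirus scanning: the file is too large to inspect.
        return {"file": name, "action": "allow", "reason": "exceeds max scan size; not scanned"}
    for doc_name, known in fingerprint_db.items():
        overlap = fingerprint_overlap(data, known)
        if overlap >= MATCH_THRESHOLD:
            return {"file": name, "action": "block",
                    "reason": f"fingerprint matches {doc_name} ({overlap:.0%} of chunks)"}
    for rule_name, regex, action in PATTERN_RULES:
        if regex.search(data):
            return {"file": name, "action": action, "reason": f"pattern rule {rule_name}"}
    return {"file": name, "action": "allow", "reason": "no rule matched"}


# Constructed sensitive document and transfers (not real data).
SENSITIVE_DOC = (b"Board minutes, RESTRICTED. Q3 forecast revised downward by 12 percent. "
                 b"Acquisition talks with a supplier continue under NDA; see appendix for terms. "
                 b"Do not distribute outside the finance group.")
FINGERPRINT_DB = {"board-minutes.txt": fingerprint(SENSITIVE_DOC)}

SAMPLE_TRANSFERS = {
    "newsletter.txt": b"Welcome to the monthly newsletter. Enjoy the team photos from the picnic.",
    "forward.txt": SENSITIVE_DOC + b"\n\nForwarding this to my personal mailbox for later.",
    "order.txt": b"Please charge card 4111 1111 1111 1111 for the order.",
    "status.txt": b"Status update for Project Nightjar attached.",
    "backup.bin": b"\x00" * (MAX_SCAN_SIZE + 1),
}


def run_dlp(transfers=SAMPLE_TRANSFERS, db=FINGERPRINT_DB) -> dict:
    """Scan every transfer and map file name to the action taken."""
    return {name: scan_file(name, data, db)["action"] for name, data in transfers.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_TRANSFERS.items():
        print(scan_file(name, data, FINGERPRINT_DB))
```

The forwarded copy of the minutes is caught by fingerprint even though text was appended, because most of its chunks still hash to values in the database; the card-number-like string and the project codename are caught by pattern rules with different actions; and the oversized binary illustrates the gap a file-size limit leaves.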
Evolving UTM Features
As mentioned previously, UTM is a user-simplified, protection-complex, integrated concept with the
ability to evolve as technologies, user trends, and threats evolve. With this focus on being flexible and
future-ready, additional technologies are increasingly being integrated into UTM devices. Among these
capabilities, suited to various size networks, are switching, Wireless Local Area Network (WLAN)
control, and Power-over-Ethernet (POE).
Switching. By integrating Switching into UTM, the capability to manage switching is added to single
control console security management. This again reduces the number of physical hardware devices and
control monitors necessary to manage the UTM system. From this integrated control panel, individual
ports can be switched on or off to physically isolate network traffic. This is important, because some
applications attempt to use port 80 to avoid detection from traditional port-based firewall security
systems. Port 80 is the primary port used by the Worldwide Web (WWW) and is how web servers
listen for incoming unsecure (HTTP) connections from web browsers. This is a primary port through
which malicious code tries to sneak through via Internet applications. Conversely, secure WWW
connections are monitored through port 443 (HTTPS) using TLS/SSL security protocols.

Figure 41. LAN control.


Wireless LAN (WLAN). Integrating the WLAN into UTM provides more than added economy of
hardware. Integrating WLAN into UTM provides a simplified method to ensure each network on the full
infrastructure (physical, WLAN, and VPN) may be controlled together to maintain consistent security

policies and controls across all networks on the control interface. This approach also detects and
eliminates potential blind spots and better prevents unauthorized or rogue wireless access to the
combined network. WLAN is also important for SMB networks where secure wireless coverage must
take the place of non-existent cable-based network connectivity, such as rented small office spaces.
With continued increases in mobile computing and BYOD operations, many people in today's
technologically empowered workforce expect the ability to replicate their office environment wherever
they happen to be conducting business. Because of the many variables involved in such an endeavor
(variations in available Internet speeds, availability of secured versus open networks, volume of users on
remote networks, the cost of high-speed links, and so forth), a technique needs to be available to
enable effective remote communication for authorized network users. In this situation, a process called
WAN Optimization (WANOpt) is such a technique for use with UTM-empowered network
infrastructures.
WANOpt provides improved application and network performance to authorized remote users through
five primary methods [9]:
Protocol optimization. Improves efficiency of FTP, HTTP, TCP, and other protocols to accelerate
network performance.
Byte caching. Caches files and data to reduce amount of data necessary to be sent across WAN.
Web caching. Stores/caches web pages to serve on request to avoid reloading over the WAN to
reduce latency and delays between servers.
SSL offloading. Offloads SSL decryption/encryption onto SSL acceleration hardware to boost
web server performance.
Secure tunneling. Secures traffic crossing the WAN.
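Of the five methods, byte caching is the easiest to show in working code. The following is an added example, not the study guide's or any vendor's implementation: both ends of a WAN link are simulated in one process, each keeping an identical chunk store, so that a chunk that has crossed the link once is later replaced by its hash. The chunk size, the reference size and the sample file are constructed for the demonstration.

```python
import hashlib

CHUNK_SIZE = 256    # bytes; real appliances use larger, variable-size chunks
REF_SIZE = 32       # a SHA-256 digest sent in place of a chunk the peer already holds


class ByteCachePeer:
    """One end of a WAN link. Both ends keep an identical chunk store, so a chunk that has
    crossed the link once can later be referred to by its hash instead of being resent."""

    def __init__(self):
        self.store = {}  # digest (hex) -> chunk bytes

    def encode(self, data: bytes) -> list:
        """Sender side: emit ('ref', digest) for chunks the peer already holds, else ('raw', chunk)."""
        frames = []
        for i in range(0, len(data), CHUNK_SIZE):
            chunk = data[i:i + CHUNK_SIZE]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest in self.store:
                frames.append(("ref", digest))
            else:
                self.store[digest] = chunk
                frames.append(("raw", chunk))
        return frames

    def decode(self, frames: list) -> bytes:
        """Receiver side: rebuild the stream, learning every raw chunk for next time."""
        out = bytearray()
        for kind, payload in frames:
            if kind == "raw":
                self.store[hashlib.sha256(payload).hexdigest()] = payload
                out += payload
            else:
                out += self.store[payload]   # a KeyError here would mean the two caches diverged
        return bytes(out)


def wire_bytes(frames: list) -> int:
    """Approximate bytes crossing the WAN: one type byte plus either the digest or the chunk."""
    return sum(1 + (REF_SIZE if kind == "ref" else len(payload)) for kind, payload in frames)


def transfer(sender: ByteCachePeer, receiver: ByteCachePeer, data: bytes) -> int:
    """Move data across the simulated link, verify it arrived intact, return bytes on the wire."""
    frames = sender.encode(data)
    if receiver.decode(frames) != data:
        raise RuntimeError("reconstructed stream differs from the original")
    return wire_bytes(frames)


# Constructed 4 KiB "file" with no internal repetition, so savings come only from the cache.
SAMPLE_FILE = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(128))


def demo() -> tuple:
    """Send the file, send it again unchanged, then send it with one chunk modified."""
    branch, hq = ByteCachePeer(), ByteCachePeer()
    first = transfer(branch, hq, SAMPLE_FILE)
    second = transfer(branch, hq, SAMPLE_FILE)
    edited = SAMPLE_FILE[:1024] + b"X" * CHUNK_SIZE + SAMPLE_FILE[1024 + CHUNK_SIZE:]
    third = transfer(branch, hq, edited)
    return first, second, third


if __name__ == "__main__":
    print("bytes on the wire (first, repeat, edited):", demo())
```

The first transfer costs slightly more than the file itself (framing overhead), the unchanged repeat costs only the references, and the edited file costs one raw chunk plus references; this is the effect byte caching has on repeated or lightly changed transfers across a slow link.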
Power over Ethernet (POE). POE allows UTM to provide power to external devices, much like legacy
systems such as Universal Serial Bus (USB). With POE, power can be supplied over Ethernet data cables
along extensive cable lengths, either on the same conductors as data or on a dedicated conductor in the
same cable (Figure 42). USB data + power capabilities are designed for up to 5m (16ft), compared to POE
capability up to 100m (330ft) or even more with new POE-plus developments.

Figure 42. Typical Power over Ethernet (POE) cable configuration.


UTM applications utilizing POE enable connection of Wireless Access Points, 3G/4G Extenders, Voice
over Internet Protocol (VoIP) handsets, and IP cameras to the network security platform while keeping
the devices away from system main power supplies. Depending on how it is applied, some advantages of

POE over other technologies include: lower cost because of combined cabling for power and data, ability
to remotely cycle appliance power, and fast data rates.
3G/4G. 3G/4G extenders integrate with UTM to provide a secure WAN connection for SMB and
distributed enterprise locations, with ability to serve as a secondary failover connection to the wired
WAN link for business continuity or, if desired, as a primary WAN link.

UTM Functions
UTM provides a number of integrated functions beyond the scope of NGFW. Two of these important
functions focus on threats inherent in platform capabilities used daily by users in systems and networks
of all sizes, from personal computers, to smartphones and phablets, to networks and data center
operations and automated business functions. In particular, these common threats, which continue also
to evolve with technology and more widespread integration of technology components into common
devices, include email and surfing the Web.
You may have heard in many different commercials, both online and on other media, the phrase "we
have an app for that!" Fortunately, UTM has apps, or solutions, to help protect your networks from
these continually evolving threats.
Antispam. One of the most widely used buttons on email applications is the one that allows users to
designate messages from a particular sender as spam, thereby delegating them to be routed to a folder
for which the user receives no alert when a message arrives; such messages are often automatically
deleted at a programmed periodicity. UTM has an integrated Anti-Spam function as well, acting as a
filter to block many threats like bots, many of which arrive in user email boxes. The multiple anti-spam
capabilities integrated into UTM may detect threats using a variety of methods, including:
Blocking known spam IP addresses to prevent receipt.
Blocking messages with any URL in the message body associated with known spam addresses.
Comparing message hashes against those for known spam messages. Those that match may
be blocked without knowledge of actual message content.
Comparing the client IP address and sender email address to stored whitelist/blacklist profiles.
Whitelist matches get through; blacklist matches get blocked.
Conducting a DNS lookup on the domain name to see if the domain exists or is blacklisted.
Blocking email based on matching message keywords or key phrases in a banned word/phrase
filter list. [9]
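The six methods in the list above, applied in that order to a constructed set of inbound messages, as an added example written for this guide (not Fortinet code). The reputation lists, the known-spam sample and the DNS answers are all constructed; the DNS lookup in particular is simulated with a table so the example runs offline. Addresses use documentation ranges and .example names.

```python
import hashlib
import re

# Constructed reputation data. A real appliance pulls these from vendor feeds and local policy.
SPAM_SOURCE_IPS = {"203.0.113.45"}
SPAM_URL_DOMAINS = {"cheap-pills.example"}
SENDER_WHITELIST = {"billing@partner.example"}
SENDER_BLACKLIST = {"promo@bulk-mailer.example"}
BANNED_PHRASES = ["act now", "guaranteed winner"]
# Simulated DNS: domain -> "ok" or "blacklisted"; domains absent from the table "do not resolve".
SIMULATED_DNS = {"partner.example": "ok", "bulk-mailer.example": "ok",
                 "corp.example": "ok", "listed-sender.example": "blacklisted"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def message_hash(body: str) -> str:
    """Hash a normalised body so whitespace or case changes still match a known sample."""
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode()).hexdigest()


# One known spam sample registered by hash only; the filter never needs its text again.
KNOWN_SPAM_HASHES = {message_hash("Congratulations!  You have been selected for a free cruise.")}


def classify(msg: dict) -> tuple:
    """Apply the checks in the order the list above gives them. Returns (verdict, reason)."""
    sender = msg["sender"].lower()
    body = msg["body"]
    if msg["client_ip"] in SPAM_SOURCE_IPS:
        return "block", "known spam source IP"
    for domain in URL_RE.findall(body):
        if domain.lower() in SPAM_URL_DOMAINS:
            return "block", f"body links to spam domain {domain.lower()}"
    if message_hash(body) in KNOWN_SPAM_HASHES:
        return "block", "matches hash of known spam message"
    if sender in SENDER_WHITELIST:
        return "allow", "sender whitelisted"          # whitelist matches get through
    if sender in SENDER_BLACKLIST:
        return "block", "sender blacklisted"
    sender_domain = sender.rsplit("@", 1)[-1]
    status = SIMULATED_DNS.get(sender_domain)
    if status is None:
        return "block", f"sender domain {sender_domain} does not resolve"
    if status == "blacklisted":
        return "block", f"sender domain {sender_domain} is blacklisted"
    lowered = body.lower()
    for phrase in BANNED_PHRASES:
        if phrase in lowered:
            return "block", f"banned phrase '{phrase}'"
    return "allow", "passed all checks"


# Constructed inbound messages, one per check plus a clean one.
SAMPLE_MESSAGES = [
    {"id": 1, "client_ip": "203.0.113.45", "sender": "x@corp.example", "body": "Hi"},
    {"id": 2, "client_ip": "198.51.100.7", "sender": "x@corp.example",
     "body": "Buy at http://cheap-pills.example/buy"},
    {"id": 3, "client_ip": "198.51.100.8", "sender": "x@corp.example",
     "body": "congratulations! you have been selected for a free cruise."},
    {"id": 4, "client_ip": "198.51.100.9", "sender": "billing@partner.example",
     "body": "Invoice attached. Act now to avoid late fees."},
    {"id": 5, "client_ip": "198.51.100.10", "sender": "promo@bulk-mailer.example", "body": "Our catalogue"},
    {"id": 6, "client_ip": "198.51.100.11", "sender": "x@nonexistent.example", "body": "Hello"},
    {"id": 7, "client_ip": "198.51.100.12", "sender": "x@corp.example", "body": "You are a GUARANTEED WINNER"},
    {"id": 8, "client_ip": "198.51.100.13", "sender": "x@corp.example", "body": "Meeting moved to 3pm."},
]


def run_filter(messages=SAMPLE_MESSAGES) -> dict:
    """Map message id to verdict for the whole batch."""
    return {m["id"]: classify(m)[0] for m in messages}
```

Message 4 shows why check order matters: it contains a banned phrase, but the whitelisted sender is accepted before the keyword filter runs, which is the behaviour the list above describes.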

Intrusion Prevention Systems (IPS). IPS performs a dual protection function. In the UTM environment,
IPS protects the internal network from attacks that originate from outside the network perimeter as well
as those that originate from within the network itself. IPS is also discussed as a component of NGFW; in
a UTM solutions environment, the IPS component provides a range of security tools to both detect and
block malicious activity, including:
Predefined signatures. A database of malicious attack signatures is included, which is updated
regularly to keep pace with newly identified threats.
Custom signatures. Customizable entries that add to the standard threat signature library to add
protection against new, little known, or unknown attacks.
Out-of-band mode. Alternately referred to as one-arm IPS mode, the component may be
programmed to operate as only an Intrusion Detection System (IDS), detecting but not acting
upon identified threats and attacks. In this configuration, such identified threats/attacks would
be analyzed on a separate switch port.
Packet logging. This feature provides the option to save network packets that match identified
IPS signatures and analyze the log files with analysis tools. [9]
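The four IPS features listed above, in one small signature engine, added here as an illustration (it is not FortiGate code, and the signatures are constructed, not entries from any vendor database). The engine holds predefined and custom signatures, runs either inline ("ips", blocks) or one-arm ("ids", detects only), and saves matching packets to a packet log for offline analysis. Sample traffic includes both an external source and an internal host, the two origins the text says IPS must cover.

```python
import re
from typing import Optional


class Signature:
    """One IPS signature: a content pattern, an optional destination port, and where it came from."""

    def __init__(self, sig_id: str, name: str, pattern: str, dst_port: Optional[int], origin: str):
        self.sig_id = sig_id
        self.name = name
        self.pattern = re.compile(pattern, re.IGNORECASE)
        self.dst_port = dst_port      # None means the pattern applies on any port
        self.origin = origin          # "predefined" (vendor-updated) or "custom" (administrator-added)


# Constructed signature set; patterns are illustrative only.
PREDEFINED = [
    Signature("P-1001", "HTTP SQL injection attempt", r"union\s+select", 80, "predefined"),
    Signature("P-1002", "HTTP cross-site scripting attempt", r"<script", 80, "predefined"),
]
CUSTOM = [
    # Administrator-written: flags a retired internal client that should no longer be on the network.
    Signature("C-0001", "Retired LegacyAgent client", r"user-agent:\s*legacyagent/1\.", None, "custom"),
]


class IntrusionPrevention:
    def __init__(self, signatures, mode="ips", packet_logging=True):
        if mode not in ("ips", "ids"):
            raise ValueError("mode must be 'ips' (inline, blocks) or 'ids' (one-arm, detects only)")
        self.signatures = signatures
        self.mode = mode
        self.packet_logging = packet_logging
        self.events = []       # detection log: one entry per matched packet
        self.packet_log = []   # saved packets for offline analysis (the packet-logging feature above)

    def inspect(self, pkt: dict) -> str:
        """Return 'pass', 'block' (IPS mode) or 'detect' (IDS mode) for one packet."""
        for sig in self.signatures:
            if sig.dst_port is not None and sig.dst_port != pkt["dst_port"]:
                continue
            if sig.pattern.search(pkt["payload"]):
                action = "block" if self.mode == "ips" else "detect"
                self.events.append({"sig_id": sig.sig_id, "name": sig.name, "origin": sig.origin,
                                    "src": pkt["src"], "dst": pkt["dst"], "action": action})
                if self.packet_logging:
                    self.packet_log.append(dict(pkt))
                return action
        return "pass"


# Constructed traffic: external sources (198.51.100.0/24) and an internal host (10.2.2.5).
SAMPLE_PACKETS = [
    {"src": "198.51.100.20", "dst": "10.1.1.10", "dst_port": 80,
     "payload": "GET /items?id=1 UNION SELECT name FROM users HTTP/1.1\r\n"},
    {"src": "198.51.100.21", "dst": "10.1.1.10", "dst_port": 80,
     "payload": "GET /items?id=1 HTTP/1.1\r\nHost: shop.example\r\n"},
    {"src": "10.2.2.5", "dst": "10.1.1.11", "dst_port": 8080,
     "payload": "GET /status HTTP/1.1\r\nUser-Agent: LegacyAgent/1.4\r\n"},
    {"src": "198.51.100.22", "dst": "10.1.1.12", "dst_port": 25,
     "payload": "EHLO mail.example\r\n"},
]


def run(mode: str) -> tuple:
    """Inspect the sample traffic in the given mode; return (actions, engine) for examination."""
    engine = IntrusionPrevention(PREDEFINED + CUSTOM, mode=mode)
    actions = [engine.inspect(p) for p in SAMPLE_PACKETS]
    return actions, engine
```

Running the same traffic through both modes shows the operational difference: the events and the packet log are identical, but only in "ips" mode is the verdict enforced.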

Where UTM Fits In


UTM provides a scalable security solution for networks from SMB to large and distributed enterprise
networks.

Figure 43. UTM scalability.


As network magnitude and function complexity grow, so also must the capabilities of the security
apparatus. One of the considerations for both SMB and smaller, remote offices tied to a corporate
headquarters or central database, is consideration of implementing UTM security as an all-in-one
solution that provides flexible, future-ready security that is user-friendly and threat-complex. Figure 43
illustrates how UTM may be deployed to support satellite branches in a distributed enterprise network,
while NGFW and ATP technology is maintained at the central office where increased staff and capability
exists to monitor and manage security parameters at all network locations.

Home Office / Administrator. Next Generation Firewall (NGFW)
Application Visibility & Control. Identify and control applications on a network regardless of the
port, protocol, or IP address used.
Advanced Threat Protection (ATP). Sophisticated on-device and cloud-based detection and
mitigation techniques block Advanced Persistent Threats (APTs) that target specific people or
functions within an organization, and use extensive evasion techniques to remain stealthy for
long periods before exfiltrating data.
Remotes. Unified Threat Management (UTM)
Content Security & Web filtering. Combines sophisticated filtering capabilities together with a
powerful policy engine and cloud-based model to create a high performance and flexible web
content filtering solution.
Antispam. Real-time protection against spam.
IPS/IDS. Intrusion Detection and Prevention Systems monitor, log, identify and block malicious
network activity.
UTM: Scalable Deployment
Because UTM may be configured to provide network security tailored to specific environments, UTM is
designed for deployment across a broad range of organizational needs. The integrated hardware and
software features of UTM make it ideal for SMB networks, while simultaneous control of wired, VPN,
and wireless infrastructure components provide the means for distributed enterprise and select large
enterprise deployment (Figure 44). Across these various deployment environments, UTM provides
enhanced and cost-effective network security options.
SMB networks. Simple controls and multiple scalable options. Provides option for control and scalable
security for businesses with limited physical space and IT staff, or branch offices where IT policy and
control is managed from a central location (Figure 43).
Distributed enterprise networks. Simultaneous control of wired, VPN, and wireless infrastructure
components, with centralized control with advanced features to effectively run operations up to a global
scale.
Like many other sectors of the technology industry, UTM deployment may be accomplished in various
ways. A common method for vendors, following traditional hardware procurement paradigms, was to
license UTM infrastructure based on the amount of devices included in the deployment package. In
other words, the standard was an "a la carte" menu of options. However, in an effort to provide a better
option for organizations wanting to upgrade to the UTM security model, leading UTM companies
developed a new licensing model that more closely reflects the "bundle" model offered by cable and
DSL companies. Fortinet, recognized by Gartner as a leader in UTM development and implementation
along with CheckPoint, offers a bundle concept that includes the purchased hardware, software
updates, security feature updates for all included security components, and system support [8]. This not

only provides simplified licensing and reduced costs, but also enables better future budget planning for
UTM system customers.

Figure 44. Fortinet's concept of Connected UTM.

Summary
NGFW improved on the basic gatekeeping security of Edge Firewalls by introducing such features as IPS,
Deep Packet Scanning, Network Application Identification and Control, and Access Enforcement.
However, beyond those capabilities, additional security functions meant additional appliances and
software configurations, increasing operational complexity for the network administrator.
Because increased operational complexity often results in bypassing of processes in the interest of time
or administrator overload, development was needed for a new dynamic vision of a flexible, future-ready
security solution to meet the needs of today's network environments and keep pace with, or think ahead
of, advanced threats of the future. This dynamic, integrated network security concept, Unified Threat
Management (UTM), is in place today and ready for tomorrow's evolving challenges.
Overcoming the difficulties of patching together legacy systems with newer, state of the art systems,
UTM brings flexibility, vision, power, and control to networks from SMB to large enterprises that have
international reach. Combining user-simple interfaces with threat-complex protections, as well as cost
effective procurement, operations, and support, UTM provides an optimum system to best ensure
continued network operations in a secure environment.

Module 4: Application Security
Because threats are constantly evolving, network security technologies and methods must evolve also.
One of the most important points about application security is that threats, including such evils as Bots,
Ransomware, Advanced Persistent Threats (APT), Viruses, and Spam, to name some recent prevalent
threats, have a heavy content component and are not just focused on the physical and data layers. In this
context, content refers to packet payload analysis and how payloads are transported, in particular, layers 3
through 7 of the OSI Model (Table 3) [13].
Table 3. Comparative models for layers, protocols, and devices.

Because of the focus of these threats on the application content component and transport rather than
link and physical components, firewalls designed to protect, load balance, and accelerate content
between web servers are necessary. This type of appliance is the Web Application Firewall (WAF),
designed to provide protection for web applications and related database content [8]. In order to
understand better the type of threats that the WAF faces in protecting networks, an examination of the
vulnerable areas targeted by application threats provides the necessary context.

Application Challenges to Meeting User Needs


With increased reliance of businesses on cloud-based applications, focus on the vulnerabilities of web-based
applications is essential to system and network security. These applications reside deep in layer 7
of the OSI Model, which will be discussed further in this module, but remain vulnerable to targeted
attacks. Of these attacks, Denial of Service (DoS), or more importantly, Distributed Denial of Service
(DDoS), attacks designed to inhibit use of such applications have evolved as technology evolved,
becoming much more sophisticated than early hacker methods.
The mobility of modern business, combined with distributed enterprise networking, demands VPNs with
secure access to resources. SSL VPNs establish connectivity at L4 & L5; information is encapsulated at L6
& L7. So, these VPNs, and other remote access paths to network resources, function in the top tiers
of the OSI Model, known as the Application Layers when translated into the broader TCP/IP Model.

Table 4. Translation of ISO/OSI layers to TCP/IP model.

Secure Socket Layer (SSL) traffic poses a challenge because legacy servers and load balancers cannot
manage increased loads caused by increased SSL traffic requiring decryption, scan, and re-encryption in
order to detect potential malicious code attempting to sneak into the network in encrypted data
packets.
Scalability is the concept of enabling a system, network, or application to handle a growing volume of
work in an efficient manner or, if necessary, to be enlarged to accommodate growth. Scalability may be
accomplished through the use of hardware, software, or a combination of both, in order to improve
availability and reliability by:

Managing data flow and workload across multiple servers to increase capacity
Improving application response times by either hardware upgrades or software solutions
Reducing costs by optimizing resources through improved allocation
Allocating data across multiple data centers to facilitate redundancy and recovery

Application Layers: The OSI Model


The Open Systems Interconnection (OSI) model defines computer networks by functional levels. As the
level increases, so also increases the complexity and critical nature of the data contained therein. A
description of the OSI layers and their functions appears in Table 4.
Table 5. Function of network layers in OSI model.

7  Application   Application and end-user processes. Application-specific data.
6  Presentation  Translates between application and network formats (syntax layer).
5  Session       Establishes, manages, terminates connections between applications.
4  Transport     Transfer of data between end systems, error recovery, flow control.
3  Network       Switching and routing; virtual circuits to transmit between nodes.
2  Data Link     Data packets are encoded and decoded, transmission protocols.
1  Physical      The bit stream mechanical and electrical level.

Applications are what allow users to accomplish tasks using computer systems and networks without
having to learn the complex languages of writing their own code. Many common applications include
word processing, spreadsheet, and graphics design programs, email applications, games, and media, and
may apply across platforms from wired desktop systems to smartphones and myriad others. Many of
these applications are now web-based, as discussed in the Module 1 section on Application Services
such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Application Vulnerabilities
Because threats are constantly evolving, network security technologies and methods must evolve also.
An important point about modern and emerging threats is that they have a heavy content component
focused beyond the physical and data link layers (L1 & L2). These content-focused threats include such
current challenges as:
Bots
Viruses
Ransomware
Spam
Advanced Persistent Threats (APT)
and others

In this context, content refers to packet payload analysis and how payloads are transported, particularly
focusing on layers 3, 4, & 7 of the OSI Model.
Widespread use of applications provides commonality between business users and private consumers,
making application threats a problem with the potential for repeated instances if such a threat infects
the systems of multiple private users who interface with organizational networks. This may occur from
innocuous sources such as customers, clients, or those using a BYOD model who fail to accomplish
regular security screenings on their equipment. They may also occur as a dedicated effort to adversely
affect the success of the organization by an outside competitor, malcontent, or hacker.
OWASP
Fortunately, a global project exists that assists application developers and system/network security
administrators in identifying and understanding the prevalent and emerging application security threats.
This project is the Open Web Application Security Project (OWASP) and is also supported by an OWASP
Foundation in the United States.
OWASP is an open community dedicated to enabling organizations to conceive, develop,
acquire, operate, and maintain applications that can be trusted. All of the OWASP tools,
documents, forums, and chapters are free and open to anyone interested in improving
application security ... Our freedom from commercial pressures allows us to provide
unbiased, practical, cost-effective information about application security. OWASP is not
affiliated with any technology company, although we support the informed use of
commercial security technology. [14]
One of the primary studies accomplished by OWASP is cataloging and ranking of the most prevalent
threats in web applications. A comparative analysis between the 2010 and 2013 findings appears in
Table 6 [27].

Table 6. OWASP top 10 2010 vs. 2013 comparison.

Over the prior four years, OWASP found consistency among the top four application threats to system
and network security:
SQL Injection
Broken Authentication & Session Mgmt
Cross-site Scripting (XSS)
Insecure Direct Object References


Of note, the OWASP analysis also provides information on which threats have increased and declined,
indicating trends that may assist security administrators in determining the most effective system and
network configurations.
SQL Injection. Insertion or injection of an SQL query via input data from the client to the application.
This type of attack may allow attackers to spoof identities, tamper with or delete data, change or void
transactions of various types, enable complete disclosure of the system's database (or destroy it or
make it unavailable), or even become a new database server administrator. It is common with PHP and ASP
applications and less likely with J2EE and ASP.NET applications. Severity depends on the attacker's creativity
and computer skills, but has the potential to be devastating. SQL Injection is a high impact threat.
Cross-site Scripting (XSS). Also referred to as XSS Injection: malicious scripts are injected into otherwise
benign and trusted web sites, generally in the form of browser-side scripts to be transmitted to end
users. Because the end user's browser regards the site as trusted, it will execute the script, allowing
access to any cookies, session tokens, or other information retained by the browser and used with the
site. Some of these scripts are even capable of rewriting content on HTML pages.
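The two injection flaws just described share one root cause, untrusted input placed into a structured language (SQL or HTML) as if it were code, and one defence, keeping data and code separate. The following added example (written for this guide; not code from the study guide, OWASP or Fortinet) puts a vulnerable lookup beside its parameterised form, and a vulnerable HTML template beside its output-encoded form, over a constructed in-memory SQLite table and constructed inputs.

```python
import html
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; one display name deliberately contains markup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Bob <b>Builder</b>")])
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    """The client's input is pasted into the SQL text, so it can change the query's logic."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username: str) -> list:
    """Parameter binding sends the value separately from the statement: whatever the input
    contains, it is only ever compared as a string and never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


def greeting_vulnerable(display_name: str) -> str:
    """Untrusted data written straight into HTML; any markup in it is interpreted by the browser."""
    return f"<p>Welcome, {display_name}</p>"


def greeting_safe(display_name: str) -> str:
    """Output encoding: the same data, but <, >, &, and quotes become entities rendered as text."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


# Constructed inputs: a tampered username and a display name carrying a script tag.
TAMPERED_USERNAME = "' OR '1'='1"
TAMPERED_DISPLAY_NAME = "<script>alert('xss')</script>"


def demo() -> dict:
    """Run both inputs through the vulnerable and the hardened code paths."""
    conn = build_demo_db()
    return {
        "vulnerable_rows": find_user_vulnerable(conn, TAMPERED_USERNAME),
        "safe_rows": find_user_safe(conn, TAMPERED_USERNAME),
        "vulnerable_html": greeting_vulnerable(TAMPERED_DISPLAY_NAME),
        "safe_html": greeting_safe(TAMPERED_DISPLAY_NAME),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the tampered username the concatenated query returns every row, the bound query returns none (no user has that literal name), and the escaped greeting shows the script tag as text instead of handing it to the browser. The same separation is what a WAF enforces from the outside when the application itself cannot be changed.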

Broken Authentication & Session Management. This area includes all aspects of user authentication
and active session management handling. Even robust authentication protocols may be undermined by
flawed credential management functions, such as password changing, "forgot my password" and
"remember my password" options, account update options, and other functions. The complexity for this
issue comes with the fact that many developers prefer to create their own session tokens, which may
not be properly protected, depending on the skill of the creator; steps may not be in place to protect
them throughout the application's life cycle; and if they are not protected with SSL and against other flaws
(such as XSS), an attacker may hijack the user's session and assume their identity.
Insecure Direct Object References. When an application provides direct access to objects because of
user-based inputs, attackers may bypass authorization and access resources in the system directly.
These resources may include valuable data such as databases and organizational files. Insecure Direct
Object References allow attackers to bypass authorization and gain access to resources by modifying
parameter values used to point directly to objects. These resources may be any type of information
stored on the system. This method simply takes the user-supplied input and uses it to retrieve data as
though the attacker were the authorized user.
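The remaining two of the top four, session management and direct object references, come down to the server answering two questions on every request: who is this caller, and does the requested object belong to them. The following added example (not code from the study guide or Fortinet) shows a session store with random tokens and an idle timeout, and a document lookup in its insecure direct form beside a form that checks ownership. The document store, user names and clock values are constructed for a repeatable run.

```python
import secrets
import time

# Constructed document store: object id -> (owner, content). The ids are predictable on purpose,
# which is exactly why the lookup below must check ownership rather than trust the id.
DOCUMENTS = {
    1001: ("alice", "Alice's payslip"),
    1002: ("bob", "Bob's payslip"),
}


class SessionStore:
    """Server-side sessions keyed by an unguessable token, with an idle timeout."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, expires_at)

    def create(self, user: str, now: float = None) -> str:
        now = time.time() if now is None else now
        # 32 random bytes from the OS CSPRNG; nothing about the user or the clock is encoded in it.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now + self.ttl)
        return token

    def user_for(self, token: str, now: float = None):
        """Return the user bound to a valid token, or None if the token is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]
            return None
        return user

    def destroy(self, token: str) -> None:
        """Logout: forget the token so it cannot be replayed."""
        self._sessions.pop(token, None)


def fetch_document_direct(doc_id: int):
    """Insecure direct object reference: whoever supplies the id gets the object."""
    return DOCUMENTS.get(doc_id, (None, None))[1]


def fetch_document_checked(sessions: SessionStore, token: str, doc_id: int, now: float = None):
    """Resolve the caller from the session, then require that the object belongs to that caller."""
    user = sessions.user_for(token, now)
    if user is None:
        return None                      # no valid session: the lookup is not even attempted
    owner, content = DOCUMENTS.get(doc_id, (None, None))
    if owner != user:
        return None                      # tampered or foreign id: denied, same answer as "not found"
    return content


def demo() -> dict:
    """Alice logs in and requests her own document, someone else's, and hers after the timeout."""
    sessions = SessionStore(ttl_seconds=900)
    t0 = 1_700_000_000.0                 # constructed clock value for a repeatable run
    alice = sessions.create("alice", now=t0)
    return {
        "direct_other_users_doc": fetch_document_direct(1002),
        "checked_own_doc": fetch_document_checked(sessions, alice, 1001, now=t0 + 10),
        "checked_other_users_doc": fetch_document_checked(sessions, alice, 1002, now=t0 + 10),
        "checked_after_expiry": fetch_document_checked(sessions, alice, 1001, now=t0 + 901),
        "token_length_ok": len(alice) >= 43,
    }
```

The direct lookup hands out another user's payslip to anyone who changes the id; the checked lookup returns the same "nothing" for a foreign object as for an expired session, so the response does not reveal which objects exist.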
Individual, targeted attacks are often manageable and, in many cases, traceable. These attacks aim
increasingly at denying use of a network to outside users, known as Denial of Service (DoS). However,
with continued evolution of networking for both productive purposes as well as malicious intentions,
the prospect of coordinated network attacks from multiple sources presents an even more critical
challenge for continued secure and uninterrupted network operations. These simultaneous coordinated
attacks target a network from a number of outside systems, referred to as a Distributed Denial of Service
(DDoS), which will be addressed in the following section.

Distributed Denial of Service (DDoS)


A malicious act designed to deny access to a system, network, application, or information to a legitimate
user is called Denial-of-Service (DoS). In a Distributed Denial-of-Service (DDoS) attack, the malicious act
originates from a large number of systems. DDoS attacks are most often launched from a single system, using a
large remote network to actually conduct the attack [15]. A basic DDoS method is called the Smurf
Attack, where the hacker sends a ping packet to a large network while spoofing the target system's
source address to overload the target system. A more sophisticated DDoS method is the Low-Orbit Ion
Cannon (LOIC), which lets participants volunteer their own systems temporarily as slaves in a
DDoS attack. More detailed discussion of DDoS attacks appears following the notional DDoS architecture
illustration in Figure 45.
Referring back to the classifications illustrated in Table 3 (page 50), attacks focusing on content
components of systems and networks focus on ISO/OSI Model layers 3, 4, and 7 application services.
Although layers 3, 4, and 7 are at risk from DDoS attacks, the attacks against layer 7 are often detected
through actions affecting the associated port in layer 4 as a method by which to sneak undetected into
layer 7 to accomplish its malicious task. As an analogy, one may think of it as the attack on layer 7 riding

like a signal on the carrier wave into layer 4. As a result, most recommended parameter adjustments
focus on layers 3 and 4, while events to watch include a broader range of indicators.

Figure 45. DDoS architecture.


DDoS attacks have a wide range of methods, from simple to complex, from a single hacker using a single
system to a network of hackers coordinating multiple systems. Common types of DDoS attacks include
the SYN flood, ICMP flood, and Zombie attack. In each case, the DDoS relies on overloading network
capability to process seemingly valid traffic, resulting in denial of service. These attacks are referred to
as volumetric attacks because of their focus on overloading the network in order to deny service.

SYN Flood. This attack consists of an excessive number of packets directed to a specific TCP port. In
most cases, the source address is spoofed (Figure 46).
Figure 46. SYN Flood DDoS attack.

ICMP Flood. This attack results from an excessive number of ICMP packets targeting the network
(Figure 47).

Figure 47. ICMP Flood DDoS attack.

Zombie Attack. This attack results when too many legitimate IP sources send valid TCP packets to the
network (Figure 48).

Figure 48. Zombie DDoS attack.


The common thread in each of these DDoS attacks is the flooding of the network with seemingly valid
inputs in a way that slows, stalls, or shuts down the network's ability to operate. For each of these
attacks, threshold monitoring and adjustments at layer 3 and 4 protocols, ports, and SYN may allow
network administrators to detect and counter DDoS efforts against layers 3, 4, and 7 and keep the
network from extended down times.
Even with the global trend toward increasing IPv6 traffic, DDoS attacks above the 50 Mbps benchmark
are rare. South Korea's average network speed leads the world with 24.6 Mbps, with Hong Kong a
distant second at 15.7 Mbps. The US ranks 14th at 11.4 Mbps. As the shift from IPv4 to IPv6 traffic moves
forward, the incidences of DDoS attacks appear to be inversely proportional to IPv6 network growth
[16]. This may be an indicator that average network speeds available through IPv6 are making the cost
and coordination of DDoS more difficult, or prohibitively costly, in some cases.
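Threshold monitoring of the kind described above, applied to the three flood types, as an added example written for this guide (it is not FortiGate logic, and the thresholds, window and traffic capture are constructed). The monitor keeps a sliding one-second window per counter: SYNs per destination port for the SYN flood, ICMP packets for the ICMP flood, and total TCP packets for the "zombie" case, where every packet looks valid and only the aggregate volume gives it away. Each alert fires once when a window first reaches its limit.

```python
import random
from collections import defaultdict, deque

# Constructed thresholds in packets per one-second window; a real deployment tunes these per link.
THRESHOLDS = {"syn_per_port": 100, "icmp": 200, "tcp_total": 1000}
WINDOW_SECONDS = 1.0


class FloodMonitor:
    """Sliding-window packet counters for the three flood types described above."""

    def __init__(self, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
        self.thresholds = thresholds
        self.window = window
        self._windows = defaultdict(deque)   # counter key -> timestamps inside the window
        self.alerts = []                      # (kind, detail, timestamp)

    def _count(self, key, ts: float) -> int:
        """Add a timestamp to the counter and drop anything older than the window."""
        q = self._windows[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)

    def _check(self, kind: str, detail, count: int, limit: int, ts: float) -> None:
        # Fire exactly once when the window count reaches the limit, not on every further packet.
        if count == limit:
            self.alerts.append((kind, detail, ts))

    def observe(self, pkt: dict) -> None:
        ts = pkt["ts"]
        if pkt["proto"] == "icmp":
            n = self._count("icmp", ts)
            self._check("ICMP flood", None, n, self.thresholds["icmp"], ts)
        elif pkt["proto"] == "tcp":
            if pkt.get("flags") == "S":
                n = self._count(("syn", pkt["dst_port"]), ts)
                self._check("SYN flood", pkt["dst_port"], n, self.thresholds["syn_per_port"], ts)
            n = self._count("tcp_total", ts)
            self._check("TCP volume", None, n, self.thresholds["tcp_total"], ts)


def sample_traffic() -> list:
    """Constructed capture: a SYN flood with spoofed sources, a modest ICMP burst, and a
    'zombie' phase of valid-looking TCP traffic from 300 distinct sources."""
    rng = random.Random(7)                   # fixed seed so the run is repeatable
    pkts = []
    for i in range(150):                     # 150 SYNs to port 443 inside half a second
        pkts.append({"ts": 0.0 + i * 0.003, "proto": "tcp", "flags": "S", "dst_port": 443,
                     "src": f"203.0.113.{rng.randint(1, 254)}"})
    for i in range(50):                      # 50 echo requests: below the ICMP threshold
        pkts.append({"ts": 1.0 + i * 0.01, "proto": "icmp", "src": "198.51.100.9"})
    for i in range(1200):                    # 1200 ACK packets from 300 sources in 0.8 s
        pkts.append({"ts": 5.0 + i * (0.8 / 1200), "proto": "tcp", "flags": "A", "dst_port": 443,
                     "src": f"198.18.{(i % 300) // 256}.{(i % 300) % 256}"})
    return pkts


def run_monitor(packets=None) -> list:
    """Feed packets in timestamp order and return the alerts raised."""
    monitor = FloodMonitor()
    stream = packets if packets is not None else sample_traffic()
    for pkt in sorted(stream, key=lambda p: p["ts"]):
        monitor.observe(pkt)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

The SYN flood is reported against its port at the hundredth SYN, the ICMP burst stays under its threshold and is not reported, and the zombie phase is reported on aggregate volume even though every individual packet and source looks legitimate, which is the layer 3/4 indicator the text recommends watching.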

Application Security Solutions
The Next Generation Firewall (NGFW) [Module 2] and Unified Threat Management (UTM) [Module 3]
brought enhanced capabilities to network security.
An important tool in protecting the network is Intrusion Prevention System (IPS), which looks beyond
port and protocol to examine the signatureor actual contentof network traffic to identify and stop
threats. FortiGate NGFW and UTM appliances, using enhanced capabilities such as Advanced Threat
Protection (ATP), protect the L3 & L4 regions of the network against DDoS attacks by combining
hardware and programmable software solutions to target modern and emerging threats. In addition to
protection against L3 & L4 threats, the enhanced NGFW and UTM capabilities also include L4 routing
and load balancing to increase efficiency and availability of application traffic in the network.
Beyond NGFW and UTM as stand-alone capabilities, using these appliances in concert with other
network security capabilities presents additional end-to-end protection that is both scalable and
future-ready. The capabilities discussed in the following sections add critical security solutions to protect
against DDoS attacks and protect L3, L4, and L7 functions.
Application Delivery Controllers (ADC)
Application Delivery Controllers (ADC) are network devices that manage client interfaces to complex
Web and enterprise applicationsbeyond the scope of SMB and home office applications. An ADC
functions primarily as a server load balancer, resulting in optimized end-user system performance and
reliability by increased Gbps of L4 throughput, accessibility to data center resources, and enterprise
application security. ADC controllers are deployed in data centers, strategically placed behind the
firewall and in front of application server(s), acting as the point of control for application security and
providing authentication, authorization, and accounting (AAA) [17].

Figure 49. Application Delivery Controller (ADC).


The ADC is part of a larger process that makes applications available, responsive, and secure for users.
This end-to-end model is called the Application Delivery Network (ADN), consisting of an application
delivery controller, firewall, and link load balancer. Figure 50 illustrates a typical ADN infrastructure.



Application Delivery Network (ADN)
The ADN is divided into three elements: a server side, security, and an outer perimeter. Each of these
elements performs functions that enable user access to applications (Figure 50):

Figure 50. Typical Application Delivery Network (ADN) infrastructure.


Server Side. When applications outgrow a single server, an ADC manages multiple servers to enable
applications beyond a single server, essentially creating a single virtual server. Once the ADC selects the
best server for the application, the ADC uses Connection Persistence to maintain a connection back to
the original server where the transaction began. The ADC routes traffic to the best available server
based on configurable rules, as well as providing options to offload encrypted traffic and conduct HTTP
compression for bandwidth reduction. SSL offloading does not protect against DDoS attacks; however,
the ADC may reduce the need for additional servers by as much as 25%.
Security Core. This element is where the tools and services to defend applications from threats reside.
Capabilities include a strong firewall, VPN, AV/antimalware scanning, and other security features, which
may include NGFW with IPS and deep packet scanning, application control, and user access policies to
enhance protection.
Outer Perimeter. Basic Link Load Balancing (LLB) manages bandwidth and redundancy using multiple
WAN links. If application use includes multiple data center access for operations such as disaster
recovery, Global Server Load Balancing (GSLB) uses a DNS-based resolution platform to route traffic
between multiple data centers, allowing either automatic or programmable data center routing based
on infrastructure performance needs.



ADC: Solutions and Benefits Part I
An advanced, modern ADC provides enhanced capabilities that provide both security and efficiency to
networks. The capabilities brought by ADCs to the Server Side of the ADN include:
Server Load Balancing. The ADC allows the use of software-based intelligent load balancing to enhance
performance over hardware-based simple load balancing. This not only provides a path to open server
capability, but also matches the best server to the incoming traffic based on programmed policies and
application-layer knowledge that supports business requirements (Figure 51).
Benefits. Because the ADC conducts continuous health checks of network servers, only routes
traffic to online devices, and routes to the best-performing devices using intelligent load
balancing capability, Server Load Balancing provides a 25% increase in capacity and reduces
server hardware requirements by 25% over traditional DNS round-robin configurations.

Figure 51. Intelligent Load Balancing.


L7 Content Routing. By designating different servers for different types of data functions, the ADC may
be configured to route traffic to the server(s) best configured to process applications based on their
specific needs (Figure 51).
Benefits. By using L7 content routing, the ADC can optimize data center resources while
protecting the network and applications from security threats.
Connection Persistence. This capability is critical to transaction-based applications. For example, if you
begin a transaction, add an item to your virtual shopping cart, and are then load balanced to a different
server for checkout without a persistent connection back to the original server, your cart will be empty
at checkout. The ADC uses session state with HTTP headers and cookies to ensure that users and servers
remain persistent throughout the transaction.
Benefits. By maintaining a persistent connection to the original server that started the
transaction, the transaction may be completed without loss of data or loss of connection.
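The three Server Side capabilities above (health-aware load balancing, L7 content routing and cookie-based Connection Persistence) as one added example; this is illustrative code, not Fortinet's implementation, and the server names, pool names, cookie name, signing key and routing rules are constructed for it.

```python
"""Cookie-based Connection Persistence with health-aware server selection.

Added illustration of the ADC behaviours described above (Server Load
Balancing, L7 Content Routing and Connection Persistence). Example code,
not Fortinet's implementation: server names, pool names, the cookie name,
the signing key and the routing rules are constructed for this example.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
import hashlib
import hmac

PERSIST_COOKIE = "ADC_SRV"         # constructed cookie name
SIGNING_KEY = b"example-only-key"  # constructed; stops clients forging a server pin


@dataclass
class Server:
    name: str
    pool: str
    healthy: bool = True   # updated by the ADC's periodic health checks
    active: int = 0        # connections assigned, for least-connections balancing


@dataclass
class Adc:
    servers: list
    # L7 content routing: URL prefix -> server pool (constructed rules)
    routes: dict = field(default_factory=lambda: {"/images/": "static", "/": "app"})

    def pool_for(self, path):
        # Longest matching prefix wins: /images/x -> static, /cart -> app
        for prefix in sorted(self.routes, key=len, reverse=True):
            if path.startswith(prefix):
                return self.routes[prefix]
        return "app"

    def healthy_in(self, pool):
        return [s for s in self.servers if s.pool == pool and s.healthy]

    def _sign(self, name):
        mac = hmac.new(SIGNING_KEY, name.encode(), hashlib.sha256).hexdigest()[:16]
        return f"{name}.{mac}"

    def _verify(self, value):
        """Return the pinned server name if the cookie value is authentic, else None."""
        name, _, _mac = value.rpartition(".")
        if name and hmac.compare_digest(self._sign(name), value):
            return name
        return None

    def select(self, path, cookie_header=None):
        """Pick a server for a request; returns (server name, Set-Cookie value or None)."""
        pool = self.pool_for(path)
        candidates = self.healthy_in(pool)
        if not candidates:
            raise RuntimeError(f"no healthy server in pool {pool!r}")
        # Persistence: honour a valid pin only while that server is still healthy
        if cookie_header:
            jar = SimpleCookie()
            jar.load(cookie_header)
            if PERSIST_COOKIE in jar:
                pinned = self._verify(jar[PERSIST_COOKIE].value)
                for s in candidates:
                    if s.name == pinned:
                        return s.name, None
        # No usable pin: least-connections choice among healthy servers, then pin it
        best = min(candidates, key=lambda s: s.active)
        best.active += 1
        return best.name, f"{PERSIST_COOKIE}={self._sign(best.name)}; Path=/; HttpOnly; Secure"


def cart_scenario():
    """The shopping-cart walk-through from the text: add to cart, then check out."""
    adc = Adc([Server("app1", "app"), Server("app2", "app"), Server("static1", "static")])
    first, set_cookie = adc.select("/cart/add")            # no cookie yet: ADC picks and pins
    cookie = set_cookie.split(";", 1)[0]                   # what the browser sends back
    checkout, _ = adc.select("/checkout", cookie)          # same server, cart survives
    next(s for s in adc.servers if s.name == first).healthy = False   # health check fails
    failover, new_cookie = adc.select("/checkout", cookie)  # pin ignored, re-balanced, re-pinned
    return first, checkout, failover, new_cookie is not None
```

A forged or stale pin (wrong HMAC, or a server that failed its health check) is simply ignored, so persistence never forces traffic onto an unavailable server.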



SSL Offloading/Acceleration. SSL traffic may result in overloading servers, reducing capacity to a range
in the 100s TPS. By offloading and accelerating SSL encryption, decryption, and certificate management
from servers, the ADC enables web and application servers to focus CPU and memory resources to
deliver application content, responding more quickly to user requests. This offloading boosts capacity up
to 10s of 1,000s TPS, pushes HTTPS to servers, and HTTPS to users (Figure 52).
Benefits. SSL offloading and acceleration provides a 100X increase in traffic flow, reducing the
need for additional servers in order to accommodate data volume.

Figure 52. SSL offloading and HTTP compression.


HTTP Compression. As the number of network users grows, application programming becomes more
complex, and data sets become larger, bandwidth limitations become a growing concern. One way that
an ADC acts to reduce bandwidth constraints is through HTTP compression, which removes non-essential
data from the traffic traversing network links between servers and user web browsers (Figure 52).
Benefits. By reducing bandwidth demands, HTTP compression creates increased throughput
capability, increasing data flow efficiency to the user.
In addition to the ADC, the ADN includes a firewall component that provides security for traffic flowing
between the server side and outer perimeter. To accomplish this function in a content-focused,
application-level environment, the ADN uses a Web Application Firewall (WAF).

Web Application Firewall (WAF) Characteristics


Essential for businesses that host web-based applications, Web Application Firewalls (WAFs) deployed in
the data center provide protection, load balancing, and content acceleration to and from web servers.
The primary use of WAFs is to protect web-based applications from attacks that attempt to exploit
vulnerabilities (Figure 53). They protect web applications and associated database content by WAF Vulnerability
Scanning, mitigating prevalent threats such as cross-site scripting (XSS), buffer overflows, denial of
service (DoS), SQL injection, and cookie poisoning, as well as focusing on the OWASP Top 10 web
application vulnerabilities [8].

Figure 53. Web Application Firewall (WAF).


The question may be asked why the NGFW or IPS cannot mitigate these threats. As discussed in Modules
2 and 3, IPS signatures only detect known problems, may produce false positives, do not protect against
threats embedded in SSL traffic, and have no application or user awareness. Basic firewalls look for
network-based attacks, not application-based attacks. For these reasons, the Web Application
Firewall (WAF) adds critical protections to the network security arsenal (Table 7).
Table 7. Web Application Firewall (WAF) application-level security measures.

Heuristics
One of the key features that enables WAFs to counter DDoS threats is heuristic, or behavior-based,
analysis. Behavior-based DDoS protection measures, however, require different mitigating parameters
than content-based protections. Some of these protection measures include configuring systems to
identify potential threats based on source volume (intent vs. content), ping rates (hardcoded vs.
custom), packet dimensions (coarse vs. granular), and trend-matching (fixed vs. adaptive). When using
these behavior-based DDoS protection measures, which focus on traffic characteristics rather than
content, policies do not require threat signature updates like content-based measures do.
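An added example of the source-volume and trend-matching heuristics just described, contrasting a hardcoded limit with an adaptive one derived from all sources' behaviour; it is not FortiWeb code, the access log lines are constructed, and the window size and thresholds are assumptions.

```python
"""Behaviour-based (heuristic) DDoS analysis over web access log lines.

Added example of the source-volume and trend-matching heuristics discussed
above, not FortiWeb code. Log lines below are constructed (documentation
address ranges) and the window and thresholds are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import statistics

WINDOW_SECONDS = 10   # sliding window per source (assumption)
FIXED_LIMIT = 20      # "hardcoded" limit: requests per window from one source
ADAPTIVE_K = 2.0      # "adaptive" limit: mean + K * stdev of all sources' peaks


def _build_log():
    """Constructed access log: '<ISO time> <client IP> <request>'."""
    base = datetime(2015, 1, 1, 12, 0, 0)
    lines = []
    # Nine ordinary clients: five requests each, 15 s apart
    for n in range(1, 10):
        for t in (0, 15, 30, 45, 59):
            lines.append(f"{(base + timedelta(seconds=t)).isoformat()} 192.0.2.{n} GET /login")
    # One flooding source: 60 requests in six seconds
    for i in range(60):
        ts = base + timedelta(seconds=20 + i * 0.1)
        lines.append(f"{ts.isoformat()} 203.0.113.9 GET /login")
    return lines


LOG_LINES = _build_log()


def parse(line):
    ts, ip, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip


def window_peaks(lines, window=WINDOW_SECONDS):
    """Highest request count any single source reached inside one sliding window."""
    recent = defaultdict(deque)
    peaks = defaultdict(int)
    for ts, ip in sorted(parse(l) for l in lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:   # drop requests outside the window
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return dict(peaks)


def flag_sources(lines):
    """Sources exceeding the fixed limit, the adaptive (trend-based) limit, or both.

    The adaptive limit needs no signature update: it is recomputed from the
    traffic itself, so it tracks the normal level of the site being protected.
    """
    peaks = window_peaks(lines)
    rates = list(peaks.values())
    mean = statistics.fmean(rates)
    stdev = statistics.pstdev(rates) if len(rates) > 1 else 0.0
    adaptive_limit = mean + ADAPTIVE_K * stdev
    flagged = {}
    for ip, peak in peaks.items():
        reasons = []
        if peak > FIXED_LIMIT:
            reasons.append("fixed")
        if stdev > 0 and peak > adaptive_limit:
            reasons.append("adaptive")
        if reasons:
            flagged[ip] = (peak, reasons)
    return flagged
```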



WAFs and PCI DSS Compliance
In the increasingly technology-driven and mobile lifestyle of the 21st Century, the ability to provide
secure data transactions is not limited to considerations of data and program corruption, throughput
limitations, or network operational parameters in the strict sense of providing digital pathways and
storage. Additional considerations regarding Personally Identifiable Information (PII), credit security, and
other personal account and data safety are regulated from outside the technology sector. The Payment Card
Industry Data Security Standard (PCI DSS) sets requirements for security practices that apply to any
vendors or organizations that process, store, or transmit cardholder data. Regulated also by government
agencies and addressable by fines of up to $10,000 per breach, the PCI DSS program is a necessary
consideration for most of the technology industry.
PCI Data Security Standard consists of 12 requirements covering 6 common sense goals that reflect
security best practices. Table 8 depicts the current standards for PCI data security compliance [18]. Of
the 6 goals listed, goal number 3 most closely influences the ability of the network to maintain secure
operations and effective monitoring against DDoS and other malicious threats to network security. Of
course, all appliances, software, policy and processes within control of the network administrator should
be regularly monitored and updated against modern, advanced, and emerging complex threats.
Table 8: Payment Card Industry Data Security Standards (PCI DSS).



ADC: Solutions and Benefits Part II
While the modern ADC provides enhanced capabilities to the Server Side of the ADN, an ADC also
provides capabilities to the Outer Perimeter function of the ADN, which include:
Disaster Recovery. This capability of the ADC provides redundancy while scaling applications across
multiple data centers. This DNS-based function uses Global Server Load Balancing (GSLB) smart routing
between data centers using configurable business rules, with automatic response that switches between
data centers for disaster recovery contingency when a data center or connectivity link becomes
unavailable (Figure 54).
Benefits. The disaster recovery and GSLB features provide important network security
capabilities. The automatic switching feature provides the ability to survive data center or
transmission link outages while ensuring data is automatically recovered. Because of intelligent
switching, users are rerouted to the next best data center for their needs, making the process
seamless to the end user.

Figure 54. Global Server Load Balancing (GSLB).


Mask Server IPs. A challenge to keeping individual servers secure from threats is to segregate them
from access by unauthorized users. One method to accomplish this is to mask the individual server ID by
rewriting content, such as headers and other identifying information, to a single IP address when data
is transmitted outside the internal network (Figure 55).
Benefits. By masking individual server IDs behind the ID of the ADC routing data to individual
servers, all data flows through the ADC, reducing chances for external threats to gain access to
individual servers without passing through network security inspections.


Figure 55. Server ID masking with ADC.


Quality of Service (QoS). One of the challenges to the seemingly constant increase in data traffic as
society becomes more mobile and more web- and application-enabled is identifying and prioritizing
important traffic over routine or less important traffic. QoS is managed by configuring rules and policies
for traffic policing, traffic shaping, and queuing that ensure the most important traffic for the
organization is prioritized above other data.
Benefits. QoS results in higher quality data flow for the most critical traffic based on
organization priorities, whether it be VoIP for sales and customer support, eCommerce
transactions, or corporate file transfers. By setting the appropriate rules and policies in the ADC,
organization and user quality of service (and efficiency and satisfaction) may be enhanced.
Link Load Balancing (LLB). LLB addresses the issues of bandwidth and redundancy by using multiple
WAN links. A link load balancer connects many WAN links to the network and routes inbound and
outbound traffic based on criteria like availability, performance, or business rules to use lowest-cost
links. If a link should fail, traffic is routed to others to ensure your application remains available to users.
Benefits. LLB provides redundancy to maintain application availability by rerouting traffic to
users via another available link. By selectively routing traffic over the most available and
appropriate links based on programmed rules and policies, LLB optimizes bandwidth use,
reducing bandwidth needs. These two features both serve to influence improved application
response times to users.



Summary
Because applications are a primary method by which users of all types create, access, transmit, and
store data, application security is a critical concern for modern and future technology, from personal to
corporate use, handheld to mainframes, and small to multinational global scopes. Application threats
evolve along with applications and technology. Complex threats, such as Distributed Denial of Service
(DDoS) attacks, require new and robust protections and countermeasures. Developments like IPv6,
Web Application Firewalls (WAF), and use of Application Delivery Controllers (ADC) in integrated
Application Delivery Networks (ADN) provide layered defenses to protect the integrity and operability of
application functions in OSI levels 3-7. Building on these protections and those discussed in previous
modules, the final module will focus on management of security apparatus and the importance of
analytics in network management.



Module 5: Management and Analytics
Modules 1-4 provide insight into how hardware and software development work to protect systems and
networks from modern and emerging threats. This continued technology evolution allows users to
conduct business, participate in commerce, maintain communications across the globe, and manage
personal affairs with minimal interruption or threat of critical information vulnerability and loss. This
module provides discussion on how effective management through the use of analytic tools allows
system and network administrators to optimize the secure environment users have come to expect
and upon which businesses and global commerce rely.

Security Management
Simply stated, security management exists at the region where the scope of IT security and IT
operations meet.
As organizational structures grow in size and complexity, the tendency is for more network resources
(machines, servers, routers, etc.) to be deployed. As the network grows, so also does the scope of
potential threats to secure and efficient operation of the network to meet organizational goals. With the
global nature of modern business and e-commerce, the sheer number of branch and remote locations, and
managed devices, makes consolidated network security management essential for effective IT
administration.
To this end, the primary goal of security management is to reduce security risks by ensuring that
systems are properly configured, or hardened, to meet internal, regulatory, and/or compliance
standards. Security management is a software-based solution that integrates three primary elements:
Vulnerability Assessment. Network security analysis designed to identify critical IT security weaknesses
that a cyber-attacker could exploit.
Automated Remediation. Allows automated correction of faults or deficiencies (vulnerabilities)
identified in the assessment process. Provides reports and tools to track vulnerabilities that must be
remediated manually.
Configuration Management. Evaluates the security of a network's critical servers, operating systems,
application-level security issues, and administrative and technical controls, and identifies potential and
actual weaknesses, with recommended countermeasures.
IT managers are faced with challenges that range from simple malicious code to threats hidden in
secured packets designed to target cloud-based applications. Modern and emerging future threats present
dynamic and potentially complex challenges to network security, demanding comprehensive, complex
security solutions. Unfortunately, studies have shown that the more complex administrative functions
become, the less likely network administrators are to devote the requisite attention to the various
apparatus and displays. For this reason, security management was consolidated into a single console
enabling monitoring and management of network security. Through this integrated
monitoring and control solution, IT managers may address the following issues:



Device Configuration. Manages the configuration of each device on the network and maintains the
system-level configuration required to manage the network environment. This includes monitoring
device firmware to ensure it is kept up to date.
Firewall Policy. Provides viewing and modification of firewall configurations (access rules and
inspection rules) in the context of the interfaces whose traffic is filtered.
Content Security Policy. Computer security concept to prevent cross-site scripting (XSS) and related
application-level attacks. It provides a standard HTTP header allowing website administrators to
determine approved sources of content that browsers may load on designated pages. Covered types
include JavaScript, CSS, HTML frames, fonts, images, and embeddable objects like Java applets, ActiveX,
audio, and video files.
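An added example of how the CSP header described above is evaluated: a small checker that models the core source-matching rules (a fetch directive with fallback to default-src, 'self', 'none', scheme sources, host sources and wildcards). It is not a browser's full implementation, and the policy, page and resource URLs are constructed for it.

```python
"""Evaluating a Content Security Policy header for a resource load.

Added example of how the CSP header described above lets a site declare
approved content sources; it models the core source-matching rules and is
not a browser's full implementation. The policy and URLs are constructed.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """'script-src a b; img-src *' -> {'script-src': ['a', 'b'], 'img-src': ['*']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin(url):
    u = urlparse(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(source, resource_url, page_url):
    r_scheme, r_host, r_port = _origin(resource_url)
    if source == "'none'":
        return False
    if source == "'self'":               # same scheme, host and port as the page
        return _origin(page_url) == (r_scheme, r_host, r_port)
    if source.startswith("'"):           # 'unsafe-inline', nonces, hashes: not URL sources
        return False
    if source == "*":
        return True
    if source.endswith(":"):             # scheme source such as "https:"
        return r_scheme == source[:-1].lower()
    # Host source, with or without scheme/port; a bare host inherits the page's scheme
    page_scheme = _origin(page_url)[0]
    s_scheme, s_host, s_port = _origin(source if "://" in source else f"{page_scheme}://{source}")
    if s_host.startswith("*."):
        host_ok = r_host.endswith(s_host[1:])   # *.example.com matches cdn.example.com
    else:
        host_ok = r_host == s_host
    return host_ok and s_scheme == r_scheme and s_port == r_port


def allowed(header, page_url, resource_type, resource_url):
    """Would a browser on page_url be allowed to load resource_url as resource_type?"""
    policy = parse_csp(header)
    # The type-specific directive wins; otherwise default-src applies
    sources = policy.get(f"{resource_type}-src", policy.get("default-src"))
    if sources is None:
        return True          # no matching directive and no default-src: unrestricted
    return any(_source_matches(s, resource_url, page_url) for s in sources)


# Constructed policy for the example site
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *; object-src 'none'"
PAGE = "https://www.example.com/app"
```

Note that the scheme is part of the match: with `https://cdn.example.com` listed, the same script over plain `http://` is refused.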
A conceptual diagram of security management is illustrated in Figure 56 below:

Figure 56. Security Management (SM) conceptual diagram: SM Analyst, SM Console, SM Database, and SM Monitored Devices.


The primary goal is to provide high availability for the network, implying redundancy and fault tolerance
managed by the network security solution. In small and medium business (SMB) networks and many
large and distributed enterprise networks, network security may be provided by a managed security
service provider (MSSP) for a number of reasons, as discussed in Module 1. To facilitate effective
network security management, MSSPs and network administrators must have access to essential
features that enable them to provide protection to the network as a whole and the data contained
therein. Three principles drive these essential features: segmentation, scalability, and high performance.
Segmentation. Multi-tenancy architecture is one in which a single instance of a software application
serves multiple customers, with each customer being referred to as a tenant. The key purpose of
multi-tenancy is segmenting customers in a managed service provider environment. Tenants have limited
capabilities within the application, such as choosing interface colors or business rules, but have no
access to application code. Administrative domains (ADOMs) are virtual domains used to isolate devices
and user accounts. This gives regular user accounts visibility only into devices and data that are
specific to their ADOM, such as a geographic location or business division.
Scalability. Virtual firewall positioning & deployment. Very few organizations use 100% physical or 100%
virtual IT infrastructure, necessitating deployment of interoperable hardware and virtual appliances in
security strategies. For both of these firewall options, control through a centralized panel provides ease
of operation to security administrators while enabling the use of complex measures to counter modern
and emerging complex threats. Virtual domains (VDOMs) were introduced by Fortinet in 2004 and offer
virtualized security from SMB to large and distributed enterprise networks by rapid deployment within
existing virtual infrastructures. [8]
High Performance. Because security management spans the scope from home networks to SMB to large
and distributed enterprise networks, security management must be customizable to meet the
needs of each level of operation. For example, the Application Program Interface (API) specifies how
software components should interact and is used when programming the graphical user interface
(GUI), allowing visibility of the customized network functions. Automation is especially important for
large and distributed enterprise networks, providing an automated workflow enabling users to approve,
deny, defer, or even execute remediation of configuration errors, potentially saving considerable time
and effort.
Managing the Security Console
Network security management includes both hardware and software appliances and virtual machine
(VM) capabilities. They may be deployed as physical network security appliances, virtual appliances, or
software packages. Flexible interfacing allows IT administrators to address the management system via a
command line interface, web-based graphical user interface, or programmatically using JSON/XML
requests (scripting, customization, etc.). This provides network security flexibility for a wide range of
network sizes, from home networks and SMB up to large and distributed enterprise networks that are
geographically separated.
The most important function commonly associated with a security management solution
is maintaining firewall policies across a distributed enterprise. In large and distributed
enterprise environments, security management and reporting/compliance functions are
usually separated, with local personnel managing local nodes and a central site having
visibility over configuration compliance, generally from the data center at the corporate
headquarters or designated IT management division.
Because of the wide range of network security device deployment options, network security consoles
are typically licensed based on the number of devices they will be managing. This provides tailored,
flexible security options appropriate to organization requirements [8]. These security consoles are
enabled by use of the Simple Network Management Protocol (SNMP), which gives administrators the
capability to monitor and, when necessary, configure hosts on a network. This centralized ability to
configure network devices is referred to as device management, and is a critical capability in allowing IT
administrators to manage (monitor and configure) distributed enterprise networks.

Figure 57. Integrated security control console


Administrative Domains (ADOMs) provide the capability to better organize the network environment. A
domain is the equivalent of an organizational unit. The purposes of using ADOMs are:
Limiting administrative scope to specific devices
Segmenting tenants in a managed service provider environment
Administrative domains are further segregated into Accounts, each of which must have at least one User.
However, permissions and policies must be set at the domain administrator and network administrator
levels. [8]

Policy and Security


Policy packages enable the addressing of specific needs for an organization's different sites by creating a
tailored policy package for each site. Policy packages provide flexibility to administrators, because they
may be applied to individual or multiple devices. The advantage of using a policy package is that it
simplifies the installation of a set of firewall rules for sites. [8]
Object libraries contain the names and entry points of the code located in the library, as well as
a list of the objects that the applications or systems using the code require in order to run the
object. An example would be needing an application capable of reading a .jpg file in order to use
the object with a .jpg extension. Object libraries may be configured to direct which applications
are used to open or run which types of files beyond the manufacturer's default settings. Object
libraries may be dragged into policy packages to define actions for traffic meeting criteria
matching the identified object characteristics.


Figure 58. Policy Package example.


Global policy packages become increasingly important as network complexity, size, or distributed
configuration grow. Because large and distributed enterprise networks may delegate remote security
management to local administrators, as introduced above, it is important for
central network administrators to retain overall visibility and control of the entire
network. To this end, global policies allow administrators of large enterprises and MSPs to bookend
segmented/tenant firewall rules in order to ensure compliance with overall network policies and
operating regulations [8].

Figure 59. Global Policy Bookend flow.



Firewall rules (also called firewall policies) are a major challenge for network security administrators,
making it important for companies and organizations, especially distributed enterprise operations, to
have and implement a firewall policy management solution. Depending on the size of the operation and
network, this function may be accomplished by the network security administrator or, if a large enough
enterprise, a firewall administrator. But with the fast-paced and rapidly-evolving dynamics of technology
and its use, the threat of security gaps being created because of a disjointed firewall policy program is as
real as the threat from external sources.
To assist the network security administrator or firewall administrator in developing, implementing, and
monitoring firewall policy requirements and effectiveness, regular, systematic reviews of firewall
policies should be put in place. These reviews provide important benefits, mitigating challenges such as:
Mistakenly adding duplicate, similar, or overriding firewall policies
Missing the impact of corporate policy changes that may affect particular rules
Creation of policies that are too specific at the time of implementation and may need to be
broadened to be effective
Determining what/when policies should be implemented by a policy push (applying the new
policies to individual security devices)
In order to facilitate inputs to the firewall policy development and review process, a firewall policy
workflow process should be established by which policy change recommendations are submitted,
approved, and implemented by IT staff, and then the document retained for archival purposes for later
analytic review. As these processes become institutionalized, the end result becomes not only more
effective firewall rules management, but efficiency that leads to rules reduction, or a decrease in firewall
rules via periodic reviews or automation.
Rules reduction through automation is where the technology of adept security change
management is necessary to improve the probability that the network will remain secure. Security Change
Management is the industry term for the product or feature that seeks to reduce or optimize the
number of firewall rules and provides IT staff and network auditors with a clear picture of how changes
were implemented. With more complex firewalls incorporating more features, such as the Next
Generation Firewall (NGFW), simplification of the user interfaces for complex processes increases the
likelihood that comprehensive security measures will be engaged, monitored, and updated as necessary
to keep up with emerging threats.
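An added example serving both the policy review challenges listed above (duplicate or overriding rules) and the rules-reduction step: a reviewer that finds duplicate, redundant and shadowed rules in a first-match rule base and removes only the safe ones. It is not FortiManager code; the rule base is constructed, and "covered" means fully covered by a single earlier rule.

```python
"""Review of a firewall rule base for duplicate, redundant and shadowed rules.

Added example of the review and rules-reduction process described above; it
is not FortiManager code. The rule base below is constructed with
documentation address ranges, and first-match semantics are assumed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    rid: int
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    service: str   # e.g. "tcp/443", or "any"
    action: str    # "accept" or "deny"


def _net(cidr):
    # IPv4 only in this example; "any" is treated as 0.0.0.0/0
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(a, b):
    """True when rule a matches every packet that rule b matches."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.service in ("any", b.service))


def review(rules):
    """Findings as (kind, later rule id, earlier rule id) under first-match order.

    duplicate: identical match and action as an earlier rule
    redundant: fully covered by an earlier rule with the same action
    shadowed:  fully covered by an earlier rule with the opposite action,
               so it can never take effect (needs a human decision)
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if not covers(earlier, later):
                continue
            same_match = ((earlier.src, earlier.dst, earlier.service)
                          == (later.src, later.dst, later.service))
            if same_match and earlier.action == later.action:
                kind = "duplicate"
            elif earlier.action == later.action:
                kind = "redundant"
            else:
                kind = "shadowed"
            findings.append((kind, later.rid, earlier.rid))
            break   # the first covering rule is the one a packet actually hits
    return findings


def reduce_rules(rules):
    """Rules reduction: drop duplicates and redundant rules; keep shadowed ones for review."""
    drop = {rid for kind, rid, _ in review(rules) if kind in ("duplicate", "redundant")}
    return [r for r in rules if r.rid not in drop]


# Constructed rule base (RFC 1918 and RFC 5737 documentation prefixes)
RULES = [
    Rule(1, "10.0.0.0/8", "192.0.2.10/32", "tcp/443", "accept"),
    Rule(2, "any", "192.0.2.0/24", "any", "deny"),
    Rule(3, "10.1.0.0/16", "192.0.2.10/32", "tcp/443", "accept"),   # redundant with 1
    Rule(4, "10.0.0.0/8", "192.0.2.10/32", "tcp/443", "accept"),    # duplicate of 1
    Rule(5, "172.16.0.0/12", "192.0.2.20/32", "tcp/22", "accept"),  # shadowed by 2
    Rule(6, "172.16.0.0/12", "198.51.100.5/32", "tcp/22", "accept"),
]
```

Shadowed rules are deliberately not auto-removed: rule 5 may be the mistake, or the broad deny in rule 2 may be, and only a reviewer can say which.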
Auditing has important advantages in the security management environment. Because auditing is a
mechanism that records actions that occur on a system, the associated audit log(s) contain information
detailing the events (such as login, logout, file access, upload, download, etc.), who performed the
action and when it was accomplished, and whether the action was successful. Some important events
that should be logged include:
Login/Logoff (including failed attempts)
Network connections (including failed attempts)
Supervisor/administrator login and functions
Sensitive file access

In the context of security management, auditing provides the following advantages:
Ensures that the organization maintains compliance with programs such as HIPAA and PCI
Helps track workflows/approvals for firewall policy changes
Associates security event logs with an individual owner for forensics

Analytics
Unless analytics are applied to future decisions, they cease to serve a vital function for administrators. The
most important function of analytics is to ensure security effectiveness and improvement while enabling
optimum system and network performance.
Analytic reporting is designed to provide end-to-end analysis of system and network performance. In the
context of security management, this analysis includes factors concerning potential impacts on
performance due to attempted or successful attacks, actions taken by preventative policies and
apparatus that detected and prevented intrusion, forensic records of user data for system and network
functions, and so forth.
Reporting is designed to be a cyclical process, not a linear one; that is, the data analyzed is used to inform
decisions regarding whether policies, programming, or apparatus need to be updated or may remain as
currently constituted. If updates are necessary, analytics inform decision-makers, such as corporate
compliance groups, in determining what updates or reconfigurations are the right ones to accomplish.
Security Information and Event Management
Security Information and Event Management (SIEM) [8] is a system that gathers security logs from
multiple sources and correlates logged events in order to focus on events of importance. The SIEM
ecosystem is designed to address the unique requirements of a wide range of customers, from large
enterprises to managed security service providers (MSSPs) that manage thousands of individual
customer environments.
Key features include near real-time visibility for threat detection and prioritization, delivering visibility
across the entire IT infrastructure. It reduces and prioritizes alerts to focus investigations on an
actionable list of suspected incidents, enabling more effective threat management while producing
detailed data access and user activity reports.
SIEM operates on the basis of which logs the administrator has authorized to be forwarded from
syslog to the SIEM. These logs may be tuned further by setting a minimum severity level for log
forwarding; the syslog severity levels, in order of increasing severity, are:

Debugging
Information
Notification
Warning
Error
Critical
Alert
Emergency



SIEM provides three primary functions for network security:
Event logging. How systems and applications record and save data that shows what events
happened at what time and place, with what results, on the system, in the network, or in an
application.
Event correlation. Comparing logged events and correlating like events together to
determine significant instances of repeated or associated events.
Incident alerting. Provides alerts for security incidents on the network. [8]
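An added example tying the forwarding severity floor above to the three SIEM functions: it parses simplified syslog lines, keeps only events at or above a minimum severity, and correlates repeated failed logins from one source into an incident alert. It is not FortiAnalyzer or FortiSIEM code; the log lines are constructed, and the threshold and window are assumptions.

```python
"""Syslog severity filtering and event correlation for SIEM forwarding.

Added example of the log-forwarding severity floor and event correlation
described above; it is not FortiAnalyzer or FortiSIEM code. The syslog lines
are constructed (simplified <PRI> ISO-timestamp format) and the correlation
threshold and window are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Index equals the syslog severity code: 0 = Emergency ... 7 = Debugging
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notification", "Information", "Debugging"]

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
FAILED_LOGIN_RE = re.compile(r"Failed password for \S+ from (?P<ip>[\d.]+)")

# Constructed log: auth.notice (PRI 37) failed logins, auth.info (38) success,
# auth.debug (39) chatter and a kern.err (3) link event.
LOG_LINES = (
    ["<38>2015-01-01T12:00:01 fw1 sshd: Accepted password for alice from 192.0.2.5",
     "<39>2015-01-01T12:00:02 fw1 sshd: debug1: KEX done",
     "<3>2015-01-01T12:00:05 fw1 kernel: port2 link down"]
    + [f"<37>2015-01-01T12:00:{10 + 5 * i:02d} fw1 sshd: Failed password for admin from 203.0.113.9"
       for i in range(6)]
    + ["<37>2015-01-01T12:00:12 fw1 sshd: Failed password for bob from 192.0.2.7",
       "<37>2015-01-01T12:00:40 fw1 sshd: Failed password for bob from 192.0.2.7"]
)


def parse_syslog(line):
    """Split a line into facility, severity, timestamp, host and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable syslog line: {line!r}")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8,
            "ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "msg": m["msg"]}


def forward_filter(lines, min_severity):
    """Keep events at least as severe as min_severity (lower code = more severe)."""
    floor = SEVERITIES.index(min_severity)
    return [e for e in map(parse_syslog, lines) if e["severity"] <= floor]


def correlate_failed_logins(events, threshold=5, window_seconds=60):
    """Alert on sources with >= threshold failed logins inside a sliding window."""
    recent = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        m = FAILED_LOGIN_RE.search(e["msg"])
        if not m:
            continue
        q = recent[m["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[m["ip"]] = max(alerts.get(m["ip"], 0), len(q))
    return alerts
```

Forwarding only Warning and above drops the notice-level failed logins, so the correlation rule never fires; the severity floor has to be chosen with the correlation rules in mind.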
Perhaps the most critical function upon which the SIEM concept depends is logging, because it forms the
basis for making decisions regarding system and network functions and potential anomalies. Logging is
how systems and applications record and save data that shows what events happened at what time and
place with what results on the system, in the network, or in an application. Logging is one of the forensic
tools that may be used to analyze successful attacks, malware infections, or attempted network
intrusions. This capability, although it becomes more complex as networks grow and become
geographically distributed, is important to networks of all sizes against modern and future network
threats.
In the 1980s, Syslog was developed as part of the Sendmail project, but it proved so valuable that other applications soon adopted it as well. In today's IT world, Syslog is still the de facto industry standard for security event logging. In fact, Syslog has become so entrenched as the standard that operating systems such as Windows and UNIX, as well as regulations such as SOX, PCI DSS, and HIPAA, either use the Syslog format or have embedded capability for conversion to Syslog. [19]
Because logging is a necessity for networks of every size, resource balancing is an important consideration. As with deciding whether IaaS, PaaS, or SaaS best suits an application service, the most cost-effective logging/reporting method for an SMB is cloud-based event logging. Similarly, some organizations may opt for standalone logging/reporting solutions to manage logs collected from multiple security devices more effectively.
Network Visibility
Network visibility refers to the ability of administrators to know what type of traffic is crossing their network, including Web, application, email, and other traffic. It allows bandwidth to be optimized for business-critical applications. Because modern and emerging threats are able to take advantage of different traffic types in different ways, network visibility is a key capability in the administrator's arsenal, providing the opportunity to achieve:

Network monitoring and faster troubleshooting
Application monitoring and profiling
Capacity planning and network trends
Detection of unauthorized WAN traffic

Figure 60. Network visibility benefits.


Network visibility is of the utmost importance to security administrators. This includes visibility of every
component of the network, including remote components geographically separated as part of a large
distributed enterprise network. In order to adequately monitor system and network security events, the
security administrator must have access to logging from across the entire infrastructure, including
firewalls, email gateways, endpoint devices, and other network components, both physical and virtual.
Network visibility must be treated as a cyclical process in order to be effective. As illustrated in Figure
60, network visibility provides a wealth of information about many facets of network operations. All of
this data, however, is lost if not used to inform analyses that may improve further network operations
and security. For this reason, network visibility data should be used to inform reporting on network
operations and be used in developing future plans and policy.
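The visibility benefits listed above (application profiling, capacity planning, detection of unauthorized WAN traffic), as an added example that is not part of the study guide or of any Fortinet product: given per-flow records of the kind a firewall's traffic log exports, the code totals bytes per application, ranks internal top talkers, and flags outbound flows whose application is not in the WAN policy. The flow records, the port-to-application map, the 10.0.0.0/8 internal range and the allowed-application policy are all constructed assumptions; a real gateway identifies applications with deep packet inspection rather than by destination port.

```python
"""Traffic profiling from flow records.

Added example, not part of the NSE 1 study guide: given per-flow records of
the kind a firewall's traffic log exports, summarise bytes per application
(application profiling, capacity planning) and flag outbound WAN flows that
fall outside an allowed-application policy. The flow records, port-to-
application map, internal address range and policy are all constructed.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed port-to-application map. A real gateway identifies applications
# with deep packet inspection; destination port alone is only a rough proxy.
PORT_APPS = {53: "DNS", 80: "HTTP", 443: "HTTPS", 25: "SMTP", 22: "SSH", 3389: "RDP"}

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed flow records: (source IP, destination IP, destination port, bytes)
SAMPLE_FLOWS = [
    ("10.1.1.10", "198.51.100.5", 443, 2_400_000),
    ("10.1.1.11", "198.51.100.5", 443, 1_200_000),
    ("10.1.1.12", "203.0.113.9", 80, 300_000),
    ("10.1.1.10", "10.0.0.53", 53, 4_000),
    ("10.1.2.20", "203.0.113.44", 3389, 150_000),  # RDP straight to the Internet
    ("10.1.2.21", "203.0.113.70", 6667, 50_000),   # unrecognised app on an odd port
    ("10.1.1.15", "10.1.1.16", 22, 90_000),        # SSH that never leaves the LAN
    ("203.0.113.80", "10.1.1.10", 443, 20_000),    # inbound: not an outbound WAN flow
]


def classify(port):
    """Map a destination port to an application name, or 'unknown/<port>'."""
    return PORT_APPS.get(port, f"unknown/{port}")


def bytes_by_application(flows):
    """Total bytes per application: the input to profiling and capacity planning."""
    totals = Counter()
    for _src, _dst, port, nbytes in flows:
        totals[classify(port)] += nbytes
    return dict(totals)


def top_talkers(flows, n=3):
    """Internal sources ranked by bytes sent, highest first."""
    per_source = Counter()
    for src, _dst, _port, nbytes in flows:
        if ip_address(src) in INTERNAL:
            per_source[src] += nbytes
    return per_source.most_common(n)


def unauthorized_wan_flows(flows, allowed_wan_apps=("DNS", "HTTP", "HTTPS", "SMTP")):
    """Outbound flows (internal source, external destination) whose application
    is not in the WAN policy; flows that stay inside the LAN are not judged here."""
    findings = []
    for src, dst, port, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            app = classify(port)
            if app not in allowed_wan_apps:
                findings.append({"src": src, "dst": dst, "app": app, "bytes": nbytes})
    return findings


if __name__ == "__main__":
    for app, total in sorted(bytes_by_application(SAMPLE_FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{app:<14}{total:>12,} bytes")
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
    for finding in unauthorized_wan_flows(SAMPLE_FLOWS):
        print("unauthorized WAN flow:", finding)
```

The per-application totals feed the reporting and planning cycle the text describes, while the unauthorized-flow list is the kind of finding that should loop back into policy: the RDP session to an external address and the flow on an unclassified port are exactly what a visibility report surfaces and a firewall policy update then closes.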



Summary
Security management provides vulnerability assessment, automated remediation, and configuration assessment in an environment that offers complex protection with simplified administration. The goal of security management is to reduce security risks through proper configuration and compliance. Across all sizes and types of networks, security management provides customization and automation that assist network security administrators through administrative domains to segment users, firewall and global policy packages that reduce and optimize rules, and auditing that provides oversight of compliance, workflow, approvals, and forensic tracing.
Security Information and Event Management (SIEM) provides a wide range of administrator services for managing logged events and analyzing them to correlate and determine the most appropriate security measures, policy updates, and reactions to network incidents.
Network visibility provides administrators with the necessary end-to-end monitoring, troubleshooting, profiling, and analysis tools to plan for and address modern and emerging threats to the network. Adept management, using the right analytics to inform decisions and actions, is key to establishing and maintaining an efficient and secure network environment.



Key Acronyms

AAA  Authentication, Authorization, and Accounting
AD  Active Directory
ADC  Application Delivery Controller
ADN  Application Delivery Network
ADOM  Administrative Domain
AM  Antimalware
API  Application Programming Interface
APT  Advanced Persistent Threat
ASIC  Application-Specific Integrated Circuit
ASP  Analog Signal Processing
ATP  Advanced Threat Protection
AV  Antivirus
AV/AM  Antivirus/Antimalware
BYOD  Bring Your Own Device
CPU  Central Processing Unit
DDoS  Distributed Denial of Service
DLP  Data Leak Prevention
DNS  Domain Name System
DoS  Denial of Service
DPI  Deep Packet Inspection
DSL  Digital Subscriber Line
FTP  File Transfer Protocol
FW  Firewall
Gb  Gigabyte
GbE  Gigabit Ethernet
Gbps  Gigabits per second
GSLB  Global Server Load Balancing
GUI  Graphical User Interface
HTML  Hypertext Markup Language
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
IaaS  Infrastructure as a Service
ICMP  Internet Control Message Protocol
ICSA  International Computer Security Association
ID  Identification
IDC  International Data Corporation
IDS  Intrusion Detection System
IM  Instant Messaging
IMAP  Internet Message Access Protocol
IMAPS  Internet Message Access Protocol Secure
IoT  Internet of Things
IP  Internet Protocol
IPS  Intrusion Prevention System
IPSec  Internet Protocol Security
IPTV  Internet Protocol Television
IT  Information Technology
J2EE  Java Platform Enterprise Edition
LAN  Local Area Network
LDAP  Lightweight Directory Access Protocol
LLB  Link Load Balancing
LOIC  Low Orbit Ion Cannon
MSP  Managed Service Provider
MSSP  Managed Security Service Provider
NGFW  Next Generation Firewall
NSS  NSS Labs
OSI  Open Systems Infrastructure
OTS  Off the Shelf
PaaS  Platform as a Service
PC  Personal Computer
PCI DSS  Payment Card Industry Data Security Standard
PHP  PHP Hypertext Protocol
POE  Power over Ethernet
POP3  Post Office Protocol (v3)
POP3S  Post Office Protocol (v3) Secure
QoS  Quality of Service
Radius  Protocol server for UNIX systems
RDP  Remote Desktop Protocol
SaaS  Software as a Service
SDN  Software-Defined Network
SEG  Secure Email Gateway
SFP  Small Form-Factor Pluggable
SFTP  Secure File Transfer Protocol
SIEM  Security Information and Event Management
SLA  Service Level Agreement
SM  Security Management
SMB  Small & Medium Business
SMS  Simple Messaging System
SMTP  Simple Mail Transfer Protocol
SMTPS  Simple Mail Transfer Protocol Secure
SNMP  Simple Network Management Protocol
SPoF  Single Point of Failure
SQL  Structured Query Language
SSL  Secure Socket Layer
SWG  Secure Web Gateway
SYN  Synchronization packet in TCP
Syslog  Standard acronym for Computer Message Logging
TCP  Transmission Control Protocol
TCP/IP  Transmission Control Protocol/Internet Protocol (Basic Internet Protocol)
TLS  Transport Layer Security
TLS/SSL  Transport Layer Security/Secure Socket Layer Authentication
UDP  User Datagram Protocol
URL  Uniform Resource Locator
USB  Universal Serial Bus
UTM  Unified Threat Management
VDOM  Virtual Domain
VM  Virtual Machine
VoIP  Voice over Internet Protocol
VPN  Virtual Private Network
WAF  Web Application Firewall
WAN  Wide Area Network
WANOpt  Wide Area Network Optimization
WLAN  Wireless Local Area Network
XSS  Cross-site Scripting

References

1. StrataIT. Did you leave your backdoor open over the holidays? 2012 [cited 2014 October 20]; [Image: Fortinet UTM vs. Adhoc Network Security Model]. Available from: http://www.stratait.com/content/did-you-leave-your-backdoor-open-over-holidays.
2. UAB, M., Fortinet Secure Gateways, Firewalls. 2013.
3. Frampton, K., The Differences Between IaaS, Saas, and PaaS. 2013, SmartFile.
4. Bray, G., SaaS vs PaaS vs IaaS. 2010, Stack Exchange.
5. Gartner, Next Generation Firewalls will include Intrusion Prevention. 2004.
6. Gartner, Magic Quadrant for Enterprise Network Firewalls. 2008.
7. Gartner, Defining the Next Generation Firewall. 2009.
8. Tam, K., et al., UTM Security with Fortinet: Mastering FortiOS. 2013, Waltham, MA: Elsevier.
9. Tittel, E., Unified Threat Management for Dummies. 2012, Hoboken, NJ: John Wiley & Sons.
10. Miller, L., Next-Generation Firewalls for Dummies. 2011, Indianapolis, IN: Wiley Publishing, Inc.
11. Rouse, M., Unified Threat Management Devices: Understanding UTM and its Vendors. Essential Guide, 2014.
12. Janssen, C., Quality of Service (QoS), in Techopedia.com. n.d.
13. Rischbeck, T., XML Appliances for Service-Oriented Architectures. SOA Magazine, 2010.
14. OWASP. About the Open Web Application Security Project. 2014 [cited 2014 October 31]; Available from: https://www.owasp.org/index.php/About_OWASP.
15. Maiwald, E., Network Security: A Beginner's Guide. 3rd ed. 2013, New York, NY: McGraw-Hill.
16. Nichols, S., Peak IPv4? Global IPv6 traffic is growing, DDoS dying, says Akamai. The Register, 2014.
17. Rouse, M., Application Delivery Controller. Essential Guide, 2013 [cited 2014 October 15]; Available from: http://searchnetworking.techtarget.com/definition/Application-deliverycontroller.
18. Council, P.S.S., PCI Quick Reference Guide. 2008.
19. Gerhards, R., The Syslog Protocol.
