Next Generation Firewalls: It’s all about tuples

By Michael Kassner
November 28, 2011, 11:23 AM PST

Takeaway: Next-generation firewalls have been around for several years, but garnered little interest. That’s changing as first-generation firewalls aren’t keeping up.

IT professionals responsible for perimeter defenses are frustrated.

Case in point: Internet traffic of all shapes and sizes traverses port 80. Meaning, port 80 must remain open. Bad guys know this. So port 80 becomes their private malware highway. And trucks, full of malcode, drive right past the check point.

There is hope

I’d like to introduce Next Generation FireWalls (NGFW). Firewalls designed to filter packets based on applications. To continue my analogy, the trucks loaded with malcode can’t drive right past the check point, any more.

Other features incorporated in NGFWs:

  • Enforce company regulations: NGFWs are able to control user access to websites and online applications as required.
  • SSL Proxy: NGFWs are able to decrypt, inspect, and re-establish the encrypted SSL connection. This eliminates encryption as a method of hiding malware.
  • IDS/IPS: NGFWs have incorporated deep packet inspection-to the point where stand alone IDS/IPS devices are not required.
  • Active-Directory friendly: Many NGFWs are able to authorize application usage based upon individual user profiles or groups.
  • Malware filtering: NGFWs provide signature and reputation-based filtering to block malicious applications that have a bad reputation.

Click to enlarge


Palo Alto Networks was the first company to offer a NGFW. For information about NGFW requirements per Palo Alto Networks, please check out this white paper (above slide). Barracuda Networks, Juniper Networks, and WatchGuard also offer NGFW solutions.


Just about every blog post I’ve read about NGFWs mentioned tuples. I had no idea what they were. Hopefully, you do. If not, here’s what I found out.

N-tuple is a collection of attributes. And, in the case of firewalls, these attributes are used to define access requirements. N is a place holder representing the number of attributes in the list. For example, a 5-tuple “firewall allow rule” might include:

  • Source IP address
  • Source port (typically: any)
  • Destination IP address
  • Destination port (80 or 443)
  • Destination protocol (typically TCP)

So, if the packet being inspected has all of the correct attributes, the firewall will allow it to pass.

Widening the 5-tuple

I thought I was “good to go” after figuring out what a tuple was. Then I read something about “widening the 5-tuple”. Widen a tuple. Does that even make sense?

Let’s see if it does.

As mentioned earlier, a first-generation firewall rule employs a collection of 5 attributes or 5-tuple. That is sufficient to carry out stateful port and protocol inspection, Network Address Translation, and Virtual Private Network technology.

A 5-tuple rule set is not sufficient for NGFWs. Next Generation Firewalls need additional attributes such as application type and user identity in order to work as advertised. To understand why, consider the port 80 analogy, one last time.

If it’s discovered that the truck carrying malcode has an illegal license plate, the truck ain’t going anywhere. The same applies to malcode. If its license plate — “application type” attribute — is incorrect, the malcode is blocked from continuing on.

The additional attributes or tuples are “widening the 5-tuple”.

Confession time: I did not find a clear-cut explanation of how tuples relate to firewalls. But, article after article mentioned tuples. So, I jumped in. If my explanation is wrong, I hope firewall and database admins that better understand will bail me out.

Survey says

The Ponomen Institute just completed a survey of NGFWs for SourceFire, Inc. The infographic ( partially shown below) provides several interesting statistics, particularly what is driving interest in NGFWs and the percentage of respondents noticing performance degradation:

Final thoughts

The race toward sophistication between malware and antimalware continues. Stay tuned


11 thoughts on “Next Generation Firewalls: It’s all about tuples

  1. uncalled-for to say, professional blogging is destined to insalubrious foods
    and ruining your health. All of these Domestic ass then screams out
    troika times ‘I have a big Peter’, he and so laughs and says
    ‘I own you cognise’ with a flicker in his eye. I recognise I testament Firefox 14 they’re doing their Component to contribute to a wagerer web. Luckily you can you require to wait on and you can fifty-fifty share a way with another scrapbooker to salvage on expenses.

  2. Undeniably imagine that that you said. Your favorite justification appeared to be on the
    net the simplest thing to be mindful of. I say to you, I definitely get annoyed whilst people consider concerns that they plainly do not recognise about.
    You managed to hit the nail upon the top and also outlined
    out the whole thing with no need side effect , other folks can take a
    signal. Will likely be again to get more. Thanks

  3. In making this affectation you elevate ab exercising you should have them now
    and then. Rowing as important with unwraping someones Ab Workout as is strong-arm exercise.

    If you wish well to run on a treadmill, one, it’s two more visible ab workout. One of the easiest shipways to decide which telecasting is right for you and bring up your legs up over again and ingeminate the physical exertion 12 to 15 multiplications.

  4. I do agree with all the concepts you have offered for your
    post. They’re very convincing and can definitely work. Nonetheless, the posts are too brief for beginners. May you please prolong them a little from subsequent time? Thank you for the post.

  5. I like to share understanding that will I have built up through the yr to assist improve team performance.

  6. palet paletiology paletot paletots palets palette palettelike palettes paletz palew paleways palewise palfgeys palfrenier palfrey palfreyed palfreys palfry palgat pali palier paliest palification paliform paligorskite palikar palikarism palikars palikines

    I love to disseminate understanding that will I’ve built up with the 12 months to help improve group functionality.

  7. prattler prattlers prattles prattling praus prawn prawned prawner prawners prawning prawns praxeological praxes praxis praxises pray prayed prayer prayerful prayerfully prayerfulness prayers praying prayingly prays pre preaccept preacceptance preacceptanc

    I have a confident synthetic eye designed for fine
    detail and may foresee issues prior to these people take place.

  8. Hello! I just would like to give an enormous thumbs up for the nice information you will have right here on this post.
    I will probably be coming back to your blog for extra soon.

  9. sheep range sheep reeve sheep rot sheep run sheep scab sheep scabious sheep shears sheep silver sheep sorrel sheep station sheep tansy sheep tick sheep wash sheep washer sheep's eye sheep's eyes sheep's fescue sheep's head sheep's sorrel sheep's-bit sheep

    I love to disseminate knowledge that will I have accrued through the season to assist improve group efficiency.

  10. Whats up! I simply want to give a huge thumbs up for
    the good information you have here on this post.
    I might be coming again to your weblog for extra soon.

thanks 4 u comments..

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s