Next Generation Firewalls: It’s all about tuples

By Michael Kassner
November 28, 2011, 11:23 AM PST

Takeaway: Next-generation firewalls have been around for several years, but garnered little interest. That’s changing as first-generation firewalls aren’t keeping up.

IT professionals responsible for perimeter defenses are frustrated.

Case in point: Internet traffic of all shapes and sizes traverses port 80, which means port 80 must remain open. Bad guys know this, so port 80 becomes their private malware highway, and trucks full of malcode drive right past the checkpoint.

There is hope

I’d like to introduce Next Generation Firewalls (NGFWs): firewalls designed to filter packets based on the application that generates them, not just on ports and addresses. To continue my analogy, the trucks loaded with malcode can’t drive right past the checkpoint anymore.

Other features incorporated in NGFWs:

  • Enforce company regulations: NGFWs are able to control user access to websites and online applications as required.
  • SSL proxy: NGFWs are able to decrypt, inspect, and re-establish the encrypted SSL connection. This eliminates encryption as a method of hiding malware from the firewall.
  • IDS/IPS: NGFWs incorporate deep packet inspection, to the point where stand-alone IDS/IPS devices are not required.
  • Active Directory friendly: Many NGFWs are able to authorize application usage based on individual user profiles or groups.
  • Malware filtering: NGFWs provide signature- and reputation-based filtering to block known malicious applications and those with a bad reputation.


Vendors

Palo Alto Networks was the first company to offer an NGFW. For Palo Alto Networks’ view of NGFW requirements, please check out their white paper (summarized in the slide above). Barracuda Networks, Juniper Networks, and WatchGuard also offer NGFW products.

N-tuple?

Just about every blog post I’ve read about NGFWs mentioned tuples. I had no idea what they were. Hopefully, you do. If not, here’s what I found out.

An N-tuple is a collection of attributes; in the case of firewalls, these attributes define access requirements. N is a placeholder for the number of attributes in the list. For example, a 5-tuple “firewall allow rule” might include:

  • Source IP address
  • Source port (typically: any)
  • Destination IP address
  • Destination port (80 or 443)
  • Destination protocol (typically TCP)

So, if the packet being inspected has all of the required attribute values, the firewall allows it to pass.

Widening the 5-tuple

I thought I was “good to go” after figuring out what a tuple was. Then I read something about “widening the 5-tuple”. Widen a tuple? Does that even make sense?

Let’s see if it does.

As mentioned earlier, a first-generation firewall rule employs a collection of five attributes, or 5-tuple. That is sufficient to carry out stateful port and protocol inspection, Network Address Translation (NAT), and Virtual Private Network (VPN) technology.

A 5-tuple rule set is not sufficient for NGFWs. Next Generation Firewalls need additional attributes, such as application type and user identity, in order to work as advertised. To understand why, consider the port 80 analogy one last time.

If it’s discovered that the truck carrying malcode has an illegal license plate, the truck ain’t going anywhere. The same applies to malcode: if its license plate — the “application type” attribute — is not what the rule expects, the malcode is blocked from continuing on.

Adding these attributes to the rule is what is meant by “widening the 5-tuple”.
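To make the “N-tuple?” and “Widening the 5-tuple” sections concrete, here is a small Python policy matcher added as an example; it is not code from the original post or from any vendor. It evaluates the classic 5-tuple allow rule listed above, then widens the same rule with two extra attributes, application type and user identity, and shows how a flow that satisfies the 5-tuple can still be blocked. The field names (`application`, `user`), the rule names, the policies, the addresses (documentation ranges) and the sample flows are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any, List, Optional

ANY = "any"  # wildcard value for a rule attribute

CLASSIC_FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "protocol")
NGFW_FIELDS = CLASSIC_FIELDS + ("application", "user")  # hypothetical extra attributes


@dataclass(frozen=True)
class Flow:
    """Attributes observed for one connection. The first five fields are the
    classic 5-tuple; application and user are what an NGFW adds on top."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    application: Optional[str] = None  # e.g. "web-browsing"; None if not identified
    user: Optional[str] = None         # e.g. "staff"; None if not identified


@dataclass(frozen=True)
class Rule:
    """One allow/deny rule. Unset attributes default to the ANY wildcard, so a
    rule that only sets classic fields is a 5-tuple rule, and one that also
    sets application/user is a 'widened' rule."""
    name: str
    action: str                 # "allow" or "deny"
    src_ip: str = ANY           # CIDR network or ANY
    src_port: Any = ANY         # int or ANY
    dst_ip: str = ANY
    dst_port: Any = ANY
    protocol: str = ANY         # "tcp", "udp", ... or ANY
    application: str = ANY      # NGFW attribute
    user: str = ANY             # NGFW attribute

    def as_tuple(self) -> tuple:
        """The rule as an N-tuple: N is 5 for a classic rule, 7 once widened."""
        widened = self.application != ANY or self.user != ANY
        fields = NGFW_FIELDS if widened else CLASSIC_FIELDS
        return tuple(getattr(self, f) for f in fields)

    def matches(self, flow: Flow) -> bool:
        return all([
            _ip_in(self.src_ip, flow.src_ip),
            _eq(self.src_port, flow.src_port),
            _ip_in(self.dst_ip, flow.dst_ip),
            _eq(self.dst_port, flow.dst_port),
            _eq(self.protocol, flow.protocol, fold=True),
            _eq(self.application, flow.application, fold=True),
            _eq(self.user, flow.user, fold=True),
        ])


def _ip_in(rule_net: str, addr: str) -> bool:
    return rule_net == ANY or ip_address(addr) in ip_network(rule_net, strict=False)


def _eq(rule_val: Any, flow_val: Any, fold: bool = False) -> bool:
    # A wildcard matches anything. A constrained attribute must actually be
    # present on the flow: an unidentified application or user never satisfies it.
    if rule_val == ANY:
        return True
    if flow_val is None:
        return False
    if fold:
        return str(rule_val).lower() == str(flow_val).lower()
    return rule_val == flow_val


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; the implicit final rule is deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed sample policies: the same outbound web rules, classic and widened.
INTERNAL = "10.0.0.0/8"
FIRST_GEN_POLICY = [
    Rule("allow-web-out", "allow", src_ip=INTERNAL, dst_port=80, protocol="tcp"),
    Rule("allow-tls-out", "allow", src_ip=INTERNAL, dst_port=443, protocol="tcp"),
]
NGFW_POLICY = [
    Rule("allow-staff-browsing", "allow", src_ip=INTERNAL, dst_port=80,
         protocol="tcp", application="web-browsing", user="staff"),
    Rule("allow-staff-tls", "allow", src_ip=INTERNAL, dst_port=443,
         protocol="tcp", application="ssl", user="staff"),
]

# Constructed sample flows. The second has the same 5-tuple as the first, but the
# application identified on port 80 is not HTTP: the "illegal license plate".
LEGIT_BROWSING = Flow("10.1.2.3", 51000, "203.0.113.10", 80, "tcp",
                      application="web-browsing", user="staff")
TUNNELLED_ON_80 = Flow("10.1.2.3", 51001, "203.0.113.10", 80, "tcp",
                       application="unknown-tcp", user="staff")
GUEST_BROWSING = Flow("10.9.9.9", 51002, "203.0.113.10", 80, "tcp",
                      application="web-browsing", user="guest")


def compare(flow: Flow) -> dict:
    """Verdict of each policy for one flow."""
    return {"first_gen": evaluate(FIRST_GEN_POLICY, flow),
            "ngfw": evaluate(NGFW_POLICY, flow)}


if __name__ == "__main__":
    for label, flow in [("legit browsing", LEGIT_BROWSING),
                        ("tunnelled on port 80", TUNNELLED_ON_80),
                        ("guest browsing", GUEST_BROWSING)]:
        print(f"{label:22s} {compare(flow)}")
```

Running it shows the point of the analogy: the 5-tuple policy allows all three flows because port 80 over TCP from an internal address is exactly what it permits, while the widened policy allows only the staff member’s genuine web browsing and denies the other two. Note the design choice in `_eq`: when a rule constrains application or user and the firewall could not identify that attribute, the rule does not match, so unidentified traffic falls through to the default deny rather than being waved through.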

Confession time: I did not find a clear-cut explanation of how tuples relate to firewalls. But article after article mentioned tuples, so I jumped in. If my explanation is wrong, I hope firewall and database admins who understand this better will bail me out.

Survey says

The Ponemon Institute just completed a survey of NGFWs for Sourcefire, Inc. The infographic (partially shown below) provides several interesting statistics, particularly what is driving interest in NGFWs and the percentage of respondents noticing performance degradation.

Final thoughts

The race toward sophistication between malware and antimalware continues. Stay tuned.


Microsoft Boasts 90,000,000 Windows 7 Sold


Windows 7: Over 90 Million Served.

Even when Windows 7 launched to a warm reception (and brisk sales), Microsoft didn’t reveal exact sales numbers for its new OS – until today.

Microsoft CFO Peter Klein announced at the Morgan Stanley Technology, Media & Telecom Conference that Windows 7 has sold 90 million licenses to date.

Up until recently, Microsoft’s company line when boasting about Windows 7 sales was that it is the fastest-selling operating system in history, but without any accompanying number.

Windows 7 Anti-Piracy Update Now Live

New patch checks for more activation hacks.
Earlier this month, we detailed that Microsoft was prepping a Windows 7 update that would improve Windows Activation Technologies to detect more than 70 known and potentially dangerous activation exploits.

Those paying attention to Windows Update will see that patch KB971033 is now live. Its name does not mention Windows Activation Technologies; it is simply termed an “Update for Windows 7.”

Microsoft previously pointed out that this update is completely voluntary and users can decline it when it appears (though we can’t imagine why legitimate users would worry). Of course, if a hack or exploit is found, Windows 7 will alert the user by removing the desktop background and popping up periodic reminders of just how non-genuine it is feeling.

Microsoft Help: How to Install, Reinstall, Upgrade or Uninstall Windows

Install, reinstall, upgrade or uninstall Windows – a new Microsoft Windows webpage providing information for when you need to install, reinstall, upgrade, or uninstall Microsoft Windows. (Thanks Chris)

INSTALL WINDOWS: If you’re installing Windows for the first time on a new computer and you don’t have any existing version of Windows to remove, upgrade, or replace. To install Windows and keep an earlier version of Windows on your computer, click on Install Multi-boot.

  • Install Windows XP or Install Multi-boot
  • Install Windows Vista or Install Multi-boot
  • Install Windows 7 or Install Multi-boot (More Info)

UNINSTALL WINDOWS:

How To Lock Idle Computer Automatically

How many times have you left the computer without locking it and worried that someone would sneak into your personal mail and documents? At the office, many of us face this problem quite often.

How about locking the computer automatically when it is left idle for some time? That would be very helpful. To lock a computer automatically we don’t need any software or special tools. All we need to do is set a screensaver and configure it to ask for a password on resume. That’s a very simple solution, right?

In all versions of Windows (XP, Vista, Windows 7, etc.), it is possible to activate a screensaver after a desired amount of idle time and ask for a password on resume.

The screen capture below, from Windows 7, shows the configuration settings required to lock the PC automatically after 5 minutes of idle time (in other versions of Windows the options are more or less the same).

[Screen capture: Windows 7 screensaver settings for locking the computer after idle time]

I’m not a big fan of screensavers; I also consider it a little annoying to set flashy screensavers at the workplace. So I choose Blank as the screensaver.

Find Model Number and Serial Number Of Your Computer Using DOS Commands

Desktops and laptops purchased from manufacturers like Dell, IBM, etc. come with a serial number (or service tag) and a model name. If you ever lose this information, you can use MS-DOS commands to retrieve it.

To retrieve the serial number of the computer, run the following command:

wmic bios get serialnumber

To retrieve the model name of the computer, run the following command:

wmic csproduct get name

Universal phone charger OK’d

Micro_USB_Charger (Universal Charger)

A standard for a universal phone charger was approved this week by the International Telecommunication Union, a branch of the United Nations.

Side by side view of a Micro-USB connector and a regular USB connector.
(Credit: Wikimedia Commons)

The Universal Charging Solution will enable the creation of one-size-fits-all chargers that can be used on any future phone, according to the ITU.

The standard is based on input from the GSM Association, which expects the shift to eliminate 51,000 tons of redundant chargers, or 13.6 million tons of greenhouse gas emissions each year.

Based on Micro-USB, the new chargers will also be energy efficient.

“Universal chargers are a common-sense solution that I look forward to seeing in other areas,” Malcolm Johnson, director of ITU’s telecommunication standardization bureau, said in a statement.

Manufacturers are not required to adopt the new chargers, but some have already signed up, such as Sony Ericsson, according to the BBC.