In this lesson, I'll talk about advanced firewalls. Advanced firewalls are also considered next generation firewalls, which have been around for several years. So, what is a next generation firewall? Well, a next generation firewall is basically a firewall that has the basic features. So, we have our source, destination, protocols and ports. However, we can also implement a bunch of other techniques to detect what is going on within our network or within our systems. So, it can look at applications. It can look within the packet itself, and put things together to try to determine what it's doing. It has built-in intrusion detection technology and intrusion prevention technology. It can also decrypt web traffic, or other kinds of traffic.

So, for example, if you have a web application that is HTTPS, and you need to inspect that traffic. Well, the way SSL works is, it's encrypted from end to end. If you have a client on the inside accessing an internal network or internal system that's encrypted over SSL, the firewall cannot understand, nobody can understand, what's inside that packet traversing the network, because it's encrypted. Well, what the next generation firewall will do, as long as you put the private certificate on the firewall, is decrypt that traffic, and then re-encrypt it as it's going back out, so that we can inspect the data. Now, that creates a massive amount of overhead. However, some organizations think it's necessary. Personally, I think SSL is meant to be private. So, you know, even though you may be under attack, you should have other mechanisms looking at that overall traffic. So, when you have an advanced firewall, you may want to determine whether or not you want SSL decryption and re-encryption to take place. But like I said, it's a lot of additional overhead.
Other features that you may have enabled on an advanced firewall are website filtering, quality of service, bandwidth management, anti-virus inspection, anti-spyware inspection, and also identity management. Let's talk about one of the advanced firewalls that we use here on campus. This is our border firewall. It's a Palo Alto firewall. And we went with Palo Alto because of the workflow. Now, most next generation firewalls out there do roughly the same thing. They have all the same features enabled. However, even though Palo Alto Networks firewalls are more expensive than most, I was concerned about the workflow. So, when you are experiencing an incident, or when you need to block activity, or when you need to do an investigation, how quickly can your security department look at the incident and figure out what's going on? This is very important to understand: not all firewalls are created equal. Because if you need to look at something, you have to access things quickly, in an event or in an emergency. So, we went with Palo Alto. We did a bake-off between a couple of different vendors, and decided Palo Alto was the easiest one. So, we could react to security incidents the fastest.

So, I was talking about user activity. So, this is just a snapshot of the past 24 hours. It was a Friday. Today is Saturday. So, in the past 24 hours, there's barely anything going on on the network. Actually, let's look at it real quick here. So, right now, it's around noon on a Saturday. So, we have about 200 megabytes, or 200 megabits, going through the network to the Internet. Which is nothing compared to the middle of the semester. But let's look at this. So, user activity: we can drill down into user activity; next generation firewalls break that down by user. And we can drill down to see what people are actually doing, within reason. Now, this is somewhere you want to get your legal department involved as well, saying who has access to this data.
How much are you going to allow other people to see? Now, you may also ask yourself, well, can law enforcement get this? We have law enforcement, or actually we have campus police, who are sworn officers on campus. Do we allow the officers to see this data? And the answer is actually no. Not without a legal reason do they get to see this, and that's always approved by our attorneys. However, let's look at some of these other features of advanced firewalls real quick. You'll notice that we have different protocols here. So, we can break down applications within a next generation firewall or an advanced firewall. It understands what the applications are, or what the patterns are for that application. So, GRE tunnels are traditionally VPNs. Web browsing is going to be HTTP or HTTPS. HTTP video is actually categorized all on its own. So, this could be YouTube traffic. SHOUTcast is used by a lot of different vendors to display audio, or to listen to audio. And so, we can also drill down into source IPs and destination IPs.

Let's look at the threats. Now, one of the big features of advanced firewalls is how they can look at threats, and identify threats coming into the network. So, here's just a few, and this is just the past 24 hours: suspicious HTTP evasion found, that's 127,000 hits. SSH2 login attempts, 43,000, or 23,000 attempts to log into some of our SSH. All these are threats that the firewall has identified as threats. So, if we look at the blocked activity, the blocked activity is actually more serious. So, when we have a next generation firewall, we can turn on the intrusion prevention technology within the firewall. And this actually goes into the packet. It does deep packet inspection, puts packets and strings together, and looks at the entirety of the session, in packets. So, you'll notice here, we've had SQL injection attempts, 139 in the past 24 hours. WordPress brute force attempts, we've blocked 74 of those.
Microsoft Windows win.ini access. Now, if a system were compromised on campus, this would also block that activity. I saw the other day where we actually had ZeroAccess, which is an attack kit, traversing. So, the firewall blocked that. So, the thing that I want you to understand about advanced firewalls is that advanced firewalls have a lot more features, and can do a lot more inspection, than just a traditional firewall. Now, they're going to cost a lot more, and they take a lot more maintenance to run effectively. However, they protect your organization much, much better than a normal firewall. These firewalls that we have in place are connected together to make sure that if one fails, the other one kicks in right away. And to help with some load balancing as well.
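To make the two capabilities discussed above concrete, the application breakdown (GRE, web browsing, HTTP video, SHOUTcast, SSH) and the intrusion-prevention signatures (SQL injection, WordPress brute force, win.ini access, HTTP evasion), here is a small added example, not code from the lecture or from Palo Alto Networks. It is a toy inspector in the style of a next generation firewall: it identifies the application of each flow from the IP protocol number plus payload patterns rather than port alone, then runs IPS-style checks over HTTP requests and tallies hits the way the dashboard in the lecture does. The sample flows are constructed; the video host list, the signature patterns and the brute-force threshold are my simplifying assumptions, not a vendor's real signature set.

```python
"""Toy next-generation-firewall inspector (added example, not vendor code)."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# IANA IP protocol numbers
TCP, UDP, GRE = 6, 17, 47


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    payload: bytes = b""   # first bytes the client sent on the flow


HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]\r\n")
VIDEO_HOSTS = (b"youtube.com", b"googlevideo.com")   # assumption: crude host list for "http-video"

# IPS-style signatures applied to the URL-decoded request target (assumed patterns).
SIGNATURES = [
    ("SQL injection attempt",
     re.compile(r"(?i)union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table")),
    ("Microsoft Windows win.ini access",
     re.compile(r"(?i)(^|[/\\])win\.ini")),
]
# Double URL-encoding and overlong UTF-8 only show up in the raw bytes, before decoding.
EVASION = re.compile(rb"(?i)%25[0-9a-f]{2}|%c0%a[ef]")
WP_LOGIN = re.compile(rb"^POST /wp-login\.php ")
BRUTE_FORCE_THRESHOLD = 5   # assumption: login posts from one source before we flag it


def identify_app(flow: Flow) -> str:
    """App-ID style classification: protocol number first, then payload patterns."""
    if flow.proto == GRE:
        return "gre"
    p = flow.payload
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:
        return "ssl"                          # TLS record: handshake type, version 3.x
    m = HTTP_REQ.match(p)
    if m:
        if re.search(rb"(?im)^icy-metadata:", p):
            return "shoutcast"                # SHOUTcast clients ask for ICY metadata
        host = re.search(rb"(?im)^host:\s*(\S+)", p)
        if host and host.group(1).lower().endswith(VIDEO_HOSTS):
            return "http-video"
        return "web-browsing"
    return "unknown-tcp" if flow.proto == TCP else "unknown-udp"


def inspect_http(flow: Flow, login_attempts: Counter) -> list:
    """Run the IPS checks on one HTTP request; return the threat names it triggers."""
    hits = []
    raw = flow.payload
    m = HTTP_REQ.match(raw)
    if not m:
        return hits
    if EVASION.search(raw):
        hits.append("Suspicious HTTP evasion")
    target = unquote(m.group(2).decode("latin-1"))   # one decoding pass, like an IPS normaliser
    for name, pattern in SIGNATURES:
        if pattern.search(target):
            hits.append(name)
    if WP_LOGIN.match(raw):
        login_attempts[flow.src] += 1
        if login_attempts[flow.src] >= BRUTE_FORCE_THRESHOLD:
            hits.append("WordPress brute force attempt")
    return hits


def run(flows):
    """Return (application counts, threat counts, blocked flows) like a dashboard summary."""
    apps, threats, login_attempts, blocked = Counter(), Counter(), Counter(), []
    for f in flows:
        apps[identify_app(f)] += 1
        hits = inspect_http(f, login_attempts)
        for h in hits:
            threats[h] += 1
        if hits:
            blocked.append((f.src, hits))
    return apps, threats, blocked


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.9", GRE, 0, b""),
    Flow("198.51.100.7", "10.2.0.10", TCP, 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.1.2.3", "203.0.113.20", TCP, 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.1.2.4", "203.0.113.30", TCP, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.1.2.4", "203.0.113.31", TCP, 80, b"GET /watch?v=abc HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
    Flow("10.1.2.5", "203.0.113.40", TCP, 8000, b"GET /stream HTTP/1.0\r\nHost: radio.example\r\nIcy-MetaData: 1\r\n\r\n"),
    Flow("198.51.100.8", "10.2.0.20", TCP, 80, b"GET /item?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Flow("198.51.100.8", "10.2.0.20", TCP, 80, b"GET /cgi-bin/view?file=../../windows/win.ini HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Flow("198.51.100.9", "10.2.0.20", TCP, 80, b"GET /%252e%252e/admin/config HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
] + [
    Flow("198.51.100.10", "10.2.0.30", TCP, 80, b"POST /wp-login.php HTTP/1.1\r\nHost: blog.example\r\n\r\nlog=admin&pwd=guess")
    for _ in range(5)
]

if __name__ == "__main__":
    apps, threats, blocked = run(SAMPLE_FLOWS)
    print("applications:", dict(apps))
    print("threats:", dict(threats))
    print("blocked:", blocked)
```

Two design points carry over to real appliances: the application label comes from what the payload looks like, so SHOUTcast on port 8000 and HTTP video on port 80 are told apart from plain web browsing, and the evasion check runs on the raw bytes while the content signatures run on a normalised copy, because double encoding exists precisely to slip past a signature that only sees one of the two forms. Brute-force detection is stateful across flows, which is why the inspector keeps a per-source counter rather than judging each request alone.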