Businesses increasingly run on data, and data runs on networks. One of the key roles of IT is to monitor those networks for both health and content. Now, with next generation firewalls (NGFW), network administrators can not only enforce security policy, but also monitor network transactions closely using deep packet inspection (DPI).
There’s just one question: given its complexity, can you trust your NGFW if you don’t understand what it’s doing?
What NGFWs Do, in Theory
The basic idea behind a NGFW is to insert L7-specific knowledge into the forwarding decisions of a firewall. For example, http isn’t exclusively found on port 80: there’s also 8000, 8080, etc. Conversely, not everything on port 80 is http: there’s also instant messaging, P2P, etc. Therefore, a rule which allows TCP port 80 will block some http, and allow some non-http. A NGFW validates that the L7 traffic is http, no matter what the L4 port is, so a NGFW rule to allow http should work better than a rule to allow port 80.
Some NGFWs extend into protocol-specific analysis. These devices will typically provide http breakdowns by URL category and Content-Type, to differentiate between a PDF or training video from a network vendor and a video on a humor site.
The value of a NGFW is a combination of the accuracy of filtering, the ease of creating and managing rules, and the reporting output. The danger of a NGFW is that a bad protocol identification may cascade into both wrong filtering and incorrect reporting output.
Fortunately, NGFW behavior is easy to test with a laptop and a packet sniffer.
Understanding and Auditing the NGFW
The basic test setup for a NGFW is relatively straightforward: you need to generate test traffic and to measure that traffic. This is easier than it sounds: your traffic generator will be one desktop connecting to the Internet and/or other parts of the internal network, and your measurement will be two separate packet capture points, just inside and outside the NGFW.
Plan your test based on your purchase decision criteria: what do you want your NGFW to do? Usually, it includes whether the NGFW allows your normal traffic, blocks abnormal behavior, and correctly reports on who did what.
For allowed traffic, start with critical external resources, like SaaS partner sites. Many NGFWs track deep into a site, so try performing (if applicable) uploads, downloads, searches, and other actions beyond simple browsing. Pay special attention and add non-standard ports into your test, like URL redirects to a different port, or special applications. Also consider blogs and feeds with common domains.
For negative tests, there are 3 common cases. The most obvious is websites that are Not Safe For Work (NSFW). Next is trying to bypass the firewall controls. Finally, there are sites of mixed utility.
Testing NSFW is a delicate matter. Test using a site which is unlikely to offend if you actually connect, such as sports or online gambling. There’s no reason to test your company HR rules while you’re trying to test a new device.
Bypassing the firewall is a dark art with a lot of skillful practitioners, but chances are that none of them work at your company. What you’re interested in is applications that bypass the firewall. Start with the ones which are likely found inside your company, like Skype and BitTorrent. Skype is difficult to block, since it uses dynamic ports. BitTorrent is also dynamic, and uses both cleartext and encrypted connections, so test in each mode. Again, use common sense: download something safe like a Linux installer.
The final category is sites of mixed utility, like social networks. Allow access for some users and not others. Do the rules only apply to IP addresses, to a “federated ID” for the node, or to userIDs on the sites? Use a combination of sites, like LinkedIn, Facebook, and YouTube.
Running the Test
Start captures on both sides of the firewall. Apply a capture filter for your test machine(s) on the inside, and the NAT address on the outside.
Follow your test plan. Use about a dozen sites and applications that need access, about 6 that should be blocked, and about 3 that need mixed access based on user. For each site, record what you tried – not just the home page – as well as the success or failure.
Most of the results of your testing will be obvious. If there were any surprises, check your packet captures to understand what happened. Start with the “internal” capture to see how far the test in question progressed, and compare interesting flows with the captures from the “outside.” Does the NGFW pass the connection directly, or does it rearrange or rewrite it?
Does the report clearly show you what happened? Think about what information you need. Are you most interested in what site was accessed, what the data was, or who tried to access it? Do you want the trend info, or the outliers?
Next Step: Pilot Program
After a controlled small-scale test, the next logical step is a larger test – more users, more time. Instead of one user for an hour, recruit a number of people for a week. The hardest part here will be finding the “right” people and configuring the network to forward only their traffic through the NGFW.
The Results: Trust and Relax
This test may seem like a lot of work, but remember that you’re trying to protect your business by protecting your network, both in terms of content and health. Once you’ve learned how your NGFW works, you’ll find what kinds of configurations work best for you, making maintenance and troubleshooting faster. Best of all, the NGFW will provide information you can trust.
Author Profile - Jim MacLeod is a Product Manager at WildPackets. He has been in the networking industry since 1994, and started doing protocol analysis in 1996. His experience includes positions in firewall and VPN setup and policy analysis, log management, Internet filtering, anti-spam, intrusion detection, network monitoring and control, and of course packet sniffing.