Overview

A firewall can be either software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control incoming and outgoing network traffic by analysing the data packets and determining whether each should be allowed through, based on a predetermined rule set. A network firewall builds a bridge between an internal network or computer that is assumed to be secure and trusted, and another network, usually an external (inter)network such as the Internet, that is not assumed to be secure or trusted.

Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.

Firewall Types

Network layer firewalls

Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. The firewall administrator may define the rules, or default rules may apply. The term “packet filter” originated in the context of BSD operating systems.

Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions and use that “state information” both to decide whether a packet belongs to a connection that was already permitted and to speed packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection’s lifetime (session initiation, handshaking, data transfer, or connection completion). If a packet does not match an existing connection, it is evaluated against the rule set for new connections. If a packet matches an existing connection in the firewall’s state table, it is allowed to pass without further rule processing. A stateless filter, by contrast, judges every packet on its own header fields, so it must carry permissive rules for reply traffic (for example, “allow inbound TCP with source port 443”) that a stateful filter does not need.
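The difference matters in practice, so here is an added example (not code from the page or from any firewall product) that implements both strategies over a constructed packet model. The rule format, the addresses and the assumption that 10.0.0.0/24 is the protected network are all choices made for this example; the state-table handling is simplified (no timeouts, a two-stage TCP lifecycle) compared with a real kernel implementation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed packet model: only the header fields a layer-3/4 filter inspects.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP SYN flag: set on the first packet of a new connection
    fin: bool = False   # TCP FIN flag: the connection is being closed

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in", "out" or "any", relative to the protected network
    proto: str = "any"
    dport: Optional[int] = None
    sport: Optional[int] = None

INTERNAL_PREFIX = "10.0.0."     # assumption for the example: protected network is 10.0.0.0/24

def direction(pkt: Packet) -> str:
    return "out" if pkt.src.startswith(INTERNAL_PREFIX) else "in"

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", direction(pkt))
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.sport is None or rule.sport == pkt.sport))

def first_match(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation with an implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

class StatelessFilter:
    """Every packet is judged on its own header fields."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        return first_match(self.rules, pkt)

FlowKey = Tuple[str, int, str, int, str]

class StatefulFilter:
    """Rules are consulted only for new connections; later packets are matched
    against the state table. Stages are simplified to SYN_SENT -> ESTABLISHED,
    with the entry removed on FIN; a real table also times entries out."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.table: Dict[FlowKey, str] = {}

    @staticmethod
    def key(pkt: Packet) -> FlowKey:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def reverse_key(pkt: Packet) -> FlowKey:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def decide(self, pkt: Packet) -> str:
        fwd, rev = self.key(pkt), self.reverse_key(pkt)
        if fwd in self.table:                 # same direction as the initiator
            if pkt.fin:
                del self.table[fwd]
            return "allow"
        if rev in self.table:                 # reply from the responder
            self.table[rev] = "ESTABLISHED"
            if pkt.fin:
                del self.table[rev]
            return "allow"
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                     # mid-stream packet with no known connection
        action = first_match(self.rules, pkt)  # genuinely new connection: consult the rules
        if action == "allow":
            self.table[fwd] = "SYN_SENT"
        return action

def compare(stateless: StatelessFilter, stateful: StatefulFilter,
            packets: List[Packet]) -> List[Tuple[str, str]]:
    return [(stateless.decide(p), stateful.decide(p)) for p in packets]

def demo() -> List[Tuple[str, str]]:
    # Policy: internal hosts may open HTTPS connections outward, nothing else.
    outbound_https = Rule("allow", "out", "tcp", dport=443)
    # The stateless filter cannot recognise replies, so it needs a rule keyed on the
    # remote source port; that rule is exactly the hole the third packet abuses.
    stateless = StatelessFilter([outbound_https, Rule("allow", "in", "tcp", sport=443), Rule("deny", "any")])
    stateful = StatefulFilter([outbound_https, Rule("deny", "any")])
    packets = [  # constructed traffic
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True),   # client opens HTTPS
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, syn=True),   # server's SYN-ACK
        Packet("198.51.100.7", 443, "10.0.0.5", 31337, syn=True),   # attacker using sport 443
    ]
    return compare(stateless, stateful, packets)

if __name__ == "__main__":
    for stateless_verdict, stateful_verdict in demo():
        print(f"stateless={stateless_verdict:5s} stateful={stateful_verdict}")
```

The third packet is the point: both filters let the legitimate connection and its reply through, but only the stateless filter admits a spoofed inbound packet whose source port happens to be 443, because it has no way to know that nobody inside ever opened that connection.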

The Benefits of Firewalls

  • Blocks hostile inbound connections to a network and, with egress rules, limits what compromised hosts can reach outward.
  • Firewalls can monitor and record connection information. This can be of value in determining who is accessing what type of resource.
  • Firewalls can be used to complement or supplement content and email filtering solutions.
  • Firewalls can block many malware delivery and command-and-control channels before they reach a host, although they do not replace email or endpoint anti-malware controls.
  • Firewalls can be set up to allow certain users to access certain information while preventing others from doing so.
  • Firewalls can also log internet usage, i.e. which users or hosts generate the most traffic and how this affects the performance of the network.
  • A caveat rather than a benefit: because a firewall concentrates security at one choke point, it can become a constraint or bottleneck on the network.
  • Organisations need a written policy or procedure that outlines what information can be accessed by employees and by whom. A firewall can be used to enforce these policies.

Proxy server

A proxy server (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, while blocking other packets. A proxy server is a gateway from one network to another for a specific network application, in the sense that it functions as a proxy on behalf of the network user.

Application-layer firewalls

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender).

By inspecting the content of packets rather than only their headers, application-layer firewalls can restrict or prevent outright the spread of networked computer worms and trojans. The additional inspection criteria can add extra latency to the forwarding of packets to their destination.
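To make the proxy and application-layer behaviour concrete, here is an added example (not from the page or from any product) of an HTTP-aware filter: it parses the request line and headers, applies an application-level policy, and shows the two blocking styles described above, silent drop versus a proxy-style response. The method and host allowlists, the size limit, the traversal pattern and the sample requests are all constructed for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed policy for the example (assumptions, not any vendor's defaults).
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
ALLOWED_HOSTS = {"intranet.example.com", "www.example.com"}
MAX_BODY = 1_000_000
# Generic bad-path patterns (directory traversal, encoded traversal, NUL byte).
BAD_PATH = re.compile(r"(\.\./|%2e%2e/|%00)", re.IGNORECASE)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def parse_http_request(raw: bytes) -> Optional[Dict[str, object]]:
    """Parse an HTTP/1.x request head. Returns None when the message is not
    well-formed; a packet filter would have forwarded it without looking."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "path": m.group(2), "headers": headers, "body": body}

def inspect_request(raw: bytes) -> Tuple[str, str]:
    """Return ("allow", "") or ("deny", reason) for one request."""
    req = parse_http_request(raw)
    if req is None:
        return "deny", "malformed request"
    if req["method"] not in ALLOWED_METHODS:
        return "deny", f"method {req['method']} not permitted"
    host = req["headers"].get("host", "")
    if host.split(":")[0] not in ALLOWED_HOSTS:
        return "deny", f"host {host!r} not permitted"
    if BAD_PATH.search(req["path"]):
        return "deny", "path traversal pattern"
    try:
        declared = int(req["headers"].get("content-length", "0"))
    except ValueError:
        return "deny", "bad content-length"
    if declared > MAX_BODY or len(req["body"]) > MAX_BODY:
        return "deny", "body too large"
    return "allow", ""

def handle(raw: bytes, mode: str = "firewall") -> Optional[bytes]:
    """Transparent application-layer firewall: blocked requests are dropped with
    no reply (None). Proxy mode: answer the client the way the application would."""
    verdict, reason = inspect_request(raw)
    if verdict == "allow":
        return raw                        # forward unchanged to the real server
    if mode == "proxy":
        return (b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n"
                b"X-Block-Reason: " + reason.encode() + b"\r\n\r\n")
    return None

# Constructed sample traffic.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRAVERSAL = b"GET /files/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TUNNEL = b"CONNECT evil.example:443 HTTP/1.1\r\nHost: evil.example\r\n\r\n"
GARBAGE = b"\x00\x01notHTTP"

if __name__ == "__main__":
    for sample in (GOOD, TRAVERSAL, TUNNEL, GARBAGE):
        print(inspect_request(sample))
```

Note that the parser refuses anything it cannot parse rather than passing it through: fail-closed is the right default for an inline inspection device, and it is also why application-layer filters add latency and can become the bottleneck the earlier section mentions.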

Next Generation Firewalls & IPS

Palo Alto NGFW
Fortinet FortiGate
Juniper SRX Series
Barracuda NGFW
Forcepoint NGFW
Trend Micro IPS (Tipping Point)

Palo Alto Networks, Inc. has pioneered the next generation of network security with an innovative platform that allows you to secure your network and safely enable an increasingly complex and rapidly growing number of applications. At the core of this platform is the next-generation firewall, which delivers visibility and control over applications, users, and content within the firewall using a highly optimised hardware and software architecture.

Palo Alto Networks® next-generation firewalls detect known and unknown threats, including in encrypted traffic, using intelligence generated across many thousands of customer deployments. That means they reduce risks and prevent a broad range of attacks. For example, they enable users to access data and applications based on business requirements as well as stop credential theft and an attacker’s ability to use stolen credentials.

As security architects consider how to provide comprehensive threat protection for their enterprises, including intrusion prevention, web filtering, anti-malware and application control, they face a major complexity hurdle managing these point products with no integration and lack of visibility. Gartner estimates that by 2019 80% of enterprise traffic will be encrypted and 50% of attacks targeting enterprise will be hidden in encrypted traffic.

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance including encrypted traffic. FortiGate reduces complexity with automated visibility into applications, users and network and provides security ratings to adopt security best practices. 

FortiGate enterprise firewalls offer flexible deployments from the network edge to the core, data center, internal segments, and the cloud. FortiGate enterprise firewalls leverage purpose-built security processors (SPUs) that deliver scalable performance for advanced security services such as threat protection and SSL inspection, with ultra-low latency for protecting internal segments and mission-critical environments.

FortiGate NGFW provides automated visibility into cloud applications and IoT devices and automatically discovers an end-to-end topology view of the enterprise network. FortiGate is a core part of the Fortinet Security Fabric, and its validated security protects the enterprise network from known and unknown attacks.

Juniper Networks ISG Series Integrated Security Gateways are purpose-built security solutions that are ideally suited for securing enterprise, carrier, and data center environments where consistent, scalable performance is required.

Juniper SRX Series offers:

  • Predictable performance: ASIC-based architecture provides linear performance for all packet sizes at multi-gigabit speeds.
  • System and network resiliency: Hardware component redundancy, multiple high availability options and route based VPNs offer reliability and resiliency.
  • Network security: The SRX Series provides embedded Web filtering, anti-spam, IPS, ICAP antivirus redirect, and optionally integrated IDP.
  • Network segmentation: Security zones, virtual systems, VLANs and virtual routers allow administrators to deploy security policies to isolate guests and regional servers or databases.
  • Certifications: The SRX Series fulfils the requirements for FIPS, Common Criteria, ICSA, and others.

The Barracuda NG Firewall is an enterprise-grade next-generation firewall that was purpose-built for efficient deployment and operation within dispersed, highly dynamic, and security-critical network environments.

Modern cyber threats such as ransomware and advanced persistent threats, targeted attacks, and zero-day threats, require progressively sophisticated defense techniques that balance accurate threat detection with fast response times. Barracuda CloudGen Firewall offers a comprehensive set of next-generation firewall technologies to ensure real-time network protection against a broad range of network threats, vulnerabilities, and exploits, including SQL injections, cross-site scripting, denial of service attacks, trojans, viruses, worms, spyware, and many more.

Barracuda’s firewalls can be deployed across multiple physical locations as well as in Microsoft Azure, AWS, and Google Cloud Platform.

Forcepoint Next Generation Firewall (NGFW) combines fast, flexible networking (SD-WAN and LAN) with industry-leading security to connect and protect people and the data they use throughout diverse, evolving enterprise networks. Forcepoint NGFW provides consistent security, performance and operations across physical, virtual and cloud systems. It’s designed from the ground up for high availability and scalability, as well as centralized management with full 360° visibility.

Trend Micro IPS (TippingPoint) goes beyond next-gen IPS to address the evolving requirements of the most demanding data centers and enterprise networks without sacrificing security or performance. With purpose-built hardware, centralized management, and industry-leading threat intelligence, it provides a smart, optimized, and connected network security solution that integrates across all types of environments.

Network Detection and Response

Vectra NDR
Fidelis Network
ExtraHop Reveal(x)
Lastline Defender
Palo Alto Cortex XDR
Trend Micro Vision One XDR
Kaspersky EDR

Vectra Cognito is a threat detection and response platform that uses artificial intelligence to detect attacker behavior and protect both hosts and users from being compromised. Vectra Cognito provides high fidelity alerts and does not decrypt data so you can be secure and maintain privacy whether that’s in the cloud, data center, enterprise networks, or IoT devices. 

Fidelis Network® provides visibility across all ports and protocols and digs deeper into the traffic to analyze connections, flows, packets and metadata in real-time, while also enabling retrospective analysis. With Fidelis you can automatically pivot to an integrated Endpoint Detection and Response solution, which is critical to containing and minimizing resolution time of a detected threat.

ExtraHop Reveal(x) Enterprise is a network detection and response (NDR) platform providing east-west visibility, real-time threat detection inside the perimeter, and intelligent response at scale.

ExtraHop Reveal(x) network detection and response automatically discovers and classifies every transaction, session, device, and asset in your enterprise at up to 100Gbps, decoding over 70 enterprise protocols and extracting over 5,000 features to keep our machine learning accurate and precise.

Lastline Defender™, a Network Detection and Response (NDR) platform, detects and contains sophisticated threats before they disrupt your business.

Lastline’s network security software delivers high-fidelity insights into advanced threats entering or operating in on-premises and cloud networks, enabling the security team to respond faster and more effectively to threats.

Cortex XDR is the world’s first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks. It unifies prevention, detection, investigation, and response in one platform for unrivaled security and operational efficiency. Cortex XDR accurately detects threats with behavioral analytics and reveals the root cause to speed up investigations.

Tight integration with enforcement points accelerates containment, enabling you to stop attacks before the damage is done. Combined with Palo Alto Networks’ Managed Threat Hunting service, Cortex XDR gives you round-the-clock protection and broad coverage of MITRE ATT&CK techniques.

The Trend Micro Vision One platform includes advanced XDR capabilities that collect and correlate deep activity data across multiple vectors – email, endpoints, servers, cloud workloads, and networks – enabling a level of detection and investigation that is difficult or impossible to achieve with SIEM, EDR, or other individual point solutions.

With a combined context, events that seem benign on their own suddenly become meaningful indicators of compromise, and you can quickly contain the impact, minimizing the severity and scope.

The XDR functionality of Trend Micro Vision One provides a SIEM connector to forward alerts. By correlating events from Trend Micro products, fewer, higher-confidence alerts are sent, reducing the triage effort required by security analysts. Upon clicking on a SIEM alert, an analyst can access the XDR investigation workbench to get further visibility, conduct deeper analysis, and take necessary action.

Kaspersky EDR is a cybersecurity solution for the protection of corporate IT systems. It adds endpoint detection and response (EDR) capabilities to IT security:

  • Extract patterns of elaborate attacks, automatically and manually, from events on many hosts.
  • Respond to attacks by blocking their progress.
  • Prevent future attacks.

Kaspersky EDR adds protection power to an existing EPP solution. EPP specialises in simpler mass attacks (viruses, Trojans, etc.), while EDR concentrates on advanced attacks. With this solution, analysts can view malware activity as well as events involving legitimate software in the context of an attack, uncovering the whole kill chain.

Kaspersky EDR is fully integrated with Kaspersky Enterprise Security EPP, and it can also work with other vendors’ EPP solutions. The EDR adds the following:

  • Multi-host event visibility: aggregation of attack traces scattered around the IT system
  • Detection with “heavy” methods that require more computing power than a regular user endpoint can spare without affecting the user’s workflow: advanced pre-processing, sandboxing, heavy machine learning models including deep learning, and others. Heavy methods provide better-quality detection.
  • Expert tools for incident investigation, proactive threat hunting and attack response

Security Automation

Splunk SOAR
Cortex XSOAR

Splunk SOAR combines security infrastructure orchestration, playbook automation, case management capabilities and integrated threat intelligence to streamline your team, processes and tools.

Splunk SOAR’s flexible app model supports hundreds of tools and thousands of unique APIs, enabling you to connect and coordinate complex workflows across your team and tools. Powerful abstraction allows you to focus on what you want to accomplish, while the platform translates that into tool-specific actions.

Splunk SOAR enables you to work smarter by executing a series of actions — from detonating files to quarantining devices — across your security infrastructure in seconds, versus hours or more if performed manually. Codify your workflows into automated playbooks using our visual editor (no coding required) or the integrated Python development environment.

Cortex™ XSOAR is a comprehensive security orchestration, automation and response (SOAR) platform that unifies case management, automation, real-time collaboration and threat intel management to serve security teams across the incident lifecycle.
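The “abstraction” that both the Splunk SOAR and Cortex XSOAR descriptions above refer to (a generic action the playbook asks for, translated into tool-specific calls) is easier to see in code. The following is an added example written for this page, not code from either product: a minimal orchestrator with two hypothetical firewall adapters, a constructed threat-intelligence table standing in for an enrichment lookup, and a playbook that enriches, decides, contains and records an audit trail, continuing when one tool fails.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Constructed threat-intel verdicts standing in for a real enrichment API.
THREAT_INTEL: Dict[str, Dict[str, Any]] = {
    "198.51.100.7": {"malicious": True, "tags": ["scanner", "bruteforce"]},
    "203.0.113.10": {"malicious": False, "tags": []},
}

@dataclass
class Case:
    alert: Dict[str, str]
    severity: str = "low"
    notes: List[str] = field(default_factory=list)
    actions: List[Dict[str, str]] = field(default_factory=list)   # audit trail

# Tool adapters: the tool-specific side of the abstraction. Both are hypothetical
# and only record what a real API call would have done.
class FirewallA:
    name = "firewall-a"

    def __init__(self) -> None:
        self.blocked: set = set()

    def block_ip(self, ip: str) -> str:
        self.blocked.add(ip)
        return f"{self.name}: added {ip} to blocklist"

class FirewallB:
    name = "firewall-b"

    def __init__(self, fail: bool = False) -> None:
        self.blocked: set = set()
        self.fail = fail            # simulate an unreachable management API

    def block_ip(self, ip: str) -> str:
        if self.fail:
            raise ConnectionError(f"{self.name}: API unreachable")
        self.blocked.add(ip)
        return f"{self.name}: policy pushed for {ip}"

class Orchestrator:
    """Dispatches a generic action name to every registered tool that implements it."""
    def __init__(self) -> None:
        self.tools: List[Any] = []

    def register(self, tool: Any) -> None:
        self.tools.append(tool)

    def run(self, case: Case, action: str, **params: Any) -> int:
        succeeded = 0
        for tool in self.tools:
            fn = getattr(tool, action, None)
            if fn is None:
                continue                # this tool cannot perform the action
            try:
                result = fn(**params)
                succeeded += 1
            except Exception as exc:    # one failing tool must not abort the playbook
                result = f"FAILED: {exc}"
            case.actions.append({"tool": tool.name, "action": action, "result": result})
        return succeeded

def playbook_suspicious_login(orch: Orchestrator, alert: Dict[str, str]) -> Case:
    """Enrich -> decide -> contain, recording every step on the case."""
    case = Case(alert=alert)
    ip = alert["src"]
    intel = THREAT_INTEL.get(ip, {"malicious": False, "tags": []})     # step 1: enrich
    case.notes.append(f"intel for {ip}: {intel}")
    if not intel["malicious"]:                                         # step 2: decide
        case.notes.append("source not known-bad; leaving for analyst review")
        return case
    case.severity = "high"
    done = orch.run(case, "block_ip", ip=ip)                            # step 3: contain
    case.notes.append(f"block_ip succeeded on {done}/{len(orch.tools)} tools")
    return case

if __name__ == "__main__":
    orch = Orchestrator()
    orch.register(FirewallA())
    orch.register(FirewallB(fail=True))
    case = playbook_suspicious_login(orch, {"src": "198.51.100.7", "user": "admin"})
    print(case.severity, case.actions)
```

The playbook never names a vendor: it asks for `block_ip`, and the orchestrator works out which tools can do it. The audit trail is what makes partial failure visible to the analyst, which matters more than the happy path when a containment step silently does not apply everywhere.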

VPNs

Ivanti Pulse Connect Secure

Pulse Clients securely connect users to networks, both data center and cloud. Wrapped in a user-friendly package, Pulse Clients dynamically enable the appropriate network and security services on users’ endpoints, so users are not distracted from their work to figure out which network they are on or which service to enable. Pulse Client delivers dynamic access control, seamlessly switching between remote (SSL VPN) and local (NAC) access control services on Microsoft Windows devices. Pulse Client also performs endpoint security posture assessment for mobile and desktop devices, and can quarantine and remediate them if necessary.

Workforce productivity now extends beyond BYOD. More enterprises are combining applications and data across data center and cloud resources to meet growing demand, and the result is a hybrid approach blending private and public IT architectures. Pulse Cloud Secure addresses this hybrid IT model by blending cloud and data center access into a single user experience.

Packet Brokers

Gigamon

Gigamon Next-Generation Network Packet Broker ensures that the right traffic is sent to the right inline and out-of-band prevention tools. Whether a network setup is on-premises, virtual or in the cloud, an intelligent network packet broker provides the perfect visibility foundation. Next-generation network packet brokers support:

IP Address Management

Infoblox IPAM

With Infoblox IPAM (IP address management) and DHCP, you can automate and centralize all aspects of IP address provisioning and DHCP server management in conjunction with DNS. The integrated platform handles IPAM and DHCP requirements across on-premises networks, data centers and hybrid cloud environments.

Identity Detection & Response

Attivo IDR

Attivo Networks has leveraged its deep experience in privilege escalation and lateral movement detection to become a significant player in the IDR space. In the last year, the company has secured its leadership position based on its broad portfolio of IDR solutions, which include:

  • ThreatStrike for protection against credential theft and misuse
  • ThreatPath for attack path visibility and attack surface reduction
  • ADSecure for detection of unauthorized activity and attacks on Active Directory
  • ADAssessor for continuous visibility to exposures with Active Directory and activities that would indicate an attack
  • IDEntitleX for end-to-end visibility to cloud entitlement (CIEM) exposures


Security Information & Event Management

Splunk SIEM
IBM QRadar
ArcSight ESM
Exabeam Fusion SIEM

Splunk is a real-time, analytics-driven SIEM application that collects, analyses, and correlates large amounts of network and machine data. Splunk, which is managed through a web browser, gives security teams the relevant and actionable intelligence they need to respond to threats more effectively and maintain their security posture at scale.

IBM Security™ QRadar® Security Information and Event Management (SIEM) helps security teams detect, prioritize and respond to threats across the enterprise. It automatically analyzes and aggregates log and flow data from thousands of devices, endpoints and apps across your network, providing consolidated alerts to speed incident analysis and remediation. QRadar SIEM is available for on-prem and cloud environments.

Empower your security operations team with ArcSight Enterprise Security Manager (ESM), a powerful, adaptable SIEM that delivers real-time threat detection and native SOAR technology to your SOC.

Ingestion and interpretation of logs, connection to threat intelligence feeds, real-time correlation and analytics, security alerting, data display through user interface dashboards and reporting, and compliance reporting and assistance are all included in ArcSight Enterprise Security Manager (ESM). Baselining and outlier alerting are also possible with ESM, by integrating it with other analytics tools such as ArcSight User Behavior Analytics (UBA). Asset and network modelling, prioritisation, geo-location, vulnerability modelling, and user modelling are some of the data enrichment capabilities.
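Both the XDR description above (events that look benign on their own becoming meaningful together) and the ArcSight “real-time correlation” here come down to the same mechanism: a rule that keeps state across events and fires only when a sequence completes. The following added example, written for this page and not taken from any SIEM, implements one such rule over constructed sshd-style log lines: several failed passwords from one source within a window, followed by a success from the same source. The log format, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed sshd-style log lines (not real data). The first source fails five
# times and then succeeds; the second is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host1 sshd[2001]: Failed password for admin from 198.51.100.7 port 50001 ssh2
2024-05-01T10:00:03Z host1 sshd[2001]: Failed password for admin from 198.51.100.7 port 50002 ssh2
2024-05-01T10:00:04Z host1 sshd[2001]: Failed password for root from 198.51.100.7 port 50003 ssh2
2024-05-01T10:00:06Z host1 sshd[2001]: Failed password for admin from 198.51.100.7 port 50004 ssh2
2024-05-01T10:00:09Z host1 sshd[2001]: Failed password for admin from 198.51.100.7 port 50005 ssh2
2024-05-01T10:00:11Z host1 sshd[2001]: Accepted password for admin from 198.51.100.7 port 50006 ssh2
2024-05-01T10:05:00Z host1 sshd[2002]: Failed password for alice from 10.0.0.23 port 40001 ssh2
2024-05-01T10:05:04Z host1 sshd[2002]: Accepted password for alice from 10.0.0.23 port 40002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(line: str) -> Optional[Dict[str, object]]:
    """Normalise one raw line into a typed event; unknown lines are skipped."""
    m = LINE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "ts": datetime.strptime(g["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": g["host"],
        "outcome": g["outcome"],
        "user": g["user"],
        "src": g["src"],
    }

def correlate(log: str, threshold: int = 5,
              window: timedelta = timedelta(seconds=60)) -> List[Dict[str, object]]:
    """Fire when one source accumulates `threshold` failures inside `window`
    and then authenticates successfully: a brute force that worked."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    for line in log.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > window:   # evict failures outside the window
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "ssh-bruteforce-success",
                "src": src,
                "user": ev["user"],
                "host": ev["host"],
                "failures": len(recent),
                "at": ts.isoformat(),
            })
            recent.clear()                           # one alert per successful sequence
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Each individual line here would be noise in isolation (failed logins happen constantly, successful ones are expected); the correlation state is what turns the sequence into a single high-confidence alert, and the window eviction is what keeps an attacker from spreading attempts over a day to stay under the threshold only if the window is chosen with that in mind.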

Exabeam Fusion SIEM offers security analytics and automation with enterprise-scale logging and search. Cloud-delivered, Fusion SIEM leverages machine learning and automation to detect threats other tools miss, boost analyst productivity, and provide Threat Detection, Investigation, and Response (TDIR). Fusion SIEM compliance packages include PCI-DSS, HIPAA, SOX, and GDPR.