
Modern firewalls: from narrow specialization to universal protection

Kerio WinRoute Firewall

Kerio WinRoute Firewall (hereinafter WinRoute) is a network firewall designed to protect the perimeter of a local network from destructive and prying intrusions from the outside (for example, from the Internet), to provide local users with access to the Internet, to filter traffic, and to provide all kinds of statistics. To assess the product's capabilities, its management interface and the logic of its operation, we will consider in some detail its main function, protecting the local network and managing traffic, and then briefly list the additional features of WinRoute.

The computer on which WinRoute is installed must have at least two network interfaces: one connected to the local network and the other to a public one (for example, the Internet). After installing WinRoute and restarting the computer, launch the WinRoute management console, which immediately prompts you to run the Network Rules Wizard. Running the wizard at this stage is very important, especially for those installing WinRoute for the first time: the wizard creates a basic set of packet rules (traffic policy rules), which will later help you understand how such rules work, what they consist of, and how to create them. Packet rules are the key element of a network firewall; they determine which data streams (network packets) pass freely to and from the local network, and which are blocked for security reasons. Let's take a look at the most important steps of the wizard.

Step 3 - selection of the network interface connected to the external network, that is, to the Internet. WinRoute determines the most suitable interface available on the host based on its IP address and offers it first. If the host has multiple interfaces with IP addresses in the external range, you may need to specify the required interface explicitly. (WinRoute identifies and displays all interfaces by the names assigned to them in the operating system.)

Step 4 - selection of the services (protocols) that will be available to local network users when accessing the Internet. Two options are available here: allow all services (no restrictions) or allow only certain ones. For the second case, WinRoute offers a list of the most requested services (for example, HTTP, FTP, SMTP, etc.), and you tick the ones you need. For further consideration we choose the first option, "no restrictions".

Step 6 - selection of servers located in the local network that should be accessible from the Internet (for example, a Web server, mail server, etc.). Even if you do not have such servers, it is better to say that you do, in order to review the corresponding rules later. In this way we give the wizard the opportunity to create them, so that we can then learn from it how it is done. To add a server, you must specify: 1) its local IP address, or the value "Firewall" (if the server runs on the same host where WinRoute is installed); 2) the service (HTTP for a Web server, SMTP for a mail server, etc.).

Step 7 - allow NAT (Network Address Translation). NAT must be enabled for local network users to use the Internet (this is our choice). NAT needs to be disabled only in very rare cases, when WinRoute is used exclusively as an ordinary router between two or more networks (not our case).

Next, let the wizard finish its work. Since the wizard can be launched at any time (not just right after WinRoute is installed), it destroys all old rules to avoid inconsistencies in the packet rules. So our firewall is already working and fulfilling its main function, protecting the local network (as a first approximation, of course). Now you can take your time to review and, most importantly, understand how packet rules work.

Packet rules in WinRoute are collected in one table (Fig. 1) and are strictly ordered (the top rule is the first). The order of the rules can be changed. Any packet arriving at the Firewall host (the term "Firewall" is used in WinRoute for the host on which it is installed) is checked against the rules starting from the first. If a packet does not meet the conditions of the current rule, the next one is tried, and so on. A packet that reaches the last rule, which says "deny all", is mercilessly discarded (what is not allowed is prohibited). The last "deny all" rule cannot be deleted, moved or edited (with minor exceptions). In front of each rule's heading there is a check box: if it is checked, the rule is active; otherwise the WinRoute engine ignores the rule as if it were not there. This is very convenient if you need to experiment or turn a rule on and off from time to time for some reason: you do not need to delete and recreate it. Note that the "on / off" principle is used almost everywhere in WinRoute, which is an undoubted advantage of the program's interface.

Each packet rule consists of several fields: packet source (where it came from), destination (where it wanted to go next), service (protocol), action, logging, address translation. Source and destination follow the same format - here's an impressive list of possible options:

  • host;
  • IP range;
  • group of IP addresses;
  • net / mask;
  • the network connected to the interface;
  • users;
  • Firewall host.

Service indicates the protocol within which the packet operates. WinRoute has 79 predefined services, for which the administrator does not even need to know the port numbers (do you remember the port number of the Windows terminal service, RDP, Remote Desktop Protocol?): just select the service by name from the table. But you can also set a port number as the service, or define your own (new) protocol, add it to the services table, and then use it by name.

The action determines three possible fates for the packet: allow, deny (notifying the sender), or discard (without notifying the sender, letting him think his packets vanish into a black hole). Incidentally, this is one of the two parameters that can be changed in the last rule, "deny all": you can choose "deny" or "discard". The WinRoute developers recommend "deny" for packets from the local network and "discard" for packets coming from outside.

Logging is quite developed in WinRoute, but we will not dwell on this. By the way, this is the second parameter that can be changed in the "deny all" rule.

Address translation has two options: source NAT (Internet sharing / IP masquerade) or destination NAT (port mapping). The first replaces the local source address of packets going out to the Internet with the external address of one of the Firewall host's network interfaces; the local address is replaced with an external (routable) address so that replies to your network requests can come back. Port mapping is used so that external computers can access a server located inside the local network.

Now let's look at the rules shown in Fig. 1. Some of them were created by the WinRoute wizard, while others were added manually later.

A rule named "NAT" (created by the wizard). In this table, this is the only rule responsible for passing packets from the local network (interface "Local", 10.0.0.0) to the Internet (interface "M", 200.200.200.99). (We will consider the interface named "Z" later.) Since "Any" is specified in the "Service" field, packets of any protocol are allowed, that is, there are no restrictions on local users accessing external services. NAT is set in the address translation field. If you need to prohibit access to some services, duplicate this rule (right-click) and in the new rule specify the prohibited service, or several at once. Move the new rule above the old one, and the goal is achieved. If, on the contrary, only some specific services should be allowed, double-click the word "Any" in this rule and a window will appear where you can select the allowed services. After that, you can consider that you have already learned how to manage the Internet access of local users (as far as WinRoute is concerned).

The rule named "Firewall Traffic" (created by the wizard) differs from the "NAT" rule only by the absence of address translation, since the Firewall host has external IP addresses. Pay attention to the source - "Firewall", that is, the rule applies only to packets originating on the Firewall host itself.

The "Local Traffic" permissive rule (created by the wizard) describes all possible combinations of source and destination of packets within the local network, including the computer on which WinRoute is installed.

The "Service FTP" rule allows outside access to your FTP server, and the "Service SMTP" rule allows outside access to your mail server. Both rules are created by the wizard. The only difference between them is that the FTP server runs on the same computer as WinRoute, while the mail server is installed on a local machine with the IP address 10.0.0.51. Note that the "Service SMTP" rule has no check mark on the left: it does not work, it is just a stub that we do not need yet. So, now you know how to provide access to your servers through WinRoute.

Let's turn to the rules that we had to create manually. We want to deny access to our network, and therefore to our servers, to some overly zealous fans of our FTP server. For this, a rule named "Forbidden" has been created, with the name of an IP address group in the source field so as not to pile many addresses into the rule itself. Addresses can be added to this group as needed, or the effect of some address can be temporarily suspended (by unchecking it). Such a group is created elsewhere, but what matters for us now is that it can be created, edited, and applied in several rules. An address group can contain individual IP addresses, a network with a mask, or a range of IP addresses. Note that this rule comes before the other rules that allow access to the local network, and therefore the owners of such addresses will not be able to access any of our servers (if any). If you need to block access only to the FTP server, specify "FTP" instead of "Any" in the "Service" field and then simply place this rule before the "Service FTP" rule; its position relative to the other rules does not matter.

Three rules, titled "Web server ...", demonstrate granting access to a terminal server (RDP service) only from a specific IP address and access for Web developers from a specific network. The destination field does not contain the name of the interface, but a specific IP address, since the M interface is assigned multiple addresses, and using the name is equivalent to specifying only the primary address of the interface.
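To make the first-match logic of the rule table concrete, here is an added example (written for this page, not WinRoute code) that models the Fig. 1 table as a small evaluator: the addressing beyond 10.0.0.0, 200.200.200.99 and 10.0.0.51, the contents of the "Forbidden" group and the exact rule order are assumptions, and the "deny all" rule is fixed at the end as described above.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addressing for the Fig. 1 setup: the page gives only 10.0.0.0,
# 200.200.200.99 and 10.0.0.51; the mask, the firewall's inner address and the
# contents of the "Forbidden" group are assumptions for this example.
LOCAL_NET = ip_network("10.0.0.0/8")
FIREWALL_ADDRS = {ip_address("10.0.0.1"), ip_address("200.200.200.99")}
ADDRESS_GROUPS = {
    "Forbidden": [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")],
}

@dataclass
class Rule:
    name: str
    src: str              # "Any", "Local", "M", "Firewall" or an address-group name
    dst: str
    service: str          # "Any" or a service name such as "FTP"
    action: str           # "allow", "deny" (sender notified) or "discard" (silent)
    nat: str = ""         # "source" (IP masquerade) or "map <ip>" (port mapping)
    enabled: bool = True  # the check mark in front of the rule

def endpoint_matches(selector: str, addr) -> bool:
    """Resolve a source/destination selector the way the rule table does."""
    if selector == "Any":
        return True
    if selector == "Firewall":
        return addr in FIREWALL_ADDRS
    if selector == "Local":
        return addr in LOCAL_NET
    if selector == "M":   # the Internet-facing interface: anything that is not ours
        return addr not in LOCAL_NET and addr not in FIREWALL_ADDRS
    if selector in ADDRESS_GROUPS:
        return any(addr in net for net in ADDRESS_GROUPS[selector])
    raise ValueError(f"unknown selector {selector!r}")

# The immovable last rule; its action is one of the two things that can be changed.
DENY_ALL = Rule("Deny all", "Any", "Any", "Any", "discard")

# Constructed ordering of the rules discussed above: "Forbidden" sits above the
# wizard's server rules so that blocked addresses never reach them.
RULES = [
    Rule("Forbidden", "Forbidden", "Any", "Any", "deny"),
    Rule("Service FTP", "M", "Firewall", "FTP", "allow"),
    Rule("Service SMTP", "M", "Firewall", "SMTP", "allow", nat="map 10.0.0.51", enabled=False),
    Rule("Local Traffic", "Local", "Local", "Any", "allow"),
    Rule("NAT", "Local", "M", "Any", "allow", nat="source"),
    Rule("Firewall Traffic", "Firewall", "M", "Any", "allow"),
]

def evaluate(src: str, dst: str, service: str, rules=RULES) -> Rule:
    """First match wins; unchecked rules are skipped; no match means "deny all"."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if not rule.enabled:
            continue
        if (endpoint_matches(rule.src, s) and endpoint_matches(rule.dst, d)
                and rule.service in ("Any", service)):
            return rule
    return DENY_ALL

def decide(src: str, dst: str, service: str, rules=RULES) -> tuple:
    """Convenience wrapper returning (rule name, action, translation)."""
    rule = evaluate(src, dst, service, rules)
    return rule.name, rule.action, rule.nat

def toggled(name: str, enabled: bool, rules=RULES) -> list:
    """Copy of the table with one rule's check mark changed: no delete/recreate needed."""
    return [replace(r, enabled=enabled) if r.name == name else r for r in rules]

if __name__ == "__main__":
    for flow in [("10.0.0.5", "192.0.2.10", "HTTP"), ("203.0.113.9", "200.200.200.99", "FTP"),
                 ("192.0.2.10", "200.200.200.99", "SMTP")]:
        print(flow, "->", decide(*flow))
    print("SMTP stub enabled ->", decide("192.0.2.10", "200.200.200.99", "SMTP",
                                         toggled("Service SMTP", True)))
```

Swapping "Forbidden" below "Service FTP" in the list lets a blocked address reach the FTP server again, which is exactly the ordering point made for the "Forbidden" rule.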

WinRoute provides connection redundancy. Suppose there are two external connections (one of them may be a telephone modem) and, accordingly, two interfaces (network cards) in the Firewall host. WinRoute uses only one of them at a time, but if that channel is "cut off", WinRoute switches all external traffic to the other. The administrator determines which connection is primary and which is secondary. The primary connection is used whenever it is physically working. If it becomes necessary to switch to the secondary interface, from that moment WinRoute constantly monitors the primary connection and, as soon as it returns to normal, switches all traffic back to it. In the rules in Fig. 1, the interface named "Z" provides the backup channel.

Let's take a quick look at traffic filtering. Traffic filtering in WinRoute is quite advanced but applies only to HTTP and FTP traffic. Traffic can be filtered by site name, by a substring of the site name, by the presence of certain words in the transmitted data (word lists can be created and edited), etc. For FTP traffic, FTP commands can be used as a filtering criterion; for example, you can prohibit uploading files from the local network to external FTP servers. Users or groups of users can also be used as a filtering criterion.

Anti-virus filtering applies to HTTP, FTP, SMTP, and POP3 protocols. The settings are pretty obvious. It should be noted that WinRoute can be supplied with McAfee antivirus scanner as standard, but it can be paired with other third-party scanners (there are seven scanners in the list).

The statistics in WinRoute are presented quite comprehensively. Traffic volume can be viewed in both directions (input and output) separately for network interfaces or for users. Since statistics are presented in tabular form, the data can be sorted by any column in ascending or descending order. And the columns offer the following options: per day, per week, per month, total (for the entire time after WinRoute installation). In addition, statistics on network interfaces can be presented graphically for the periods: 2 hours, 1 day, 1 week, 1 month; and statistics on users will show the distribution of traffic by protocol (1 day, 1 week, 1 month, total). Network interface statistics will help you monitor incoming traffic from your provider.

There are two special lines in the user list: "all users" and "unrecognized users". The point is that users are either obliged to log in to WinRoute or not, depending on the WinRoute settings. In the first case, statistics are collected by username, and in the second, by IP address. If you do not require user authorization, you must specify in the WinRoute user database which IP addresses each user works from (several addresses can be defined for one user). This is not as difficult as it might seem, even if the IP addresses are handed out by a DHCP server (a common situation). The "unrecognized users" line will include, for example, DNS server traffic, legal database update traffic, etc. But you can add special "users" to the WinRoute user database, assign them the addresses of the corresponding servers, and then determine how much traffic is consumed by legal database updates or by the DNS server. WinRoute can operate with a mixed user base: some users are imported from Active Directory, while others are added as local WinRoute users.

Each user can be assigned a traffic quota. At the same time, depending on the settings, when the user reaches the limit of his quota, WinRoute will either terminate all connections, or prohibit the establishment of new ones, or only warn the user. In any case, WinRoute can notify the user (and / or administrator) when the quota is exceeded by e-mail. And each user can, in turn, monitor their traffic by accessing WinRoute via the Web interface.

Kerio Server Firewall (KSF)

KSF is a server firewall, that is, a firewall that protects only the host on which it is installed. Unlike a network firewall (such as WinRoute), this product does not route packets between networks (between host interfaces), but it can protect several (up to 100) interfaces of its host. KSF is designed first of all to protect servers installed at a provider's site (collocation). Accordingly, KSF, like most firewalls, has remote management via a Web interface.

What is the difference between a server firewall and a network firewall? The main difference is the protection of applications (Application Hardening) running on the server. KSF monitors not only network traffic but also the behavior of applications, primarily server applications, which by the nature of their work must listen on ports and respond to network requests from clients.

The "Network Status" page (Fig. 2) lists all server applications currently running that listen on any ports, the protocols they use, and the number of connections currently established. In addition, for each application its full path in the server's file system is shown, along with the date of the last modification of its exe-file and brief background information on the purpose of the application and its possible weak points. A separate panel has three link-buttons for the following actions: create a network rule based on the selected process, show all network rules related to this process, and display the list of connections for the selected process.

Let's consider the format of network rules (Fig. 3). The action offers two options: allow or deny. The direction can be inbound connections, outbound connections, or traffic in both directions. Note that specifying both directions is usually meaningless and fraught with potential danger. As the figure shows, only the "Default rule" uses this option, to deny all connections that do not fall under the previous rules. This rule cannot be removed, but its action can be changed to "allow" for debugging purposes. Only one rule in the list allows outgoing connections: the server itself (meaning the computer) is allowed to go anywhere. All other rules describe access into our host only, naturally with all sorts of restrictions. For example, the topmost rule allows access to the inetinfo.exe process over HTTP (port 80).

The "Local" column indicates through which local interface (located on our host) the connection will be established. In this case the server has two interfaces: one of them is called "Internet" in the OS and is connected to the external network, the second is connected to the local network. Only the topmost rule specifies a single interface explicitly; all other rules apply to connections on any local interface. The "Remote" column specifies the addresses of the remote clients accessing the server. The options are: IP address, IP address range, net / mask, or address group name. An address group can contain any number of the address forms listed above. Several address groups are predefined in KSF (they can serve as examples). As the rule table shows, access to the Web server is possible from anywhere, the host itself is allowed to go anywhere, and the last deny rule naturally covers any external address. In the remaining rules, remote addresses are given by the names of address groups.

Now let's list the three building blocks of application protection in KSF.

2. A ban on changing the exe-file of a network process on the host, including changing its startup path (that is, KSF cannot be tricked by starting a process with the same name from a different directory, since that is already a substituted exe-file).

3. Prohibition of changing important system data (System tampering). Fig. 5 shows an example list of such data.

Fig. 4 shows the rules for protecting applications. One of them (for srvfw.exe) is created automatically during KSF installation and can be used as an example for study. Exceptions can be defined in rules, for example to allow some process to start others when necessary. Defining such exceptions turns out to be very simple: create a rule that only logs the actions of the process you are interested in, and after a while look at the log (Logs / Hardening) to determine whether this or that application, in a normal (uninfected) state, starts anything at all.

Another feature of KSF is the detection of possible intrusions. Nothing needs to be configured here, but the corresponding log must be checked regularly. KSF provides descriptions of some of the most common types of intrusion along with their severity. Viewing the list of connections for a particular process can also help an administrator notice a threat: too many connections from one IP address, or a huge amount of data transferred within one connection. Unfortunately, the connection list window does not allow sorting by remote IP address or by data volume.

Kerio Mail Server (KMS)

KMS can be used either as a full-fledged mail server that stores user mailboxes and serves mail clients, or as an intermediate "post station" (a Smart Host, in Sendmail terms). In the latter case it acts as an intermediate link between a mail server located inside the local network (for example, MS Exchange Server) and the outside world. A host with KMS installed can have two network interfaces, one connected to the local network and the other to the external one; KMS then acts as a mail firewall. In this case, receiving all external mail addressed to the organization is entrusted to KMS, while outgoing mail from local users can be sent either by the mail firewall or by the internal server directly. Since we are interested in firewall mode, we will briefly discuss only this KMS functionality. It consists of three components: rejecting unwanted mail based on so-called black lists, spam filtering, and anti-virus protection.

Blacklists contain lists of mail servers used for spam. Such servers most often operate as open relays, which allows any client to send mail through them without authorization and regardless of where the client and server are located. For example, a spammer in Russia can use a mail server in South America to send thousands of letters. Sometimes normal servers also get blacklisted, due to careless sending of business letters or a misconfigured mail server. Blacklist servers, or Open Relay Data Bases (ORDB), are implemented as DNS servers with a special type of record that stores the lists of harmful servers. Usually ORDB servers are run by serious people, and the software on these servers scrutinizes candidates for blacklisting. But there are also servers that add entries on the first complaint, and it is for this reason that many normal mail servers (and most often entire ranges of IP addresses) end up blacklisted. So when setting up your mail server, the main thing is not to overdo it by assigning it as many ORDB servers as possible, otherwise almost all mail (useful mail too) may be eliminated.

Actually, setting up blacklists in KMS is so simple that we could limit ourselves to stating that this functionality is supported. However, a few comments are in order. The KMS delivery already includes five ORDB servers. The server named SORBS DNSBL (dnsbl.sorbs.net) has such "zealous" lists that all mail from aha.ru and mail.ru is rejected, so in our specific conditions it is better to deselect the "block" option for this server. KMS also allows you to create your own blacklist. Unfortunately, KMS does not allow creating a so-called whitelist, the opposite of a blacklist, which ideally should be consulted before the blacklists are processed.

Spam filtering here means limiting spam by means other than blacklisting. KMS has a special processor which, based on a set of built-in rules (these rules cannot be edited), assigns a spam rating to each incoming letter: one feature adds a certain number of points to the letter, another feature adds more. The sum of these points in KMS can reach 10 for each letter. The administrator sets a threshold (5 by default) above which a message is considered spam. KMS can then do the following with spam: put a spam mark in the message header, delete the message "without making a fuss", or return the message to the sender (a good idea). In any case, a copy of the letter can be sent to any local mailbox (just in case), which needs to be cleaned out from time to time. If the message is still passed on, a label can be added to its subject ("** SPAM **" is offered by default); using this label, the mail client can move such letters to a separate folder.

The second spam filtering feature allows you to create filters based on several criteria (the From, To, Subject, Sender fields, etc., and their values: "empty", "contains address", "contains domain", etc.). If a letter meets the criteria of a certain filter, the following options are possible: 1) treat the letter as non-spam (cancel its spam points); 2) treat the letter as spam and prohibit it; 3) add a further value to the spam score (the value is set by the administrator). The further fate of prohibited letters is determined separately: they are either deleted without noise or returned to the sender (a copy of the letter can be sent to any local mailbox).
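The two spam-filtering stages just described (the built-in rating capped at 10 with a threshold of 5, then the administrator's From/To/Subject/Sender filters with their three outcomes) fit together as in this added example; it is not KMS code, the scoring heuristics, the "X-Spam-Flag" header name and the rule that "add" filters accumulate while the first "non-spam" or "spam" filter decides are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

MAX_SCORE = 10   # KMS caps the rating of one letter at 10 points

@dataclass
class Message:
    sender: str              # envelope sender (the "Sender" criterion)
    from_addr: str           # From header, kept as a bare address in this example
    to_addr: str
    subject: str
    body: str
    headers: dict = field(default_factory=dict)

def heuristic_score(msg: Message) -> int:
    """Stand-in for the built-in, non-editable KMS rating rules (constructed
    heuristics): each feature found adds points, the total is capped."""
    score = 0
    body = msg.body.lower()
    if msg.subject and msg.subject == msg.subject.upper():
        score += 3                              # subject written in capitals
    if "free" in body or "$$$" in body:
        score += 3
    if "click here" in body:
        score += 2
    if "unsubscribe" in body:
        score += 2
    if not msg.from_addr:
        score += 4                              # empty From header
    return min(score, MAX_SCORE)

FIELD_ATTR = {"From": "from_addr", "To": "to_addr", "Subject": "subject", "Sender": "sender"}

@dataclass
class Filter:
    field_name: str          # From, To, Subject or Sender
    test: str                # "empty", "contains address", "contains domain" or "contains"
    value: str
    outcome: str             # "not_spam" (cancel points), "spam" (prohibit) or "add" (more points)
    points: int = 0          # only used with outcome "add"

    def matches(self, msg: Message) -> bool:
        text = getattr(msg, FIELD_ATTR[self.field_name]).lower()
        if self.test == "empty":
            return text == ""
        if self.test == "contains address":
            return text == self.value.lower()   # bare-address fields in this example
        if self.test == "contains domain":
            return text.endswith("@" + self.value.lower())
        if self.test == "contains":
            return self.value.lower() in text
        raise ValueError(f"unknown test {self.test!r}")

@dataclass
class SpamPolicy:
    threshold: int = 5             # the page's default; scores above it are spam
    spam_action: str = "mark"      # "mark" (header + subject label), "delete" or "return"
    reject_action: str = "delete"  # fate of letters a filter prohibits: "delete" or "return"
    label: str = "**SPAM**"
    copy_to: str = ""              # local mailbox that receives a copy of spam, if set

@dataclass
class Verdict:
    score: int
    action: str                    # "deliver", "mark", "delete" or "return"
    subject: str
    copy_to: str = ""

def classify(msg: Message, filters: list, policy=None) -> Verdict:
    """Rating first, then the administrator's filters in table order, then the threshold."""
    policy = policy or SpamPolicy()
    score = heuristic_score(msg)
    for f in filters:
        if not f.matches(msg):
            continue
        if f.outcome == "not_spam":
            return Verdict(0, "deliver", msg.subject)           # points cancelled
        if f.outcome == "spam":
            return Verdict(MAX_SCORE, policy.reject_action, msg.subject, policy.copy_to)
        score = min(score + f.points, MAX_SCORE)                # "add": keep evaluating
    if score <= policy.threshold:
        return Verdict(score, "deliver", msg.subject)
    if policy.spam_action == "mark":
        msg.headers["X-Spam-Flag"] = "YES"                      # constructed header name
        return Verdict(score, "mark", f"{policy.label} {msg.subject}", policy.copy_to)
    return Verdict(score, policy.spam_action, msg.subject, policy.copy_to)
```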

Anti-virus protection in KMS is carried out according to the same principles and with the same capabilities as in WinRoute.

Separately, it is worth noting the ability of KMS to resist hacker attacks. Here are some of the options: 1) set the maximum number of messages received from one IP address in 1 hour; 2) set the maximum number of simultaneous SMTP connections from one IP address; 3) set the maximum number of non-existent recipients; and 4) set an IP address exclusion list for the first three items. In addition, you can limit the maximum number of recipients in one letter and the maximum number of erroneous commands in an SMTP session.
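An added example (not KMS code) of how the limits listed above work together on the receiving side: per-source counters for messages per hour and simultaneous connections, per-session counters for unknown recipients and bad commands, and an exclusion list that bypasses only the first three limits. The specific limit values, the one-hour sliding window and the class names are assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

class SmtpGuard:
    """Constructed model of the per-source limits listed above (not KMS code).
    Counters are keyed by client IP; sources in the exclusion list bypass the
    messages-per-hour, connection and unknown-recipient limits only."""

    def __init__(self, max_msgs_per_hour=200, max_connections=10, max_unknown_rcpts=5,
                 max_rcpts_per_msg=100, max_bad_commands=10, excluded=()):
        self.max_msgs_per_hour = max_msgs_per_hour
        self.max_connections = max_connections
        self.max_unknown_rcpts = max_unknown_rcpts
        self.max_rcpts_per_msg = max_rcpts_per_msg
        self.max_bad_commands = max_bad_commands
        self.excluded = [ip_network(n) for n in excluded]
        self._messages = defaultdict(deque)   # ip -> accept times within the last hour
        self._connections = defaultdict(int)  # ip -> currently open SMTP sessions

    def is_excluded(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.excluded)

    def connect(self, ip: str) -> bool:
        """Accept a new SMTP connection unless the source already holds too many."""
        if not self.is_excluded(ip) and self._connections[ip] >= self.max_connections:
            return False
        self._connections[ip] += 1
        return True

    def disconnect(self, ip: str) -> None:
        self._connections[ip] = max(0, self._connections[ip] - 1)

    def accept_message(self, ip: str, now: float, recipients: int) -> bool:
        """Apply the per-message recipient cap (no exclusions) and the hourly cap."""
        if recipients > self.max_rcpts_per_msg:
            return False
        if self.is_excluded(ip):
            return True
        window = self._messages[ip]
        while window and now - window[0] >= 3600:
            window.popleft()                  # slide the one-hour window
        if len(window) >= self.max_msgs_per_hour:
            return False
        window.append(now)
        return True

class SmtpSession:
    """Per-connection counters: unknown recipients and erroneous commands."""

    def __init__(self, guard: SmtpGuard, ip: str):
        self.guard, self.ip = guard, ip
        self.unknown_rcpts = 0
        self.bad_commands = 0

    def rcpt_to(self, exists: bool) -> bool:
        """Return False when the session must be terminated."""
        if exists:
            return True
        self.unknown_rcpts += 1
        if self.guard.is_excluded(self.ip):
            return True
        return self.unknown_rcpts <= self.guard.max_unknown_rcpts

    def bad_command(self) -> bool:
        """Erroneous-command limit; the exclusion list does not apply here."""
        self.bad_commands += 1
        return self.bad_commands <= self.guard.max_bad_commands
```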

Statistics and logging of KMS operation are implemented quite fully and conveniently.

In conclusion, I would like to note that all Kerio products are supplied with excellent documentation, trial versions (they have no restrictions, except for a 1-month period) can be downloaded from the website

Anyone who has ever thought about the question "which firewall to choose?" Gartner (a well-known analytical agency).

At the end of June 2017, the next report on the state of the Unified Threat Management (UTM) market was released, the Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls), and in July 2017 the one on Enterprise Firewalls, the Magic Quadrant for Enterprise Network Firewalls. If you want to know who was among the leaders, how the situation has changed over the past year and what trends are observed, read on.

UTM Market:

Let me remind you that by definition Gartner:

“Unified threat management (UTM) is a converged platform of point security products, particularly suited to small and midsize businesses (SMBs). Typical feature sets fall into three main subsets, all within the UTM: firewall / intrusion prevention system (IPS) / virtual private network, secure Web gateway security (URL filtering, Web antivirus) and messaging security (anti-spam, mail AV).”

That is, this definition covers network security platforms targeted at small companies (Small) and slightly larger companies (Midsize); by small and midsize business (SMB), Gartner means companies with 100 to 1000 employees. UTM solutions usually contain the functionality that is typical today: a firewall, an intrusion prevention system (IPS), a VPN gateway, a web traffic filtering system (URL filtering, a streaming antivirus for web traffic) and a mail traffic filtering system (spam filtering and an anti-virus for mail traffic), and of course we must not forget basic routing and support for various WAN technologies.

It is interesting that, judging by Gartner's predictions, the firewall market will remain in about the same condition as now until 2020. According to Gartner, in 2022 Firewall as a Service (FWaaS) solutions, i.e. cloud firewalls to which client traffic is tunneled, will start entering everyday SMB use, and their share of new installations on the SMB market will exceed 50%, compared with the current 10%. In addition, by 2022, 25% of SMB users will use their firewall as a monitoring tool and intermediary broker for inventorying and controlling the use of SaaS resources, as a tool for managing mobile devices, or for enforcing security policies on end-user devices (currently less than 2% of users use this functionality on firewalls). FWaaS solutions will be more popular for distributed branch structures, where they will account for 10% of new installations, up from less than 1% today.

Since UTM solutions are aimed at relatively small companies (by Gartner's standards), it is clear that, having received all the functionality in one box, the end customer will to some extent have to accept compromises in performance, network security efficiency and functionality. For such customers it is also important that the solution is easy to manage (for example, via a browser), that an administrator can be trained faster thanks to the simplified management, and that the solution contains built-in tools for at least basic reporting; for some customers, localized software and documentation also matter.

Gartner believes that the needs of SMB customers and Enterprise customers differ greatly, in particular in the Enterprise need for more sophisticated management policies and advanced network security capabilities. For example, Enterprise customers with a distributed branch structure often have branches the size of an entire SMB company. However, the criteria for choosing equipment for a branch are, as a rule, dictated by the equipment chosen at the head office (branches usually get equipment from the same vendor as the head office, i.e. low-end Enterprise-class equipment), since the customer needs confidence in compatibility; in addition, such customers often use a single management console so that the branch network (which may have no specialists of the appropriate profile) can be managed from the head office. The economic component also matters: a corporate customer can receive additional "volume" discounts from vendors of network security solutions, including solutions for the branch network. For these reasons, Gartner places solutions for the distributed branch offices of Enterprise customers in the quadrants for the Enterprise segment (NGFW / Enterprise Firewall, IPS, WAF, etc.).

Separately, Gartner singles out customers with a distributed network of highly autonomous offices (a typical example is a retail network, where the total number of employees can be more than 1000 people), who, like a typical SMB customer, have rather limited budgets, a very large number of remote sites, and usually small IT / cybersecurity staff. Some UTM vendors even specifically focus on solutions for these customers more than traditional SMB.

UTM as of June 2017:

But what happened a year ago, in August 2016:

The list of leaders in the UTM market still contains the same familiar faces: Fortinet, Check Point, Sophos. Moreover, the situation is gradually heating up: the leaders' positions are gradually drawing closer to each other. Juniper went from challenger to niche player. SonicWall improved its position slightly.
What does Gartner think about the leaders of the UTM-segment market separately:

A representative of the UTM market leaders; its SMB solution is an enterprise-class firewall (Enterprise) that is quite easy to manage and has an intuitive graphical interface (GUI).

The headquarters are located in Tel Aviv (Israel) and San Carlos (USA). Check Point is a network security vendor with over 1,300 R&D employees. The product portfolio includes SMB and Enterprise class firewalls (Security Gateway), a dedicated endpoint security solution (Sandblast Agent), a mobile device security solution (Sandblast Mobile), and virtual firewalls (vSEC for private and public clouds). The current line of SMB class firewalls includes families 700, 1400, 3100, 3200, 5100, 5200, 5400, 5600, all devices were introduced in 2016/2017.

3. Sophos:

He is a representative of the UTM market leaders. It continues to increase its market share due to its ease of use, good functionality of the Security component, and successful integration with its own endpoint protection solution. A frequent visitor to the shortlists of an SMB customer, as well as for distributed networks of autonomous offices.

It is headquartered in Abingdon (UK) and employs over 3,000 people worldwide. The product portfolio contains a mixture of network security solutions and endpoint protection solutions. The Sophos XG line of firewalls contains 19 models and was last updated in the 4th quarter of 2016, as well as the outdated Sophos SG line in the portfolio. Sophos UTM solutions are available as virtual applications with integration with IaaS platforms - AWS and Azure. Endpoint security solutions include Sophos Endpoint and Intercept X. The integration solution between Sophos UTM and Sophos Endpoint is called Sophos Synchronized Security. The vendor's portfolio also includes solutions for protecting mobile devices and ensuring data encryption.

Enterprise Firewall Market:

In 2011. Gartner has introduced a new definition to the Enterprise Firewall market - Next Generation Firewall (NGFW):

“Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port / protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall. An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS), which includes a commodity or nonenterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated. "

Then it was an innovation, around which there was a lot of controversy. Several years have passed, a lot of water has flowed under the bridge, and now in 2017. Gartner no longer considers this to be any special advantage, but simply states the fact that all the leading players in this market have acquired this functionality for a long time, and now they differentiate themselves from other vendors in terms of functionality.

According to Gartner forecasts by 2020. Enterprise-class virtualized firewalls will occupy up to 10% of the market, up from 5% at the moment. By the end of 2020. 25% of firewalls sold will include integration by cloud security brokers to connect to cloud services (Cloud Access Security Broker, CASB), integrated by the corresponding API. By 2020 50% of new firewall installations will use outbound TLS inspection, up from less than 10% currently.

According to Gartner, the Enterprise Firewall market consists mainly of solutions for protecting corporate networks (Enterprise Networks). The products included in these solutions can be deployed as a single firewall, as well as in large and more complex scenarios, including branch networks, multi-layer demilitarized zones (Multitiered DMZs), in traditional deployment scenarios as a "large" firewall in the data center, and include the ability to use virtual firewalls in the data center. Customers must also be able to deploy solutions inside public cloud infrastructures Amazon Web Services (AWS), Microsoft Azure, and the vendor must have in their roadmap google support Cloud within the next 12 months. Products must be able to be managed with highly scalable (and granular) management tools, have a strong reporting system, and have a wide range of solutions for the network edge, data center, branch network and deployment in virtualization infrastructure and public cloud. All vendors in a given market segment must support fine-tuning and control of applications and users. The functionality of Next Generation Firewall is no longer an advantage, but a necessity. So Gartner crosses out the term she invented, since this functionality is considered quite common and absolutely necessary in the Enterprise Firewall market. In essence, Gartner considers NGFW and Enterprise Firewall synonymous. Manufacturers working in this market focus and build a sales strategy and technical support for large companies (Enterprises), and the functionality they develop is also focused on solving the problems of large companies (Enterprise).

Gartner says its research shows NGFWs are gradually continuing the trend of replacing standalone IPS devices at the network perimeter, although some customers say they will continue to use dedicated Next Generation IPS (NGIPS) devices in a Best of Breed strategy. Many enterprise customers are interested in cloud-based Malware detection solutions as a cheaper alternative to stand-alone sandbox solutions ( Sandboxing Solutions).

Unlike the UTM market, the corporate firewall market does not imply that NGFW solutions should contain all the functionality to protect the network. Instead, Gartner sees in enterprise firewalls the need to specialize specifically on NGFW functionality. For example, enterprise-class branch firewalls require support for a high degree of granularity for blocking network traffic, which must go in the product base, an integrated service approach to processing network traffic is required, product management must be highly integrated, and not look like a hastily compilation of different engines into one product. ... Enterprise-class firewalls for branch networks should be as secure and configurable as headquarters solutions.

In 2017. Gartner pays special attention to solutions for ensuring the termination of TLS sessions to ensure that outbound traffic is scanned for threats, such as downloading malicious code, controlling botnets. In some way, the ability to inspect outgoing TLS traffic brings NGFW closer to DLP solutions in a lightweight version, since decryption and subsequent inspection of outgoing TLS traffic allows you to make sure that sensitive data is not sent out. However, some customers using this feature may experience significant performance degradation when activating this feature due to the high cost of decrypting TLS.

Some progressive customers are planning and some are already taking advantage of the Software Defined Networking (SDN) paradigm and leveraging micro-segmentation capabilities in a virtualized data center. These customers are looking at vendors with support for various SDN solutions, as well as their plans for further development in the direction of SDN. Solution vendors are incorporating increasingly automated approaches to orchestrating firewall policies to provide the flexibility and business benefits that the SDN paradigm promises.

Now let's look at the current situation with the Gartner square in the market Enterprise Firewall as of July 2017:

But what happened a year ago, in May 2016:

The list of long-standing leaders of the Enterprise Firewall market is Palo Alto Networks, Check Point. This year, Gartner moved Fortinet from Challengers to the Leadership category as well. Passions are heating up - the positions of the leaders in this segment are also getting closer to each other. Cisco was unable to become a leader this year either, remaining in pursuit. But Huawei is surprising, which of the niche players was quite confidently placed in the section of the pursuers.

What does Gartner think about the leaders of the Enterprise Firewall market separately:

1. Palo Alto Networks:

It is one of the leaders in the Enterprise Firewall market, and is also a pure Security vendor, based in Santa Clara (USA, California), with over 4,000 employees. Produces firewalls since 2007, in 2016. revenues exceeded $ 1.4 billion.The solution portfolio includes enterprise-class firewalls in physical and virtualized executions, solutions for protecting end nodes (Traps and GlobalProtect), solutions for collecting, aggregating, correlating, real-time threat analytics to support defensive measures (Threat Intelligence , AutoFocus), SaaS security solutions (Aperture). The manufacturer is actively working on integrating solutions into a unified network security platform.

Palo Alto Networks recently released version 8 of the PAN-OS operating system with enhancements for WildFire and Panorama, new SaaS security functionality, and user credential protection. The PA-220 entry-level firewall, the PA-800 Series mid-range device was also released, and the PA 5000 Series firewall line (new models 5240, 5250, 5260), which has been released since 2011, has also been updated.

Representative of the Enterprise Firewall market leaders. The portfolio of products for the Enterprise market contains a large number of solutions, including NGFW firewalls and endpoint protection solutions, cloud and mobile network security solutions. Check Point's flagship products are Enterprise Security Gateways (Enterprise Network Security Gateways include the 5000, 15000, 23000, 44000, and 64000 families). Cloud security is provided through the vSEC solution for private and public clouds, there is also a SandBlast Cloud solution for SaaS applications. Endpoint security solutions include SandBlast Agent and mobile security solutions - Check Point Capsule and SandBlast Mobile. Also released SandBlast Cloud solution for scanning mail traffic in Microsoft Office 365. In 2016. models 15400 and 15600 became available for large enterprise customers, as well as 23500 and 23800 for data centers.

Recently, new Hi-End platforms 44000 and 64000 were presented, vSEC was released for Google Cloud, and a new version of R80.10 software was released with improvements for the management console, improved performance and SandBlast Anti-Ransomware, which provides protection against malicious software of the Ransomware class. Also introduced is the new Check Point Infinity network security architecture that integrates the security of networks, clouds and mobile users.

Check Point has also expanded its cloud-based Malware protection solution that can be integrated in front of SaaS email services. Check Point offers numerous software blades that extend firewall capabilities, including Advanced Mailware Protection (Threat Emulation and Threat Extraction), Threat Intelligence Services - ThreatCloud IntelliStore, and Anti-Bot. Check Point supports its firewalls in public clouds Amazon Web Services (AWS) and Microsoft Azure, solutions are available for integration with SDN solutions from VMWare NSX and Cisco Application Centric Infrastructure (ACI).

Check Point's solution should be shortlisted by an enterprise customer for whom price sensitivity is not as important as granularity of network security functionality, coupled with high-quality centralized management for complex networks. It is also a good candidate for customers using hybrid networks of on-premise hardware, virtualized data centers, and clouds.


Even a small firm may have big secrets that it needs to protect from prying eyes... This means there is a potential threat from lovers of other people's secrets. To protect the computers of a local corporate network from unauthorized access via the Internet connection, a firewall is needed. If you are looking for a corporate firewall, take a look at Kerio's Kerio WinRoute Firewall. Quite a few people know Kerio's firewall for home users; since the autumn of 2006 a corporate product has also been available to Russian users (in other countries it was sold earlier).

Kerio WinRoute Firewall by Kerio Technologies Inc. is an integrated solution that combines a firewall, a VPN server, antivirus and content filtering, designed to protect the corporate networks of small and medium businesses.

The main features of this firewall are:

  • the firewall itself, with very flexible configuration of access policies for each user;
  • built-in VPN server;
  • built-in anti-virus protection;
  • website access control;
  • content filtering;
  • support for all Internet access technologies: DSL, ISDN, cable, satellite, wireless and dialup connections;
  • VoIP and UPnP support;
  • the possibility of remote administration.

Creating rules is simple and straightforward

The administrator can configure firewall rules either by hand or with a wizard in eight steps. The latter is especially convenient for novice administrators, as it simplifies the configuration process. All rules are displayed in a single tab, which also simplifies day-to-day work. The only potential difficulty for system administrators is the lack of a Russian-language interface and help file. However, digging around on the Web, you can find a slightly outdated but still relevant manual.

A distinctive feature of this firewall is the ability to monitor the protocols in use, including specific protocols that are not directly related to IP traffic. This allows the administrator to control and protect the specific applications that a company's business requires.

Access control is possible even by channel bandwidth

The Internet link itself can be controlled not only by the criteria typical for firewalls (protocols, ports, users, and so on), but also by link bandwidth. This capability is especially valuable for companies that make heavy use of IP telephony. The function is called Bandwidth Limiter and allows you to set specific bandwidth limits for specific users.

Kerio WinRoute Firewall implements its own technology for VPN tunnels. The VPN and NAT compatibility problem is solved by the NAT Traversal feature, which ensures stable VPN operation through NAT, including multiple NAT gateways. Incompatibility issues are addressed by letting network applications detect the presence of a NAT device, configure it, and map ports as needed. This makes setting up VPN connections a breeze.

Kerio WinRoute Firewall includes McAfee antivirus

Combining antivirus and firewall protection is not a new idea and has been implemented by many software developers. What distinguishes Kerio WinRoute Firewall is that the company did not write its own anti-virus engine but integrated an excellent product from McAfee Security, McAfee antivirus, into the firewall (as well as into its mail server). This integrated protection avoids conflicts with antivirus software installed on the company's other servers. Moreover, integrating the anti-virus engine into the protection mechanism makes it possible to use other anti-virus tools installed on the server running Kerio WinRoute Firewall in addition to the built-in McAfee engine. To do this, simply select the required antivirus from the list. Note only that the list of supported secondary antivirus products is not very large and is limited to seven products.

It should be noted that this combination of firewall and antivirus adds flexibility when choosing products to serve a corporate network. You can purchase Kerio WinRoute Firewall with or without built-in antivirus protection if you already have a virus hunter that suits you.

Another useful option is the additional ISS Orange Web Filter component. This filter contains a detailed categorization of websites (about 60 categories in total: news, shopping, sports, travel, pornography, and so on). About 60 million websites and more than 4.4 million web pages in 15 languages have been categorized. This function allows Kerio WinRoute Firewall to be configured to automatically block user access to sites of a particular category. Access can be restricted both at the user level and at the user group level.

Kerio WinRoute Firewall can deny access to peer-to-peer networks

With the growth of unrestricted high-speed Internet access, the likelihood increases that employees will use corporate bandwidth to download files from file-sharing networks (KaZaA, eDonkey, eMule, or DC++). To make it easier for administrators to identify such activity, Kerio WinRoute Firewall has a built-in function for blocking P2P clients. Statistical traffic analysis can also be used to identify and neutralize unknown file-sharing networks. Similar traffic control is possible for the FTP protocol as well.

As for filtering HTTP traffic, it is possible to define how ActiveX objects and JavaScript are handled in order to prevent potentially dangerous malicious code from being delivered through the firewall. Pop-ups of any type can also be blocked, guaranteeing comfortable web browsing for company employees.

An active search on the Internet for known vulnerabilities in Kerio WinRoute Firewall turned up only one mention, and that vulnerability was easily eliminated by upgrading to the latest version.

Summary

Kerio WinRoute Firewall 6 from Kerio Technologies Inc. provides shared, controlled Internet access and protection from external attacks and viruses. In addition, it restricts access to sites of various categories and restricts the operation of peer-to-peer networks. Designed specifically for the corporate networks of small and medium enterprises, this firewall is attractive in terms of price / performance ratio while providing a high level of protection.

System requirements
Kerio WinRoute Firewall:

  • processor: Pentium III;
  • RAM: 256 MB;
  • free disk space: 20 MB (additional disk space is also required for report files and cache functions, depending on individual settings);
  • two network interfaces (including dialup).

Kerio VPN Client:

  • processor: Pentium III;
  • RAM: 128 MB;
  • free disk space: 5 MB;
  • operating system Windows 2000 / XP / 2003.

Anyone who has ever thought about the question "which firewall to choose?" has probably come across the reports of Gartner (a well-known analytical agency).

At the end of June 2017 the next report on the state of the Unified Threat Management (UTM) market was released, the Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls), and in July 2017 the Enterprise Firewalls report, the Magic Quadrant for Enterprise Network Firewalls. If you are interested in who was among the leaders, how the situation has changed over the past year and what trends are observed, then welcome under the cut...

UTM Market:

Let me remind you of Gartner's definition:

“Unified threat management (UTM) is a converged platform of point security products, particularly suited to small and midsize businesses (SMBs). Typical feature sets fall into three main subsets, all within the UTM: firewall / intrusion prevention system (IPS) / virtual private network, secure Web gateway security (URL filtering, Web antivirus) and messaging security (anti-spam, mail AV).”

That is, this definition covers network security platforms targeted at small companies (Small) and slightly larger companies (Midsize); Gartner counts companies with 100 to 1000 employees as Small and Midsize Business. UTM solutions usually contain the functionality that is typical today: a firewall, an intrusion prevention system (IPS), a VPN gateway, a web traffic filtering system (URL filtering, a streaming antivirus for web traffic), and a mail traffic filtering system (spam filtering and an antivirus for mail traffic); and of course we must not forget the basic routing functions and support for various WAN technologies.

It is interesting that, judging by Gartner's predictions, the firewall market until 2020 will remain in roughly the same state as now. By 2022, according to Gartner's predictions, Firewall as a Service (FWaaS) class solutions, i.e. cloud firewalls to which client traffic is tunneled, will begin to enter everyday life in the SMB segment, and their share of new installations on the SMB market will exceed 50%, compared with the current share of 10%. In addition, by 2022 25% of SMB segment users will use their firewall as a monitoring tool and intermediary broker for inventory and control of SaaS resource usage, as a tool for managing mobile devices, or for enforcing security policies on end-user devices (currently less than 2% of users use this functionality on firewalls). FWaaS solutions will also become more popular for distributed branch offices, with 10% of new installations using them, up from less than 1% today.

Since UTM solutions are aimed at relatively small companies (by Gartner's standards), it is clear that, having received all the functionality in one box, the end customer will have to accept some compromises in performance, network security effectiveness and functionality. For such customers it is also important that the solution is easy to manage (management via a browser, for example), that an administrator can be trained faster thanks to the simplified management, that the solution contains built-in tools for at least basic reporting, and, for some customers, that localized software and documentation are available.

Gartner believes that the needs of SMB customers and Enterprise customers differ greatly: Enterprise customers need the ability to implement more sophisticated management policies and advanced network security capabilities. For example, Enterprise customers with a distributed branch structure often have branches that can be the same size as an entire SMB company. However, the criteria for choosing equipment for a branch are, as a rule, dictated by the choice of equipment at the head office (branches usually get equipment from the same vendor that is used in the head office, i.e. Low End equipment of Enterprise class), because the customer needs confidence in equipment compatibility and, in addition, such customers often use a single management console to manage the branch network (where there may be no specialists of the appropriate profile) from the head office. The economic component also matters: a corporate customer can receive additional "volume" discounts from network security vendors, including on solutions for the branch network. For these reasons, Gartner places solutions for the distributed branch offices of Enterprise customers in the quadrants for the Enterprise segment (NGFW / Enterprise Firewall, IPS, WAF, etc.).

Separately, Gartner singles out customers with a distributed network of highly autonomous offices (a typical example is a retail chain, where the total number of employees can exceed 1000 people), who, like a typical SMB customer, have rather limited budgets, a very large number of remote sites, and usually a small IT / cybersecurity staff. Some UTM vendors even focus specifically on solutions for these customers more than on traditional SMB.

UTM as of June 2017:

But what happened a year ago, in August 2016:

The list of leaders in the UTM market still contains the same familiar faces: Fortinet, Check Point, Sophos. Moreover, the situation is gradually heating up: the positions of the leaders are gradually converging. Juniper went from Challenger to Niche Player. SonicWall improved its position slightly.

What does Gartner say about each of the leaders of the UTM segment separately:

2. Check Point:

It is a representative of the UTM market leaders; its SMB offering is an enterprise-class firewall (Enterprise), which is quite easy to manage and has an intuitive graphical interface (GUI).

The headquarters are located in Tel Aviv (Israel) and San Carlos (USA). Check Point is a network security vendor with over 1,300 R&D employees. The product portfolio includes SMB and Enterprise class firewalls (Security Gateway), a dedicated endpoint security solution (SandBlast Agent), a mobile device security solution (SandBlast Mobile), and virtual firewalls (vSEC for private and public clouds). The current line of SMB class firewalls includes the 700, 1400, 3100, 3200, 5100, 5200, 5400 and 5600 families; all devices were introduced in 2016/2017.

3. Sophos:

It is a representative of the UTM market leaders. It continues to increase its market share thanks to its ease of use, the good functionality of the Security component, and successful integration with its own endpoint protection solution. A frequent visitor to the shortlists of SMB customers, as well as of distributed networks of autonomous offices.

It is headquartered in Abingdon (UK) and employs over 3,000 people worldwide. The product portfolio contains a mixture of network security solutions and endpoint protection solutions. The Sophos XG line of firewalls contains 19 models and was last updated in the 4th quarter of 2016; the older Sophos SG line also remains in the portfolio. Sophos UTM solutions are available as virtual appliances with integration with the IaaS platforms AWS and Azure. Endpoint security solutions include Sophos Endpoint and Intercept X. The integration between Sophos UTM and Sophos Endpoint is called Sophos Synchronized Security. The vendor's portfolio also includes solutions for protecting mobile devices and for data encryption.

Enterprise Firewall Market:

In 2011 Gartner introduced a new definition to the Enterprise Firewall market, the Next Generation Firewall (NGFW):

“Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port / protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall. An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS), which includes a commodity or nonenterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated.”

At the time it was an innovation that provoked a lot of controversy. Several years have passed, a lot of water has flowed under the bridge, and now, in 2017, Gartner no longer considers this a special advantage but simply states the fact that all the leading players in this market acquired this functionality long ago and now differentiate themselves from other vendors by other functionality.

According to Gartner forecasts, by 2020 Enterprise-class virtualized firewalls will occupy up to 10% of the market, up from 5% at the moment. By the end of 2020, 25% of firewalls sold will include integration with cloud access security brokers (Cloud Access Security Broker, CASB) via the corresponding API for connecting to cloud services. By 2020, 50% of new firewall installations will use outbound TLS inspection, up from less than 10% currently.

According to Gartner, the Enterprise Firewall market consists mainly of solutions for protecting corporate networks (Enterprise Networks). The products in these solutions can be deployed as a single firewall or in larger and more complex scenarios, including branch networks, multi-layer demilitarized zones (Multitiered DMZs), the traditional role of a "large" firewall in the data center, and virtual firewalls in the data center. Customers should also be able to deploy the solutions inside the public cloud infrastructures Amazon Web Services (AWS) and Microsoft Azure, and the vendor should have Google Cloud support in its roadmap for the next 12 months. Products must be manageable with highly scalable (and granular) management tools, have a strong reporting system, and offer a wide range of solutions for the network edge, data center, branch network, virtualization infrastructure and public cloud. All vendors in this market segment must support fine-grained control of applications and users. Next Generation Firewall functionality is no longer an advantage but a necessity. So Gartner retires the term it coined, since this functionality is now considered commonplace and absolutely necessary in the Enterprise Firewall market. In essence, Gartner treats NGFW and Enterprise Firewall as synonyms. Vendors in this market build their sales strategy and technical support around large companies (Enterprises), and the functionality they develop is likewise focused on solving the problems of large companies.

Gartner says its research shows that NGFWs are continuing the trend of gradually replacing standalone IPS devices at the network perimeter, although some customers say they will continue to use dedicated Next Generation IPS (NGIPS) devices as part of a Best of Breed strategy. Many enterprise customers are interested in cloud-based malware detection as a cheaper alternative to stand-alone sandbox solutions (Sandboxing Solutions).

Unlike the UTM market, the enterprise firewall market does not assume that NGFW solutions should contain all the functionality needed to protect the network. Instead, Gartner sees a need for enterprise firewalls to specialize in NGFW functionality. For example, enterprise-class branch firewalls require highly granular blocking of network traffic, which must be built into the product; an integrated, service-oriented approach to processing network traffic is required; and product management must be tightly integrated rather than looking like a hastily assembled compilation of different engines in one product. Enterprise-class firewalls for branch networks should be as secure and configurable as headquarters solutions.

In 2017 Gartner pays special attention to solutions that terminate TLS sessions so that outbound traffic can be scanned for threats such as downloads of malicious code or botnet command-and-control traffic. In a sense, the ability to inspect outgoing TLS traffic brings NGFW closer to a lightweight DLP solution, since decrypting and then inspecting outgoing TLS traffic makes it possible to verify that sensitive data is not being sent out. However, some customers may experience significant performance degradation when activating this feature because of the high cost of decrypting TLS.

Some progressive customers are planning and some are already taking advantage of the Software Defined Networking (SDN) paradigm and leveraging micro-segmentation capabilities in a virtualized data center. These customers are looking at vendors with support for various SDN solutions, as well as their plans for further development in the direction of SDN. Solution vendors are incorporating increasingly automated approaches to orchestrating firewall policies to provide the flexibility and business benefits that the SDN paradigm promises.

Now let's look at the current situation in the Gartner quadrant for the Enterprise Firewall market as of July 2017:

But what happened a year ago, in May 2016:

The long-standing leaders of the Enterprise Firewall market are Palo Alto Networks and Check Point. This year Gartner also moved Fortinet from Challengers to Leaders. Passions are heating up: the positions of the leaders in this segment are also getting closer to each other. Cisco was unable to become a leader this year either, remaining a Challenger. Huawei, however, is a surprise: it moved from the Niche Players and placed quite confidently in the Challengers section.

What does Gartner think about the leaders of the Enterprise Firewall market separately:

1. Palo Alto Networks:

It is one of the leaders in the Enterprise Firewall market and a pure security vendor, based in Santa Clara (California, USA), with over 4,000 employees. It has produced firewalls since 2007, and in 2016 its revenues exceeded $1.4 billion. The solution portfolio includes enterprise-class firewalls in physical and virtual form factors, endpoint protection solutions (Traps and GlobalProtect), solutions for collecting, aggregating and correlating real-time threat analytics to support defensive measures (Threat Intelligence, AutoFocus), and SaaS security solutions (Aperture). The vendor is actively working on integrating its solutions into a unified network security platform.

Palo Alto Networks recently released version 8 of the PAN-OS operating system with enhancements for WildFire and Panorama, new SaaS security functionality, and user credential protection. The PA-220 entry-level firewall and the PA-800 Series mid-range device were also released, and the PA 5000 Series firewall line, which has been shipping since 2011, was updated with the new models 5240, 5250 and 5260.

2. Check Point:

Another representative of the Enterprise Firewall market leaders. Its product portfolio for the enterprise market contains a large number of solutions, including NGFW firewalls, endpoint protection solutions, and cloud and mobile network security solutions. Check Point's flagship products are the Enterprise Network Security Gateways (the 5000, 15000, 23000, 44000 and 64000 families). Cloud security is provided by the vSEC solution for private and public clouds, and there is also a SandBlast Cloud solution for SaaS applications. Endpoint security solutions include SandBlast Agent, and mobile security solutions include Check Point Capsule and SandBlast Mobile. A SandBlast Cloud solution for scanning mail traffic in Microsoft Office 365 has also been released. In 2016 the 15400 and 15600 models became available for large enterprise customers, as well as the 23500 and 23800 for data centers.

Recently the new high-end 44000 and 64000 platforms were presented, vSEC was released for Google Cloud, and a new software version, R80.10, was released with improvements to the management console, improved performance, and SandBlast Anti-Ransomware, which protects against ransomware. Also introduced is the new Check Point Infinity network security architecture, which integrates the security of networks, clouds and mobile users.

Check Point has also expanded its cloud-based malware protection solution, which can be deployed in front of SaaS email services. Check Point offers numerous software blades that extend firewall capabilities, including Advanced Malware Protection (Threat Emulation and Threat Extraction), Threat Intelligence Services (ThreatCloud IntelliStore), and Anti-Bot. Check Point supports its firewalls in the Amazon Web Services (AWS) and Microsoft Azure public clouds, and solutions are available for integration with the VMware NSX and Cisco Application Centric Infrastructure (ACI) SDN solutions.

Check Point's solution should be shortlisted by enterprise customers for whom price sensitivity matters less than the granularity of network security functionality, coupled with high-quality centralized management for complex networks. It is also a good candidate for customers running hybrid networks of on-premises hardware, virtualized data centers, and clouds.


A firewall serves the safe operation of computers on a local network and on the Internet. It prevents unauthorized access to network resources, and a correctly configured firewall makes the computer invisible on the Internet. The firewall restricts or denies access to resources.

A little about firewalls

Network filter, security gateway, firewall: these are just some of the names for a program that, like a wall of fire (from the English words fire and wall), stands in the way of computer viruses and of people seeking unauthorized access to your PC.

A firewall, a combination of software and computer hardware, is one part of a comprehensive security system, not its only essential component. Although the "fire wall" is no panacea for every threat, it can still create a barrier between the computer and the network through which intruders cannot reach your PC.

Configuring personal and corporate firewalls

There are both software and hardware firewalls. The disadvantage of the former is that they consume the resources of the PC they run on. Hardware devices, although completely independent and placed on the gateway between the local network and the Internet, are much more expensive than personal ones and are used by companies to protect their local networks.

A personal firewall is a program that is either a component of the Windows operating system or installed as part of application software. Configuring it is usually not complicated, since the program has a user-friendly interface. With its help it is easy to allow Internet connections to all programs that genuinely need them (Skype, Torrent, Mail.Ru, Internet Explorer, etc.), and to prevent, say, a notepad program (which may hold passwords and personal information) from sending or receiving packets over the network, an activity that is not natural for it at all.

A corporate firewall protects the local networks of companies from "unexpected network requests". It blocks all such requests and asks the user for permission before creating such a connection. If you do not have an enterprise with a local area network of many computers, you do not need to install one. The installation and configuration of corporate "walls" is performed by the system administrator.
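The per-application allow/deny behaviour of a personal firewall described above, as a small default-deny policy evaluator. This is an added example, not code from the article; the rule set, program names, addresses and connection attempts are all constructed.

```python
"""Per-application, default-deny policy check modelled on the personal-firewall
behaviour above (added example, not the article's code; all rules and attempts are constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    program: str                # executable name, e.g. "skype.exe"
    direction: str              # "out" (to the network) or "in" (from it)
    action: str                 # "allow" or "deny"
    port: Optional[int] = None  # None matches any port

@dataclass(frozen=True)
class Attempt:
    program: str
    direction: str
    remote: str
    port: int

# Constructed policy: programs that legitimately use the network are allowed
# (the browser only on web ports), a notepad program is explicitly denied, and
# anything not listed falls through to DEFAULT_ACTION.
POLICY: List[Rule] = [
    Rule("skype.exe", "out", "allow"),
    Rule("iexplore.exe", "out", "allow", 80),
    Rule("iexplore.exe", "out", "allow", 443),
    Rule("torrent.exe", "out", "allow"),
    Rule("torrent.exe", "in", "allow", 6881),
    Rule("notepad.exe", "out", "deny"),
]
DEFAULT_ACTION = "deny"  # unknown programs are blocked, not waved through

def decide(a: Attempt, policy: List[Rule] = POLICY) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; returns (action, rule) or (default, None)."""
    for r in policy:
        if r.program.lower() != a.program.lower() or r.direction != a.direction:
            continue
        if r.port is not None and r.port != a.port:
            continue
        return r.action, r
    return DEFAULT_ACTION, None

def audit(attempts: List[Attempt]) -> List[str]:
    """One log line per attempt; the DENY lines are what an operator reviews."""
    out = []
    for a in attempts:
        action, r = decide(a)
        why = f"rule {r.program}/{r.direction}" if r else "default policy"
        out.append(f"{action.upper()} {a.program} {a.direction} {a.remote}:{a.port} ({why})")
    return out
```

Because the default action is deny, a program that is neither listed nor matched by a port-specific rule (the browser on port 8080, for example) is blocked without the firewall having to prompt.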

Firewall configuration features

A good firewall should by default know about all the system services and applications that need Internet access and exchange packet data. It should not constantly ask whether such applications may connect; it should allow them automatically. In general, the firewall should have a good configuration wizard that automates this process.

A firewall can have several levels of protection. If you rate the threat as high, you can set the most "manic" level, which will control all your traffic and memory. But such protection can significantly affect system performance (if the computer's configuration is below average). A low level of control will cut off only the most obvious threats. A firewall is considered good only if it has no noticeable effect on system performance while still giving a higher than average level of protection.

There are many utilities for checking how well your firewall works, for example Atelier Web Firewall Tester. These are special programs that work on the principle of Trojan horses and similar malware: if they manage to send and receive information bypassing your "wall", there is a gap in it, and its value drops to zero.
