• Articles
  • Security
  • 2024
  • 12
  • Positive Technologies: «We invented it ourselves, paid for it ourselves, produce it ourselves, and suffer ourselves». How PT NGFW was created

Positive Technologies: «We invented it ourselves, paid for it ourselves, produce it ourselves, and suffer ourselves». How PT NGFW was created

I have already done material on domestic NGFW from one of the cyber security companies, so I decided to continue the practice and talk about other NGFWs. And in May 2024 at Positive Hack Days 2, I talked with the development and implementation team of Positive Technologies' NGFW, namely with the leaders of the PT NGFW product practice, Yuri Dyshlev and Anna Komsha. I hope it will be interesting. Enjoy reading!

For the development of NGFW, it seems logical to use open source as a base. But you refused such an approach. Did you regret it?

Our development is an effective combination of Open Source and our own proprietary mechanisms. For example, it would be foolish to create a custom SSH protocol to manage the firewall, as this would require significant time without substantial benefit. For high-quality traffic filtering and threat detection, using Open Source IPS engines is not always a good idea. Therefore, we are proud to develop the main and key productive parts of the firewall ourselves, although it takes a lot of time. However, this will bring significant benefits to our customers in the future.

And do you use your own expertise?

Yes, and this is very important for the entire Russian market in particular, and probably for the world community as well. Why? All mature Western solutions have dedicated teams that research threats on the Internet and other closed areas of cyberspace. For example, Cisco has a Cisco Talos division. At Positive Technologies, we have the PT ESC security expert center team. Colleagues not only create expertise for PT NGFW, but also for our other products. It is especially important that even within PT ESC there are people who are focused only on developing signatures. We have our own signature database of more than 8 thousand, which also allows us to detect attempts to exploit vulnerabilities in Russian applications, such as Bitrix. The number of recognizable applications exceeds 4.5 thousand (as of December 2024), including Russian applications.

We place significant emphasis on not using open-source signatures. Our engine is backward compatible with the open standards of Smart Suricata rule writing. We understand the profit that the customer can get from this. We conducted an experiment by taking a set of 40,000 signatures from GitHub and running them on our own IPS engine. And we got extremely poor results in terms of catch rate and threat detection quality, comparing it with our own.

What is included in your NGFW?

We already have an efficient traffic transfer mechanism. For integration into the current customer infrastructure, we use dynamic routing protocols and various interface operating modes, such as Layer 3 and sub-interfaces, for example, Layer 2 Transparent mode. This allows for quick deployment of the firewall into the data transmission network without changing or with minimal interference in its architecture, providing the widest possible range of integration tools into the network infrastructure. From a security point of view, many useful functions have been developed to date.

The packet filter is also an integral part of the firewall. However, the main feature of NGFW is the ability to detect applications by parsing them in sufficient detail. For example, a next-generation firewall can notify the administrator or the customer's SOC about the upload of a specific file to Yandex.Disk. In addition, we have integrated complex elements such as an Intrusion Prevention System and intrusion detection mechanisms. Plus, URL filtering is popular among customers, which allows for effective network protection against various threats.

Do you have user identification?

Of course, we have connectors for connecting to Active Directory and classic OpenLDAP. Clients may have questions related to the replacement of user directories. We monitor market trends and, as soon as the most popular Russian directory is determined, we will provide instructions, tools, and all the necessary components for effective integration with the selected directories.

Aren't these functions redundant because such things are usually on a proxy server?

Proxy server is already an outdated technology for providing secure internet access for users. Next-generation firewall is a more versatile tool as it can provide access not only for the user segment but also for segments with applications, services, and other resources. It is more economically efficient to have one device that solves the tasks of providing access to applications, services, and users on the internet. All this is done in one management domain.

Do I understand correctly that your NGFW is essentially two solutions? It is a PAC, namely a hardware and software complex, and purely software solutions. Or have you not thought about the software solution yet?

When we talk about the Russian market, NGFW is mostly considered only as a hardware and software complex. This is partly due to legislation that requires network-level firewalls to be implemented in the PAC format. The second part of the answer is that during Customer Development, customers stated that the next-generation firewall should be implemented as a hardware solution, which is familiar to the Russian consumer. However, we provide the possibility of using our software on KVM and ESXi.

It is worth emphasizing the importance of KVM. In the context of the trend towards import substitution of virtualization environments, our compatibility with KVM environments will allow clients who are already in the process of import substitution of the virtualization environment or plan to do so to use our product in such scenarios.

Do you have a methodology for testing NGFW? Will it be published or is it already published?

If necessary, we provide customers with a testing methodology. It allows you to check all operating modes of the firewall in various scenarios. In general, the methodology is available to everyone. It is also worth noting that our load tests are completely open and posted on our website. We do not hide anything.

And is your hardware supplier Russian?

Contract development is carried out at Russian factories. For junior platforms, we own working design documentation. Certificates have already been obtained confirming that the manufacturer of the platform and PACs is Positive Technologies. All platforms are developed specifically for PT NGFW and take into account the specifics of this class of products.

In case of problems with the PAC, the customer can always contact Positive Technologies technical support. We provide advance replacement and shipment from the warehouse the next calendar day, including weekends and holidays.

On which platform did you develop your NGFW?

When we started developing platforms based on Intel Scalable Gen4, there were no suitable offers in Russia. In addition to the Gen4 processor, DDR5, and the latest PCI, we had strict requirements for the form factor. The platform had to be installed in a standard 60 cm deep telecommunications rack.

Standard platforms are two-unit, but it's not about the units, it's about the depth. Classic general-purpose servers are deep, and telecommunications racks have limited space - 60 cm deep. And we needed a server in the Short Depth form factor, and now we have fully finished platforms 58 cm deep so that they fit perfectly into the racks.

There were also requirements for two power supplies on all platforms and for the location of all ports on the front panel with a high density of network cards. We didn't need a lot of disks, so the standard server didn't fit.

That's why we moved to contract development. Nothing ready was found. That is, we came up with it ourselves, paid for it ourselves, produce it ourselves, and suffer ourselves because the hardware path is always a difficult path ().

Have you had any tests of Russian processors for your NGFW?

We studied "Baikal" and "Elbrus". But ARM, in our opinion, is unpromising in the current paradigm because it is a technology licensed by Western countries. And "Elbrus" is difficult to produce, they are made in very small quantities, buying for tests and other purposes is quite a difficult task.

We are interested in the implementation of RISC-5 processors. But now we only see a processor designed for tablets. We will closely monitor the success of developers of RISC-5 based processors.

But the current branches, such as "Elbrus" and "Baikal", cannot be purchased in such a volume for the production of NGFW, and we did not even bother to spend time on it.

How difficult is it to configure your solution for an ordinary system administrator, an information security officer? For example, in the case of the same Cisco, you periodically have to go into the console.

Our pre-sale engineers have already conducted quite a few demonstrations of the next-generation firewall management interface, and I consider this our small but important victory. When a client at the beginning of the meeting says that he uses Fortinet or Palo Alto, and at the end: "Yes, I am familiar with all this and understand it, I saw the same thing on Fortinet and Palo Alto," it means that we have achieved our goal.

We have conducted many studies to make the NGFW management graphical interface understandable and obvious to those who already have experience operating such solutions. The second important point is that we abandoned the thick clients of firewall management so that the user does not have to install additional elements for management. All you need to do is open a browser and the web interface of the firewall.

We also abandoned the complex tuning of the firewall and maximized all the functions in the graphical management interface. This provides two ways to manage:

1. Click on the buttons in the firewall management interface.

2. Management via API. In development, we adhere to the API-first approach, in which a software interface for interacting with the management system is first developed, and then a graphical interface for the user is formed for it. If the administrator wants to automate his actions or massively administer objects, we offer an open API.

In addition, we discuss with clients possible integrations with existing developments, such as address space management systems and service desk. We already provide the most popular way of management through REST API with HTTPS transport and JSON payload, which allows us to present exactly the same user experience that administrators received from Western manufacturers. CLI will also be available. Administrators should not be deprived of CLI.

Can we expect any network solutions from Positive Technology in the future, or will you still focus on cybersecurity and further development of your NGFW?

After the release of NGFW to the market, we are exploring the possibility of entering the network equipment market. Two directions look attractive — switches and routers. Since the company has already created a hardware platform as a basis for building up network functions and a good foundation in the code, a potentially new niche becomes a feasible task.

Every time I discuss some specific "hardware", I want to test and touch it myself. But there is a problem — I am not competent in such matters. To become at least a little competent, I need to work and study for 5-7 years. Therefore, the desire disappears, but the desire to show the solution appears, and more competent people, based on my material, will decide whether to take the "hardware" for testing. Thank you for reading!

Comments