2.2 Identify the types of data provided by these technologies
📘 Cisco Certified CyberOps Associate (200-201 CBROPS)
A Next-Generation Firewall (NGFW) is an advanced type of firewall that goes beyond traditional firewalls. Traditional firewalls mainly filter traffic based on IP addresses, ports, and protocols, but NGFWs provide deeper inspection and more intelligence about network traffic.
Key Capabilities of NGFWs
- Stateful Inspection (like traditional firewalls)
  - NGFWs still track the state of network connections.
  - This means they know if a connection is new, established, or related to a previous session.
  - Helps block unauthorized access while allowing legitimate traffic.
- Application Awareness
  - NGFWs can identify and control specific applications, not just ports.
  - Example: Blocking access to social media apps or messaging apps, even if they use standard ports like 80 (HTTP) or 443 (HTTPS).
- User Identity Awareness
  - NGFWs can tie traffic to specific users or groups instead of just IP addresses.
  - This is often done using Active Directory integration.
  - Helps enforce policies per user or department.
- Integrated Intrusion Prevention System (IPS)
  - NGFWs can detect and block attacks in real time.
  - Example attacks:
    - SQL injection
    - Cross-site scripting (XSS)
    - Buffer overflow attacks
  - IPS can be signature-based or behavior-based.
- Malware and Threat Protection
  - Some NGFWs integrate antivirus and anti-malware scanning.
  - They can detect malicious files before they enter the network.
- Decryption of Encrypted Traffic
  - NGFWs can inspect HTTPS traffic by decrypting and analyzing it.
  - Ensures encrypted traffic does not hide attacks.
- Advanced Logging and Reporting
  - NGFWs generate rich logs about network activity.
  - Logs can include:
    - User actions
    - Applications used
    - Threats detected
    - Blocked/allowed connections
  - These logs are essential for security monitoring and incident response.
Types of Data Provided by NGFWs
For the CBROPS exam, it’s important to know what kind of data you can get from NGFWs for monitoring and security purposes:
- Traffic Flow Data
  - Which applications, services, or users are using the network.
  - Examples:
    - “User John downloaded a file from Google Drive using HTTPS.”
    - “Sales team accessed a VoIP application.”
- Security Event Data
  - Alerts about blocked traffic or attacks.
  - Examples:
    - Attempted malware download blocked.
    - SQL injection detected and prevented.
- User Activity Data
  - Tracks which users are doing what on the network.
  - Example:
    - “Alice uploaded 500 MB to an external cloud storage service.”
- Application Usage Data
  - Shows which applications are allowed or blocked.
  - Example:
    - Facebook Messenger blocked during office hours.
- Threat Intelligence Data
  - Correlates with known malicious IPs, URLs, or file hashes.
  - NGFWs often integrate with external threat intelligence feeds.
- Encrypted Traffic Insights
  - Shows threats hidden in SSL/TLS traffic.
  - Helps identify malware or phishing attempts in encrypted channels.
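As an added example (not part of the course material and not any vendor's log format), the Python below parses constructed NGFW log lines written in a generic key=value style and sorts each one into the data types listed above, then builds the "User Activity" view an analyst would use to spot the large-upload case. The field names, the log layout and the 100 MB upload threshold are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample NGFW log lines (generic key=value style, not a real vendor
# format). Each line carries the fields an NGFW typically records: user,
# application, protocol, policy action, bytes sent, and any detected threat.
SAMPLE_LOGS = [
    "type=traffic user=john app=google-drive proto=https action=allow bytes_out=1048576",
    "type=traffic user=alice app=dropbox proto=https action=allow bytes_out=524288000",
    "type=threat user=bob app=web-browsing threat=sql-injection action=block severity=high",
    "type=traffic user=sales-team app=voip proto=sip action=allow bytes_out=20480",
    "type=traffic user=alice app=facebook-messenger proto=https action=block bytes_out=0",
    "type=threat user=john app=web-browsing threat=malware-download action=block severity=critical",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict; bytes_out becomes an int."""
    rec = dict(KV_RE.findall(line))
    if "bytes_out" in rec:
        rec["bytes_out"] = int(rec["bytes_out"])
    return rec

def classify(rec):
    """Map a record to the NGFW data type it represents."""
    if rec.get("type") == "threat":
        return "Security Event"          # IPS / malware protection fired
    if rec.get("action") == "block":
        return "Application Usage"       # policy blocked an app, no threat involved
    return "Traffic Flow"                # allowed session: who used which app

def summarize(lines, upload_threshold=100 * 1024 * 1024):
    """Count records per data type, list threat hits, and flag users whose
    total upload exceeds the (assumed) threshold, i.e. the User Activity view."""
    counts, bytes_by_user, threats = Counter(), defaultdict(int), []
    for line in lines:
        rec = parse_line(line)
        counts[classify(rec)] += 1
        bytes_by_user[rec.get("user", "unknown")] += rec.get("bytes_out", 0)
        if rec.get("type") == "threat":
            threats.append((rec["user"], rec["threat"], rec["severity"]))
    large_uploads = sorted(u for u, b in bytes_by_user.items() if b > upload_threshold)
    return {"counts": dict(counts), "large_uploads": large_uploads, "threats": threats}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```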
Why NGFWs Are Important in CyberOps
- NGFWs provide visibility and control over modern network traffic.
- Traditional firewalls cannot inspect applications or threats embedded in encrypted traffic.
- NGFW logs are a key source of data for Security Operations Centers (SOC):
  - Incident detection
  - Investigation of security alerts
  - Compliance reporting
Summary Table for Exam
| Feature / Capability | Description |
|---|---|
| Stateful Inspection | Tracks connection state (new, established, related) |
| Application Awareness | Identify & control apps regardless of port |
| User Identity Awareness | Apply policies per user or group |
| Integrated IPS | Detect/block attacks like SQL injection, XSS |
| Malware/Threat Protection | Block malicious files and traffic |
| Encrypted Traffic Inspection | Decrypt & inspect HTTPS/SSL traffic |
| Logging & Reporting | Detailed logs on users, apps, threats |

| Data Type from NGFW | Purpose |
|---|---|
| Traffic Flow | Know what applications/users are doing |
| Security Events | Detect and respond to attacks |
| User Activity | Monitor behavior and policy compliance |
| Application Usage | Control and report app usage |
| Threat Intelligence | Correlate with known malicious activity |
| Encrypted Traffic Insights | Detect hidden threats in encrypted traffic |
✅ Exam Tip:
- Remember NGFW = traditional firewall + application control + user awareness + IPS + malware protection + SSL inspection.
- Know the types of data NGFW provides for SOC monitoring and incident response.
