Firewall Architecture: Next-Gen, UTM, Micro-Segmentation, Policy Design and Zero Trust Integration
Firewall architecture is the primary line of defense in network security. Next-Generation Firewalls (NGFW) provide application-aware inspection; UTM bundles several security functions into a single appliance; micro-segmentation splits the network into small segments to limit lateral movement; policy design lays out firewall rules systematically; and Zero Trust integration drops the notion of a "trusted network" by verifying every request.

Traditional firewalls look only at IP address and port. Today nearly every application runs over ports 80/443, so a traditional firewall cannot tell web browsing from YouTube or from malware. An NGFW inspects up to the application layer, so it sees what the traffic is, not just where it is going. Zero Trust goes further and discards the perimeter altogether: every request is verified regardless of where it comes from.
Firewall Evolution
| Generation | Capability | Limitation |
|---|---|---|
| Packet Filter (Gen 1) | Filter by IP, port, protocol (ACL-based) | No application visibility, no connection state |
| Stateful Inspection (Gen 2) | Track connection state (SYN, ESTABLISHED) | No visibility into application content |
| UTM (Gen 3) | Firewall + IPS + AV + URL filter + VPN in one box | Throughput drops as more features are enabled |
| NGFW (Gen 4) | Application-aware + user identity + SSL decrypt + threat intelligence | Expensive, complex management |
| Cloud Firewall / SASE (Gen 5) | Firewall-as-a-Service + ZTNA + CASB + SWG | Latency from cloud inspection, vendor lock-in |
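The Gen 1 to Gen 2 step in the table is easiest to see with a concrete packet. The following is an added example, not code from the original article: a stateless ACL that admits inbound packets "that look like replies" (ACK bit set, the classic `established` keyword) next to a minimal stateful inspector that only admits packets belonging to a connection an inside host actually opened. The addresses, the `10.0.0.` "internal" prefix and the packets are constructed for the demonstration.

```python
# Added example (not from the original article): an ACL-style packet filter
# next to a minimal stateful inspector. The packets, addresses and the
# "internal" prefix below are constructed for the demonstration.
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed: our "inside" network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt: Packet) -> bool:
    """Gen 1: stateless ACL. Inbound packets are allowed only when they look
    like part of an existing conversation (ACK bit set), the classic
    'established' keyword. With no memory of earlier packets, a forged
    ACK-only packet from anywhere matches this rule and is let through."""
    if is_internal(pkt.src):
        return True                 # outbound: allowed
    return pkt.ack                  # inbound: "looks like a reply"


class StatefulFirewall:
    """Gen 2: record outbound connection attempts; inbound packets must
    belong to a connection the inside host actually opened."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            if pkt.syn and not pkt.ack:      # new outbound connection
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: reverse the 4-tuple and require a known flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare(client_syn: Packet, inbound: Packet) -> dict:
    """Run the same packet pair through both generations and report."""
    stateful = StatefulFirewall()
    stateful.filter(client_syn)          # inside host opens a connection
    return {
        "packet_filter": packet_filter(inbound),
        "stateful": stateful.filter(inbound),
    }


# Constructed traffic: an inside client talks to a web server, and an
# attacker sends a forged ACK-only packet at the client's SMB port.
CLIENT_SYN = Packet("10.0.0.5", 51000, "198.51.100.20", 443, syn=True)
REAL_REPLY = Packet("198.51.100.20", 443, "10.0.0.5", 51000, syn=True, ack=True)
FORGED_ACK = Packet("203.0.113.9", 40000, "10.0.0.5", 445, ack=True)

if __name__ == "__main__":
    print("real reply :", compare(CLIENT_SYN, REAL_REPLY))   # both allow
    print("forged ack :", compare(CLIENT_SYN, FORGED_ACK))   # only the stateful one denies
```

The forged packet is exactly the kind of probe that ACK-scanning and firewalk-style tools rely on: it passes the ACL because the ACL has nothing to compare it against, and it is dropped by the stateful table because no inside host ever sent a SYN to 203.0.113.9. The same state table is what lets later generations inspect the content of a connection rather than individual packets.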
NGFW Features
| Feature | Description | Benefit |
|---|---|---|
| Application Control | Identify applications regardless of port (Layer 7 DPI) | Block Facebook on port 443 while allowing Zoom on the same port |
| User Identity | Map traffic to Active Directory users, not just IPs | Policy per user/group (Marketing may use social media, IT may not) |
| SSL/TLS Decryption | Decrypt HTTPS → inspect → re-encrypt | See inside encrypted traffic (80%+ of traffic is encrypted) |
| IPS (Intrusion Prevention) | Detect and block exploit attempts against known vulnerabilities | Block exploits of known CVEs, buffer overflows, RCE attempts |
| Threat Intelligence | Cloud-based threat feeds (malicious IPs, domains, file hashes) | Block known C2 servers and malware domains in real time |
| Sandboxing | Execute unknown files in a sandbox → analyze behavior | Detect zero-day malware that signature-based AV misses |
| URL Filtering | Block/allow web categories (gambling, malware, adult) | Enforce the acceptable-use policy |
NGFW Vendors
| Vendor | Product | Strength |
|---|---|---|
| Palo Alto Networks | PA-Series, Prisma | App-ID, strong threat prevention, Prisma SASE |
| Fortinet | FortiGate | Strong price/performance (custom ASIC), FortiOS ecosystem |
| Cisco | Firepower / Secure Firewall | Integration with the Cisco ecosystem, Talos threat intel |
| Check Point | Quantum | Strong security, unified management (SmartConsole) |
| Juniper | SRX Series | Junos OS, strong in service-provider environments |
| Zscaler | ZIA, ZPA | Cloud-native (no hardware), ZTNA leader |
Micro-Segmentation
| Aspect | Details |
|---|---|
| What it is | Divide the network into small segments in which each workload has its own policy |
| Why | A traditional firewall protects North-South (in/out) traffic but not East-West (lateral movement inside) |
| Benefit | If an attacker compromises one server, they are blocked from moving laterally to the others |
| Implementation | Host-based firewall (per workload), NSX, Illumio, Guardicore, cloud security groups |
| Policy | Allow only necessary communication (web → app → db, never web → db directly) |
| Visibility | Map application flows first, understand the dependencies, then enforce |
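The "map flows first, then enforce" row is the step most micro-segmentation projects get wrong, so here is the workflow as an added example, not code from the original article or any of the products named in the table. It aggregates constructed flow records (in a VPC-flow-log-like shape) into tier-level dependencies, flags observed edges the design never intended, and then builds a per-workload inbound allowlist from the approved edges only. `TIER_OF`, `FLOWS` and `APPROVED_PATHS` are constructed inputs standing in for a CMDB, the flow-log export and the architecture diagram.

```python
# Added example (not from the original article): the "map flows first, then
# enforce" workflow for micro-segmentation. Workload inventory and flow
# records below are constructed in a VPC-flow-log-like shape.
from collections import defaultdict

# Constructed inventory: workload IP -> tier label (from tags/CMDB in practice).
TIER_OF = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.10": "app",
    "10.0.3.10": "db",
    "10.0.9.5": "mgmt",
}

# Constructed accepted flows: (src_ip, dst_ip, proto, dst_port, packets).
FLOWS = [
    ("10.0.1.10", "10.0.2.10", "tcp", 8080, 1200),
    ("10.0.1.11", "10.0.2.10", "tcp", 8080, 950),
    ("10.0.2.10", "10.0.3.10", "tcp", 5432, 4100),
    ("10.0.9.5",  "10.0.3.10", "tcp", 22, 12),
    ("10.0.1.10", "10.0.3.10", "tcp", 5432, 3),   # web -> db directly: not a designed path
]

# Paths the architecture intends (from the design, not from the flow data).
APPROVED_PATHS = {("web", "app"), ("app", "db"), ("mgmt", "db")}


def map_dependencies(flows):
    """Step 1 (visibility): aggregate observed flows into tier-level edges."""
    deps = defaultdict(set)   # (src_tier, dst_tier) -> {(proto, port)}
    for src, dst, proto, port, _packets in flows:
        deps[(TIER_OF[src], TIER_OF[dst])].add((proto, port))
    return dict(deps)


def review(deps):
    """Step 2 (understand): observed edges the design never asked for.
    These go to a human, not into the policy."""
    return {edge: svcs for edge, svcs in deps.items() if edge not in APPROVED_PATHS}


def build_policy(deps):
    """Step 3 (enforce): per-workload inbound allowlist built from approved
    edges only. Anything not listed is denied by the default rule."""
    policy = defaultdict(set)   # dst_ip -> {(src_tier, proto, port)}
    for (src_tier, dst_tier), services in deps.items():
        if (src_tier, dst_tier) not in APPROVED_PATHS:
            continue
        for ip, tier in TIER_OF.items():
            if tier == dst_tier:
                for proto, port in services:
                    policy[ip].add((src_tier, proto, port))
    return dict(policy)


def is_allowed(policy, src_ip, dst_ip, proto, port) -> bool:
    """Host-level enforcement: does the destination's allowlist admit this flow?
    Unknown sources have no tier and therefore never match."""
    src_tier = TIER_OF.get(src_ip)
    return (src_tier, proto, port) in policy.get(dst_ip, set())


if __name__ == "__main__":
    deps = map_dependencies(FLOWS)
    print("unexpected edges:", review(deps))
    policy = build_policy(deps)
    print("web->app :", is_allowed(policy, "10.0.1.10", "10.0.2.10", "tcp", 8080))
    print("web->db  :", is_allowed(policy, "10.0.1.10", "10.0.3.10", "tcp", 5432))
```

The flow data alone would have "learned" the web → db connection along with everything else, which is why the approved-path set comes from the design rather than from the logs: a learning mode that is promoted to enforcement without review simply codifies whatever the attacker (or a misconfigured app) was already doing.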
Firewall Policy Design
| Principle | Detail |
|---|---|
| Least Privilege | Allow only what is needed, deny everything else (default deny) |
| Zone-Based | Define security zones (Internet, DMZ, Internal, Management) → policy between zones |
| Application-Based | Policy by application name, not just port → "allow Zoom", not "allow UDP 8801" |
| User/Group-Based | Policy per AD group: Marketing → social media OK, Finance → banking apps only |
| Rule Order | Most specific first → general last → implicit deny at the bottom |
| Logging | Log all denied traffic and security events → SIEM correlation |
| Review | Quarterly rule review → remove unused rules, tighten overly broad rules |
| Change Control | All changes go through the change-management process → approve → implement → verify |
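The principles in the table interact: rule order decides whether a group-based exception actually fires, and the quarterly review needs hit counts and a shadowed-rule check to find the rules that can never match. The block below is an added example, not the original article's code or any vendor's rule engine: a first-match rule base with zone-, application- and group-based matching, an implicit deny that is always logged, and the two review helpers. The zones, application names, groups and the `RULES` list are constructed for the demonstration.

```python
# Added example (not from the original article): a first-match rule base
# with zone-, application- and group-based matching, implicit deny with
# logging, and two review helpers (shadowed rules, zero-hit rules). Zones,
# applications, groups and rules are constructed for the demonstration.
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None   # a None field matches anything


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    src_zone: Optional[str] = ANY
    dst_zone: Optional[str] = ANY
    apps: Optional[FrozenSet[str]] = ANY      # application names, not ports
    groups: Optional[FrozenSet[str]] = ANY    # identity groups, not IPs


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str
    group: str


def _covers(field, value) -> bool:
    """Does a rule field (None, a zone name, or a set) match one value?"""
    if field is ANY:
        return True
    return field == value if isinstance(field, str) else value in field


def matches(rule: Rule, s: Session) -> bool:
    return (_covers(rule.src_zone, s.src_zone) and _covers(rule.dst_zone, s.dst_zone)
            and _covers(rule.apps, s.app) and _covers(rule.groups, s.group))


class RuleBase:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.hits = Counter()            # rule name -> sessions matched (review input)
        self.deny_log: List[str] = []    # every deny, explicit or implicit, is logged

    def evaluate(self, s: Session) -> Tuple[str, str]:
        """First match wins; nothing matched falls to the implicit deny."""
        for rule in self.rules:
            if matches(rule, s):
                self.hits[rule.name] += 1
                if rule.action == "deny":
                    self.deny_log.append(f"DENY {rule.name} {s}")
                return rule.action, rule.name
        self.deny_log.append(f"DENY implicit-deny {s}")
        return "deny", "implicit-deny"

    def unused(self) -> List[str]:
        """Rules with zero hits over the review window: candidates for removal."""
        return [r.name for r in self.rules if self.hits[r.name] == 0]


def _subsumes(broad, narrow) -> bool:
    """Does field `broad` cover every value field `narrow` could match?"""
    if broad is ANY:
        return True
    if narrow is ANY:
        return False
    return broad == narrow if isinstance(broad, str) else narrow <= broad


def shadowed(rules: List[Rule]) -> List[str]:
    """Rules that can never fire because an earlier rule matches everything they would."""
    out = []
    for i, later in enumerate(rules):
        if any(all(_subsumes(getattr(earlier, f), getattr(later, f))
                   for f in ("src_zone", "dst_zone", "apps", "groups"))
               for earlier in rules[:i]):
            out.append(later.name)
    return out


# Constructed rule base. The group-based exception sits above the general deny
# (most specific first); the last social-media rule is ordered wrongly on purpose.
RULES = [
    Rule("allow-marketing-social", "allow", "internal", "internet",
         frozenset({"facebook", "linkedin"}), frozenset({"marketing"})),
    Rule("allow-zoom", "allow", "internal", "internet", frozenset({"zoom"})),
    Rule("deny-social", "deny", "internal", "internet",
         frozenset({"facebook", "linkedin", "tiktok"})),
    Rule("allow-web", "allow", "internal", "internet", frozenset({"web-browsing", "ssl"})),
    Rule("deny-tiktok", "deny", "internal", "internet", frozenset({"tiktok"})),   # shadowed by deny-social
    Rule("allow-mgmt-ssh", "allow", "management", "internal",
         frozenset({"ssh"}), frozenset({"it-ops"})),
]

if __name__ == "__main__":
    rb = RuleBase(RULES)
    print(rb.evaluate(Session("internal", "internet", "facebook", "marketing")))
    print(rb.evaluate(Session("internal", "internet", "facebook", "finance")))
    print(rb.evaluate(Session("internet", "internal", "ssh", "anonymous")))
    print("shadowed:", shadowed(RULES), "unused:", rb.unused())
```

Two things worth noticing when running it: `deny-tiktok` is reported as shadowed before any traffic is seen, because `deny-social` earlier in the list already covers every session it could match, whereas `allow-web` and `allow-mgmt-ssh` only show up as unused once the sample traffic has run, so the review has to be driven by real hit counts over the whole quarter, not by a single day of logs.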
Zero Trust + Firewall
| Zero Trust Principle | Firewall Implementation |
|---|---|
| Never Trust, Always Verify | Authenticate every session (user identity + device posture + context) |
| Least Privilege Access | Micro-segmentation + application-level policies (not just network-level) |
| Assume Breach | East-West inspection (not just North-South), monitor internal traffic |
| Continuous Verification | Re-evaluate trust throughout the session, not only at connection start |
| ZTNA (Zero Trust Network Access) | Replace VPN with per-application access (no network-level access) |
Firewall Deployment Patterns
| Pattern | Use Case |
|---|---|
| Perimeter (North-South) | Internet edge → traditional placement (still needed, but not sufficient alone) |
| Internal Segmentation | Between internal zones (DMZ ↔ Internal, Dev ↔ Prod) |
| Micro-Segmentation | Per-workload enforcement (VM, container, bare metal) |
| Cloud Firewall | Security groups, NVA (Network Virtual Appliance) in a cloud VPC |
| FWaaS (Firewall-as-a-Service) | Cloud-delivered firewall (Zscaler, Prisma Access, Netskope) |
| Distributed Firewall | Enforcement at every vNIC or switch port (VMware NSX, Cisco ACI) |
Closing thoughts: Firewall = Evolve or Be Bypassed

- Evolution: packet filter → stateful → UTM → NGFW → cloud/SASE
- NGFW: application-aware, user identity, SSL decrypt, IPS, threat intel, sandboxing
- Vendors: Palo Alto (security), Fortinet (price/performance), Cisco (ecosystem), Zscaler (cloud)
- Micro-segmentation: per-workload policy to stop lateral movement (NSX, Illumio, cloud security groups)
- Policy design: least privilege, zone-based, app-based, user/group-based, rule order, quarterly review
- Zero Trust: never trust, always verify; least privilege; assume breach; ZTNA replaces VPN
- Key point: a modern firewall is application-aware, identity-aware and built for Zero Trust, not just an IP/port filter