Why It’s Time to Upgrade to a Next-Generation Firewall

2 Why It’s Time to Upgrade to a Next-Generation Firewall
Eric Crutchlow Senior Product Manager, Network Security

8 Can your firewall tell you …
“Something came in over port 80. Do you know what it is?”
“What is your social media presence/exposure?”
“What are you allowing outbound from your network? … over SSL?”
“What portion of your bandwidth is consumed by video?”
“Is anyone playing social or other browser games?”
“Is there P2P traffic on your network?”
Other speakers on data – consistency with other speakers (Mike Mac/Yanchenson)

9 What Are Your Employees Doing?
25% of office Internet traffic is non-business related
50% of surveyed companies said at least 30% of their bandwidth is being consumed by social networking traffic
Blogging, Facebook, Twitter, IM, Streaming Video, Streaming Music, Browser Games
During the day – employees are “just” downloading files… or surfing … or IM’ing
Bandwidth, Cost, PRODUCTIVITY

10 What’s On Your Network?
So many on Port 80
Application Chaos, SSL Traffic, Port 80/443
Of course the problem is that almost all of these applications look to the network like legitimate web applications, and what’s an important productivity tool to one user may be a threat-laden time-sink for another. Traditional networking approaches haven’t really had the sophistication to sort this out, which has led to all sorts of trouble when it comes to protecting your network.
“Bad?” “Good?”

11 SECURITY: Malware Continues to Thrive
$$ Financial Gain: Zeus Botnet
“Beyond financial” Goals: Duqu, Aurora, Stuxnet
49% of breaches incorporated malware
83% of victims were targets of opportunity
Verizon Business RISK report 2011

12 Small Networks, Large Targets

14 Small Malware, Large Networks
Lockheed Martin/RSA Breach 2011
Recruitment Plan 2011.xls
Spear Phishing / Exploits Flash / Drops in an APT
“Lockheed Martin said on May 27 that it detected a ‘significant and tenacious attack on its information systems network.’” – Info Security Magazine
“In March RSA admitted that an “advanced persistent threat” attack had extracted information related to its Secure ID two-factor authentication products.”
Lockheed Martin Breach / Exfiltrates RSA Token data
APT = Advanced Persistent Threat

15 Can Your Firewall See the Threats?
Attack Vectors Through Seemingly Safe Applications

17 Why Do These Problems Persist?
Hidden traffic in SSL; Spear-Phishing; Browser Vulnerability; Flash 0-Day Vulnerability; Phishing; User Education; Excel Exploit; PDF Vulnerability; Threats over uncommon ports; Hijacked Ad Servers

19 SECURITY: INTRUSION PREVENTION, SSL DECRYPTION, SCAN ALL TRAFFIC

20 FINGERPRINT APPLICATIONS, IDENTIFY USERS, VISUALIZE TRAFFIC
SECURITY
APPLICATION AWARENESS: FINGERPRINT APPLICATIONS, IDENTIFY USERS, VISUALIZE TRAFFIC
SonicWALL 2011 All Rights Reserved

21 APPLICATION AWARENESS
SECURITY, APPLICATION AWARENESS
PERFORMANCE: HIGH THROUGHPUT, NO LATENCY, ANY SIZE NETWORK

23 What is a Next-Generation Firewall
NGFW FEATURES: Stateful Inspection, Intrusion Prevention, Application Control, SSL Decryption/Inspection
By Gartner’s definition, a NGFW must include all of the following:
Full Stateful Packet Inspection: i.e., must have traditional firewall capabilities
Intrusion Prevention: fast, enterprise-quality Deep Packet Inspection and prevention for intrusions
Application Control: ability to block/allow applications by identifying the specific applications, not relying on port or protocol
SSL Decryption: ability to inspect encrypted traffic (man in the middle) and take policy action
Beyond the Strict Definition of NGFW
Gartner generally wants to exclude Gateway Anti-Virus from the definition.
Palo Alto, Fortinet, and SonicWALL accept that in the tight definition, but all three companies offer the ability to have more complete anti-malware scanning if the user desires greater security.
Only SonicWALL can do so without dragging performance to unacceptable levels.
Only SonicWALL can inspect in real time any file size regardless of size of box (enterprise, mid-enterprise, small branch office).
SonicWALL also goes beyond just Application Control by offering Application Control, Throttling, Analysis and Visualization.
“By year-end 2014 [Next Generation Firewalls] will rise to 35% of the installed base, with 60% of new purchases being NGFWs.” - Gartner NGFW Research Note

24 Application Traffic Visualization

26 Network Analysis Tools
Do I have P2P on my Network? YES

27 Immediate Application Control
Do I have P2P on my Network? YES

28 Network Analysis Tools
“Who’s watching YouTube?”

30 User Identification
Single Sign On (AD/LDAP Integration), Local Login
Identify Top Bandwidth users

31 Identify Top Bandwidth Users

32 Connection Tracking by Country

33 Trace & Identify Network Connections

38 Control Your Network, Users & Traffic
BW Manage, Allow/Deny, Users, Applications, User Groups, Categories, Schedules

39 Off-box application traffic analytics
On-box reporting: Quick sample “right now”; Application control; For a single device
Today SonicWALL offers: Reassembly Free Deep Packet Inspection; Application Intelligence and Control; Onboard Visualization
Customers were asking us about integration with third party flow analytics tools such as Solarwinds, What’s Up Gold, Fluke Networks, Network Manage, Vineyard Networks, and also Plixer. We developed an IPFIX exporter for the firewall and started talking to these companies. What we found was that our templates 1) were very rich and 2) not many if any company had done this. If we did this on the firewall, these companies did not need to put an agent or appliance on the network.
Onboard visualization is an ideal tool …
To take a quick sample to determine what is currently being transmitted across the firewall.
To not only analyze the traffic but also take action via the application control features.
For customers who are only interested in the traffic through the SonicWALL firewall.
However, there’s also a need for an off-box tool: Historical advanced reporting, troubleshooting and forensics; On archived data; Across multiple devices
Off-box reporting: Historic advanced reporting; Troubleshooting, forensics; Schedule customer reports; Across multiple devices

40 Architecture Makes a Difference
Traditional Firewalls with Modules: Stateful Inspection Engine, Decompression, IPS Module, AV Module
NGFW Integrated Engine: DPI ENGINE, IPS, SSL Decryption, Threat Prevention, URL Filtering, App Visualization, Application Control
Diagram labels: buffering, buffering, buffering

41 Pattern Definition Language Interpreter Deep Packet Inspection Engine
The “RFDPI” Engine
Diagram labels: Signature, Signature, Input Packet, Output Packet, Pattern Definition Language Interpreter, TCP Reassembly, Postprocessors, Preprocessors, Deep Packet Inspection Engine, Policy Decision API
Massively Scalable Multi-Core Architecture

42 Branch NGFW: NSA 220 & 250M
Multi-core Branch Office Next Generation Firewall
NSA 220/W, NSA 250M/W
SECURITY & APPLICATION CONTROL

43 Branch NGFW: NSA 220 & 250M
NSA 220 Series Equipment Consolidation
Hardware Failover, ISP Failover, Load Balancing, Centralized Management, Secure Remote Access, Clean n Wireless
NSA 220 Series, NSA 250M Series

44 SuperMassive E10000 Series
World’s First 10Gbps Threat Prevention Platform
First 30 Gbps Application Intelligence Platform

45 SonicWALL Next-Generation Firewalls
SuperMassive™ E10000 Series (Data centers, ISPs): E10100, E10200, E10400, E10800
E-Class NSA Series (Medium to large organizations): NSA E8510, NSA E8500, NSA E7500, NSA E6500, NSA E5500
NSA Series (Branch offices and medium sized organizations): NSA 4500, NSA 3500, NSA 2400MX, NSA 2400, NSA 220/250M
TZ Series (Small and remote offices): TZ 210 Series

46 SonicGRID: Security Protection at Scale
6,000,000+ CloudAV Threat Sgtrs.
25,000 Onboard Threat Family Sgtrs.
Application Signatures
World Renowned Expertise
Active industry research contributor
100% IP ownership of all signatures

47 SonicWALL WAN Acceleration
WXA 500 Live CD, WXA 2000, WXA 4000, WXA 5000

48 SonicWALL Clean Wireless
SonicPoint-Ni, SonicPoint-Ne, SonicPoint-N Dual Radio

49 Next Generation Firewall
SECURITY, APPLICATION AWARENESS, PERFORMANCE

50 Take a Step Towards an NGFW
Secure Upgrade Program
Contact nearest Dell SonicWALL Reseller

51 The Net Sec Challenge – Enterprise
The SonicWALL Network Security Challenge works like this…
Generally for deployments with more than 100 users… E5500 and above, the SME version will work differently mostly using existing mechanisms but pulled into a single offer, with a name that we promote the hell out of:
Drop in an eval unit for 30 days
Generate the Audit report, describing what is getting through the old firewall
Convert the prospect to a buyer using the Secure Upgrade Plus offer
Consult on or manage their rules/policies conversion… or simply direct customer to the Converter Tool site
Offer them Loyalty Bundle preferred pricing as a way of welcoming them to SonicWALL
We’re working on vertically-focused versions of the audit report as we take the program forward
And of course, we’ll replicate and promote this process against all competitors

57 Q&A

