Why It’s Time to Upgrade to a Next-Generation Firewall
Eric Crutchlow
Senior Product Manager
Why It’s Time to Upgrade to a
Next-Generation Firewall
Eric Crutchlow
Senior Product Manager, Network Security
Can your firewall tell you …
Global Marketing
Can your firewall tell you …
“Something came in over port 80. Do you know what it is?”
“What is your social media presence/exposure?”
Global Marketing
Can your firewall tell you …
“Something came in over port 80. Do you know what it is?”
“What is your social media presence/exposure?”
“What are you allowing outbound from your network?
Global Marketing
Can your firewall tell you …
“Something came in over port 80. Do you know what it is?”
“What is your social media presence/exposure?”
“What are you allowing outbound from your network?
… over SSL?
Global Marketing
Can your firewall tell you …
“Something came in over port 80. Do you know what it is?”
“What is your social media presence/exposure?”
“What are you allowing outbound from your network?
… over SSL?
“What portion of your bandwidth is consumed by video?”
“Is anyone playing social or other browser games?
Global Marketing
Can your firewall tell you …
“Something came in over port 80. Do you know what it is?”
“What is your social media presence/exposure?”
“What are you allowing outbound from your network?
… over SSL?
“What portion of your bandwidth is consumed by video?”
“Is anyone playing social or other browser games?
“Is there P2P traffic on your network?”
Global Marketing
What Are Your Employees Doing?
• Blogging
25% of office Internet traffic is
non-business related
• Facebook
• Twitter
• IM
• Streaming Video
• Streaming Music
50% of surveyed companies
said at least 30% of their
bandwidth is being consumed
by social networking traffic
• Browser Games
Global Marketing
What’s On Your Network?
Application Chaos
So many on Port 80
Application Chaos
SSL Traffic
Port 80/443
“Bad?”
“Good?”
Global Marketing
SECURITY: Malware Continues to Thrive
Financial Gain
Zeus Botnet
“Beyond financial” Goals
Duqu, Aurora, Stuxnet
Verizon Business RISK report 2011
Global Marketing
Small Networks, Large Targets
http://on.wsj.com/pSk2Nn
http://online.wsj.com/article/SB10001424052702304567604576454173706460768.html
Global Marketing
Small Malware, Large Networks
Lockheed Martin/RSA Breach 2011
Recruitment Plan 2011.xls
APT = Advanced Persistent Threat
http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Global Marketing
Small Malware, Large Networks
Lockheed Martin/RSA Breach 2011
Recruitment Plan 2011.xls
Spear Phishing Email
Exploits Flash
Lockheed Martin Breach
Drops in an APT
Exfiltrates RSA Token data
APT = Advanced Persistent Threat
http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Global Marketing
Can Your Firewall See the Threats?
Attack Vectors Through Seemingly Safe Applications
http://www.zdnet.com/blog/security/another-day-another-adobe-pdfreader-security-hole/7693
Global Marketing
Can Your Firewall See the Threats?
Attack Vectors Through Seemingly Safe Applications
http://www.zdnet.com/blog/security/another-day-another-adobe-pdfreader-security-hole/7693
http://glanceworld.com/the-worst-security-flaw-in-adobedownload-manager.html
Global Marketing
Why Do These Problems Persist?
Hidden traffic in SSL
Spear-Phishing
Browser
Vulnerability
Flash 0-Day
Vulnerability
Phishing
User Education
Excel Exploit
PDF Vulnerability
Threats over
uncommon ports
Hijacked Ad Servers
Global Marketing
Why Do These Problems Persist?
Hidden traffic in SSL
Spear-Phishing
Browser
Vulnerability
Flash 0-Day
Vulnerability
Phishing
User Education
Excel Exploit
PDF Vulnerability
Threats over
uncommon ports
Hijacked Ad Servers
Global Marketing
SECURITY
• INTRUSION PREVENTION
• SSL DECRYPTION
• SCAN ALL TRAFFIC
Global Marketing
SECURITY
APPLICATION AWARENESS
• FINGERPRINT APPLICATIONS
• IDENTIFY USERS
• VISUALIZE TRAFFIC
20
SonicWALL 2011 All Rights Reserved
Global Marketing
SECURITY
APPLICATION AWARENESS
PERFORMANCE
• HIGH THROUGHPUT
• NO LATENCY
• ANY SIZE NETWORK
21
SonicWALL 2011 All Rights Reserved
Global Marketing
What is a Next-Generation Firewall
NGFW FEATURES
•
•
•
•
Stateful Inspection
Intrusion Prevention
Application Control
SSL Decryption/Inspection
Global Marketing
What is a Next-Generation Firewall
NGFW FEATURES
•
•
•
•
Stateful Inspection
Intrusion Prevention
Application Control
SSL Decryption/Inspection
“By year-end 2014 [Next Generation Firewalls] will rise to 35% of
the installed base, with 60% of new purchases being NGFWs.”
- Gartner NGFW Research Note
Global Marketing
Application Traffic Visualization
Global Marketing
Network Analysis Tools
Do I have P2P on my Network?
Global Marketing
Network Analysis Tools
Do I have P2P on my Network? YES
Global Marketing
Immediate Application Control
Do I have P2P on my Network? YES
Global Marketing
Network Analysis Tools
“Who’s watching YouTube?”
Global Marketing
Network Analysis Tools
“Who’s watching YouTube?”
Global Marketing
User Identification
• Single Sign On (AD/LDAP Integration)
• Local Login
• Identify Top Bandwidth users
Global Marketing
Identify Top Bandwidth Users
Global Marketing
Connection Tracking by Country
Global Marketing
Trace & Identify Network Connections
Global Marketing
Control Your Network, Users & Traffic
Global Marketing
Control Your Network, Users & Traffic
Global Marketing
Control Your Network, Users & Traffic
Global Marketing
Control Your Network, Users & Traffic
Global Marketing
Control Your Network, Users & Traffic
Global Marketing
Off-box application traffic analytics
On-box reporting
Quick sample “right now”
Application control
For a single device
Off-box reporting
Historic advanced reporting
Trouble shooting, forensics
Schedule customer reports
Across multiple devices
Global Marketing
Architecture Makes a Difference
Traditional Firewalls
with Modules
NGFW Integrated
Engine
Stateful
Inspection
Engine
Decompression
buffering
IPS Module
buffering
AV Module
buffering
Global Marketing
The “RFDPI” Engine
Input Packet
Signature
Signature
Output Packet
Pattern Definition Language Interpreter
TCP Reassembly
Preprocessors
Postprocessors
Deep Packet Inspection Engine
Policy Decision
API
Massively Scalable Multi-Core Architecture
Global Marketing
Branch NGFW: NSA 220 & 250M
Multi-core Branch Office Next Generation Firewall
NSA 220/W
SECURITY & APPLICATION CONTROL
NSA 250M/W
Global Marketing
Branch NGFW: NSA 220 & 250M
NSA 220 Series




Equipment Consolidation



Centralized Management
Hardware Failover
ISP Failover
Load Balancing
Secure Remote Access
Clean 802.11n Wireless
NSA 250M Series
Global Marketing
SuperMassive E10000 Series
World’s First 10Gbps Threat Prevention Platform
First 30 Gbps Application Intelligence Platform
Global Marketing
SonicWALL Next-Generation Firewalls
SuperMassive™ E10000 Series
Data centers, ISPs
E10100
E10200
E10400
E10800
NSA E7500
NSA E6500
NSA E5500
NSA 2400MX
NSA 2400
E-Class NSA Series
Medium to large
organizations
NSA E8510
NSA E8500
NSA Series
Branch offices and
medium sized organizations
NSA 4500
NSA 3500
NSA 220/250M
TZ Series
Small and remote
offices
TZ 210 Series
Global Marketing
SonicGRID:
Security Protection at Scale
• 6,000,000+ CloudAV Threat Sgtrs.
• 25,000 Onboard Threat Family Sgtrs.
• 3500+ Application Signatures
•
•
•
World Renowned Expertise
Active industry research contributor
100% IP ownership of all signatures
Global Marketing
SonicWALL WAN Acceleration
WXA 500 Live CD
WXA 2000
WXA 4000
WXA 5000
Global Marketing
SonicWALL Clean Wireless
SonicPoint-Ni
SonicPoint-Ne
SonicPoint-N
Dual Radio
Global Marketing
Next Generation Firewall
SECURITY
APPLICATION AWARENESS
PERFORMANCE
Global Marketing
Take a Step Towards an NGFW
Secure Upgrade Program
Contact nearest Dell SonicWALL Reseller
http://www.sonicwall.com/us/howtobuy.html
Global Marketing
The Net Sec Challenge – Enterprise
Global Marketing
The Net Sec Challenge – Enterprise
Global Marketing
The Net Sec Challenge – Enterprise
Global Marketing
The Net Sec Challenge – Enterprise
Global Marketing
The Net Sec Challenge – Enterprise
Global Marketing
The Net Sec Challenge – Enterprise
Global Marketing
57
Q&A