Barracuda CloudGen FirewallProtection and Performance for the Cloud Era

Florian Vojtech, Sales Engineer

Transportation Financial Retail Manufacturing Industry

Broadcasting Government NGO Healthcare

Legal

Food

CloudGen? Facebook is no longer the challenge

Technological and Digital Transformation

Cloud Service Utilization Connected ThingsPublic Cloud Computing

There are new requirements, environments and operators.

Additional attack surface, new vulnerabilities and threats

NextGen + SD-WAN + Cloud Ready

Cloud Generation Firewall

Speed of deployment ?

Initial Configuration ?

Cost of Deployment ?

Cost of small units ?

Virtual ?

Cloud ?

Mgmt. of hundreds of boxes?

Multiple Admins ?

Audit & traceability ?

Ongoing OPEX ?

Compliance ?

Reporting ?

Cost ?

Control ?

Security ?

Availability ?

Multi-Provider Mgmt. ?

Performance / Bandwidth ?

Data Theft

Spyware/Botnets

APT / Ransomware

Employee Productivity

Network Security / Hacking

Internet Access compliance

Operations

Security

Deployment

Connectivity &

Secure SD-WAN

Challenges Barracuda CloudGen Firewalls Solve

Zero Touch Deployment

Pool Licensing

Disaster Recovery

Multi-Tenancy

Native Cloud

Hardware

Virtual

Central Management & Lifecycle

Granular Admin Concept

Revision Control

Troubleshooting

GTI & Live Status

OPEX expenses

Reporting

Multi- ISP

WAN compr.

VPN + SSL-VPN

Traffic Intelligence

Traffic Shaping / QoS

Virtual WAN Balancing

Application-Based Link Selection

IPS/IDS

SSL Interception

User Awareness

Antivirus / Web Filter

Stateful FW + AppDetect

Advanced Threat Protection

(ATP)

+ Botnet & Spyware Detection

Operations

Security

Deployment

Challenges Barracuda CloudGen Firewalls Solve

Connectivity &

Secure SD-WAN

Security

10.) Malware Protection & Anti-

Virus

1.) Geo IP Control

2.) DoS / DDoS

8.) Web Filtering + Mail Security

4.) SSL Inspection

9.) File Content Filter

5.) Botnet & Spyware Protection

6.) Intrusion Prevention System

(IPS)

Advanced Threat Protection

On-box

Cloud Service

Barracuda

Global Threat

Intelligence Network

sing

le p

ass

in

spect

ion

continuous updates

upload for inspection

Threat Intelligence Push

7.) Application Control

3.) User Identity Awareness

1.) Advanced Signatures Analysis

2.) Behavioral & Heuristics

Analysis

4.) Sandboxing (Detonation)

3.) Static Code Analysis

Full Next-Generation Security

Advanced Threat Protection (ATP)

Supported Protocols• HTTP/S

• SMTP/S

• POP3/S

• FTP

Block file

Allow file

on-box malware protection

on-box IPS

on-box hash database Filetype Policies

• First Scan, Then Deliver

• First Deliver, Then Scan

Layered Defense-in-Depth• CPU Emulation based Sandbox

• Analysis and detonation of advanced threats

• Scans 900+ attributes in seconds

• Examination of commands in code / scripts for common viral

activities such as:

• File over-writes, replication, registry access, obfuscation

techniques etc.

• Analysis of suspicious coding such as:

• Excessively long timers and loops, that run for days etc.

• Signatures collection from and shared with over 250,000

endpoints

• Multi-opined A/V engines

• Blocks spam, viruses, phishing, and other traditional malware

Signatures Analysis

Static Analysis

Sandboxing

(CPU emulation)

Behavioral Analysis

Machine Learning

• Examines executable file without actually executing it

• De-obfuscates code constructs

• Rapid pre-filtering of malware prior to sandboxing

>95%

Eff

icie

ncy

4

3

2

1

ATP: Botnet & Spyware Protection

DNS Sinkhole using hostname reputation DB (needs ATP)

Malware Host

Command & Control Server

Bots

DNS Sinkhole

ATP - Threat

Intelligence

bad.com

1.2.3.4

bad.com?

1.2.3.4

bad.com

1.1.1.1

App Detection - Protect the Business

• Control and throttle acceptable traffic

• Preserve bandwidth and speed-up business critical applications

User Awareness

NTLM

LDAP/S

RSA SecurID x.509 TACACS

+

SMS Passcode

(VPN)

Local authentication database

Microsoft TSCitrix

TS

Active

DirectoryDC Agent

TS Agent

Wi-Fi Controllers

RADIUS

URL Filtering

• URL filter service with 96 categories

• Customizable response pages

• Allow / Block / Alert / Warn & Continue / Override

• White & Blacklists

File Content & User Agent Control

Connectivity &

Secure SD-WAN

Application-Based Provider Selection

Custom

App

General

Games

General Games

Custom

App

use X use Y use Zuse Y or Z

Application Control

ISP X

ISP Y

ISP Z

Application Usage & Risk Report.pdf

Traffic Intelligence / WAN Virtualization

xDSL

MPLS

xDSL

MPLS

Traffic Intelligence / WAN Virtualization

xDSL

MPLS

xDSL

MPLS

Surfing: 50% Class2

Email: 50% Class1

VoIP 50%: NoDelay

Business 50%: Class1

Traffic Intelligence / WAN Virtualization

xDSL

MPLS

xDSL

MPLSVoIP: 70% NoDelay

Business: 70% Class1

Email: 20% Class2

Surfing: 10% Class3

Traffic Intelligence / WAN Virtualization

xDSL

MPLS

xDSL

MPLS

LTE LTEVoIP: 90% NoDelay

Business: 90% Class1

Email: 10% Class2

No surfingOnly important applications

No surfing

Traffic Intelligence / WAN Virtualization

xDSL

MPLS

xDSL

MPLS

LTE LTE

VoIP: 70% NoDelay

Business: 70% Class1

Email: 20% Class2

Surfing: 10% Class3

Traffic Intelligence / WAN Virtualization

xDSL

MPLS

xDSL

MPLS

LTE LTE

Surfing: 50% Class2

Email: 50% Class1

VoIP 50%: NoDelay

Business 50%: Class1

Virtual WAN Balancing

Up to 24 Transports for one Tunnel

Session BalancingPacket Balancing

WAN Optimization

• De-Duplication & Data Caching

• Multiple Transport modes (Encapsulation)

• Compression (Stream/Packet)

• Application Acceleration

De-Duplication

Compression

Application Accel.

Caching

De-Duplication

CompressionTCP encapsulation

UDP encapsulation

HYBRID encapsulation

Dynamic Bandwidth/Latency Detection

• Initial Active Probing and Monitoring

• Passive Probing every 15mins

• Active Re-Probing every 60mins

Performance-based Traffic Selection

• Selection based on „Connection Object“

• Configuration per access/application rule

Adaptive Bandwidth Protection

• NoDelay (VoIP) QoS band is always prioritized over standard traffic

• Reserves 30% for NoDelay traffic

• Reserves 70% for standard traffic

• Traffic Duplication for VoIP

Dynamic Meshed VPN

Classic Hub&Spoke setup

Branch 1

Branch 6

Branch 5

Branch 2

Branch 3

Branch 4

HQ

Dynamic Meshed VPN

Hub detects traffic between branches

Branch 1

Branch 6

Branch 5

Branch 2

Branch 3

Branch 4

HQ

Dynamic Meshed VPN

Hub triggers automatic configuration update

Branch 1

Branch 6

Branch 5

Branch 2

Branch 3

Branch 4

HQ

Dynamic Meshed VPN

Branches create temporary tunnels

Branch 1

Branch 6

Branch 5

Branch 2

Branch 3

Branch 4

HQ

Effective Operations

VPN is hard to setup, to maintain, to troubleshoot?

User VPN access

Public Cloud

Private Cloud

Internal Apps

Hosted in Public Cloud

Hosted on-premises

CudaLaunch app

Browser-based

SSL VPN

VPN & NAC Client

Road

Warrior

Ad

Hoc

Home

Office

Barracuda’s Industry and IoT Solutions

Security Connectivity

Security

From Individualism to Patterns

From Individualism to Patterns

Connectivity

The Barracuda Approach

Zusammenspiel zwischen IT und OT

Rollout mit ZTD

SC SC SC SCSC

MASB

Konzeption einer smart Factory 4.0

Blueprint für Industrie 4.0 (IoT/ICS)

Blueprint für Industrie 4.0 (IoT/ICS)

Blueprint für Industrie 4.0 (IoT/ICS)

Blueprint für Industrie 4.0 (IoT/ICS)

Blueprint für Industrie 4.0 (IoT/ICS))

Blueprint für Industrie 4.0 (IoT/ICS)

Supporting Industrial Protocols

S7 Sub-Protocols:

S7 UserData - Mode Transition S7 Alarm Lock Indication S7 Forces

S7 Stop S7 Alarm Query S7 UserData - Other Functions

S7 Warm Restart S7 Message Service S7 PLC Password

S7 Run S7 Notify-8 Indication S7 PBC BSend/BRecv

S7 UserData - Cyclic Data S7 Diagnostic Message S7 Request/Response

S7 Cyclic Data Unsubscribe S7 Alarm-8 Lock S7 PLC Stop

S7 Cyclic Data Memory S7 Scan Indication S7 Write

S7 Cyclic Data DB S7 Alarm Unlock Indication S7 Download

S7 UserData - Block Functions S7 Alarm-SQ Indication S7 CPU Services

S7 List Blocks S7 Alarm-S Indication S7 Upload

S7 List Blocks of Given Type S7 UserData - Time Functions S7 PLC Control

S7 Get Block Info S7 Read Clock S7 Setup Communication

S7 UserData - CPU Functions S7 Set Clock S7 Read

S7 Read SZL S7 UserData - Programmer Commands S7 Other

S7 Notify Indication S7 Remove Diagnostic Data S7 Ack

S7 Alarm-8 Indication S7 Erase S7 Server Control

S7 Alarm-8 Unlock S7 Request Diagnostic Data S7 User Data

S7 Alarm Ack S7 Variable Table S7Comm (legacy)

S7 Alarm Ack Indication S7 Read Diagnostic Data

IEC 60870-5-104 Sub-Protocols

IEC 60870-5-104 Process Information in Monitoring Direction

IEC 60870-5-104 Integrated Totals with Time Tag IEC 60870-5-104 Single Command

IEC 60870-5-104 Measured Value - Short Floating Point Number

IEC 60870-5-104 Packed Start Events of Protection Equipment with Time Tag

IEC 60870-5-104 Set Point Command - Normalized Value

IEC 60870-5-104 Packed Single-Point Information with Status Change Detection

IEC 60870-5-104 System Information in Monitoring Direction

IEC 60870-5-104 Set Point Command - Scaled Value

IEC 60870-5-104 Measured Value - Normalized Value without Quality Descriptor

IEC 60870-5-104 End of Initialization IEC 60870-5-104 Set Point Command - Normalized Value with Time Tag

IEC 60870-5-104 Single-Point Information with Time Tag IEC 60870-5-104 System Information in Control Direction IEC 60870-5-104 Regulating Step Command

IEC 60870-5-104 Measured Value - Short Floating Point Number with Time Tag

IEC 60870-5-104 Counter Interrogation Command IEC 60870-5-104 Bitstring of 32 Bits

IEC 60870-5-104 Packed Output Circuit Information of Protection Equipment with Time Tag

IEC 60870-5-104 Read Command IEC 60870-5-104 Single Command with Time Tag

IEC 60870-5-104 Double-Point Information IEC 60870-5-104 Interrogation Command IEC 60870-5-104 Set Point Command - Short Floating - Point Number with Time Tag

IEC 60870-5-104 Step Position Information IEC 60870-5-104 Reset Process Command IEC 60870-5-104 Bitstring of 32 Bits with Time TagIEC 60870-5-104 Measured Value - Scaled IEC 60870-5-104 Delay Acquisition Command IEC 60870-5-104 Double CommandIEC 60870-5-104 Integrated Totals IEC 60870-5-104 Test Command with Time Tag IEC 60870-5-104 Set Point Command - Short Floating Point

NumberIEC 60870-5-104 Double-Point Information with Time Tag IEC 60870-5-104 File Transfer IEC 60870-5-104 Double Command with Time Tag

IEC 60870-5-104 Step Position Information with Time Tag IEC 60870-5-104 File Ready IEC 60870-5-104 Regulating Step Command with Time Tag

IEC 60870-5-104 Bitstring of 32 Bits with Time Tag IEC 60870-5-104 Section Ready IEC 60870-5-104 Set Point Command - Scaled Value with Time Tag

IEC 60870-5-104 Event of Protection Equipment with Time Tag

IEC 60870-5-104 Directory IEC 60870-5-104 Parameter in Control Direction

IEC 60870-5-104 Single-Point Information IEC 60870-5-104 Call Directory, Select File, Call File, Call Section

IEC 60870-5-104 Parameter of Measured Value -Normalized Value

IEC 60870-5-104 Bitstring of 32 Bit IEC 60870-5-104 ACK File - ACK Section IEC 60870-5-104 Parameter of Measured Value - Scaled Value

IEC 61850 Sub-ProtocolsIEC 61850 Goose IEC 61850 SMV

IEC 61850 MMS IEC 61850 General

MODBUS Sub-ProtocolsMODBUS Data Access MODBUS Mask Write Register MODBUS Report Server IDMODBUS Read Coils MODBUS Read FIFO Queue MODBUS Diagnostic Check

MODBUS Read Discrete Inputs MODBUS Read Input Register MODBUS Get Communication Event CounterMODBUS Read Holding Registers MODBUS File Access MODBUS Encapsulated Interface Transport

MODBUS Write Single Register MODBUS Read File Record MODBUS Read Device IdentificationMODBUS Read/Write Multiple Registers MODBUS Write File Record MODBUS CAN-Open General ReferenceMODBUS Write Single Coil MODBUS Diagnostics Modbus (legacy)MODBUS Write Multiple Coils MODBUS Read Exception StatusMODBUS Write Multiple Registers MODBUS Get Communication Event Log

DNP3 Sub-Protocols

DNP3 Control Functions DNP3 Start Application DNP3 Authentication ErrorDNP3 Operate DNP3 Stop Application DNP3 Freeze FunctionsDNP3 Select DNP3 Warm Restart DNP3 Freeze and ClearDNP3 Direct Operate DNP3 Initialize Data DNP3 Freeze with TimeDNP3 Direct Operate no ACK DNP3 Configuration DNP3 Immediate FreezeDNP3 Time Synchronization DNP3 Save Configuration DNP3 Freeze and Clear no ACK

DNP3 Delay Measurement DNP3 Enable Spontaneous Messages DNP3 Immediate Freeze no ACKDNP3 Record Current Time DNP3 Assign Class DNP3 Freeze with Time no ACKDNP3 Transfer Functions DNP3 Disable Spontaneous Messages DNP3 File Access

DNP3 Read DNP3 Activate Configuration DNP3 Open FileDNP3 Write DNP3 Response Messages DNP3 Delete File

DNP3 Confirm DNP3 Unsolicited Response DNP3 Abort FileDNP3 Application Control DNP3 Authentication Response DNP3 Authenticate File

DNP3 Cold Restart DNP3 Response DNP3 Close FileDNP3 Initialize Application DNP3 Other DNP3 Get File Info

DNP3 Authentication Request

FSC2 Family

FSC2.0

Deployment

Hardware – Entry Level / Branch OfficesF12 F18 F80 F82.DSLA F82.DSLB F180 F183 F183R F280

Firewall Throughput 1.2 Gbps 1.0 Gbps 1.5 Gbps 1.5 Gbps 1.5 Gbps 1.7 Gbps 2.0 Gbps 2.1 Gbps 3.7 Gbps

VPN Throughput 220 Mbps 190 Mbps 240 Mbps 240 Mbps 240 Mbps 300 Mbps 300 Mbps 320 Mbps 1.1 Gbps

IPS Throughput 400 Mbps400

Mbps400 Mbps 400 Mbps 400 Mbps 500 Mbps 580 Mbps 790 Mbps 1.2 Gbps

NGFW Throughput 250 Mbps340

Mbps400 Mbps 400 Mbps 400 Mbps 550 Mbps 700 Mbps 800 Mbps 1.0 Gbps

Threat Prot. Throughput 230 Mbps320

Mbps380 Mbps 380 Mbps 380 Mbps 480 Mbps 600 Mbps 700 Mbps 900 Mbps

Concurrent Sessions 80,000 80,000 80,000 80,000 80,000 100,000 100,000 100,000 250,000

New Sessions per Sec. 8,000 8,000 8,000 8,000 8,000 9,000 9,000 9,000 10,000

Form Factor Desktop Desktop Desktop Desktop Desktop Desktop Desktop Compact Desktop

1 GbE Copper 5x 4x 4x 4x 4x 6x 6x 5x 6x

1 GbE Fibre SFP - - - 1x 1x - 2x 2x -

10 GbE Fibre SFP+ - - - - - - - - -

Integrated Switch - - - - - 8-port - - 8-port

Integrated Modem - - - A, RJ11 B, RJ45 - - - -

Hardware – Mid LevelF400 F600

F380 .STD .F20 .C10 .C20 .F10 .F20 .E20

Firewall Throughput 5.2 Gbps 7.1 Gbps 9.0 Gbps 11 Gbps 11 Gbps 11 Gbps 11 Gbps 20 Gbps

VPN Throughput 1.4 Gbps 2.3 Gbps 2.3 Gbps 3.1 Gbps 3.1 Gbps 3.1 Gbps 3.1 Gbps 5.6 Gbps

IPS Throughput 2.0 Gbps 2.8 Gbps 3.0 Gbps 4,6 Gbps 4,6 Gbps 4,6 Gbps 4,6 Gbps 8.0 Gbps

NGFW Throughput 1.4 Gbps 2.2 Gbps 3.0 Gbps 4.2 Gbps 4.2 Gbps 4.2 Gbps 4.2 Gbps 6.4 Gbps

Threat Protection Throughput 1.2 Gbps 2.0 Gbps 2.7 Gbps 4,0 Gbps 4,0 Gbps 4,0 Gbps 4,0 Gbps 5.8 Gbps

Concurrent Sessions 400,000 500,000 500,000 2,100,000 2,100,000 2,100,000 2,100,000 2,100,000

New Sessions per Sec. 15,000 20,000 20,000 115,000 115,000 115,000 115,000 115,000

Form Factor 1U Rack 1U Rack 1U Rack 1U Rack 1U Rack 1U Rack 1U Rack 1U Rack

1 GbE Copper 8x 8x 8x 12x 12x 8x 8x 8x

1 GbE Fibre SFP - - 4x - - 4x 4x -

10 GbE Fibre SFP+ - - - - - - - 2x

Power Supply Single Single Dual Single Dual Single Dual Dual

Hardware – High LevelF800 F900 F1000

.CCC .CCF .CCE .CCC .CCE .CFE .CFEQ .CE0 .CE2 .CFE .CFEQ

Firewall Throughput 30 Gbps 30 Gbps 30 Gbps 35 Gbps 35 Gbps 35 Gbps45

Gbps40 Gbps 40 Gbps 40 Gbps 46 Gbps

VPN Throughput7.5

Gbps

7.5

Gbps

7.5

Gbps

9.3

Gbps

9.3

Gbps

9.3

Gbps13.5 Gbps 10 Gbps 10 Gbps 10 Gbps 10.3 Gbps

IPS Throughput8.3

Gbps

8.3

Gbps

8.3

Gbps11.3 Gbps 11.3 Gbps 11.3 Gbps 13 Gbps 13 Gbps 13 Gbps 13 Gbps 14 Gbps

NGFW Throughput7.7

Gbps

7.0

Gbps

7.0

Gbps

8.0

Gbps

8.0

Gbps

8.0

Gbps12 Gbps 10.2 Gbps 10.2 Gbps 10.2 Gbps 13 Gbps

Threat Prot.

Throughput

7.6

Gbps

7.6

Gbps

7.6

Gbps11.5 Gbps 11.5 Gbps 11.5 Gbps 11.5 Gbps

4.0

Gbps

4.0

Gbps

4.0

Gbps12 Gbps

Concurrent Sessions 2,500,000 2,500,000 2,500,000 4,000,000 4,000,000 4,000,000 4,000,000 10,000,000 10,000,000 10,000,000 10,000,000

New Sessions per Sec. 180,000 180,000 180,000 190,000 190,000 190,000 190,000 250,000 250,000 250,000 250,000

Form Factor 1U Rack 1U Rack 1U Rack 1U Rack 1U Rack 1U Rack 1U Rack 2U Rack 2U Rack 2U Rack 2U Rack

1 GbE Copper 24x 16x 16x 32x 16x 8x 8x 16x 32x 16x 16x

1 GbE Fibre SFP - 8x - - - 8x 8x - - 16x 16x

10 GbE Fibre SFP+ - - 4x - 8x 8x 4x 4x 8x 8x 6x

Virtual DeploymentVF10 VF25 VF50 VF100 VF250 VF500 VF1000 VF2000 VF4000 VF8000

# of protected IPs 10 25 50 100 250 500 unlimited unlimited unlimited unlimited

Allowed Cores 1 2 2 2 2 2 2 4 8 16

Available Subs

Malware Protection - Yes Yes Yes Yes Yes Yes Yes Yes Yes

Adv. Threat

Protection- Yes Yes Yes Yes Yes Yes Yes Yes Yes

Adv. Remote Access - Yes Yes Yes Yes Yes Yes Yes Yes Yes

Public Cloud DeploymentLevel 1 Level 2 Level 4 Level 6 Level 8

Virtual Cores 1 1 2 4 8

Protected IP

Addresses10 Unlimited Unlimited Unlimited Unlimited

Available Subs

Malware ProtectionOptiona

l

Optiona

l

Optiona

l

Optiona

l

Optiona

l

Adv. Threat

Protection

Optiona

l

Optiona

l

Optiona

l

Optiona

l

Optiona

l

Adv. Remote AccessOptiona

l

Optiona

l

Optiona

l

Optiona

l

Optiona

l

Premium SupportOptiona

l

Optiona

l

Optiona

l

Optiona

l

Optiona

l

Rollout Process = Disaster Recovery

Zero Touch Deployment

Deliver – Plug in – Play (manage)

Zero Touch Deployment

Lean IT • Zero-touch self-provisioning hardware for rapid deployment

• No on-site IT needed• Order the NGF appliance

• Configure NGF remotely

• Appliance arrives at location

• Plug in the NGF appliance

• Appliance self-provisioning

ZTD

Portal

1 NGF contacts ZTD Service

3 ZTD send basic config to NGF

Thank You