Source: sfbay.issa.org/comm/presentations/2011/feb.pdf
TRANSCRIPT
-
Fortinet Confidential
Next Generation Firewall Myth, Legend & Reality
Jared Hufferd (FortiJared)
Major Accounts
-
Why Next Generation Firewall?
• "To meet the current and coming generation of network security threats, Gartner believes firewalls need to evolve yet again to what we have been calling 'next-generation firewalls'"
* Gartner, Defining the Next-Generation Firewall, John Pescatore, Greg Young
-
Why Next Generation Firewall?
"As service-orientated architectures grow in use, more communication is going through fewer ports (such as HTTP/S) and via fewer protocols, meaning port/protocol based policy has become less relevant and less effective."
* Gartner, Defining the Next-Generation Firewall, John Pescatore, Greg Young
-
Why Next Generation Firewall?
Traditional Network Security Solutions
• Stand-alone, non-integrated security
• Mix of off-the-shelf systems and applications
• Higher total cost of ownership
• Difficult to deploy / manage / use
NGFW
• Real-time, integrated security intelligence
• Hardware-accelerated performance
• Lower total cost of ownership
• Easy to deploy / manage / use
-
What is a Next Generation Firewall?
• NGFW — not quite a scientific term but more than just pure marketing — remains unsettled.
By Ellen Messmer, Network World, December 01, 2010
http://www.networkworld.com/newsletters/sec/2010/072610sec1.html?page=1
http://www.networkworld.com/Home/emessmer.html
-
Myth 1:
NGFW is nothing like existing "First Generation Firewalls"
-
What is a Next Generation Firewall?
• "As a minimum, an NGFW will have the following attributes:
  • Support in-line bump-in-the-wire configuration…
  • Act as a platform for network traffic inspection and network security policy enforcement, with…
  • Standard first-generation firewall capabilities.
  • …Use packet filtering, network address translation (NAT), stateful protocol inspection, VPN capabilities and so on.
  • Integrated rather than merely colocated network intrusion prevention
  • Application awareness and full stack visibility
  • Extra-firewall intelligence: e.g. directory integration"
* Gartner, Defining the Next-Generation Firewall, John Pescatore, Greg Young
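The two Gartner points on this and the earlier slide (port/protocol policy loses effectiveness once most applications ride HTTP/S, and an NGFW therefore adds application awareness plus directory integration on top of first-generation packet filtering) can be made concrete with a small model. The Python script below is an added illustration, not code from the slides, Fortinet or Gartner: it contrasts a port-only rule with an application-aware, group-aware rule over constructed flows. The addresses, host names, user-to-group mapping and rule tables are invented for the demo, and the TLS ClientHello parser handles only the minimal hello the script itself builds.

```python
"""Added example (not from the slides): port/protocol policy versus an
application-aware, directory-integrated policy, evaluated over constructed
flows. No real firewall product or API is involved."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes  # first client-to-server bytes of the session (constructed)


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying a server_name extension."""
    name = sni.encode("ascii")
    sni_ext = (struct.pack("!HH", 0, len(name) + 5)                  # type 0, ext length
               + struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    body = (b"\x03\x03" + b"\x00" * 32          # client version + 32-byte random
            + b"\x00"                            # session id length 0
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(payload: bytes) -> Optional[str]:
    """Return the SNI host name from a TLS ClientHello, or None if it is not one."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        i = 43                                   # record hdr 5 + handshake hdr 4 + version 2 + random 32
        i += 1 + payload[i]                      # session id
        i += 2 + struct.unpack("!H", payload[i:i + 2])[0]   # cipher suites
        i += 1 + payload[i]                      # compression methods
        end = i + 2 + struct.unpack("!H", payload[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[i:i + 4])
            i += 4
            if etype == 0:                       # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", payload[i + 3:i + 5])[0]
                return payload[i + 5:i + 5 + name_len].decode("ascii", "replace")
            i += elen
    except (IndexError, struct.error):           # truncated or malformed hello
        return None
    return None


def identify_app(flow: Flow) -> Tuple[str, Optional[str]]:
    """Classify by what the bytes are, not by which port they arrive on."""
    p = flow.payload
    sni = tls_sni(p)
    if sni is not None:
        return "tls", sni
    if p.startswith(b"SSH-"):
        return "ssh", None
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        host = None
        for line in p.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line[5:].strip().decode("ascii", "replace")
        return "http", host
    return "unknown", None


# First-generation style rule: decide on destination port alone.
PORT_RULES = {80: "allow", 443: "allow"}          # anything else is dropped


def port_policy(flow: Flow) -> str:
    return PORT_RULES.get(flow.dst_port, "deny")


# Application-aware rule set with a constructed directory lookup for the source.
USER_GROUPS = {"10.0.1.10": "finance", "10.0.2.20": "engineering"}
# (group, application, host pattern, verdict); first match wins, "*" matches anything
APP_RULES = [
    ("*",           "ssh",  "*",               "deny"),   # SSH on any port, 443 included
    ("finance",     "tls",  "erp.example.com", "allow"),
    ("engineering", "tls",  "*",               "allow"),
    ("*",           "http", "*",               "allow"),
]


def app_policy(flow: Flow) -> str:
    app, host = identify_app(flow)
    group = USER_GROUPS.get(flow.src_ip, "unknown")
    for g, a, h, verdict in APP_RULES:
        if g in ("*", group) and a == app and h in ("*", host):
            return verdict
    return "deny"                                 # default deny


def compare(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (port verdict, app verdict) per flow so the two models can be compared."""
    return [(port_policy(f), app_policy(f)) for f in flows]


SAMPLE_FLOWS = [  # constructed sessions
    Flow("10.0.1.10", 443, build_client_hello("erp.example.com")),    # finance -> ERP over TLS
    Flow("10.0.1.10", 443, build_client_hello("files.example.net")),  # finance -> unapproved site
    Flow("10.0.2.20", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),               # SSH carried over 443
    Flow("10.0.2.20", 8080, b"GET / HTTP/1.1\r\nHost: intranet.example.org\r\n\r\n"),  # HTTP on odd port
]

if __name__ == "__main__":
    for f, (p, a) in zip(SAMPLE_FLOWS, compare(SAMPLE_FLOWS)):
        print(f"{f.src_ip} -> :{f.dst_port} {identify_app(f)!s:40} port-rule={p:5} app-rule={a}")
```

The port rule passes all three port-443 flows, including the SSH session, and drops the harmless HTTP request only because it uses 8080; the application-aware rule reaches the opposite verdict on two of the four flows because it keys on the identified application, the SNI host and the source user's group rather than the port number.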
-
• What NGFW is NOT…
-
What NGFW is not
• Stand-alone Application Control solutions
• Network-based data loss prevention (DLP) appliances
• Secure Web gateways (SWG)
• Messaging security gateways
• SMB multifunction firewall / UTM: …do not provide application awareness…integrates single-engine products.
-
Enterprise UTM?
• What about Enterprise-class Unified Threat Management appliances with application awareness, multi-engines, tight integration?
-
Myth 2:
The analysts all agree on NGFW
-
Enterprise UTM – Covered by IDC
Features shown on the slide:
• Antivirus / Antispyware
• Data Loss Prevention
• Antispam
• WAN Optimization
• Endpoint Protection
• Firewall
• VPN
• IPS
• Web Filtering
• App Control
• Vulnerability Mgmt
• Wireless LAN
• IPv6, Dynamic Routing
• SSL Inspection
• Endpoint NAC
-
Myth 3:
There is only one NGFW vendor
-
Who’s in the game
-
Common Abilities Above 1st Generation
• User Control
• Content Control
• Application Control
• DLP / AV / WCF
• SSL Inspection
-
Processing Power is Key
(slide © 2009 Palo Alto Networks. Proprietary and Confidential.)
• Up to 10Gbps, Low Latency
• Offload Processor
• Multi-Core CPU
-
Myth 4:
NGFW are widely adopted
-
"Today we believe that less than 1% of interconnections secured today are using NGFW," says Gartner analyst Greg Young. But he predicts that number will hit 35% by 2014.
-
Recommendations
• If you have not yet deployed network intrusion prevention, require NGFW capabilities of all vendors at your next firewall refresh point.
• If you have deployed both network firewalls and network intrusion prevention, synchronize the refresh cycle for both technologies and migrate to NGFW capabilities.
• If you use managed perimeter security services, look to move up to managed NGFW services at the next contract renewal.
* Gartner, Defining the Next-Generation Firewall, John Pescatore, Greg Young