Hardening the Education IT Environment with NGFW
Narongveth Yutithammanurak
Business Development Manager, 23 Feb 2012
Technology Trends
• Security
• Performance
Security-as-a-ServicePage 2
• Bandwidth
• Efficiency
• Manageability
What are students and staff doing?
• Web surfing
• Twitter, Facebook
• Downloading files
• Instant messaging
• Streaming video
• Streaming audio
• Playing games online
• Personal email
These things we know?
• Port 80 is much more than web browsing
• Port 443 is an encrypted mystery
• Other ports are being exploited

The same three flows as a port-based firewall sees them (address, port, protocol, and a guess) and as an NGFW identifies them (user and application):

User            Port   Protocol  Application
203.12.145.34   80     HTTP      Web browsing?
Anna Stand      80     IM        Yahoo-IM
124.50.13.45    443    HTTPS     Secure banking?
Paul Donson     443    Email     Google Gmail
224.100.30.6    5060   SIP       VoIP?
John Buly       20129  P2P       Orbit downloader
Beyond Threats
• Most traffic is not threat-based; it is applications and data
• An application can be good, bad or in-between
  – Good: salesforce.com
  – Bad: badworm.exe
  – In-between: P2P, streaming video & audio
Common Questions... to the Admin
• Where is this TRAFFIC coming from?
• What APPLICATIONS are really on the network?
• Where is ALL my BANDWIDTH going?
• What are the THREATS?
Device Expectations
• Application awareness and visibility
• Integrated full IPS without compromising performance
• Intelligence to identify users
• Standard firewall capabilities
• Multiple deployment options
NGFW Definition
• Stateful inspection
• Intrusion prevention
• Application control
• SSL decryption/inspection
“By year-end 2014 [Next-Generation Firewall]
will rise to 35% of the installed base, with 60%
of new purchases being NGFWs.”
Source: Gartner NGFW research note
What an NGFW should do...
• Identify applications and users regardless of port, address or packet framing
  – Ports ≠ Applications
  – IP addresses ≠ Users
  – Packets ≠ Content
• Protect in real time against threats
• Granular visibility and policy control
  – Application access / functionality
• Multi-gigabit throughput with no performance degradation
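The three inequalities above, and the slide-4 table, in working code. This is an added example and not code from the original presentation or from any vendor's product: a small classifier that looks only at the first payload bytes of a flow, ignores the destination port, and recognises HTTP (with the Host header), Yahoo Messenger (the YMSG magic), a TLS ClientHello (reporting the server name from the SNI extension, which is visible without SSL decryption), SIP and the BitTorrent handshake. The port-guess table, the detection rules and every sample flow, address and payload are constructed assumptions of this example, not a product signature set.

```python
"""Payload-based application identification that ignores the destination port.

Added example (not from the original presentation or any product): the detection
rules, port-guess table and all sample flows below are constructed for illustration.
"""
import re
import struct

# What a port-based firewall assumes the traffic is (assumed mapping).
PORT_GUESS = {80: "HTTP", 443: "HTTPS", 5060: "SIP"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS|DELETE|CONNECT) \S+ HTTP/1\.[01]\r\n")
SIP_REQUEST = re.compile(rb"^(INVITE|REGISTER|OPTIONS) sip:\S+ SIP/2\.0\r\n")


def tls_sni(payload):
    """Return the server name from a TLS ClientHello's SNI extension, else None.

    Parses the cleartext handshake only, so it needs no SSL decryption."""
    try:
        # Record: type(1) version(2) length(2); handshake: type(1) length(3) body
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        body = payload[9:9 + int.from_bytes(payload[6:9], "big")]
        pos = 2 + 32                                           # client_version + random
        pos += 1 + body[pos]                                   # session id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                                   # compression methods
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack(">H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        pass                                                   # truncated or not a ClientHello
    return None


def identify_application(payload):
    """Name the application from the first bytes of a flow, whatever port it uses."""
    if payload.startswith(b"YMSG"):                            # Yahoo Messenger protocol magic
        return "Yahoo-IM"
    if payload[:20] == b"\x13BitTorrent protocol":             # BitTorrent handshake, any client version
        return "P2P/BitTorrent"
    if SIP_REQUEST.match(payload):
        return "SIP/VoIP"
    if HTTP_REQUEST.match(payload):
        host = re.search(rb"\r\nHost: *([^\r\n]+)", payload)
        if host:
            return "HTTP web browsing (%s)" % host.group(1).decode("ascii", "replace")
        return "HTTP"
    sni = tls_sni(payload)
    if sni:
        return "TLS to " + sni
    return "unknown"


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample data)."""
    name = server_name.encode("ascii")
    sni_ext = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack(">HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32                # client_version, random
            + b"\x00"                                 # empty session id
            + struct.pack(">H", 2) + b"\xc0\x2f"      # one cipher suite
            + b"\x01\x00"                             # one compression method (null)
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


SAMPLE_FLOWS = [  # (source, destination port, first payload bytes); all constructed
    ("203.12.145.34", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n\r\n"),
    ("203.12.145.35", 80, b"YMSG" + b"\x00\x10" + b"\x00" * 10),
    ("124.50.13.45", 443, build_client_hello("mail.google.com")),
    ("224.100.30.6", 5060, b"INVITE sip:bob@example.edu SIP/2.0\r\nVia: SIP/2.0/UDP 224.100.30.6\r\n\r\n"),
    ("10.0.5.77", 20129, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"\xbb" * 20),
]


def classify_flows(flows):
    """Return (source, port, port-based guess, payload-based identification) per flow."""
    return [(src, port, PORT_GUESS.get(port, "?"), identify_application(payload))
            for src, port, payload in flows]


if __name__ == "__main__":
    for src, port, guess, app in classify_flows(SAMPLE_FLOWS):
        print("%-15s %-6d port says %-6s payload says %s" % (src, port, guess, app))
```

Running the block prints one line per flow; the port column is wrong or uninformative for three of the five flows, while the payload column names the application in every case. A production engine does the same on reassembled streams with thousands of signatures, but the principle is identical: classify on content, then decide.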
Control Network, Users & Traffic
• Bandwidth management or block
• By user or group, with exceptions
• By schedule
• By app (category, app, function)
NGFW Technology
Next Generation Requirements / Solution Features
• Consolidated & integrated security technology
• Application visibility: inspection of real-time & latency-sensitive applications/traffic
• Scalable & high performing enough to protect against perimeter and internal network challenges
Multi-Tiered Protection Technology
1. Patented Reassembly-Free DPI (RFDPI): DPI protects against network risks
2. Multi-core high-performance architecture: multi-core scanning in real time
3. Dynamic security architecture: dynamic network protections
NGFW Features
• Application intelligence and control
• Gateway security
  – Intrusion Prevention Service (IPS)
  – Anti-Virus and Anti-Spyware
• URL Filtering Service
• Bandwidth management (QoS)
• User authentication
Powerful Application Policy Creation
• "Allow IM, but block file transfer"
• "Allow Facebook, but block Farmville"
• "Allow Facebook, but block all Facebook applications"
Application Use Enforcement
• Policy: all staff must use IE 9.0
• Mission: ensure all PCs are using IE 9.0
• Solution:
  – Create a policy that looks for User-Agent = MSIE 9.0 in HTTP
  – Allow IE 9.0 traffic and block other browsers
Deny FTP Upload
• Need to make sure only authorized staff can upload files and nobody else can
• Create a policy that allows FTP PUT only for certain people
Block Forbidden Files and Notify
• Block an EXE file
  – from being downloaded
  – as an email attachment
  – from being transferred via FTP
• Create a policy to block forbidden file extensions
Keep P2P Under Control
• P2P applications steal bandwidth and bring in malicious files
• A P2P application can evade a simple signature just by changing its version number
• Create a policy that detects P2P applications by their protocol behaviour, not by version string
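The policies on the four slides above (IE 9.0 only, FTP upload only for authorized staff, block forbidden executables and notify) as one added example. This is not code from the original presentation or from any product: it is a single policy function applied to already-parsed HTTP, FTP and SMTP events, with an IP-to-user map and a group table standing in for the directory lookup. Two caveats a practitioner would add: the User-Agent header is written by the client and is trivially changed, so the IE 9.0 rule enforces a usage policy among cooperating PCs rather than stopping a determined user; and extension-based blocking is defeated by renaming, so the HTTP rule also checks the first two bytes of the response body for the PE "MZ" header. All events, user names, addresses and the forbidden-extension set are constructed assumptions.

```python
"""Application-level policy checks an NGFW applies to parsed HTTP, FTP and SMTP events.

Added example: the rules implement the slide policies (IE 9.0 only, FTP upload only
for authorized staff, block forbidden executables and notify). The user-to-IP map and
group table stand in for an AD/LDAP lookup; every event below is constructed sample data.
"""
import os
from dataclasses import dataclass

# Assumed identity data (in a deployment this comes from the directory / SSO agent).
IP_TO_USER = {"10.1.1.10": "anna.stand", "10.1.1.11": "paul.donson", "10.1.1.12": "john.buly"}
GROUPS = {"ftp-uploaders": {"paul.donson"}}

REQUIRED_BROWSER_TOKEN = "MSIE 9.0"   # substring the IE 9 User-Agent carries (client-controlled!)
FORBIDDEN_EXTENSIONS = {".exe"}       # assumed policy: only EXE is forbidden in this example
PE_MAGIC = b"MZ"                      # DOS/PE header; catches an .exe renamed to .pdf


@dataclass
class Event:
    src_ip: str
    kind: str      # "http", "ftp" or "smtp"
    fields: dict   # parsed protocol fields; see SAMPLE_EVENTS for the keys used


def user_for(ip):
    return IP_TO_USER.get(ip, "unknown")


def in_group(user, group):
    return user in GROUPS.get(group, set())


def forbidden_name(filename):
    return os.path.splitext(filename.lower())[1] in FORBIDDEN_EXTENSIONS


def evaluate(event):
    """Return (action, reason); action is 'allow', 'block' or 'block+notify'."""
    user = user_for(event.src_ip)
    f = event.fields
    if event.kind == "http":
        ua = f.get("User-Agent", "")
        if REQUIRED_BROWSER_TOKEN not in ua:
            return "block", "%s: browser is not IE 9.0 (%s)" % (user, ua)
        path = f.get("path", "")
        # Extension check plus magic-byte check on the start of the response body.
        if forbidden_name(path) or f.get("response_body", b"").startswith(PE_MAGIC):
            return "block+notify", "%s: executable download %s" % (user, path)
        return "allow", "%s: web request %s" % (user, path)
    if event.kind == "ftp":
        cmd, arg = f["command"], f.get("argument", "")
        if cmd == "STOR" and not in_group(user, "ftp-uploaders"):   # STOR is what a client 'put' sends
            return "block", "%s: FTP upload not authorized" % user
        if cmd in ("STOR", "RETR") and forbidden_name(arg):
            return "block+notify", "%s: executable over FTP %s" % (user, arg)
        return "allow", ("%s: FTP %s %s" % (user, cmd, arg)).rstrip()
    if event.kind == "smtp":
        bad = [a for a in f.get("attachments", []) if forbidden_name(a)]
        if bad:
            return "block+notify", "%s: executable attachment %s" % (user, bad[0])
        return "allow", "%s: mail to %s" % (user, f.get("to", "?"))
    return "allow", "%s: no policy for %s" % (user, event.kind)


IE9 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

SAMPLE_EVENTS = [  # constructed
    Event("10.1.1.10", "http", {"User-Agent": IE9, "path": "/courses/index.html"}),
    Event("10.1.1.10", "http", {"User-Agent": FIREFOX, "path": "/"}),
    Event("10.1.1.12", "http", {"User-Agent": IE9, "path": "/dl/setup.exe"}),
    Event("10.1.1.12", "http", {"User-Agent": IE9, "path": "/dl/notes.pdf", "response_body": b"MZ\x90\x00"}),
    Event("10.1.1.11", "ftp", {"command": "STOR", "argument": "grades.csv"}),
    Event("10.1.1.12", "ftp", {"command": "STOR", "argument": "grades.csv"}),
    Event("10.1.1.11", "ftp", {"command": "RETR", "argument": "tool.EXE"}),
    Event("10.1.1.10", "smtp", {"to": "friend@example.net", "attachments": ["photo.jpg", "game.exe"]}),
]


def run_policy(events):
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, (action, reason) in zip(SAMPLE_EVENTS, run_policy(SAMPLE_EVENTS)):
        print("%-12s %-5s %s" % (action, event.kind, reason))
```

The "block+notify" action is where the slide's "and notify" belongs: the caller raises an alert (syslog, e-mail to the admin) in addition to dropping the session. Note that the renamed executable (`notes.pdf` with an `MZ` body) is caught only because the rule looks past the file name.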
Intrusion Prevention Service (IPS)
• Application vulnerabilities, buffer overflows
• Scans for worms, Trojans, software vulnerabilities, backdoor exploits, and other types of malicious attacks
• Utilizes a comprehensive signature database
• Focuses on known malicious traffic, which
  – decreases false positives
  – increases network reliability and performance
Gateway Anti-Virus and Anti-Spyware
• High-performance engine scans for viruses, spyware, worms, Trojans and application exploits
• Continually updated database of threat signatures
• Inter-zone scanning also delivers protection between internal network zones
Content Filtering Service
• Granular content filtering
• Dynamically updated rating architecture
• Application traffic analytics
• Easy-to-use web-based management
• High-performance web caching and rating architecture
• IP-based HTTPS content filtering
• Scalable, cost-effective solution
Managing Streaming Video
• Sites such as YouTube
  – blocking the site might work, but the best answer could be to limit the bandwidth
• Create a policy to limit streaming video
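What "limit rather than block" means on the wire, as an added example that is not code from the original presentation or from any product: a token-bucket shaper applied to one application class (streaming video) while other classes pass untouched. The packet trace, the 250 kB/s rate and the 500 kB burst are constructed assumptions; a real shaper queues packets rather than dropping them, which is omitted here to keep the example short.

```python
"""Token-bucket rate limiting of one application class while other traffic passes.

Added example: the trace, rates and burst size are constructed assumptions.
"""


class TokenBucket:
    """Classic token bucket: tokens refill at `rate` bytes/s up to `burst` bytes."""

    def __init__(self, rate, burst):
        self.rate, self.capacity = rate, burst
        self.tokens, self.last = burst, 0.0   # start full so short bursts are not penalised

    def allow(self, now, size):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def shape(packets, limits):
    """packets: iterable of (timestamp_s, app, size_bytes) in time order.
    limits: {app: (rate_bytes_per_s, burst_bytes)}; apps without a limit are forwarded unchanged.
    Returns (forwarded, dropped) lists of packets."""
    buckets = {app: TokenBucket(rate, burst) for app, (rate, burst) in limits.items()}
    forwarded, dropped = [], []
    for pkt in packets:
        ts, app, size = pkt
        bucket = buckets.get(app)
        (forwarded if bucket is None or bucket.allow(ts, size) else dropped).append(pkt)
    return forwarded, dropped


def sample_trace():
    """Constructed 2-second trace: a video stream at 1.5 MB/s plus a light web session."""
    video = [(i / 1000, "streaming-video", 1500) for i in range(2000)]   # 1500 B every 1 ms
    web = [(i / 20, "web-browsing", 600) for i in range(40)]             # 600 B every 50 ms
    return sorted(video + web)


def app_bytes(packets, app):
    return sum(size for _, a, size in packets if a == app)


LIMITS = {"streaming-video": (250_000, 500_000)}   # assumed policy: 250 kB/s with a 500 kB burst


if __name__ == "__main__":
    fwd, drp = shape(sample_trace(), LIMITS)
    for app in ("streaming-video", "web-browsing"):
        print("%-16s forwarded %8d B  dropped %8d B" % (app, app_bytes(fwd, app), app_bytes(drp, app)))
```

Over the two-second trace the video stream offers 3 MB but only the burst plus two seconds of the configured rate (about 1 MB) gets through, while every web packet is forwarded. In a deployment the bucket is keyed per user or per group and scheduled (lunch break versus lecture hours), matching the "by user or group, with exceptions" and "by schedule" controls listed earlier.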
Directory Integration
• Users are no longer defined solely by IP address
• Manage and enforce policy based on user and/or AD group
• Understand user application and threat behaviour based on AD/LDAP identity
Topology #1: Many-to-One Datacenter
• Protect servers from the outside
• IPS is performed here
• Focusing on known malicious traffic
Topology #2: Many-to-Many External
• Protect users surfing the Internet
• Outbound protection
• Control application usage
• Shape user bandwidth
Topology #3: Many-to-Many Internal LAN
• Concept for internal protection
• Users to datacenter / server farms
• Protect servers from malware infections spreading from users
• Restrict user access
Best Practices
• First, identify and block all "bad" applications
• Second, safely enable all "good" applications
• Solid research and support: fast deployment of new protections
• Sustained high-performance firewall + IPS platform
System Integrator vs. MSSP
System Integrator:
• Hardware ownership
  – CPE (customer premises equipment)
• One-time implementation
• MA provided
MSSP:
• Low cost of ownership
  – As-a-service
• One-time implementation
• Device management
Difference:
• MA provided
• Admin maintenance
• Device management
• Security monitoring
• Security analyst
• Proactive maintenance
• Aligned with SLA
Summary: Benefits of NGFW
• All-in-one functionality
• Greater visibility and control
• Simplified management
• Better security
• Lower total cost of ownership