ngfw overview

Dell SonicWALL Next Generation Firewall Workshop

Upload: motty-ben-atia

Post on 19-May-2015


TRANSCRIPT

Page 1: Ngfw overview

Dell SonicWALL Next Generation Firewall Workshop

Page 2: Ngfw overview

SonicWALL Confidential

Dell SonicWALL’s legacy

Timeline years: 1991, 1996, 2005, 2007, 2010, 2011, 2012

Milestones:

• Founded
• Became leading provider of subscription services on optimized appliances
• Became the leader in unit share for Unified Threat Management Firewall appliances
• Shipped one million appliances worldwide
• Named to Visionaries Quadrant, Gartner Magic Quadrant for SSL VPN
• Thoma Bravo and SonicWall entered into a partnership
• Positioned as “Leader” in Gartner UTM Magic Quadrant
• Positioned as “Visionary” in Gartner SSL VPN Magic Quadrant
• Announced SuperMassive™ E10000 Series
• SNWL Earns NSS Labs Recommended Rating for NGFW SVM
• Shipped two million appliances worldwide
• 5/9: Joined the Dell family

Page 3: Ngfw overview

Magic Quadrant Unified Threat Management

Dell SonicWALL in Leaders Quadrant

By John Pescatore, Greg Young

[Figure: Magic Quadrant for Unified Threat Management, as of March 5, 2012. Axes: ability to execute, completeness of vision. Quadrants: challengers, leaders, niche players, visionaries. Vendors shown: Dell SonicWALL, Fortinet, Check Point Software Technologies, WatchGuard, Sophos (Astaro), Cyberoam, Netasq, Cisco, Juniper Networks, Netgear, Trustwave, gateProtect, Clavister, Kerio Technologies.]

Dell Vendor Profile Excerpted from MQ:

Strengths
• Dell has strong global partner and MSSP support.
• Dell SonicWALL is well-known in the UTM space and appears frequently on Gartner client short lists.
• The graphical elements of SonicWALL's management interface are consistently highly rated.
• SonicWALL's release of new features has kept up with midmarket needs, and has been matched by usability enhancements.

Cautions
• SonicWALL's push into the high end with SuperMassive may divert resources and focus from the UTM market.
• SonicWALL does not offer a virtual appliance for the UTM space.

Page 4: Ngfw overview


2013 The NSS Security Value Map

Page 5: Ngfw overview

Dell Connected Security

• 38B security events analyzed daily
• 1m devices WW reporting on 40m users
• 638B intrusions prevented in 2011
• $14 trillion in assets protected daily
• 40,000 new malware samples analyzed every day
• 4.2B malware attacks blocked in 2011
• Data encrypted and protected on 7m devices

Dell SonicWALL, Dell Secureworks, Dell Credant, Dell Kace, Dell Quest

Dell is firmly committed to providing end-to-end IT solutions that enable customers to grow and thrive. This includes continuous protection of customers' data, applications, systems and networks.

Page 6: Ngfw overview

Dell SonicWALL product portfolio

Portfolio areas: Network security, Secure remote access, Email security, Policy & management, Hosted

Products and services shown:

• Clean wireless – SonicPoint-N Series
• WAN acceleration
• Application Intelligence and Control
• GAV/Anti-Spyware
• Intrusion Prevention
• Comprehensive Anti-Spam Service
• Enforced Client Anti-Virus
• Content Filtering Service
• Global VPN Client
• SSL VPN For Network Security
• Secure Virtual Assist
• Mobile Connect
• End Point Control
• Connect Mobile
• Spike License Pack
• Advanced Reporting
• Native Access Module
• Secure Virtual Assist
• Secure Virtual Access
• Secure Virtual Meeting
• Mobile Connect
• Web Application Firewall
• Email Protection
• Email Anti-Virus
• Email Compliance
• Global Management System
• Analyzer
• Scrutinizer

Page 7: Ngfw overview

Dell SonicWALL Next-Gen Firewalls

• SuperMassive E10000 & 9000 Series: data centers, ISPs
– E10200, E10400, E10800
– 9600, 9400, 9200

• E-Class NSA Series: medium to large organizations
– NSA E8510, NSA E8500, NSA E6500, NSA E5500

• NSA Series: branch offices and medium sized organizations
– NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2400, NSA 250M, NSA 220

• TZ Series: small and remote offices
– TZ 215, TZ 205, TZ 105

Page 8: Ngfw overview

Dell SonicWALL Next Generation Firewalls

Segments: SMB/Campus/Branch; Enterprise, Data Center

• SuperMassive Series: SuperMassive E10800, SuperMassive E10400, SuperMassive 9600, SuperMassive 9400, SuperMassive 9200
• NSA Series: NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600, NSA 220/250M
• TZ Series: TZ 215/W, TZ 205/W, TZ 105/W

Page 9: Ngfw overview

E-Class Series Certifications

• FIPS 140-2
• Common Criteria EAL4+
• ICSA Firewall
• ICSA Enterprise Firewall (IPv6, High Availability, VoIP)
• IPv6 Phase 1
• IPv6 Phase 2
• NSS Recommended NGFW (E10800 based on the same security engine)

Page 10: Ngfw overview

Dell SonicWALL Next Generation Firewall Architecture

Scan Everything – Every bit, every protocol, every user & application

Page 11: Ngfw overview


NGFW Orientation – SPI vs. DPI

Stateful Packet Inspection

Page 12: Ngfw overview


NGFW Orientation – SPI vs. DPI

Deep Packet Inspection

Page 13: Ngfw overview

Next Generation Firewall Technology

1. Stateful Packet Inspection

2. Intrusion Prevention
– The front-line network defense against application attacks

3. Application Identification & Visualization
– Can’t control what you can’t see

4. User Identification through Single Sign On (SSO)
– Correlate network traffic with users

5. Application Control
– Granular control (Allow Facebook, Block Social Gaming)

6. SSL Decryption
– Don’t allow threats to tunnel through encrypted channels

7. Threat Prevention
– Anti-X (Virus/Trojan/Malware)

Side label: Deep Packet Inspection

Page 14: Ngfw overview

Application Intelligence, Control and Visualization

Application Chaos: So many on Port 80
• Critical Apps: Prioritized Bandwidth
• Acceptable Apps: Managed Bandwidth
• Unacceptable Apps: Blocked

Identify
• By Application - Not by Port & Protocol
• By User/Group - Not by IP
• By Content Inspection - Not by Filename

Categorize
• By Application
• By Application Category
• By Destination
• By Content
• By User/Group

Control
• Prioritize Apps by Policy
• Manage Apps by Policy
• Block Apps by Policy
• Detect and Block Malware
• Detect & Prevent Intrusion Attempts

Diagram labels: Users/Groups, Ingress, Egress, Policy, Visualize & Manage Policy, Cloud-Based Extra-Firewall Intelligence, Malware Blocked, Visualization

Massively Scalable Next-Generation Security Platform: High Performance Multi-Core Re-Assembly Free DPI

Page 15: Ngfw overview

Policy

Application intelligence, control and visualization

Identify Categorize Control

Process Visualization

Page 16: Ngfw overview

Network Traffic Visualization

• Real-time Traffic Breakdown
• User Traffic Consumption
• Identify P2P Traffic
• Bandwidth Breakdown
• App Traffic Drilldown

Page 17: Ngfw overview

Identify and Control Applications

Application Library with over 3800 unique Application Uses

Granular Control
• Allow Facebook, Block Farmville
• Allow Chat, Block File Transfer
– Group/User Based
– Schedule Based
– Exceptions

Page 18: Ngfw overview


Dashboard->Real-Time monitor

Page 19: Ngfw overview

(SonicOS 5.9) Enhanced Logging

New to view, categorize and filter

Page 20: Ngfw overview


Application Control

Page 21: Ngfw overview

NGFW Features - DPI-SSL

Page 22: Ngfw overview


RFDPI Engine with DPI-SSL

RFDPI Engine

Incoming SSL Session Handling

Ultra-Scalable TCP Stack

Decryption

Re-Encryption

Outgoing SSL Session Handling

SSL Stream out

SSL Stream in

Page 23: Ngfw overview

SSL Decryption (DPI SSL) Details

• Does not rely on a proxy configuration
• Can inspect all SSL sessions on all ports independently of the protocol (HTTPS, IM SSL, POP3 over SSL, etc…)
• Scans both SSL encrypted and decrypted data
• Can inject content such as block pages
• Client Side DPI-SSL Security Services
– Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Application Firewall, Content Filtering
• Server Side DPI-SSL Security Services
– Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Application Firewall
• Optional: decrypted traffic can be sent directly to the server after DPI inspection. Benefit: SSL Offloading

Page 24: Ngfw overview

NGFW Features - SSO

Page 25: Ngfw overview

Single Sign-On Overview

• SSO is a transparent user authentication that provides access to network resources with a single login.

User Workstation

Authorized

passwrd123

No need for additional authentication!

Access Rules

Security Services

Page 26: Ngfw overview


SonicWALL SSO Agent

Page 27: Ngfw overview

Security Services

Page 28: Ngfw overview

SonicWALL On-Board DPI Security Services

• Intrusion Prevention
• Gateway Anti-Virus
• Gateway Anti-Spyware
• Cloud-AV
• Content/URL Filtering
• DPI SSL (SSL Inspection)
• Application Intelligence & Control
• Application Visualization
• Comprehensive Anti-Spam

Page 29: Ngfw overview

RFDPI based Gateway Anti-Virus

Reassembly-free Gateway Anti-Virus scanning based on Deep Packet Inspection technology

[Figure: RFDPI based Gateway Anti-Virus. Protocol labels: HTTP, SMTP, POP3, IMAP, FTP. Other labels: Packet, Start stage, TCP Stream, Protocol State Machine, E-Mail Format Decoding, Reassembly-free Base64 decoding, Decompression, Reassembly-free deflate decompression, Reassembly-free ZIP decompression, Reassembly-free GZIP decompression, Scanning, Prevention, Anti-Virus Prevention Response.]

Copyright 2010 SonicWALL Inc. All Rights Reserved

Page 30: Ngfw overview

Content Filtering Service Overview

• Database in the cloud (millions of URLs rated)
• Hardware- and OS-independent
• Simple implementation
• Granular control: 64 categories
• GMS and Analyzer integration (reporting)

Page 31: Ngfw overview

VPN

Page 32: Ngfw overview

Route Based IPSec VPN

• Tunnel Interface: A Tunnel Interface can be defined between the two end-points of the tunnel. Static routes will be used to route traffic through the tunnel interface.

• Note: The Tunnel Interface must be bound to a physical interface and the IP address of that physical interface is used as the source address of the tunneled packet.

Page 33: Ngfw overview


SSL VPN

Page 34: Ngfw overview

Using All The Cores

Increase SSL-VPN Sessions

Model             Old    New
NSA E8510         n/a    1,500/5000*
NSA E8500         50     1,500/5000*
NSA E7500         50     1,000/5000*
NSA E6500         50     750
NSA E5500         50     500
NSA 5000          30     350
NSA 4500          30     350
NSA 3500          30     250
NSA 2400          25     125
NSA 250           15     50
NSA 220           15     50
TZ 215            10     25
TZ 210 / 210W     10     25
TZ 200 / 200W     10     10
TZ 100 / 100W     5      5

Page 35: Ngfw overview

Mobile Connect for iOS/Android

• Dell Aventail E-Class SRA Appliances
• Dell SonicWALL SRA Appliances
• Dell SonicWALL Next-Generation Firewalls

Step 1: Download Mobile Connect

Step 2: Install Mobile Connect

Step 3: Configure SSL VPN Connection

Page 36: Ngfw overview

Deployment Scenarios

Page 37: Ngfw overview

Top Deployments

1. Traditional NAT Gateway with Security & Remote Access

2. High Availability Modes
– Active/Passive with State Synchronization
– Active/Active DPI with State Synchronization
– Active/Active Clustering

3. In-Line Deployments: Wire mode or Layer 2 Bridge Mode, Tap Mode
– Easy Network Insertion, no network re-numbering

4. “Clean Wireless” Deployment
– Firewall as a wireless controller
– DPI on all wireless traffic

5. “CleanVPN” Deployment
– Firewall as a VPN Concentrator
– DPI on all incoming VPN traffic

6. VPN Concentrator for Distributed Enterprise
– Global Management System (GMS) to provision and manage branch offices
– Connectivity through central SuperMassive or E-Class NSA firewall
– All security done at the central site

7. Network Segmentation (Security Zones)
– Network Segmentation via VLAN & Security Zones
– Different Security policies for each Security Zone

Page 38: Ngfw overview

Medium/Large Network Deployment with DPI Security

• Requirements
– Layered security
– Levels of trust created via defining zones.
– Gateway Firewalls between zones.
– Context-aware security
– Enforce global Policy based on context (user, location, access method, Device, etc)
– Application-aware Security
– Mitigate Advanced persistent threats
– Orchestrated Security management
– Workload Virtualization introduces Virtual Access Layer
– Need security functions like physical layer

• Security Functions
– ACLs, Firewalls, IDS/IPS
– host-based security (HIPS, Vulnerability Scanning)
– Email Security
– Anti-Spyware
– Secure Remote Access
– SIEM/Log Monitoring

[Figure: network layers. Labels: Virtual Access, Core, WAN, Aggregation, Access; Firewall, IDS/IPS, Gateway services, …; NSA Series.]

• Security required at each layer to achieve global protection
• Virtual Access layer requires security enforcement within virtual environment

Page 39: Ngfw overview

NGFW Wire & L2 Bridge Mode Deployment

NGFW insertion into a network with an existing gateway firewall

Layer 2 Bridge or Wire Mode Deployment

Discover application usage & threats leaking through the traditional firewall

Before After

Page 40: Ngfw overview

Flexible Wire Mode Deployment

Modes: Bypass, Inspect, Secure

Allows for the quick and relatively non-interruptive introduction of SuperMassive into a network (i.e., between a core switch and a perimeter firewall, in front of a VM server farm, at a transition point between data classification domains).

Inspect Mode provides full visibility & low- risk, zero- latency packet path.

Secure Mode is the progression of Inspect Mode, actively interposing active control into the packet processing path.

Page 41: Ngfw overview


Page 42: Ngfw overview


Application Visualization Report

Detailed application report for offline report generation

Visualization database uploaded to www.mysonicwall.com

Report provides risk assessment, applications, bandwidth, vulnerabilities, URLs, etc