Watch guard solution (54 pages)

Upload: laonap166, posted 23-Jan-2018

TRANSCRIPT

Page 1: Watch guard solution

Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved

WatchGuard Solutions

Daniel Phuan

Senior Principal Consultant, SEA


Page 2: Watch guard solution

Next Generation Firewall

Based on Gartner definition:

Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.

Page 3: Watch guard solution

UTM

First used by IDC:

Unified Threat Management (UTM) is a category of security appliances which integrates a range of security features into a single appliance. UTM appliances combine firewall, gateway anti-virus, and intrusion detection and prevention capabilities into a single platform.

Page 4: Watch guard solution


WatchGuard Technologies

UTM vs. NGFW


Page 5: Watch guard solution

FEATURES

Myth: NGFW has more security features than UTM

UTM is always NGFW

UTM:

• SpamBlocker
• WebBlocker
• Packet Filtering
• Gateway AV
• Reputation Enabled Defense

NGFW:

• Application Control
• Intrusion Prevention Service (IPS)

Page 6: Watch guard solution

SECURITY EFFICACY

Myth: NGFW blocks more threats than UTM

Threat                  NGFW   UTM
Spam Attack             X
Inappropriate Content   X
Virus Attack            X
Reputation Blocking     X
Application Traffic
Intrusion Attack

(Only the X marks survived extraction; the check marks of the original slide did not.)

Page 7: Watch guard solution


MARKET SEGMENT

Myth: UTM is SMB only, NGFW is Enterprise

SMB Enterprise

Page 8: Watch guard solution

WHAT IS REALLY IMPORTANT?

Deployable – Can I get the right technology implemented in time?

Usability – Can my team actually use the tools?

Visibility (Reportability) – Can I see what's going on?

Performance – Can I use this without negative impacts on the business?

Efficacy – Will the technology protect the network?

Page 9: Watch guard solution

Defense in Depth Vs. the Cyber KillChain

Kill chain stages:

• Reconnaissance
• Delivery
• Compromise/Exploit
• Infection/Installation
• Command and Control (C&C)
• Lateral Movement / Pivoting
• Objectives/Exfiltration

Defense layers:

• Firewall
• Intrusion Prevention System
• AntiVirus
• AntiSpam
• Reputation Services
• APT Protection

The more layers of security you have, the higher chance an additional protection might catch an advanced threat that other layers might miss.

Page 10: Watch guard solution

WatchGuard Breaks the KillChain

Kill chain stages: Reconnaissance, Delivery, Compromise/Exploit, Infection/Installation, Command and Control (C&C), Lateral Movement / Pivoting, Objectives/Exfiltration

[Diagram: WatchGuard services placed against each stage – Packet Filtering, Proxies, IPS, APT Blocker, Gateway AntiVirus, WebBlocker, DLP, Application Control and Reputation Enabled Defense; the per-stage placement did not survive extraction.]

Page 11: Watch guard solution

Core UTM - Use Cases

• Keep the bad guys out
• Secure Internet Communication (VPN)
• Monitor and enforce acceptable usage policy
• Easy, secure wireless with firewall
• Enterprise Deployment
• Compliance

Page 12: Watch guard solution

The Rise of Ransomware

Ransomware is a form of computer malware that restricts access to your computer and/or its information, while demanding you pay a ransom to regain access.

Ransomware's rise started in 2013:

• Cryptolocker
• CTB-Locker
• CryptoWall

Source: McAfee 2015

Page 13: Watch guard solution


Ransomware plagues small business

Cryptowall 4.0 is delivered by fake e-mail


Page 14: Watch guard solution


Which of the following help to stop Ransomware?


A. APT Blocker

B. Webblocker

C. spamBlocker

D. Gateway AntiVirus

E. Application Control

Page 15: Watch guard solution

Stop Ransomware?

• Webblocker & RED – Malware categories keep users from dangerous sites
• Intrusion Prevention Service (IPS) – Sometimes prevents exploits that push ransomware
• Gateway Antivirus (GAV) – Sometimes detects and blocks ransomware (often misses new variants)
• WebBlocker (C&C) – C&C categories may block or detect infected systems
• APT Blocker – Best way to catch new, ever-evolving ransomware

Page 16: Watch guard solution

The Application Proxy

An Application Proxy checks Source IP, Destination IP, Port, Protocol. If a matching rule (or service) is found, the proxy then performs deep inspection on the content of the packet, including application layer data.

Packet Reassembly – since 1996

This is the key to finding threats that OTHER FIREWALLS MISS!

Page 17: Watch guard solution


Things you can do with a proxy


Enforce SafeSearch in all major search engines

Enforce YouTube for Schools

Prohibit the use of older, insecure protocols SSLv2, SSLv3

Prevent the download of .exe files

Restrict e-mail message sizes, URL path lengths

Prevent BotNets from using DNS to communicate

Security inspection of VoIP Traffic

Page 18: Watch guard solution

IPS

2000+ Signatures

• Buffer Overflow
• SQL Injection
• Cross-Site Scripting
• DoS / DDoS

Page 19: Watch guard solution

How good is our IPS?

Enterprise Class Security for Small and Medium Business

Page 20: Watch guard solution


Webblocker


Screenshot from Dimension Demo

130 Categories

20 for Security

Page 21: Watch guard solution

Application Control

Block insecure applications and categories

Examples:

• Tor
• Bittorrent
• eMule
• Crypto adminx

Page 22: Watch guard solution

APT Blocker

1. Inspect File
2. GAV Scan
3. Check MD5 locally
4. Check MD5 in cloud
5. Full System Emulation in sandbox
6. Alert if malware is identified.
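Added example, not WatchGuard code: the six-step cascade above written as a small Python pipeline, with constructed stand-ins for the GAV signature set, the cloud MD5 service and the sandbox. It shows why the order matters: the cheap signature and hash checks resolve files that are already known, and only unknown files reach the expensive sandbox, whose verdict is then cached locally for step 3.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-ins for the six stages on the slide. Not WatchGuard code:
# the signature set, the "cloud" and the "sandbox" are toys that run offline.

# Stage 2 stand-in: a GAV signature scan, modelled as a byte-pattern match.
GAV_SIGNATURES = {b"KNOWN-BAD-PAYLOAD": "Trojan.Constructed.A"}

# Stage 4 stand-in: a cloud MD5 reputation service, modelled as a dict.
CLOUD_MD5_VERDICTS: Dict[str, str] = {
    hashlib.md5(b"seen-before-by-the-cloud").hexdigest(): "malware",
}

def gav_scan(data: bytes) -> Optional[str]:
    """Return the signature name if a known pattern is present."""
    for pattern, name in GAV_SIGNATURES.items():
        if pattern in data:
            return name
    return None

def sandbox_detonate(data: bytes) -> str:
    """Stage 5 stand-in: full-system emulation replaced by one constructed
    behavioural rule (the sample 'tries' to encrypt documents)."""
    return "malware" if b"encrypt-all-documents" in data else "clean"

class AptBlockerCascade:
    """Runs stages 1-6 in order and stops at the first definitive verdict.
    local_cache is stage 3: verdicts learned from the cloud or the sandbox
    are stored so the same file is never detonated twice."""

    def __init__(self, cloud: Dict[str, str], sandbox: Callable[[bytes], str]):
        self.cloud = cloud
        self.sandbox = sandbox
        self.local_cache: Dict[str, str] = {}
        self.sandbox_runs = 0

    def inspect(self, data: bytes) -> Tuple[str, str]:
        """Return (verdict, deciding_stage) for one file's bytes."""
        digest = hashlib.md5(data).hexdigest()      # stage 1: hash the file
        sig = gav_scan(data)                         # stage 2: signature scan
        if sig:
            return "malware", "gav:" + sig
        if digest in self.local_cache:               # stage 3: local MD5 cache
            return self.local_cache[digest], "local-md5"
        if digest in self.cloud:                     # stage 4: cloud MD5 lookup
            self.local_cache[digest] = self.cloud[digest]
            return self.cloud[digest], "cloud-md5"
        # Stages 3-4 only recognise exact, already-seen files; any byte change
        # gives a new MD5, so new variants fall through to the sandbox.
        self.sandbox_runs += 1                       # stage 5: emulate unknowns
        verdict = self.sandbox(data)
        self.local_cache[digest] = verdict
        return verdict, "sandbox"                    # stage 6: caller alerts on "malware"
```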

Page 23: Watch guard solution

APT Blocker

Industry leader in NSS Labs Breach Detection report

Page 24: Watch guard solution

What % of people check their social media profiles from their work computers?

A. 36%

B. 52%

C. 77%

D. 93%

Page 25: Watch guard solution


Page 26: Watch guard solution


Application Control


1800 Applications

18 Categories

Page 27: Watch guard solution


Traffic Management


Quality of Service

Traffic Shaping

Quotas

– Users or Groups

– Mb per day

– Minutes per day

Page 28: Watch guard solution


Webblocker


Page 29: Watch guard solution

Virtual Private Network (VPN)

"WatchGuard is the go to solution for always on, always available VPN connections."
- Kelly Keeton, Sr. Network Engineer, NCA

Branch Office (BOVPN) (Site to Site): IPSec VPN Connections – Connecting Offices

Mobile VPN: SSL; IPSec, L2TP, PPTP – Windows, Mac, Android, iOS – Remote Users

Page 30: Watch guard solution

How Can WatchGuard Block Malvertising?

• Webblocker & RED – Malware categories keep users from malvertising sites
• Intrusion Prevention Service (IPS) – Can prevent exploits pushing drive-by downloads
• Gateway Antivirus (GAV) – Sometimes detects and blocks malware from malvertising sites
• APT Blocker – Can catch the latest malvertising payloads
• HTTPS Deep Inspection – Finds threats in encrypted web traffic

Page 31: Watch guard solution

How Does WatchGuard Help with IoT?

• UTM Defense – Network security tools are device agnostic
• Secure APs – Our APs bring UTM defenses to the wireless network.

Page 32: Watch guard solution

How Does WatchGuard Mitigate Data Breaches?

• UTM Defense – Different security layers prevent different threats
• DLP – DLP helps recognize and block attackers exfiltrating data
• Dimension – Visibility tools help you recognize unusual activity in your network

Page 33: Watch guard solution

DLP

Over 200 predefined rules for sensitive and personally identifiable information:

– Government ID numbers (e.g. SSN)
– Bank account numbers
– Health care records
– Confidential document markers

Predefined sensors for PCI and HIPAA compliance

Personally Identifiable Information (PII) detection for 20 countries

Page 34: Watch guard solution


DLP


Page 35: Watch guard solution


DLP in Dimension


Page 36: Watch guard solution

The Value of UTM

Unified Threat Management (UTM) solutions combine a variety of must-have network security solutions into one easy to deploy and manage solution.

Components: Firewall, Packet Filtering, Intrusion Prevention Services (IPS), Gateway AntiVirus, SPAM Protection, URL Filtering, Application Control, Data Loss Prevention (DLP), Advanced Malware Protection

Fewer appliances. Configure Once. Manage Centrally.

Page 37: Watch guard solution

The Value of UTM

Unified Threat Management (UTM) solutions combine a variety of must-have network security solutions into one easy to deploy and manage solution.

Components: Firewall, Packet Filtering, Intrusion Prevention Services (IPS), Gateway AntiVirus, SPAM Protection, URL Filtering, Application Control, Data Loss Prevention (DLP), Advanced Malware Protection

Centralized Management. Complete Network Visibility.

Page 38: Watch guard solution


Dimension Threat Visibility


Page 39: Watch guard solution


What is Visibility?

Page 40: Watch guard solution

Global Threat Landscape: Incidents Rising

[Chart: total malicious programs found in the wild, 2011–2016, per AV-TEST; bar labels of 70 million, 95 million, 185 million, 320 million, 475 million and 490 million]

390,000 NEW MALICIOUS PROGRAMS EVERY DAY

The total number of malicious programs found in the wild will surpass the half-billion milestone this year, according to AV-TEST.

https://www.av-test.org/en/statistics/malware/

Page 41: Watch guard solution

Global Threat Landscape: Detection Slowing

2013 – Avg. 80 days to detection.

The Year of the Mega Breach, 2014 – Avg. 6 months to detection.

Cost of Data Breach Study, 2015 – Avg. 8.5 months to detection.

Page 42: Watch guard solution


Why the Delay in Detection?


Page 43: Watch guard solution

We're Drowning in Oceans of Logs

How do you identify key incidents in millions of lines of logs?

• Variety of logs to filter through
• Neiman Marcus - ~60k security alerts

IT and security staff cannot get their job done:

• Little understanding of normal network traffic (baseline)
• Inability to make proper policy decisions
• Can't find big or small trends
• Resourcing constraints

Page 44: Watch guard solution

Security Events Lost in Logs

[Chart: share of respondents who collect logs, review logs regularly, and are confident in finding security trends; values shown: 97%, 14%, 44%]

https://www.sans.org/reading-room/whitepapers/analyst/ninth-log-management-survey-report-35497

Page 45: Watch guard solution


It Doesn’t Have to Be This Way!


Page 46: Watch guard solution


Business leaders are using new tools to analyze data and run their companies…

You need the same for security!

Find Patterns, Make Better Decisions

Page 47: Watch guard solution

Find Patterns, Make Better Decisions

WatchGuard offers an array of tools, providing:

• Deep Visibility: Don't think. Know!
• Rich Reporting: C-Level CliffsNotes.
• Granular Control: Surgical policy precision.
• Ease of Use: Brilliantly simple management.

Page 48: Watch guard solution

Dimension provides full-scope threat visibility

Identify and distill key network security threats and anomalies in real-time in order to track, manage, and report on the security of your network.

Page 49: Watch guard solution

Not just visibility, but also control

Translate visibility into immediate action, right from the dashboard, with integrated, granular security configuration features.

HUB AND SPOKE VPN – Creating and managing secure connections to your branch offices has never been easier.

ADD TO BLOCK LIST – Block clients or domains instantly without leaving the dashboard.

RESTORE TO PREVIOUS CONFIGURATIONS – Easily jump back to previous versions of the firewall configuration.

Page 50: Watch guard solution

Customer Success

"We saw a denial of service attack hit the firewall before we could even get through to our ISP to find out what they were going to do about it." - Stephen Coombes, Technical Director, Lytchett Minster

"It is easier to find faults, to do reports on what users demand … That is a massive improvement for us." - Matt Pollard, Senior Analyst, Abertay University

"We now have the visibility to pinpoint very quickly where there is excessive traffic, by AP, Wi-Fi user, wired user, by protocol or port." - Fahyaz Khan, IT Manager, Kensington Close Hotel

"I look at the dashboards every day. It is up on my screen and it gives me real-time visibility to the bandwidth usage at each one of our 43 sites." - Jeff Crossley, Systems Engineer, Anthem College

Page 51: Watch guard solution

WatchGuard Solutions

WatchGuard provides enterprise-grade visibility solutions enabling businesses to fully leverage the effectiveness and value provided by our enterprise-grade devices.

Firebox T-series | Firebox M-series | Wireless APs

Dimension | Fireware Web UI | WSM

Page 52: Watch guard solution

The WatchGuard Difference

• Enterprise-Grade – Best-in-class security services without the cost or complexity.
• Simplicity – Easy and straight-forward to configure, deploy, and centrally manage.
• Top UTM Performance – Fastest UTM performance at all price points.
• Threat Visibility – Full network visibility with the power to take action immediately.
• Future-Proof – The quickest access to new and improved security services.

Page 53: Watch guard solution

WatchGuard's Suite of UTM & NGFW Solutions

The strongest UTM performance at all price points – delivering a solution for organizations of all sizes.

• Firebox® T10: Small office/home office and small retail environments
• Firebox® T30 & T50: Small offices, branch offices and wireless hotspots
• Firebox® M200 & M300: Small and Mid-sized businesses
• Firebox® M400 & M500: Mid-sized businesses and distributed enterprises
• Firebox® M440: Multi port option
• Firebox® M4600: Distributed enterprises
• Firebox® M5600: Large enterprises and corporate data centers
• Virtual Firewall: Four virtual software license versions with full UTM features

Software Scalability: Single version of WatchGuard Fireware® OS runs on all solutions, including virtual.

Instant Visibility: WatchGuard's award-winning threat visibility platform, Dimension, comes standard on every appliance.

Scalable Wi-Fi: WatchGuard tabletop appliances offer built-in Wi-Fi capabilities; in addition, every WatchGuard appliance has a built-in wireless gateway controller – making Wi-Fi expansion and centralized management a breeze.

Centralized Management: Every appliance comes with built-in features to expedite deployment and simplify ongoing network and appliance management.

Page 54: Watch guard solution


THANK YOU