why it’s time to upgrade to a next-generation firewall eric crutchlow senior product manager
TRANSCRIPT
Why It’s Time to Upgrade to a Next-Generation Firewall
Eric CrutchlowSenior Product Manager
Why It’s Time to Upgrade to a Next-Generation Firewall
Eric CrutchlowSenior Product Manager, Network Security
Global Marketing
Can your firewall tell you …
Global Marketing
“Something came in over port 80. Do you know what it is?”
“What is your social media presence/exposure?”
Can your firewall tell you …
Global Marketing
“Something came in over port 80. Do you know what it is?”
“What is your social media presence/exposure?”
“What are you allowing outbound from your network?
Can your firewall tell you …
Global Marketing
“Something came in over port 80. Do you know what it is?”
“What is your social media presence/exposure?”
“What are you allowing outbound from your network?… over SSL?
Can your firewall tell you …
Global Marketing
“Something came in over port 80. Do you know what it is?”
“What is your social media presence/exposure?”
“What are you allowing outbound from your network?… over SSL?
“What portion of your bandwidth is consumed by video?”
Can your firewall tell you …
“Is anyone playing social or other browser games?
Global Marketing
“Something came in over port 80. Do you know what it is?”
“What is your social media presence/exposure?”
“What are you allowing outbound from your network?… over SSL?
“What portion of your bandwidth is consumed by video?”
“Is there P2P traffic on your network?”
Can your firewall tell you …
“Is anyone playing social or other browser games?
Global Marketing
What Are Your Employees Doing?
• Blogging
• IM
• Streaming Video
• Streaming Music
• Browser Games
25% of office Internet traffic is non-business related
50% of surveyed companies said at least 30% of their
bandwidth is being consumed by social networking traffic
BANDWIDTH COST PRODUCTIVITY
Global Marketing
“Bad?” “Good?”
Application ChaosSo many on Port 80
What’s On Your Network?
Application Chaos
Port 80/443
SSL Traffic
Global Marketing
SECURITY: Malware Continues to Thrive
Financial GainZeus Botnet
Verizon Business RISK report 2011
$$
“Beyond financial” GoalsDuqu, Aurora, Stuxnet
Global Marketing
Small Networks, Large Targets
http://online.wsj.com/article/SB10001424052702304567604576454173706460768.html
http://on.wsj.com/pSk2Nn
Global Marketing
Small Malware, Large Networks
Lockheed Martin/RSA Breach 2011
Recruitment Plan 2011.xls
http://blogs.rsa.com/rivner/anatomy-of-an-attack/APT = Advanced Persistent Threat
Global Marketing
Small Malware, Large Networks
Lockheed Martin/RSA Breach 2011
http://blogs.rsa.com/rivner/anatomy-of-an-attack/APT = Advanced Persistent Threat
Spear Phishing Email Exploits Flash Drops in an APT
Exfiltrates RSA Token data Lockheed Martin Breach
Recruitment Plan 2011.xls
Global Marketing
Can Your Firewall See the Threats?
http://www.zdnet.com/blog/security/another-day-another-adobe-pdf-reader-security-hole/7693
Attack Vectors Through Seemingly Safe Applications
Global Marketing
Can Your Firewall See the Threats?
http://www.zdnet.com/blog/security/another-day-another-adobe-pdf-reader-security-hole/7693
http://glanceworld.com/the-worst-security-flaw-in-adobe-download-manager.html
Attack Vectors Through Seemingly Safe Applications
Global Marketing
Why Do These Problems Persist?
Spear-Phishing
PhishingFlash 0-Day
Vulnerability
PDF Vulnerability
Threats over uncommon ports
User Education
Hijacked Ad Servers
Browser Vulnerability
Hidden traffic in SSL
Excel Exploit
Global Marketing
Why Do These Problems Persist?
Spear-Phishing
PhishingFlash 0-Day
Vulnerability
PDF Vulnerability
Threats over uncommon ports
User Education
Hijacked Ad Servers
Browser Vulnerability
Hidden traffic in SSL
Excel Exploit
Global Marketing
• INTRUSION PREVENTION• SSL DECRYPTION• SCAN ALL TRAFFIC
SECURITY
Global Marketing20
SECURITY
• FINGERPRINT APPLICATIONS• IDENTIFY USERS• VISUALIZE TRAFFIC
APPLICATION AWARENESS
SonicWALL 2011 All Rights Reserved
Global Marketing21
SECURITY
APPLICATION AWARENESS
• HIGH THROUGHPUT• NO LATENCY• ANY SIZE NETWORK
PERFORMANCE
SonicWALL 2011 All Rights Reserved
Global Marketing
What is a Next-Generation Firewall
• Stateful Inspection• Intrusion Prevention• Application Control• SSL Decryption/Inspection
NGFW FEATURES
Global Marketing
What is a Next-Generation Firewall
• Stateful Inspection• Intrusion Prevention• Application Control• SSL Decryption/Inspection
“By year-end 2014 [Next Generation Firewalls] will rise to 35% of the installed base, with 60% of new purchases being NGFWs.”
- Gartner NGFW Research Note
NGFW FEATURES
Global Marketing
Application Traffic Visualization
Global Marketing
Network Analysis Tools
Do I have P2P on my Network?
Global Marketing
Network Analysis Tools
Do I have P2P on my Network? YES
Global Marketing
Immediate Application Control
Do I have P2P on my Network? YES
Global Marketing
Network Analysis Tools
“Who’s watching YouTube?”
Global Marketing
Network Analysis Tools
“Who’s watching YouTube?”
Global Marketing
User Identification
• Single Sign On (AD/LDAP Integration)• Local Login• Identify Top Bandwidth users
Global Marketing
Identify Top Bandwidth Users
Global Marketing
Connection Tracking by Country
Global Marketing
Trace & Identify Network Connections
Global Marketing
Control Your Network, Users & Traffic
Global Marketing
Control Your Network, Users & Traffic
Applications
Categories
Global Marketing
Control Your Network, Users & Traffic
ApplicationsUsers
User Groups Categories
Global Marketing
Control Your Network, Users & Traffic
ApplicationsUsers
User Groups Categories
Allow/DenyBW Manage
Global Marketing
Control Your Network, Users & Traffic
ApplicationsUsers
User Groups Categories
Schedules
Allow/DenyBW Manage
Global Marketing
Off-box application traffic analytics
Off-box reportingHistoric advanced reportingTrouble shooting, forensicsSchedule customer reportsAcross multiple devices
On-box reportingQuick sample “right now”Application controlFor a single device
Global Marketing
Architecture Makes a Difference
DPI ENGINE
IPS
SSL Decryption
Threat Prevention
URL Filtering
App Visualizatio
n
Application Control
Stateful Inspection
Engine
Decompression
IPS Module
AV Module
Traditional Firewalls with Modules
NGFW Integrated Engine
buffering
buffering
buffering
Global Marketing
The “RFDPI” Engine
Preprocessors
Postprocessors
TCP Reassembly
Policy Decision API
Deep Packet Inspection Engine
Pattern Definition Language Interpreter
Signature
SignatureInput Packet
Output Packet
Massively Scalable Multi-Core Architecture
Global Marketing
Branch NGFW: NSA 220 & 250M
Multi-core Branch Office Next Generation Firewall
SECURITY & APPLICATION CONTROL
NSA 220/W
NSA 250M/W
Global Marketing
Branch NGFW: NSA 220 & 250M
NSA 220 Series
NSA 250M Series
Equipment Consolidation
Hardware Failover
ISP Failover
Load Balancing
Centralized Management
Secure Remote Access
Clean 802.11n Wireless
Global Marketing
World’s First 10Gbps Threat Prevention Platform
First 30 Gbps Application Intelligence Platform
SuperMassive E10000 Series
Global Marketing
SonicWALL Next-Generation Firewalls
SuperMassive™ E10000 Series
E-Class NSA Series
NSA Series
TZ Series
E10100 E10200 E10400 E10800
NSA E8500 NSA E7500 NSA E6500 NSA E5500
NSA 4500 NSA 3500 NSA 2400MX NSA 2400 NSA 220/250M
TZ 210 Series
NSA E8510
Data centers, ISPs
Medium to largeorganizations
Branch offices andmedium sized organizations
Small and remote offices
Global Marketing
SonicGRID: Security Protection at Scale
• 6,000,000+ CloudAV Threat Sgtrs.• 25,000 Onboard Threat Family
Sgtrs. • 3500+ Application Signatures
• World Renowned Expertise • Active industry research contributor• 100% IP ownership of all signatures
Global Marketing
SonicWALL WAN Acceleration
WXA 5000WXA 2000WXA 4000
WXA 500 Live CD
Global Marketing
SonicWALL Clean Wireless
SonicPoint-Ni SonicPoint-Ne SonicPoint-N Dual Radio
Global Marketing
Next Generation Firewall
SECURITY
APPLICATION AWARENESS
PERFORMANCE
Global Marketing
Take a Step Towards an NGFW
Secure Upgrade ProgramContact nearest Dell SonicWALL Resellerhttp://www.sonicwall.com/us/howtobuy.html
Global Marketing
The Net Sec Challenge – Enterprise
Global Marketing
The Net Sec Challenge – Enterprise
Global Marketing
The Net Sec Challenge – Enterprise
Global Marketing
The Net Sec Challenge – Enterprise
Global Marketing
The Net Sec Challenge – Enterprise
Global Marketing
The Net Sec Challenge – Enterprise
Q&A
57