The 2014 Next Generation Firewall Challenge


Network World and Robin Layland present

The 2014 Next Generation Firewall Challenge

Guide to Understanding and Choosing a Next Generation Firewall to Combat Today's Threats


Professional Opinions Disclaimer: All information presented and opinions expressed in this report represent the current opinions of the author(s) based on professional judgment and best available information at the time of the presentation. Consequently, the information is subject to change, and no liability for advice presented is assumed. Ultimate responsibility for choice of appropriate solutions remains with the reader.

Contact:

Robin Layland

Layland Consulting

(860) 561 - 4425

[email protected]

Copyright © 2014 Robin Layland / Layland Consulting

Contents

Analyst Introduction: How Next Generation Firewalls Can Stop the Latest Attacks ... 3

Balancing Business Needs and Costs with the Exponential Growth of Cyber Threats ... 6

Are Next-Generation Firewalls Enough? ... 9

HP TippingPoint Next Generation Firewall ... 12

Charting a New Dynamic


Two recent security events have rocked enterprises. The first was the breach of Target. It wasn't the breach itself that was shocking, because unfortunately breaches have become common. The real shock was the major effect it had on Target's finances and bottom line. The second event was the recent Heartbleed exploit. Heartbleed exposed the SSL code used by the majority of websites to a major attack. A bad problem was made worse because the good and bad guys learned about it at about the same time, which required a super-fast response from security vendors. These two events, along with the constant attacks by hackers, make good enterprise security even more critical.

What Target and Heartbleed Taught Us

The most important lesson of the Target breach and the Heartbleed exploit is that enterprises need to invest in good and comprehensive security solutions. A top-tier Next Generation Firewall is a critical part of that solution.

Target's security breach points out several features we need in a security solution. First, timely updates for malware and anti-virus protection are critical. A Next Generation Firewall vendor needs to tap into a large variety of sources for malware, viruses and attacks. It is not enough just to depend on others: the vendor needs to be aggressively searching out these threats for itself. It then must rely on its own capability to turn this information into the signatures and filters its equipment needs to stop the latest attack.

Next, a Next Generation Firewall needs to look at outbound traffic. The Target attack sent control information and data back to its home. The Next Generation Firewall can't just be an expert at looking for threats as they head into the enterprise. It needs to be able to understand the signatures of threats leaving the enterprise.

Target taught us that sandboxing can be important. The hope was that if the Target malware had been placed in a sandbox, it would have been found; but it was a sophisticated attack that waited to do its mischief, so the sandbox might not have found it. And before such an attack gets to the sandbox, you need a good Next Generation Firewall (NGFW). An NGFW able to handle Advanced Evasion Techniques (AETs) will know enough to send it to a sandbox. Having a sandbox is no replacement for a super smart Next Generation Firewall.

Target also shows that security professionals are a key part of the equation. A Next Generation Firewall solution needs to help make their jobs easier. Complexity is on the side of the hackers.


The solution should integrate with other security solutions to give a clear picture of what is happening. It should also limit the number of false positives, as they will quickly put your security staff to sleep.

The Heartbleed exploit showed that a good Next Generation Firewall vendor needs to deploy countermeasures very quickly. Since the good and bad guys found out about Heartbleed at the same time, there was a race to stop the attacks before attackers had a chance to exploit the flaw. Enterprises could not wait on application fixes, because those took too long to produce and even longer to deploy.

These breaches and exploits are going to continue, so enterprises need to understand how fast and effectively their security vendor can respond. The best security vendors will have their own internal group performing the research needed to figure out how to stop the exploit. It doesn't stop at just having a top-notch group that can quickly develop the signature or filter to stop the attack. The vendor's solution needs to get it out to your security equipment quickly. You need the vendor to show you they have a top-notch research organization, and you need to ask them to explain how they can automatically get the fix out and how quickly it can be deployed.

Stopping Advanced Evasion Techniques

Heartbleed and Target contain important lessons, but a Next Generation Firewall needs to address more than these issues. It needs to be the focal point in stopping AETs. Hacker AETs are always advancing and getting better. Attackers can break an attack into pieces and spread them over the packets in a flow. The trouble lies not just in the network or transport layer; it can also be in the application data. The Next Generation Firewall needs to reassemble the packet flow and apply advanced techniques to find the attacks. Additionally, the attack shouldn't be able to hide behind encryption. The solution needs to be able to examine all the traffic, whether it is clear text or encrypted, without affecting latency.

AETs can also mutate, presenting hundreds or thousands of different looks and requiring a separate signature for each mutated version. The best vendor will have a research group that understands the exploit and creates a solution that looks for the exploit itself, rather than creating thousands of signatures for one AET.
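To make the reassembly point concrete, here is an added example in Python (not code from the report or from any vendor): a toy inspector that matches a constructed marker pattern per segment, beside one that first rebuilds the TCP byte stream by sequence number, handling out-of-order and duplicate segments, and only then matches. The marker, the segment layout and the sequence numbers are all constructed.

```python
"""Stream reassembly vs. per-packet signature matching.

Added example (not from the report or any vendor): a toy inspector that
shows why an IPS that matches signatures packet by packet misses a
signature spread across TCP segments, while one that reassembles the
flow by sequence number before matching does not.  The "signature" and
the segments are constructed sample data.
"""
from dataclasses import dataclass

# Constructed signature: a harmless marker standing in for a real
# detection pattern.
SIGNATURE = b"MARKER-PATTERN"


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def per_packet_match(segments, signature=SIGNATURE):
    """Naive inspector: looks for the signature inside each segment only."""
    return any(signature in s.payload for s in segments)


def reassemble(segments):
    """Order segments by sequence number and rebuild the byte stream.

    Overlapping retransmissions keep the first-received copy of each byte,
    mirroring a common normalisation policy.  A gap raises ValueError so
    the caller never matches across missing data.
    """
    stream = bytearray()
    base = None
    for s in sorted(segments, key=lambda s: s.seq):
        if base is None:
            base = s.seq
        offset = s.seq - base
        if offset > len(stream):
            raise ValueError(f"gap in stream at seq {base + len(stream)}")
        # Skip the part of this segment that is already in the stream.
        stream.extend(s.payload[len(stream) - offset:])
    return bytes(stream)


def reassembled_match(segments, signature=SIGNATURE):
    """Flow-aware inspector: reassemble first, then search the whole stream."""
    return signature in reassemble(segments)


def evasive_segments(seq0=1000):
    """Constructed flow: the marker split across three small segments,
    delivered out of order, with one duplicated (retransmitted) segment."""
    data = b"GET /index.html " + SIGNATURE + b" HTTP/1.1\r\n"
    # Cut so that no single segment contains the whole marker.
    cut1 = data.index(SIGNATURE) + 4
    cut2 = cut1 + 5
    return [
        Segment(seq0 + cut2, data[cut2:]),        # arrives first
        Segment(seq0, data[:cut1]),
        Segment(seq0 + cut1, data[cut1:cut2]),
        Segment(seq0 + cut1, data[cut1:cut2]),    # duplicate retransmit
    ]


if __name__ == "__main__":
    segs = evasive_segments()
    print("per-packet match :", per_packet_match(segs))   # False
    print("reassembled match:", reassembled_match(segs))  # True
```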

What is a Next Generation Firewall?

A Next Generation Firewall is a purpose-built solution that can support complex deployments that include the data center, the network's edge and branch offices. They have absorbed many independent security solutions to become the key part of any enterprise’s security strategy.


The diagram above shows all the functions that have come together to make up a modern Next Generation Firewall. The big improvement over older versions is that the firewall has the ability to inspect all the layers and the application data. This allows it to find attacks no matter where the hacker has hidden them. The IPS function is more powerful because it can find signatures that AETs have broken up, a technique that older solutions struggle with. One of the most important advantages of a Next Generation Firewall is that it combines all these security functions in one solution, allowing it to get a more complete picture of what is going on.

The Challenge to the Industry

It is clear enterprises need to upgrade to the next generation in security. But the question is “Which Next Generation Firewall solution?” All of them have the same goal of stopping the bad guy, but that doesn’t mean they are all the same. I have outlined a few of the important capabilities and features of a Next Generation Firewall. There are differences in their emphasis and solutions. You need to understand these differences, and then find the one that best fits into your existing security architecture.

I have brought together four leading enterprise-class vendors to help you understand how they approach providing the security you need from your Next Generation Firewall:

- Dell
- HP
- Juniper
- McAfee

All of the vendors included in the challenge provide top-notch solutions and would be a good choice for your enterprise. To help you decide between them and know what to ask competitors, I asked them to explain their primary competitive differentiators. If each of them tried to address all the important issues and features, they would need many more pages than I have given them. So, instead, I requested that they concentrate on where they excel and are different compared with their competition. Your next step is to read and listen to what they have to say, so you can understand how they can help you build the right next-generation security infrastructure for your enterprise. Later, you should contact the vendors directly to answer your longer list of questions.

This document is just one part of The 2014 Next Generation Firewall Challenge. There are also two webcasts. In these webcasts, I bring together two experts to explore the topics in depth. Each one will help you gain a better understanding of what a Next Generation Firewall can do for you. The two webcast topics are:

- Stopping Advanced Evasion Techniques: Learn how Next Generation Firewalls stop AETs, along with the role of sandboxing and how to select the right solution for your enterprise
- Role of Research in Stopping Security Threats: What to look for when shopping for a Next Generation Firewall

The webcasts address many of the issues I mentioned in more detail and provide greater insight into these issues.


Only one thing can happen when you start a war: escalation of resources on both sides. As criminal organizations increase their attacks, business and government entities must respond in kind. The challenge is knowing how to balance the increasing costs for security against desired business results. Of course, stopping a breach is the number one objective, but network security teams know there are many more operational functions that go along with a comprehensive defensive strategy. Policy management, updates and upgrades, compliance and reporting all consume staff time. Our next generation firewall can deliver a smart return on investment while protecting against the most advanced threats.

Central Management Solves Complexity, Saves Man Hours

Protecting your enterprise requires an appropriate level of investment to lower risk to an acceptable level while providing the maximum possible resiliency, efficiency, and threat protection.

At the core of the McAfee Next Generation Firewall (NGFW) is its central management system called the McAfee Security Management Center (SMC). By bringing the information and control to a single-pane-of-glass interface, the McAfee NGFW provides the ability for your security staff to intelligently balance security risk and effort.

The McAfee NGFW was built specifically from requirements outlined by those responsible for managing enterprise network security infrastructure. As a result, the system is designed to give time- and cost-saving capabilities to your security team that improve both resiliency in the face of attacks and efficiency handling day-to-day activities.

“Reduced downtime and staff efficiency lead to significant return on investment for next generation firewall deployments” – IDC NGFW TCO White Paper (forthcoming)


Features You Need in Your Next Next Generation Firewall

- Central Management. One easy-to-use central interface to manage all McAfee NGFW network security functions from a single pane of glass.
- Advanced Evasion Protection. Finds malware that is delivered to a target using stealthy advanced evasion techniques (AETs) that are otherwise invisible to network security devices.
- All-In-One Architecture. Maximize your total cost of ownership (TCO) by reconfiguring the product as needed, allowing rapid response to business needs.
- Application and User Awareness. Full user and application identification.
- High Availability. Active-Active clustering gives you the ability to have multiple nodes running at the same time, providing resiliency, in-service maintenance and reduced downtime.
- Augmented VPN. Aggregate all ISP links into a common communications channel to optimize bandwidth, quality of service and high availability at a lower cost than MPLS.

For instance, extensive situational analysis visualizations and easy-to-access drill downs give immediate answers for problem resolution and reporting. And the system remains available through updates and upgrades as a result of active-active clustering, integrated load balancing, and augmented VPN connectivity.

At the same time, staff efficiency is improved through automated routines and hierarchical policies. Add to this plug-and-play deployment and you have greatly reduced human error, maintenance down time, and the cost and time required for travel.

A forthcoming white paper by IDC shows that the McAfee NGFW can reduce total cost of ownership (TCO) per end user by as much as 35 percent, including a reduction of 26 percent in required staff time. The bottom line is that in order to defend and deliver the optimal network resources, you need an NGFW that can deliver powerful management functionality to support the core, perimeter and remote locations, and give you a holistic view of the entire enterprise.

Here is what the experts at Enterprise Strategy Group (ESG) said in a Lab Validation Report released in March 2014:

“The McAfee Security Management Center provided an excellent interface, making it easy for ESG Lab to understand the current health of the security infrastructure at a glance as well as the security of the network as a whole. The console enabled rapid and painless drill-down from overall status and alerts to the underlying configuration and logs. Policies and configuration changes were easy to create and edit with a single action and applied to all nodes in the environment with a single click. This can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.”

Relying on a software-based architecture (unified software core), the McAfee NGFW gives an extensive set of features and capabilities in one offering, allowing deployment and re-use in new configurations as needed (NGFW, FW, VPN, Layer 2 FW, IDS/IPS). These capabilities are available in any form – hardware, software or in a virtual context. Customers tell us this aids in overall cost of ownership as they can redeploy equipment as their business needs change.


Advanced Evasion Techniques Are a Serious Problem.

Networking communication protocols make it possible for the internet to work. Unfortunately, criminals can use those trusted systems to obfuscate malicious data and penetrate your network defenses undetected. An advanced evasion technique (AET) is a method of delivering an exploit or malicious content into a vulnerable target so that the traffic looks normal and security devices will allow it to pass through. By combining attacks using several protocol layers, these advanced evasions bypass most existing security solutions undetected.

McAfee NGFW applies sophisticated analysis techniques specifically to detect this type of attack. After years of research and development, the McAfee NGFW is the only network security equipment that reconstructs the data stream, normalizing it to detect attempts at evasions. Signature and behavioral defenses are unable to keep up with the myriad attack modes of an evasion technique.

While other NGFW products have promoted their ability to successfully identify and defend against a few hundred AET varieties, the McAfee NGFW has been successfully tested against more than 800 million AET variants. Be sure to verify exactly the level of protection against AETs before you make your purchase. You can evaluate how secure your network defenses are against AETs by using our free testing tool available for download at evader.mcafee.com.

McAfee, a Division of Intel Security, is Your Strategic Partner for a Comprehensive Security Architecture

The global threat landscape is increasing exponentially and you need a partner you can trust that can help you defend your enterprise. With Intel Security you have access to a comprehensive ecosystem of security solutions from the endpoint to the data center, using the McAfee NGFW as the core.

McAfee recently announced an all-encompassing information security strategy for commercial and government enterprises under the Intel Security banner. Intel acquired McAfee in 2011 and next generation firewall provider Stonesoft in 2013. A key component of the acquisitions is to integrate the products in order to create a unified framework for hundreds of products, services, and partners. The goal is to improve the security posture of any organization and minimize operational costs through the platform’s innovative concepts, optimized processes, and practical savings.

McAfee is delivering on that promise and has announced the completion of the integration of additional McAfee technologies for antivirus, application control and security information and event management (SIEM) into the McAfee NGFW product line. Now, no other competitor can match the expanding capability of the McAfee NGFW to meet the return on investment and security posture demanded of its customers.

For more information about McAfee NGFW from Intel Security, please visit:


A year ago, this Challenge underscored how attackers continue to become more sophisticated in their efforts to compromise your security. Today, attackers continue to up their game, requiring the leading firewall players to do the same. A successful approach to security involves a multi-layered system that relies on security providers who go beyond being this year’s leader to consistently deliver leadership year in and year out.

We have been busy. Busy protecting people just like you from the most sophisticated attacks. In The Dell SonicWALL Threat Report issued earlier this year, a couple of things jump out.

- We detected and prevented over 1 trillion IPS attacks
- We blocked over 1.7 billion malware attacks
- We received over 16 million unique samples

These are the shoulders we stand on as we look forward to 2014. One thing is for certain, attacks will continue to get more sophisticated and organizations who do not keep up will pay the price in both financial and reputation terms.

Attacks will continue to come from all directions and to effectively stay ahead organizations need to partner with a thoroughly-vetted security company that has global threat visibility to continually develop countermeasures and provide advance notification to customers. This is the Dell approach to security.

We are different

There continues to be an urgent need for better security. The key to prevailing over the bad guys starts with meeting a basic firewall requirement: look at every port and protocol, decompress and decrypt every packet, and examine every bit of every file in every packet of every flow.

Dell’s Reassembly-Free Deep Packet Inspection (RFDPI) engine does exactly that to deliver top-shelf security effectiveness in all our products, giving you a “no compromise” approach to security whether you are a big data center or a small corner store. Dell™ SonicWALL™ is different because we inspect traffic as it streams into the network. The competition has documented that doing flow-based inspection is difficult, and they proceed to take an easier approach. The easy way is to continue to use a sandbox and make excuses; Dell’s RFDPI engine tackles the hard problem with a patented process that inspects streaming traffic in order to detect and block threats appearing in Layers 3 through 7.

We scan everything. We have no limits on file sizes or formats. If your firewall uses a sandbox to look at traffic, what happens to a file that exceeds the size of the sandbox? The answer is, you either drop what could be a legitimate file or you allow it to pass through your network without inspecting it for malware. Obviously neither option is optimal. At Dell SonicWALL, we inspect a broad range of protocols, allowing us to normalize the traffic and then to detect and neutralize malicious code before it can do any harm. With the rise of encrypted legitimate communication, the problem moves from file size to file encryption, and many vendors say “don’t scan those files” because the additional horsepower required will slow down the network. Our advanced anti-evasion technology is designed to decrypt and analyze SSL data without slowing down network performance because, what value is effectiveness without performance?

We are better

We are also nimble. Dell’s Global Response Intelligent Defense (GRID) network has over a million sensors continuously processing information, in real time, 365 days a year. More eyes mean we can see threats happening sooner, and react to them before they become a problem. For nearly a decade, we’ve helped our customers keep their firewalls up to date with the latest protection against emerging threats. Drawing from real world samples, we gather data, monitor anomalous behavior, and share intelligence with internal partners and external partners such as Microsoft. Our proprietary tools quickly analyze data to determine if it is malicious or benign. We do not rely on third parties to create countermeasures; we do it ourselves, identifying unique data patterns that allow us to quickly single out and block malicious files and traffic. Then, we continuously update our database of countermeasures and deploy it to the firewall sitting in your office. We go further by leveraging the cloud to provide you with real-time access to over 15 million countermeasures. This nimble activity results in our customers being ahead of the threats.

We respond faster. It is not just us saying we are fast to respond to threats. Microsoft’s Active Protections Program (MAPP) shows that Dell is one of the first to respond. When Microsoft issues a security advisory, they indicate which partners have released protections within 48 hours of the release of the Microsoft Security Advisory. Dell is consistently responding within 48 hours. Fast response means earlier protection, where showing up early can mean the difference between compromise and defense.

Beyond what Microsoft implies, a great way to know who is keeping up is to look to the recognized evaluating bodies and see who is maintaining consistently high ratings. Whether it is NSS Labs, ICSA, or the agencies that establish security standards, you can see who the consistent leaders are. Dell SonicWALL has earned NSS recommendations for both firewall and IPS two years running. In the IPS evaluation, our integrated solution went head to head against dedicated IPS devices and earned a “Recommended” rating. We also are certified in Anti-Virus and Firewalls by ICSA, another recognized evaluation organization. If you work with government agencies, items such as Common Criteria and FIPS-140 are important indicators of your security effectiveness. It is important to us; we strive to meet these requirements on every firewall.

We give you more options. Take bandwidth management for example. Any next-generation firewall can give you 'block and allow' capability. Going further is the option to prioritize important applications and deprioritize those that are less critical. With bandwidth management, you can identify which groups should have broad access to Facebook as a critical marketing application and which groups should have limited access to the same application that they use to keep up with friends. The breadth of the product line gives you options to choose the product that meets the budget of any size organization.

Your Next-Generation Firewall needs to go deeper to give you better security

In addition to hiding their attacks using SSL encryption, cybercriminals often try to circumvent the Intrusion Prevention System by obfuscating advanced attacks using complex algorithms designed to evade detection. Some network security vendors’ products may not perform adequate data normalization to decode threats before the IPS has a chance to examine them. This enables encoded threats to compromise corporate networks without being noticed. Going deeper with a next-generation firewall involves being able to see through the evasion and detect code that looks to avoid detection. The secure networking delivered by Dell offers cutting-edge IPS threat protection that is capable of reverse-engineering these advanced evasion techniques. All Dell SonicWALL next-generation firewalls feature a tightly integrated Intrusion Prevention System with sophisticated anti-evasion capabilities such as full stack inspection of inbound and outbound application traffic and context-aware monitoring to provide secure networking to organizations of any size.

Conclusion

Not all next-generation firewalls deliver the same level of security. Dell SonicWALL next-generation firewalls are the only firewalls capable of providing organizations of any size with a deeper level of network security. Our industry-leading firewalls are designed using the Reassembly-Free Deep Packet Inspection® (RFDPI) engine to scan all traffic, regardless of port or protocol. In addition to advanced SSL decryption and IPS capabilities, Dell SonicWALL next-generation firewalls also have access to a cloud database that is updated continually with more than 15 million countermeasures. This is all in a solution that is easy to manage and delivers a low total cost of ownership.

Getting it right some of the time is not enough; the stakes are too high. Getting it right is insisting on a no compromise approach to security. This is the Dell SonicWALL approach to meet the Next-Generation Firewall Challenge.

For more information about the Dell SonicWALL approach to no compromise security described here, please visit


Bring-your-own-device (BYOD) programs and cloud computing have turned up the heat on security and prompted a new wave of security technology. But the best technology in the world is useless if you cannot easily implement and maintain it. And it is worse than useless if it keeps an already-stretched security team busy managing configurations and updates and chasing false positives. The HP TippingPoint Next-Generation Firewall (NGFW) combines a stateful packet-inspection firewall with an industry-leading intrusion prevention system (IPS) to provide application control, user-based policy control and improved security at the edge of the network. While others needed to acquire an IPS vendor to build an NGFW, we built the HP TippingPoint NGFW on the extremely effective and reliable HP TippingPoint Next-Generation Intrusion Prevention System (NGIPS)—a solution Gartner Group has placed in the leaders quadrant for NGIPS nine years in a row.

We summarize our approach with the HP TippingPoint NGFW in three words:

- Simple.
- Effective.
- Reliable.

We suspect you already know something about network security, so we’ll skip the NGFW overview and just tell you what makes the HP TippingPoint NGFW different and what we are doing to deliver on the three promises mentioned above.

Keep it simple

Two things make HP TippingPoint NGFW easy to deploy and use. First, our Security Management Solution (SMS) is a central administration point that provides a view across all your HP TippingPoint NGFW and NGIPS devices. It lets you configure, deploy and manage these systems based on the role each plays in your security strategy. (You might treat an NGFW for a branch office and an NGFW at a manufacturing site differently, for example.) The SMS also lets you push Digital Vaccine (DV) and Reputation Digital Vaccine (RepDV) updates to all devices automatically or according to a schedule you establish. (More on the power of DV and RepDV below.)


Some NGFW solutions require ongoing tweaking of security settings, rules and filters to dial in the optimal security. We know you don’t have time for that, so we preconfigure our security appliances to provide the best protection out of the box. These are not the “lowest common denominator,” they are viable security parameters designed by experts to provide optimum protection while minimizing false positives. In fact, 60% of our customers use the factory settings in production.

Make it effective

Just as a computer is only as capable as the software that drives it, security is only as effective as the threat research behind it. The HP TippingPoint NGFW is powered by security intelligence from HP Security Research and HP TippingPoint DVLabs. We have received the Frost & Sullivan Market Share Leadership Award for Vulnerability Research four years in a row. In addition to the HP internal security research team, our Zero-Day Initiative pays independent researchers to find and report vulnerabilities. More than 3,000 researchers are working to keep HP TippingPoint customers updated with the latest security protection from known and unknown threats.

Once we identify a vulnerability, we create a vulnerability filter—a virtual patch—and notify the application vendor so they can write a permanent patch. There are currently more than 8,700 vulnerability filters available to HP TippingPoint customers right out of the box, and we push new filters to TippingPoint customers weekly.

But the number of filters developed and distributed doesn’t tell the whole story. HP TippingPoint blocks attacks in a fundamentally different way. When hackers discover vulnerabilities in software, they develop “exploits” that attack via the vulnerability. Most security vendors develop filters that detect and block individual exploits. However, the hacker can easily develop mutations that exploit the same vulnerability but look different, so they are not caught by the exploit filter. The Zotob worm, for example, automatically mutated to create 382 variants. Trying to block them by conventional exploit filters means security vendors must create and deploy 382 exploit patches to their customers. The hacker is always ahead. And this method can result in increased false positives which take security responders away from the real threat.


HP TippingPoint, on the other hand, develops a virtual patch keyed to the vulnerability rather than individual exploits. Rather than playing catchup with the exploit, we shut the door to all exploits no matter how they mutate. The fact that we find more vulnerabilities than other vendors is critical, because when we find a vulnerability, we develop and distribute digital vaccine for it quicker—usually before exploits are even seen—so you’re protected sooner. And we block new exploits targeting the same vulnerability, even before they are seen. Filtering at the vulnerability level rather than individual exploits also reduces the number of false positives.
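As an added illustration of the filtering-at-the-vulnerability idea (this is not HP's code or any real filter), the following Python compares an exploit-signature filter with a vulnerability-level filter over a constructed login message format whose assumed weakness is a fixed 64-byte buffer for the `user` field; the message format, buffer size, known-bad samples and variants are all constructed.

```python
"""Exploit-signature filters vs. a vulnerability-level filter.

Added example (not from the report or HP): a toy 'LOGIN' message whose
constructed weakness is that the receiver copies the `user` field into a
64-byte buffer.  Known bad samples are matched by exact exploit
signatures; the vulnerability filter instead checks the condition every
variant must satisfy to trigger the bug, so unseen variants are caught too.
"""
import re

USER_BUFFER_SIZE = 64  # constructed: size of the receiver's fixed buffer


def parse_login(msg: bytes) -> dict:
    """Parse 'LOGIN user=<name> pass=<pw>' into fields (constructed format)."""
    m = re.fullmatch(rb"LOGIN user=(\S+) pass=(\S*)", msg)
    if not m:
        raise ValueError("malformed login message")
    return {"user": m.group(1), "pass": m.group(2)}


# Two "known" bad samples an analyst might have captured (constructed).
KNOWN_BAD = [
    b"LOGIN user=" + b"A" * 200 + b" pass=x",
    b"LOGIN user=" + b"\x90" * 120 + b"CAFE" + b" pass=x",
]


def exploit_signature_filter(msg: bytes) -> bool:
    """Block only messages identical to a previously seen bad sample."""
    return msg in KNOWN_BAD


def vulnerability_filter(msg: bytes) -> bool:
    """Block any message that would overflow the receiver's user buffer,
    whatever bytes it carries: the filter keys on the vulnerability."""
    try:
        fields = parse_login(msg)
    except ValueError:
        return True  # malformed input to a fragile parser: drop it
    return len(fields["user"]) > USER_BUFFER_SIZE


def variants(n: int = 5):
    """Constructed mutations of the same overflow: different filler bytes
    and lengths, none byte-identical to a known sample."""
    out = []
    for i in range(n):
        filler = bytes([0x41 + i]) * (USER_BUFFER_SIZE + 10 + 7 * i)
        out.append(b"LOGIN user=" + filler + b" pass=x")
    return out


def compare(messages):
    """Return (blocked_by_signature, blocked_by_vulnerability) counts."""
    sig = sum(exploit_signature_filter(m) for m in messages)
    vul = sum(vulnerability_filter(m) for m in messages)
    return sig, vul


# Constructed benign traffic: must pass both filters.
BENIGN = [b"LOGIN user=alice pass=s3cret", b"LOGIN user=bob.smith pass="]

if __name__ == "__main__":
    corpus = KNOWN_BAD + variants()
    print("bad corpus   :", compare(corpus))   # (2, 7)
    print("benign corpus:", compare(BENIGN))   # (0, 0)
```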

In addition to virtual patches, HP TippingPoint RepDV provides up-to-date reputation data to HP TippingPoint customers, so HP TippingPoint NGFW can automatically block traffic coming from or destined to known bad or suspicious IP addresses. We maintain a database of more than 2 million IPv4 and IPv6 addresses and DNS names. RepDV assigns each IP address a reputation grade from 0 to 100. We update HP TippingPoint devices every two hours, and you establish the threshold at which traffic is blocked. One of our financial services customers turned on reputation filtering and experienced a 75% reduction in malware incidents over 15 months of operation—with no false positives. That let their security team focus on what really mattered.

Make sure it is reliable

With HP TippingPoint NGFW, IPS is not a bolt on. We built the NGFW leveraging the HP TippingPoint NGIPS, which has 12 years of proven performance and reliability in more than 7,000 customer installations.

Individual TippingPoint NGFW appliances maintain a throughput of up to 10 Gbps—5 Gbps with IPS enabled. IPS is a critical part of an NGFW and can cripple performance on some. When IPS is enabled on the HP TippingPoint NGFW, it is up to 40% faster than comparable competitive models.

Part of a comprehensive security solution

HP TippingPoint NGFW is deployable as a standalone NGFW solution, but it also snaps into a more complete security solution that includes HP TippingPoint NGIPS and is managed by the HP TippingPoint Security Management System (SMS) console. It even has out-of-the-box integrations with HP ArcSight Security Information and Event Management—a SIEM solution that doesn’t require you to become a network security expert.

So why choose HP TippingPoint NGFW: twelve years of NGIPS experience, industry-leading threat research and proven reliability. We’re working to make HP TippingPoint NGFW as simple, effective and reliable as possible, so your security team can focus on the strategic issues that keep your company safe.

For more information about the HP TippingPoint security solutions described here, please visit www.hp.com/go/NGFW or call 1-877-686-9637.


How do you differentiate between different next generation firewalls? Today’s next generation firewalls are fairly standardized. They typically perform deep packet inspection, application identification and policy enforcement, integrate intrusion prevention, apply unified threat management and can leverage some information from outside the firewall. The ability to leverage external information has a lot of potential but today is still relatively limited or application specific in nature. In most cases it is limited to active directory integration for user policy matching, the ability to consume signatures for IPS and UTM functions, and some static whitelist/blacklist functionality.

However, when your firewall can dynamically tap into and truly analyze and take automatic action based on a broad range of external intelligence feeds, then you get to the next evolution for firewall capabilities – this is what you will find in Juniper’s SRX Series Services Gateway and security intelligence system.

Juniper’s Firewall Approach – Leveraging a Dynamic Intelligence System

Wouldn’t it be great if your firewall could deliver a faster response against threats with less work? If you think about it, it’s a little crazy that you have to manually step in to update your firewall policies based on static data or data from inflexible sources in order to respond to threats, especially considering the fast changing threat landscape and the availability of useful intelligence. It would be faster and less prone to human error to manually set policy structures that contain dynamic groups and then leverage dynamic data feeds to provide content for the dynamic groups for policy matching and enforcement. This kind of dynamic system enables your firewall to be much more responsive to quickly changing threats. Add threat intelligence to this dynamic capability and you get the next evolution for firewall capabilities – the ‘dynamic, intelligent firewall.’ Juniper SRX Security Gateways are leading this evolution from the still mostly static, next-gen firewalls of today to the dynamic, intelligent firewalls of tomorrow. The key to this shift is in using dynamic objects populated with external threat intelligence to instantly respond to threats. This unique dynamic intelligence system increases the level of threat information upon which the firewall can act because it allows that information to be fed into the firewall via the dynamic groups without requiring manual policy updates from live security personnel.


Expose and Block Threats through Dynamic Intelligence-based Policy Enforcement

Block known attackers at the firewall

The SRX Series will block attacker devices as soon as they are identified by the Spotlight community by leveraging a dynamic intelligence data feed from WebApp Secure and Spotlight Secure. Unlike the standard industry method of blocking traffic by IP address, WebApp Secure can identify and block attackers at the device level. It shares attacker device IDs with the Spotlight Secure global attacker intelligence service so these IDs can be leveraged by the entire Juniper Spotlight community.

Block traffic to and from malicious servers and identify compromised end points

The SRX Series will block network traffic to known malicious command & control servers, traffic that both IPS and traditional AV could miss. It will also recognize the source of the traffic to identify infected end points. The SRX Series will catch the traffic because it can operate from a dynamic intelligence feed of known malicious command & control points. The challenge with command & control intelligence lies in the quality of the information. There are many sources for this information and the quality varies greatly. Some sources are not comprehensive while other sources are rife with false positives. Juniper’s dynamic intelligence system mitigates these problems because it will aggregate and analyze multiple sources of security data to create an optimized intelligence feed on which the SRX Series can act.

Apply Dynamic Policy Matching for More Responsive Control

You will no longer be limited to static IP address lists, signatures or directory entries to match security policies. The SRX Series will act on address feeds from any source that can plug into the dynamic intelligence system. These sources could be GeoIP addresses or other custom address data feeds such as those provided by government or other third-parties. These could come from an on-premise source and/or from the cloud.

High-speed incident response flexibility

Updating firewall policies is a careful process that takes time. This update process is why it is so difficult to use the firewall to inspect “unusual behavior” on the fly. However, with dynamic address groups and custom address data feeds, you could create special incident response policies for the firewall that rely on policy matching groups that simply sit empty when there is no incident in process. When an incident response is needed all you do is feed applicable addresses into the dynamic policy matching group and then the SRX immediately enforces it. This way the policy itself does not need to be updated, which would require a maintenance window, instead the dynamic address feed that goes into the address group for that policy updates, making it possible to use your firewall for fast incident response policy enforcement.
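The dynamic address group pattern described in the two passages above (feed-driven policy matching, and an incident-response group that sits empty until needed), as an added example that is not Juniper SRX code or configuration: the rule names, group names, one-address-per-line feed format and all addresses are constructed.

```python
# Added example of the dynamic-address-group pattern; not Juniper SRX code or
# configuration. Names, feed format and addresses are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    src_group: Optional[str] = None   # dynamic group the source must belong to
    dst_group: Optional[str] = None   # dynamic group the destination must belong to

@dataclass
class DynamicFirewall:
    rules: List[Rule]
    # Group name -> member networks; a group may be empty (idle incident-response group).
    groups: Dict[str, set] = field(default_factory=dict)

    def load_feed(self, group: str, feed_text: str) -> int:
        """Replace a group's members from a feed (one IP/CIDR per line, '#' comments); rules untouched."""
        nets = set()
        for line in feed_text.splitlines():
            entry = line.split("#", 1)[0].strip()
            if entry:
                nets.add(ipaddress.ip_network(entry, strict=False))
        self.groups[group] = nets
        return len(nets)

    def _in_group(self, group: Optional[str], addr: str) -> bool:
        if group is None:
            return True   # the rule does not constrain this side
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.groups.get(group, ()))

    def evaluate(self, src: str, dst: str) -> str:
        """First matching rule wins; unmatched traffic is denied."""
        for rule in self.rules:
            if self._in_group(rule.src_group, src) and self._in_group(rule.dst_group, dst):
                return f"{rule.action} ({rule.name})"
        return "deny (default)"

def build_firewall() -> DynamicFirewall:
    """Constructed policy: C2 blocking, an empty quarantine group, internal permit."""
    fw = DynamicFirewall(rules=[
        Rule("block-c2", "deny", dst_group="cnc-servers"),
        Rule("ir-quarantine", "deny", src_group="quarantine"),
        Rule("allow-internal", "permit", src_group="internal"),
    ])
    fw.load_feed("internal", "10.0.0.0/8\n")
    fw.load_feed("cnc-servers", "203.0.113.0/24  # constructed C2 feed\n198.51.100.7\n")
    fw.load_feed("quarantine", "")   # empty until incident responders feed it
    return fw
```

Pushing an address into the "quarantine" feed changes what `ir-quarantine` matches immediately, while the rule set itself never changes.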

The Whole Dynamic Intelligent Package

Juniper Networks SRX Series Services Gateways integrate a full suite of next generation firewall security features, plus unique dynamic intelligence-based capabilities:

• Network layer (3 and 4) protection
• VPN access
• Application visibility & control via Juniper AppSecure
• User role-based control - based on user, group, role, device, application, and application type


• IPS
• UTM (anti-virus, Web filtering, and anti-spam) leveraging best-of-breed security technologies

Get all the benefits of a next generation firewall and more by using a dynamic, intelligent solution – Juniper’s SRX Series Services Gateway.

Moving forward, Juniper will continue to deliver innovative solutions including advanced anti-malware solutions and additional security intelligence, building the Dynamic Intelligent Firewall to create the next generation after next-generation firewall.

Learn more about Juniper Networks’ security solutions at http://www.juniper.net/us/en/products-services/security/ or visit https://www.juniper.net/us/en/how-to-buy/form/
