
McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.


Academic year: 2021


Table of Contents

Need Stronger Network Defense?
Network Concerns
Security Concerns
Cost of Ownership
Manageability
Application and User Awareness
High Availability
Augmented VPN
All-in-One Security Architecture
Deep Packet Inspection
Plug-and-Play Deployment
Multitenancy
Security Connected
What Is an Advanced Evasion Technique (AET)?
Confusion in the Market
The Costs of Keeping a Secret
AETs Are Misunderstood
McAfee Evader
Certifications
Contact and Resources

Need Stronger Network Defense?

As a result of extensive research and development into the latest attacks, McAfee Next Generation Firewall can identify and stop advanced evasion techniques (AETs) beyond the capability of any other solution currently available. For maximum return on investment and an extended lifecycle, McAfee Next Generation Firewall includes a comprehensive range of capabilities in one configurable hardware, software, or virtual appliance.

And best of all, it’s the foundation of the Security Connected strategy that extends your defenses from perimeter to core.

McAfee® Next Generation Firewall empowers customers to defend their enterprises with the most advanced technologies for delivering highly secure data networks.

It gives them the tools necessary for stopping advanced threats, managing complex policies for users and applications, and achieving high availability of network resources and the highest possible security posture.

The wait is over. Next-generation network security is here now.


Network Concerns

Ensuring that your security systems are not creating a bottleneck in your network can be an overwhelming task. McAfee Next Generation Firewall was built specifically from requirements outlined by those responsible for managing enterprise network security infrastructure. To defend and deliver the optimal network resources, we give network administrators high availability through native clustering. The McAfee Multi-Link feature provides performance and scalability while removing any single point of failure. McAfee Next Generation Firewall also assures service availability and reduces downtime with augmented VPN connectivity.

Centralized management empowers your team with extensive situational analysis and detailed drill downs for immediate answers and problem resolution. In addition, remote plug-and-play deployment and management capability reduce travel requirements and create operational efficiencies.

McAfee Next Generation Firewall offers high availability, performance, and scalability.

Security Concerns

Information security professionals need access to a comprehensive ecosystem of security solutions, from the endpoint to the data center. Now they have it in one unified solution—McAfee Next Generation Firewall, with defenses that include sandboxing, a global threat database, and up-to-the-minute threat signature updates. And no other product available today provides better defense against AETs, as proven by McAfee Evader, our free AET testing tool.

Get the latest defensive technologies and policy control.


Cost of Ownership

Next-generation firewalls bring efficiency to an organization by integrating point security solutions into a single system. McAfee built its next-generation firewall solution from the ground up, keeping in mind the ever-increasing workload of the security and network team. The result is a significant improvement in operational efficiency.

“Reduced downtime and staff efficiency lead to significant return on investment for next-generation firewall deployments”

–IDC NGFW TCO Report 2014

User productivity is becoming a more accepted cost factor.


Manageability

Centralized management helps lower operational costs by unifying control of network security devices in the data center, at remote sites, and throughout the corporate infrastructure. Now you can manage up to 2,000 nodes with a single management server.

Customers buy McAfee Next Generation Firewalls to gain extensive management capability. The McAfee Security Management Center provides complete visualizations of network activity and intuitive tools for proactive network management. Automated routines and hierarchical policies improve efficiency and eliminate the need for travel, as well as minimizing human error and downtime.

Manage more with less.


Application and User Awareness

When a user opens an application that is trying to access the Internet, McAfee Next Generation Firewall uses application control to examine it and ensure that each application’s activities are accurate, complete, and functioning at an optimal level. McAfee Next Generation Firewall leverages full user and application identification and security, enhanced with additional controls, including domain names, location, transport layer security (TLS) matches, URL categories, and zones.

Employees are increasingly demanding access to web- or cloud-based applications that help them do their jobs better. In an effort to satisfy users and maintain a secure infrastructure, IT organizations need to find a way to strike a balance between productivity and risk.

The overall goal of application control on McAfee Next Generation Firewall is to ensure that each aspect of a given application is complete, accurate, and valid, so data traveling through the network and between applications remains protected, private, and secure.

Gain ultimate control for enforcing policies.

• Identify applications port independently.

• Manage application bandwidth.

• Enforce application on defined port and user.

[Figure: Policy built on App-ID, User ID, and Content ID, applied to Internet traffic.]

High Availability

High availability is at the core of McAfee Next Generation Firewall.

Through active-active clustering of up to 16 nodes, it offers greater flexibility in situations where process-intensive security applications, such as deep packet inspection or VPNs, require better performance.

Transparent session failovers and support for running different software versions in the same cluster allow administrators to upgrade software and services on firewalls with no downtime.

Native clustering means no extra load-balancing systems that add complexity. And through McAfee Multi-Link, high availability is also extended to cover network and IPsec VPN connections.

Businesses today require 24/7/365 availability, allowing access to applications, data, and resources. Not only is the workload increased on the security devices as they analyze traffic and defend users from malicious attacks, but this increased workload also strains network connectivity. The next generation of security solutions must build in high availability that can scale as the business changes.

Downtime is not an option for today’s enterprise.

[Figure: Cluster of up to 16 nodes with a mix of hardware and software versions, connected to the Internet. Labels: Upgrade at any time of the day; No service impact; Consistency; Update a firewall cluster without dropping a single packet.]

Augmented VPN

Try our savings calculator tool at tools.mcafee.com/avpn-calculator.

McAfee Augmented VPN provides a simple, cost-effective way to create fast, secure, high-capacity connections between sites to ensure uninterrupted Internet connectivity. Designed for ease of use, the implementation requires no special equipment, software, or Internet Service Provider (ISP) peering agreements.

Organizations’ infrastructures are extending every day, with more and more teams and offices spreading to different locations all over the world. These organizations require reliable, fast connections between their production sites and business offices. McAfee Next Generation Firewall can help to reduce costs associated with expensive multiprotocol label switching (MPLS) circuits, while providing reliability and secure connections using McAfee Augmented VPNs.

Stop MPLS budget burn with augmented VPNs.

[Figure: Traffic classes: Web, Low Priority, High Priority, Latency Critical.]

All-in-One Security Architecture

Relying on a software-based architecture, McAfee Next Generation Firewall delivers an extensive set of features and capabilities in one offering. Administrators can deploy the McAfee Next Generation Firewall in multiple configurations as needed (NGFW, FW, VPN, Layer 2 FW, IDS/IPS), while ensuring the same network high availability, performance, scalability, and improvement in overall TCO.

Be prepared for changes in network security requirements with the ability to configure your next-generation firewall as needed.

Change happens. Make sure you have flexibility in your security strategy.


Deep Packet Inspection

McAfee Next Generation Firewall relies on deep packet inspection (DPI) capabilities to thoroughly examine the various pieces of each packet to identify errors, malformed packets, known attacks, and other anomalies. Viruses, Trojans, spam, intrusion attempts, and other violations of normal protocol communications are quickly identified and blocked. DPI also forms the basis for application control, user authentication, quality of service functions, and AET prevention.

Data flowing across enterprise networks is susceptible to malicious intervention that can compromise those networks with disastrous results. Every application, email, web page, and Internet connection relies on information encapsulated into discernible packets that can be easily distributed across data networks. These packets include information about the sender and receiver, as well as the actual contents, or payload. By manipulating pieces of the packet data, criminals can infiltrate networks, applications, data centers, and individual computers.

Know what’s on your network.

[Figure: McAfee Next Generation Firewall Stream-Based Full Stack Normalization, with protocol agents.]

Plug-and-Play Deployment

McAfee Next Generation Firewall streamlines deployments with significant cost savings over manual installations. More importantly, centralized management gives you total control and visibility across your enterprise. Automation across workflows ensures consistency and reduces human error. The result is a more secure and compliant network for your entire organization.

Distributed organizations incur significant costs for the time and expense of business travel to support network security and connectivity. McAfee Next Generation Firewall gives your organization a simple solution for centrally deploying, managing, and updating remote locations. No special technical skills are required to install at remote locations, freeing your skilled staff to focus on more important network-related issues.

Low-cost distributed security defends your entire organization.

[Figure: Deployment stages: Delivery; Initial Configuration; Connection; Final Policy Configuration; Up, Running and in Use. Plug & Play: 5 Minutes. Point Solution Deployment: 16 Days.]

Multitenancy

Large enterprises and Managed Service Providers require distinction between domains to appropriately secure customers and users.

Shared service organizations typically manage their operations in ways that are similar to commercial Managed Security Service Providers (MSSPs). By providing separate but interoperable domain management, McAfee Next Generation Firewall gives both types of organizations significant operational efficiencies and highly secure environments. The bottom line is more control and more flexibility.

With McAfee Next Generation Firewall, your security team gains the situational awareness, administrative tools, automated functionality, and user and application controls required to protect against today’s increasingly complex threat landscape. McAfee Next Generation Firewall is the smart choice delivering enterprise network security in environments that require separation of business units, geographical locations, or external customer organizations.

Take control and stay flexible with multiple domain management.


Security Connected

Firewalls are the first line of defense for many organizations. However, traditional firewalls do not integrate with endpoint security solutions and do not have access to either global threat intelligence or local threat intelligence. Without this integration, organizations are unable to protect against many of today's complex attacks.

To address this challenge, McAfee delivers the Security Connected framework, which brings networks and endpoints together through centralized management that integrates with both global and local threat intelligence to provide visibility across all threat vectors.

McAfee offers a wide range of integrated network protection technologies, including McAfee Threat Intelligence Exchange, McAfee Advanced Threat Defense, McAfee Network Intrusion Prevention, McAfee Next Generation Firewall, and McAfee Global Threat Intelligence. The McAfee network security framework provides maximum availability, security, integrity, flexibility, and manageability—with minimum overhead and risk.

A comprehensive security architecture enables optimal enterprise defense and resilience.


What Is an Advanced Evasion Technique (AET)?

Traditional network security equipment (intrusion prevention systems, intrusion detection systems, and next-generation firewalls) using packet-based inspection and signatures can be evaded with stealth attacks on multiple protocol layers. McAfee Next Generation Firewall relies on full-stack normalization for all traffic and stream-based data inspection and detection processes to identify evasions.

A separate self-test called McAfee Evader is available to check the evasion protection capabilities of a security device.

This stealth threat approach delivers any payload.

We have also developed a special guide, “Advanced Evasion Techniques for Dummies.” Download it at mcafee.com/ngfw.


Confusion in the Market

“A clear indicator of the confusion is that while 70% of those surveyed believe they know what an AET is, 37% of those incorrectly define the term ‘advanced evasion technique (AET).’”

“Fewer than half of all surveyed respondents could properly define an AET.”

January 2014 global survey of 800 CIOs and security managers by Vanson Bourne


The Costs of Keeping a Secret

“Respondents whose organizations had experienced a network breach in the past 12 months estimate the average cost to the business to be $931,006.”

“Has your network security been breached within the last 12 months?”

January 2014 global survey of 800 CIOs and security managers by Vanson Bourne


AETs Are Misunderstood

The actual reported number of AETs is approximately 800 million.

“How many different AETs do you believe have been discovered and studied so far?”

January 2014 global survey of 800 CIOs and security managers by Vanson Bourne


McAfee Evader

McAfee Evader is the world’s first software-based AET testing environment. Run this tool and you will:

• Launch controlled AET-borne attacks at your own defense technology.

• Tweak evasions and combinations and instantly see if you are successful.

• Prove to yourself and your management that you can prevent AETs or that you need to improve your network security.

McAfee Evader is not a hacking tool or a penetration test to see if different exploits can enter your system. Rather, McAfee Evader tests if a known exploit can be delivered, using AETs, through your current security devices to a target host.

But don’t take our word for it. Download McAfee Evader now for free, and see for yourself if your digital assets have real-world protection from AETs.

Download at evader.mcafee.com.

Try the free AET testing tool from McAfee.

Free tool download


Certifications

• Common Criteria Certification

• CEF Certified

• CSPN (First Level Standard Certification)

• FIPS 140-2 Certification

• ICSA Labs Enterprise Certified Network Firewall

• Secured by RSA

• Section 508 Accessibility

• VMware Certified Virtual Appliance Program

• VPN Consortium Certification

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered

About Intel Security

McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security combines the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. Intel Security’s mission is to give everyone the confidence to live and work safely and securely in the digital world. www.intelsecurity.com.

McAfee. Part of Intel Security.

2821 Mission College Boulevard Santa Clara, CA 95054
