Next-Generation Firewalls:
Results from the Lab
Robert Smithers
Agenda
• Participating Vendors and Products
• How We Did It
• Categories of Products Tested
• About the Technology
– Secure Web Gateway
– Next-Generation Firewall
– Unified Threat Management
– Sandbox
Agenda
• Three High Risk Event Results
– CryptoLocker
– Outbound Botnet
– Worm and Trojans
• Industry Average Comparisons
– Layer 3 Firewall Throughput
– Malicious Files Legacy
– Malicious URLs: Blended Malicious Threats
Agenda
• Industry Average Comparisons
– Malicious URLs Wild: Malc0de
– Layer 7 Firewall Throughput Max
– Layer 7 Firewall Throughput Mixed
Participating Vendors and Products
• Blue Coat ProxySG 300-5
• Check Point 4210 NGFW
• Check Point SWG-12600
• Cisco ASA 5545-X with CX Module
• Cisco ISA550W
• Cyberoam CR100iNG
Participating Vendors and Products
• Dell SonicWALL TZ 105 (Cloud)
• Dell SonicWALL TZ 105 (Appliance)
• FireEye Malware Protection System 1310
• Fortinet FortiGate 20-C
• Fortinet FortiGate 100-D
• Fortinet FortiGate 800-C
Participating Vendors and Products
• Palo Alto PA-3020
• Sophos SG 210
• Sophos SG 230
• Sophos UTM 220
• WatchGuard XTM 525
How We Did It
Test equipment included:
– Ixia XG12 and BreakingPoint FireStorm
– Spirent Studio Security
– Apposite Linktropy 7500 PRO
– WildPackets OmniPeek for Windows
– Windows 7 and Windows XP Clients/Endpoints
Categories of Products Tested
• Secure Web Gateway
• Next-Generation Firewall
• Unified Threat Management
• Sandbox
Secure Web Gateway (SWG)
• Edge security platform against Web-borne threats that can invade the enterprise network via Internet browsing; enforces the organization’s policies for Internet usage and regulatory compliance
• Essential functionality: URL filtering, malicious code detection/filtering and application control
• Products with real-time, cloud-based content analysis tend to outperform those that look up URLs and/or threat signatures in a static database
Secure Web Gateway (SWG)
• Class of product for organizations of all sizes: SMB and Enterprise
• Essential functionality: URL filtering, malicious code detection/filtering and application control
– SMB: protects against basic threats, easy to implement/manage
– Enterprise: protection extended to advanced and targeted threats, requires more skill and resources to implement/manage
• On-premises appliance most popular, with software, virtual, cloud (SWG as a Service) and on-premises / cloud hybrid versions also available
Next-Generation Firewall (NGFW)
• Evolutionary type of network edge security device
• Possesses combination of functionality of basic firewall and enhancements
– Traffic inspection enables detection and blocking of malicious activity
– Application awareness enables identification of attacks directed at the network as well as enforcement of the organization’s Internet usage and regulatory compliance policies
Next-Generation Firewall (NGFW)
• Available for organizations of all sizes
• Can be deployed as appliance, virtual appliance or software-based solution
• Inline “bump in the wire” deployment: enabling functionality does result in reduced network performance
• Next-generation firewall arguably has caused basic firewall to go the way of video cassette recorders and VHS tapes, into obsolescence
Unified Threat Management (UTM)
• Just as Next-Generation Firewall, an evolutionary class of network edge security platform
• Combination of firewall and VPN of basic firewall plus…
• Intrusion Prevention System also found in Next-Generation Firewall, URL filtering and antivirus also found in Secure Web Gateway, and anti-spam and mail antivirus also found in Spam Filtering products
Unified Threat Management (UTM)
• Available as appliance, virtual appliance, software and cloud-based
• Network administrator must find balance between security and network performance
– Individual packets examined by each security function
Sandbox
• Security technique for protecting enterprise network from malware by running applications and visiting Websites in a controlled environment
• FireEye leads market with competitors including AhnLab, Blue Coat, Check Point, Damballa, McAfee, Palo Alto Networks and Sourcefire (acquired by Cisco in October 2013)
• Sandbox appliance or cloud-based service is part of a multi-layered security system
Sandbox
• Botnets, zero-day attacks and corporate espionage among factors that fueled advent of sandbox; virtualization has facilitated utilization of sandbox
• Small percentage of malware has written-in capability to try to defeat sandbox
– Check environment to determine if it is in a sandbox
– Seek to be allowed to pass by attempting to time out the sandbox, stalling by performing meaningless calculations
Spam Filtering
• Class of network security device that safeguards against unwanted inbound and outbound Email: spam
– Inbound: protect networked computers against dangerous forms of spam such as phishing attempts and Emails containing viruses
– Outbound: protect networked computers from being compromised and used as a zombie in a botnet to generate spam
Spam Filtering
• Spam is no small problem: estimated 50-60% of enterprise Email
• Key functionality: protect against inbound, targeted phishing attacks
• Functionality growing in importance: ability to re-evaluate URL link(s) in Email at the time of end user click
• Available as appliance, software, managed service
• Based on Gartner 2013 Magic Quadrant:
– Product leaders are Cisco, Proofpoint, Symantec, Microsoft and McAfee
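As an added example (not from the slides or any vendor's product), the time-of-click URL re-evaluation described above in Python: each link is rewritten to a signed redirector at delivery and re-checked against the blocklist that exists when the user clicks, so a host listed after delivery is still caught. The redirector endpoint, signing key, hosts and blocklist are all constructed for the demo.

```python
# Added example: time-of-click URL re-evaluation for e-mail links.
# Delivery: rewrite each link to a signed redirector URL. Click: verify the
# signature, then check the destination against *current* reputation data.
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

SECRET = b"constructed-demo-signing-key"          # per-tenant key (hypothetical)
REWRITER_BASE = "https://click.example.net/r"    # hypothetical redirector endpoint
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    """HMAC the original URL so the redirector only follows links it issued."""
    mac = hmac.new(SECRET, url.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def rewrite_links(body: str) -> str:
    """Delivery time: replace every link in the body with a signed redirector link."""
    def repl(m):
        url = m.group(0)
        return f"{REWRITER_BASE}?u={quote(url, safe='')}&s={_sign(url)}"
    return URL_RE.sub(repl, body)


def resolve_click(url: str, sig: str, blocklist: set) -> tuple:
    """Click time: reject tampered links, then block or allow on current reputation."""
    if not hmac.compare_digest(_sign(url), sig):
        return ("reject", "bad signature")      # forged or altered redirector link
    host = urlparse(url).hostname or ""
    if host.lower() in blocklist:
        return ("block", url)
    return ("allow", url)


def decisions(body: str, blocklist: set) -> list:
    """Simulate the user clicking every rewritten link in `body` against `blocklist`."""
    out = []
    for m in re.finditer(re.escape(REWRITER_BASE) + r"\?\S+", rewrite_links(body)):
        q = parse_qs(urlparse(m.group(0)).query)
        out.append(resolve_click(q["u"][0], q["s"][0], blocklist))
    return out


# Constructed scenario: the link was clean at delivery and listed afterwards.
BODY = "Invoice ready: http://invoice-portal.example/doc/42 and https://intranet.example/help"
BLOCKLIST_AT_DELIVERY = set()
BLOCKLIST_AT_CLICK = {"invoice-portal.example"}
```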
Three High Risk Event Results
Specific High Risk Events
– CryptoLocker
– Outbound Botnet
CryptoLocker
• Ransomware trojan
• Encrypts specific types of files using RSA public-key cryptography
• Message displays an offer to decrypt the
Outbound Botnet
• Botnet is a network of compromised computers under control of a third party whose purpose is to invade the network
• Bots remain inactive until they get orders from their command and control hosts
• Designed to steal the most valuable information on a network
• Outbound botnet defense protects corporate data
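An added example, not part of the deck, of one signal an outbound-botnet defense looks for: a bot that sits idle and polls its command and control host on a timer produces outbound connections at unusually regular intervals, unlike bursty user traffic. The Python below scores that regularity over a constructed connection log; the log format, addresses and thresholds are assumptions.

```python
# Added example: spotting timer-driven outbound check-ins in a constructed log.
# Gaps between a bot's C2 connections have a low coefficient of variation
# (stddev / mean); interactive traffic does not. All data below is constructed.
import re
from collections import defaultdict
from statistics import mean, pstdev

LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")

# Constructed log of allowed outbound flows: "<epoch seconds> <src> -> <dst>:<port>".
SAMPLE_LOG = """\
1000 10.0.0.5 -> 203.0.113.9:443
1060 10.0.0.5 -> 203.0.113.9:443
1121 10.0.0.5 -> 203.0.113.9:443
1180 10.0.0.5 -> 203.0.113.9:443
1241 10.0.0.5 -> 203.0.113.9:443
1300 10.0.0.5 -> 203.0.113.9:443
1005 10.0.0.7 -> 198.51.100.20:443
1009 10.0.0.7 -> 198.51.100.20:443
1400 10.0.0.7 -> 198.51.100.20:443
1402 10.0.0.7 -> 198.51.100.20:443
2900 10.0.0.7 -> 198.51.100.20:443
"""


def parse_flows(log: str) -> dict:
    """Group connection timestamps by (src, dst, port); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            flows[(m["src"], m["dst"], int(m["port"]))].append(int(m["ts"]))
    return flows


def find_beacons(log: str, min_events: int = 5, max_cv: float = 0.15) -> list:
    """Flag flows with enough events whose gap cv is at or below max_cv.
    Known periodic services (NTP, update checks) should be allowlisted by the caller."""
    hits = []
    for (src, dst, port), stamps in parse_flows(log).items():
        if len(stamps) < min_events:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:                      # duplicate timestamps only; nothing to score
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return hits
```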
Worms
• Computer worms are a type of malware that replicates functional copies of themselves to cause damage to data or software
• Host program or human help is not needed for them to propagate
• Worm enters a computer through a system vulnerability and uses a file- or information-transport feature to allow it to travel independently
Trojans
• A Trojan is another type of malware that appears as legitimate software
• Users are tricked into loading and executing it
• Trojans can achieve a variety of attacks on the host – from distractions (pop-up windows) to major damage (deleting files, activating and spreading other malware) on the host
• Can also create back doors to give malevolent
Industry Average Comparisons
• Layer 3 Firewall Throughput
• Malicious Files Legacy
• Malicious URLs: Blended Malicious Threats
• Malicious Files Wild
• Malicious Files Wild: Malc0de
• Layer 7 Firewall Throughput Max
• Layer 7 Firewall Throughput Mixed
Industry Average Comparisons
• HTTP Proxy Throughput
• Firewall + IPS Throughput
Industry Average Comparisons
Layer 3 Firewall Throughput
[Chart: Layer 3 Firewall Throughput (Mbps) per product: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, XTM 525. Industry average: 2,057.3 Mbps]
Industry Average Comparisons
Malicious Files Legacy
[Chart: Malicious Files Blocked (%) per product: SWG-12600, Malware Protection System 1310, Web Security Gateway. Industry average: 39.3 (the chart label reads Mbps, though the axis is percent blocked)]
Industry Average Comparisons
Malicious URLs: Blended Malicious Threats
[Chart: Malicious URLs Blocked (%) per product: 4210 NGFW, Malware Protection System 1310, ASA 5545-X with CX Module, FortiGate 800-C, SRX650 Services Gateway, PA-3020, Web Security Gateway. Industry average: 25.1 (the chart label reads Mbps, though the axis is percent blocked)]
Industry Average Comparisons
Malicious Files Wild
[Chart: Malicious Files Blocked (%) per product; product labels not recoverable from the extraction. Industry average: 73.5 (the chart label reads Mbps, though the axis is percent blocked)]
Industry Average Comparisons
Malicious URLs Wild: Malc0de
[Chart: Malicious URLs Blocked (%) per product: 4210 NGFW, ASA 5545-X with CX Module, Malware Protection System 1310, FortiGate 800-C, SRX650 Services Gateway, PA-3020, Web Security Gateway. Industry average: 41.6 (the chart label reads Mbps, though the axis is percent blocked)]
Industry Average Comparisons
Layer 7 Firewall Throughput Max
[Chart: Layer 7 Firewall Throughput (Mbps) per product: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525. Industry average: 2,158 Mbps]
Industry Average Comparisons
Layer 7 Firewall Throughput Mixed
[Chart: Layer 7 Firewall Throughput (Mbps) per product: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525. Industry average: 1,987 Mbps]
Industry Average Comparisons
Application Control
[Chart: Application Control Throughput (Mbps) per product: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525. Industry average: 1,345 Mbps]
Industry Average Comparisons
HTTP Proxy Throughput
[Chart: Firewall and AV (Proxy) Throughput (Mbps) per product: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525; two products shown as N/A. Industry average: 380 Mbps]
Industry Average Comparisons
Firewall + IPS Throughput
[Chart: Firewall and IPS Throughput (Mbps) per product: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525. Industry average: 330 Mbps]
Industry Average Comparisons
Application Control / URL Filtering
[Chart: % Protocol/App Combinations Blocked per product: ProxySG 300-5, SWG-12600, Web Security Gateway. Industry average: 73.3 %]