Check Point Whitepaper
Securing Web 2.0
More Security, Lower TCO

The Problem

The rules of the game have changed. Internet applications were once considered a pastime activity: a means to see pictures from our friends' latest trips and to watch funny movies. Internet applications have now become essential business tools in the modern enterprise. We communicate with colleagues, customers and partners, we share information with others, and we get the latest news, opinions and views. Internet-based tools such as Facebook, Twitter, Webex, LinkedIn, and YouTube, to name a few, are becoming more and more prevalent in enterprises that acknowledge them as business enablers.

However, these Internet tools also introduce new risks to the environment. A number of useful Internet applications have been converted to be used as attack tools against organizations. Applications such as Anonymizers, Peer-to-Peer File Sharing sites, Remote Administrative Tools, File Storage, File Sharing and Social Media have been used by attackers to exploit organizations.

Anonymizers

Some applications such as Tor or UltraSurf can be used to bypass security policies. Policies are essentially built around users' IP addresses. By using anonymizers/proxy services, the user appears to come from a different IP address, and the policy may not be enforced for that user with that new IP address. In some cases, anonymizers can be used to hide criminal activity.

There's a myriad of platforms and applications that could be used for personal or business reasons. Each organization needs to be aware of what users are using, and for what purposes, and then define its own Internet policy. The question has become: how can we harness the power of Web 2.0 without compromising security?

How Do You Enable Web 2.0 Protection?

Block Dangerous Applications

First, you need to control applications running in your environment. Check Point offers the largest application library in the industry with over 4,700 apps and 240K widgets.
The fact that we identify so many apps does not mean you need to control each and every one of them. Apps are grouped in over 130 different groups, by their type, security implications and risk level. We currently identify over 300 peer-to-peer applications and over 80 anonymizers. The AppWiki is constantly updated with new applications as they are introduced to the market, so you are always kept up to date. As the policy is defined at the category level, you don't have to worry about new apps or apps you personally do not recognize. These apps are added to the category automatically, and policy is enforced via the rules of the category set up by the administrator.

Application Control enables control of Internet traffic that may not be URL-based, for example a client application such as Skype. It also enables control of applications that require granularity beyond the URL level, for example Facebook chat. But organizations still need visibility and control of access to the more traditional, URL-based aspect of the Web: websites. Check Point combines URL Filtering to control access to websites, and Application Control to control use of applications.

However, some items you may want blocked do not fall nicely into the buckets of URL Filtering or Application Control. In the case of Anonymizers, do you really mind if it's a website, web app or client app that is used to bypass your company's policy? You simply want it blocked. Similarly, if we want to confirm business use for media streams, we'd like to have the same confirmation message whether it's a website, web app or client app.

Organizations need unified control and enforcement for all aspects of the Web. Check Point is the only vendor to offer true unified control of all aspects of the Web: access to site categories, specific sites, application groups and specific applications are managed in the same manner and in the same policy. Some categories include both applications and sites, so you don't have to worry whether something should be managed as a URL or an application.

Peer-to-Peer File Sharing

Peer-to-Peer (P2P) applications such as BitTorrent or Kazaa are used to share files between users. P2P is increasingly favored by attackers to spread malware, because the files that are shared could be malicious. P2P applications essentially open a backdoor to your network. They allow users to share folders through the P2P network, which could leak sensitive data. Or your organization could be liable for users acquiring media illegally through a P2P network.

Enable Social Media for Business

Many organizations confess to blocking Facebook, but Facebook is an essential business tool in many businesses. Companies often publish information about upcoming webinars, events, information about latest releases and products, and links to interesting articles and videos. Let's see how we can enable use of Social Media in the organization while not compromising on security.

Check Point's Application Control can granularly control features and widgets within apps and platforms. For example, we can allow Facebook while blocking the less business-relevant parts of it, such as chat. However, different users in the organization have different needs, and our security policy has to support the business, not stop it. For example, sales may use FB to stay in touch with customers and partners, whereas IT may use FB to get the latest industry news. So how can we make sure users get the access they need? Is it practical to ask the security manager to know what each user or group should or shouldn't be accessing?

A practical solution needs to educate and engage end-users. And that's where Check Point UserCheck comes in. If a user goes to a questionable site or starts a questionable application, UserCheck simply asks the user to justify the business case for doing so. The user writes a reason, and the response is logged. In the same moment, the user is educated on business use policy, and knows they are being audited for use of company resources.

Understanding is a critical component of Web Control

Administrators must have an overall view of web security events to ensure web control. Check Point offers 360-degree visibility into all Web Security events, starting with a graphical overview and a timeline of events, and continuing with a list of events that can be filtered, grouped and sorted by user, application, category, risk level, bandwidth usage, time and more. Start with a list of events, then drill down to see full details of events, including more information on the site, application or the user. Offline reports can be generated to show the top categories, apps, sites and users to allow trend and capacity planning.

Save Money

It sounds like all this will cost a fortune. And why should you look at Check Point when you may already have a solution in place? With the new standalone Check Point Secure Web Gateway Appliance you get Web Control, AV, Analysis and Reporting in one easy package, and a better Total Cost of Ownership than legacy solutions that may be installed in your network.

Remote Administration Tools

Remote admin tools could be legitimate tools when used by admins and helpdesk. However, several attacks over the past year (RSA, Nitro, ShadyRAT, Op. Aurora) have used an off-the-shelf Remote Access Tool (RAT) called PoisonIvy. These attacks used PoisonIvy to remotely control the infected machine to further infiltrate the network, log keystrokes, or steal confidential information.

Let's take as an example an organization of 1,000 users. A competitive solution (subscription per user: $98.40) will cost it over $100K (for simplicity we've excluded additional costs such as database and additional servers). The Check Point solution, including hardware and services for 3 years, will cost 60% less. Check Point's Web Control enables secure use of Web 2.0 at a fraction of your current costs.

Below are a few examples of the cost savings you can get with the Check Point Secure Web Gateway Appliance at list price versus typical configurations of Websense and BlueCoat. The comparison looks at Total Cost of Ownership over a 3-year period.

Check Point Secure Web Gateway vs. Websense

                         (< 250)    (< 500)    Medium (< 1,000)   Large (< 5,000)   X-Large (< 10,000)
Check Point 3 Year TCO   $17,600    $24,600    $44,200            $76,800           $96,900
Websense 3 Year TCO      $31,345    $57,600    $104,400           $448,000          $832,000
You Save                 44%        57%        58%                83%               88%

Check Point Secure Web Gateway vs. BlueCoat

                         (< 250)    (< 500)    Medium (< 1,000)   Large (< 5,000)   X-Large (< 10,000)
Check Point 3 Year TCO   $17,600    $24,600    $44,200            $76,800           $96,900
BlueCoat 3 Year TCO      $26,220    $43,830    $66,850            $195,500          $400,600
You Save                 33%        44%        34%                61%               76%

Other things to consider when making your decision

Unified Control

Neither BlueCoat nor Websense has unified control of both applications and sites. Applications and sites need to be managed separately. For example, if you want to block peer-to-peer applications, you need to block the site category for P2P and then the appropriate applications, separately. In Check Point's solution this is managed in the same rulebase, in the same rule, with the same category. This makes managing Web 2.0 practical.

End-user engagement

BlueCoat and Websense offer some very limited customization of a block message. There is no way of gaining information from the end user and no ability to define different types of engagements for different categories. Check Point's UserCheck is very intuitive to define, fully customizable, and provides an effective way to educate and interact with end-users.

File Storage, File Sharing, Social Media

One of the greatest characteristics of Web 2.0 is the ability to generate content and share it with others. There is also a risk there. Sensitive information can get into the wrong hands through storing confidential financial files, or inadvertently posting sensitive project information on Facebook. These acts could harm the reputation of an organization, cause loss of competitive advantage or create financial loss.

Application Control

Check Point offers the largest application coverage and deepest granularity. With over 4,700 different applications in over 130 categories, Check Point towers above BlueCoat's and Websense's application awareness capabilities, which are very limited and lack the expertise to identify application signatures.

Anti-malware

BlueCoat requires an additional appliance to perform anti-virus (ProxyAV). This is a significant additional cost to you. While Websense has anti-malware capabilities, they do not include the advanced bot identification and damage prevention that the Check Point solution offers.

Summary

The rules of the game have changed. Securing Web 2.0 is no longer as simple as blocking an inappropriate URL. It is not just stopping an application from running. Securing Web 2.0 takes an integrated approach of URL filtering, application control, malware protection, bot protection, user awareness, user education and a way of having all web control visible to the administrator. Check Point Secure Web Gateway offers all this at a much more attractive cost than you are used to paying.

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. (www.checkpoint.com), worldwide leader in securing the Internet, is the only vendor to deliver Total Security for networks, data and endpoints, unified under a single management framework. Check Point provides customers uncompromised protection against all types of threats, reduces security complexity and lowers total cost of ownership. Check Point first pioneered the industry with FireWall-1 and its patented Stateful Inspection technology. Today, Check Point continues to innovate with the development of the software blade architecture. The dynamic software blade architecture delivers secure, flexible and simple solutions that can be fully customized to meet the exact security needs of any organization or environment. Check Point customers include tens of thousands of businesses and organizations of all sizes, including all Fortune 100 companies. Check Point award-winning ZoneAlarm solutions protect millions of consumers from hackers, spyware and identity theft.

CHECK POINT OFFICES

Worldwide Headquarters
5 Ha Solelim Street
Tel Aviv 67897, Israel
Tel: 972-3-753 4555
Fax: 972-3-624-1100
email: info@checkpoint.com

U.S. Headquarters
800 Bridge Parkway
Redwood City, CA 94065
Tel: 800-429-4391 ; 650-628-2000
Fax: 650-654-4233
URL: http://www.checkpoint.com

© 2003-2012 Check Point Software Technologies Ltd. All rights reserved.
September 6, 2012