Next-Generation Firewalls: Results from the Lab
Robert Smithers, CEO, Miercom
Agenda
- Participating Vendors and Products
- How We Did It
- Categories of Products Tested
- About the Technology: Secure Web Gateway, Next-Generation Firewall, Unified Threat Management, Sandbox, Spam Filtering
- Three High Risk Event Results: CryptoLocker, Outbound Botnet, Worm and Trojans
- Industry Average Comparisons: Layer 3 Firewall Throughput; Malicious Files Legacy; Malicious URLs: Blended Malicious Threats; Malicious Files Wild; Malicious URLs Wild: Malc0de; Layer 7 Firewall Throughput Max; Layer 7 Firewall Throughput Mixed; Application Control
Participating Vendors and Products
- Blue Coat ProxySG 300-5
- Check Point 4210 NGFW
- Check Point SWG-12600
- Cisco ASA 5545-X with CX Module
- Cisco ISA550W
- Cyberoam CR100iNG
- Dell SonicWALL NSA 2600
- Dell SonicWALL TZ 105 (Cloud)
- Dell SonicWALL TZ 105 (Appliance)
- FireEye Malware Protection System 1310
- Fortinet FortiGate 20-C
- Fortinet FortiGate 100-D
- Fortinet FortiGate 800-C
- Juniper SRX650 Services Gateway
- Palo Alto PA-3020
- Sophos SG 210
- Sophos SG 230
- Sophos UTM 220
- WatchGuard XTM 525
- Websense Web Security Gateway
How We Did It
Test equipment included:
- Ixia XG12 and BreakingPoint FireStorm (traffic and attack generation)
- Spirent Studio Security
- Apposite Linktropy 7500 PRO (WAN emulation)
- WildPackets OmniPeek for Windows (packet capture and analysis)
- Windows 7 and Windows XP clients/endpoints
- Monitoring tools
Categories of Products Tested
- Secure Web Gateway
- Next-Generation Firewall
- Unified Threat Management
- Sandbox
- Spam Filtering
Secure Web Gateway (SWG)
- Edge security platform against Web-borne threats that enter the enterprise network via Internet browsing; enforces the organization's policies for Internet usage and regulatory compliance
- Essential functionality: URL filtering, malicious code detection/filtering and application control
- Products with real-time, cloud-based content analysis tend to outperform those that only look up URLs and/or threat signatures in a static database

Secure Web Gateway (SWG)
- Class of product for organizations of all sizes: SMB and enterprise
- SMB: protects against basic threats, easy to implement/manage
- Enterprise: protection extended to advanced and targeted threats, requires more skill and resources to implement/manage
- On-premises appliance most popular, with software, virtual, cloud (SWG as a Service) and on-premises/cloud hybrid versions also available
Next-Generation Firewall (NGFW)
- Evolutionary type of network edge security device
- Combines the functionality of a basic firewall with enhancements such as deep traffic inspection and application awareness
- Traffic inspection enables detection and blocking of malicious activity
- Application awareness enables identification of attacks directed at the network as well as enforcement of the organization's Internet usage and regulatory compliance policies

Next-Generation Firewall (NGFW)
- Available for organizations of all sizes
- Can be deployed as appliance, virtual appliance or software-based solution
- Inline "bump in the wire" deployment: every inspection feature enabled adds per-packet processing, so enabling functionality does reduce network performance (compare the Layer 3, Layer 7 and Firewall + IPS throughput figures in the comparisons that follow)
- The next-generation firewall has arguably sent the basic firewall the way of video cassette recorders and VHS tapes, into obsolescence
Unified Threat Management (UTM)
- Like the Next-Generation Firewall, an evolutionary class of network edge security platform
- Combines the firewall and VPN of a basic firewall with the Intrusion Prevention System also found in Next-Generation Firewalls, the URL filtering and antivirus also found in Secure Web Gateways, and the anti-spam and mail antivirus also found in Spam Filtering products
- Primarily aimed at small and mid-sized businesses

Unified Threat Management (UTM)
- Available as appliance, virtual appliance, software and cloud-based
- Network administrator must find a balance between security and network performance
- Each packet is examined by every security function enabled, adding latency and reducing throughput
Sandbox
- Security technique for protecting the enterprise network from malware by running applications and visiting websites in a controlled environment
- FireEye leads the market, with competitors including AhnLab, Blue Coat, Check Point, Damballa, McAfee, Palo Alto Networks and Sourcefire (acquired by Cisco in October 2013)
- A sandbox appliance or cloud-based service is one part of a multi-layered security system

Sandbox
- Botnets, zero-day attacks and corporate espionage are among the factors that fueled the advent of the sandbox; virtualization has made sandboxing practical
- A small percentage of malware has built-in capability to try to defeat the sandbox:
- It checks the environment to determine whether it is running in a sandbox (and stays dormant if so)
- It tries to be passed through by timing out the sandbox: stalling by sleeping or performing meaningless calculations until the analysis window expires
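The two evasion behaviours above are also what a sandbox's own trace analysis has to look for. The block below is an added example, not Miercom's test code or any vendor's detection logic: it scores an API-call trace of the kind a sandbox records for cumulative requested sleep, long silent gaps with no API activity (busy-loop stalling) and environment fingerprinting. The thresholds, the list of "probe" APIs and both traces are constructed assumptions for the illustration.

```python
# Added example (not Miercom's or any vendor's code): scoring a sandbox API-call trace
# for time-out and environment-check evasion. Thresholds and PROBE_APIS are assumptions.
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
PROBE_APIS = {"GetSystemInfo", "GlobalMemoryStatusEx", "GetAdaptersAddresses",
              "IsDebuggerPresent", "GetTickCount", "NtQuerySystemInformation"}
STALL_SLEEP_MS = 5 * 60 * 1000   # requested sleep longer than a typical analysis window
SILENT_GAP_S = 60.0              # no API calls for this long, not explained by a sleep
MIN_PROBES = 2                   # distinct probe APIs before we call it fingerprinting


def evasion_indicators(trace):
    """trace: list of (t_seconds, api_name, args) in call order, as a sandbox logs it.

    Returns three boolean indicators plus the measurements behind them:
      stalling_sleep      - total requested sleep reaches STALL_SLEEP_MS
      busy_loop           - a gap >= SILENT_GAP_S between calls that no sleep accounts for
      environment_probing - at least MIN_PROBES distinct probe APIs were called
    """
    total_sleep_ms = 0
    probes = set()
    longest_silent_gap = 0.0
    prev_t, prev_api = None, None
    for t, api, args in trace:
        if api in SLEEP_APIS:
            total_sleep_ms += int(args.get("milliseconds", 0))
        elif api in PROBE_APIS:
            probes.add(api)
        # A gap right after a sleep call is the sleep itself; any other gap is the
        # sample doing something that never touches the OS, i.e. spinning.
        if prev_t is not None and prev_api not in SLEEP_APIS:
            longest_silent_gap = max(longest_silent_gap, t - prev_t)
        prev_t, prev_api = t, api
    return {
        "stalling_sleep": total_sleep_ms >= STALL_SLEEP_MS,
        "busy_loop": longest_silent_gap >= SILENT_GAP_S,
        "environment_probing": len(probes) >= MIN_PROBES,
        "total_sleep_ms": total_sleep_ms,
        "longest_silent_gap_s": longest_silent_gap,
        "probe_apis": sorted(probes),
    }


# Constructed traces, not from any real sample. Timestamps are the sandbox's wall clock.
# In EVASIVE_TRACE the sandbox fast-forwarded the 10-minute Sleep (so the next call follows
# almost at once); the sample then spins for ~95 s without calling any API.
EVASIVE_TRACE = [
    (0.00, "GetSystemInfo", {}),
    (0.05, "GlobalMemoryStatusEx", {}),
    (0.10, "Sleep", {"milliseconds": 600_000}),
    (0.20, "GetTickCount", {}),
    (95.3, "CreateFileW", {"path": r"C:\Users\Public\a.dat"}),
    (95.4, "WriteFile", {"bytes": 4096}),
]
BENIGN_TRACE = [
    (0.0, "CreateFileW", {"path": r"C:\Users\Public\readme.txt"}),
    (0.4, "ReadFile", {"bytes": 512}),
    (0.5, "Sleep", {"milliseconds": 100}),
    (0.7, "WriteFile", {"bytes": 512}),
]

if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, evasion_indicators(trace))
```

Fast-forwarding sleeps is what makes the first indicator useful: if the sandbox honoured a ten-minute Sleep the sample would simply outlast the analysis window, so the requested duration, not the elapsed one, is the signal.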
Spam Filtering
- Class of network security device that safeguards against unwanted inbound and outbound email (spam)
- Inbound: protects networked computers against dangerous forms of spam such as phishing attempts and emails containing viruses
- Outbound: prevents networked computers that have been compromised and used as zombies in a botnet from sending spam out of the organization

Spam Filtering
- Spam is no small problem: an estimated 50-60% of enterprise email
- Key functionality: protection against inbound, targeted phishing attacks
- Functionality growing in importance: ability to re-evaluate the URL link(s) in an email at the time the end user clicks, not only at delivery
- Available as appliance, software or managed service
- Based on the Gartner 2013 Magic Quadrant, product leaders are Cisco, Proofpoint, Symantec, Microsoft and McAfee
Three High Risk Event Results
Specific high risk events:
- CryptoLocker
- Outbound Botnet
- Worm/Trojan
CryptoLocker
- Ransomware trojan
- Encrypts specific types of files (documents, images and other user data) using RSA public-key cryptography: the file contents are encrypted under keys that only the attacker's RSA private key, which never leaves the attacker's server, can recover
- Displays a message offering to decrypt the data if payment is made
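On an endpoint, the CryptoLocker behaviour above leaves a recognisable write pattern: one process rewrites many user-data files in quick succession, and the new contents look like ciphertext (near 8 bits of entropy per byte). The block below is an added example, not part of Miercom's methodology or any product's detection logic, that flags that pattern over constructed file-write events; the extension list, thresholds and sample events are assumptions for the illustration.

```python
# Added example (not Miercom's or any vendor's code): flag processes that rewrite
# several targeted user files with high-entropy contents in a short window.
import hashlib
import math
from collections import defaultdict
from pathlib import PureWindowsPath

TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".dwg"}  # assumed list
HIGH_ENTROPY_BITS = 7.5   # bits/byte; text and office formats sit well below this
MIN_SUSPECT_FILES = 3     # distinct targeted files rewritten before a pid is flagged
WINDOW_SECONDS = 60


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_targeted(path: str) -> bool:
    return PureWindowsPath(path).suffix.lower() in TARGET_EXTENSIONS


def find_encrypting_processes(events):
    """events: iterable of (timestamp_s, pid, path, new_contents).
    Returns the set of pids that rewrote MIN_SUSPECT_FILES or more distinct targeted
    files with ciphertext-like contents inside any WINDOW_SECONDS window."""
    per_pid = defaultdict(list)  # pid -> [(t, path)] of suspicious writes
    for t, pid, path, data in sorted(events, key=lambda e: e[0]):
        if is_targeted(path) and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            per_pid[pid].append((t, path))
    flagged = set()
    for pid, hits in per_pid.items():
        for i, (t0, _) in enumerate(hits):
            in_window = {p for t, p in hits[i:] if t - t0 <= WINDOW_SECONDS}
            if len(in_window) >= MIN_SUSPECT_FILES:
                flagged.add(pid)
                break
    return flagged


def pseudo_ciphertext(seed: str, length: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file contents
    (a SHA-256 chain, constructed so the example runs offline and repeatably)."""
    out, block = bytearray(), seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


# Constructed sample: pid 4242 rewrites four documents with ciphertext-like data within
# 20 s; pid 1000 saves one plain-text report and one legitimately random non-document file.
SAMPLE_EVENTS = [
    (0,  4242, r"C:\Users\alice\Documents\budget.xlsx", pseudo_ciphertext("a")),
    (5,  4242, r"C:\Users\alice\Documents\notes.docx",  pseudo_ciphertext("b")),
    (12, 4242, r"C:\Users\alice\Pictures\holiday.jpg",  pseudo_ciphertext("c")),
    (20, 4242, r"C:\Users\alice\Documents\plan.pdf",    pseudo_ciphertext("d")),
    (3,  1000, r"C:\Users\alice\Documents\report.docx", b"Quarterly report. " * 200),
    (9,  1000, r"C:\Users\alice\keys\session.bin",      pseudo_ciphertext("e")),
]

if __name__ == "__main__":
    print("ransomware-like writers:", find_encrypting_processes(SAMPLE_EVENTS))
```

Entropy alone is a weak signal (compressed archives and genuine key material are also high-entropy, which is why `session.bin` is not flagged); the combination of targeted extensions, burst rate and a single writing process is what makes it usable.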
Outbound Botnet
- A botnet is a network of compromised computers under the control of a third party whose purpose is to invade the network
- Bots remain inactive until they get orders from their command-and-control hosts
- Designed to steal the most valuable information on a network
- Outbound botnet defense protects corporate data from leaving the network by blocking the bots' outbound command-and-control check-ins and data exfiltration
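Because a bot sits idle and polls its command-and-control host at a fixed interval, much of outbound botnet detection at the edge is spotting that periodicity in flow records. The block below is an added example, not Miercom's test traffic or a product's logic: it scans constructed flow records for source/destination pairs whose connections recur at a near-constant interval. The jitter threshold, minimum connection count and the flow records themselves are assumptions.

```python
# Added example (not Miercom's or any vendor's code): find periodic outbound
# connections ("beaconing") in flow records. Thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 6   # fewer samples make the interval statistic meaningless
MAX_JITTER = 0.15     # coefficient of variation of inter-arrival times


def beacon_candidates(flows, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """flows: iterable of (timestamp_s, src_ip, dst_ip, dst_port).
    Returns {(src, dst, port): (count, mean_interval_s, jitter)} for pairs whose
    connections recur at near-constant intervals, the check-in pattern of a bot
    polling its command-and-control host."""
    times = defaultdict(list)
    for t, src, dst, port in flows:
        times[(src, dst, port)].append(t)
    found = {}
    for key, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        jitter = pstdev(gaps) / mu   # relative spread of the inter-arrival times
        if jitter <= max_jitter:
            found[key] = (len(ts), mu, jitter)
    return found


# Constructed flow records using documentation-range addresses. 10.0.0.7 checks in
# with 203.0.113.5:443 every ~300 s with a few seconds of jitter; 10.0.0.9 browses
# 198.51.100.20 at irregular, human-looking intervals.
SAMPLE_FLOWS = (
    [(300 * i + d, "10.0.0.7", "203.0.113.5", 443)
     for i, d in enumerate([0, 4, -3, 2, 0, 5, -2, 1])]
    + [(t, "10.0.0.9", "198.51.100.20", 443)
       for t in (10, 15, 200, 210, 900, 905, 1700, 1710)]
)

if __name__ == "__main__":
    for key, (count, mu, jitter) in beacon_candidates(SAMPLE_FLOWS).items():
        print(f"{key}: {count} connections, every {mu:.0f} s, jitter {jitter:.3f}")
```

In production the same check runs per (src, dst) over a sliding window and is paired with a destination reputation lookup; bots that randomise their sleep interval heavily will slip under a fixed jitter threshold, which is why the comparisons later in this deck test blocking of the malicious destinations themselves as well.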
Worms
- Computer worms are a type of malware that replicates functional copies of itself to cause damage to data or software
- No host program or human help is needed for them to propagate
- A worm enters a computer through a system vulnerability and uses a file- or information-transport feature to travel independently

Trojans
- A Trojan is another type of malware that appears as legitimate software
- Users are tricked into loading and executing it
- Trojans can carry out a variety of attacks on the host, from distractions (pop-up windows) to major damage (deleting files, activating and spreading other malware)
- Can also create back doors to give malevolent users access to the system
Industry Average Comparisons
- Layer 3 Firewall Throughput
- Malicious Files Legacy
- Malicious URLs: Blended Malicious Threats
- Malicious Files Wild
- Malicious URLs Wild: Malc0de
- Layer 7 Firewall Throughput Max
- Layer 7 Firewall Throughput Mixed
- Application Control
- HTTP Proxy Throughput
- Firewall + IPS Throughput
- Application Control / URL Filtering
Industry Average Comparisons: Layer 3 Firewall Throughput
[Bar chart: Layer 3 firewall throughput (Mbps) for CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220 and XTM 525. Industry average: 2,057.3 Mbps. Bar values as extracted, bar-to-product mapping not recoverable from the text: 2029, 2678, 1884, 1886, 1322.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Malicious Files Legacy
[Bar chart: percentage of legacy malicious files blocked by SWG-12600, Malware Protection System 1310 and Web Security Gateway. Industry average: 39.3% (the chart labels the average in "Mbps"; the axis is a block rate in percent). Bar values as extracted, bar-to-product mapping not recoverable from the text: 81.8, 74.2, 1.1.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Malicious URLs: Blended Malicious Threats
[Bar chart: percentage of blended-threat malicious URLs blocked by 4210 NGFW, ASA 5545-X with CX Module, Malware Protection System 1310, FortiGate 800-C, SRX650 Services Gateway, PA-3020 and Web Security Gateway. Industry average: 25.1% (labelled "Mbps" on the chart; the axis is a block rate in percent). Bar values as extracted, bar-to-product mapping not recoverable from the text: 16.7, 37.6, 32.1, 6.3, 4.8, 4.8, 71.4.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Malicious Files Wild
[Bar chart: percentage of in-the-wild malicious files blocked. Industry average: 73.5% (labelled "Mbps" on the chart; the axis is a block rate in percent). Product labels did not survive extraction; bar values as extracted: 83.8, 93.0, 90.3, 47.5, 50.0, 34.0, 4.2, 82.0, 62.0, 9.5, 30.3, 97.5.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Malicious URLs Wild: Malc0de
[Bar chart: percentage of in-the-wild malicious URLs (Malc0de feed) blocked by 4210 NGFW, ASA 5545-X with CX Module, Malware Protection System 1310, FortiGate 800-C, SRX650 Services Gateway, PA-3020 and Web Security Gateway. Industry average: 41.6% (labelled "Mbps" on the chart; the axis is a block rate in percent). Bar values as extracted, bar-to-product mapping not recoverable from the text: 47.5, 83.8, 82.0, 4.2, 9.5, 30.3, 97.5.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Layer 7 Firewall Throughput Max
[Bar chart: maximum Layer 7 firewall throughput (Mbps) for FortiGate 100-D, UTM 220, SG 210, SG 230, CR100iNG, SonicWALL NSA 2600 and XTM 525. Industry average: 2,158 Mbps. Bar values as extracted, bar-to-product mapping not recoverable from the text: 2260, 2310, 1400, 1078, 3240, 3225, 1590.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Layer 7 Firewall Throughput Mixed
[Bar chart: Layer 7 firewall throughput (Mbps) with mixed traffic for CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, SG 210, SG 230 and XTM 525. Industry average: 1,987 Mbps. Bar values as extracted, bar-to-product mapping not recoverable from the text: 2170, 2145, 1072, 1020, 3100, 3280, 1120.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Application Control
[Bar chart: application control throughput (Mbps) for CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, SG 210, SG 230 and XTM 525. Industry average: 1,345 Mbps. Bar values as extracted, bar-to-product mapping not recoverable from the text: 2090, 132, 3300, 2650, 1130, 403, 442.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: HTTP Proxy Throughput
[Bar chart: firewall and AV (proxy) throughput (Mbps) for CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, SG 210, SG 230 and XTM 525. Industry average: 380 Mbps. Bar values as extracted, bar-to-product mapping not recoverable from the text: 163, N/A, 237, 212, 585, 704, N/A (two products have no proxy mode and are marked N/A).]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Firewall + IPS Throughput
[Bar chart: firewall and IPS throughput (Mbps) for FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525, CR100iNG and SonicWALL NSA 2600. Industry average: 330 Mbps. Bar values as extracted, bar-to-product mapping not recoverable from the text: 163, 132, 420, 190, 504, 658, 475.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Application Control / URL Filtering
[Bar chart: percentage of protocol/application combinations blocked by ProxySG 300-5, SWG-12600 and Web Security Gateway. Industry average: 73.33%. Bar values as extracted, bar-to-product mapping not recoverable from the text: 56.9, 97.1, 65.9.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
For more information, contact reviews@miercom.com. Request our detailed report on UTM and NGFW appliances.