Advanced Firewalls Progress Report

Post on 01-Nov-2014


This is the deck for a speech at the AITP St. Louis chapter in March 2014 about next generation firewalls and using advanced persistent threat tools.

Transcript of Advanced Firewalls Progress Report

1

Next Generation Firewalls: Ready or Not

David Strom

AITP St. Louis March 2014

david@strom.com

2

Who am I?

• Long time tech journalist, product reviewer and speaker
• IT manager from the dawn of the PC era
• Former editor-in-chief at Network Computing, Tom’s Hardware.com
• Author of two books on computer networking
• Based here

3

Agenda

• Next Gen distinguishing characteristics
• Issues with next gen deployment
• UTM pro and con
• Advanced persistent threat tools

4

The older firewall generation

5

Cisco ASA: what it used to be like

6

Next Gen distinguishing characteristics

• Applications granularity and awareness
• Integrated IPS
• IP Reputation management
• Geolocation

7

8

Cisco ASA applications granularity

9

New Cisco ASA Dashboard

10

And another Cisco view

11

Palo Alto Networks “Applipedia”

12

13

Reputation management

14

15

McAfee Enterprise Firewall geo-location feature

16

Deployment issues

• Next gen does things differently from old school:
  – NAT
  – QoS
  – Outbound vs. inbound rule focus

17

18

Understanding app ID implications for users

19

One obstacle to switching to next-gen

20

Network documentation isn’t current

21

Handling VMs still an issue

22

Lots of VM security products…

23

Catbird’s compliance radar graph

24

25

Infrastructure misuse

26

What about UTMs?

• Pro:
  – A lot of protection for the $ nowadays (Juniper/Check Point)
  – One box does it all
• Con:
  – Complex licensing issues
  – Can get expensive if you have high bandwidth needs
  – Latency can kill you if you turn on Anti-Virus

27

Juniper SRX dashboard

28

SonicWall

29

30

Watchguard UTM

31

APT tools

• Try to catch the bad guys before they actually deploy their payloads, with tools such as those from Norse Corp. (local boys) and Cyphort

32

33

For more info

• david@strom.com
• Twitter: @dstrom
• http://strominator.com
• TechTarget article: http://bit.ly/1dISmx4
• Network World review of UTMs: http://bit.ly/1fJtmHE