NGFW overview

Posted on 19-May-2015

Transcript of NGFW overview

Dell SonicWALL Next Generation Firewall Workshop

2 SonicWALL Confidential

Dell SonicWALL’s legacy

Timeline: 1991, 1996, 2005, 2007, 2010, 2011, 2012

Milestones shown on the timeline:
• Became leading provider of subscription services on optimized appliances
• Became the leader in unit share for Unified Threat Management firewall appliances
• Shipped one million appliances worldwide
• Named to Visionaries Quadrant, Gartner Magic Quadrant for
• Thoma Bravo and SonicWALL entered into a partnership
• Positioned as “Leader” in Gartner UTM Magic Quadrant
• Positioned as “Visionary” in Gartner SSL VPN Magic Quadrant
• Announced SuperMassive™ E10000 Series
• SNWL earns NSS Labs Recommended rating for NGFW SVM
• Shipped two million appliances worldwide
• 5/9: Joined the Dell family

Magic Quadrant for Unified Threat Management: Dell SonicWALL in Leaders Quadrant. By John Pescatore, Greg Young

Figure: Gartner Magic Quadrant for UTM as of March 5, 2012 (quadrants: challengers, leaders, niche players, visionaries; axes: ability to execute vs. completeness of vision). Vendors plotted: Dell SonicWALL, Check Point Software Technologies, WatchGuard, Sophos (Astaro), Cyberoam, Cisco, Juniper Networks, gateProtect, Clavister, Kerio Technologies.

Dell Vendor Profile (excerpted from the Magic Quadrant)

Strengths
• Dell has strong global partner and MSSP support.
• Dell SonicWALL is well-known in the UTM space and appears frequently on Gartner client short lists.
• The graphical elements of SonicWALL's management interface are consistently highly rated.
• SonicWALL's release of new features has kept up with midmarket needs, and has been matched by usability enhancements.

Cautions
• SonicWALL's push into the high end with SuperMassive may divert resources and focus from the UTM market.
• SonicWALL does not offer a virtual appliance for the UTM space.

2013 The NSS Security Value Map


Dell Connected Security

• 38B security events analyzed
• 1m devices WW reporting on 40m
• 638B intrusions prevented in 2011
• $14 trillion in assets protected
• 40,000 new malware samples analyzed every day
• 4.2B malware attacks blocked in
• Data encrypted and protected on 7m devices

Contributing Dell businesses: Dell SonicWALL, Dell SecureWorks, Dell Credant, Dell KACE, Dell Quest.

Dell is firmly committed to providing end-to-end IT solutions that enable customers to grow and thrive. This includes continuous protection of customers' data, applications, systems and networks.

Dell SonicWALL product portfolio

Portfolio areas: Network security, Secure remote access, Email security, Policy & management.

Products and services listed on the slide:
• Clean wireless: SonicPoint-N Series
• WAN acceleration
• Application Intelligence and Control
• GAV / Anti-Spyware / Intrusion Prevention
• Anti-Spam Service
• Enforced Client Anti-Virus
• Content Filtering Service
• Secure Virtual Assist for Network Security
• Mobile Connect
• End Point Control
• Spike License Pack
• Advanced Reporting
• Native Access Module
• Secure Virtual Assist
• Secure Virtual Access
• Secure Virtual Meeting
• Web Application Firewall
• Email Protection
• Email Anti-Virus
• Global Management System
• Analyzer
• Scrutinizer

Dell SonicWALL Next-Gen Firewalls

• SuperMassive E10000 & 9000 Series: data centers, ISPs
• E-Class NSA Series: medium to large organizations
• NSA Series: branch offices and medium-sized organizations
• TZ Series: small and remote offices

Models shown: NSA E8510, NSA E8500, NSA E6500, NSA E5500; NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2400, NSA 250M, NSA 220; TZ 215, TZ 205, TZ 105; SuperMassive 9600, 9400, 9200.

Dell SonicWALL Next Generation Firewalls

• SuperMassive Series (Enterprise, Data Center): SuperMassive E10800, SuperMassive E10400, SuperMassive 9600, SuperMassive 9400, SuperMassive 9200
• NSA Series: NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600, NSA 220/250M
• TZ Series: TZ 215/W, TZ 205/W, TZ 105/W

E-Class Series Certifications

• FIPS 140-2
• Common Criteria EAL4+
• ICSA Firewall, ICSA Enterprise Firewall (IPv6, High Availability, VoIP)
• IPv6 Phase 1
• IPv6 Phase 2
• NSS Recommended NGFW (E10800, based on the same security engine)

Dell SonicWALL Next Generation Firewall Architecture: Scan Everything – every bit, every protocol, every user & application

NGFW Orientation – SPI vs. DPI: Stateful Packet Inspection

NGFW Orientation – SPI vs. DPI: Deep Packet Inspection

Next Generation Firewall Technology

1. Stateful Packet Inspection
2. Intrusion Prevention – the front-line network defense against application attacks
3. Application Identification & Visualization – can’t control what you can’t see
4. User Identification through Single Sign On (SSO) – correlate network traffic with users
5. Application Control – granular control (allow Facebook, block social gaming)
6. SSL Decryption – don’t allow threats to tunnel through encrypted channels
7. Threat Prevention – Anti-X (Virus/Trojan/Malware)

Application Intelligence, Control and Visualization

Application chaos: so many applications on port 80.
• Critical apps: prioritized bandwidth
• Acceptable apps: managed bandwidth
• Unacceptable apps: blocked

Identify
• By application, not by port & protocol
• By user/group, not by IP
• By content inspection, not by filename

Categorize
• By application
• By application category
• By destination
• By content
• By user/group

Control
• Prioritize apps by policy
• Manage apps by policy
• Block apps by policy
• Detect and block malware
• Detect & prevent intrusion attempts

Visualize & manage policy; cloud-based extra-firewall intelligence; malware blocked.

Massively scalable next-generation security platform: high performance, multi-core, re-assembly free.

Application intelligence, control and visualization process: Identify, Categorize, Control, Visualize.
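The "identify by application, not by port" point above, as an added example that is not SonicWALL code: a classifier that labels a stream seen on port 80 from its first payload bytes (TLS ClientHello, BitTorrent handshake, SSH banner, or HTTP refined by Host header). The byte samples and the two-entry host-to-app table are constructed for this illustration.

```python
# Added example, not SonicWALL code: classify a TCP stream seen on port 80 by
# its payload signature instead of by the port number. The byte samples and the
# small host-to-app table are constructed for this illustration.
import re
from typing import Dict

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Constructed stand-in for an application library: host suffix -> application name.
APP_BY_HOST = {"facebook.com": "facebook", "farmville.com": "farmville"}


def identify_application(payload: bytes) -> str:
    """Return an application label from the first bytes a client sends."""
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04, then ClientHello (0x01).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls-client-hello"
    # BitTorrent peer-wire handshake: length byte 19 followed by "BitTorrent protocol".
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # SSH version banner is occasionally tunnelled over web ports.
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        # Plain HTTP: refine by the Host header so policy can name the app, not just "web".
        m = re.search(rb"\r\nhost:[ \t]*([^\r\n]+)", payload, re.IGNORECASE)
        if m:
            host = m.group(1).strip().lower().decode("ascii", "replace")
            for suffix, app in APP_BY_HOST.items():
                if host == suffix or host.endswith("." + suffix):
                    return "http:" + app
        return "http"
    return "unknown"


def classify_flows(flows: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every flow in a {flow_id: first_payload} map."""
    return {flow_id: identify_application(first) for flow_id, first in flows.items()}


# Constructed samples, all observed on "port 80" in this scenario.
SAMPLE_FLOWS = {
    "flow-a": b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "flow-b": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32,
    "flow-c": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20,
    "flow-d": b"SSH-2.0-OpenSSH_8.9\r\n",
    "flow-e": b"\x00\x01\x02\x03\x04\x05",
}
```

Only the first bytes of a flow are needed, which is why a firewall can label the application before deciding whether to prioritize, manage or block it.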

Network Traffic Visualization

• Real-time traffic breakdown
• User traffic consumption
• Identify P2P traffic
• Bandwidth breakdown
• App traffic drilldown

Identify and Control Applications

Application Library with over 3800 unique application uses

Granular Control
• Allow Facebook, block FarmVille
• Allow chat, block file transfer
• Group/user based
• Schedule based
• Exceptions
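The granular-control rule types above, as an added example that is not SonicOS code: a first-match policy evaluator with app/category matching, parent-app inheritance (FarmVille on Facebook, file transfer on a chat session), group scoping, a schedule window and per-user exceptions. The application library, groups and policy are constructed.

```python
# Added example, not SonicOS code: a small application-control policy evaluator
# covering the rule types named above (allow Facebook but block FarmVille, allow
# chat but block file transfer, group-based, schedule-based, per-user exceptions).
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Tuple

# Constructed app library: app -> (category, parent app). FarmVille rides on Facebook
# and file transfer rides on the chat session, so a parent-app rule also matches the child.
APP_LIBRARY = {
    "facebook": ("social-networking", None),
    "farmville": ("social-gaming", "facebook"),
    "msn-chat": ("instant-messaging", None),
    "msn-file-transfer": ("file-transfer", "msn-chat"),
}

@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "block"
    app: Optional[str] = None                     # match this app or apps built on it
    category: Optional[str] = None                # match an application category
    groups: FrozenSet[str] = frozenset()          # empty means any group
    schedule: Optional[Tuple[time, time]] = None  # active window, else always active
    exempt_users: FrozenSet[str] = frozenset()    # users this rule never applies to

    def matches(self, user: str, groups: FrozenSet[str], app: str, now: datetime) -> bool:
        category, parent = APP_LIBRARY[app]
        return (user not in self.exempt_users
                and (not self.groups or bool(self.groups & groups))
                and (self.schedule is None or self.schedule[0] <= now.time() < self.schedule[1])
                and (self.app is None or self.app in (app, parent))
                and (self.category is None or self.category == category))

def decide(rules, user: str, groups, app: str, when: str) -> str:
    """First matching rule wins; a flow no rule matches falls through to allow."""
    now = datetime.strptime(when, "%Y-%m-%d %H:%M")
    for rule in rules:
        if rule.matches(user, frozenset(groups), app, now):
            return rule.action
    return "allow"

# Constructed policy: block social gaming for everyone except one exempt user,
# block file transfer for students, block Facebook for staff during office hours.
POLICY = [
    Rule("block", category="social-gaming", exempt_users=frozenset({"marketing-lead"})),
    Rule("block", app="msn-file-transfer", groups=frozenset({"students"})),
    Rule("block", app="facebook", groups=frozenset({"staff"}), schedule=(time(9, 0), time(17, 0))),
    Rule("allow", app="facebook"),
]
```

Rule order matters: the social-gaming block sits before the Facebook allow, so FarmVille is blocked even though Facebook itself is allowed.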

Dashboard -> Real-Time Monitor

(SonicOS 5.9) Enhanced Logging

New: view, categorize and filter

Application Control

NGFW Features - DPI-SSL

RFDPI Engine with DPI-SSL (diagram)

SSL stream in -> Incoming SSL Session Handling -> RFDPI Engine (running on an ultra-scalable TCP stack) -> Outgoing SSL Session Handling -> SSL stream out

SSL Decryption (DPI-SSL) Details

• Does not rely on a proxy configuration
• Can inspect all SSL sessions on all ports independently of the protocol (HTTPS, IM SSL, POP3 over SSL, etc.)
• Scans both SSL encrypted and decrypted data
• Can inject content such as block pages
• Client Side DPI-SSL Security Services
  – Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Application Firewall, Content Filtering
• Server Side DPI-SSL Security Services
  – Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Application Firewall
• Optional: decrypted traffic can be sent directly to the server after DPI inspection. Benefit: SSL offloading

NGFW Features - SSO

Single Sign-On Overview

• SSO is a transparent user authentication that provides access to network resources with a single login.

Diagram: User Workstation -> firewall applies Access Rules and Security Services, with no need for additional authentication.

SonicWALL SSO Agent

Security Services

SonicWALL On-Board DPI Security Services

• Intrusion Prevention
• Gateway Anti-Virus
• Gateway Anti-Spyware
• Cloud-AV
• Content/URL Filtering
• DPI SSL (SSL Inspection)
• Application Intelligence & Control
• Application Visualization
• Comprehensive Anti-Spam

RFDPI based Gateway Anti-Virus

Reassembly-free Gateway Anti-Virus scanning based on Deep Packet Inspection technology.

Processing applied to the TCP stream without reassembling it:
• Reassembly-free Base64 decoding
• Reassembly-free deflate
• Reassembly-free ZIP
• Reassembly-free GZIP

Anti-Virus prevention response.

Scanning pipeline: Start stage -> Protocol State -> E-Mail Format -> Decoding -> Decompression -> Scanning -> Prevention
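The reassembly-free Base64 decoding stage above, as an added example that is not SonicWALL's RFDPI engine: a scanner that decodes a base64 attachment and matches a signature segment by segment, carrying only a partial base64 quad and a short byte tail between segments so that both the encoding and the signature can straddle TCP segment boundaries. The signature and message body are constructed.

```python
# Added example, not SonicWALL's RFDPI engine: a reassembly-free scanner that
# base64-decodes an e-mail attachment and matches a signature as each TCP segment
# arrives, keeping only a partial quad and a short tail instead of the whole stream.
import base64

SIGNATURE = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for an AV signature


class StreamingBase64Scanner:
    def __init__(self, signature: bytes = SIGNATURE):
        self.sig = signature
        self.pending = b""      # fewer than four base64 chars not yet decodable
        self.tail = b""         # last len(sig)-1 decoded bytes, for cross-segment matches
        self.decoded_len = 0    # decoded bytes consumed so far
        self.hits = []          # offsets of the signature in the decoded stream

    def feed(self, segment: bytes) -> bool:
        """Consume one TCP segment; return True once the signature has been seen."""
        # MIME wraps lines, so strip whitespace before grouping into quads.
        data = self.pending + bytes(c for c in segment if c not in b"\r\n\t ")
        usable = len(data) - len(data) % 4
        self.pending = data[usable:]
        self._scan(base64.b64decode(data[:usable]))
        return bool(self.hits)

    def _scan(self, decoded: bytes) -> None:
        window = self.tail + decoded
        start = 0
        while True:
            i = window.find(self.sig, start)
            if i < 0:
                break
            self.hits.append(self.decoded_len - len(self.tail) + i)
            start = i + 1
        self.decoded_len += len(decoded)
        self.tail = window[-(len(self.sig) - 1):] if len(self.sig) > 1 else b""


def scan_segments(segments, signature: bytes = SIGNATURE):
    scanner = StreamingBase64Scanner(signature)
    for segment in segments:
        scanner.feed(segment)
    return scanner.hits


# Constructed attachment: the marker sits at byte 100 of the decoded body and the
# base64 text (wrapped at 76 columns) is cut at arbitrary segment boundaries.
BODY = b"x" * 100 + SIGNATURE + b"y" * 50
ENCODED = base64.encodebytes(BODY)
SEGMENTS = [ENCODED[:77], ENCODED[77:150], ENCODED[150:]]
CLEAN = base64.encodebytes(b"nothing to see here")
```

The same offset is reported whether the stream arrives in one piece, in three segments, or one byte at a time, which is the property a reassembly-free engine needs.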

Copyright 2010 SonicWALL Inc. All Rights Reserved

Content Filtering Service Overview

• Database in the cloud (millions of URLs rated)
• Hardware- and OS-independent
• Simple implementation
• Granular control: 64 categories
• GMS and Analyzer integration (reporting)

Route Based IPSec VPN

• Tunnel Interface: a Tunnel Interface can be defined between the two end-points of the tunnel. Static routes are then used to route traffic through the tunnel interface.

• Note: the Tunnel Interface must be bound to a physical interface, and the IP address of that physical interface is used as the source address of the tunneled packet.

Using All The Cores: Increased SSL-VPN Sessions

Model             Old    New
NSA E8510         n/a    1,500/5000*
NSA E8500         50     1,500/5000*
NSA E7500         50     1,000/5000*
NSA E6500         50     750
NSA E5500         50     500
NSA 5000          30     350
NSA 4500          30     350
NSA 3500          30     250
NSA 2400          25     125
NSA 250           15     50
NSA 220           15     50
TZ 215            10     25
TZ 210 / 210W     10     25
TZ 200 / 200W     10     10
TZ 100 / 100W     5      5

Mobile Connect for iOS/Android

Works with: Dell Aventail E-Class SRA Appliances, Dell SonicWALL SRA Appliances, Dell SonicWALL Next-Generation Firewalls.

Step 1: Download Mobile Connect
Step 2: Install Mobile Connect
Step 3: Configure SSL VPN Connection

Deployment Scenarios

Top Deployments

1. Traditional NAT Gateway with Security & Remote Access
2. High Availability Modes
   – Active/Passive with State Synchronization
   – Active/Active DPI with State Synchronization
   – Active/Active Clustering
3. In-Line Deployments: Wire Mode or Layer 2 Bridge Mode, Tap Mode
   – Easy network insertion, no network re-numbering
4. “Clean Wireless” Deployment
   – Firewall as a wireless controller
   – DPI on all wireless traffic
5. “CleanVPN” Deployment
   – Firewall as a VPN concentrator
   – DPI on all incoming VPN traffic
6. VPN Concentrator for Distributed Enterprise
   – Global Management System (GMS) to provision and manage branch offices
   – Connectivity through central SuperMassive or E-Class NSA firewall
   – All security done at the central site
7. Network Segmentation (Security Zones)
   – Network segmentation via VLAN & Security Zones
   – Different security policies for each Security Zone

Medium/Large Network Deployment with DPI Security

• Requirements
  – Layered security
  – Levels of trust created via defining zones
  – Gateway firewalls between zones
  – Context-aware security
  – Enforce global policy based on context (user, location, access method, device, etc.)
  – Application-aware security
  – Mitigate advanced persistent threats
  – Orchestrated security management
  – Workload virtualization introduces a Virtual Access Layer
  – Need security functions like physical

• Security Functions
  – ACLs, firewalls, IDS/IPS
  – Host-based security (HIPS, vulnerability scanning)
  – Email security
  – Anti-Spyware
  – Secure remote access
  – SIEM/log monitoring

Diagram layers: Virtual Access; Aggregation (firewall, IDS/IPS, gateway services, …); NSA Series.

• Security required at each layer to achieve global protection
• Virtual Access layer requires security enforcement within the virtual environment

NGFW Wire & L2 Bridge Mode Deployment: NGFW insertion into a network with an existing gateway firewall

Layer 2 Bridge or Wire Mode Deployment: discover application usage & threats leaking through the traditional firewall (before/after diagram).

Flexible Wire Mode Deployment

Modes: Bypass, Inspect, Secure

Allows for the quick and relatively non-interruptive introduction of SuperMassive into a network (e.g. between a core switch and a perimeter firewall, in front of a VM server farm, at a transition point between data classification domains).

Inspect Mode provides full visibility and a low-risk, zero-latency packet path.

Secure Mode is the progression of Inspect Mode, actively interposing control into the packet processing path.

Application Visualization Report

Detailed application report for offline report generation

Visualization database uploaded to

Report provides risk assessment, applications, bandwidth, vulnerabilities, URLs, etc