1

Next Generation Firewalls: Ready or Not

David StromAITP St. Louis March 2014

david@strom.com

2

Who am I?

• Long time tech journalist, product reviewer and speaker

• IT manager from the dawn of the PC era• Former editor-in-chief at Network Computing,

Tom’s Hardware.com• Author of two books on computer networking• Based here

3

Agenda

• Next Gen distinguishing characteristics• Issues with next gen deployment• UTM pro and con• Advanced persistent threat tools

4

The older firewall generation

5

Cisco ASA: what it used to be like

6

Next Gen distinguishing characteristics

• Applications granularity and awareness• Integrated IPS• IP Reputation management• Geolocation

7

8

Cisco ASA applications granularity

9

New Cisco ASA Dashboard

10

And another Cisco view

11

Palo Alto Networks “Applipedia”

12

13

Reputation management

14

15

McAfee Enterprise Firewall geo-location feature

16

Deployment issues

• Next gen does things differently from old school:– NAT– QoS– Outbound vs. inbound rule focus

17

18

Understanding app ID implications for users

19

One obstacle to switching to next-gen

20

Network documentation isn’t current

21

Handling VMs still an issue

22

Lots of VM security products…

23

Catbird’s compliance radar graph

24

25

Infrastructure misuse

26

What about UTMs?

• Pro:– A lot of protection for the $ nowadays

(Juniper/Check Point)– One box does it all

• Con:– Complex licensing issues– Can get expensive if you have high bandwidth

needs– Latency can kill you if you turn on Anti-Virus

27

Juniper SRX dashboard

28

SonicWall

29

30

Watchguard UTM

31

APT tools

• Try to catch the bad guys before they actually deploy their payloads, such as from Norse Corp. (local boys) and Cyphort

32

33

For more info

• david@strom.com• Twitter: @dstrom• http://strominator.com• TechTarget article: http://bit.ly/1dISmx4• Network World review of UTMs:

http://bit.ly/1fJtmHE