Ngfw overview
Uploaded by: motty-ben-atia
Category: Technology
Transcript of Ngfw overview
Dell SonicWALL Next Generation Firewall Workshop
SonicWALL Confidential
Dell SonicWALL’s legacy
Timeline: 1991, 1996, 2005, 2007, 2010, 2011, 2012
• Founded
• Became leading provider of subscription services on optimized appliances
• Became the leader in unit share for Unified Threat Management Firewall appliances
• Shipped one million appliances worldwide
• Named to Visionaries Quadrant, Gartner Magic Quadrant for SSL VPN
• Thoma Bravo and SonicWall entered into a partnership
• Positioned as “Leader” in Gartner UTM Magic Quadrant
• Positioned as “Visionary” in Gartner SSL VPN Magic Quadrant
• Announced SuperMassive™ E10000 Series
• SNWL Earns NSS Labs Recommended Rating for NGFW SVM
• Shipped two million appliances worldwide
• 5/9: Joined the Dell family
Magic Quadrant: Unified Threat Management
Dell SonicWALL in Leaders Quadrant
By John Pescatore, Greg Young
[Figure: Magic Quadrant as of March 5, 2012. Axes: ability to execute, completeness of vision. Quadrants: challengers, leaders, niche players, visionaries.]
Vendors shown: Dell SonicWALL, Fortinet, Check Point Software Technologies, WatchGuard, Sophos (Astaro), Cyberoam, Netasq, Cisco, Juniper Networks, Netgear, Trustwave, gateProtect, Clavister, Kerio Technologies
Dell Vendor Profile Excerpted from MQ:
Strengths
• Dell has strong global partner and MSSP support.
• Dell SonicWALL is well-known in the UTM space and appears frequently on Gartner client short lists.
• The graphical elements of SonicWALL's management interface are consistently highly rated.
• SonicWALL's release of new features has kept up with midmarket needs, and has been matched by usability enhancements.
Cautions
• SonicWALL's push into the high end with SuperMassive may divert resources and focus from the UTM market.
• SonicWALL does not offer a virtual appliance for the UTM space.
2013 The NSS Security Value Map
Dell Connected Security
• 38B security events analyzed daily
• 1m devices WW reporting on 40m users
• 638B intrusions prevented in 2011
• $14 trillion in assets protected daily
• 40,000 new malware samples analyzed every day
• 4.2B malware attacks blocked in 2011
• Data encrypted and protected on 7m devices
Dell SonicWALL
Dell Secureworks
Dell Credant
Dell Kace
Dell Quest
Dell is firmly committed to providing end-to-end IT solutions that enable customers to grow and thrive. This includes continuous protection of customers' data, applications, systems and networks.
Secure remote access
Email security
Policy & management
Hosted
Network security
Dell SonicWALL product portfolio
Clean wireless – SonicPoint-N Series
WAN acceleration
Application Intelligence and Control
GAV/Anti-Spyware
Intrusion Prevention
Comprehensive Anti-Spam Service
Enforced Client Anti-Virus
Content Filtering Service
Global VPN Client
SSL VPN
For Network Security
Secure Virtual Assist
Mobile Connect
End Point Control
Connect Mobile
Spike License Pack
Advanced Reporting
Native Access Module
Secure Virtual Assist
Secure Virtual Access
Secure Virtual Meeting
Mobile Connect
Web Application Firewall
Email Protection
Email Anti-Virus
Email Compliance
Global Management System
Analyzer
Scrutinizer
Dell SonicWALL Next-Gen Firewalls
• SuperMassive E10000 & 9000 Series: Data centers, ISPs
  Models: E10200, E10400, E10800; 9600, 9400, 9200
• E-Class NSA Series: Medium to large organizations
  Models: NSA E8500, NSA E6500, NSA E5500, NSA E8510
• NSA Series: Branch offices and medium sized organizations
  Models: NSA 4600, NSA 3600, NSA 2400, NSA 250M, NSA 220, NSA 5600, NSA 6600
• TZ Series: Small and remote offices
  Models: TZ 205, TZ 105, TZ 215
Dell SonicWALL Next Generation Firewalls
Segments: SMB/Campus/Branch; Enterprise, Data Center
• SuperMassive Series: SuperMassive E10800, SuperMassive E10400, SuperMassive 9600, SuperMassive 9400, SuperMassive 9200
• NSA Series: NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600, NSA 220/250M
• TZ Series: TZ 215/W, TZ 205/W, TZ 105/W
E-Class Series Certifications
• FIPS 140-2
• Common Criteria EAL4+
• ICSA Firewall
• ICSA Enterprise Firewall (IPv6, High Availability, VoIP)
• IPv6 Phase 1
• IPv6 Phase 2
• NSS Recommended NGFW (E10800 based on the same security engine)
Dell SonicWALL Next Generation Firewall Architecture
Scan Everything – Every bit, every protocol, every user & application
NGFW Orientation – SPI vs. DPI
Stateful Packet Inspection
NGFW Orientation – SPI vs. DPI
Deep Packet Inspection
Next Generation Firewall Technology
1. Stateful Packet Inspection
2. Intrusion Prevention – The front-line network defense against application attacks
3. Application Identification & Visualization – Can’t control what you can’t see
4. User Identification through Single Sign On (SSO) – Correlate network traffic with users
5. Application Control – Granular control (Allow Facebook, Block Social Gaming)
6. SSL Decryption – Don’t allow threats to tunnel through encrypted channels
7. Threat Prevention – Anti-X (Virus/Trojan/Malware)
Deep Packet Inspection
Application Intelligence, Control and Visualization
Application Chaos: So many on Port 80
• Critical Apps: Prioritized Bandwidth
• Acceptable Apps: Managed Bandwidth
• Unacceptable Apps: Blocked
Identify
• By Application - Not by Port & Protocol
• By User/Group - Not by IP
• By Content Inspection - Not by Filename
Categorize
• By Application
• By Application Category
• By Destination
• By Content
• By User/Group
Users/Groups
Ingress
Control
• Prioritize Apps by Policy
• Manage Apps by Policy
• Block Apps by Policy
• Detect and Block Malware
• Detect & Prevent Intrusion Attempts
Policy
Visualize & Manage Policy
Cloud-Based Extra-Firewall Intelligence
Egress
Malware Blocked
Massively Scalable Next-Generation Security Platform
High Performance Multi-Core Re-Assembly Free DPI
Visualization
Policy
Application intelligence, control and visualization
Identify, Categorize, Control
Process Visualization
Network Traffic Visualization
• Real-time Traffic Breakdown
• User Traffic Consumption
• Identify P2P Traffic
• Bandwidth Breakdown
• App Traffic Drilldown
Identify and Control Applications
Application Library with over 3800 unique Application Uses
Granular Control
• Allow Facebook, Block Farmville
• Allow Chat, Block File Transfer
– Group/User Based
– Schedule Based
– Exceptions
Dashboard->Real-Time monitor
(SonicOS 5.9) Enhanced Logging
New to view, categorize and filter
Application Control
NGFW Features - DPI-SSL
RFDPI Engine with DPI-SSL
RFDPI Engine
Incoming SSL Session Handling
Ultra-Scalable TCP Stack
Decryption
Re-Encryption
Outgoing SSL Session Handling
SSL Stream out
SSL Stream in
SSL Decryption (DPI SSL) Details
• Does not rely on a proxy configuration
• Can inspect all SSL sessions on all ports independently of the protocol (HTTPS, IM SSL, POP3 over SSL, etc…)
• Scans both SSL encrypted and decrypted data
• Can inject content such as block pages
• Client Side DPI-SSL Security Services
– Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Application Firewall, Content Filtering
• Server Side DPI-SSL Security Services
– Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Application Firewall
• Optional: decrypted traffic can be sent directly to the server after DPI inspection. Benefit: SSL Offloading
NGFW Features - SSO
Single Sign-On Overview
• SSO is a transparent user authentication that provides access to network resources with a single login.
User Workstation
Authorized
passwrd123
No need for additional authentication!
Access Rules
Security Services
SonicWALL SSO Agent
Security Services
SonicWALL On-Board DPI Security Services
• Intrusion Prevention
• Gateway Anti-Virus
• Gateway Anti-Spyware
• Cloud-AV
• Content/URL Filtering
• DPI SSL (SSL Inspection)
• Application Intelligence & Control
• Application Visualization
• Comprehensive Anti-Spam
RFDPI based Gateway Anti-Virus
HTTP, SMTP, POP3, IMAP, FTP
TCP Stream
Reassembly-free Base64 decoding
Reassembly-free deflate decompression
Reassembly-free ZIP decompression
Reassembly-free GZIP decompression
Reassembly-free Gateway Anti-Virus scanning based on Deep Packet Inspection technology
Anti-Virus Prevention Response
Packet, Start stage, Protocol State Machine, E-Mail Format Decoding, Decompression, Scanning, Prevention
Copyright 2010 SonicWALL Inc. All Rights Reserved
Content Filtering Service Overview
• Database in the cloud (millions of URLs rated)
• Hardware- and OS-independent
• Simple implementation
• Granular control: 64 categories
• GMS and Analyzer integration (reporting)
VPN
Route Based IPSec VPN
• Tunnel Interface: A Tunnel Interface can be defined between the two end-points of the tunnel. Static routes will be used to route traffic through the tunnel interface.
• Note: The Tunnel Interface must be bound to a physical interface and the IP address of that physical interface is used as the source address of the tunneled packet.
SSL VPN
Using All The Cores: Increase SSL-VPN Sessions

Model             Old   New
NSA E8510         n/a   1,500/5000*
NSA E8500         50    1,500/5000*
NSA E7500         50    1,000/5000*
NSA E6500         50    750
NSA E5500         50    500
NSA 5000          30    350
NSA 4500          30    350
NSA 3500          30    250
NSA 2400          25    125
NSA 250           15    50
NSA 220           15    50
TZ 215            10    25
TZ 210 / 210W     10    25
TZ 200 / 200W     10    10
TZ 100 / 100W     5     5
Mobile Connect for iOS/Android
Dell Aventail E-Class SRA Appliances
Dell SonicWALL SRA Appliances
Dell SonicWALL Next-Generation Firewalls
Step 1: Download Mobile Connect
Step 2: Install Mobile Connect
Step 3: Configure SSL VPN Connection
Deployment Scenarios
Top Deployments
1. Traditional NAT Gateway with Security & Remote Access
2. High Availability Modes
– Active/Passive with State Synchronization
– Active/Active DPI with State Synchronization
– Active/Active Clustering
3. In-Line Deployments: Wire mode or Layer 2 Bridge Mode, Tap Mode
– Easy Network Insertion, no network re-numbering
4. “Clean Wireless” Deployment
– Firewall as a wireless controller
– DPI on all wireless traffic
5. “CleanVPN” Deployment
– Firewall as a VPN Concentrator
– DPI on all incoming VPN traffic
6. VPN Concentrator for Distributed Enterprise
– Global Management System (GMS) to provision and manage branch offices
– Connectivity through central SuperMassive or E-Class NSA firewall
– All security done at the central site
7. Network Segmentation (Security Zones)
– Network Segmentation via VLAN & Security Zones
– Different Security policies for each Security Zone
Medium/Large Network Deployment with DPI Security
• Requirements
– Layered security
– Levels of trust created via defining zones.
– Gateway Firewalls between zones.
– Context-aware security
– Enforce global Policy based on context (user, location, access method, Device, etc)
– Application-aware Security
– Mitigate advanced persistent threats
– Orchestrated Security management
– Workload Virtualization introduces Virtual Access Layer
– Need security functions like physical layer
• Security Functions
– ACLs, Firewalls, IDS/IPS
– Host-based security (HIPS, Vulnerability Scanning)
– Email Security
– Anti-Spyware
– Secure Remote Access
– SIEM/Log Monitoring
Network layers: Virtual Access, Core, WAN, Aggregation, Access
Firewall, IDS/IPS, Gateway services, …
• Security required at each layer to achieve global protection
• Virtual Access layer requires security enforcement within virtual environment
NSA Series
NGFW Wire & L2 Bridge Mode Deployment
NGFW insertion into a network with an existing gateway firewall
Layer 2 Bridge or Wire Mode Deployment
Discover application usage & threats leaking through the traditional firewall
Before, After
Flexible Wire Mode Deployment
Bypass Inspect Secure
Allows for the quick and relatively non-interruptive introduction of SuperMassive into a network (i.e., between a core switch and a perimeter firewall, in front of a VM server farm, at a transition point between data classification domains).
Inspect Mode provides full visibility & low-risk, zero-latency packet path.
Secure Mode is the progression of Inspect Mode, actively interposing active control into the packet processing path.
Application Visualization Report
Detailed application report for offline report generation
Visualization database uploaded to www.mysonicwall.com
Report provides risk assessment, applications, bandwidth, vulnerabilities, URLs, etc