1 Network Gateway Security Sidewinder v7.0 - Customer Overview.

1

Network Gateway Security

Sidewinder v7.0 - Customer Overview

2

Sidewinder 7.0

Product Family - Snapshot

3

Product Family - SnapshotA complete product line for protecting network perimeters

Central Managemen

tIntelliCenter

Base

Ap

plian

ces

Cen

tral Tools

9 Base Appliance ModelsModels 110, 210, 410, 510, RM-700, 1100, 2100, 2150, 4150

Firewall/VPN(Application proxies, stateful inspection, packet filtering)

(~$1,500 to ~$75,900)

Event Monitoring& Reporting

On

-Pla

tform

Serv

ices Web BrowsingWeb Browsing

ProtectionsURL Blocking

Services

VirusesViruses& SpywareServices

SpamSpam& PhishingServices

IP ReputationIP ReputationServices

TrustedSource

IPSIPSSignature &

Anomaly BasedServices

SSLSSLTermination

Services

IPSec VPNIPSec VPNMobile User

Services

New

NewNew

New

4

Sidewinder 7.0

Overview

5

Key Security Market Drivers

Window between threat & countermeasures is too long

Patch cycle can’t keep up

Botnets, zombies, and threats in the wild exploding

~70% of new attacks are application-layer threats

Threat Exposure Proactive & Reliable Threat Detection

•AV, IDS•Anti-Spam

Signatures

•Anomalous behavior at the box

Local Behavior

Global Intelligence

Move to Integrated Appliances

Lots of Point

Appliances

Integrated Appliances

Overhead, Complexity

Too many point security products

Too many meetings with too many security vendors

Too many products to learn

Too much time maintaining current patch & version levels

Drivers Trends

6

Sidewinder Scales to the Largest Enterprises

Sidewinder is the leader in the mid to large enterprise portion of the IDC UTM security appliance market segment

UTM Market Projections

> UTM market forecasted to grow to $2.8 billion in 2010, a 32.8% CAGR from 2004 through 2010

> Traditional Firewall/VPN appliance market predicted to decline to $1.2 billion by 2010 at a CAGR of -3.0%

Fastest Growing Security Appliance Product Segment

Did you know that more organizations today are adopting multifunction security appliances over traditional firewalls?

7

Why Sidewinder?

”This is a huge-stakes game of ‘cat & mouse’ with tremendous bottom-line consequences for your organization. The best ‘cat’ in the game is the single-point security solution provided by Sidewinder.“

– a prominent government contractor

Highest Highest SecuritySecurity

Best Best PerformancePerformance

Global Global IntelligenceIntelligence

“Sidewinder is tops at combining protection and performance...Sidewinder can handle a ridiculous number of concurrent connections.”

– Network Computing

“I’ve been a satisfied Sidewinder customer for years and this technology will continue to be a key component in my corporate information security strategy.“ – Jeff Moss, President & Founder Black Hat

8

Outgoing Network Protection

• Control outbound access

• Authenticate users for access policy control & reporting

• Block all access to outbound services & Web sites unless explicitly allowed

• Secure active connections

• Inspect Internet usage for bad content & apps

• Stop viruses & spyware in requested files

• Protect clients with IPS & proxies

Sidewinder Has the Most Security Services!Complete Bi-directional multifunction security

SourceReputation

IPS

Antivirus FirewallVPN

URL Filtering

Incoming Network Protection

• Control inbound access

• Granularly control access to all protected resources

• Strongly authenticate users to apply role-based use of VPN tunnels

• Secure active connections

• Stop viruses & spyware in file transfers

• Stop spam via sender reputation & mail filtering

• Prevent attacks on servers and applications with IPS & proxies

9

Typical Deployment Options for Sidewinder

Perimeter Firewall

Users&

IntranetWeb

Servers

InternetMultifunction perimeter

UTM FirewallCentral site andremote branch offices

Protected Networks

Layered Firewall Internet

Legacy Stateful Inspection Firewall

DATABASE

Users

DMZ

Web Sites

Layered Bi-directional Firewall

Application Specific Firewall

Application-specific Proxy Firewall

Internet

OracleMS-SQLMetaFrameBloombergEtc.

SQLMS-SQLCitrix-ICASOCKSEtc.

10

Sidewinder as a Perimeter FirewallHighest performing, most secure perimeter firewall

Delivers Highest Security

>Highest app security certification – EAL4+

>No CERT advisories

>Most secure, patented operating system

>Trusted by financials, governments and other security sensitive organizations

and Best Performance

>Fastest multifunction security with Multi-Gbps throughput

>3x faster than competitors

>11 year deployment history in the most demanding networks

>Active/Active Load Sharing and performance scaling

with Global Intelligence

>Industry-first reputation firewall for proactive protection, TrustedSource

>Global knowledge system for more timely threat detection and response

>Automatic IPS signature updates for continuous protection

Dramatically reduced risk without trading off performance & manageability.

Perimeter Firewall

Users&

IntranetWeb

Servers

InternetMultifunction perimeter

UTM FirewallCentral site andremote branch offices

Protected Networks

11

Sidewinder as a Layered FirewallDefense in depth with strong user and data protections

Feel confident because you have applied ‘best practice’ security at your Internet point of presence.

Sample Security Policy

ENTERPRISELayered Security Policy

“Deploy proxy firewall inside Cisco PIX. Enforce security on outbound user activity and all inbound queries from DMZ systems to internal data”

Chief Security Officer

Layer 3 legacy firewalls can’t inspect deep enough into packet data payloads. Layer 3 legacy firewalls can’t inspect deep enough into packet data payloads.

Proxies are like baggage x-ray machines. They look deep inside the packet payload to find malicious content.70% of attacks are hiding

in the payload where otherfirewalls never look!

Layered Firewall Internet

Legacy Stateful Inspection Firewall

DATABASE

Users

DMZ

Web Sites

Layered Bi-directional Firewall

12

Bob is allowed by the proxy to receive streaming content within the application when other are not.

Kathy is restricted by the proxy to mouse, keyboard, & monitor use only.

No client software requiredNo client software required!

Sidewinder Protecting a Key Application Targeted security for mission critical applications

Ensures mission-critical applications are always highly available.

Customer Case Study

>U.S. stock exchange network backbone provider

>Maintains large Citrix remote desktop access solution for employees & partners

>Challenged because they needed granular user control over sub-functions in critical applications

>Utilizes Sidewinder’s Citrix-ICA proxy to granularly limit permitted activities by user - impossible to do with legacy firewalls!

Application Specific Firewall

Application-specific Proxy Firewall

Internet

OracleMS-SQLMetaFrameBloombergEtc.

SQLMS-SQLCitrix-ICASOCKSEtc.

13

Proxy Technology Vs. Packet Filtering

Only Trusted Proxies Talk to Your Servers!

Stateful Inspection Compromises Security

> External clients NEVER DIRECTLY CONNECT with the internal application servers TWO SEPARATE CONNECTIONS are

maintained per client-server session

ONLY TRUSTED PROXY is allowed to talk directly to the internal application servers

> Stateful Inspection (SI) allows external clients a DIRECT PACKET FLOW WITH SERVERS SI is more like a router than a true firewall –

COMPROMISING SECURITY to gain performance

Helping unknown sources get direct connections with internal servers is a POOR SECURITY DESIGN

Versus

PROXIES

STATEFUL INSPECTION

Securelyprocessing packets

…. Justpassing packets

14

Application Proxy Technology

HTTP Proxy• Layer 7 defenses

• Full packet assembly

• RFC compliance

• Configured to allowed use

• All else denied

ScanningEngines

Client

WebServer

UntrustedUntrusted Trusted

TC

P/IP

S

tack

TC

P/IP

S

tack

AppServer

Oracle

SQL

Citrix

VoIP

Etc.

Server

• ONLY Sidewinder’s trusted proxy is allowed to talk directly to internal application servers

•Two separate connections are maintained per client-server session

•Proxy securely processes client requests to the server

• Proxy automatically strips out attacks trying to introduce malicious commands that violate RFCs

• Proxy may be further configured to tightly enforce a limited-use policy for the application

•Client-server communications are configured to only allow needed operations and denies all else!

15

Proxy-Based Application DefensesThe power of the Positive Model of security

POSITIVE MODEL OF SECURITY“Deny all methods of communicating with the application unless the methods are explicitly

allowed.”

• Not just simple signature-based checks – that is the negative model of security (allow all traffic while looking for the bad known in the traffic)

• Positive Model proxies have deep understanding of the applications they protect

• Proxy GUI treatment allows very granular control over how clients communicate with protected applications

• Protecting applications this way stops zero-hour unknown attacks

• Proxy configuration selections define the only allowed communications with the protected applications!

• RFC compliance is automatically enforced.

16

Source Source

LondonPortland

Atlanta

Hong Kong

Protected Networks

Trusted Center

GOOD Reputation

BADReputation

Response

Request

CriticalSituation

The increase in bandwidth-stealing spam is staggering – a 68% increase between October and November 2006 - resulting in 90% of all inbound e-mail being spam!

TrustedSource™ Reputation ServicesAdd reputation scoring to your arsenal

17

REPUTATION SCORING - Physical World Example Should the bank trust your credit score?

Credit Agency

Breadth: How many businesses or people you track?Depth: Number of transactions or activities tracked.

How well do they monitor

your activity?

Real-time Continuous Analysis of activities allows useful scoring. This score dynamically changes over time.

How reliable & timely is their

analysis?

• No of transactions• Timely payments• Late payments

Credit Score1 10

Score determines terms of credit. Credit is not simply good or bad, there are many shades of grey.

How effective is the proactive

result?

Deny/approve Loan, Terms

Bank: Should we extend a loan to you? nomaybe

yes

18

Automatically Drop Over 540 messages (= approx. 60% of the Spam!)

How Sidewinder Uses TrustedSource Reputation Scoring

Typical Enterprise Email90% spam, 10% good email

• Granular reputation score calculated• Score associated with mail sender’s IP address• Customer defines threshold settings on

Sidewinder

Only 460 MessagesNeed to be Further Processed by:

Sidewinder anti-spam engineSidewinder anti-virus engine

1,000Messages• 90% Spam• 10% Good

GoodGoodMailMail

BadBad

Bad

Bad

OR

inside the Network

GlobalCenters

19

The Leader in Proactive Protection

Atlanta

Brazil

London

Hong KongPortland

DataStore

Internal Network

ReputationQuery

Internet Traffic

• Feeds from thousands of load balancers, FWs, Msg & Web gateways

• Highest quality data• Over 100 Billion

Messages/month• Millions of URLs

• 25 research scientists• Sophisticated behavior

analysis• 450,000+ zombies detected

each day• Best image spam detection

LargestReputation Network

Most Reliable Reputation Score

Be ProactiveBe Proactive in Protecting From Next Generation Threats

Work with the clear leader in this business!

-180

BadBad

+180

GoodGoodSuspicious

Reputation Score Calculated

20

TrustedSource Proactively Identifies OutbreaksBefore they happen…

Nov 3, 2005A/V Signatures

Nov 2, 2005Other Reputation Systems Triggered

Sept 12, 2005TrustedSourceFlagged Zombie

• Nov 1, 2005: This machine began sending Bagle worm across the Internet

• Nov 3, 2005: Anti-virus signatures were available to protect against Bagle

• Two months earlier, TrustedSource identified this machine as not being trustworthy

21

Why TrustedSource on Sidewinder?Drop, save & protect!

Enjoy!Dramatically less spam processing & significantly

increased security posture!

Legacy Firewalls…

…treat spam like legitimate traffic, introducing huge amounts of undesirable traffic to the downstream network.

Sidewinder Appliances……use TrustedSource’s reputation services to treat spam like ‘malware infected junk’, dropping it without processing anything more than the initial ‘hello’ from a spammer!

Dro

pS

ave

Pro

tect

Don’t to pay the cost of processing spam. Drop over 60% of spam at the perimeter the moment it tries to say ‘hello.’

Your bandwidth is for delivering quality customer service, and for your employees to efficiently do their jobs.

Bad source IPs often distribute spyware & viruses, so dropping all known ‘bad’ IP sender requests at the perimeter just makes common sense.

STOP KNOWN SPAM!(including phishing, malicious URLs & infected attachments)Vs.

22

Case Study – Orange County, CA

Just like everyone else…spam is hitting ‘the OC’ hard

• Orange County, CA uses Sidewinder as its internet point of presence (POP) for e-mail

• Since October 2005, the number of e-mail connections they see per day has jumped from 100k to 900k

• “I am surprised to be able to say this, but I definitely believe that the combination of the Trusted Source feature and long-term black holing have had a very measurable and significant positive impact which is visible as a distinct trend.”

David Tulo, OC Security Engineer

Sidewinder and TrustedSource respond to the challenge (TS turned on in yellow)

23

(IPS) Intrusion Prevention Security ServiceStrong design scales performance

Accelerator Card for Enterprise modelsSoftware engine for lower-end models

Sidewinder Intrusion Prevention is built for maximum performance and detection using industry leading acceleration technology.

IPS Signature-based Intrusion Prevention is available on all of our appliance models.

24

(IPS) Intrusion Prevention Security ServiceIPS Attack signature service

Knowledge SystemKnowledge System

AutomatedSignatureUpdates

Download Site

Signature candidates Created for review

Signature candidates Created for review

Global grid of shallow decoys

Global grid of shallow decoys

IPS Threat Knowledge System

1. Learning algorithms are deployed in a global grid of shallow decoys

2. They look for traffic that the algorithms can classify (good, bad, unknown)

3. Unknown content sent into knowledge system for classification,

4. System automatically builds signature candidates for human quality review

5. Signatures are then released to our download servers for retrieval by your Sidewinder

Tested & qualified signatures

Tested & qualified signatures

25

SIP.SOFTSTONE.REXPLOIT"; content: "| B8 75 C1 e4 88 2D |"; content: "| 50 59 33 c0 50 68 68 61 63 6b 54 5a 50 52 52 50 53 51 c3 |"; sid: 20010585;)

Look for relevant signature groups for the service VoIP/SIP and add to the rule

Select how you want the firewall to respond if the signature is hit

26

Signature groups are provided so the firewall is at maximum efficiency in

employing signatures only for services and

connections you wish to inspect with signatures.

27

SecureOS® Self-Defending Platforms

IT Security Summit 2006Greg Young, John Pescatore

• “…are more secure (by orders of magnitudes) than the PCs and servers they are protecting.”

• “…are focused on demonstrating best of breed in developing secure software, rather than joining the patch of the month club.”

It is important in the future that network security products…“Secure Computing

has a well-deserved reputation for quality assurance and has never had to issue a patch to correct a product vulnerability.”

1H 06 FW Magic Quadrant

Zero Emergency Patch Projects (11+ Years)

28

SecureOS® Architecture

Secure Operating System / SecureOS®

Secured by our patented Type Enforcement® technology

Type enforcement tables in OS kernel strictly control allread, write and execute rules for every piece of software

29

-rw-r--r-- 1 bin bin 3929 Mar 15 09:43 nss2:conf nss.conf.External-rw-r--r-- 1 bin bin 3930 Mar 15 09:43 nss2:conf nss.conf.External.bak-rw-r--r-- 1 bin bin 3930 Mar 13 09:04 nss4:conf nss.conf.Extranet-rw-r--r-- 1 bin bin 3919 Mar 13 12:24 nss1:conf nss.conf.Internal-rw-r--r-- 1 bin bin 3920 Mar 13 12:2a4 nss1:conf nss.conf.Internal.bakdrwxr-xr-x 2 ntp ntp 512 Nov 19 20:29 ntpc:diry ntp

Standard UNIX Permissions

User and Group Information

Time StampEXAMPLE:

Any NTP process that attempts to access any function that is not Type Enforced “ntpc:xxxx” will be stopped, alarmed, and notifications sent.

• Every single file, directory, and process on Sidewinder has Type Enforcement (TE) tags added by our software engineers

• Tags are strictly enforced by the domain controller table in the kernel of the OS!

Understanding Type Enforcement®

Tables & Tags!

30

Type Enforcement®

A Mandatory Access Control Mechanism

A software coding technique that protects and contains all computer processes, data, and all hosted software from mis-use.

With Mandatory Access Control…

• The system’s software-use policy is hard-coded by the developer (e.g., Secure Computing Corporation)

• No user (e.g., hacker) or administrator under any scenario is permitted to grant less restrictive access to how the software runs than the developer specified

• No software can be executed on the platform that is foreign (e.g., an attack script or Trojan) – so whether the attack software is known or unknown, it is blocked from executing

• Unlike discretionary access control…

• Discretionary access control systems permit users (e.g., hackers) through accident or malice to exploit vulnerabilites in software to manipulate it to their use, including getting complete root acccess (a comon method here is to lauch a buffer-over-flow attack

Mandatory Access Control

31

Type Enforcement® Has a Real Purpose

PROBLEM:

Check Point HTTP software compromised

DAMAGE:

Attacker can gain root access control

Check PointFebruary 2004

SOLUTION:

Patch Check Point software

Other security vendors release emergency patches all the time – disrupting your business.

Other security vendors release emergency patches all the time – disrupting your business.

32

Sidewinder Versatile, broad and deep inspection under one interface

Secure Operating System / SecureOS®

Secured by our patented Type Enforcement® technology

Single Rule View Manage all aspects of security policy for inside and outside network edges with 1 interface.

Global Intelligence & Knowledge Systems

TrustedSource™ Sender Reputation IPS Threat Knowledge System

Signature-based Intrusion Prevention

Custom IPS rulesIPS integrated into firewall policyASIC accelerated engine

On-box Security Services & Scanning EnginesAntispamAntivirus & Anti-spyware

SSL Decryption Secure DNS ServerURL Filtering Secure Email Server

Application Gateway Security – Proxies

Citrix ICA

SNMP

MS-SQL

Oracle

Telnet

FTP

IIOP

RTSP

H.323

SIP

SMTP

HTTP/HTTPS

DOS Prevention

Network Layer Controls

High Availability Security Zones Stateful InspectionVLAN

33

Sidewinder Defense-in-DepthComplete set of security features under one unified management

Key DifferentiatorKey Differentiator: Sidewinder provides the most security technologies under one unified, efficient policy management tool

Stop Unknown Threats Stops Known Threats

Network Access Rules

Auth& Role-based access

Network Access Rules

Auth& Role-based access

Reputation Services

Intelligent Application Inspection

Virus &Malware

Prevention

In-bound Access Controls

Out-bound Access Controls

Single Rule View means lower admin

overhead, and better policy management

efficiency

IPS

34

Leading Edge Hardware Platforms

410, 510

Regional OfficeRegional Office Corporate HQCorporate HQ

Inte

rfac

es,

red

un

dan

cy,

Sp

eed

Inte

rfac

es,

red

un

dan

cy,

Sp

eed

•Powerful Appliances

• Ultra-fast 64 bit processing

• State of the art dual-core Intel architecture

• ASICs and crypto hardware acceleration available

• Multi-GB application layer performance (up to 3X faster)

•Highly Available Platforms

• HA pairs – one to many mgmt.

• Clusters – one to many management

• RAID & power supply redundancy

• Rugged – military & heavy industry

• Industry Leading Warranty

• 3 yr warranty (included with purchase)

• Next Business Day on-site hardware repair services (standard 410 to 4150 models)

Purpose-built appliances that are secure and scalable; can be easily deployed, managed, and maintained.

110, 210

1100

4150

2100, 2150

Branch OfficeBranch Office

ASIC

IPSCrypto

RM-700

New

35

Best Performing Solution Enterprise class application security performance

“When it comes to performance numbers, Sidewinder can handle a ridiculous number of concurrent connections.”

“Sidewinder is tops at combining protection and performance...”Network

Computing

Application Security Throughput

• When turning on application layer inspection, Sidewinder shines

• Our competitors focus on stateful inspection throughput, perform badly at layer 7

Sources:http://www.securecomputing.com/index.cfm?skey=956http://www.netfast.com/xq/asp/qx/PDF/Juniper%20Networks/110007.pdf http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.htm (chart6) lhttp://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

-

500

1,000

1,500

2,000

2,500

Juniper SSG 5400 Cisco ASA 5540 Sidewinder 4150

Mb

ps

2.25 Gbps

500 Mbps450 Mbps

36

Central Monitoring, Alerting & ReportingNetwork Gateway Security

•Central server

• Reporting for multiple security appliances

•Web Portal

• Customizable web portal with views specific to the user, dashboards

• Anywhere, anytime access to reports (web based)

•Reports

• Printable reports in several languages

• Pre-built compliance reports

• Hourly, daily, weekly, monthly, and “all” time ranges

Graphical DashboardGraphical Dashboard

Instant ReportsInstant Reports

Customizable AlertsCustomizable Alerts

Compliance Reporting

Compliance Reporting

37

Case Study ExamplesNetwork Gateway Security

American Express

• Global company in over 130 countries.

• Transitioned from a centralized architecture - required layered security with proxy firewall for inside edge.

• Superb technical support was key to selection of Sidewinder.

• Complemented not replaced existing perimeter firewalls; deployed as an inside edge gateway for many locations

• Reduced overhead and costs for multiple edge security functions (e.g. SmartFilter on Sidewinder)

Australian Taxation Office

• Australian government agency, responsible for revenue/taxation; a constantly attacked organization.

• 24,000 employees and 1,150,000 clients that interact with the ATO through the firewall plus 19,000 tax agents – performance was a critical requirement.

• Rolled out over 12 Sidewinders for both perimeter and layered firewalls.

• Deploying Sidewinder reduced performance overhead by 80 percent, confirmed enterprise scale and throughput.

“The ATO needed the most comprehensive security appliance available, and we found it in Sidewinder G2”, says David Hay. “Sidewinder’s approach consolidates multiple security functions in a single system, it makes managing our security environment much less complex.”

38

Evaluating Network Gateway Security Products

Platform LifespanIs the platform architected to receive software upgrades for years into the future or will an ASIC forklift upgrade be on your horizon sooner rather than later?

CertificationDoes the product have application layer firewall certifications relevant to fighting application-layer attacks?

Single Unified ManagementDoes the product give you a single unified view of all security policies or do you have to manage & view them separately?

Application Security PerformanceDoes the product scale to multi-gigabit throughput when doing real application security processing?

Global IntelligenceCan the product leverage source IP reputation intelligence to eliminate millions of known bad senders immediately at the outside interface?

Operating System (OS) SecurityCan the vendor prove that the product has never required emergency security patches?

Other vendor

Secure Computing

Category

39

Why Sidewinder?

Proven, Fast and Secure

Global Global IntelligenceIntelligence

Best Best PerformancePerformance

Highest Highest SecuritySecurity