1
Network Gateway Security
Sidewinder v7.0 - Customer Overview
Dec 25, 2015
2
Sidewinder 7.0
Product Family - Snapshot
3
Product Family - Snapshot
A complete product line for protecting network perimeters
Central Management: IntelliCenter
Base Appliances
Central Tools
9 Base Appliance Models: 110, 210, 410, 510, RM-700, 1100, 2100, 2150, 4150
Firewall/VPN (application proxies, stateful inspection, packet filtering) (~$1,500 to ~$75,900)
Event Monitoring & Reporting
On-Platform Services:
Web Browsing Protections: URL Blocking Services
Viruses & Spyware Services
Spam & Phishing Services
IP Reputation Services: TrustedSource
IPS: Signature & Anomaly Based Services
SSL Termination Services
IPSec VPN: Mobile User Services
(Several of the services are marked “New” on the slide)
4
Sidewinder 7.0
Overview
5
Key Security Market Drivers
Driver: Threat Exposure
Window between threat & countermeasures is too long
Patch cycle can’t keep up
Botnets, zombies, and threats in the wild exploding
~70% of new attacks are application-layer threats
Trend: Proactive & Reliable Threat Detection
• Signatures: AV, IDS, Anti-Spam
• Local Behavior: anomalous behavior at the box
• Global Intelligence
Driver: Overhead, Complexity
Too many point security products
Too many meetings with too many security vendors
Too many products to learn
Too much time maintaining current patch & version levels
Trend: Move to Integrated Appliances (from lots of point appliances to integrated appliances)
6
Sidewinder Scales to the Largest Enterprises
Sidewinder is the leader in the mid to large enterprise portion of the IDC UTM security appliance market segment
UTM Market Projections
> UTM market forecasted to grow to $2.8 billion in 2010, a 32.8% CAGR from 2004 through 2010
> Traditional Firewall/VPN appliance market predicted to decline to $1.2 billion by 2010 at a CAGR of -3.0%
Fastest Growing Security Appliance Product Segment
Did you know that more organizations today are adopting multifunction security appliances over traditional firewalls?
7
Why Sidewinder?
“This is a huge-stakes game of ‘cat & mouse’ with tremendous bottom-line consequences for your organization. The best ‘cat’ in the game is the single-point security solution provided by Sidewinder.”
– a prominent government contractor
Highest Security
Best Performance
Global Intelligence
“Sidewinder is tops at combining protection and performance...Sidewinder can handle a ridiculous number of concurrent connections.”
– Network Computing
“I’ve been a satisfied Sidewinder customer for years and this technology will continue to be a key component in my corporate information security strategy.” – Jeff Moss, President & Founder, Black Hat
8
Outgoing Network Protection
• Control outbound access
• Authenticate users for access policy control & reporting
• Block all access to outbound services & Web sites unless explicitly allowed
• Secure active connections
• Inspect Internet usage for bad content & apps
• Stop viruses & spyware in requested files
• Protect clients with IPS & proxies
Sidewinder Has the Most Security Services!
Complete bi-directional multifunction security: Source Reputation, IPS, Antivirus, Firewall, VPN, URL Filtering
Incoming Network Protection
• Control inbound access
• Granularly control access to all protected resources
• Strongly authenticate users to apply role-based use of VPN tunnels
• Secure active connections
• Stop viruses & spyware in file transfers
• Stop spam via sender reputation & mail filtering
• Prevent attacks on servers and applications with IPS & proxies
9
Typical Deployment Options for Sidewinder
Perimeter Firewall: a multifunction perimeter UTM firewall between the Internet and the protected networks (users, intranet, web servers), at the central site and at remote branch offices.
Layered Firewall: Internet, legacy stateful inspection firewall, DMZ with web sites, then a layered bi-directional firewall in front of users and the database.
Application Specific Firewall: Internet, then an application-specific proxy firewall (SQL, MS-SQL, Citrix-ICA, SOCKS, etc.) in front of application servers (Oracle, MS-SQL, MetaFrame, Bloomberg, etc.).
10
Sidewinder as a Perimeter Firewall
Highest performing, most secure perimeter firewall
Delivers Highest Security
>Highest app security certification – EAL4+
>No CERT advisories
>Most secure, patented operating system
>Trusted by financials, governments and other security sensitive organizations
and Best Performance
>Fastest multifunction security with Multi-Gbps throughput
>3x faster than competitors
>11 year deployment history in the most demanding networks
>Active/Active Load Sharing and performance scaling
with Global Intelligence
>Industry-first reputation firewall for proactive protection, TrustedSource
>Global knowledge system for more timely threat detection and response
>Automatic IPS signature updates for continuous protection
Dramatically reduced risk without trading off performance & manageability.
11
Sidewinder as a Layered Firewall
Defense in depth with strong user and data protections
Feel confident because you have applied ‘best practice’ security at your Internet point of presence.
Sample Security Policy
ENTERPRISELayered Security Policy
“Deploy proxy firewall inside Cisco PIX. Enforce security on outbound user activity and all inbound queries from DMZ systems to internal data”
Chief Security Officer
Layer 3 legacy firewalls can’t inspect deep enough into packet data payloads.
Proxies are like baggage x-ray machines. They look deep inside the packet payload to find malicious content. 70% of attacks are hiding in the payload where other firewalls never look!
12
Sidewinder Protecting a Key Application
Targeted security for mission critical applications
Ensures mission-critical applications are always highly available.
Customer Case Study
>U.S. stock exchange network backbone provider
>Maintains large Citrix remote desktop access solution for employees & partners
>Challenged because they needed granular user control over sub-functions in critical applications
>Utilizes Sidewinder’s Citrix-ICA proxy to granularly limit permitted activities by user - impossible to do with legacy firewalls!
Bob is allowed by the proxy to receive streaming content within the application when others are not.
Kathy is restricted by the proxy to mouse, keyboard, & monitor use only.
No client software required!
13
Proxy Technology Vs. Packet Filtering
Only Trusted Proxies Talk to Your Servers!
Stateful Inspection Compromises Security
> External clients NEVER DIRECTLY CONNECT with the internal application servers. TWO SEPARATE CONNECTIONS are maintained per client-server session. ONLY the TRUSTED PROXY is allowed to talk directly to the internal application servers.
> Stateful Inspection (SI) allows external clients a DIRECT PACKET FLOW WITH SERVERS. SI is more like a router than a true firewall – COMPROMISING SECURITY to gain performance. Helping unknown sources get direct connections with internal servers is a POOR SECURITY DESIGN.
Proxies versus Stateful Inspection: securely processing packets …. versus just passing packets
14
Application Proxy Technology
HTTP Proxy
• Layer 7 defenses
• Full packet assembly
• RFC compliance
• Configured to allowed use
• All else denied
(Diagram: the untrusted client terminates on one TCP/IP stack, the proxy and scanning engines process the request, and a second TCP/IP stack on the trusted side connects to the Web Server or App Server: Oracle, SQL, Citrix, VoIP, etc.)
• ONLY Sidewinder’s trusted proxy is allowed to talk directly to internal application servers
• Two separate connections are maintained per client-server session
• Proxy securely processes client requests to the server
• Proxy automatically strips out attacks trying to introduce malicious commands that violate RFCs
• Proxy may be further configured to tightly enforce a limited-use policy for the application
• Client-server communications are configured to only allow needed operations and deny all else!
15
Proxy-Based Application Defenses
The power of the Positive Model of security
POSITIVE MODEL OF SECURITY: “Deny all methods of communicating with the application unless the methods are explicitly allowed.”
• Not just simple signature-based checks – that is the negative model of security (allow all traffic while looking for known bad content in the traffic)
• Positive Model proxies have deep understanding of the applications they protect
• Proxy GUI treatment allows very granular control over how clients communicate with protected applications
• Protecting applications this way stops zero-hour unknown attacks
• Proxy configuration selections define the only allowed communications with the protected applications!
• RFC compliance is automatically enforced.
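How such a positive-model proxy check can look in code, as an added example (not Sidewinder or Secure Computing code): it reassembles the request head, enforces RFC request syntax, and then allows only the listed methods, versions and path prefixes; the policy values and the sample requests are assumed for illustration.

```python
"""Positive-model request screening in the spirit of the proxy slides above.

Added example, not Secure Computing or Sidewinder code. It models what the
deck describes: fully assemble the request head, enforce RFC request syntax,
then permit only the methods, versions and paths an administrator listed;
everything else is denied.
"""
import re

# Hypothetical per-application policy (assumed values for illustration).
POLICY = {
    "allowed_methods": frozenset({"GET", "HEAD", "POST"}),
    "allowed_versions": frozenset({"HTTP/1.0", "HTTP/1.1"}),
    "allowed_path_prefixes": ("/app/", "/static/"),
    "max_request_line": 2048,
    "max_headers": 64,
}

# RFC 2616 "token" for header field names, and a strict request line.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")


def check_request(raw: bytes, policy: dict = POLICY) -> "tuple[bool, str]":
    """Return (allowed, reason); anything not explicitly allowed is denied."""
    try:
        text = raw.decode("ascii")  # binary junk in the head is not HTTP
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    head, terminator, _body = text.partition("\r\n\r\n")
    if not terminator:
        return False, "request head not terminated (full assembly failed)"
    lines = head.split("\r\n")
    if any("\r" in ln or "\n" in ln for ln in lines):
        return False, "bare CR or LF inside request head"
    request_line, headers = lines[0], lines[1:]
    if len(request_line) > policy["max_request_line"]:
        return False, "request line too long"
    match = REQUEST_LINE_RE.match(request_line)
    if not match:
        return False, "malformed request line"
    method, target, version = match.groups()
    if version not in policy["allowed_versions"]:
        return False, f"version {version} not allowed"
    if method not in policy["allowed_methods"]:
        return False, f"method {method} not allowed"
    if not target.startswith("/") or ".." in target.split("?", 1)[0].split("/"):
        return False, "target must be an absolute path without '..'"
    if not target.startswith(policy["allowed_path_prefixes"]):
        return False, f"path {target} not in the allowed set"
    if len(headers) > policy["max_headers"]:
        return False, "too many headers"
    for header in headers:
        name, colon, _value = header.partition(":")
        if not colon or not TOKEN_RE.match(name):
            return False, f"malformed header {header[:24]!r}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for sample in (
        b"GET /app/index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
        b"DELETE /app/index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
        b"GET /app/x HTTP/1.1\r\nHost: a\nX-Injected: y\r\n\r\n",
    ):
        print(sample.split(b"\r\n", 1)[0], check_request(sample))
```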
16
TrustedSource™ Reputation Services
Add reputation scoring to your arsenal
(Diagram: sources in London, Portland, Atlanta and Hong Kong send reputation requests to the Trusted Center and receive a response of GOOD reputation or BAD reputation before reaching the protected networks; a critical situation is flagged.)
The increase in bandwidth-stealing spam is staggering – a 68% increase between October and November 2006 - resulting in 90% of all inbound e-mail being spam!
17
REPUTATION SCORING - Physical World Example
Should the bank trust your credit score?
Credit Agency:
How well do they monitor your activity? Breadth: how many businesses or people they track. Depth: number of transactions or activities tracked.
How reliable & timely is their analysis? Real-time continuous analysis of activities (number of transactions, timely payments, late payments) allows useful scoring. This score dynamically changes over time.
How effective is the proactive result? Credit score from 1 to 10; the score determines the terms of credit. Credit is not simply good or bad, there are many shades of grey.
Bank: Should we extend a loan to you? No / maybe / yes – deny or approve the loan, and on what terms.
18
How Sidewinder Uses TrustedSource Reputation Scoring
Typical Enterprise Email: 90% spam, 10% good email
• Granular reputation score calculated
• Score associated with mail sender’s IP address
• Customer defines threshold settings on Sidewinder
(Diagram: 1,000 messages arrive, 90% spam and 10% good; Sidewinder queries the reputation score from the TrustedSource global centers or from a TrustedSource system inside the network; senders scored Bad are dropped, Good mail continues.)
Automatically drop over 540 messages (= approx. 60% of the spam!)
Only 460 messages need to be further processed by the Sidewinder anti-spam engine and the Sidewinder anti-virus engine.
19
The Leader in Proactive Protection
(Diagram: TrustedSource global centers in Atlanta, Brazil, London, Hong Kong and Portland feed a data store; the internal network sends a reputation query about Internet traffic.)
Largest Reputation Network
• Feeds from thousands of load balancers, FWs, Msg & Web gateways
• Highest quality data
• Over 100 Billion Messages/month
• Millions of URLs
Most Reliable Reputation Score
• 25 research scientists
• Sophisticated behavior analysis
• 450,000+ zombies detected each day
• Best image spam detection
Be Proactive in Protecting From Next Generation Threats
Work with the clear leader in this business!
Reputation Score Calculated: from -180 (Bad) through Suspicious to +180 (Good)
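An added illustration of the threshold gating that slides 18 and 19 describe (not TrustedSource or Sidewinder code): a score lookup at the SMTP greeting on the -180 to +180 scale, with the thresholds, the sender table and the connection log constructed for the example.

```python
"""Reputation-gated SMTP acceptance, modelled on slides 18 and 19 above.

Added example, not TrustedSource or Sidewinder code. Scores run from -180
(bad) to +180 (good) as on slide 19; the thresholds, the sender table and
the connection log below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

SCORE_MIN, SCORE_MAX = -180, 180  # reputation scale shown on slide 19


@dataclass(frozen=True)
class GatePolicy:
    """Customer-defined thresholds (assumed values)."""
    drop_below: int = -60        # worse than this: refuse at the greeting
    suspicious_below: int = 40   # worse than this: accept, but flag for scanning


# Constructed reputation table keyed by sender IP (documentation ranges, not real data).
REPUTATION = {
    "198.51.100.7": -170,
    "198.51.100.8": -75,
    "203.0.113.9": 10,
    "203.0.113.10": 150,
}


def gate_connection(sender_ip: str, reputation: dict, policy: GatePolicy) -> tuple:
    """Decide at HELO, before any message data is read.

    Returns (action, band, smtp_reply): 'drop' refuses with a 554 greeting,
    'scan' lets the session continue into the on-box anti-spam/anti-virus engines.
    """
    score = reputation.get(sender_ip)
    if score is None:  # unknown sender: no verdict, let the engines look at it
        return "scan", "unknown", "220 ready"
    if not SCORE_MIN <= score <= SCORE_MAX:
        raise ValueError(f"score {score} outside {SCORE_MIN}..{SCORE_MAX}")
    if score < policy.drop_below:
        return "drop", "bad", "554 connection refused by sender reputation"
    if score < policy.suspicious_below:
        return "scan", "suspicious", "220 ready"
    return "scan", "good", "220 ready"


def process_log(connections: list, reputation: dict, policy: GatePolicy) -> dict:
    """Apply the gate to a list of sender IPs and report what the engines were spared."""
    actions, bands = Counter(), Counter()
    for ip in connections:
        action, band, _reply = gate_connection(ip, reputation, policy)
        actions[action] += 1
        bands[band] += 1
    total = len(connections)
    return {
        "total": total,
        "dropped_at_hello": actions["drop"],
        "passed_to_engines": actions["scan"],
        "drop_percent": round(100 * actions["drop"] / total, 1) if total else 0.0,
        "bands": dict(bands),
    }


if __name__ == "__main__":
    # Constructed connection log: ten greetings, six from the worst-scored senders.
    log = ["198.51.100.7"] * 4 + ["198.51.100.8"] * 2 + [
        "203.0.113.9", "203.0.113.10", "192.0.2.5", "203.0.113.10"]
    print(process_log(log, REPUTATION, GatePolicy()))
```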
20
TrustedSource Proactively Identifies Outbreaks
Before they happen…
Timeline: Sept 12, 2005 – TrustedSource flagged zombie; Nov 2, 2005 – other reputation systems triggered; Nov 3, 2005 – A/V signatures
• Nov 1, 2005: This machine began sending Bagle worm across the Internet
• Nov 3, 2005: Anti-virus signatures were available to protect against Bagle
• Two months earlier, TrustedSource identified this machine as not being trustworthy
21
Why TrustedSource on Sidewinder?
Drop, save & protect!
Enjoy! Dramatically less spam processing & significantly increased security posture!
Legacy Firewalls… treat spam like legitimate traffic, introducing huge amounts of undesirable traffic to the downstream network.
Sidewinder Appliances… use TrustedSource’s reputation services to treat spam like ‘malware infected junk’, dropping it without processing anything more than the initial ‘hello’ from a spammer!
Drop: Don’t pay the cost of processing spam. Drop over 60% of spam at the perimeter the moment it tries to say ‘hello.’
Save: Your bandwidth is for delivering quality customer service, and for your employees to efficiently do their jobs.
Protect: Bad source IPs often distribute spyware & viruses, so dropping all known ‘bad’ IP sender requests at the perimeter just makes common sense.
STOP KNOWN SPAM! (including phishing, malicious URLs & infected attachments)
22
Case Study – Orange County, CA
Just like everyone else…spam is hitting ‘the OC’ hard
• Orange County, CA uses Sidewinder as its internet point of presence (POP) for e-mail
• Since October 2005, the number of e-mail connections they see per day has jumped from 100k to 900k
• “I am surprised to be able to say this, but I definitely believe that the combination of the Trusted Source feature and long-term black holing have had a very measurable and significant positive impact which is visible as a distinct trend.”
David Tulo, OC Security Engineer
Sidewinder and TrustedSource respond to the challenge (TS turned on in yellow)
23
(IPS) Intrusion Prevention Security Service
Strong design scales performance
Accelerator card for Enterprise models; software engine for lower-end models
Sidewinder Intrusion Prevention is built for maximum performance and detection using industry leading acceleration technology.
IPS Signature-based Intrusion Prevention is available on all of our appliance models.
24
(IPS) Intrusion Prevention Security Service
IPS Attack signature service
(Diagram: a global grid of shallow decoys feeds signature candidates, created for review, into the IPS Threat Knowledge System; tested & qualified signatures go to the download site, from which automated signature updates reach the appliance.)
IPS Threat Knowledge System
1. Learning algorithms are deployed in a global grid of shallow decoys
2. They look for traffic that the algorithms can classify (good, bad, unknown)
3. Unknown content is sent into the knowledge system for classification
4. The system automatically builds signature candidates for human quality review
5. Signatures are then released to our download servers for retrieval by your Sidewinder
25
SIP.SOFTSTONE.REXPLOIT"; content: "| B8 75 C1 e4 88 2D |"; content: "| 50 59 33 c0 50 68 68 61 63 6b 54 5a 50 52 52 50 53 51 c3 |"; sid: 20010585;)
Look for relevant signature groups for the service VoIP/SIP and add to the rule
Select how you want the firewall to respond if the signature is hit
26
Signature groups are provided so the firewall is at maximum efficiency in employing signatures only for services and connections you wish to inspect with signatures.
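An added example (not Sidewinder code) of how the signature service and the group selection on slides 24 to 26 fit together: it parses the content options and sid from the rule fragment shown above, applies the rule only to connections whose service has that signature group enabled, and returns the configured response; the port map, the group name, the response setting and the payloads are assumed.

```python
"""IPS signature matching scoped by service group, after slides 24 to 26 above.

Added example, not Sidewinder code. The rule text is the fragment shown on
slide 25 (its leading part is cut off in the deck and is left that way); the
port-to-service map, the group name, the response setting and the payloads
are assumed.
"""
import re

RULE_TEXT = (
    'SIP.SOFTSTONE.REXPLOIT"; content: "| B8 75 C1 e4 88 2D |"; '
    'content: "| 50 59 33 c0 50 68 68 61 63 6b 54 5a 50 52 52 50 53 51 c3 |"; '
    'sid: 20010585;)'
)
CONTENT_RE = re.compile(r'content:\s*"\|([0-9A-Fa-f ]+)\|"')
SID_RE = re.compile(r"sid:\s*(\d+)")

# Assumed: which service a connection belongs to, by destination port.
SERVICE_BY_PORT = {5060: "sip", 80: "http", 25: "smtp"}


def parse_rule(text: str, group: str) -> dict:
    """Pull the hex content options and the sid out of a Snort-style rule body."""
    patterns = [bytes.fromhex(h) for h in CONTENT_RE.findall(text)]
    sid_match = SID_RE.search(text)
    if not patterns or sid_match is None:
        raise ValueError("rule needs at least one content option and a sid")
    return {"sid": int(sid_match.group(1)), "group": group, "patterns": patterns}


def matches(rule: dict, payload: bytes) -> bool:
    """Every content option must be present; this model also requires them in order."""
    pos = 0
    for pat in rule["patterns"]:
        pos = payload.find(pat, pos)
        if pos < 0:
            return False
        pos += len(pat)
    return True


def inspect_packet(dst_port: int, payload: bytes, rules: list, fw_rule: dict) -> dict:
    """Run only the signature groups the firewall rule enables for this service."""
    service = SERVICE_BY_PORT.get(dst_port, "other")
    if service not in fw_rule["services"]:
        return {"service": service, "inspected": False, "action": "pass", "sid": None}
    for rule in rules:
        if rule["group"] in fw_rule["signature_groups"] and matches(rule, payload):
            return {"service": service, "inspected": True,
                    "action": fw_rule["response"], "sid": rule["sid"]}
    return {"service": service, "inspected": True, "action": "pass", "sid": None}


# Assumed firewall rule from slides 25/26: inspect SIP with the VoIP/SIP group, drop on a hit.
FIREWALL_RULE = {"services": {"sip"}, "signature_groups": {"VoIP/SIP"}, "response": "drop"}
RULES = [parse_rule(RULE_TEXT, "VoIP/SIP")]

# Constructed payloads: a SIP INVITE carrying both byte sequences, and a clean one.
BAD_SIP = (b"INVITE sip:bob@example.test SIP/2.0\r\n\r\n"
           + RULES[0]["patterns"][0] + b"\x90" + RULES[0]["patterns"][1])
CLEAN_SIP = b"INVITE sip:bob@example.test SIP/2.0\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(inspect_packet(5060, BAD_SIP, RULES, FIREWALL_RULE))
    print(inspect_packet(5060, CLEAN_SIP, RULES, FIREWALL_RULE))
    print(inspect_packet(80, BAD_SIP, RULES, FIREWALL_RULE))  # not a SIP connection: skipped
```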
27
SecureOS® Self-Defending Platforms
It is important in the future that network security products…
IT Security Summit 2006, Greg Young, John Pescatore:
• “…are more secure (by orders of magnitudes) than the PCs and servers they are protecting.”
• “…are focused on demonstrating best of breed in developing secure software, rather than joining the patch of the month club.”
“Secure Computing has a well-deserved reputation for quality assurance and has never had to issue a patch to correct a product vulnerability.”
1H 06 FW Magic Quadrant
Zero Emergency Patch Projects (11+ Years)
28
SecureOS® Architecture
Secure Operating System / SecureOS®
Secured by our patented Type Enforcement® technology
Type enforcement tables in the OS kernel strictly control all read, write and execute rules for every piece of software
29
Understanding Type Enforcement® Tables & Tags!
EXAMPLE (directory listing showing standard UNIX permissions, user and group information, time stamp, and the Type Enforcement tag before each file name):
-rw-r--r-- 1 bin bin 3929 Mar 15 09:43 nss2:conf nss.conf.External
-rw-r--r-- 1 bin bin 3930 Mar 15 09:43 nss2:conf nss.conf.External.bak
-rw-r--r-- 1 bin bin 3930 Mar 13 09:04 nss4:conf nss.conf.Extranet
-rw-r--r-- 1 bin bin 3919 Mar 13 12:24 nss1:conf nss.conf.Internal
-rw-r--r-- 1 bin bin 3920 Mar 13 12:24 nss1:conf nss.conf.Internal.bak
drwxr-xr-x 2 ntp ntp 512 Nov 19 20:29 ntpc:diry ntp
Any NTP process that attempts to access any function that is not Type Enforced “ntpc:xxxx” will be stopped, alarmed, and notifications sent.
• Every single file, directory, and process on Sidewinder has Type Enforcement (TE) tags added by our software engineers
• Tags are strictly enforced by the domain controller table in the kernel of the OS!
30
Type Enforcement®
A Mandatory Access Control Mechanism
A software coding technique that protects and contains all computer processes, data, and all hosted software from misuse.
With Mandatory Access Control…
• The system’s software-use policy is hard-coded by the developer (e.g., Secure Computing Corporation)
• No user (e.g., hacker) or administrator under any scenario is permitted to grant less restrictive access to how the software runs than the developer specified
• No software can be executed on the platform that is foreign (e.g., an attack script or Trojan) – so whether the attack software is known or unknown, it is blocked from executing
Unlike discretionary access control…
• Discretionary access control systems permit users (e.g., hackers), through accident or malice, to exploit vulnerabilities in software to manipulate it to their use, including getting complete root access (a common method here is to launch a buffer-overflow attack).
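The tag-and-table idea from slides 29 and 30, as an added model (not SecureOS code): files carry the domain:type tags from the listing above, a read-only mapping stands in for the kernel's domain definition table, and an access is granted only when both the UNIX permission bits and the TE table allow it; the domain names and the table entries are assumed.

```python
"""Small model of a Type Enforcement access check, after slides 29 and 30 above.

Added example, not SecureOS code. The domain:type tags and permission bits
come from the listing on slide 29; the domain names and the table contents
are assumed (the real table is hard-coded by the vendor in the kernel and
cannot be loosened by users or administrators).
"""
from types import MappingProxyType

# Four lines of the slide-29 listing: mode, links, owner, group, size, date, TE tag, name.
LISTING = """\
-rw-r--r-- 1 bin bin 3929 Mar 15 09:43 nss2:conf nss.conf.External
-rw-r--r-- 1 bin bin 3930 Mar 13 09:04 nss4:conf nss.conf.Extranet
-rw-r--r-- 1 bin bin 3919 Mar 13 12:24 nss1:conf nss.conf.Internal
drwxr-xr-x 2 ntp ntp 512 Nov 19 20:29 ntpc:diry ntp
"""

# Assumed domain-definition table: (process domain, file type) -> allowed operations.
# A read-only mapping stands in for a table that only the vendor can change.
TE_TABLE = MappingProxyType({
    ("ntpc", "ntpc:diry"): frozenset("rwx"),
    ("nss1", "nss1:conf"): frozenset("r"),
    ("nss2", "nss2:conf"): frozenset("r"),
    ("nss4", "nss4:conf"): frozenset("r"),
})


def parse_listing(text: str) -> dict:
    """Map file name -> (mode, owner, group, te_tag)."""
    files = {}
    for line in text.splitlines():
        mode, _n, owner, group, _size, _mon, _day, _time, tag, name = line.split()
        files[name] = (mode, owner, group, tag)
    return files


def dac_allows(mode, owner, group, user, user_group, op) -> bool:
    """Standard UNIX permission bits: the discretionary layer TE sits beneath."""
    bits, idx = mode[1:], {"r": 0, "w": 1, "x": 2}[op]
    if user == owner:
        return bits[idx] != "-"
    if user_group == group:
        return bits[3 + idx] != "-"
    return bits[6 + idx] != "-"


def check_access(domain, user, user_group, name, op, files, table=TE_TABLE) -> dict:
    """Both layers must allow the operation; a TE refusal is also an alarm event."""
    if name not in files:  # untagged: foreign binary or data, never used or run
        return {"allowed": False, "alarm": True, "reason": f"{name}: no TE tag"}
    mode, owner, group, tag = files[name]
    if not dac_allows(mode, owner, group, user, user_group, op):
        return {"allowed": False, "alarm": False, "reason": "UNIX permission denied"}
    if op not in table.get((domain, tag), frozenset()):
        return {"allowed": False, "alarm": True,
                "reason": f"TE: domain {domain} may not {op} type {tag}"}
    return {"allowed": True, "alarm": False, "reason": "allowed by DAC and TE"}


if __name__ == "__main__":
    files = parse_listing(LISTING)
    # An NTP process inside its own directory, then straying into an NSS config file.
    print(check_access("ntpc", "ntp", "ntp", "ntp", "r", files))
    print(check_access("ntpc", "ntp", "ntp", "nss.conf.External", "r", files))
    print(check_access("ntpc", "ntp", "ntp", "dropped_tool", "x", files))
```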
31
Type Enforcement® Has a Real Purpose
PROBLEM: Check Point HTTP software compromised (Check Point, February 2004)
DAMAGE: Attacker can gain root access control
SOLUTION: Patch Check Point software
Other security vendors release emergency patches all the time – disrupting your business.
32
Sidewinder: Versatile, broad and deep inspection under one interface
Secure Operating System / SecureOS®: secured by our patented Type Enforcement® technology
Single Rule View: manage all aspects of security policy for inside and outside network edges with 1 interface.
Global Intelligence & Knowledge Systems: TrustedSource™ Sender Reputation; IPS Threat Knowledge System
Signature-based Intrusion Prevention: custom IPS rules; IPS integrated into firewall policy; ASIC accelerated engine
On-box Security Services & Scanning Engines: Antispam; Antivirus & Anti-spyware; SSL Decryption; Secure DNS Server; URL Filtering; Secure Email Server
Application Gateway Security – Proxies: Citrix ICA, SNMP, MS-SQL, Oracle, Telnet, FTP, IIOP, RTSP, H.323, SIP, SMTP, HTTP/HTTPS
Network Layer Controls: DOS Prevention; High Availability; Security Zones; Stateful Inspection; VLAN
33
Sidewinder Defense-in-Depth
Complete set of security features under one unified management
Key Differentiator: Sidewinder provides the most security technologies under one unified, efficient policy management tool
(Diagram: in-bound and out-bound access controls each pass through Network Access Rules and Auth & Role-based access; Reputation Services and Intelligent Application Inspection stop unknown threats; IPS and Virus & Malware Prevention stop known threats.)
Single Rule View means lower admin overhead, and better policy management efficiency
34
Leading Edge Hardware Platforms
(Diagram: appliance models 110, 210, 410, 510, RM-700 (new), 1100, 2100, 2150 and 4150, positioned from Branch Office through Regional Office to Corporate HQ; interfaces, redundancy and speed grow with the model; ASIC acceleration for IPS and crypto.)
• Powerful Appliances
  • Ultra-fast 64 bit processing
  • State of the art dual-core Intel architecture
  • ASICs and crypto hardware acceleration available
  • Multi-GB application layer performance (up to 3X faster)
• Highly Available Platforms
  • HA pairs – one to many mgmt.
  • Clusters – one to many management
  • RAID & power supply redundancy
  • Rugged – military & heavy industry
• Industry Leading Warranty
  • 3 yr warranty (included with purchase)
  • Next Business Day on-site hardware repair services (standard 410 to 4150 models)
Purpose-built appliances that are secure and scalable; can be easily deployed, managed, and maintained.
35
Best Performing Solution
Enterprise class application security performance
“When it comes to performance numbers, Sidewinder can handle a ridiculous number of concurrent connections.”
“Sidewinder is tops at combining protection and performance...” – Network Computing
Application Security Throughput
• When turning on application layer inspection, Sidewinder shines
• Our competitors focus on stateful inspection throughput, perform badly at layer 7
(Chart: application security throughput in Mbps, axis 0 to 2,500; Juniper SSG 5400 and Cisco ASA 5540 bars at 500 Mbps and 450 Mbps, Sidewinder 4150 bar at 2.25 Gbps.)
Sources:
http://www.securecomputing.com/index.cfm?skey=956
http://www.netfast.com/xq/asp/qx/PDF/Juniper%20Networks/110007.pdf
http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.htm (chart 6)
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
36
Central Monitoring, Alerting & Reporting
Network Gateway Security
• Central server
  • Reporting for multiple security appliances
• Web Portal
  • Customizable web portal with views specific to the user, dashboards
  • Anywhere, anytime access to reports (web based)
• Reports
  • Printable reports in several languages
  • Pre-built compliance reports
  • Hourly, daily, weekly, monthly, and “all” time ranges
(Screenshots: Graphical Dashboard, Instant Reports, Customizable Alerts, Compliance Reporting)
37
Case Study Examples
Network Gateway Security
American Express
• Global company in over 130 countries.
• Transitioned from a centralized architecture - required layered security with proxy firewall for inside edge.
• Superb technical support was key to selection of Sidewinder.
• Complemented not replaced existing perimeter firewalls; deployed as an inside edge gateway for many locations
• Reduced overhead and costs for multiple edge security functions (e.g. SmartFilter on Sidewinder)
Australian Taxation Office
• Australian government agency, responsible for revenue/taxation; a constantly attacked organization.
• 24,000 employees and 1,150,000 clients that interact with the ATO through the firewall plus 19,000 tax agents – performance was a critical requirement.
• Rolled out over 12 Sidewinders for both perimeter and layered firewalls.
• Deploying Sidewinder reduced performance overhead by 80 percent, confirmed enterprise scale and throughput.
“The ATO needed the most comprehensive security appliance available, and we found it in Sidewinder G2”, says David Hay. “Sidewinder’s approach consolidates multiple security functions in a single system, it makes managing our security environment much less complex.”
38
Evaluating Network Gateway Security Products
(Checklist with columns for Category, Secure Computing and Other vendor)
Platform Lifespan: Is the platform architected to receive software upgrades for years into the future or will an ASIC forklift upgrade be on your horizon sooner rather than later?
Certification: Does the product have application layer firewall certifications relevant to fighting application-layer attacks?
Single Unified Management: Does the product give you a single unified view of all security policies or do you have to manage & view them separately?
Application Security Performance: Does the product scale to multi-gigabit throughput when doing real application security processing?
Global Intelligence: Can the product leverage source IP reputation intelligence to eliminate millions of known bad senders immediately at the outside interface?
Operating System (OS) Security: Can the vendor prove that the product has never required emergency security patches?
39
Why Sidewinder?
Proven, Fast and Secure
Global Intelligence
Best Performance
Highest Security