Next-Generation Firewalls: Results from the Lab
Robert Smithers, CEO, Miercom

Miercom: Independent Analysis, Research and Reviews, 2014-04-10

Feb 10, 2021

  • Next-Generation Firewalls: Results from the Lab

    Robert Smithers, CEO, Miercom

  • Agenda
    • Participating Vendors and Products
    • How We Did It
    • Categories of Products Tested
    • About the Technology
      – Secure Web Gateway
      – Next-Generation Firewall
      – Unified Threat Management
      – Sandbox
      – Spam Filtering

  • Agenda
    • Three High Risk Event Results
      – CryptoLocker
      – Outbound Botnet
      – Worm and Trojans
    • Industry Average Comparisons
      – Layer 3 Firewall Throughput
      – Malicious Files Legacy
      – Malicious URLs: Blended Malicious Threats
      – Malicious Files Wild

  • Agenda
    • Industry Average Comparisons
      – Malicious URLs Wild: Malc0de
      – Layer 7 Firewall Throughput Max
      – Layer 7 Firewall Throughput Mixed
      – Application Control

  • Participating Vendors and Products
    • Blue Coat ProxySG 300-5
    • Check Point 4210 NGFW
    • Check Point SWG-12600
    • Cisco ASA 5545-X with CX Module
    • Cisco ISA550W
    • Cyberoam CR100iNG
    • Dell SonicWALL NSA 2600

  • Participating Vendors and Products
    • Dell SonicWALL TZ 105 (Cloud)
    • Dell SonicWALL TZ 105 (Appliance)
    • FireEye Malware Protection System 1310
    • Fortinet FortiGate 20-C
    • Fortinet FortiGate 100-D
    • Fortinet FortiGate 800-C
    • Juniper SRX650 Services Gateway

  • Participating Vendors and Products
    • Palo Alto PA-3020
    • Sophos SG 210
    • Sophos SG 230
    • Sophos UTM 220
    • WatchGuard XTM 525
    • Websense Web Security Gateway

  • How We Did It
    Test equipment included:
      – Ixia XG12 and BreakingPoint FireStorm
      – Spirent Studio Security
      – Apposite Linktropy 7500 PRO
      – WildPackets OmniPeek for Windows
      – Windows 7 and Windows XP Clients/Endpoints
      – Monitoring Tools

  • Categories of Products Tested
    • Secure Web Gateway
    • Next-Generation Firewall
    • Unified Threat Management
    • Sandbox
    • Spam Filtering

  • Secure Web Gateway (SWG)
    • Edge security platform against Web-borne threats that can invade the enterprise network via Internet browsing; enforces the organization's policies for Internet usage and regulatory compliance
    • Essential functionality: URL filtering, malicious code detection/filtering and application control
    • Products with real-time, cloud-based content analysis tend to outperform those that look up URLs and/or threat signatures in a static database

  • Secure Web Gateway (SWG)
    • Class of product for organizations of all sizes: SMB and Enterprise
    • Essential functionality: URL filtering, malicious code detection/filtering and application control
      – SMB: protects against basic threats, easy to implement/manage
      – Enterprise: protection extended to advanced and targeted threats, requires more skill and resources to implement/manage
    • On-premises appliance most popular, with software, virtual, cloud (SWG as a Service) and on-premises / cloud hybrid versions also available

  • Next-Generation Firewall (NGFW)
    • Evolutionary type of network edge security device
    • Possesses combination of functionality of basic firewall and enhancements
      – Traffic inspection enables detection and blocking of malicious activity
      – Application awareness enables identification of attacks directed at the network as well as enforcement of the organization's Internet usage and regulatory compliance policies

  • Next-Generation Firewall (NGFW)
    • Available for organizations of all sizes
    • Can be deployed as appliance, virtual appliance or software-based solution
    • Inline "bump in the wire" deployment: enabling functionality does result in reduced network performance
    • Next-generation firewall arguably has caused basic firewall to go the way of video cassette recorders and VHS tapes, into obsolescence

  • Unified Threat Management (UTM)
    • Just as Next-Generation Firewall, an evolutionary class of network edge security platform
    • Combination of firewall and VPN of basic firewall plus…
    • Intrusion Prevention System also found in Next-Generation Firewall, URL filtering and antivirus also found in Secure Web Gateway, and anti-spam and mail antivirus also found in Spam Filtering products
    • Primarily aimed at small and mid-sized businesses

  • Unified Threat Management (UTM)
    • Available as appliance, virtual appliance, software and cloud-based
    • Network administrator must find balance between security and network performance
      – Individual packets examined by each security function enabled, adding to latency/detracting from throughput

  • Sandbox
    • Security technique for protecting enterprise network from malware by running applications and visiting Websites in a controlled environment
    • FireEye leads market with competitors including AhnLab, Blue Coat, Check Point, Damballa, McAfee, Palo Alto Networks and Sourcefire (acquired by Cisco in October 2013)
    • Sandbox appliance or cloud-based service is part of a multi-layered security system

  • Sandbox
    • Botnets, zero-day attacks and corporate espionage among factors that fueled advent of sandbox; virtualization has facilitated utilization of sandbox
    • Small percentage of malware has written-in capability to try to defeat sandbox
      – Check environment to determine if it is in a sandbox
      – Seek to be allowed to pass by attempting to time out the sandbox, stalling by performing meaningless calculations

  • Spam Filtering
    • Class of network security device that safeguards against unwanted inbound and outbound Email: spam
      – Inbound: protect networked computers against dangerous forms of spam such as phishing attempts and Emails containing viruses
      – Outbound: protect against networked computers being compromised and used as a zombie in a botnet to generate spam

  • Spam Filtering
    • Spam is no small problem: estimated 50-60% of enterprise Email
    • Key functionality: protect against inbound, targeted phishing attacks
    • Functionality growing in importance: ability to re-evaluate URL link(s) in Email at the time of end user click
    • Available as appliance, software, managed service
    • Based on Gartner 2013 Magic Quadrant:
      – Product leaders are Cisco, Proofpoint, Symantec, Microsoft and McAfee
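The time-of-click URL re-evaluation mentioned on the slide above, as an added example that is not from the Miercom deck or any of the tested products: links are rewritten at delivery time to point at a signed redirector, and the original target is checked against the current blocklist only when the user actually clicks. The redirector URL, signing key and blocklist are constructed placeholders.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholders: rotate the key and host the redirector yourself.
SIGNING_KEY = b"example-signing-key"
REDIRECTOR = "https://clicks.example.invalid/r"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url):
    # HMAC over the original URL so a user cannot swap in another target
    # while keeping the signature of a link the filter actually rewrote.
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body):
    """Delivery time: wrap every link so the target is evaluated on click,
    not only against the reputation data available when the mail arrived."""
    def wrap(match):
        url = match.group(0)
        return f"{REDIRECTOR}?u={quote(url, safe='')}&s={_sign(url)}"
    return URL_RE.sub(wrap, body)


def resolve_click(redirect_url, blocked_hosts):
    """Click time: verify the signature, then re-check the host against the
    blocklist as it stands now. Returns (verdict, original_url), where
    verdict is 'allow', 'block' or 'invalid'."""
    params = parse_qs(urlparse(redirect_url).query)
    url = params.get("u", [""])[0]
    sig = params.get("s", [""])[0]
    if not url or not hmac.compare_digest(sig, _sign(url)):
        return "invalid", url
    host = (urlparse(url).hostname or "").lower()
    # A listed domain also covers its subdomains.
    if host in blocked_hosts or any(host.endswith("." + b) for b in blocked_hosts):
        return "block", url
    return "allow", url


if __name__ == "__main__":
    # Constructed sample message; the host becomes known-bad after delivery.
    mail = "Invoice: http://billing.example.invalid/inv?id=7 (see attached)"
    rewritten = rewrite_links(mail)
    link = URL_RE.search(rewritten).group(0)
    print(resolve_click(link, set()))                          # at delivery
    print(resolve_click(link, {"billing.example.invalid"}))    # at click
```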

  • Three High Risk Event Results
    Specific High Risk Events
      – CryptoLocker
      – Outbound Botnet
      – Worm/Trojan

  • CryptoLocker
    • Ransomware trojan
    • Encrypts specific types of files using RSA public-key cryptography
    • Message displays an offer to decrypt the data if payment is made

  • Outbound Botnet
    • Botnet is a network of compromised computers under control of a third party whose purpose is to invade the network
    • Remains inactive until it gets orders from its command and control hosts
    • Designed to steal the most valuable information on a network
    • Outbound botnet defense protects corporate data from leaving the network

  • Worms
    • Computer worms are a type of malware that replicates functional copies of themselves to cause damage to data or software
    • Host program or human help is not needed for them to propagate
    • Worm enters a computer through a system vulnerability and uses a file- or information-transport feature to allow it to travel independently

  • Trojans
    • A Trojan is another type of malware that appears as legitimate software
    • Users are tricked into loading and executing it
    • Trojans can achieve a variety of attacks on the host, from distractions (pop-up windows) to major damage (deleting files, activating and spreading other malware)
    • Can also create back doors to give malevolent users access to the system

  • Industry Average Comparisons
    • Layer 3 Firewall Throughput
    • Malicious Files Legacy
    • Malicious URLs: Blended Malicious Threats
    • Malicious Files Wild
    • Malicious Files Wild: Malc0de
    • Layer 7 Firewall Throughput Max
    • Layer 7 Firewall Throughput Mixed
    • Application Control

  • Industry Average Comparisons
    • HTTP Proxy Throughput
    • Firewall + IPS Throughput
    • Application Control / URL Filtering

  • Industry Average Comparisons: Layer 3 Firewall Throughput
    [Bar chart. Y axis: Layer 3 Firewall Throughput (Mbps). Devices: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, XTM 525. Bar values as extracted (device order not recoverable): 2678, 2029, 1884, 1886, 1322. Industry Average: 2,057.3 Mbps.]
    Source: Miercom, UTM and NGFW Industry Assessment 2014

  • Industry Average Comparisons: Malicious Files Legacy
    [Bar chart. Y axis: Malicious Files Blocked (%). Devices: SWG-12600, Malware Protection System 1310, Web Security Gateway. Bar values as extracted (device order not recoverable): 81.8, 74.2, 1.1. Industry Average: 39.3 (labelled "Mbps" on the slide although the axis is a percentage).]
    Source: Miercom, UTM and NGFW Industry Assessment 2014

  • Industry Average Comparisons: Malicious URLs: Blended Malicious Threats
    [Bar chart. Y axis: Malicious URLs Blocked (%). Devices: 4210 NGFW, Malware Protection System 1310, ASA 5545-X with CX Module, FortiGate 800-C, SRX650 Services Gateway, PA-3020, Web Security Gateway. Bar values as extracted (device order not recoverable): 32.1, 71.4, 16.7, 37.6, 6.3, 4.8, 4.8. Industry Average: 25.1 (labelled "Mbps" on the slide although the axis is a percentage).]
    Source: Miercom, UTM and NGFW Industry Assessment 2014

  • Industry Average Comparisons: Malicious Files Wild
    [Bar chart. Y axis: Malicious Files Blocked (%). Device labels were not recoverable from the extraction. Bar values as extracted: 83.8, 93.0, 90.3, 82.0, 97.5, 47.5, 50.0, 34.0, 62.0, 9.5, 30.3, 4.2, 9.5. Industry Average: 73.5 (labelled "Mbps" on the slide although the axis is a percentage).]
    Source: Miercom, UTM and NGFW Industry Assessment 2014

  • Industry Average Comparisons: Malicious URLs Wild: Malc0de
    [Bar chart. Y axis: Malicious URLs Blocked (%). Devices: 4210 NGFW, ASA 5545-X with CX Module, Malware Protection System 1310, FortiGate 800-C, SRX650 Services Gateway, PA-3020, Web Security Gateway. Bar values as extracted (device order not recoverable): 83.8, 82.0, 97.5, 47.5, 4.2, 9.5, 30.3. Industry Average: 41.6 (labelled "Mbps" on the slide although the axis is a percentage).]
    Source: Miercom, UTM and NGFW Industry Assessment 2014

  • Industry Average Comparisons: Layer 7 Firewall Throughput Max
    [Bar chart. Y axis: Layer 7 Firewall Throughput (Mbps). Devices: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, XTM 525, SG 210, SG 230. Bar values as extracted (device order not recoverable): 3240, 3225, 2260, 2310, 1400, 1078, 1590. Industry Average: 2,158 Mbps.]
    Source: Miercom, UTM and NGFW Industry Assessment 2014

  • Industry Average Comparisons: Layer 7 Firewall Throughput Mixed
    [Bar chart. Y axis: Layer 7 Firewall Throughput (Mbps). Devices: SonicWALL NSA 2600, FortiGate 100-D, UTM 220, XTM 525, SG 210, SG 230, CR100iNG. Bar values as extracted (device order not recoverable): 3100, 3280, 2170, 2145, 1072, 1020, 1120. Industry Average: 1,987 Mbps.]
    Source: Miercom, UTM and NGFW Industry Assessment 2014

  • Industry Average Comparisons: Application Control
    [Bar chart. Y axis: Application Control Throughput (Mbps). Devices: SonicWALL NSA 2600, CR100iNG, FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525. Bar values as extracted (device order not recoverable): 2650, 3300, 2090, 2650, 1130, 132, 403, 442. Industry Average: 1,345 Mbps.]
    Source: Miercom, UTM and NGFW Industry Assessment 2014

  • Industry Average Comparisons: HTTP Proxy Throughput
    [Bar chart. Y axis: Firewall and AV (Proxy) Throughput (Mbps). Devices: SonicWALL NSA 2600, CR100iNG, FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525. Bar values as extracted (device order not recoverable): 704, 585, 163, 237, 212, N/A, N/A. Industry Average: 380 Mbps.]
    Source: Miercom, UTM and NGFW Industry Assessment 2014

  • Industry Average Comparisons: Firewall + IPS Throughput
    [Bar chart. Y axis: Firewall and IPS Throughput (Mbps). Devices: SonicWALL NSA 2600, CR100iNG, FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525. Bar values as extracted (device order not recoverable): 658, 420, 504, 475, 163, 132, 190, 132. Industry Average: 330 Mbps.]
    Source: Miercom, UTM and NGFW Industry Assessment 2014

  • Industry Average Comparisons: Application Control / URL Filtering
    [Bar chart. Y axis: % Protocol/App Combinations Blocked. Devices: ProxySG 300-5, SWG-12600, Web Security Gateway. Bar values as extracted (device order not recoverable): 97.1, 56.9, 65.9. Industry Average: 73.3 %.]
    Source: Miercom, UTM and NGFW Industry Assessment 2014

  • For more information, contact [email protected]

    Request our detailed report on UTM and NGFW appliances.
