Next-Generation Firewalls: Results from the Lab
Robert Smithers, CEO, Miercom
Agenda
• Participating Vendors and Products
• How We Did It
• Categories of Products Tested
• About the Technology
  – Secure Web Gateway
  – Next-Generation Firewall
  – Unified Threat Management
  – Sandbox
  – Spam Filtering
• Three High Risk Event Results
  – CryptoLocker
  – Outbound Botnet
  – Worm and Trojans
• Industry Average Comparisons
  – Layer 3 Firewall Throughput
  – Malicious Files Legacy
  – Malicious URLs: Blended Malicious Threats
  – Malicious Files Wild
  – Malicious URLs Wild: Malc0de
  – Layer 7 Firewall Throughput Max
  – Layer 7 Firewall Throughput Mixed
  – Application Control
Participating Vendors and Products
• Blue Coat ProxySG 300-5
• Check Point 4210 NGFW
• Check Point SWG-12600
• Cisco ASA 5545-X with CX Module
• Cisco ISA550W
• Cyberoam CR100iNG
• Dell SonicWALL NSA 2600
• Dell SonicWALL TZ 105 (Cloud)
• Dell SonicWALL TZ 105 (Appliance)
• FireEye Malware Protection System 1310
• Fortinet FortiGate 20-C
• Fortinet FortiGate 100-D
• Fortinet FortiGate 800-C
• Juniper SRX650 Services Gateway
• Palo Alto PA-3020
• Sophos SG 210
• Sophos SG 230
• Sophos UTM 220
• WatchGuard XTM 525
• Websense Web Security Gateway
How We Did It
Test equipment included:
– Ixia XG12 and BreakingPoint FireStorm
– Spirent Studio Security
– Apposite Linktropy 7500 PRO
– WildPackets OmniPeek for Windows
– Windows 7 and Windows XP Clients/Endpoints
– Monitoring Tools
Categories of Products Tested
• Secure Web Gateway
• Next-Generation Firewall
• Unified Threat Management
• Sandbox
• Spam Filtering
Secure Web Gateway (SWG)
• Edge security platform against Web-borne threats that can invade the enterprise network via Internet browsing; enforces the organization's policies for Internet usage and regulatory compliance
• Essential functionality: URL filtering, malicious code detection/filtering and application control
• Products with real-time, cloud-based content analysis tend to outperform those that look up URLs and/or threat signatures in a static database
• Class of product for organizations of all sizes: SMB and Enterprise
  – SMB: protects against basic threats, easy to implement/manage
  – Enterprise: protection extended to advanced and targeted threats, requires more skill and resources to implement/manage
• On-premises appliance most popular, with software, virtual, cloud (SWG as a Service) and on-premises / cloud hybrid versions also available
Next-Generation Firewall (NGFW)
• Evolutionary type of network edge security device
• Combines the functionality of a basic firewall with enhancements
  – Traffic inspection enables detection and blocking of malicious activity
  – Application awareness enables identification of attacks directed at the network as well as enforcement of the organization's Internet usage and regulatory compliance policies
• Available for organizations of all sizes
• Can be deployed as appliance, virtual appliance or software-based solution
• Inline "bump in the wire" deployment: enabling functionality does result in reduced network performance
• Next-generation firewall arguably has caused the basic firewall to go the way of video cassette recorders and VHS tapes, into obsolescence
Unified Threat Management (UTM)
• Like the Next-Generation Firewall, an evolutionary class of network edge security platform
• Combination of the firewall and VPN of a basic firewall plus…
• Intrusion Prevention System (also found in Next-Generation Firewall), URL filtering and antivirus (also found in Secure Web Gateway), and anti-spam and mail antivirus (also found in Spam Filtering products)
• Primarily aimed at small and mid-sized businesses
• Available as appliance, virtual appliance, software and cloud-based
• Network administrator must find a balance between security and network performance
  – Individual packets are examined by each security function enabled, adding to latency and detracting from throughput
Sandbox
• Security technique for protecting the enterprise network from malware by running applications and visiting Web sites in a controlled environment
• FireEye leads the market, with competitors including AhnLab, Blue Coat, Check Point, Damballa, McAfee, Palo Alto Networks and Sourcefire (acquired by Cisco in October 2013)
• Sandbox appliance or cloud-based service is part of a multi-layered security system
• Botnets, zero-day attacks and corporate espionage are among the factors that fueled the advent of the sandbox; virtualization has facilitated its utilization
• Small percentage of malware has written-in capability to try to defeat the sandbox
  – Checks the environment to determine if it is in a sandbox
  – Seeks to be allowed to pass by attempting to time out the sandbox, stalling by performing meaningless calculations
Spam Filtering
• Class of network security device that safeguards against unwanted inbound and outbound Email: spam
  – Inbound: protect networked computers against dangerous forms of spam such as phishing attempts and Emails containing viruses
  – Outbound: protect against networked computers being compromised and used as a zombie in a botnet to generate spam
• Spam is no small problem: estimated 50-60% of enterprise Email
• Key functionality: protect against inbound, targeted phishing attacks
• Functionality growing in importance: ability to re-evaluate URL link(s) in Email at the time of end user click
• Available as appliance, software, managed service
• Based on Gartner 2013 Magic Quadrant:
  – Product leaders are Cisco, Proofpoint, Symantec, Microsoft and McAfee
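The click-time re-evaluation described above works by rewriting each link at delivery so the click passes through a checker that consults the reputation data current at that moment. The following is an added example of that mechanism, not code from Miercom or from any product in the test; the checker host rewrite.example and the two blocklists are constructed.

```python
"""Click-time URL re-evaluation for links in e-mail.

Added illustration, not code from Miercom or from any product in the
test. Links in a message body are rewritten at delivery time to point
at a checker endpoint (hypothetical host rewrite.example) that carries
the original URL. When the user clicks, the original URL is judged
against the reputation list as it stands at that moment, so a host
flagged after delivery is still blocked.
"""
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed reputation data: hosts known bad at delivery vs. at click time.
BLOCKLIST_AT_DELIVERY = {"bad.example"}
BLOCKLIST_AT_CLICK = {"bad.example", "newly-flagged.example"}

CHECKER = "https://rewrite.example/click"  # hypothetical checker endpoint
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_links(body: str) -> str:
    """Wrap every http(s) link in the body so that clicks pass through the checker."""
    return URL_RE.sub(lambda m: f"{CHECKER}?u={quote(m.group(0), safe='')}", body)


def original_url(rewritten: str) -> str:
    """Recover the original link from a rewritten one (parse_qs percent-decodes it)."""
    query = parse_qs(urlparse(rewritten).query)
    return query["u"][0]


def click_verdict(rewritten: str, blocklist: set[str]) -> str:
    """Decide at click time whether to let the original URL through."""
    host = urlparse(original_url(rewritten)).hostname or ""
    return "block" if host in blocklist else "allow"


def verdicts(rewritten_body: str, blocklist: set[str]) -> dict[str, str]:
    """Map each original URL in a delivered message to its verdict under a blocklist."""
    return {original_url(link): click_verdict(link, blocklist)
            for link in URL_RE.findall(rewritten_body)}


# Constructed message body.
SAMPLE_BODY = ("Your invoice is ready: http://newly-flagged.example/inv/42\n"
               "Help desk: https://intranet.example/help")

if __name__ == "__main__":
    delivered = rewrite_links(SAMPLE_BODY)
    print(delivered)
    print("at delivery:", verdicts(delivered, BLOCKLIST_AT_DELIVERY))
    print("at click:   ", verdicts(delivered, BLOCKLIST_AT_CLICK))
```

The same delivered message yields "allow" for the invoice link under the delivery-time list and "block" under the click-time list; a filter that judged links only at delivery would have let that click through.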
Three High Risk Event Results
Specific High Risk Events
– CryptoLocker
– Outbound Botnet
– Worm/Trojan
CryptoLocker
• Ransomware trojan
• Encrypts specific types of files using RSA public-key cryptography
• Message displays an offer to decrypt the data if payment is made
Outbound Botnet
• Botnet is a network of compromised computers under the control of a third party whose purpose is to invade the network
• Remains inactive until the bots get orders from their command and control hosts
• Designed to steal the most valuable information on a network
• Outbound botnet defense protects corporate data from leaving the network
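Outbound botnet defense, as described above, is an egress control: connections leaving the network are checked against known command-and-control hosts, and bulk transfers to unapproved destinations are stopped. The following is an added example of that check over constructed flow records, not code from Miercom or from any product in the test; the indicator list, approved ranges and byte threshold are all constructed.

```python
"""Outbound botnet defence as an egress check over flow records.

Added illustration, not code from Miercom or from any product in the
test. Each record is one outbound connection from an internal host.
A flow is flagged when its destination is on the (constructed) list of
known command-and-control addresses, or when a large volume leaves the
network toward a destination outside the approved egress ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str        # internal host
    dst: str        # external destination address
    dport: int
    bytes_out: int  # bytes sent from inside to outside


# Constructed indicator list of command-and-control hosts (documentation ranges).
C2_INDICATORS = {"203.0.113.7", "198.51.100.23"}
# Constructed list of external ranges the business legitimately sends data to.
APPROVED_EGRESS = [ip_network("192.0.2.0/24")]
# Constructed threshold above which unapproved egress is treated as possible exfiltration.
BULK_THRESHOLD_BYTES = 50_000_000


def classify(flow: Flow) -> str:
    """Return 'c2-contact', 'bulk-egress-unapproved' or 'allow' for one flow."""
    # A bot's check-in with its controller is typically small; a volume rule
    # alone would not catch it, so the indicator match is applied first.
    if flow.dst in C2_INDICATORS:
        return "c2-contact"
    dst = ip_address(flow.dst)
    approved = any(dst in net for net in APPROVED_EGRESS)
    if not approved and flow.bytes_out >= BULK_THRESHOLD_BYTES:
        return "bulk-egress-unapproved"
    return "allow"


def review(flows) -> dict:
    """Group flows by verdict, keeping only those that would be blocked."""
    blocked = {}
    for f in flows:
        verdict = classify(f)
        if verdict != "allow":
            blocked.setdefault(verdict, []).append(f)
    return blocked


# Constructed flow records.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 443, 1_200),          # small check-in to a known C2 host
    Flow("10.0.0.8", "192.0.2.10", 443, 80_000_000),      # large upload to an approved partner
    Flow("10.0.0.9", "203.0.113.99", 8443, 90_000_000),   # large upload to an unknown host
    Flow("10.0.0.5", "192.0.2.20", 80, 500),              # ordinary browsing
]

if __name__ == "__main__":
    for verdict, flows in review(SAMPLE_FLOWS).items():
        print(verdict, [f"{f.src}->{f.dst}:{f.dport}" for f in flows])
```

The small check-in is caught only because its destination is a known indicator, which is why indicator feeds matter alongside volume rules; the large transfer to the approved partner is left alone.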
Worms
• Computer worms are a type of malware that replicates functional copies of itself to cause damage to data or software
• Host program or human help is not needed for them to propagate
• Worm enters a computer through a system vulnerability and uses a file- or information-transport feature to allow it to travel independently
Trojans
• A Trojan is another type of malware that appears as legitimate software
• Users are tricked into loading and executing it
• Trojans can achieve a variety of attacks on the host – from distractions (pop-up windows) to major damage (deleting files, activating and spreading other malware)
• Can also create back doors to give malevolent users access to the system
Industry Average Comparisons
• Layer 3 Firewall Throughput
• Malicious Files Legacy
• Malicious URLs: Blended Malicious Threats
• Malicious Files Wild
• Malicious URLs Wild: Malc0de
• Layer 7 Firewall Throughput Max
• Layer 7 Firewall Throughput Mixed
• Application Control
• HTTP Proxy Throughput
• Firewall + IPS Throughput
• Application Control / URL Filtering
Industry Average Comparisons: Layer 3 Firewall Throughput
[Chart: Layer 3 Firewall Throughput (Mbps). Products: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, XTM 525. Bar values as labelled: 2678, 2029, 1886, 1884, 1322. Industry Average: 2,057.3 Mbps.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Malicious Files Legacy
[Chart: Malicious Files Blocked (%). Products: SWG-12600, Malware Protection System 1310, Web Security Gateway. Bar values as labelled: 81.8, 74.2, 1.1. Industry Average: 39.3 (labelled "Mbps" on the chart; the axis unit is %).]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Malicious URLs: Blended Malicious Threats
[Chart: Malicious URLs Blocked (%). Products: 4210 NGFW, Malware Protection System 1310, ASA 5545-X with CX Module, FortiGate 800-C, SRX650 Services Gateway, PA-3020, Web Security Gateway. Bar values as labelled: 71.4, 37.6, 32.1, 16.7, 6.3, 4.8, 4.8. Industry Average: 25.1 (labelled "Mbps" on the chart; the axis unit is %).]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Malicious Files Wild
[Chart: Malicious Files Blocked (%), per product (product labels absent). Bar values as labelled: 97.5, 93.0, 90.3, 83.8, 82.0, 62.0, 50.0, 47.5, 34.0, 30.3, 9.5, 9.5, 4.2. Industry Average: 73.5 (labelled "Mbps" on the chart; the axis unit is %).]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Malicious URLs Wild: Malc0de
[Chart: Malicious URLs Blocked (%). Products: 4210 NGFW, ASA 5545-X with CX Module, Malware Protection System 1310, FortiGate 800-C, SRX650 Services Gateway, PA-3020, Web Security Gateway. Bar values as labelled: 97.5, 83.8, 82.0, 47.5, 30.3, 9.5, 4.2. Industry Average: 41.6 (labelled "Mbps" on the chart; the axis unit is %).]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Layer 7 Firewall Throughput Max
[Chart: Layer 7 Firewall Throughput (Mbps). Products: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, XTM 525, SG 210, SG 230. Bar values as labelled: 3240, 3225, 2310, 2260, 1590, 1400, 1078. Industry Average: 2,158 Mbps.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Layer 7 Firewall Throughput Mixed
[Chart: Layer 7 Firewall Throughput (Mbps). Products: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220, XTM 525, SG 210, SG 230. Bar values as labelled: 3280, 3100, 2170, 2145, 1120, 1072, 1020. Industry Average: 1,987 Mbps.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Application Control
[Chart: Application Control Throughput (Mbps). Products: CR100iNG, FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525, SonicWALL NSA 2600. Bar values as labelled: 3300, 2650, 2090, 1130, 442, 403, 132. Industry Average: 1,345 Mbps.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: HTTP Proxy Throughput
[Chart: Firewall and AV (Proxy) Throughput (Mbps). Products: SonicWALL NSA 2600, CR100iNG, FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525. Bar values as labelled: 704, 585, 237, 212, 163, N/A, N/A. Industry Average: 380 Mbps.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Firewall + IPS Throughput
[Chart: Firewall and IPS Throughput (Mbps). Products: SonicWALL NSA 2600, CR100iNG, FortiGate 100-D, UTM 220, SG 210, SG 230, XTM 525. Bar values as labelled: 658, 504, 475, 420, 190, 163, 132. Industry Average: 330 Mbps.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
Industry Average Comparisons: Application Control / URL Filtering
[Chart: % Protocol/App Combinations Blocked. Products: ProxySG 300-5, SWG-12600, Web Security Gateway. Bar values as labelled: 97.1, 65.9, 56.9. Industry Average: 73.3 %.]
Source: Miercom, UTM and NGFW Industry Assessment 2014
For more information, contact [email protected]
Request our detailed report on UTM and NGFW appliances.