Next-Generation Firewalls (And Other Really Cool Security Products): Results from the Lab
Robert Smithers, CEO, Miercom

Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014

Page 1: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014

7/18/2019 Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014

http://slidepdf.com/reader/full/miercom-preso-interop-nyc-ngfw-atp-0900-1oct2014 1/39

Next-Generation Firewalls:
(And Other Really Cool Security Products)
Results from the Lab

Robert Smithers, CEO, Miercom

Page 2: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


About Us

• Networking Team and Test Alliance
• Publish Media Testing Lab Affiliation
• Vendor Agnostic - No Undue Influence
• Belief in Editorial Integrity and Excellence
• Reports for the Community, License Free
• 30 Years Security Consulting and Testing
• Always Improving and Learning

Page 3: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Agenda

• Vendors and Products
• How We Did It
• Categories of Products Tested
• About the Technology
  – Secure Web Gateway
  – Next-Generation Firewall
  – Unified Threat Management
  – Sandbox
  – Spam Filtering

Page 4: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Agenda

• High Risk, High Visibility Events
  – Advanced Persistent Threat Exploits
  – CryptoLocker
  – Outbound Botnet
  – Worms and Trojans
• Industry Average Comparisons
  – Layer 3 Firewall Throughput
  – Malicious Files Legacy
  – Malicious URLs: Blended Malicious Threats
  – Malicious Files Wild

Page 5: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Agenda

• Industry Average Comparisons
  – Malicious URLs Wild: Malc0de
  – Layer 7 Firewall Throughput Max
  – Layer 7 Firewall Throughput Mixed
  – Application Control

Page 6: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


“Participating” Vendors and Products

• All vendors / products have opportunity to represent before, during and after review
• No pay to play – costs vendors nothing
• We do not claim affiliation or partnership with any vendor
• Participation does not imply relationship between Miercom and vendor
• Some are unwilling participants
• Some vendors don’t like us

Page 7: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Vendors and Products

• Blue Coat ProxySG 300-5
• Check Point 4210 NGFW

• Check Point SWG-12600

• Check Point 4800

• Cisco ASA 5545-X
• Cisco ISA550W

• Cyberoam CR100iNG

• Dell SonicWALL NSA 2600

Page 8: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Vendors and Products

• Dell SonicWALL TZ 105 (Cloud)
• Dell SonicWALL TZ 105 (Appliance)

• FireEye MPS 1310

• Fortinet FortiGate 20-C

• Fortinet FortiGate 800-C
• Fortinet FortiGate 100-D

• Juniper SRX650 Services Gateway

Page 9: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Page 10: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


How We Did It

Test equipment included:
  – Ixia XG12 and BreakingPoint FireStorm
  – Spirent Studio Security
  – Apposite Linktropy 7500 PRO
  – WildPackets OmniPeek for Windows
  – Windows 7 and Windows XP Clients/Endpoints
  – Monitoring Tools

Page 11: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Test Tools and Scripts

Page 12: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Categories of Products Tested

• Secure Web Gateway

• Next-Generation Firewall

• Unified Threat Management

• Sandbox – Threat Emulation

• Spam Filtering

Page 13: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Secure Web Gateway (SWG)

• Edge security platform against Web-borne threats that can reach the enterprise network via Internet browsing; enforces organization’s policies for Internet usage and regulatory compliance
• Essential functionality: URL filtering, malicious code detection/filtering and application control
• Products with real-time, cloud-based content analysis tend to outperform those that look up URLs and/or threat signatures in a static database

Page 14: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Secure Web Gateway (SWG)

• Class of product for organizations of all sizes: SMB and Enterprise
• Essential functionality: URL filtering, malicious code detection/filtering and application control
  – SMB: protects against basic threats, easy to implement/manage
  – Enterprise: protection extended to advanced and targeted threats; requires more skill and resources to implement/manage
• On-premises appliance most popular, with software, virtual appliance, cloud (SWG as a Service) and on-premises / cloud hybrid versions also available

Page 15: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Next-Generation Firewall (NGFW)

• Evolutionary type of network edge security device
• Possesses combination of functionality of basic firewall and enhancements
  – Traffic inspection enables detection and blocking of malicious activity
  – Application awareness enables identification of attacks directed at network as well as enforcement of organization’s Internet usage and regulatory compliance policies

Page 16: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Next-Generation Firewall (NGFW)

• Available for organizations of all sizes
• Can be deployed as appliance, virtual appliance or software-based solution
• Inline “bump in the wire” deployment: enabling functionality can result in reduced network performance
• Next-generation firewall arguably has caused basic firewall to go the way of video cassette recorders and VHS tapes, into obsolescence

Page 17: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Unified Threat Management (UTM)

• Just as Next-Generation Firewall, an evolutionary class of edge security platform
• Combination of firewall and VPN of basic firewall plus…
• Intrusion Prevention System also found in Next-Generation Firewall; URL filtering and antivirus also found in Secure Web Gateway; anti-spam and mail antivirus also found in Spam Filtering
• Primarily aimed at small and mid-sized businesses

Page 18: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Unified Threat Management (UTM)

• Available as appliance, virtual appliance, software and cloud-based
• Network administrator must find balance between security and network performance
  – Individual packets examined by each security function enabled, adding to latency/detracting from throughput

Page 19: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Sandbox

• Security technique for protecting enterprise network from malware by running applications and visiting Websites in a controlled environment
• FireEye leads market with competitors including AhnLab, Check Point, Damballa, McAfee, Palo Alto Networks and Sourcefire (acquired by Cisco in October 2013)
• Sandbox appliance or cloud-based service is part of a multi-layered security system

Page 20: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Sandbox

• Botnets, zero-day attacks and corporate espionage among threats that fueled advent of sandbox; virtualization has facilitated […] of sandbox
• Small percentage of malware has written-in capability to thwart the sandbox
  – Check environment to determine if it is in a sandbox
  – Seek to be allowed to pass by attempting to time out the sandbox, stalling by performing meaningless calculations

Page 21: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Spam Filtering

• Class of network security device that safeguards against unwanted inbound and outbound Email: spam
  – Inbound: protect networked computers against dangerous forms of spam such as phishing attempts and Emails containing viruses
  – Outbound: protect networked computers from being compromised and used as a zombie in a botnet to generate spam

Page 22: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Spam Filtering

• Spam is no small problem: estimated 50-60% of enterprise Email is spam
• Key functionality: protect against inbound, targeted phishing
• Functionality growing in importance: ability to re-evaluate link(s) in Email at the time of end user click
• Available as appliance, software, managed service
• Based on Gartner 2013 Magic Quadrant:
  – Product leaders are Cisco, Proofpoint, Symantec, Microsoft

Page 23: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


High Risk Event, High Visibility Event

• Specific High Risk Events
  – Advanced Persistent Threat
  – CryptoLocker
  – Outbound Botnet
  – Worm/Trojan

Page 24: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Advanced Persistent Threats

• Home Depot, Target, etc. (is ____mart next?)
• Initial access and presence seemingly benign
• Takes advantage of underlying weakness in network defense, complacency, and performance limit on DPI, behavioral analysis
• OPFOR has a patient strategy and awaits some long-term […]
• All were 100 percent avoidable, “BUT”
• Designed to steal customer PII, and credit card information

Page 25: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


CryptoLocker

• Ransomware trojan
• Encrypts specific types of files using RSA public-key cryptography
• Message displays an offer to decrypt the data if payment is made

Page 26: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Page 27: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Worms

• Computer worms are a type of malware that replicates functional copies of themselves to cause damage to data or software
• Host program or human help is not needed for them to propagate
• Worm enters a computer through a system vulnerability and uses a file- or information-transport feature to allow it to travel independently

Page 28: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Trojans

• A Trojan is another type of malware that appears as legitimate software
• Users are tricked into loading and executing it
• Trojans can achieve a variety of attacks on the host – from distractions (pop-up windows) to major damage (deleting […], activating and spreading other malware) on the host
• Can also create back doors to give malevolent users access to the system

Page 29: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Industry Average Comparisons

• Layer 3 Firewall Throughput
• Layer 7 Firewall Throughput Mixed
• Layer 7 Firewall Throughput Max
• NGFW Throughput Security Features Enabled
• Malicious URLs: Blended Malicious Threats
• Malicious Files Wild
• Malicious Files Wild: Malc0de
• Application Control
• ATP Threat Emulation Catch Rate

Page 30: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Industry Average Comparison: Layer 3 Firewall Throughput

[Bar chart: Layer 3 Firewall Throughput (Mbps), y-axis 0 to 3000. Products: ISA550W, CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220 X. Bar values as extracted: 655, 2029, 1884, 1322, 2678. Industry Average: 2,057.3 Mbps]

Page 31: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Industry Average Comparison: Layer 7 Firewall Throughput Mixed

[Bar chart: Layer 7 Firewall Throughput (Mbps), y-axis 0 to 2500. Products: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220 X. Bar values as extracted: 2170, 1072, 1020, 1970 (one further value truncated). Industry Average: 1,742.0 Mbps]

Page 32: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Industry Average Comparison: Layer 7 Firewall Throughput Max

[Bar chart: Layer 7 Firewall Throughput (Mbps), y-axis 0 to 2500. Products: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220. Bar values as extracted: 2260, 1400, 1078, 2230. Industry Average: 1,966.3 Mbps]

Page 33: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Industry Average Comparison: NGFW Throughput, Security Features Enabled

[Grouped bar chart: Throughput (Gbps), y-axis 0 to 40, for DPI, DPI+AV and DPI+AV+AppCtrl; series: McAfee NGFW 5206 and Industry Average. Bar values as extracted: 39.59, 36.69, 33.62, 26.13, 12.11, 5.10]

Page 34: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Industry Average Comparison: Malicious URLs: Blended Malicious Threats

[Bar chart: Malicious URLs Blocked (%), y-axis 0 to 100. Products: 4210 NGFW, MPS 1310, FortiGate 800-C, SRX650 Services Gateway, A, C. Bar values as extracted: 16.7, 37.6, 6.3, 32.1, 4.8, 4.8. Industry Average: 25.1 Blocking %]

Page 35: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Industry Average Comparison: Malicious Files Wild

[Bar chart: Malicious Files Blocked (%), y-axis 0 to 100. Product labels surviving extraction: A, C. Bar values as extracted: 83.8, 93.0, 47.5, 90.3, 50.0, 34.0, 4.2, 82.0, 62.0, 9.5, 30. Industry Average: 73.5 Blocking %]

Page 36: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Industry Average Comparison: Malicious URLs Wild: Malc0de

[Bar chart: Malicious URLs Blocked (%), y-axis 0 to 100. Products: 4210 NGFW, C, MPS 1310, FortiGate 800-C, SRX650 Services Gateway, A. Bar values as extracted: 47.5, 83.8, 4.2, 82.0, 9.5, 30.3. Industry Average: 41.6 Blocking %]

Page 37: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Industry Average Comparison: Application Control / URL Filtering

[Bar chart: % Protocol/App Combinations Blocked, y-axis 0 to 100. Products: ProxySG 300-5, SWG-12600, Web Security Gateway. Bar values as extracted: 56.9, 97.1, 65.9. Industry Average: 73.3 Blocking %]

Page 38: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Industry Average Comparison: ATP Threat Emulation Catch Rate

[Bar chart: Percent Detect Rate (%), y-axis 0 to 100. Products: Check Point 4800, FireEye MPS 1310, Palo Alto 3020, Sourcefire, Fortinet 100-D, Zscaler APT; labels A, B. Bar values did not survive extraction]

Page 39: Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014


Questions?