7/18/2019 Miercom Preso Interop NYC NGFW ATP 0900 1OCT2014
http://slidepdf.com/reader/full/miercom-preso-interop-nyc-ngfw-atp-0900-1oct2014 1/39
Next-Generation Firewalls:
(And Other Really Cool Security Products)
Results from the Lab
Robert Smithers, CEO, Miercom
About Us
• Networking Team and Test Alliance
• Publish Media Testing Lab Affiliation
• Vendor Agnostic - No Undue Influence
• Belief Editorial Integrity and Excellence
• Reports For the Community License Free
• 30 Years Security Consulting and Testing
• Always Improving and Learning
Agenda
• Vendors and Products
• How We Did It
• Categories of Products Tested
• About the Technology
– Secure Web Gateway
– Next-Generation Firewall
– Unified Threat Management
– Sandbox
– Spam Filtering
Agenda
• High Risk High Visibility Events
– Advanced Persistent Threat Exploits
– CryptoLocker
– Outbound Botnet
– Worm and Trojans
• Industry Average Comparisons
– Layer 3 Firewall Throughput
– Malicious Files Legacy
– Malicious URLs: Blended Malicious Threats
– Malicious Files Wild
Agenda
• Industry Average Comparisons
– Malicious URLs Wild: Malc0de
– Layer 7 Firewall Throughput Max
– Layer 7 Firewall Throughput Mixed
– Application Control
“Participating” Vendors and Products
• All vendors / products have opportunity to represent before, during and after review
• No pay to play – Costs vendors nothing
• We do not claim affiliation or partnership with any vendor
• Participation does not imply relationship between Miercom and vendor
• Some are unwilling participants
• Some vendors don’t like us
Vendors and Products
• Blue Coat ProxySG 300-5
• Check Point 4210 NGFW
• Check Point SWG-12600
• Check Point 4800
• Cisco ASA 5545-X
• Cisco ISA550W
• Cyberoam CR100iNG
• Dell SonicWALL NSA 2600
Vendors and Products
• Dell SonicWALL TZ 105 (Cloud)
• Dell SonicWALL TZ 105 (Appliance)
• FireEye MPS 1310
• Fortinet FortiGate 20-C
• Fortinet FortiGate 800-C
• Fortinet FortiGate 100-D
• Juniper SRX650 Services Gateway
How We Did It
Test equipment included:
– Ixia XG12 and BreakingPoint FireStorm
– Spirent Studio Security
– Apposite Linktropy 7500 PRO
– WildPackets OmniPeek for Windows
– Windows 7 and Windows XP Clients/Endpoints
– Monitoring Tools
Test Tools and Scripts
Categories of Products Tested
• Secure Web Gateway
• Next-Generation Firewall
• Unified Threat Management
• Sandbox – Threat Emulation
• Spam Filtering
Secure Web Gateway (SWG)
• Edge security platform against Web-borne threats that caenterprise network via Internet browsing; enforces organipolicies for Internet usage and regulatory compliance
• Essential functionality: URL filtering, malicious codedetection/filtering and application control
• Products with real-time, cloud-based content analysis tenoutperform those that look up URLs and/or threat signatustatic database
Secure Web Gateway (SWG)
• Class of product for organizations of all sizes: SMB and Enterprise
• Essential functionality: URL filtering, malicious code detection/filtering and application control
– SMB: protects against basic threats, easy to implement/manage
– Enterprise: protection extended to advanced and targeted threquires more skill and resources to implement/manage
• On-premises appliance most popular with software, virtua(SWG as a Service) and on-premises / cloud hybrid versioalso available
Next-Generation Firewall (NGFW)
• Evolutionary type of network edge security device
• Possesses combination of functionality of basic firewall a
enhancements
– Traffic inspection enables detection and blocking of malicious activity
– Application awareness enables identification of attacks directed at network as well as enforcement of organization’s Internet usage and regulatory compliance policies
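To make the "application awareness" point concrete, here is an added example (my code, not Miercom's test harness and not any vendor's engine): a small classifier that identifies the application from the first bytes of a flow rather than from the destination port, and compares the verdict a port-only policy would give with the verdict an application-aware policy gives for the same flow. The signatures, flow records, addresses and both policies are constructed for illustration; a real engine carries thousands of signatures and tracks state across packets.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One client-to-server flow: addresses, destination port and first payload bytes."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Ordered (application, pattern) pairs matched against the start of the stream.
# Constructed, simplified signatures: enough to tell the protocols apart here.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),                        # SSH version banner
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),               # TLS handshake record header
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),   # peer-wire handshake
]


def identify_app(payload: bytes) -> str:
    """Return the application name for the payload, or 'unknown' if nothing matches."""
    for app, pattern in SIGNATURES:
        if pattern.match(payload):
            return app
    return "unknown"


# Constructed policies. The port-based firewall can only key on the port;
# the application-aware policy keys on what is actually in the stream.
PORT_POLICY = {80: "allow", 443: "allow"}          # everything else denied
APP_POLICY = {"http": "allow", "tls": "allow", "ssh": "deny",
              "bittorrent": "deny", "unknown": "deny"}


def port_decision(flow: Flow) -> str:
    return PORT_POLICY.get(flow.dport, "deny")


def app_decision(flow: Flow) -> str:
    return APP_POLICY[identify_app(flow.payload)]


def evaluate(flows):
    """Return (dst, dport, identified app, port-policy verdict, app-policy verdict) per flow."""
    return [(f.dst, f.dport, identify_app(f.payload), port_decision(f), app_decision(f))
            for f in flows]


# Constructed sample flows. The second is SSH tunnelled over 443 and the fourth
# is BitTorrent on 80: a port-only policy allows both, the app-aware one does not.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.20", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.0.7", "203.0.113.30", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    Flow("10.0.0.9", "203.0.113.40", 80, b"\x13BitTorrent protocol\x00\x00\x00\x00\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for dst, dport, app, by_port, by_app in evaluate(SAMPLE_FLOWS):
        print(f"{dst}:{dport:<4} app={app:<10} port-policy={by_port:<5} app-policy={by_app}")
```

The point of the two policy tables side by side is the gap between them: the port-only firewall allows all four sample flows, while the application-aware policy denies the two that are not what their port suggests. That inspection is also where the throughput cost shown in the later slides comes from, since every flow's early payload has to be matched, not just its header.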
Next-Generation Firewall (NGFW)
• Available for organizations of all sizes
• Can be deployed as appliance, virtual appliance or software-based solution
• Inline “bump in the wire” deployment: enabling functionali
result in reduced network performance
• Next-generation firewall arguably has caused basic firewa
way of video cassette recorders and VHS tapes, into obsolescence
Unified Threat Management (UTM)
• Just as Next-Generation Firewall, an evolutionary class oedge security platform
• Combination of firewall and VPN of basic firewall plus…
• Intrusion Prevention System also found in Next-Generation Firewall
• URL filtering and antivirus also found in Secure Web Gateway
• Anti-spam and mail antivirus also found in Spam Filtering
• Primarily aimed at small and mid-sized businesses
Unified Threat Management (UTM)
• Available as appliance, virtual appliance, software and cloud-based
• Network administrator must find balance between security and network performance
– Individual packets examined by each security function enab
to latency/detracting from throughput
Sandbox
• Security technique for protecting enterprise network from m
running applications and visiting Websites in a controlled environment
• FireEye leads market with competitors including AhnLab, Check Point, Damballa, McAfee, Palo Alto Networks and Sourcefire (acquired by Cisco in October 2013)
• Sandbox appliance or cloud-based service is part of a multi-layered security system
Sandbox
• Botnets, zero-day attacks and corporate espionage amonthat fueled advent of sandbox; virtualization has facilitated
of sandbox
• Small percentage of malware has written-in capability to t
sandbox
– Check environment to determine if it is in a sandbox
– Seek to be allowed to pass by attempting to time out the san
stalling by performing meaningless calculations
Spam Filtering
• Class of network security device that safeguard against uinbound and outbound Email: spam
– Inbound: protect networked computers against dangerous forms of spam such as phishing attempts and Emails containing viruses
– Outbound: protect networked computers from being compromised and used as a zombie in a botnet to generate spam
Spam Filtering
• Spam is no small problem: estimated 50-60% of enterpris
• Key functionality: protect against inbound, targeted phishing
• Functionality growing in importance: ability to re-evaluate
link(s) in Email at the time of end user click
• Available as appliance, software, managed service
• Based on Gartner 2013 Magic Quadrant:
– Product leaders are Cisco, Proofpoint, Symantec, Microsoft
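The "re-evaluate links at the time of click" capability on this slide can be sketched in a few dozen lines. What follows is an added example, not a vendor's implementation and not from the original deck: at delivery the gateway rewrites each link in the message body into a signed gateway link that carries the original URL; at click time it verifies the signature, rejects stale links, and checks the original URL against the blocklist as it stands now, so a URL that was clean when the mail arrived can still be blocked later. The gateway hostname, HMAC key, sample message and blocklist are all constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

GATEWAY = "https://click.gateway.example/r"   # constructed click-gateway endpoint
KEY = b"constructed-secret-key"               # constructed; a real gateway keeps this server-side
_URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _sign(url: str, ts: int) -> str:
    """HMAC over (timestamp, original URL): the gateway redirects only to URLs it
    rewrote itself, so it cannot be abused as an open redirector."""
    return hmac.new(KEY, f"{ts}|{url}".encode(), hashlib.sha256).hexdigest()


def rewrite_links(body: str, ts: int) -> str:
    """Delivery time: replace every http(s) link with a gateway link carrying the original."""
    def repl(match):
        url = match.group(0)
        return f"{GATEWAY}?u={quote(url, safe='')}&t={ts}&s={_sign(url, ts)}"
    return _URL_RE.sub(repl, body)


def resolve_click(link: str, blocked_domains: set, now: int, max_age: int = 30 * 86400) -> tuple:
    """Click time: validate the gateway link, then re-evaluate the original URL against
    the blocklist as it stands *now*. Returns (verdict, original_url or None)."""
    parts = urlsplit(link)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != GATEWAY:
        return ("invalid", None)
    query = parse_qs(parts.query)
    try:
        url, ts, sig = query["u"][0], int(query["t"][0]), query["s"][0]
    except (KeyError, IndexError, ValueError):
        return ("invalid", None)
    if not hmac.compare_digest(sig, _sign(url, ts)):
        return ("invalid", None)                 # tampered or forged link
    if now - ts > max_age:
        return ("expired", url)                  # too old: do not follow, ask for a fresh mail
    host = (urlsplit(url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in blocked_domains):
        return ("block", url)                    # blocked by the *current* list
    return ("redirect", url)


# Constructed sample message; the domain is only added to the blocklist after delivery.
SAMPLE_BODY = "Your invoice is ready: http://docs.example.net/inv.pdf (open within 7 days)"

if __name__ == "__main__":
    delivered = rewrite_links(SAMPLE_BODY, ts=1_000_000)
    link = _URL_RE.search(delivered).group(0)
    print(delivered)
    print("clean list:", resolve_click(link, set(), now=1_000_500))
    print("after listing example.net:", resolve_click(link, {"example.net"}, now=1_000_500))
```

Two design choices matter here. The signature is what stops the gateway from becoming an open redirector for anyone who can guess the URL format; and the blocklist is consulted at click time rather than stored in the link, which is the whole point of the capability: the verdict at delivery is not baked into the message.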
High Risk Event / High Visibility Event
• Specific High Risk Events
– Advanced Persistent Threat
– CryptoLocker
– Outbound Botnet
– Worm/Trojan
Advanced Persistent Threats
• Home Depot, Target, etc. (is ____mart next?)
• Initial access and presence seemingly benign
• Takes advantage of underlying weakness in network defe
complacency, and performance limit on DPI, behavioral a
• OPFOR has a patient strategy and awaits some long term
• All were 100 percent avoidable, “BUT”
• Designed to steal customer PII, and credit card information
CryptoLocker
• Ransomware trojan
• Encrypts specific types of files using RSA public-key cryptography
• Message displays an offer to decrypt the data if payment is made
Worms
• Computer worms are a type of malware that replicates functional copies of themselves to cause damage to data or software
• Host program or human help is not needed for them to propagate
• Worm enters a computer through a system vulnerability and uses a file- or information-transport feature to allow it to travel independently
Trojans
• A Trojan is another type of malware that appears as legitimate software
• Users are tricked into loading and executing it
• Trojans can achieve a variety of attacks on the host – from
distractions (pop-up windows) to major damage (deleting
activating and spreading other malware) on the host
• Can also create back doors to give malevolent users acce
system
Industry Average Comparisons
• Layer 3 Firewall Throughput
• Layer 7 Firewall Throughput Mixed
• Layer 7 Firewall Throughput Max
• NGFW Throughput Security Features Enabled
• Malicious URLs: Blended Malicious Threats
• Malicious Files Wild
• Malicious Files Wild: Malc0de
• Application Control
• ATP Threat Emulation Catch Rate
Industry Average Comparison: Layer 3 Firewall Throughput
[Chart: Layer 3 Firewall Throughput (Mbps) per product. Products: ISA550W, CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220 X. Industry average: 2,057.3 Mbps. Bar values as extracted (product order not recoverable): 655, 2029, 1884, 1322, 2678.]
Industry Average Comparison: Layer 7 Firewall Throughput Mixed
[Chart: Layer 7 Firewall Throughput (Mbps) per product, mixed traffic. Products: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220 X. Industry average: 1,742.0 Mbps. Bar values as extracted (product order not recoverable): 2170, 1072, 1020, 1970.]
Industry Average Comparison: Layer 7 Firewall Throughput Max
[Chart: Layer 7 Firewall Throughput (Mbps) per product, maximum. Products: CR100iNG, SonicWALL NSA 2600, FortiGate 100-D, UTM 220. Industry average: 1,966.3 Mbps. Bar values as extracted (product order not recoverable): 2260, 1400, 1078, 2230.]
Industry Average Comparison: NGFW Throughput, Security Features Enabled
[Chart: Throughput (Gbps) with DPI, DPI+AV and DPI+AV+AppCtrl enabled; two series, McAfee NGFW 5206 and Industry Average. Values as extracted (series/category assignment not recoverable): 39.59, 36.69, 33.62, 26.13, 12.11, 5.10.]
Industry Average Comparison: Malicious URLs: Blended Malicious Threats
[Chart: Malicious URLs Blocked (%) per product. Legible product labels: 4210 NGFW, MPS 1310, FortiGate 800-C, SRX650 Services Gateway (remaining labels truncated). Industry average: 25.1% blocking. Bar values as extracted (product order not recoverable): 16.7, 37.6, 6.3, 32.1, 4.8, 4.8.]
Industry Average Comparison: Malicious Files Wild
[Chart: Malicious Files Blocked (%) per product; product labels not recoverable from the extraction. Industry average: 73.5% blocking. Bar values as extracted: 83.8, 93.0, 47.5, 90.3, 50.0, 34.0, 4.2, 82.0, 62.0, 9.5, 30.]
Industry Average Comparison: Malicious URLs Wild: Malc0de
[Chart: Malicious URLs Blocked (%) per product. Legible product labels: 4210 NGFW, MPS 1310, FortiGate 800-C, SRX650 Services Gateway (remaining labels truncated). Industry average: 41.6% blocking. Bar values as extracted (product order not recoverable): 47.5, 83.8, 4.2, 82.0, 9.5, 30.3.]
Industry Average Comparison: Application Control / URL Filtering
[Chart: % Protocol/App Combinations Blocked per product. Products: ProxySG 300-5, SWG-12600, Web Security Gateway. Industry average: 73.3% blocking. Bar values as extracted (product order not recoverable): 56.9, 97.1, 65.9.]
Industry Average Comparison: ATP Threat Emulation Catch Rate
[Chart: Percent Detect Rate (%) per product, 0-100 scale. Products: Check Point 4800, FireEye MPS 1310, Palo Alto 3020, Sourcefire, Fortinet 100-D, Zscaler APT. Bar values not recoverable from the extraction.]
Questions?