Hardening the Education IT Environment with NGFW
Narongveth Yutithammanurak
Business Development Manager 23 Feb 2012
Technology Trends
• Security
• Performance
Security-as-a-ServicePage 2
• Bandwidth
• Efficiency
• Manageability
What are Students and Staff doing?
• Web surfing
• Twitter, Facebook
• Downloading files
• Instant messaging
• Streaming video
• Streaming audio
• Playing games online
• Personal email
These things we know?
• Port 80 is much more than Web browsing
• Port 443 is an encrypted mystery
• Other ports are being exploited

User             Port    Protocol   Application
203.12.145.34    80      HTTP       Web Browsing?
Anna Stand       80      IM         Yahoo-IM
124.50.13.45     443     HTTPS      Secure banking?
Paul Donson      443     Email      Google Gmail
224.100.30.6     5060    SIP        VoIP?
John Buly        20129   P2P        Orbit downloader
Beyond Threats
• Most traffic is not threat-based but is application and data
• Applications can be good, bad or in-between
– Good: salesforce.com
– Bad: badworm.exe
– In-between: P2P, streaming video & audio
Common Questions… to Admin
• Where is this TRAFFIC coming from?
• What APPLICATIONS are really on the network?
• Where is ALL my BANDWIDTH going?
• What are the THREATS?
Device Expectation
• Application awareness and visibility
• Integrated full IPS without compromising performance
• Intelligence to identify users
• Standard firewall capabilities
• Multiple deployment options
NGFW Definition
• Stateful Inspection
• Intrusion Prevention
• Application Control
• SSL Decryption/Inspection
“By year-end 2014 [Next-Generation Firewall] will rise to 35% of the installed base, with 60% of new purchases being NGFWs.”
Source: Gartner NGFW Research note
What NGFW should do…
• Identify applications and users regardless of port, address or packet
– Ports ≠ Applications
– IP Addresses ≠ Users
– Packets ≠ Content
• Protect in real-time against threats
• Granular visibility and policy control
– Application access / functionality
• Multi-gigabit throughput with no performance degradation
Control Network, Users & Traffic
• Bandwidth: manage or block
• By user or group, with exceptions
• By schedule
• By app (category, app, function)
NGFW Technology
Solution Features
• Consolidated & integrated security technology
• Application visibility: inspection of real-time & latency-sensitive applications/traffic
• Scalable & high-performing enough to protect against perimeter and internal network challenges
Next Generation Requirements (Multi-Tiered Protection Technology)
1. Patented Re-Assembly Free DPI (RFDPI): DPI protects against network risks
2. Multi-core high-performance architecture: multi-core scanning in real-time
3. Dynamic security architecture: dynamic network protections
NGFW Features
• Application intelligent control
• Gateway security
– Intrusion Protection Service (IPS)
– Anti-Virus and Anti-Spyware
• URL Filtering Service
• Bandwidth Management (QoS)
• User Authentication
Powerful Application Policy Creation
• “Allow IM, but block File Transfer”
• “Allow Facebook, but block Farmville”
• “Allow Facebook, but block all Facebook applications”
Application Use Enforcement
• Policy: all staff must use IE 9.0
• Mission: ensure all PCs are using IE 9.0
• Solution:
– Create a policy that looks for User-Agent = MSIE 9.0 in HTTP
– Allow IE 9.0 traffic and block other browsers
Deny FTP Upload
• Need to make sure that authorized staff can upload files and no one else can
• Create a policy to allow FTP PUT only for certain people
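To make the port-versus-application point of the “These things we know?” table and the User-Agent and FTP PUT policies above concrete, here is an added Python sketch of content-based application identification feeding a user-aware, first-match policy; it is not code from the original deck or any vendor product, and the payload signatures, rule format, user names and sample flows are constructed assumptions.

```python
import re
from typing import NamedTuple, Tuple

class Flow(NamedTuple):
    user: str       # resolved via directory integration, not guessed from the IP address
    port: int
    payload: bytes  # first bytes of the session
# Illustrative payload signatures, assumed here; a real NGFW uses a vendor signature database.
def identify(flow: Flow) -> Tuple[str, str]:
    # Classify as (application, function) from content only; the port is deliberately ignored.
    p = flow.payload
    if p.startswith(b"YMSG"):
        return "Yahoo-IM", "chat"
    if p.startswith(b"\x13BitTorrent protocol"):
        return "P2P", "transfer"
    if p.startswith(b"STOR "):
        return "FTP", "put"
    m = re.match(rb"(?:GET|POST) \S+ HTTP/1\.[01]\r\n(.*)", p, re.S)
    if m:
        ua = re.search(rb"User-Agent: ([^\r\n]*)", m.group(1))
        browser = "IE9" if ua and b"MSIE 9.0" in ua.group(1) else "other-browser"
        return "Web", browser
    return "unknown", "unknown"

# First-match rules: (permitted users or None for anyone, application, function or None, action)
RULES = [
    ({"ftpadmin"}, "FTP", "put", "allow"),   # only authorized staff may FTP PUT
    (None, "FTP", "put", "block"),
    (None, "Web", "IE9", "allow"),           # enforce the IE 9.0 browser standard
    (None, "Web", None, "block"),            # any other browser
    (None, "Yahoo-IM", "chat", "allow"),
    (None, "P2P", None, "block"),
]

def decide(flow: Flow) -> Tuple[str, str, str]:
    # Returns (application, function, action); anything unmatched is denied by default.
    app, func = identify(flow)
    for users, rule_app, rule_func, action in RULES:
        if users is not None and flow.user not in users:
            continue
        if rule_app == app and rule_func in (None, func):
            return app, func, action
    return app, func, "block"

# Constructed sample flows echoing the slide: port 80 carrying IM, port 20129 carrying P2P.
SAMPLES = [
    Flow("Anna Stand", 80, b"YMSG\x00\x10\x00\x00"),
    Flow("Paul Donson", 80, b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n\r\n"),
    Flow("student1", 80, b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 Firefox/10.0\r\n\r\n"),
    Flow("John Buly", 20129, b"\x13BitTorrent protocol" + bytes(8)),
    Flow("ftpadmin", 21, b"STOR report.pdf\r\n"),
    Flow("student1", 21, b"STOR homework.zip\r\n"),
]
```

Running `decide` over `SAMPLES` shows the two port-80 flows getting different verdicts because the content, not the port, decides, and the same FTP PUT being allowed for one user and blocked for another.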
Block Forbidden Files and Notify
• An EXE file
– from being downloaded
– as an email attachment
– from being transferred via FTP
• Create a policy to block forbidden file extensions
Keep P2P Under Control
• P2P applications steal bandwidth and bring in malicious files
• P2P applications simply change a version number
• Create a policy to detect P2P applications
Intrusion Protection Service (IPS)
• Application vulnerabilities, buffer overflows
• Scanning (worms, Trojans, software vulnerabilities, backdoor exploits, and other types of malicious attacks)
• Utilizing a comprehensive signature database
• Focusing on known malicious traffic decreases false positives, increasing network reliability and performance
Gateway Anti-Virus and Anti-Spyware
• High-performance engine scans for viruses, spyware, worms, Trojans and application exploits
• Continually updated database of threat signatures
• Inter-zone scanning also delivers protection between internal network zones
Content Filtering Service
• Granular content filtering
• Dynamically updated rating architecture
• Application traffic analytics
• Easy-to-use web-based management
• High-performance web caching and rating architecture
• IP-based HTTPS content filtering
• Scalable, cost-effective solution
Managing Streaming Video
• Sites such as “YouTube”
– blocking the site might work, but the best answer could be to limit the bandwidth
• Create a policy to limit streaming video
Directory Integration
• Users no longer defined solely by IP address
• Manage and enforce policy based on user and/or AD group
• Understand user application and threat behavior based on AD, LDAP
Topology#1: Many-to-One Datacenter
• Protect servers from outside
• IPS feature performed
• Focusing on known malicious traffic
Topology#2: Many-to-Many External
• Protect users surfing the internet
• Outbound protection
• Control application usage
• Shape user bandwidth
Topology#3: Many-to-Many Internal LAN
• Concept for internal protection
• Users to datacenter / server farms
• Protect servers from malware infection
• Restrict user access
Best Practices
• First, identify and block all “bad” applications
• Second, safely enable all “good” applications
• Solid research and support – fast deployment of new protections
• Sustained high-performance firewall + IPS platform
Difference: System Integrator vs. MSSP
System Integrator
• Hardware ownership
– CPE
• One-time implementation
• MA provided
MSSP
• Low cost of ownership
– As-a-Service
• One-time implementation
• MA provided
• Admin maintenance
• Device management
• Security monitoring
• Security analyst
• Proactive maintenance
• Align with SLA
Summary Benefits of NGFW
• All-in-one functionality
• Greater visibility and control
• Simplified management
• Better security
• Lower total cost of ownership