

    Next-Generation Firewall Market Analysis: The SonicWALL Difference

    SonicWALL advantages over Check Point, Cisco, Fortinet, Juniper, and Palo Alto Networks

    CONTENTS
    Introduction 2
    Application Intelligence 3
    Application Visualization (on Box) 3
    Application Visualization (off Box) 4
    Application Control 4
    Architecture and Performance 5
    Malware Prevention 5
    Technology Ownership 6
    Value-add Security Features 7
    Breadth of Coverage 7
    Distributed Management 8
    Conclusion 8


    Introduction

    Next-Generation Firewalls (NGFWs) have rapidly become a must-have countermeasure for today's security- and compliance-conscious organizations. Simply put, this is because NGFWs overcome the deficiencies and challenges of conventional, stateful inspection firewalls that rely solely on IP addresses, ports, and protocols for classifying and controlling network traffic. In particular, by adding application awareness and control, integrated threat prevention, and the ability to account for other contextual information (e.g., user identity) on top of legacy network-layer capabilities, NGFWs:

    Provide the ability to effectively control exactly which applications are being used on the network, how they are being used, and who is using them while also preventing associated threats, despite the fact that the majority of applications now rely on only a handful of protocols (e.g., HTTP and HTTPS), and the proliferation of evasive techniques such as the use of non-standard ports, protocol tunneling, SSL encryption, and port-hopping

    Reduce device sprawl, network complexity, and the inevitable gaps in one's defenses by obviating the need for numerous helper products (e.g., standalone network IPS, gateway anti-virus, URL/content filtering, etc.)

    At least that is the case in theory. As the saying goes, however, the devil is in the details. In reality, there is considerable variation from one product to the next in terms of how NGFW capabilities are being achieved, and, therefore, in terms of how well they deliver on their supposed value propositions.

    The purpose of this paper is threefold: to expose some of the variability and associated weaknesses of competing products; to arm evaluators with the means to further reveal similar differences and deficiencies; and to highlight why your organization's next firewall purchase should be a Next-Generation Firewall from SonicWALL. In particular, this paper examines nine crucial areas of NGFW characteristics and capabilities where the SonicWALL NGFW has compelling advantages compared to its primary competitors. In each case, a general description of the area is provided, followed by an explanation of SonicWALL's strengths and capabilities in that area, an enumeration of competitor shortcomings, and probing questions NGFW purchasers can use to obtain essential details and reveal the true capabilities of the products they are considering.

    Competing NGFW Products

    Check Point Security Gateways
    Cisco ASA Series Adaptive Security Appliances
    Fortinet FortiGate Appliances
    Juniper Networks SRX Series Services Gateways
    Palo Alto Networks PA-Series Firewalls

    Areas of Differentiation

    Application Intelligence
    Application Visualization (On-Box)
    Application Visualization (Off-Box)
    Application Control
    Architecture and Performance
    Malware Prevention
    Technology Ownership
    Value-Add Security Features
    Breadth of Coverage
    Distributed Management


    Application Intelligence

    Application intelligence, or awareness, is a foundational component of a Next-Generation Firewall. It is what enables the identification of individual applications within network traffic, ideally irrespective of port, protocol, or evasive tactic. Coverage should be both broad and deep in terms of the variety of applications and specific functions within them that can be distinguished, and is typically based on the presence of an extensive application signature library and the resources to maintain it.

    SonicWALL capabilities and strengths. The SonicWALL Next-Generation Firewall leverages SonicWALL's Reassembly-Free Deep Packet Inspection (RFDPI) and a continuously expanding signature database to scan every packet across every protocol and interface to identify and control over 3,500 applications and individual application functions. This approach has no reliance, dependence, or limitation relative to the ports and protocols being used, and can optionally be extended to SSL-encrypted traffic as well. In addition, the SonicWALL Research Team constantly generates new signatures, which are automatically delivered and implemented without administrators having to update rules and/or underlying application objects. Organizations can also create their own custom signatures, as needed or desired.

    In comparison. Check Point, Cisco, and Juniper initially classify all traffic using port- and protocol-dependent methods prior to passing it to an IPS-oriented module for application detection and enforcement. Characteristic of a solution where application awareness has been bolted on (rather than designed in from the outset), this approach is inherently flawed because it allows traffic that is initially misclassified by an unreliable inspection technique to bypass further inspection and control. Cisco, Fortinet, and Juniper also have considerably fewer signatures than the SonicWALL solution, and lack custom signature creation capabilities. Check Point's recently released Application Control Software Blade, on the other hand, requires navigation and management of over 50,000 signatures and depends on configuration of non-standard ports for each signature. It also lacks both SSL inspection and custom signature capabilities.

    Questions purchasers should ask candidates to pursue this topic further include:

    What are the specific mechanisms used to identify apps and how do they work?

    What must be done to identify apps regardless of port, protocol, and SSL encryption?

    Is application identification the primary means for classifying traffic, or has application intelligence and control been retrofitted to a traditional firewall?

    Who is responsible for signature creation, what is the frequency of updates, how are they delivered and implemented, and do they extend to individual app functions?

    Application Visualization (On-Box)

    Application visualization refers to the ability for administrators to see what is actually happening on the network: which specific applications are being used, by which users, when, to what extent, and so forth. Such information is essential for policy and rule development, troubleshooting and analysis, illustrating the impact of rule enforcement, and illuminating the need for changes over time.

    SonicWALL capabilities and strengths. SonicWALL provides extensive, on-box visualization and analysis tools. Specifically, the SonicWALL Visualization Dashboard includes the Real-Time Monitor (for viewing summary and system-level information) and the AppFlow Monitor (for viewing granular, real-time data pertaining to applications, users, URLs, initiators, responders, threats, VoIP, VPN, devices, and content). Available data can be viewed in multiple formats (e.g., list, pie chart, graph), subjected to virtually any series of filters, and manipulated multiple ways to maximize its usefulness.


    In comparison. The Check Point, Cisco, Fortinet, and Juniper solutions all lack an on-box capability for visualizing application data in real time. Nor do they provide forensic analysis tools that deliver an in-depth, real-time understanding of network utilization.

    Questions purchasers should ask candidates to pursue this topic further include:

    Does the solution include on-box visualization for real-time investigation of network activity by application, user, bandwidth consumption, URL, and so forth?

    In what specific ways can the available data be manipulated and analyzed?

    Application Visualization (Off-Box)

    SonicWALL capabilities and strengths. Beyond its unique on-box visualization capabilities, the SonicWALL Next-Generation Firewall also supports an open (i.e., industry standard) mechanism, IPFIX/NetFlow with Extensions, for exporting all of the same in-depth, application-oriented data to external collectors and tools (e.g., Scrutinizer from Plixer International). This allows organizations to leverage a wide range of third-party management applications for longer-term trending and in-depth forensic analysis of network usage and potential threat-related activity.

    In comparison. None of SonicWALL's competitors share the ability to export application intelligence information to external IPFIX/NetFlow collectors at the same level of granularity as the SonicWALL Next-Generation Firewall.

    Questions purchasers should ask candidates to pursue this topic further include:

    Does the solution enable export of granular application intelligence information via an open (i.e., industry standard) mechanism?

    Which third-party collectors and management tools provide reporting and analysis capabilities for the NGFW?

    Application Control

    The ultimate goal of application intelligence and visibility, application control entails the execution of a response (e.g., block or allow) to network traffic based on the applications it is conveying, as well as attributes such as user and device identity.

    SonicWALL capabilities and strengths. With the SonicWALL Next-Generation Firewall, administrators can configure highly flexible policies based on application type, specific application, or specific application functionality (e.g., file transfer within IM), while also accounting for a wide range of contextual variables, including user and device identity, the type of content involved, and time of day, week, or month. Moreover, the SonicWALL solution supports numerous actions: not just allow, block, and log, but also (and potentially most valuably) bandwidth prioritization and limits. In addition, SonicWALL uniquely enables administrators to create objects consisting of groups of applications, as well as URLs and URL categories, and then apply bandwidth management rules to those objects. For example, an IT manager can select a group of social media applications as well as shopping URL categories and restrict the aggregate bandwidth consumed to 500 kbps.

    In comparison. Check Point, Cisco, Fortinet, and Juniper lack the granularity of control required in businesses today. For example, a Web application such as Facebook can be seen as both bad and good to a company: a productivity threat, a security threat, and a valuable marketing tool. SonicWALL has the granularity of control to give a company's marketing department prioritized bandwidth for Facebook, while at the same time preventing other departments from using it during working hours and ALL users from accessing Farmville and Mafia Wars. In addition, although these competitors have content filtering capabilities, administrators are forced to manage applications and URLs as separate entities with separate GUIs. In the case of Palo Alto Networks, management of URLs together with applications is supported, but the solution fails to enable bandwidth management for the combined objects, thereby negating a central benefit of having a unified architecture.
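The policy model described above (an object that combines applications and URL categories, contextual matching on department, application function and time of day, and one aggregate bandwidth cap on the combined object), as an added illustration in Python. This is not SonicWALL code or configuration; every rule, flow, department and limiter name in it is constructed for the example.

```python
# Added example (not SonicWALL code): a toy first-match policy engine in the shape the text
# describes; an "object" groups apps and URL categories so one rule can cap their aggregate
# bandwidth. Every flow, rule and name below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AppObject:
    apps: frozenset = frozenset()
    url_categories: frozenset = frozenset()
    def matches(self, flow):
        return flow["app"] in self.apps or flow.get("url_category") in self.url_categories

@dataclass
class Rule:
    obj: AppObject
    action: str                    # allow / block / prioritize / limit
    departments: frozenset = None  # None = any user
    functions: frozenset = None    # sub-function inside the app, e.g. a Facebook game
    work_hours_only: bool = False
    limiter: object = None         # shared AggregateLimiter, used by "limit" rules

def evaluate(rules, flow):         # first match wins, like a firewall rule base
    ts = datetime.fromisoformat(flow["ts"])
    for r in rules:
        if not r.obj.matches(flow): continue
        if r.departments is not None and flow["dept"] not in r.departments: continue
        if r.functions is not None and flow.get("function") not in r.functions: continue
        if r.work_hours_only and not (ts.weekday() < 5 and 9 <= ts.hour < 17): continue
        return r.action
    return "allow"

class AggregateLimiter:            # one token bucket shared by all flows hitting an object
    def __init__(self, kbps):
        self.rate = kbps * 1000 / 8              # bytes per second
        self.tokens, self.last = self.rate, 0.0  # start with one second of credit
    def admit(self, nbytes, now):
        self.tokens, self.last = min(self.rate, self.tokens + (now - self.last) * self.rate), now
        ok = nbytes <= self.tokens               # False: the object is over its shared cap
        self.tokens -= nbytes if ok else 0
        return ok

FACEBOOK = AppObject(apps=frozenset({"facebook"}))
SOCIAL_AND_SHOPPING = AppObject(frozenset({"facebook", "twitter"}), frozenset({"shopping"}))
RULES = [
    Rule(FACEBOOK, "block", functions=frozenset({"farmville", "mafia-wars"})),  # all users
    Rule(FACEBOOK, "prioritize", departments=frozenset({"marketing"})),
    Rule(FACEBOOK, "block", work_hours_only=True),  # every other department, 9-5 weekdays
    Rule(SOCIAL_AND_SHOPPING, "limit", limiter=AggregateLimiter(500)),  # one shared 500 kbps cap
]
```

Rule order matters: the game block comes first so it applies to marketing too, and the shared cap catches social media and shopping traffic that no earlier rule has blocked.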

    Questions purchasers should ask candidates to pursue this topic further include:

    What are all of the attributes that can be used to formulate app control policies?

    What are all of the possible responses/actions that can be configured?

    Can bandwidth management rules be set on a per user, group, and functionality basis to control how applications consume the network?

    Can application and content filtering categories be combined into a single object that is then subjected to a single, unified bandwidth management rule?

    Architecture and Performance

    The NGFW feature set, including application intelligence, content inspection, IPS, and malware prevention, is relatively compute intensive. In this regard, a product's architecture will play a significant role in terms of achievable throughput and introduced latency.

    SonicWALL capabilities and strengths. SonicWALL Reassembly-Free Deep Packet Inspection is a highly efficient, single-pass engine. This means of inspection is designed specifically for real-time applications and latency sensitive traffic, delivering control and protection without the need to proxy connections, execute handoffs to separate modules, or repeat costly packet processing and stream-reassembly routines.

    In comparison. The Juniper, Fortinet and Check Point architectures attempt to provide an NGFW feature set and anti-malware capabilities by adding proxy/reassembly-based scanning engines to their solutions, an approach which introduces latency to the network. SonicWALL's architecture was designed from the start around Reassembly-Free Deep Packet Inspection to maximize network throughput and to minimize latency.
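The single-pass, reassembly-free idea as an added sketch in Python, not SonicWALL's engine or code: the matcher carries one automaton state per flow across packet boundaries, so a signature split over two TCP segments is still matched without first buffering and reassembling the stream, and the same pass serves both application identification and content signatures. Signatures, packet payloads and names are constructed for the example.

```python
# Added example (not SonicWALL code): a sketch of the single-pass, reassembly-free idea. The
# matcher keeps one small automaton state per flow and carries it across packets, so a signature
# split over two segments is still found without buffering the stream. All inputs are constructed.
from collections import deque

class StreamMatcher:
    def __init__(self, patterns):            # Aho-Corasick trie plus failure links
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for p in patterns:
            s = 0
            for b in p:
                if b not in self.goto[s]:
                    self.goto.append({}); self.out.append(set()); self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(p)
        q = deque([0])
        while q:                             # BFS: fail[r] is final before its children
            r = q.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                g = self.goto[f].get(b, 0)
                self.fail[s] = g if g != s else 0
                self.out[s] |= self.out[self.fail[s]]
                q.append(s)

    def feed(self, state, payload):          # one packet in, (new state, matches) out
        hits = []
        for b in payload:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.extend(sorted(self.out[state]))
        return state, hits

def scan_flow(matcher, packets):             # reassembly-free: per-flow memory is one int
    state, found = 0, []
    for pkt in packets:
        state, hits = matcher.feed(state, pkt)
        found += hits
    return found

def scan_per_packet(matcher, packets):       # stateless contrast: split signatures are missed
    return [h for pkt in packets for h in matcher.feed(0, pkt)[1]]

SIGNATURES = [b"BitTorrent protocol", b"GET /login"]      # app/content signatures (constructed)
MATCHER = StreamMatcher(SIGNATURES)
SPLIT_FLOW = [b"\x13BitTor", b"rent protocol\x00\x00"]   # handshake split over two segments
```

A proxy or reassembly design would instead hold the segments of each flow in a buffer until a complete unit is available, which is where the per-flow memory and latency the text refers to come from.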

    Questions purchasers should ask candidates to pursue this topic further include:

    Does the solution feature a single, unified software engine, or does it require system-level handoffs to distinctly separate inspection modules?

    How many times must low-level packet handling and/or stream reassembly routines be repeated to support the entire set of security services?

    Malware Prevention

    Next-Generation Firewalls, by definition, include integrated threat prevention capabilities, typically anchored by a robust intrusion prevention feature set. Malware prevention builds on this core strength by adding one or more components focused specifically on the eradication of viruses, spyware, and other forms of malware.

    SonicWALL capabilities and strengths. The SonicWALL RFDPI engine allows both arbitrarily large files (i.e., there is no size limitation) and large numbers of small files to be scanned for all types of malware while still maintaining high performance. Malware scans are bi-directional (enabling detection of threats as they phone home), and are applicable to all protocols and applications regardless of port. In addition, SonicWALL supplements its onboard signatures with additional malware detection capabilities using its Intelligent Cloud Malware Detection Engine. Flows susceptible to malware infection are tokenized by the RFDPI engine, and these tokens are then compared in real time, much like a high-speed DNS query, against a cloud database containing millions of malware signatures.


    In comparison. Cisco, Fortinet, Palo Alto Networks, and Juniper all have file count and/or size limitations for malware scanning that result in either significant performance penalties or traffic being allowed to pass without inspection. Malware scanning technologies for Check Point, Cisco, Fortinet, and Palo Alto Networks are limited to a relatively small subset of protocols. In addition, none of the competing solutions include cloud-based augmentation for malware scanni...

