Evaluation criteria for Next-Generation Firewalls

Transcription

1 Evaluation criteria for Next-Generation Firewalls This document outlines many of the important features and capabilities to look for when evaluating a Next-Generation Firewall (NGFW), in order to help product evaluators perform an accurate vendor comparison.

2 Table of contents 1 What to look for in a Next-Generation Firewall 3 2 Evaluation criteria For Next-Generation Firewalls 4 3 Stateful packet inspection features Zone-based policy control Default deny rules Bandwidth management Connection limiting Detection prevention Dynamic ports IP checksum enforcement Flood protection Multicast support QoS support SSL control Flexible Spi rules 5 4 VPN support Site-to-site VPN support Client Vpn support 6 5 VoIP support VoIP features 6 6 Security Deep packet inspection Additional security services Security Research Team 9 7 Complete support for application intelligence Application intelligence, control and visualization 10 8 Miscellaneous important features Important features 11 9 Easy to configure and manage Ease of configuration Ease of management Ease of monitoring/logging Wireless features Wireless support Company stability and maturity Reference customers Patents Analyst recognition Industry certifications Global support 13 2

3 1 What to look for in a Next-Generation Firewall Next-Generation Firewalls provide all the features of common Stateful Packet Inspection firewalls with the additional capabilities of identifying, visualizing and controlling applications regardless of port or protocol. Instead of setting access policy based on well-known ports or addresses, policy can now be set on a per-application-level basis for a particular user or group. The problem with traditional proxybased firewalls is that monitoring and control only takes place on proxyable ports, e.g., port 80 (web) or port 25 (SMTP). However, the majority of malicous traffic passes through the firewall on non-proxyable ports or is encrypted using SSL. The challenge is to design a Next-Generation Firewall that can provide full threat protection on any port with high performance and low latency using a single Deep Packet Inspection (DPI) engine including SSL inspection designed by an integrated Security Research Team (SRT). The criteria listed below are prerequisites of any Next-Generation Firewall used for application control. Organizations should be aware that many Next- Generation Firewall solutions provide only a few of the capabilities that Next-Generation Firewall technology enables. Such solutions might offer valuable functionality in some enterprises but cannot be considered a fully functional, versatile and scalable Next-Generation Firewall solution. 1. Full Stateful Packet Inspection (SPI) Capabilities. First and foremost is the requirement to match all the functions and controls of the existing SPI proxybased firewall. This includes policy creation and control, site-to-site VPN support, WAN failover and load balancing, 3G/4G WAN failover, IPSec and SSL VPN remote access support, central management, reporting and high availability including clustering. 2. Intrusion Prevention. Full Deep Packet Inspection capabilities provide protection from application vulnerabilities, buffer overflows and blended threats that can open up a network to exploits. Intrusion Prevention Services (IPS) protect against an array of networkbased application vulnerabilities and exploits from both internal and external threats. IPS monitors the network for malicious or anomalous traffic, then blocks or logs the traffic based on predefined and automatically updated conditions. Automatic updates ensure that new threats are dynamically blocked. 3. Application Identification and Control. Next-Generation Firewalls provide the ability to identify applications by unique signatures, regardless or port or protocol being used. Applications can be visually displayed in realtime to guarantee bandwidth prioritization and ensure maximum network security and productivity. Administrators can set granular controls on an application-level basis, along with prioritizing applications and throttle bandwidth or denying access 4. SSL Decryption and Inspection. Many threats today are being propagated over secure channels using SSL for encryption. Therefore, the ability to de-encrypt, inspect, and then re-encrypt SSL traffic is a critical function for a Next- Generation Firewall to provide. 5. User Identification. t only is the ability to provide application identification and control critical necessary for a Next-Generation Firewall, but this also needs to be tied to an organization s LDAP or Active Directory infrastructure. longer is it necessary to track down a source IP address to a physical user. Next-Generation Firewalls have the ability to support single sign-on and automatically link a user ID to an endpoint for access control and reporting. Next-Generation Firewalls are not just about application control Many organizations are looking at Next-Generation Firewalls as a way to secure access from external, public connections. In today s world, many threats originate on the inside from users on the corporate network accessing public websites like Facebook and YouTube. Next-Generation Firewalls allow IT organizations to authenticate, authorize, and scan network traffic in both directions ensuring secure access to all resources. How Next-Generation Firewalls stack up against traditional proxy-based firewalls Low latency Ability to scale to wire speeds Deep Packet Inspection across any port and protocol SSL inspection IPSec and SSL VPN support Layer 7 Application Control 3

4 1 What to look for in a Next-Generation Firewall (continued) 6. Gateway anti-virus and gateway anti-spyware. With respect to the strict definition of a Next-Generation Firewall, gateway-level eradication of malware is not required. However, the best solution provides bi-directional scanning of all traffic regardless of content size or the number of active sessions with automated signature updates. 7. Security research team. A Next- Generation Firewall is only as good as the application, IPS, and anti-malware signatures that are created. Vendors should have an integrated Security Research Team (SRT) that manually and automatically collect new application and malware samples, create new signatures, and then automatically push the signatures out to subscribed firewalls. In addition, the SRT should be an active member of various security organizations, such as the Microsoft Active Protections Program. 8. Support for extra firewall intelligence. The firewall should be able to consult off-appliance data sources to further bolster an organization s security posture. For example, IP reputation, web-filtering, and more can be augmented with the use of cloud-based intelligence 9. High performance, availability and scalability. Performing Deep Packet Inspection incurs a significant performance penalty in traditional proxy-based firewalls. In addition, many limitations arise in terms of the protocols, ports, and file sizes that can be scanned. A true Next-Generation Firewall needs to be able to perform Deep Packet Inspection at near wire speeds, across all port and protocols. In addition, it also needs to be able to scale up to today s 10 GbE networks. That means not just having 10 GbE ports on the firewall, but the ability to support 10 GbE throughput rates with full DPI enabled. 10. Third party certifications and reviews. Third party reviews and certifications from industry leading organizations, such as ICSA (Enterprise Firewall Certification) and the IPv6 Forum, are critical for any Next-Generation Firewall. Additional certifications, such as FIPS and Common Criteria, will also be required for government deployments. 11. Company stability, maturity and support. Finally, the stability and maturity of the vendor is crucial for any long-term purchase. Company performance, financial backing and customer account base are all key factors for the health of any vendor. In addition, for larger deployments, options like 24x7 support, native language technician and partner/ professional service offerings are all factors in any successful implementation and deployment. Automatic updates = lower administration costs Next-Generation Firewalls provide automated signature updates for applications, IPS and malware. This means that network administrators do not have to spend any time researching and loading new updates. 2 Evaluation criteria for Next-Generation Firewalls Tested NGFW appliance: NGFW appliance version: Date tested: 4

5 3 Stateful packet inspection features Highly flexible access control rules and other key features should form the base for the Stateful Packet Inspection features of any Next-Generation Firewall under consideration. Stateful package inspection features 3.1 Zone-based policy control Security zones, either physical or virtual, provide an additional, more flexible layer of security for the firewall. With zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. 3.2 Default deny rules By default, the solution should deny access from the LAN to the Internet, and block or deny all access from the WAN or DMZ to the private LAN network. 3.3 Bandwidth management Bandwidth management capability should allow administrators to assign guaranteed and maximum bandwidth to services, and prioritize traffic across all firewall interfaces. Using access control rules, bandwidth management can be applied to specific network traffic. 3.4 Connection limiting Connection Limiting offers an additional layer of security and control to throttle connections through the firewall via Access Control Rules. This feature can be used to mitigate Denial-of-Service (DoS) conditions or the spread of certain classes of malware that propagate by initiating connections to random addresses at atypically high rates. 3.5 Detection prevention Solution should provide various methods of avoiding various firewall detection tools. 3.6 Dynamic ports Support dynamic port transformations for applications that may use non-standard ports like FTP, Oracle SQLNET and RSTP. 3.7 IP Checksum enforcement Option to enforce header checksums for IP headers and UDP packets. 3.8 Flood protection SYN/RST/FIN Flood protection helps to protect hosts behind a firewall from DoS or Distributed DoS attacks that attempt to consume the host s available resources. 3.9 Multicast support Support for IP multicasting to allow one IP packet to be sent simultaneously to multiple hosts for use in multimedia applications and video conferencing QoS support Quality of Service (QoS) mechanism should be available, including bi-directional support for DSCP and 802.1p SSL control The firewall should have the ability to provide visibility into the handshake of SSL sessions and a method for constructing policies to control the establishment of SSL connections Flexible SPI rules Firewall rules should support the use of time-based scheduling, user/group inclusion and exclusion, bandwidth management, connection limiting, Geo-IP control, and QoS mapping with address objects that can define hosts, networks, ranges of IPs, and FQDN and MAC addresses. 5

6 4 VPN Support Support for VPNs, either site-to-site or client-to-site, is a critical component of any Next-Generation Firewall. Site-to-site VPNs support using IPSec is the industry standard, while both IPSec and SSL VPN are used for client-to-site access. 4.1 Site-to-site VPN support Third party interoperability Does the solution interoperate with other firewall vendors to support multi-vendor operations? DHCP over VPN DHCP over VPN allows the firewall to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks on one logical IP subnet, and create the appearance of all VPN networks residing in one IP subnet address space. This facilitates IP address administration for the networks using VPN tunnels Route-based VPN Route-based VPN uses a static or dynamic route configuration for VPNs instead of fixed policy configuration. This makes configuring and maintaining VPN policy simpler, and also allows for the definition of multiple paths for redundancy and backup purposes. 4.2 Client VPN support IPSec client An IPSec client should be available that supports both Windows and Mac OS, and provides strong authentication capabilities (e.g., two-factor authentication) SSL VPN client A SSL VPN client should be available that supports both Windows and Mac OS and provides strong authentication capabilities and granular access control Mobile devices Mobile Devices using the Android or ios operating systems should also be supported L2TP termination L2TP is an optional VPN method that should also be available on the firewall platform Virtual Assist Virtual Assist technology allows for remote user troubleshooting and assistance. This capability serves as a significant timesaver for support personnel, while adding flexibility in how they can respond to support needs. Users can allow or invite customers to join a queue to receive support, then virtually assist each customer by remotely taking control of a customer s computer to diagnose and remedy technical issues. 6

7 5 VoIP Support A Next-Generation Firewall should provide full support for Voice over IP (VoIP) services. Due to the complexities of VoIP signaling and protocols, as well as inconsistencies that are introduced when a firewall modifies source address and source port information with Network Address Translation (NAT), it is difficult for VoIP to effectively traverse a standard firewall. 5.1 VoIP features SIP and H.323 Full support for SIP and H.323 is required for VoIP functionality Traffic legitimacy Stateful inspection of every VoIP signaling and media packet traversing the firewall should take place to ensure all traffic is legitimate Application layer protection for VoIP protocols Full protection from application-level exploits should be provided via VoIP-specific signatures designed to prevent malicious traffic from reaching protected VoIP phones and servers DoS and DDoS attack prevention Prevention of DoS and DDoS attacks, such as the SYN Flood, Ping of Death, and LAND (IP) attack, which are designed to disable a network or service Stateful monitoring Ensures that packets, even though valid themselves, are appropriate for the current state of their associated VoIP connection Encrypted device support The device should be capable of using encryption to protect media exchange within a VoIP conversation or secure VoIP devices that do not support encrypted transport Application layer protection The Deep Packet Inspection engine should detect and prevent attacks from application-level VoIP exploits Call tracking and quality monitoring Call status table should be visible to the administrator to display information about active VoIP connections Control unauthorized or spam calls Ensure that incoming calls are authorized and authenticated by the H.323 Gatekeeper or SIP Proxy and that the device can block unauthorized and spam calls. 7

8 6 Security A Next-Generation Firewall should provide a variety of integrated security and Deep Packet Inspection capabilities. The best solution can protect a network against modern attack vectors and exploits. 6.1 Deep packet inspection SIP and H.323 Full support for SIP and H.323 is required for VoIP functionality Flow-based packet processing Solution should have a flow-based or reassembly-free architecture that does not involve the proxying of packets for scanning file size limitations The Deep Packet Inspection engine should have no file size limitations in that it can scan any size file over any protocol with no buffering of packets Intrusion prevention Bi-directional IPS protection across key network services, such as web, , file transfers, Windows services and DNS Gateway anti-virus Real-time virus protection that inspects all traffic that traverses the firewall in a bi-directional manner. This support should include multiple application protocols as well as generic TCP streams and compressed traffic Gateway anti-spyware Solution should provide protection from intrusive spyware by cutting off spyware installations and delivery at the firewall and denying previously installed spyware from communicating collected information outbound Content filtering/url filtering Enforce policies to block objectionable, inappropriate, or unproductive web content by selected category or custom definition SSL inspection Decryption and inspection of all SSL traffic in both inbound and outbound directions SSO integration Solution provides support for monitoring Windows domain log-ins to capture user ID information for reporting and analysis. This should include: Support for Windows, Mac and Linux Agent-based SSO NTLM browser-based authentication SSO Browser-based manual authentication 8

9 6 Security (continued) 6.2 Additional security services DNS rebinding attack prevention Solution should prevent DNS Rebinding attacks that register a domain to an attacker s DNS server, thus subverting a browser s same-origin policy MAC-IP anti-spoof protection MAC-IP Anti-Spoof protection should be provided to eliminate spoofing attacks at OSI Layers 2 and 3. This should be accomplished by providing both admission control capabilities and the elimination of spoofing attacks Integrated client anti-virus The firewall should have the ability to constantly monitor each endpoint to check the version of the virus definition file, and automatically trigger the download and installation of a new virus definition files if necessary. In addition, user access to the Internet can be blocked until the endpoint is in compliance with the company virus protection policy Real-time black lists RBL filtering is a requirement for anti-spam capabilities on the Next-Generation Firewall Geo-IP filter Filtering capabilities should be available to control connections to or from a geographic location Botnet filter Botnet filtering allows the blocking of connections to or from botnet command-and-control servers DLP Data leak prevention should be provided to scan all outbound packets for confidential markings, bookmarks, or patterns using a regular expression processor. 6.3 Security Research Team Company controlled research Next-Generation Firewall vendor should have an integrated Security Research Team using company employees and intellectual property Automated sandbox environment Security Research Team should have an automated sandbox environment and processes to collect, analyze and create signatures for new malware within minutes of detection Dynamic updating Signature updates should be pushed out automatically to the Next-Generation Firewall with no administrative intervention Cloud-based signatures A cloud-based security offering should be available to provide an unlimited number of signatures that can be scanned in realtime from the firewall Real-time statistics Real-time statistics should be available from the firewall showing active threats, viruses, intrusions and spyware as determined by the Security Research Team Sample submission An easy method should be provided to submit malware samples or network traces to the Security Research Team for signature creation. 9

10 7 Complete support for application intelligence Next-Generation Firewalls should provide for compete application control, around the areas of Application Intelligence, Control, and Visualization. 7.1 Application intelligence, visualization and control SIP and H.323 Full support for SIP and H.323 is required for VoIP functionality Real-time monitoring Real-time Monitoring of applications flowing through the Next-Generation Firewall in addition to ingress/ egress bandwidth, packet rates, packet size and connection rates Data analysis Integrated data analysis features to allow for easy reporting of application data or filtering by specific user or application Data exporting Easy method of exporting data for quick reporting in CSV format Detailed reporting Detailed summary report of all collected data should be easily accessible from the management console or external reporting mechanism Tabular/pie charts Linear tables, pie charts or graphs of all collected data should be available for easy visual analysis Easy application rule setting To enable quick policy changes, rule creation should be allowed to block or bandwidth-manage a particular application Application control Beyond just identifying and controlling an application, specific features within an application should also be controllable (e.g., allowing Yahoo IM, but not file transfers through IM). 10

11 8 Miscellaneous important features The best solution should have a number of other features required for best-of-class deployments. 8.1 Important features IPv6 Support for IPv6 that is certified by the IPv6 Forum Multi-WAN Ability to support two or more WAN connections without additional cost or licenses WAN failover Automated failover to backup WAN interfaces in the event of a primary WAN failure WAN Load balancing Support for outbound load balancing across multiple WAN links is another important feature Dynamic DNS Dynamic DNS support for WAN links High availability Support for both Active/Passive, Active/Active, and clustered high availability configurations with stateful synchronization. In addition, leading Next-Generation Firewalls offer Active/Active UTM where connections are handled by a primary node while the CPU cores of the both nodes are utilized for Deep Packet Inspection G/4G modem failover In the event of a primary WAN failure, built-in 3G/4G Modem backup is provided to allow a seamless transition to a cellular network provider WAN acceleration integration Integrated WAN acceleration offerings are available that are deployed in one-arm mode off the Next Generation Firewall. Full Deep Packet Inspection security services are provided for all accelerated traffic passing through the firewall GbE support 10 GbE support is imperative to meet core and upcoming edge network requirements. The presence of 10 GbE ports is not sufficient, as the Next-Generation Firewall must be able to support 10 GbE throughput with all security services enabled Central Management Console For distributed environments, a centralized management console must be available for central monitoring, management, logging and reporting. 11

12 9 Easy to configure and manage The best solution provides an intuitive interface to configure the Next-Generation Firewall appliance, and ongoing management provides information the administrator needs easily and efficiently. 9.1 Ease of configuration Setup wizards Setup can be performed quickly and easily leveraging a web-based setup wizard that walks the administrator through the common configuration tasks Object-based architecture Administrative objects can be created and grouped for easier administration to avoid repetitive tasks Safemode configuration Ability to place the Next-Generation Firewall in a safe mode to quickly recover from uncertain configuration states. 9.2 Ease of management Web-based management Administrative tasks handled via web-based interface with no need for additional hardware or software clients and agents Simple upgrades Simple upgrades are built into the management console, with fail-safe rollback capabilities Import/export utility Solution provides an import/export utility to synchronize configuration information across multiple Next- Generation appliances. 9.3 Ease of monitoring/logging Log viewer Solution should support a log viewer that makes it easy to view and filter log files Log export A one-button export of filtered log files, or export entire log files using syslog, should be available Enterprise MIB A product-specific MIB to provide metrics to third-party management tools should be available Graphical monitoring Solution should support system metrics displayed graphically from the main management console to make it quick and easy for the administrator to view and analyze key data Flow reporting Solution should support both NetFlow and IPFIX standards for application flow and Deep Packet Inspection reporting to external third party collectors. 12

13 10 Wireless features The best solution provides support for wireless deployments with full security services available for wireless users Wireless support Integrated wireless Wireless support for the latest generation wireless protocols that is integrated into the Next-Generation Firewall for remote, small office deployments Distributed wireless Next-Generation Firewall acts as a wireless controller for distributed wireless access point deployments Multiple SSIDs Capability to provide multiple isolated SSID s for internal and external wireless traffic Guest access Ability to provide customized guest authentication via internal and/or external repositories Wireless security Deep Packet Inspection and application control for all wireless traffic, wireless IDS, and MAC enforcement Fairnet Ability to ensure that all wireless users receive an equal amount of available bandwidth (wireless client load balancing). 11 Company stability and maturity The best solution is built by an established technology vendor with strong customer support and analyst recognition. Company stability and maturity 11.1 Reference customers Company provides easy access to customer references and case studies Patents Company has a strong patent portfolio protecting key technologies used in their Next-Generation Firewall Analyst recognition Company receives ongoing validation for product vision and overall execution by recognizable analysts Industry certifications Company has industry certifications on Next-Generation Firewall technology from reputable sources like ICSA Global support Company provides global support options staffed by knowledgeable technicians 24x7. Copyright 2012 Dell, Inc. All rights reserved. Dell SonicWALL is a trademark of Dell, Inc. and all other Dell SonicWALL product and service names and slogans are trademarks of Dell, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective owners. 07/12 DSNWL 0215TM