Hardening the Education IT Environment with NGFW
Narongveth Yutithammanurak, Business Development Manager
23 Feb 2012
Technology Trends
- Security
- Performance
- Bandwidth efficiency
- Manageability
What are students and staff doing?
- Web surfing
- Twitter, Facebook
- Downloading files
- Instant messaging
- Streaming video
- Streaming audio
- Playing games online
- Personal email
These things we know?

  User           Port   Protocol  Application
  -------------  -----  --------  ----------------
Port 80 is much more than web browsing:
  203.12.145.34  80     HTTP      Web browsing?
  Anna Stand     80     IM        Yahoo-IM
Port 443 is an encrypted mystery:
  124.50.13.45   443    HTTPS     Secure banking?
  Paul Donson    443    Email     Google Gmail
Other ports are being exploited:
  224.100.30.6   5060   SIP       VoIP?
  John Buly      20129  P2P       Orbit downloader
Beyond Threats
- Most traffic is not threat-based; it is application and data
- An application can be good, bad or in-between
  - Good: salesforce.com
  - Bad: badworm.exe
  - In-between: P2P, streaming video & audio
Common Questions to Admins
- Where is this TRAFFIC coming from?
- What APPLICATIONS are really on the network?
- Where is ALL my BANDWIDTH going?
- What are the THREATS?
Device Expectations
- Application awareness and visibility
- Integrated full IPS without compromising performance
- Intelligence to identify users
- Standard firewall capabilities
- Multiple deployment options
Next Generation Firewall
NGFW Definition
- Stateful inspection
- Intrusion prevention
- Application control
- SSL decryption/inspection

"By year-end 2014, [Next-Generation Firewall] will rise to 35% of the installed base, with 60% of new purchases being NGFWs."
Source: Gartner NGFW research note
What an NGFW should do
- Identify applications and users regardless of port
  - Ports ≠ Applications
  - IP addresses ≠ Users
  - Packets ≠ Content
- Protect in real time against threats
- Granular visibility and policy control over application access and functionality
- Multi-gigabit throughput with no performance degradation
Control Network, Users & Traffic
- Bandwidth: manage or block
- By user or group, with exceptions
- By schedule
- By application (category, application, function)
Architecture and Engine
Architecture makes a difference
NGFW Technology

Next generation requirements:
- Consolidated and integrated security technology
- Application visibility: inspection of real-time and latency-sensitive applications/traffic
- Scalable and high-performing enough to protect against perimeter and internal network challenges

Solution features:
- Multi-tiered protection technology
- Patented Reassembly-Free DPI (RFDPI)
- Multi-core high-performance architecture
RFDPI Engine
Dynamic Security Architecture
1. DPI protects against network risks
2. Multi-core scanning in real time
3. Dynamic network protections
Procedures
NGFW Features
- Application intelligent control
- Gateway security
- Intrusion Protection Service (IPS)
- Anti-Virus and Anti-Spyware
- URL Filtering Service
- Bandwidth management (QoS)
- User authentication
Application intelligent control
Application Visibility
- Important apps
- Unimportant apps
Powerful Application Policy Creation
- Allow IM, but block file transfer
- Allow Facebook, but block Farmville
- Allow Facebook, but block all Facebook applications
Application Use Enforcement
- Policy: all staff must use IE 9.0
- Mission: ensure all PCs are using IE 9.0
- Solution: create a policy that looks for User-Agent = MSIE 9.0 in HTTP; allow IE 9.0 traffic and block other browsers
Deny FTP Upload
- Need to make sure that authorized staff can upload files and no one else can
- Create a policy that allows FTP PUT only for certain people
Block Forbidden Files and Notify
- Stop an EXE file from being downloaded as an email attachment or transferred via FTP
- Create a policy to block forbidden file extensions
Keep P2P Under Control
- P2P applications steal bandwidth and bring malicious files with them
- A P2P application simply changes a version number
- Create a policy to detect P2P applications
Application Flows
Application Flows (Table View)
User Flows
Gateway Security
Intrusion Protection Service (IPS)
- Application vulnerabilities, buffer overflows
- Scanning for worms, Trojans, software vulnerabilities, backdoor exploits and other types of malicious attacks
- Utilizes a comprehensive signature database
- Focusing on known malicious traffic decreases false positives, increasing network reliability and performance
Gateway Anti-Virus and Anti-Spyware
- High-performance engine scans for viruses, spyware, worms, Trojans and application exploits
- Continually updated database of threat signatures
- Inter-zone scanning also delivers protection between internal network zones
Content Filtering Service
Content Filtering Service
- Granular content filtering
- Dynamically updated rating architecture
- Application traffic analytics
- Easy-to-use web-based management
- High-performance web caching and rating architecture
- IP-based HTTPS content filtering
- Scalable, cost-effective solution
Bandwidth Management
Managing Streaming Video
- For sites such as YouTube, blocking the site might work, but the best answer could be to limit the bandwidth
- Create a policy to limit streaming video
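Added example (not part of the original deck): a small first-match policy evaluator in Python that applies the application-control rules from the slides above (IM file transfer, Farmville, FTP PUT for authorised staff only, EXE blocking, IE 9.0 User-Agent enforcement) together with the streaming-video bandwidth limit to constructed flow records. The Flow/Rule field names, the user names, the "email"/"http" application labels and the 512 kbps figure are assumptions, not product configuration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    """One connection as an app-aware firewall would classify it (constructed)."""
    user: str             # identity from directory integration, not an IP address
    app: str              # application identified by DPI, e.g. "facebook", "ftp"
    function: str = ""    # application sub-function, e.g. "file-transfer", "PUT"
    user_agent: str = ""  # HTTP User-Agent header, if any
    filename: str = ""    # name of a transferred file, if any

@dataclass
class Rule:
    name: str
    action: str                        # "allow", "block" or "limit:<kbps>"
    app: Optional[str] = None          # None matches any application
    function: Optional[str] = None     # None matches any function
    users: Optional[set] = None        # None matches any user
    ext: Optional[str] = None          # required file extension, e.g. ".exe"
    ua_contains: Optional[str] = None  # required User-Agent substring

    def matches(self, f: Flow) -> bool:
        return ((self.app is None or f.app == self.app)
                and (self.function is None or f.function == self.function)
                and (self.users is None or f.user in self.users)
                and (self.ext is None or f.filename.lower().endswith(self.ext))
                and (self.ua_contains is None or self.ua_contains in f.user_agent))

# Constructed policy, evaluated top-down, first match wins: the EXE rules sit above
# the FTP allow rule, and the IE 9.0 allow sits above the catch-all browser block.
POLICY = [
    Rule("block EXE email attachments", "block", app="email", ext=".exe"),
    Rule("block EXE over FTP", "block", app="ftp", ext=".exe"),
    Rule("block IM file transfer", "block", app="yahoo-im", function="file-transfer"),
    Rule("block Farmville", "block", app="facebook", function="farmville"),
    Rule("allow FTP upload for authorised staff", "allow", app="ftp", function="PUT",
         users={"anna", "paul"}),
    Rule("deny FTP upload for everyone else", "block", app="ftp", function="PUT"),
    Rule("allow IE 9.0 browsing", "allow", app="http", ua_contains="MSIE 9.0"),
    Rule("block other browsers", "block", app="http"),
    Rule("limit streaming video", "limit:512", app="youtube"),
]

def decide(flow: Flow, policy=POLICY):
    """Return (action, rule name) for the first matching rule; default is allow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "allow", "default"
```

Rule order is the whole point: moving the FTP allow rule above the EXE rule would let an authorised user upload an executable, which is the kind of ordering mistake worth checking with a few test flows before deploying a real policy.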
Control Bandwidth
User Authentication
Directory Integration
- Users are no longer defined solely by IP address
- Manage and enforce policy based on user and/or AD group
- Understand user application and threat behavior based on AD and LDAP
Internal DB / Single Sign-on Users
Protection Visions
Topology #1: Many-to-One (Datacenter)
- Protect servers from the outside
- IPS feature applied, focusing on known malicious traffic
Topology #2: Many-to-Many (External)
- Protect users surfing the internet
- Outbound protection
- Control application usage
- Shape user bandwidth
Topology #3: Many-to-Many (Internal LAN)
- Concept for internal protection: users to datacenter / server farms
- Protect servers from malware infection
- Restrict user access
Solutions
Best Practices
- First, identify and block all bad applications
- Second, safely enable all good applications
- Solid research and support for fast deployment of new protections
- Sustained high-performance firewall + IPS platform
Buyer Models
- Customer Premise Equipment (CPE)
- As-a-Service
Providers
- System Integrator
- MSSP
Difference

System Integrator:
- Hardware ownership (CPE)
- One-time implementation
- MA provided
- Admin maintenance

MSSP:
- Low cost of ownership (As-a-Service)
- One-time implementation
- Device management
- Security monitoring
- Security analyst
- Proactive maintenance
- Aligned with SLA
Summary: Benefits of NGFW
- All-in-one functionality
- Greater visibility and control
- Simplified management
- Better security
- Lower total cost of ownership
Questions
www.i-secure.co.th