BUILDING A NEXT-GENERATION FIREWALL


How to Add Network Intelligence, Security, and Speed While Getting to Market Faster

EXECUTIVE SUMMARY

Your clients are on the front line of cyberspace, and they need your help. Faced with new threats every day, their job is to keep their networks safe, secure, and fast. They look to you to help them accomplish that goal, which is why you need to make sure you are providing them with the tools to be successful when they need them. A next-generation firewall (NGFW) is one of those tools.

Generally speaking, an NGFW needs to offer security and flexibility at a granular level, with uncompromised performance, to keep up with today's network needs. This means an NGFW needs to do more than execute instructions to block ports and specify which IP addresses you do and do not want to allow. Moreover, building the NGFW into a dedicated device may not provide the agility needed to meet your clients' demands, which is why deploying in software allows your solution to be more flexible and robust.

In today's world, security needs to be much more sophisticated than ever before. The NGFW needs to be able to perform deep packet inspection (DPI) on all necessary packets, and not only recognize the applications driving the traffic (Skype, Netflix, etc.) but also look for complex patterns. With this information it must prioritize, and in some cases deny access, based on things like user, location, and packet signature. The NGFW also needs to be able to learn what to allow and what to block in the future. On top of all this, it needs to be fast and able to scale. Even though the level of data inspection required is significant, the network must still be able to maintain high performance.

TABLE OF CONTENTS
- Executive Summary
- Match the Pattern, Adjust the Flow
- Fewer Steps for Higher Performance
- Additional Functions and Considerations
- Wind River Intelligent Network Platform
- Conclusion

So how do you accomplish all this? To add security and intelligence to your clients' network without compromising performance, your system needs to allow for the following:
- Consolidation of services and applications, for the benefit of a more comprehensive solution
- Consolidation of technologies, for the benefit of better overall performance
- Integrated policy enforcement
- Ability to scale

In addition to the elements above, time-to-market is critical. An important question network security appliance providers need to ask themselves is: what do I make, and what do I buy? And how do you keep it current in this ever-changing landscape? This paper discusses these issues and offers a solution for a technology stack to achieve these benefits.

MATCH THE PATTERN, ADJUST THE FLOW

In addition to performing all the functions of a traditional firewall, some of the key features of an NGFW as defined by Gartner are integrated deep packet inspection, intrusion detection, application identification, and granular control. An NGFW needs DPI capabilities to extract huge amounts of data quickly in order to make informed decisions and take action. Some of the things the appliance needs to know are:
- What application is this?
- What user is this?
- What website is the user visiting?
- What can I learn about the individual packets?

As part of the DPI process, the data goes through a pattern matching function. Effective pattern matching is the ability to match large groups of regular expressions against blocks or streams of data; in this case, to identify malware. The data is matched against a rules database provided by DPI and security experts in order to conclude whether the flow is good or malicious. If it is malicious, the NGFW will block it, reroute it to a trusted zone, or forcefully terminate it. If it is good, the NGFW will determine and apply quality of service (QoS) policies to the block or stream as needed (e.g., for a bandwidth issue or a service guarantee).
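The passage above describes matching a large group of regular expressions against a stream of data and turning the hits into a block, terminate, or QoS decision. The following Python example is added here to illustrate that; it is not Wind River's code or part of the original paper, and the signature database, signature names, actions, and sample HTTP flows are all constructed for illustration. It compiles every signature into one alternation so the stream is traversed a single time, and carries the tail of each chunk forward so a pattern that straddles two TCP segments (which a per-packet matcher would miss) is still found without being reported twice.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Constructed, hypothetical rules database: name -> (regex, longest possible match, action).
# A production database is supplied by DPI/security experts and is far larger; the
# "longest possible match" bound tells the matcher how many bytes to carry between chunks.
SIGNATURE_DB: Dict[str, Tuple[bytes, int, str]] = {
    "demo_malware_beacon": (rb"BEACON-ID-[0-9A-F]{8}", 18, "terminate"),
    "demo_policy_violation": (rb"X-Demo-Exfil: (yes|true)", 20, "block"),
    "demo_bulk_video": (rb"Content-Type: video/(mp4|webm)", 24, "qos_bulk"),
}

# Ordering of verdicts: malware handling beats policy blocks, which beat QoS shaping.
PRIORITY = {"terminate": 3, "block": 2}


@dataclass
class Hit:
    signature: str
    action: str
    offset: int  # absolute byte offset of the match within the whole stream


@dataclass
class Verdict:
    action: str  # "allow", "block", "terminate", or a QoS class such as "qos_bulk"
    hits: List[Hit] = field(default_factory=list)


class StreamMatcher:
    """Scans a stream once against every signature at the same time.

    All patterns are compiled into one alternation of named groups, so the data is
    traversed a single time, and the tail of the previous chunk is kept so a pattern
    that straddles two TCP segments is still found (and never reported twice)."""

    def __init__(self, db: Dict[str, Tuple[bytes, int, str]]):
        self._actions = {name: action for name, (_, _, action) in db.items()}
        alternation = b"|".join(
            b"(?P<%s>%s)" % (name.encode(), pat) for name, (pat, _, _) in db.items())
        self._regex = re.compile(alternation)
        self._carry_len = max(max_len for _, max_len, _ in db.values()) - 1
        self._carry = b""
        self._consumed = 0  # absolute offset of the first byte not yet seen

    def feed(self, chunk: bytes) -> List[Hit]:
        buf = self._carry + chunk
        base = self._consumed - len(self._carry)  # absolute offset of buf[0]
        hits = []
        for m in self._regex.finditer(buf):
            if base + m.end() <= self._consumed:
                continue  # lies entirely in the carried tail: reported on the previous call
            hits.append(Hit(m.lastgroup, self._actions[m.lastgroup], base + m.start()))
        self._consumed += len(chunk)
        self._carry = buf[-self._carry_len:] if self._carry_len else b""
        return hits


def classify_stream(chunks: Iterable[bytes], db=SIGNATURE_DB) -> Verdict:
    """Feeds a flow through the matcher chunk by chunk and returns the NGFW's decision:
    block/terminate on malicious hits, a QoS class on benign ones, allow otherwise."""
    matcher = StreamMatcher(db)
    verdict = Verdict("allow")
    for chunk in chunks:
        for hit in matcher.feed(chunk):
            verdict.hits.append(hit)
            if PRIORITY.get(hit.action, 0) > PRIORITY.get(verdict.action, 0):
                verdict.action = hit.action
            elif verdict.action == "allow" and hit.action.startswith("qos_"):
                verdict.action = hit.action
    return verdict


# Constructed sample flows. The beacon ID in the first one is split across two segments.
SPLIT_BEACON_FLOW = [
    b"GET /update HTTP/1.1\r\nHost: example.invalid\r\nX-Req: BEACON-I",
    b"D-1234ABCD\r\n\r\n",
]
VIDEO_FLOW = [b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\n\r\n", b"\x00" * 64]
CLEAN_FLOW = [b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"]

if __name__ == "__main__":
    for name, flow in [("split beacon", SPLIT_BEACON_FLOW), ("video", VIDEO_FLOW), ("clean", CLEAN_FLOW)]:
        v = classify_stream(flow)
        print(f"{name:12s} -> {v.action:10s} {[h.signature for h in v.hits]}")
```

The carry length is one byte less than the longest match any signature can produce, which is the minimum that guarantees a split match is seen whole; the absolute-offset check is what keeps a match found inside the carried bytes from being counted a second time.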
This process of data extraction, analysis, and pattern matching is where the heavy lifting occurs in your device, so the DPI tool needs to be robust and efficient. Almost every security tool built for a specific function, such as intrusion prevention systems (IPS), stateful firewalls, data loss prevention, antivirus, web application firewalls (WAF), and so on, requires pattern matching. Many still suffer from significant overhead, which compromises performance.

FEWER STEPS FOR HIGHER PERFORMANCE

Beyond pattern matching, your appliance needs to be aware of which applications are flowing, or attempting to flow, through your system. For that you must have a way to compare the traffic flows with known sites, applications, and protocols such as HTTP, HTTPS, and TCP. With this awareness, your appliance can understand the data coming through and then systematically take action, such as dropping certain packet types once they are identified, or cutting off a flow completely if malware is discovered, without the need for further DPI. It is important to ensure your tool references a comprehensive list of applications and is actively updated to stay current. By learning the behavior of the network, you can better handle advanced persistent threats (APTs) by tracking and being aware of anomalies.

But trouble occurs when you have multiple checkpoints along the way to extract, analyze, and take action on this data. The DPI function described above, when deployed in traditional systems, may involve examining each packet multiple times using different engines. This sort of inefficient flow requires multiple cycles, adds latency, and causes a severe bottleneck. For example, you may have a QoS entity run through all the QoS algorithms and determine you need to apply x amount of bandwidth to a flow, only to discover you need to drop that flow once it runs through the IPS. But it doesn't have to be that way.
A better approach is to consolidate the logic and combine the outputs from several services into a single-pass architecture to increase performance. By consolidating the logic and applying a cascading mechanism, a security company could apply its signature databases (for application awareness, malware identification, and partially even for APTs, zero-day attacks, network abnormalities, etc.) all at once to a pattern matching engine, an application ID engine, and other plugins, depending on what you elect to put in the cascade. To maximize performance, you accumulate information relating to multiple security functions, then analyze all the results together and provide comprehensive contextual security (i.e., enforcement) by dropping flows, blocking applications, prioritizing data streams, and so on.

Extensibility: Cyber crime is anything but static. In response to the ever-evolving methods used by cyber criminals, new security services appear all the time. You must be able to frequently, and seamlessly, augment an existing security service chain with new services as they become available.

What about denial of service attempts? The appliance can't protect the network if it succumbs to an attack. So as much as the NGFW needs to protect the network, it also needs to protect itself.

[Figure 1: Network acceleration, deep packet inspection, and packet identification in one system. Labels recovered from the diagram: ingress network traffic; classifier (Flow 1 to Flow 5); protocol identifier (HTTPS, IM, VoIP, proprietary, video; decrypt; HTTP); application identification (web, email, P2P); flow analysis engine (classification, protocol ID, application ID); content inspection engine (pattern matching: fixed string, RegEx, signature DB); application acceleration engine (throughput, security, latency).]

ADDITIONAL FUNCTIONS AND CONSIDERATIONS

In addition to the core DPI capabilities discussed above, there are a few more supporting functions worth mentioning:

Encryption and decryption: Some traffic is sensitive and therefore needs to go through a process of encryption and/or decryption, depending on the flow direction and the data. Whether the data needs to be encrypted so that those who are unauthorized cannot understand it, or decrypted back to its original form, this process needs to happen quickly. Ideally you would be able to accelerate the offloading of the tasks of encrypting and decrypting sensitive traffic.

Hitless updates: Updating the security database on the fly is key to any security system. Chances are your clients can't afford to take their systems offline in order to install an upgrade. A pluggable architecture is not only straightforward and dependable, but also makes the task of updating the database amount to replacing one plugin instance with another.

Where is the ideal place to put it? And how do you design your solution once and leverage it across multiple products, large or small? By implementing DPI in software, you can put it anywhere and scale it to the size you need. Whether you are creating a dedicated physical device or putting your services in the cloud, software is flexible enough to go where you need it.

WIND RIVER INTELLIGENT NETWORK PLATFORM

Clearly there is much to consider when building an NGFW. Building a robust DPI tool that can perform the functions described in this paper takes time and considerable expertise. The question is: how do you want to differentiate your product? On the DPI infrastructure, or is your secret sauce in the business intelligence in your application layer? In other words, does it make sense for you to spend your time fine-tuning a DPI engine, or could you focus your efforts on your innovative, transformative business intelligence apps and get your product to market much sooner by using an existing, extensible framework that provides the tools you need?
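As an added illustration of the single-pass cascade and the hitless, plugin-based database update described in the sections above (example code, not Wind River's and not part of the original paper; the protocol heuristics, host-to-application map, policy sets, signature rules, and sample flows are all hypothetical and constructed), the following Python program runs each flow through protocol identification, application identification, and content inspection exactly once, with every stage enriching one shared context, and takes the enforcement decision only at the end, so no QoS work is done for a flow that the content inspection stage will drop. Swapping in a new SignaturePlugin instance updates the rules between flows without stopping the pipeline.

```python
import re
import threading
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class FlowContext:                      # everything the cascade learns about one flow
    flow_id: int
    dst_port: int
    payload: bytes                      # first segment of the flow (constructed sample data)
    protocol: Optional[str] = None
    application: Optional[str] = None
    threats: List[str] = field(default_factory=list)
    db_version: Optional[str] = None    # which signature database inspected this flow

# Stage 1: protocol identifier (hypothetical heuristics, just enough for the sample flows).
def identify_protocol(ctx: FlowContext) -> None:
    if ctx.payload.startswith((b"GET ", b"POST ", b"HTTP/")):
        ctx.protocol = "http"
    elif ctx.dst_port == 443 and ctx.payload[:1] == b"\x16":
        ctx.protocol = "tls"            # TLS record type 0x16 is a handshake record
    else:
        ctx.protocol = "unknown"

# Stage 2: application identifier, reusing what stage 1 decoded instead of parsing again.
HOST_TO_APP = {b"video.example.invalid": "demo_video", b"chat.example.invalid": "demo_chat"}

def identify_application(ctx: FlowContext) -> None:
    if ctx.protocol != "http":
        ctx.application = "unknown"
        return
    m = re.search(rb"\r\nHost: ([^\r\n]+)", ctx.payload)
    ctx.application = HOST_TO_APP.get(m.group(1), "web_other") if m else "web_other"

# Stage 3: content inspection against a pluggable signature database.
class SignaturePlugin:
    """One compiled rules database; a new version is a new instance, never an edit in place."""
    def __init__(self, version: str, rules: Dict[str, bytes]):
        self.version = version
        self._rules = [(name, re.compile(pat)) for name, pat in rules.items()]

    def scan(self, payload: bytes) -> List[str]:
        return [name for name, rx in self._rules if rx.search(payload)]

class ContentInspector:
    def __init__(self, plugin: SignaturePlugin):
        self._plugin = plugin
        self._lock = threading.Lock()

    def swap(self, new_plugin: SignaturePlugin) -> None:
        """Hitless update: replace the plugin reference; no restart, no drained queue."""
        with self._lock:
            self._plugin = new_plugin

    def inspect(self, ctx: FlowContext) -> None:
        with self._lock:
            plugin = self._plugin       # take the reference once, then scan outside the lock
        ctx.threats.extend(plugin.scan(ctx.payload))
        ctx.db_version = plugin.version

# Enforcement: one decision, taken only after every stage has enriched the context.
BLOCKED_APPS = {"demo_chat"}            # constructed policy: application not allowed
BULK_APPS = {"demo_video"}              # constructed policy: shape as bulk traffic

def enforce(ctx: FlowContext) -> str:
    if ctx.threats:
        return "drop"                   # malware outranks any QoS decision
    if ctx.application in BLOCKED_APPS:
        return "block_app"
    if ctx.application in BULK_APPS:
        return "allow_qos_bulk"
    return "allow"

class SinglePassPipeline:
    def __init__(self, inspector: ContentInspector):
        self.stages = [identify_protocol, identify_application, inspector.inspect]

    def process(self, ctx: FlowContext) -> str:
        for stage in self.stages:       # each engine runs once; none re-examines the packet
            stage(ctx)
        return enforce(ctx)

# Constructed signature databases (v2 adds one rule) and sample first segments.
RULES_V1 = {"demo_beacon": rb"BEACON-ID-[0-9A-F]{8}"}
RULES_V2 = dict(RULES_V1, demo_exfil=rb"X-Demo-Exfil: (yes|true)")

def make_flows() -> List[FlowContext]:
    return [
        FlowContext(1, 80, b"GET /v/clip.mp4 HTTP/1.1\r\nHost: video.example.invalid\r\n\r\n"),
        FlowContext(2, 80, b"GET /c HTTP/1.1\r\nHost: chat.example.invalid\r\n\r\n"),
        FlowContext(3, 80, b"POST /u HTTP/1.1\r\nHost: www.example.invalid\r\nX-Demo-Exfil: yes\r\n\r\n"),
        FlowContext(4, 443, b"\x16\x03\x01\x00\x05hello"),
    ]

def run_demo() -> Dict[str, Dict[int, str]]:
    # Process the sample flows, swap in the v2 database, and process them again.
    inspector = ContentInspector(SignaturePlugin("v1", RULES_V1))
    pipeline = SinglePassPipeline(inspector)
    before = {f.flow_id: pipeline.process(f) for f in make_flows()}
    inspector.swap(SignaturePlugin("v2", RULES_V2))
    after = {f.flow_id: pipeline.process(f) for f in make_flows()}
    return {"v1": before, "v2": after}
```

Calling run_demo() shows flow 3 passing under the v1 database and being dropped once v2 is swapped in, while flows 1, 2, and 4 keep their decisions; the swap is a single reference assignment under a lock, so a flow already in the inspect stage finishes with the version it started with rather than a half-replaced database.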

Wind River Intelligent Network Platform is a DPI and packet acceleration framework that provides security, intelligence, and performance to next-generation physical or virtual network security appliances. It is a fully scalable, software-based platform that can be used as a separate virtual network function, with or without service chaining.

DPI comes in two forms: communications DPI (flow classification) and security DPI (pattern matching). Most DPI implementations provide one or the other. Intelligent Network Platform has them both, integrated into one solution that also includes packet acceleration. Wind River Application Acceleration Engine leverages the Intel Data Plane Development Kit (Intel DPDK) to accelerate networking applications, protocols, and security components such as DPI. Intelligent Network Platform's unique combination of DPI and packet acceleration capabilities offers multiple benefits, including substantial performance gains for layer 3 packet throughput and layer 4 protocol handling over the native Linux network stack.

Using best-of-breed tools, our software is optimized for real-life scenarios where you may have millions of concurrent flows and high volumes of traffic, and make no mistake, software does not equal slow. In fact, we provide the means for processing the traffic, extracting data, and matching the enormous number of conditions you need to match against the traffic five times faster than standard Linux-based in-house alternatives. Your code is then responsible for taking this data and applying the security rules to arrive at a conclusion. Once that conclusion is made, you translate it into policy enforcement (e.g., block, pass, regulate). From there, it comes back to our tools to direct the traffic as needed. In addition to an NGFW, Intelligent Network Platform integrates into a broad array of security devices, including those built on dedicated hardware or deployed in the cloud.

Integrating Intelligent Network Platform into your security device gives you a one-of-a-kind DPI solution that offers maximum flexibility and future-readiness through a pluggable architecture and service-chaining support. And our best-in-class infrastructural algorithms ensure that we achieve this while maintaining high performance.

[Figure 2: Percent improvement vs. native Linux. Bars for TCP performance, QoS performance, and IP forwarding on an axis running from 0% to 1200%.]

CONCLUSION

The needs of your clients are evolving. This means you need to evolve with them by offering sophisticated tools to help them keep their networks secure while maintaining optimal performance. Wind River Intelligent Network Platform gives you a comprehensive, high-performance DPI and packet acceleration solution that is ready to deploy today. Leveraging Intelligent Network Platform allows you to focus on your unique value, which means you can meet your clients' needs by getting a higher quality product to market faster.

To learn more about Wind River Intelligent Network Platform, please visit www.windriver.com/products/platforms/intelligentnetwork/ or call 800-545-WIND (800-545-9463).

Wind River is a world leader in embedded software for intelligent connected systems. The company has been pioneering computing inside embedded devices since 1981, and its technology is found in more than 1 billion products. To learn more, visit Wind River at www.windriver.com

2014 Wind River Systems, Inc. The Wind River logo is a trademark of Wind River Systems, Inc., and Wind River and VxWorks are registered trademarks of Wind River Systems, Inc. Rev. 05/2014