Next-Generation Firewalls (And Other Really Cool Security Products): Results from the Lab
Robert Smithers, CEO, Miercom

About Us
• Networking Team and Test Alliance
• Publish Media Testing Lab Affiliation
• Vendor Agnostic: No Undue Influence
• Belief in Editorial Integrity and Excellence
• Reports for the Community, License Free
• 30 Years Security Consulting and Testing
• Always Improving and Learning

Agenda
• Vendors and Products
• How We Did It
• Categories of Products Tested
• About the Technology
  – Secure Web Gateway
  – Next-Generation Firewall
  – Unified Threat Management
  – Sandbox
  – Spam Filtering
• High Risk, High Visibility Events
  – Advanced Persistent Threat Exploits
  – CryptoLocker
  – Outbound Botnet
  – Worms and Trojans
• Industry Average Comparisons
  – Layer 3 Firewall Throughput
  – Malicious Files Legacy
  – Malicious URLs: Blended Malicious Threats
  – Malicious Files Wild
  – Malicious URLs Wild: Malc0de
  – Layer 7 Firewall Throughput Max
  – Layer 7 Firewall Throughput Mixed
  – Application Control

"Participating" Vendors and Products
• All vendors/products have the opportunity to represent themselves before, during and after the review
• No pay to play: costs vendors nothing
• We do not claim affiliation or partnership with any vendor
• Participation does not imply a relationship between Miercom and the vendor
• Some are unwilling participants
• Some vendors don't like us

Vendors and Products
• Blue Coat ProxySG 300-5
• Check Point 4210 NGFW
• Check Point SWG-12600
• Check Point 4800
• Cisco ASA 5545-X
• Cisco ISA550W
• Cyberoam CR100iNG
• Dell SonicWALL NSA 2600
• Dell SonicWALL TZ 105 (Cloud)
• Dell SonicWALL TZ 105 (Appliance)
• FireEye MPS 1310
• Fortinet FortiGate 20-C
• Fortinet FortiGate 800-C
• Fortinet FortiGate 100-D
• Juniper SRX650 Services Gateway
• UTM 220
• WatchGuard XTM 525
• Websense Web Security Gateway

How We Did It

Test equipment included:
– Ixia XG12 and BreakingPoint FireStorm
– Spirent Studio Security
– Apposite Linktropy 7500 PRO
– WildPackets OmniPeek for Windows
– Windows 7 and Windows XP clients/endpoints
– Monitoring tools

Test Tools and Scripts

Categories of Products Tested

• Secure Web Gateway
• Next-Generation Firewall
• Unified Threat Management
• Sandbox (Threat Emulation)
• Spam Filtering

Secure Web Gateway (SWG)

• Edge security platform against Web-borne threats that can enter the enterprise network via Internet browsing; enforces the organization's policies for Internet usage and regulatory compliance

• Essential functionality: URL filtering, malicious code detection/filtering and application control

• Products with real-time, cloud-based content analysis tend to outperform those that only look up URLs and/or threat signatures in a static database, because a freshly registered malicious URL has no entry to match until the next database update

Secure Web Gateway (SWG)

• Class of product for organizations of all sizes: SMB and Enterprise
• Essential functionality: URL filtering, malicious code detection/filtering and application control
  – SMB: protects against basic threats, easy to implement/manage
  – Enterprise: protection extended to advanced and targeted threats, requires more skill and resources to implement/manage
• On-premises appliance is the most popular form; virtual, cloud (SWG as a Service) and on-premises/cloud hybrid versions are also available

Next-Generation Firewall (NGFW)

• Evolutionary type of network edge security device
• Combines the functionality of a basic firewall with enhancements:
  – Traffic inspection enables detection and blocking of malicious activity
  – Application awareness enables identification of attacks directed at the network as well as enforcement of the organization's Internet usage and regulatory compliance policies

Next-Generation Firewall (NGFW)

• Available for organizations of all sizes
• Can be deployed as an appliance, virtual appliance or software-based solution
• Inline "bump in the wire" deployment: every inspection function that is enabled adds latency and reduces throughput, so the device must be sized for the traffic it will carry with all intended features turned on
• The next-generation firewall has arguably sent the basic firewall the way of video cassette recorders and VHS tapes: into obsolescence

Unified Threat Management (UTM)

• Like the Next-Generation Firewall, an evolutionary class of network edge security platform
• The firewall and VPN of the basic firewall plus:
  – Intrusion Prevention System (also found in Next-Generation Firewalls)
  – URL filtering and antivirus (also found in Secure Web Gateways)
  – Anti-spam and mail antivirus (also found in Spam Filtering products)
• Primarily aimed at small and mid-sized businesses

Unified Threat Management (UTM)

• Available as appliance, virtual appliance, software and cloud-based
• The network administrator must find a balance between security and network performance
  – Each packet is examined by every security function that is enabled, adding latency and reducing throughput

Sandbox

• Security technique for protecting the enterprise network by running suspicious applications and visiting Websites in a controlled, isolated environment and observing what they do
• FireEye leads the market, with competitors including AhnLab, Blue Coat, Check Point, Damballa, McAfee, Palo Alto Networks and Sourcefire (acquired by Cisco in October 2013)
• A sandbox appliance or cloud-based service is one layer of a multi-layered security system, not a replacement for the others

Sandbox

• Botnets, zero-day attacks and corporate espionage are among the factors that fueled the advent of the sandbox; virtualization has made running one practical
• A small percentage of malware is written specifically to try to defeat the sandbox:
  – Checks its environment (virtualization artifacts, lack of user activity) to determine whether it is running in a sandbox, and stays benign if so
  – Seeks to be passed through by outlasting the sandbox's fixed analysis time budget: sleeping, or stalling by performing meaningless calculations, so that the malicious behavior only starts after the sample has been released

Spam Filtering
• Class of device that safeguards against unwanted inbound and outbound Email (spam)
  – Inbound: protects networked computers against dangerous forms of spam such as phishing attempts and Emails containing viruses
  – Outbound: prevents networked computers that have already been compromised and enlisted as zombies in a botnet from sending spam out of the network

Spam Filtering

• Spam is no small problem: an estimated 50-60% of enterprise Email
• Key functionality: protect against inbound, targeted phishing attacks
• Functionality growing in importance: the ability to re-evaluate URL link(s) in an Email at the time the end user clicks, since a link that was clean at delivery time may point to malicious content by the time it is clicked
• Available as appliance, software, managed service
• Based on the Gartner 2013 Magic Quadrant:
  – Product leaders are Cisco, Proofpoint, Symantec, Microsoft and McAfee
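The time-of-click re-evaluation described above works by rewriting every link in the message body so that it points at a gateway, and having the gateway make the allow/block decision when the click arrives rather than when the mail was delivered. The following is an added example written for this page, not code from any of the products in the deck. The gateway hostname, the HMAC secret, the blocklist and the sample message are all constructed for the example; the HMAC on the token is what stops a user or attacker from minting a gateway link for a URL the filter never saw.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from urllib.parse import quote, unquote, urlparse

# Hypothetical click-time gateway; hostname and secret are assumptions for this example.
GATEWAY = "https://urlcheck.example.invalid/click?t="
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(payload: bytes, secret: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def make_token(url: str, secret: bytes, recipient: str) -> str:
    """Wrap the original URL, recipient and delivery time in a signed, URL-safe token."""
    payload = json.dumps({"u": url, "r": recipient, "ts": int(time.time())}).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return body + "." + _sign(body.encode(), secret)


def parse_token(token: str, secret: bytes):
    """Return the token payload, or None if the signature does not verify."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body.encode(), secret)):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def rewrite_links(body_text: str, secret: bytes, recipient: str) -> str:
    """Delivery time: replace each http(s) link with a signed gateway link."""
    def repl(m):
        url, trail = m.group(0), ""
        while url and url[-1] in ".,;)":  # keep sentence punctuation out of the URL
            trail, url = url[-1] + trail, url[:-1]
        return GATEWAY + quote(make_token(url, secret, recipient), safe="") + trail
    return URL_RE.sub(repl, body_text)


def on_click(token: str, secret: bytes, blocked_domains) -> tuple:
    """Click time: verify the token, then judge the URL against the *current* blocklist.
    Returns (verdict, original_url); verdict is 'allow', 'block' or 'invalid'."""
    data = parse_token(unquote(token), secret)
    if data is None:
        return ("invalid", None)
    host = (urlparse(data["u"]).hostname or "").lower()
    blocked = any(host == d or host.endswith("." + d) for d in blocked_domains)
    return ("block" if blocked else "allow", data["u"])
```

The point of the split is visible in the two calls to `on_click`: the same token is allowed while the blocklist is empty and blocked once the domain is added later, which a delivery-time-only filter could never do.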

High Risk, High Visibility Events
• Specific High Risk Events
  – Advanced Persistent Threat
  – CryptoLocker
  – Outbound Botnet
  – Worm/Trojan

Advanced Persistent Threats

• Home Depot, Target, etc. (is ____mart next?)
• Initial access and presence appear benign
• Takes advantage of underlying weakness in network defenses, complacency, and the performance limits of DPI and behavioral analytics
• OPFOR has a patient strategy and awaits some long-term gain
• All were 100 percent avoidable, "BUT"
• Designed to steal customer PII and credit card information

CryptoLocker

• Ransomware trojan
• Encrypts specific types of files using public-key cryptography: the victim machine encrypts with an RSA public key, and the matching private key needed to decrypt never leaves the attacker's server, so the files cannot be recovered from the infected host alone
• A message displays an offer to decrypt the data if payment is made

Outbound Botnet

• A botnet is a network of compromised computers under the control of a third party
• Bots remain inactive until they receive orders from their command and control hosts, which means a compromised host keeps reaching out to those hosts on a schedule
• Designed to steal the most valuable information on a network
• Outbound botnet defense watches traffic leaving the network for command and control contact and data exfiltration, and blocks corporate data from leaving
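Because a bot has to keep polling its command and control host, the outbound side of the firewall sees a connection pattern that human browsing does not produce: the same source talking to the same destination at nearly constant intervals. The following detector is an added example written for this page, not code from any product tested here. The log line format, the thresholds and the sample log are constructed; the sample contains one host beaconing roughly every 60 seconds, one host browsing normally, and one flow with too few connections to judge.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format for the example: one outbound connection per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample: 10.0.0.5 beacons to 203.0.113.9 about once a minute; 10.0.0.7 browses.
SAMPLE_LOG = [
    "2014-03-01T10:00:00 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes=612",
    "2014-03-01T10:00:00 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=48210",
    "2014-03-01T10:00:03 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=9120",
    "2014-03-01T10:00:04 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=31000",
    "2014-03-01T10:01:01 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes=598",
    "2014-03-01T10:01:59 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes=620",
    "2014-03-01T10:02:30 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=7700",
    "2014-03-01T10:02:31 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=120",
    "2014-03-01T10:03:00 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes=601",
    "2014-03-01T10:03:10 src=10.0.0.5 dst=198.51.100.7 dport=80 bytes=2048",
    "2014-03-01T10:04:02 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes=615",
    "2014-03-01T10:04:58 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes=607",
    "2014-03-01T10:06:00 src=10.0.0.5 dst=203.0.113.9 dport=443 bytes=611",
    "2014-03-01T10:09:00 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=15500",
    "2014-03-01T10:09:10 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=400",
    "this line is malformed and is skipped",
]


def parse_log(lines):
    """Group connection timestamps by (src, dst, dport); unparseable lines are skipped."""
    flows = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        flows[(m["src"], m["dst"], int(m["dport"]))].append((ts, int(m["bytes"])))
    return flows


def find_beacons(lines, min_connections=6, max_jitter=0.15):
    """Return flows whose inter-connection intervals are nearly constant.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps;
    timer-driven C2 polling sits well below it, bursty human traffic well above.
    min_connections keeps one-off or short-lived flows from being judged at all."""
    hits = []
    for (src, dst, dport), events in parse_log(lines).items():
        if len(events) < min_connections:
            continue
        times = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(events),
                         "period_s": round(mean, 1), "jitter": round(cv, 3)})
    return sorted(hits, key=lambda h: h["jitter"])
```

A real deployment would feed this from the firewall's connection log over a window of hours rather than minutes, and would whitelist known pollers (NTP, update services, monitoring agents) that also produce low-jitter timing; the scoring logic itself does not change.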

Worms
• Computer worms are a type of malware that replicates functional copies of itself, damaging data or software in the process
• No host program or human help is needed for them to propagate
• A worm enters a computer through a system vulnerability and uses a file- or information-transport feature of the system to travel on to the next host independently

Trojans

• A Trojan is another type of malware that appears to be legitimate software
• Users are tricked into loading and executing it
• Trojans can carry out a variety of attacks on the host, from distractions (pop-up windows) to major damage (deleting files, activating and spreading other malware)
• Can also create back doors that give malicious users access to the system

Industry Average Comparisons
• Layer 3 Firewall Throughput
• Layer 7 Firewall Throughput Mixed
• Layer 7 Firewall Throughput Max
• NGFW Throughput, Security Features Enabled
• Malicious URLs: Blended Malicious Threats
• Malicious Files Wild
• Malicious Files Wild: Malc0de
• Application Control
• ATP Threat Emulation Catch Rate

Industry Average Comparison: Layer 3 Firewall Throughput
[Chart: Layer 3 firewall throughput (Mbps) per product against an industry average of 2,057.3 Mbps. Products compared: SonicWALL NSA 2600, FortiGate 100-D, UTM 220, XTM 525, ISA550W, CR100iNG.]

Industry Average Comparison: Layer 7 Firewall Throughput Mixed
[Chart: Layer 7 firewall throughput with mixed traffic (Mbps) per product against an industry average of 1,742.0 Mbps. Products compared: SonicWALL NSA 2600, FortiGate 100-D, UTM 220, XTM 525, CR100iNG.]

Industry Average Comparison: Layer 7 Firewall Throughput Max
[Chart: Maximum Layer 7 firewall throughput (Mbps) per product against an industry average of 1,966.3 Mbps. Products compared: SonicWALL NSA 2600, FortiGate 100-D, UTM 220, XTM 525, CR100iNG.]

Industry Average Comparison: NGFW Throughput, Security Features Enabled
[Chart: Throughput (Gbps) of the McAfee NGFW 5206 versus the industry average with DPI, DPI+AV, and DPI+AV+AppCtrl enabled; throughput falls as each feature is added.]

Industry Average Comparison: Malicious URLs, Blended Malicious Threats
[Chart: Percentage of malicious URLs blocked per product against the industry average. Products compared: Check Point 4210 NGFW, FireEye MPS 1310, FortiGate 800-C, SRX650 Services Gateway, Websense Web Security Gateway.]

Industry Average Comparison: Malicious Files Wild
[Chart: Percentage of in-the-wild malicious files blocked per product against the industry average.]

Industry Average Comparison: Malicious URLs Wild, Malc0de
[Chart: Percentage of Malc0de-sourced malicious URLs blocked per product against the industry average. Products compared: Check Point 4210 NGFW, FireEye MPS 1310, FortiGate 800-C, SRX650 Services Gateway, Websense Web Security Gateway.]

Industry Average Comparison: Application Control / URL Filtering
[Chart: Percentage of protocol/application combinations blocked per product against the industry average. Products compared: ProxySG 300-5, SWG-12600, Websense Web Security Gateway.]

Industry Average Comparison: ATP Threat Emulation Catch Rate
[Chart: Percent detected by threat category: Legacy, BotNet, APT, Malicious Documents, RATs, Zero Day.]