Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Â
A NEW SET OF NETWORK SECURITY CHALLENGES
1. TECH DOSSIER | NEXT GENERATION FIREWALLS
A NEW SET
OF NETWORK
SECURITY
CHALLENGES
A new IDG survey reveals
optimism about the ability of nextgeneration firewalls to help IT
balance productivity and security
ALSO INSIDE
+WHY PROTECTION & PERFORMANCE MATTER +
>
2. >
A NEW SET OF NETWORK SECURITY CHALLENGES
2
With two issues becoming increasingly crucial, IT faces conflicting mandates from
EMPLOYEES AT WORK, AND PLAY
the business. On one hand, employees demand access from devices beyond the
>
IT is stuck in an untenable position between the
firewallâsmartphones, tablets, home PCs and laptops. On the other hand, risk man-
company and its employees. Companies love to have
employees stretch their hours by signing into corporate
agement dictates corporate data must remain protected. The overarching challenge:
systems from home; employees are used to the idea of
balance productivity and security.
time-shifting. The survey results show the upshot.
Within that mandate, however, lie several other challenges, according to a new survey
conducted by IDG Research Services on behalf of Dell. The survey was conducted in
October of 2012 and reflects the insight of more than 250 IT professionals at companies with more than 500 employees. It reveals the depth with which network administrators must juggle these competing factors. The issues facing IT go beyond security
to encompass network bandwidth as well.
For instance, 52 percent of IT professionals report that
employees tend to âfrequentlyâ or âvery frequentlyâ
perform tasks unrelated to their work on the Internet
or in other applications. Almost 40 percent report that
the creation and management of customized access or
use policies is difficult, and one-third believe that users
working on personal devices are exposed to increased
security threats. The latter problem stems from the
frequent inability of IT to monitor what happens on a
Just as technology has caused these problems, technology may also be the solution.
userâs home device.
A new generation of firewall technology, designed with current security and network-
In many cases, IT can install an agent on specific home
ing issues in mind, promises to give IT a way to solve its multisided puzzle.
machines to ensure adequate security software is
3. A NEW SET OF NETWORK SECURITY CHALLENGES
installed, as well as VPN software that allows users
they visiting LinkedIn to catch up on old friends, or to
mitted securely but still be malware.
>
tional videos that relate to improving their skills? Are
through a VPN doesnât mean itâs safe. It can be trans-
3
YouTube to watch cat videos, or to download educa-
to connect securely. But just because traffic comes
>
identify the next crucial addition to their team? Are they
visiting Facebook to play games or to discover whatâs
Survey respondents arenât antediluvian about how they
being said on social media about the companyâs prod-
allow users to access corporate data. More than half of
ucts? As a result, many respondents report they are not
those who indicate the amount of work employees do on
regulating the use of Web sites that may or may not be
personally owned devices is on the rise also believe this
work-related and focusing their resources elsewhere.
is a positive trend. The company benefits from 24-hour
Given that most firewalls only offer a binary on/off
employee access to email, but there still must be some
method of allowing Web site access, this seems logical.
security policies in placeâsuch as the ability to erase
corporate data from a personal device if itâs lost or stolen.
4000% data growth at the edge? Learn how SonicWALL
saved U.S. Cellular operational costs while expanding services.
There may, of course, be unseen security implications.
Many Facebook users have been exposed to malware;
these same security issues, 30 percent deemed them
Security of personal devices is not the only issue. Given
itâs not that Facebook itself is to blame, but its adver-
âsomewhatâ or âextremelyâ ineffective. For instance,
that employees frequently must log on from remote
tising may have been compromised. In the light of ITâs
even if an enterprise deployed Gigabit Ethernet, earlier
locations, two-thirds of IT professionals view as âhighly
inability to control access, and occasional orders to favor
generation firewalls could only deal with much slower
importantâ their ability to provide adequate bandwidth
productivity over security, IT may feel it has no choice.
speedsâperhaps as low as 50 megabits per second.
to ensure employees stay productive, no matter where
This slows down all the traffic on the network.
they are. Respondents also tend to view their organizaSimilarly, a traditional firewall doesnât have the ability
and as enablingârather than stiflingâfor productivity.
A NEW TOOL IN THE ARSENAL:
NEXT-GENERATION FIREWALLS
More often than not, respondents tend to believe their
The fact is, though, that IT does have a choice. Firewall
application from accessing the firewall, but the appli-
organizationâs security technologies and policies are
technology has advanced sufficiently that the issues
cation developers could just as easily route it to port
a tactical necessity or a strategic enabler. More than
IT faces can now be addressed by next-generation
80, which handles basic Web traffic, or port 84, which
80 percent think such policies positively contribute to
firewalls (NGFs). These devices are designed to filter
handles Web browsing. NGFs allow IT to filter not just by
productivity. And itâs not just employees getting more
network and Internet traffic based upon the applications
IP address, or by port or protocol, but also by looking at
work doneâitâs also their ability to avoid system down-
or traffic types using specific ports. They help IT detect
layer 7 dataâactual application information.
time after they unintentionally access malware, whether
application-specific attacks, giving network and security
on an unauthorized Web site or through email.
administrators the potential to catch more malicious
Consider this analogy to explain the difference between
activity than traditional firewalls.
traditional and next-generation firewalls. A traditional
tionâs security technologies and policies as necessary
The question of what constitutes an âunauthorizedâ
to filter specific parts of applications. IT could block an
firewall is like an airport baggage handler, who makes
Web site adds to ITâs conundrum regarding security,
IT understands the limitations of traditional firewalls.
sure that a piece of luggage (representing data) gets on
bandwidth and productivity. Are employees accessing
When asked about their effectiveness in addressing
the correct plane to the correct destination. A next-
4. >
A NEW SET OF NETWORK SECURITY CHALLENGES
4
>
concentrators no longer require a VPN agent on a client
research firm Gartner confirms this: it estimates that
device, but can instead accommodate VPN through
less than 5 percent of Internet connections are secured
a browser. This allows for broader support of mobile
by NGFs, but by 2014, the rate will jump to 40 percent.
clients that use browsers, whether on smartphones,
tablets or laptops, from any manufacturer.
Even though survey respondents associate certain
challenges with the deployment of next-generation
firewallsâspecifically cost, increased complexity and
INCREASED AWARENESS,
INCREASED DEPLOYMENT
lack of staff resourcesâissues that face any new
Based on the survey results, IT administrators are
because they incorporate featuresâsuch as VPN and
increasingly aware of next-generation firewalls; only 25
intrusion protectionâcurrently handled by multiple
percent of respondents were unaware of their capa-
devices or not at all. They also feature more robust
bilities. When discussing the technologyâs features,
reporting capabilities than traditional firewalls. Itâs easy
generation firewall is like the airport security agent who
respondents cite NGFsâ most important capabilities
for administrators to see which users are accessing
opens the luggage, inspects its contents and makes a
as intrusion prevention, antimalware/URL filtering and
which applications, rather than sifting through logs.
decision about whether it allows the contents to travel.
basic firewall features. More than half of respondents
The decision is even more granular, based on the ability
indicate their organizations have either deployed, or
The majority of those familiar with next-generation
of NGFs to filter content within Web sites and between
plan to deploy an NGF in the next few years. Data from
firewall capabilities consider the technology effective
Learn how the industry leader in sales and lease-ownership
market leveraged Dell SonicWALL to assure secure growth.
technology. In fact, NGFs reduce cost and complexity
destinations; it may allow HR employees and managers
addressing a variety of security issues. Faced with
to visit LinkedIn, marketing to visit Facebook and techni-
multiple security scenarios, a majority of respondents
cians to visit YouTube, but not everyone.
cited NGFs as more effective than traditional firewall
technology. Given respondents also believe remote work
By instituting highly granular rules for applications, IT
now has the ability to either prioritize or throttle traffic
based on business need. It can also allow some functions within applications but not others; for instance,
allowing an IM application like Yahoo Messenger, but
not allowing attachments to messages. The result:
employees that need certain applications still have
access to them, but others are not unnecessarily
degrading bandwidth and putting data at risk.
NGFs also address the BYOD issue, through a capability
known as SSL VPN concentrators. Simply put, these
A NEXT-GENERATION
FIREWALL IS LIKE THE
AIRPORT SECURITY
AGENT WHO OPENS THE
LUGGAGE, INSPECTS ITS
CONTENTS AND MAKES
A DECISION ABOUT
WHETHER IT ALLOWS THE
CONTENTS TO TRAVEL.
arrangements will only increase in the future, the importance of having the capabilities of NGFs only increases.
The key to the value of NGFs is that they have the ability
to increase productivity all around. Itâs not just the
productivity of employees using mobile devices. Itâs also
the ability of the network to handle more mission-critical
activities without bandwidth constraint. And finally,
NGFs aid the productivity of IT administrators, who can
take advantage of an integrated device that outperforms
traditional firewalls in mitigating risks associated with
trends on the upswing. n
5. >
A NEW SET OF NETWORK SECURITY CHALLENGES
ADDITIONAL READING: WHY
5
>
PROTECTION & PERFORMANCE MATTER
By Daniel Ayoub, CISSP, CISA
Next-Generation Firewalls combine multi-core architecture with
real-time Deep Packet Inspection to fulfill the protection and
performance demands of todayâs enterprise network
Abstract
Protection and performance go hand-in-hand for NextGeneration Firewalls (NGFWs). Organizations should not have
to sacrifice throughput and productivity for security. Outdated
firewalls pose a serious security risk to organizations since
they fail to inspect data payload of network packets. Many
vendors tout Stateful Packet Inspection (SPI) speeds only, but
the real measure of security and performance is deep packet
inspection throughput and effectiveness. To address this
deficiency, many firewall vendors adopted the malware inspection approach used by traditional desktop anti-virus: buffer
downloaded files, then inspect for malware. This method not
only introduces significant latency and but also poses significant security risks since temporary memory storage can limit
the maximum file size. Independent NSS Lab tests demonstrate
that the Dell⢠SonicWALL⢠SuperMassive⢠E10800 NextGeneration Firewall incorporating multi-core architecture and
Reassembly-Free Deep Packet InspectionÂŽ (RFDPI) overcome
these limitations to provide enterprises with both extremely
high-levels of protection and performance that they require.
Defining Next-Generation Firewall
In basic terms, a Next-Generation Firewall (NGFW) leverages
deep packet inspection (DPI) firewall technology by integrating
intrusion prevention systems (IPS), and application intelligence
and control.
Industry definitions
Gartner defines an NGFW as âa wire-speed integrated network
platform that performs deep inspection of traffic and blocking
of attacks.â1 At minimum, Gartner states that an NGFW should
provide:
⢠Non-disruptive in-line bump-in-the-wire configuration
⢠Standard first-generation firewall capabilities, e.g., network-
address translation (NAT), stateful protocol inspection (SPI),
virtual private networking (VPN), etc.
⢠Integrated signature based IPS engine
⢠Application awareness, full stack visibility and granular
control
⢠Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc.
⢠Upgrade path to include future information feeds and
security threats
⢠SSL decryption to enable identifying undesirable encrypted
applications
The evolution of Next-Generation Firewalls
Earlier-generation firewalls
First generation firewalls of the 1980s provided packet filtering
based upon criteria such as port, protocol and MAC/IP address,
and operated at layer 2 and 3 of the OSI model. Second generation firewalls of the 1990s incorporated stateful packet inspection (SPI), which verified that the state of inbound and outbound
traffic based upon state tables, and operated at layers 2, 3 and
4 of the OSI model. Third-generation firewalls of the past decade
have more processing power and broader capabilities, including
deep packet inspection (DPI) of the entire packet payload,
intrusion prevention, malware detection, gateway anti-virus,
traffic analytics, application control, IPSec and SSL VPN. Unified
Threat Management (UTM) represented the next trend in the
evolution of the traditional firewall into a product that not only
guards against intrusion, but also performs content filtering, data
leakage protection, intrusion detection and anti-malware duties
typically handled by multiple systems.
Next-Generation Firewalls
Web 2.0 applications (e.g., Salesforce.com, SharePoint, and
Farmville) now run all over TCP port 80 as well as encrypted
SSL (TCP port 443). Todayâs NGFWs inspect the payload of
packets and match signatures for nefarious activities such as
known vulnerabilities, exploit attacks, viruses and malware all
on the fly. DPI also means that administrators can create very
granular permit and deny rules for controlling specific applica-
tions and web sites (example: Yahoo instant messenger-chat
is allowed but not file transfers). Since the contents of packets
are inspected, exporting all sorts of statistical information is
also possible, meaning administrators can now easily mine the
traffic analytics to perform capacity planning, troubleshoot
problems or monitor what individual employees are doing
throughout the day. Todayâs firewalls operate at layers, 2, 3, 4,
5, 6 and 7 of the OSI model.
NGFW feature requirements
The following are feature requirements for Next-Generation
Firewalls:
Legacy features
An NGFW includes all standard capabilities found in a firstgeneration firewall; i.e., packet filtering, stateful packet
inspection (SPI), network address translation (NAT), and high
availability (HA).
Integrated IPS
Effective intrusion prevention systems require advanced
capabilities to combat evasion techniques and enable scanning
and inspection of inbound and outbound communications to
identify malicious or suspicious communications and protocols.
For effective threat protection as well as intrusion prevention,
organizations need best-in-class firewall and intrusion prevention, without the complexity of managing separate appliances,
GUIâs, and deployments. NGFWs with IPS capabilities deliver
enterprise class resistance to evasion, powerful context and
content protection capabilities as well as comprehensive threat
protection and application control in a single integrated device.
Application intelligence and control
Application awareness and control includes protocollevel
enforcement, full-stack visibility with granular application
control, and the ability to identify applications regardless of
port, or protocol being utilized.
1
âDefining the Next-Generation Firewall,â Gartner RAS Core Research
Note G00171540, John Pescatore, Greg Young, 12 October 2009, R3210
04102010
6. >
A NEW SET OF NETWORK SECURITY CHALLENGES
ADDITIONAL READING: WHY
6
PROTECTION & PERFORMANCE MATTER continued
Extra-firewall input
User-ID awareness enables administrators to enforce application policies based on AD user/group (without having to trace
IP address to user ID), adding insight into usage and traffic.
wall vendors incorporated traditional malware protection and
methods that were used on file servers and PCs. The technique
was a band-aid fix to add malware protection on an SPI firewall,
as it had two significant flaws: latency and complexity.
Adaptability
Another important capability of NGFWs is the dynamic adaptation to changing threats. Dell SonicWALL constantly updates
their devices with new signatures to stop threats and stay on
top of the evolving malware landscape.
The first flaw was the introduction of latency while the file is
buffered with file size limitations. Firewall vendors have worked
around this issue by sending keep-alive packets to prevent this,
yet the overall effect is the introduction of latency. The use of
memory to buffer files for inspection causes not only additional
latency but also a space issue which is addressed by limiting the
overall file size to a preset amount (generally 100MB). The use of
the Internet is growing and sharing of larger files is increasing;
hybrid SPI/malware detection technology does not scale.
Payload scanning and performance
All of the above requirements demand full payload scanning at
optimal throughput rates in order to avoid having to sacrifice
security for performance.
Performance
In order to achieve the highest return on investment (ROI) for
bandwidth services and optimize an organizationâs productivity
level, while still ensuring maximum security, IT needs to make
sure that traffic is thoroughly scanned with minimal latency
for optimal throughput. To meet these requirements, multigigabit throughput rates have become standard for NGFWs.
Dell SonicWALL NGFW solutions can improve performance
significantly by applying patented Dell SonicWALL RFDPI2 technology to enable DPI without buffering and packet reassembly.
From a hardware perspective, Dell SonicWALL NGFWs can also
maximize throughput by incorporating parallel processing over
advanced multi-core architecture.
Why you need a Next-Generation Firewall
The SPI generation of firewalls addressed security in a world
where malware was not a major issue and web pages were
just documents to be read. Ports, IP addresses, and protocols were the key factors to be managed. But as the Internet
evolved, the ability to deliver dynamic content from the server
and client browsers introduced a wealth of applications we
now call Web 2.0.
SPI does not inspect the data portion of the packet and hackers
effectively exploit this fact. To address the new threats, SPI fire-
The second flaw was that traditional point solutions were
difficult to deploy, manage and update, increasing operating
complexity and overhead costs. Sophisticated malicious
attacks penetrate traditional stateful packet inspection products. These solutions simply do not provide sufficient, timely
and unified protection against increasingly complex threats.
To overcome these flaws, Dell SonicWALL offers the most
effective, highest-performance NGFW solutions available today.
Recently, NSS Labs conducted independent testing of the Dell
SonicWALLâs Next-Generation Firewall at their labs facility in
Austin, Texas.
Dell SonicWALLâs SuperMassive E10800 running SonicOS 6.0 is the
highest overall protection Next-Generation Firewall to earn the
NSS Labs âRecommendâ rating. This proven SonicOS architecture
is at the core of every Dell SonicWALL firewall. The results of
those tests are explored further at the end of this paper.
What the enterprise requires
Organizations are suffering from application chaos. Network
communications no longer rely simply on store-and-forward
applications like email, but have expanded to include real-time
collaboration tools, Web 2.0 applications, instant messenger (IM)
and peer-topeer applications, Voice over IP (VoIP), streaming
media and teleconferencing, each presenting conduits for potential attack. Many organizations cannot differentiate applications
in use on their networks or legitimate business purposes from
those that are potentially wasteful or dangerous.
Today, organizations need to deliver critical business solutions,
while also contending with employee use of wasteful and often
dangerous web-based applications. Critical applications need
bandwidth prioritization while social media and gaming applications need to be throttled or completely blocked. Moreover,
organizations can face fines, penalties and loss of business if they
are in noncompliance with security mandates and regulations.
Protection and performance
In todayâs enterprise organizations, protection and performance go hand-in-hand. Organizations can no longer tolerate
the reduced security provided by legacy SPI firewalls, nor can
they tolerate the network bottlenecks associated with the
some NGFWs. Any delays in firewall or network performance
can degrade quality in latency-sensitive and collaborative applications, which in turn can negatively affect service levels and
productivity. To make matters worse, some IT organizations
even disable functionality in their network security solutions to
avoid slowdowns in network performance.
Scanning and controlling all content
Organizations large and small, in both the public and private
sector, face new threats from vulnerabilities in commonly-used
applications. Malware lurks in social networks. Meanwhile,
workers use business and home office computers for online
blogging, socializing, messaging, videos, music, games, shopping and email.
Application intelligence and control
Applications such as streaming video, peer-to-peer (P2P), and
hosted or cloud-based applications expose organizations to
potential infiltration, data leakage and downtime. In addition to
introducing security threats, these applications drain bandwidth
and productivity, and compete with mission-critical applications
for precious bandwidth. Importantly, enterprises need tools
to guarantee bandwidth for critical business relevant applications and need application intelligence and control to protect
both inbound and outbound flows of traffic, while ensuring the
velocity and security to provide a productive work environment.
Read the full article