SlideShare a Scribd company logo
Next Generation Firewalls:
Ready or Not
David Strom
AITP St. Louis March 2014
david@strom.com
1
Who am I?
• Long time tech journalist, product reviewer
and speaker
• IT manager from the dawn of the PC era
• Former editor-in-chief at Network Computing,
Tom’s Hardware.com
• Author of two books on
computer networking
• Based here
2
Agenda
•
•
•
•

Next Gen distinguishing characteristics
Issues with next gen deployment
UTM pro and con
Advanced persistent threat tools

3
The older firewall generation

4
Cisco ASA: what it used to be like

5
Next Gen distinguishing characteristics
•
•
•
•

Applications granularity and awareness
Integrated IPS
IP Reputation management
Geolocation

6
7
Cisco ASA applications granularity

8
New Cisco ASA Dashboard

9
And another Cisco view

10
Palo Alto Networks “Applipedia”

11
12
Reputation management

13
14
McAfee Enterprise Firewall geolocation feature

15
Deployment issues
• Next gen does things differently from old
school:
– NAT
– QoS
– Outbound vs. inbound rule focus

16
17
Understanding app ID implications for
users

18
One obstacle to switching to next-gen

19
Network documentation isn’t current

20
Handling VMs still an issue

21
Lots of VM security products…

22
Catbird’s compliance radar graph

23
24
Infrastructure misuse

25
What about UTMs?
• Pro:
– A lot of protection for the $ nowadays
(Juniper/Check Point)
– One box does it all

• Con:
– Complex licensing issues
– Can get expensive if you have high bandwidth
needs
– Latency can kill you if you turn on Anti-Virus
26
Juniper SRX dashboard

27
SonicWall

28
29
Watchguard UTM

30
APT tools
• Try to catch the bad guys before they actually
deploy their payloads, such as from Norse
Corp. (local boys) and Cyphort

31
32
For more info
•
•
•
•
•

david@strom.com
Twitter: @dstrom
http://strominator.com
TechTarget article: http://bit.ly/1dISmx4
Network World review ofUTMs:
http://bit.ly/1fJtmHE

33

More Related Content

What's hot

New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016
Cyd Isaak Francisco
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
NCC Group
 
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldJakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Codiax
 
Man in the Binder
Man in the BinderMan in the Binder
Man in the Binder
nitayart
 

What's hot (20)

What is micro segmentation?
What is micro segmentation?What is micro segmentation?
What is micro segmentation?
 
New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Introduction to Trusted Virtual Client
Introduction to Trusted Virtual ClientIntroduction to Trusted Virtual Client
Introduction to Trusted Virtual Client
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
The Rise of Microservices
The Rise of MicroservicesThe Rise of Microservices
The Rise of Microservices
 
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
 
Sangfor ngfw 修订版
Sangfor ngfw 修订版Sangfor ngfw 修订版
Sangfor ngfw 修订版
 
Inherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsInherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV Deployments
 
Blackhat USA Mobile Security Panel 2011
Blackhat USA Mobile Security Panel 2011Blackhat USA Mobile Security Panel 2011
Blackhat USA Mobile Security Panel 2011
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges
 
The Threat Landscape & Network Security Measures
The Threat Landscape & Network Security MeasuresThe Threat Landscape & Network Security Measures
The Threat Landscape & Network Security Measures
 
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldJakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
 
CipherGraph Cloud VPN
CipherGraph Cloud VPNCipherGraph Cloud VPN
CipherGraph Cloud VPN
 
Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014
Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014 Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014
Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014
 
Next Generation Firewalls
Next Generation FirewallsNext Generation Firewalls
Next Generation Firewalls
 
W8 client management
W8 client managementW8 client management
W8 client management
 
Intune 2012
Intune 2012Intune 2012
Intune 2012
 
Enterprise firewalls feature and benefits
Enterprise firewalls feature and benefitsEnterprise firewalls feature and benefits
Enterprise firewalls feature and benefits
 
Man in the Binder
Man in the BinderMan in the Binder
Man in the Binder
 

Viewers also liked

Viewers also liked (10)

How to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingHow to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computing
 
Keeping the customer in mind: a lesson for Telco's
Keeping the customer in mind: a lesson for Telco'sKeeping the customer in mind: a lesson for Telco's
Keeping the customer in mind: a lesson for Telco's
 
WIndows 7 Migration tools for Nashville AITP
WIndows 7 Migration tools for Nashville AITPWIndows 7 Migration tools for Nashville AITP
WIndows 7 Migration tools for Nashville AITP
 
Using OpenStack to Control VM Chaos
Using OpenStack to Control VM ChaosUsing OpenStack to Control VM Chaos
Using OpenStack to Control VM Chaos
 
Big data analytics
Big data analyticsBig data analytics
Big data analytics
 
Notable Twitter fails
Notable Twitter failsNotable Twitter fails
Notable Twitter fails
 
Social Media Research at Comms Service Providers
Social Media Research at Comms Service ProvidersSocial Media Research at Comms Service Providers
Social Media Research at Comms Service Providers
 
Dell social media
Dell social mediaDell social media
Dell social media
 
Picking the right Single Sign On Tool to protect your network
Picking the right Single Sign On Tool to protect your networkPicking the right Single Sign On Tool to protect your network
Picking the right Single Sign On Tool to protect your network
 
Listen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better SupportListen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better Support
 

Similar to Advanced Firewalls Progress Report

Minal Wankhede
Minal WankhedeMinal Wankhede
Minal Wankhede
mpatke
 

Similar to Advanced Firewalls Progress Report (20)

How Cloud Computing will change how you and your team will run IT
How Cloud Computing will change how you and your team will run ITHow Cloud Computing will change how you and your team will run IT
How Cloud Computing will change how you and your team will run IT
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These Years
 
Interop 2006: Evolution of the Networking Industry
Interop 2006: Evolution of the Networking IndustryInterop 2006: Evolution of the Networking Industry
Interop 2006: Evolution of the Networking Industry
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
 
Minal Wankhede
Minal WankhedeMinal Wankhede
Minal Wankhede
 
infraxstructure: Emil Gągała "Ludzie, procesy, technika – czy wirtualizacja ...
infraxstructure: Emil Gągała  "Ludzie, procesy, technika – czy wirtualizacja ...infraxstructure: Emil Gągała  "Ludzie, procesy, technika – czy wirtualizacja ...
infraxstructure: Emil Gągała "Ludzie, procesy, technika – czy wirtualizacja ...
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
Design Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise SolutionsDesign Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise Solutions
 
Design Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise SolutionsDesign Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise Solutions
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
RESUME_JAIDEEP_MOHITE
RESUME_JAIDEEP_MOHITERESUME_JAIDEEP_MOHITE
RESUME_JAIDEEP_MOHITE
 
Sambit kumar nayak resume
Sambit kumar nayak resumeSambit kumar nayak resume
Sambit kumar nayak resume
 
Anil Info
Anil InfoAnil Info
Anil Info
 
Industry breakout focus on education open_dns_andy logan
Industry breakout focus on education open_dns_andy loganIndustry breakout focus on education open_dns_andy logan
Industry breakout focus on education open_dns_andy logan
 
Challenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y ChanChallenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y Chan
 
Ankit Vakil (1)
Ankit Vakil (1)Ankit Vakil (1)
Ankit Vakil (1)
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
 
kapil mehandiratta_CV
kapil mehandiratta_CVkapil mehandiratta_CV
kapil mehandiratta_CV
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel Talk
 
BOSNOG NAC stack 2018
BOSNOG NAC stack 2018BOSNOG NAC stack 2018
BOSNOG NAC stack 2018
 

More from David Strom Inc.

BounceBack Workshop Day 1 Slides
BounceBack Workshop Day 1 SlidesBounceBack Workshop Day 1 Slides
BounceBack Workshop Day 1 Slides
David Strom Inc.
 
How To Find Your Next Job - Day 1
How To Find Your Next Job - Day 1How To Find Your Next Job - Day 1
How To Find Your Next Job - Day 1
David Strom Inc.
 

More from David Strom Inc. (20)

Spark Twitter fails Nov2022
Spark Twitter fails Nov2022Spark Twitter fails Nov2022
Spark Twitter fails Nov2022
 
Notable social media fails and lessons learned
Notable social media fails and lessons learnedNotable social media fails and lessons learned
Notable social media fails and lessons learned
 
Using NetGalley to promote your book launch
Using NetGalley to promote your book launchUsing NetGalley to promote your book launch
Using NetGalley to promote your book launch
 
using netgalley to promote your book launch
 using netgalley to promote your book launch using netgalley to promote your book launch
using netgalley to promote your book launch
 
Big data analytics
Big data analyticsBig data analytics
Big data analytics
 
Cloud Integration Tools
Cloud Integration ToolsCloud Integration Tools
Cloud Integration Tools
 
Perspectives of Professionals Changing Careers
Perspectives of Professionals Changing CareersPerspectives of Professionals Changing Careers
Perspectives of Professionals Changing Careers
 
How to Find Your Next Job Workshop - Day 2
How to Find Your Next Job Workshop - Day 2How to Find Your Next Job Workshop - Day 2
How to Find Your Next Job Workshop - Day 2
 
How to Find Your Next Job Workshop - Day 1
How to Find Your Next Job Workshop - Day 1How to Find Your Next Job Workshop - Day 1
How to Find Your Next Job Workshop - Day 1
 
UMSL College of Business 2010 Skills Gap
UMSL College of Business 2010 Skills GapUMSL College of Business 2010 Skills Gap
UMSL College of Business 2010 Skills Gap
 
How To Find Your Next Job - Day 2 slides
How To Find Your Next Job - Day 2 slidesHow To Find Your Next Job - Day 2 slides
How To Find Your Next Job - Day 2 slides
 
How To Find Your Next Job Day 1 Slides
How To Find Your Next Job Day 1 SlidesHow To Find Your Next Job Day 1 Slides
How To Find Your Next Job Day 1 Slides
 
BounceBack Workshop Day 1 Slides
BounceBack Workshop Day 1 SlidesBounceBack Workshop Day 1 Slides
BounceBack Workshop Day 1 Slides
 
How To Find Your Next Job - Day 1
How To Find Your Next Job - Day 1How To Find Your Next Job - Day 1
How To Find Your Next Job - Day 1
 
How to create your electronic resume using LinkedIn
How to create your electronic resume using LinkedInHow to create your electronic resume using LinkedIn
How to create your electronic resume using LinkedIn
 
How to create a wining paper-based resume
How to create a wining paper-based resumeHow to create a wining paper-based resume
How to create a wining paper-based resume
 
Networking tips and techniques
Networking tips and techniquesNetworking tips and techniques
Networking tips and techniques
 
How to doing interviews
How to doing interviewsHow to doing interviews
How to doing interviews
 
How to use email newsletters
How to use email newsletters How to use email newsletters
How to use email newsletters
 
How to create a blog and use a Web site for your personal brand
How to create a blog and use a Web site for your personal brandHow to create a blog and use a Web site for your personal brand
How to create a blog and use a Web site for your personal brand
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 

Advanced Firewalls Progress Report

Editor's Notes

  1. Add Norse Corp Cyphort,
  2. Firewalls have been labeled "next generation" for as long as the Star Trek TV series have been so designated. And while many of us have a preference for the classic firewall, we should at least consider what the next generation brings to the party. One issue is that labels don't describe the whole range of issues involved in migrating and supporting next gen firewalls. We will talk about some of them here.
  3. Cisco’s Adaptive Security Appliance, what they call their firewall, used to have a tired user interface shown here. It was a Windows application (not Web), and based on the traditional ports and protocols approach.
  4. So let’s look at some of the more important characteristics of next gen firewalls, we will touch on these topics in more depth.
  5. First is applications granularity. Here is what the Cisco Prime, which is their next generation interface, looks like now. You can see all the various Facebook applications controls here and they can get very nitty-gritty into how you allow or block games or sports or other aspects of the popular social networking service.
  6. Cisco ASA Next Gen application awareness allows you to set these various slider switches, you can see they have come a long way from their older interface. And this is all available via the Web too! We start out by choosing Facebook messaging to focus our policy on. We then come to the screen below where you can use simple slider controls to enable various aspects of our policy and its various components, such as to allow attachments to be uploaded or downloaded, or to block the posting of photos to anyone's Facebook account. With the older firewalls, you typically had to experiment with rules through mostly trial and error before you could be sure that they were blocking or allowing particular behaviors.
  7. Most of the next gen firewalls operate similarly to what we have shown with the Cisco ASA line and have easier-to-use graphical interfaces. As another example, here is a dashboard that shows you at a glance what kinds of exploits have been reported across your network. A lot nicer than that old crusty Cisco ASA interface!
  8. Palo Alto Networks takes things a step further with its online Applipedia which lists over a 1000 different applications and characterizes them by risk, ports that they use, and whether they are prone to particular exploits. Here you see the details for the Facebook chat application.
  9. A second aspect of next gen firewalls is their ability to handle reputation management of incoming domains. You can lookup the history of a domain and how active it has been and whether it has been party to sending spam or other malware. Cisco's SenderBase and McAfee's TrustedSource –which is what we are looking at here-- have similar databases that are also freely available for browsing and education purposes and also serve as the basis for their next gen application awareness engines.
  10. Complementing applications awareness is the ability to add domain or IP reputation management to the firewall actions. This is done through a combination of sensors that are placed across the Internet and whitelist and blacklist particular domains or IP source addresses as potential malware. As part of the reputation management feature, you can create individual profiles for particular domains. Here we are using the Cisco ASA firewall reputation scoring and tagging feature to segregate out particular traffic from domains. BYU-Hawaii uses a different take on domain reputation. After getting severely hacked last year, the university wanted something that could isolate its servers into separate security zones, and looked at several next gen firewalls for this feature. "This way the database server and application server are in separate zones and they can only talk to each other. If our servers are compromised, our databases are still intact,”
  11. The McAfee Enterprise Firewall is an example of a new breed of applications-aware tools where the colored bubbles indicate the volume of events and firewall actions between a source (who) and a destination (where).The bigger the bubble the more traffic. This is an example of the integrated IPS that is part of the firewalls, where you can start to have intelligence to what is happening across your network as part of the firewall console and configuraiton.
  12. Another aspect is to add geo-location intelligence to the standard firewall package. Here we are looking at the McAfee Enterprise Firewall and you can see we can block traffic from particular export-limited countries such as Cuba from entering our network.
  13. But deploying next gen firewalls isn’t very simple. The problem is that the next gen products operate differently when it comes to NAT and QoS deployment. Also, most traditional firewall administrators are used to thinking of blocking incoming threats, whereas for next generation admins, "you look at the outbound interface more closely," he said. One example of this is how "some companies use an IPS as a way to monitor the health and well being of their firewalls, so they have evolved with separate staffs to handle each device. This makes for a less compelling case for integrating them,"
  14. This infographic is very depressing, and shows you how much original content is uploaded to these various Internet sites every minute. If there ever was an argument for having better firewalls, this should be in your slide deck too.
  15. You need a full understanding of when to use applications IDs in your firewall rule sets. You need to know what protocols are being used by which apps and when using a classic port/protocol approach is appropriate and when it isn't.The issue with application control isn't a technical issue, but that IT managers have to understand its implications and consequences. You could inadvertently block your employees' access to Facebook games. Ideally, IT should coordinate closely with human resources and management to ensure that the intended policies are deployed correctly
  16. Inertia is probably the biggest sticking point for why people haven't upgraded their firewalls and could be one reason that many stick with Cisco. The IT Director oat Houston-based Texas Heart Institute did with his Cisco ASA firewalls. He moved to the CX models because he trusted Cisco and "didn't want any downtime. Plus, we aren't adding a new piece of gear to our existing Cisco infrastructure such as switches and VPNs, and we have staff that are already trained how to use them," he said. "There isn't much of a learning curve to come up to speed on the CX next gen features."
  17. One IT manager told me It took him four months to do the migration, with most of the time related to issues involving having a large group of people coordinating their efforts because each was responsible for a different part of their network. He also had outdated documentation of our network that didn't help matters. Like many businesses, they grew organically over time and our documentation had lagged behind. So make sure you update this before you start any migration process, and get your house in order.
  18. the more virtualized environments of today's networks adds to the complexity of their information security structure. The traditional firewall technologies simply don't scale to the cloud
  19. This is just a partial list of them, I have found 20 of them, and have tested 6 or 7 for Network World. You can find the links to these on my strominator.com blog.
  20. This is Catbird’s vCenter configuration, you see that they use a separate virtual network interface for the management of the VMs that are running on that particular hypervisor.
  21. Another issue is how existing firewalls are used, or more accurately, misused. In some cases, business have come to rely too heavily on their firewalls, often as their sole piece of network routing infrastructure with no edge routers in place. "This makes it difficult to rip and replace them," said Hubbard.
  22. In recent years, UTMs from Juniper (Which we are looking at here), Check Point Software and others have gotten better, incorporating the same security features that used to be only found on the most expensive models across their entire UTM lines.
  23. Sonicwall wireless settings which is one reason to choose their box if you want to have better integration of wireless and wired protection
  24. Check Point UTM licensing details showing that UTMs can be difficult to get all the various modules installed and figuring out pricing can be complex. But the next gen FWs can save money -- , depending on your own licensing requirements, it could actually cost less: at BYU-Hawaii, replacing their older firewall and anti-malware licenses actually ended up being cheaper. "We are saving a bundle on maintenance fees now."
  25. Here is another example of a popular UTM box from Watchguard and its control console.
  26. Cyphort has this scanner that you can download for free, along with other tools. Norse displays the actual attacks they are seeing in real time.
  27. This is from Norse and shows you the activity of a particular IP address