Next generation firewalls: ready or not

Speech for the AITP St. Louis chapter, March 2014
1. Next Generation Firewalls: Ready or Not
   David Strom, AITP St. Louis, March 2014
   david@strom.com

2. Who am I?
   • Long-time tech journalist, product reviewer and speaker
   • IT manager from the dawn of the PC era
   • Former editor-in-chief at Network Computing and Tom’s Hardware.com
   • Author of two books on computer networking
   • Based here (St. Louis)

3. Agenda
   • Next-gen distinguishing characteristics
   • Issues with next-gen deployment
   • UTM pros and cons
   • Advanced persistent threat tools

4. The older firewall generation

5. Cisco ASA: what it used to be like

6. Next-gen distinguishing characteristics
   • Application granularity and awareness
   • Integrated IPS
   • IP reputation management
   • Geolocation

7. (image only)

8. Cisco ASA application granularity

9. New Cisco ASA dashboard

10. And another Cisco view

11. Palo Alto Networks “Applipedia”

12. (image only)

13. Reputation management

14. (image only)

15. McAfee Enterprise Firewall geolocation feature

16. Deployment issues
    • Next-gen does things differently from old school:
      – NAT
      – QoS
      – Outbound vs. inbound rule focus
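The following is an added illustration, not code from the talk or from any vendor's product, of two points the slides make: that a next-gen firewall classifies traffic by the application it sees in the payload rather than by port (slide 6), and that its rulebase is written outbound, per application, with reputation data folded in (slide 16). Five constructed flows are run through an old-style "allow tcp/80 and tcp/443" rule and through an app-aware, default-deny rule set. The SNI and Host parsers, the signature table, the blocklist, the hostnames and the flow payloads are all assumptions made for the example.

```python
"""Toy application-aware policy check (added example; no vendor's engine)."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the TCP session


def tls_sni(payload: bytes) -> Optional[str]:
    """Return server_name from a TLS ClientHello, or None if absent or malformed."""
    try:
        if payload[0] != 0x16:                               # record type: handshake
            return None
        rec_len = struct.unpack(">H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if hs[0] != 1:                                       # handshake type: ClientHello
            return None
        pos = 38                                             # type(1) len(3) version(2) random(32)
        pos += 1 + hs[pos]                                   # session id
        pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                                   # compression methods
        end = pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:  # server_name: list len(2), name type(1), name len(2), name
                name_len = struct.unpack(">H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        pass                                                 # truncated, or not TLS at all
    return None


def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP request, or None."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


# Constructed signature table: hostnames that identify an application.
APP_SIGNATURES = (("filehost.example", "file-sharing"), ("chat.example", "instant-messaging"))


def identify_app(flow: Flow) -> str:
    """Classify by what the client actually sent; the port is only a hint."""
    p = flow.payload
    if p[:1] == b"\x16":
        host, fallback = tls_sni(p), "ssl"
    elif p.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        host, fallback = http_host(p), "web-browsing"
    else:
        return "unknown-tcp"                                 # e.g. a non-TLS tunnel on tcp/443
    if host is None:
        return fallback                                      # no SNI / no Host: cannot do better
    for suffix, app in APP_SIGNATURES:
        if host == suffix or host.endswith("." + suffix):
            return app
    return fallback


BAD_REPUTATION = {"198.51.100.7"}                           # constructed IP-reputation blocklist
# Next-gen rule set: outbound, per application, reputation checked first, default deny.
NGFW_RULES = (("block", "file-sharing"), ("allow", "web-browsing"), ("allow", "ssl"))


def legacy_allows(flow: Flow) -> bool:
    """Old-school rule: allow outbound tcp/80 and tcp/443, whatever is inside."""
    return flow.dport in (80, 443)


def ngfw_allows(flow: Flow) -> bool:
    if flow.dst in BAD_REPUTATION:
        return False
    app = identify_app(flow)
    for action, rule_app in NGFW_RULES:
        if rule_app == app:
            return action == "allow"
    return False                                             # unknown-tcp and anything unlisted


def make_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack(">HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)          # version, random, sid, suites, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


SAMPLE_FLOWS: Dict[str, Flow] = {                            # constructed sample traffic
    "intranet-https": Flow("10.0.0.5", "203.0.113.10", 443, make_client_hello("intranet.example")),
    "filehost-https": Flow("10.0.0.5", "203.0.113.20", 443, make_client_hello("up.filehost.example")),
    "plain-http": Flow("10.0.0.5", "203.0.113.30", 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "bad-reputation": Flow("10.0.0.5", "198.51.100.7", 443, make_client_hello("cdn.example")),
    "not-tls-on-443": Flow("10.0.0.5", "203.0.113.40", 443, b"\x00\x00\x00\x1cnot a TLS record"),
}


def compare(flow: Flow) -> Dict[str, object]:
    """Both generations' verdicts on one flow, plus the app the next-gen side saw."""
    return {"app": identify_app(flow), "legacy": legacy_allows(flow), "ngfw": ngfw_allows(flow)}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:16} {compare(flow)}")
```

The port rule allows all five flows; the app-aware rule set blocks the file-sharing upload, the destination with bad reputation and the non-TLS payload on tcp/443, because each is decided on what the traffic is rather than where it is going. Note what the classifier can and cannot see: it relies on cleartext metadata the client volunteers (the SNI or the Host header), so a TLS session without SNI only ever becomes "ssl" and an unrecognised payload becomes "unknown-tcp". A next-gen rulebase therefore has to take an explicit position on those catch-all categories, which is where the "app ID implications for users" on slide 18 come from.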
17. (image only)

18. Understanding app ID implications for users

19. One obstacle to switching to next-gen

20. Network documentation isn’t current

21. Handling VMs is still an issue

22. Lots of VM security products…

23. Catbird’s compliance radar graph

24. (image only)

25. Infrastructure misuse

26. What about UTMs?
    • Pro:
      – A lot of protection for the money nowadays (Juniper/Check Point)
      – One box does it all
    • Con:
      – Complex licensing
      – Can get expensive if you have high bandwidth needs
      – Latency can kill you once you turn on antivirus scanning

27. Juniper SRX dashboard

28. SonicWall

29. (image only)

30. Watchguard UTM

31. APT tools
    • Try to catch the bad guys before they actually deploy their payloads; examples come from Norse Corp. (a local company) and Cyphort

32. (image only)

33. For more info
    • david@strom.com
    • Twitter: @dstrom
    • http://strominator.com
    • TechTarget article: http://bit.ly/1dISmx4
    • Network World review of UTMs: http://bit.ly/1fJtmHE