
Evaluating Firewalls in the 21st Century

Joel Snyder Opus One jms@opus1.com

TechTarget

Feeling that rip-and-replace urge on your old firewall?


While You Were Out, Firewalls Have Been Rocking and Rolling

Enterprise Firewall

Application Firewall


Tip #1 Pay No Attention To The Buzzword


Remember:
No One Wants A Quarter-Inch Drill Bit!

You don't want a UTM, or an NGFW, or a WSG, or an MFA, or... You're not buying a buzzword; you're solving a problem.

Tip #2 Whatever It Is, It Has To Be A Firewall, First.


Every Enterprise Firewall Should Have
- Firewall policies (SIP/DIP/DP/Proto, i.e. source IP, destination IP, destination port, protocol, plus Allow/Block)
- NAT (Network Address Translation)
- Site-to-site VPN using IPsec
- Basic CoS/QoS bandwidth management features
- Enterprise network integration: VLANs, link aggregation
- High availability
- Speed

You Should Also Look For
- Dynamic routing with OSPF and/or BGP
- IPv6 support
- Global management

Evaluation Hint: Old Firewalls Probably Do This Pretty Well


The Old Guard
- Astaro (Sophos)
- Check Point
- Cisco
- Fortinet
- Juniper
- Secure Computing (McAfee)
- SonicWALL
- Stonesoft
- WatchGuard

The New Guys
- Palo Alto
- Phion (Barracuda)
- Sourcefire
- 3COM/H3C (HP)


Tip #3 Short-list Your Threat Mitigation Features


Things That Turned Out To Be A Good Idea (Winning Features)
- Anti-Malware
- Intrusion Prevention
- URL Filtering

Things Someone Thought Would Be A Good Idea (Not-so-Winning Features)
- Anti-Spam
- DLP/Content Filtering
- DDoS Blocking


Evaluation Hint: It's not Efficacy; it's Problem Solving


Intrusion Prevention. Efficacy hint: firewall IPS is not as good as dedicated IPS. Does it differentiate between clients and servers? Can it manage dynamic profiles (e.g., high priority)?

URL Filtering. Efficacy hint: we all know that this only works most of the time. Does it differentiate users by group? By interface? Different policies?

Anti-Malware. Efficacy hint: firewalls can help, but end-point protection is the most important defense. Does it cover the protocols you care about? HTTP? What else?

Tip #4 Next Generation is about Widening the Tuple


Before: the classic match tuple (source IP, destination IP, destination port, protocol) plus an allow/block action.

After: the same tuple, widened with one or more new match fields. Application and authentication (who the user is) are two possibilities. NGFW vendors are still trying to figure out what we want!
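The widened tuple in working form. This is an added example in Python, not code from the slides or from any vendor: a first-match, default-deny policy evaluator for the classic tuple from Tip #2, followed by the same evaluator with two extra match fields, application and user. The `Flow` and `Rule` types, the `rule()` helper and its syntax, the application names (`facebook`, `facebook-chat`), the group name `marketing` and the sample flows are all constructed for illustration.

```python
"""Policy evaluation for the classic firewall tuple and the widened NGFW tuple.

Added example, not code from the slides or any vendor. The Flow/Rule types, the
rule syntax, the application names, the group name and the sample flows are all
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Optional, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Flow:
    """One connection as the firewall sees it. src/dst/dport/proto are the classic
    tuple; app and user stay None unless the box has actually identified them."""
    src: str
    dst: str
    dport: int
    proto: str
    app: Optional[str] = None
    user: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    src: Network
    dst: Network
    dport: Optional[int]            # None = any port
    proto: Optional[str]            # None = any protocol
    action: str                     # "allow" or "block"
    app: Optional[str] = None       # widened tuple: None = any application
    user: Optional[str] = None      # widened tuple: None = any user/group
    name: str = ""

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in self.src or ip_address(f.dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        # A rule that names an app or user can only match a flow for which that
        # attribute has actually been identified; an unidentified flow (app=None)
        # never matches an app-specific rule and falls through to later rules.
        if self.app is not None and self.app != f.app:
            return False
        if self.user is not None and self.user != f.user:
            return False
        return True


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """First matching rule wins; the implicit default is block."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return "block", "implicit-deny"


def rule(src, dst, dport, proto, action, app=None, user=None, name=""):
    return Rule(ip_network(src), ip_network(dst), dport, proto, action, app, user, name)


# "Before": only SIP/DIP/DP/Proto + allow/block are available.
CLASSIC = [
    rule("10.0.0.0/8", "0.0.0.0/0", 443, "tcp", "allow", name="web-out"),
    rule("10.0.0.0/8", "0.0.0.0/0", 80, "tcp", "allow", name="web-out-clear"),
]

# "After": the same tuple widened with application and user. Order matters:
# the specific rules must precede the plain tuple rule they refine.
NGFW = [
    rule("10.0.0.0/8", "0.0.0.0/0", 443, "tcp", "block", app="facebook-chat", name="no-chat"),
    rule("10.0.0.0/8", "0.0.0.0/0", 443, "tcp", "allow", app="facebook", user="marketing", name="fb-marketing"),
    rule("10.0.0.0/8", "0.0.0.0/0", 443, "tcp", "block", app="facebook", name="fb-others"),
    rule("10.0.0.0/8", "0.0.0.0/0", 443, "tcp", "allow", name="web-out"),
    rule("10.0.0.0/8", "0.0.0.0/0", 80, "tcp", "allow", name="web-out-clear"),
]

if __name__ == "__main__":
    # Constructed sample flows (private and documentation addresses).
    flows = [
        Flow("10.1.2.3", "203.0.113.10", 443, "tcp"),                                   # not yet identified
        Flow("10.1.2.3", "203.0.113.10", 443, "tcp", app="facebook", user="marketing"),
        Flow("10.1.2.3", "203.0.113.10", 443, "tcp", app="facebook", user="engineering"),
        Flow("10.1.2.3", "203.0.113.10", 443, "tcp", app="facebook-chat", user="marketing"),
        Flow("10.1.2.3", "203.0.113.10", 22, "tcp"),
    ]
    for f in flows:
        print(f"{f.dport:>4} app={f.app!s:<14} user={f.user!s:<12}"
              f" classic={evaluate(CLASSIC, f)} ngfw={evaluate(NGFW, f)}")
```

The first sample flow is the one to watch: it is TCP/443 with no application identified, so under the NGFW rule set it skips every app-specific rule and is allowed by the plain tuple rule, exactly as under the classic rule set. Widening the tuple changes nothing until the firewall can actually fill in the new fields, which is why the slides separate visibility from control.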

Evaluation Hint: Divide VISIBILITY from CONTROL


Visibility: crack the traffic open (SSL decryption), then identify the traffic.
Control: control the traffic.

Visibility is so much more important in NGFW/application control because you must match vocabularies: the applications your policy names have to be the same applications the firewall can actually identify.

Tip #5 SSL Decryption is a Must


[Slide diagram: traffic inspection before and after SSL decryption]


Evaluation Hint: Speeds and Feeds! Speeds and Feeds!


Does it work? Can the firewall actually decrypt SSL traffic:
- on all ports?
- normal SSL?
- CONNECT (proxy)?
- STARTTLS (SMTP)?

Is it fast? When the firewall is decrypting SSL traffic, how fast does it go?

Remember: Application Control (NGFW) is a user-protective feature, so only user traffic will be affected!
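One of the "does it work?" questions above, recognising SSL/TLS wherever it starts, as an added example in Python (not code from the slides or from any vendor). It scans a client-to-server byte stream for the first TLS ClientHello record, whether that record begins at byte 0, after an HTTP CONNECT request to a proxy, or after an SMTP STARTTLS command, and pulls the server_name (SNI) out of it. The ClientHello builder, the CONNECT and STARTTLS preambles and the host names are constructed test vectors, not captured traffic.

```python
"""Find a TLS ClientHello anywhere in a client->server byte stream and read its SNI.

Added example, not from the original slides. The ClientHello builder exists only
to make constructed test vectors; the CONNECT and STARTTLS preambles and the
host names are made up for illustration.
"""
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello record with one SNI extension
    (constructed test vector, not a real capture)."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + len(name).to_bytes(2, "big") + name             # name_type = host_name
    sni_ext = (b"\x00\x00"                                               # extension type 0 = server_name
               + (len(sni_list) + 2).to_bytes(2, "big")
               + len(sni_list).to_bytes(2, "big") + sni_list)
    body = (b"\x03\x03" + bytes(32)          # client_version, random (zeros: test vector only)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # compression: null only
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # ContentType handshake


def find_tls_client_hello(stream: bytes) -> Optional[int]:
    """Offset of the first TLS ClientHello record in the stream, or None.

    Port-agnostic: only the record header (0x16, version 3.x, length) and the
    handshake header (type 1, length = record length - 4) are consulted, so a
    hello that follows a cleartext CONNECT or STARTTLS exchange is found too.
    Assumes the hello fits in one record, which is the normal case.
    """
    for i in range(len(stream) - 5):
        if stream[i] != 0x16 or stream[i + 1] != 0x03 or stream[i + 2] > 0x03:
            continue
        rec_len = int.from_bytes(stream[i + 3:i + 5], "big")
        if rec_len < 4 or i + 5 + rec_len > len(stream):
            continue
        if stream[i + 5] != 0x01:
            continue
        hs_len = int.from_bytes(stream[i + 6:i + 9], "big")
        if hs_len + 4 == rec_len:
            return i
    return None


def parse_sni(record: bytes) -> Optional[str]:
    """server_name from a ClientHello record whose record header is at offset 0."""
    try:
        p = 5 + 4 + 2 + 32                                    # record hdr, handshake hdr, version, random
        p += 1 + record[p]                                    # session_id
        p += 2 + int.from_bytes(record[p:p + 2], "big")       # cipher_suites
        p += 1 + record[p]                                    # compression_methods
        if p + 2 > len(record):
            return None                                       # no extensions at all
        end = p + 2 + int.from_bytes(record[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(record[p:p + 2], "big")
            elen = int.from_bytes(record[p + 2:p + 4], "big")
            p += 4
            if etype == 0:                                    # server_name extension
                q = p + 2                                     # skip ServerNameList length
                while q + 3 <= p + elen:
                    ntype, nlen = record[q], int.from_bytes(record[q + 1:q + 3], "big")
                    if ntype == 0:                            # host_name
                        return record[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
            p += elen
    except IndexError:
        pass                                                  # truncated record
    return None


def inspect_client_stream(stream: bytes) -> tuple[Optional[int], Optional[str]]:
    """(offset of the ClientHello, SNI) for a client->server stream; (None, None) if no TLS."""
    off = find_tls_client_hello(stream)
    if off is None:
        return None, None
    return off, parse_sni(stream[off:])


if __name__ == "__main__":
    # Constructed streams: direct TLS, TLS after HTTP CONNECT, TLS after SMTP STARTTLS, plain HTTP.
    samples = {
        "direct-443": build_client_hello("www.example.com"),
        "via-proxy": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
                     + build_client_hello("www.example.com"),
        "smtp-starttls": b"EHLO client.example.org\r\nSTARTTLS\r\n" + build_client_hello("mail.example.net"),
        "plain-http": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    }
    for label, data in samples.items():
        print(label, inspect_client_stream(data))
```

This is the cheap half of visibility: the ClientHello is cleartext, so the destination name can be read without decrypting anything, on whatever port the session happens to use. Everything after the handshake is opaque unless the firewall actually terminates and re-originates the session, which is the decryption the slide is asking you to test for speed.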


Tip #6 Application Identification Is Hard

That's Facebook, right?

Is the status being updated?

Or is that Facebook Mail?

Wait, is there chatting? Or not?


Evaluation Hint: Build Your Policy and Test Your Policy


Efficacy Testing Considered Harmful. Your word of the day: Sisyphean. Actual testing is actually useful.
"I don't care about 1314 applications. I just want to block peer-to-peer."


Firewall Testing: Same as it Ever Was, Only Different


Six Tips to Success
1: You're not buying a buzzword, you're solving a problem.
2: Firewalls still need to be firewalls, only faster.
3: Threat mitigation isn't a question of efficacy, but of meeting your needs (and check performance!).
4: Visibility into applications is important for next generation features.
5: Bite the bullet on SSL Decryption (and check performance!).
6: Application Identification is not a race to get the biggest numbers.

