CRISC CGEIT CISM CISA 2013 Fall Conference – “Sail to Success”
Next Generation Firewalls: Top 9 Revisited
Miguel (Mike) O. Villegas, CISA, CISSP, GSEC, CEH, PCI QSA, PA-QSA
Vice President, K3DES LLC
Core Competencies – C32
2015 Fall Conference – “CyberSizeIT”, November 9 – 11, 2015
Abstract

Recent security breaches to some of the largest and seemingly more secure environments beg the question whether existing protection mechanisms are sufficient to deter unauthorized access to critical assets. Traditional firewalls, anti-virus and intrusion prevention systems appear to have lost their usefulness. In reality, they are still very much in use; however, more robust and effective solutions are needed to keep up with those that threaten our network infrastructures.

Next-Generation Firewalls are integrated network platforms that consist of in-line deep packet inspection (DPI) firewalls, Intrusion Prevention Systems, Application Inspection and Control, SSL/SSH inspection, website filtering and Quality of Service (QoS)/bandwidth management in the network to protect the network against the latest sophisticated attacks.

This session will cover NGFW features, uses, business case and vendor offerings. It will also provide the participant with a roadmap on how to audit and manage NGFWs.

After completing this session, participants will be able to:
1. Better understand what a Next Generation Firewall is
2. Gain knowledge of how NGFWs differ from UTM
3. Better understand what NGFW features are and how they work
4. Better understand how to make a business case for a NGFW
5. Gain knowledge of how to audit and manage a NGFW
The products presented in this session are for informational purposes only and do not reflect an endorsement or recommendation on the part of the presenter. Attendees are advised to perform their own due diligence in selecting the right solution for their institutions.
Table of Contents
• NGFW Primer
• Need for NGFW
• Case for NGFW
• NGFW Vendors
• NGFW Audit
NGFW PRIMER
NGFW Primer

NGFWs are integrated network security platforms that consist of:
• in-line deep packet inspection (DPI) firewalls,
• Intrusion Prevention Systems (IPS),
• application inspection and control,
• SSL/SSH inspection,
• website filtering, and
• quality of service (QoS)/bandwidth management

In October 2014, the presenter of this session interviewed and researched the NGFWs of 9 NGFW vendors listed in the 2014 Gartner Magic Quadrant:
• Juniper
• Cisco
• Palo Alto
• Checkpoint
• Fortinet
• McAfee
• Dell Sonicwall
• Barracuda
• HP Tippingpoint
Next Generation Firewall Primer

Next Generation Firewall
• Application Awareness & Control
• User-based Controls
• Intrusion Prevention

Unified Threat Management
• Anti-virus
• Web/Content Filtering
• Anti-spam

Security Intelligence
• Command & control
• GeoIP
• Industry feeds
• Custom feeds

Foundational elements
• Stateful Firewall
• Management
• VPN
• NAT
• Logging & reporting
• Routing
• Analytics

Source: Juniper SRX – Next Generation Firewall – November 2014
Traditional Firewalls

• Unlike NGFWs, traditional packet-filtering firewalls only provide protection at Layer 3 (network) and Layer 4 (transport) of the OSI model.
• They include metrics to allow and deny packets by discriminating the source IP address of incoming packets, destination IP addresses, the type of Internet protocols the packet may contain, e.g.:
  – normal data carrying IP packets,
  – ICMP (Internet Control Message Protocol),
  – ARP (Address Resolution Protocol),
  – RARP (Reverse Address Resolution Protocol),
  – BOOTP (Bootstrap Protocol), and
  – DHCP (Dynamic Host Configuration Protocol)
  -- and routing features.
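An added example, not part of the original presentation: a minimal Layer 3/4 packet filter of the kind described above, run against constructed flows, next to the application-control check an NGFW layers on top. The rule fields, application labels and addresses are assumptions chosen for illustration; the application label stands in for what a deep packet inspection engine would report.

```python
"""Illustrative only: L3/L4 packet filtering versus application-aware control.
All addresses, rules and application labels are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None for protocols without ports
    app: str               # label a DPI engine would assign (assumed)


@dataclass(frozen=True)
class L4Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # protocol name or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, f: Flow) -> bool:
        # Only header fields are consulted: addresses, protocol, port.
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (self.dport is None or self.dport == f.dport))


def l4_decision(rules: List[L4Rule], flow: Flow, default: str = "deny") -> str:
    """Traditional filter: first matching rule wins, otherwise default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def ngfw_decision(rules: List[L4Rule], blocked_apps: Set[str], flow: Flow) -> str:
    """Same L3/L4 policy, followed by application control on allowed flows."""
    verdict = l4_decision(rules, flow)
    if verdict == "allow" and flow.app in blocked_apps:
        return "deny"
    return verdict


def audit_port_only_exposure(rules, blocked_apps, flows) -> List[Flow]:
    """Flows the L3/L4 policy lets through that application control would stop."""
    return [f for f in flows
            if l4_decision(rules, f) == "allow"
            and ngfw_decision(rules, blocked_apps, f) == "deny"]


# Constructed policy: users may browse over HTTPS and resolve DNS,
# and may not reach the management network.
RULES = [
    L4Rule("deny", "10.0.0.0/8", "10.0.99.0/24", "any", None),
    L4Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
    L4Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "udp", 53),
]
BLOCKED_APPS = {"file-sharing", "remote-access-tunnel"}

# Constructed flows; three of them are indistinguishable at L3/L4 (tcp/443).
FLOWS = [
    Flow("10.0.1.20", "203.0.113.10", "tcp", 443, "web-browsing"),
    Flow("10.0.1.21", "203.0.113.50", "tcp", 443, "file-sharing"),
    Flow("10.0.1.22", "198.51.100.7", "tcp", 443, "remote-access-tunnel"),
    Flow("10.0.1.23", "10.0.99.5", "tcp", 22, "ssh"),
    Flow("10.0.1.24", "198.51.100.53", "udp", 53, "dns"),
    Flow("10.0.1.25", "192.0.2.9", "tcp", 25, "smtp"),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f.app:22} L3/L4={l4_decision(RULES, f):5} "
              f"NGFW={ngfw_decision(RULES, BLOCKED_APPS, f)}")
    gap = audit_port_only_exposure(RULES, BLOCKED_APPS, FLOWS)
    print("allowed by port-only policy, denied by application control:",
          [f.app for f in gap])
```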
NGFW Foundational Elements

NGFWs are integrated network security platforms that consist of:
• Stateful Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
• Routing
• Management
• Logging and Reporting
• Analytics
NGFW Additional Elements

NGFWs are integrated network security platforms that also consist of:
• Application Awareness and Control
• Intrusion Prevention
• User based controls
• Anti-Virus
• Web/Content Filtering
• Anti-Spam
• Two-factor authentication
• Active Directory Integration
• Security Intelligence / Threat Intelligence
• Mobile Device Controls
• Data Loss Prevention
Threat Intelligence

One of the major differentiators that all of these major NGFW companies purport to be working on is threat intelligence that is current, open, continuous, adaptive and automatic.

http://www.zdnet.com/article/new-threat-intelligence-report-skewers-industry-confusion-charlatans
[Figure not recovered. Source: Palo Alto]
Types of Attacks

Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.
• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit

Other types of attacks:
• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack
UTM vs NGFW

Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what’s certain is that enhancements to multifunctional security solutions, whatever they’re called, will continue.
• UTMs are primarily for SMB
• NGFWs are for larger, more complex IT environments
[Figure not recovered. Source: Juniper SRX Datasheet]
[Figure: Gartner Magic Quadrant – April 2015. Quadrants: Challengers, Leaders, Niche Players, Visionaries]
[Figure dated October 7, 2015. Labels: Security, Performance, Total cost of ownership (TCO)]
NEED FOR NGFW
Do we really need a NGFW?

• But “we’ve never had a breach” or “we are not a big target”
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  – Is the investment justifiable?
  – Alignment with existing IT strategies
  – Total Cost of Ownership (TCO)
Is the investment justifiable?

• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  – IPS/IDS
  – Firewall (deep packet inspection)
  – Anti-virus/Malware protection
  – Application controls
  – VPN
  – Session encryption (TLS 1.2)
  – Wireless security
  – Mobile security
Alignment with existing IT strategies

• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable
• Some NGFWs have security features built into the appliance at no additional cost
• Some do not activate features since they have not found them necessary or because they do not fit their business model
For example

• Large retail companies might opt for a NGFW solution at the corporate headquarters, but go with point solutions in each retail store -- whether from the same vendor or not
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP
Alignment with existing IT strategies

• Whatever course is taken, information security decisions need to be integrated with IT’s strategic goals
• IT, in turn, exists to support the business. IT does not drive the business
• The business drives the business
• IT’s purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals
Total Cost of Ownership (TCO)

TCO establishes the right complement of resources -- people and technology
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people, skills, flexibility, scalability and comprehensiveness of the systems deployed
CASE FOR A NGFW
Six Criteria for buying a NGFW

It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let’s look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support
Platform Type

• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized, multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated
Feature Set

• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of:
  – inline deep packet inspection firewalls,
  – IDS/IPS,
  – application inspection and control,
  – SSL/SSH inspection,
  – website filtering, and
  – QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions
Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations
• However, enabling all available features at once could result in serious performance degradation
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose
Manageability

• This criterion involves system configuration requirements and usability of the management console
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive
Price

• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage
Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events
NGFW VENDORS
NGFW Players

The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda

There are other NGFW vendors, but these are the top 9.
Questions to consider

Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?
What features are available in the NGFW?

Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won’t. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license
What features are available in the NGFW?

• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product
What features are available in the NGFW?

The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product’s procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, where it is offered with over 600 types; you might still determine that a full-featured DLP solution is required if the Checkpoint is not sufficient
• The same would apply to web application firewalls (WAF): an NGFW such as the Dell Sonicwall offers one, but again it is not a full-featured WAF
What features are available in the NGFW?

• Another example would be Cisco: malware protection is available with their network anti-virus/malware solution, but additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira)
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint
• Juniper’s Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license
How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing)
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer
Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5,000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass
Key differentiators between NGFW products

• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors
• Fortinet lauds its 11-year old in-house dedicated security research team -- FortiGuard Labs -- one of the few NGFW vendors that have its own, since most OEM this activity. Fortinet also purports to have NGFW FortiGate that can deliver five times better performance of comparatively priced competitor products
• HP TippingPoint is known for its NGFW’s simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone
Key differentiators between NGFW products

• McAfee NGFW provides “intelligence aware” security controls, advanced evasion prevention and a unified software core design
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players,
(2) develop a short list,
(3) perform a proof of concept – POC,
(4) make reference calls,
(5) consider cost,
(6) obtain management buy-in, and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

The products presented in this session are for informational purposes only and do not reflect an endorsement or recommendation on the part of the presenter. Attendees are advised to perform their own due diligence in selecting the right solution for their institutions.

Table of Contents
• NGFW Primer
• Need for NGFW
• Case for NGFW
• NGFW Vendors
• NGFW Audit

NGFW PRIMER

NGFW Primer
NGFWs are integrated network security platforms that consist of:
• in-line deep packet inspection (DPI) firewalls,
• Intrusion Prevention Systems (IPS),
• application inspection and control,
• SSL/SSH inspection,
• website filtering, and
• quality of service (QoS)/bandwidth management.
The presenter of this session has interviewed and researched NGFWs for 9 NGFW vendors in October 2014 listed in the 2014 Gartner Magic Quadrant:
• Juniper
• Cisco
• Palo Alto
• Checkpoint
• Fortinet
• McAfee
• Dell Sonicwall
• Barracuda
• HP Tippingpoint

Next Generation Firewall Primer
[Figure: layered NGFW feature diagram. Source: Juniper SRX – Next Generation Firewall – November 2014]
• Next Generation Firewall: Application Awareness & Control; User-based Controls; Intrusion Prevention
• Unified Threat Management: Anti-virus; Web/Content Filtering; Anti-spam
• Security Intelligence: Command & control; GeoIP; Industry feeds; Custom feeds
• Foundational elements: Stateful Firewall; Management; VPN; NAT; Logging & reporting; Routing; Analytics

Traditional Firewalls
• Unlike NGFWs, traditional packet-filtering firewalls only provide protection at Layer 3 (network) and Layer 4 (transport) of the OSI model.
• They include metrics to allow and deny packets by discriminating the source IP address of incoming packets, destination IP addresses, the type of Internet protocols the packet may contain – e.g.,
  – normal data carrying IP packets,
  – ICMP (Internet Control Message Protocol),
  – ARP (Address Resolution Protocol),
  – RARP (Reverse Address Resolution Protocol),
  – BOOTP (Bootstrap Protocol), and
  – DHCP (Dynamic Host Configuration Protocol) -- and routing features.
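
The Layer 3/4 limitation described above, as an added example that is not part of the original slides: a first-match packet filter that sees only addresses, protocol and port gives two different applications on TCP/443 the same verdict, while a check on the opening payload bytes tells them apart. The rule base, addresses, policy and payload bytes are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int        # destination port (0 for ICMP)
    payload: bytes    # first bytes of the flow; a Layer 3/4 filter never reads this


# Constructed Layer 3/4 rule base: (source net, destination net, protocol, port, action).
L34_RULES = [
    ("10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "allow"),
    ("10.0.0.0/8", "0.0.0.0/0", "udp", 53, "allow"),
    ("0.0.0.0/0", "0.0.0.0/0", "icmp", None, "deny"),
]

# Constructed application policy: applications permitted on each TCP port.
APP_POLICY = {443: {"tls"}, 80: {"http"}}


def l34_verdict(pkt, rules=L34_RULES):
    """Traditional filter: first matching rule on addresses, protocol and port."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for src_net, dst_net, proto, dport, action in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and proto == pkt.proto
                and (dport is None or dport == pkt.dport)):
            return action
    return "deny"  # implicit default deny when no rule matches


def identify_app(payload):
    """Classify a flow by how its first bytes open (a tiny stand-in for DPI)."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    return "unknown"


def app_aware_verdict(pkt):
    """Layer 3/4 decision first, then the application must match the port policy."""
    base = l34_verdict(pkt)
    if base != "allow" or pkt.proto != "tcp":
        return base
    allowed = APP_POLICY.get(pkt.dport)
    if allowed is None:
        return base
    return "allow" if identify_app(pkt.payload) in allowed else "deny"


# Constructed sample flows (documentation address ranges, hand-built payloads).
SAMPLE_FLOWS = {
    "tls_on_443": Packet("10.1.2.3", "203.0.113.10", "tcp", 443,
                         b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"),
    "ssh_on_443": Packet("10.1.2.3", "203.0.113.10", "tcp", 443,
                         b"SSH-2.0-OpenSSH_8.9\r\n"),
    "dns_query": Packet("10.1.2.3", "203.0.113.53", "udp", 53, b"\x12\x34"),
    "icmp_echo": Packet("10.1.2.3", "203.0.113.10", "icmp", 0, b""),
    "outside_src": Packet("198.51.100.7", "203.0.113.10", "tcp", 443, b"GET / "),
}


def evaluate_samples():
    """Return {flow name: (layer 3/4 verdict, application-aware verdict)}."""
    return {name: (l34_verdict(p), app_aware_verdict(p))
            for name, p in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (l34, app) in evaluate_samples().items():
        print(f"{name:12s} L3/L4={l34:5s} app-aware={app}")
```
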

NGFW Foundational Elements
NGFWs are integrated network security platforms that consist of:
• Stateful Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
• Routing
• Management
• Logging and Reporting
• Analytics

NGFW Additional Elements
NGFWs are integrated network security platforms that also consist of:
• Application Awareness and Control
• Intrusion Prevention
• User based controls
• Anti-Virus
• Web/Content Filtering
• Anti-Spam
• Two-factor authentication
• Active Directory Integration
• Security Intelligence / Threat Intelligence
• Mobile Device Controls
• Data Loss Prevention

Threat Intelligence
One of the major differentiators that all of these major NGFW companies purport to be working on is threat intelligence that is current, open, continuous, adaptive and automatic.
http://www.zdnet.com/article/new-threat-intelligence-report-skewers-industry-confusion-charlatans

[Image-only slides omitted. Source: Palo Alto]

Types of Attacks
Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.
• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit

Other types of attacks:
• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack

UTM vs NGFW
Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what's certain is that enhancements to multifunctional security solutions, whatever they're called, will continue.
• UTMs are primarily for SMB
• NGFWs are for larger, more complex IT environments

[Image-only slides omitted. Source: Juniper SRX Datasheet]

[Figure: Gartner Magic Quadrant – April 2015. Quadrant labels: Challengers, Leaders, Niche Players, Visionaries]

[Figure dated October 7, 2015. Labels: Security; Performance; Total cost of ownership (TCO)]

NEED FOR NGFW

Do we really need a NGFW?
• But "we've never had a breach" or "we are not a big target"
• Today, there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  – Is the investment justifiable?
  – Alignment with existing IT strategies
  – Total Cost of Ownership (TCO)

Is the investment justifiable?
• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  – IPS/IDS
  – Firewall (deep packet inspection)
  – Anti-virus/Malware protection
  – Application controls
  – VPN
  – Session encryption (TLS 1.2)
  – Wireless security
  – Mobile security

Alignment with existing IT strategies
• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some do not activate features since they have not found them necessary or because they do not fit their business model.

For example
• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources -- people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people, skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS).
• Hardware-based NGFWs appeal best to large and midsize enterprises.
• Software-based NGFWs to small companies with simple network infrastructures.
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated.

Feature Set
• Not all NGFW features are similarly available by vendor.
• NGFW features typically consist of:
  – inline deep packet inspection firewalls,
  – IDS/IPS,
  – application inspection and control,
  – SSL/SSH inspection,
  – website filtering, and
  – QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion.
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions.

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability
• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address: responsiveness ranked by type of service request; quality and accuracy of the service response; currency of product updates; and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

What features are available in the NGFW?
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, offered with over 600 types, but you might determine that a full-featured DLP solution is still required if the Checkpoint is not sufficient.
• The same would apply to web application firewalls (WAF), such as the Dell Sonicwall, which again is not a full-featured WAF.

What features are available in the NGFW?
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity but also the greater the bargaining power on the part of the customer.
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, the largest application library (over 5,000), data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.

Key differentiators between NGFW products
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs -- as one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW’s simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

Key differentiators between NGFW products
• McAfee NGFW provides “intelligence aware” security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large-scale central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA’s PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

Table of Contents
• NGFW Primer
• Need for NGFW
• Case for NGFW
• NGFW Vendors
• NGFW Audit

NGFW PRIMER

NGFW Primer
NGFWs are integrated network security platforms that consist of:
• in-line deep packet inspection (DPI) firewalls
• Intrusion Prevention Systems (IPS)
• application inspection and control
• SSL/SSH inspection
• website filtering and
• quality of service (QoS)/bandwidth management
The presenter of this session has interviewed and researched NGFWs for 9 NGFW vendors in October 2014, listed in the 2014 Gartner Magic Quadrant:
• Juniper
• Cisco
• Palo Alto
• Checkpoint
• Fortinet
• McAfee
• Dell Sonicwall
• Barracuda
• HP Tippingpoint

Next Generation Firewall Primer
[Diagram: layers of NGFW functionality]
• Next Generation firewall: Application Awareness & Control, User-based Controls, Intrusion Prevention
• Unified Threat Management: Anti-virus, Web/Content Filtering, Anti-spam
• Security Intelligence: Command & control, GeoIP, Industry feeds, Custom feeds
• Foundational elements: Stateful Firewall, Management, VPN, NAT, Logging & reporting, Routing, Analytics
Source: Juniper SRX – Next Generation Firewall – November 2014

Traditional Firewalls
• Unlike NGFWs, traditional packet-filtering firewalls only provide protection at Layer 3 (network) and Layer 4 (transport) of the OSI model.
• They include metrics to allow and deny packets by discriminating the source IP address of incoming packets, destination IP addresses, the type of Internet protocols the packet may contain, e.g.
  – normal data carrying IP packets
  – ICMP (Internet Control Message Protocol)
  – ARP (Address Resolution Protocol)
  – RARP (Reverse Address Resolution Protocol)
  – BOOTP (Bootstrap Protocol) and
  – DHCP (Dynamic Host Configuration Protocol)
  -- and routing features.

NGFW Foundational Elements
NGFWs are integrated network security platforms that consist of:
• Stateful Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
• Routing
• Management
• Logging and Reporting
• Analytics

NGFW Additional Elements
NGFWs are integrated network security platforms that also consist of:
• Application Awareness and Control
• Intrusion Prevention
• User based controls
• Anti-Virus
• Web/Content Filtering
• Anti-Spam
• Two-factor authentication
• Active Directory Integration
• Security Intelligence / Threat Intelligence
• Mobile Device Controls
• Data Loss Prevention

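The contrast drawn in the slides above between Layer 3/4 packet filtering and NGFW application awareness and control can be shown in a few lines. This is an added example, not part of the original presentation: every name, rule, address and payload byte is constructed for illustration, and the application identification is a simplified assumption, not any vendor's engine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None for protocols without ports
    payload: bytes         # first bytes seen on the flow


@dataclass(frozen=True)
class L4Rule:
    action: str            # "allow" or "deny"
    src_net: str
    dst_net: str
    proto: str             # protocol name, or "any"
    dport: Optional[int]   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        # Only header fields are consulted: this is all a Layer 3/4 filter sees.
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def l4_verdict(rules: List[L4Rule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_app(pkt: Packet) -> str:
    """Toy application identification from the first payload bytes (assumption)."""
    if pkt.proto != "tcp":
        return "unknown"
    data = pkt.payload
    if data.startswith(b"SSH-"):                       # SSH identification string
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"                                   # TLS handshake record header
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def ngfw_verdict(rules: List[L4Rule],
                 app_policy: Dict[Optional[int], Set[str]],
                 pkt: Packet) -> str:
    """L3/L4 decision first, then an application check on ports that have a policy."""
    if l4_verdict(rules, pkt) != "allow":
        return "deny"
    allowed = app_policy.get(pkt.dport)
    if allowed is None:
        return "allow"     # no application policy for this port: L3/L4 decision stands
    return "allow" if identify_app(pkt) in allowed else "deny"


# Constructed policy: internal hosts may reach any destination on TCP/443,
# and the application seen on port 443 must be TLS.
RULES = [L4Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443)]
APP_POLICY = {443: {"tls"}}

# Constructed sample traffic (documentation address ranges).
TLS_HELLO = bytes.fromhex("16030100c8010000c40303")
TLS_PKT = Packet("10.1.2.3", "203.0.113.10", "tcp", 443, TLS_HELLO)
SSH_PKT = Packet("10.1.2.3", "203.0.113.10", "tcp", 443, b"SSH-2.0-OpenSSH_9.6\r\n")
ICMP_PKT = Packet("10.1.2.3", "203.0.113.10", "icmp", None, b"")
OUTSIDE_PKT = Packet("192.0.2.7", "203.0.113.10", "tcp", 443, TLS_HELLO)

if __name__ == "__main__":
    samples = [("tls/443", TLS_PKT), ("ssh/443", SSH_PKT),
               ("icmp", ICMP_PKT), ("outside src", OUTSIDE_PKT)]
    for name, pkt in samples:
        print(f"{name:12} l3/l4={l4_verdict(RULES, pkt):5} "
              f"app={identify_app(pkt):7} ngfw={ngfw_verdict(RULES, APP_POLICY, pkt)}")
```

The two TCP/443 flows from the internal host have identical header fields, so the Layer 3/4 rule set cannot tell them apart; only the payload-aware check separates them.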
Threat Intelligence
One of the major differentiators that all of these major NGFW companies purport to be working on is threat intelligence that is current, open, continuous, adaptive and automatic.
http://www.zdnet.com/article/new-threat-intelligence-report-skewers-industry-confusion-charlatans

[Figure. Source: Palo Alto]

Types of Attacks
Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.
• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit

Types of Attacks
Other types of attacks:
• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack

UTM vs NGFW
Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what’s certain is that enhancements to multifunctional security solutions, whatever they’re called, will continue.
• UTMs are primarily for SMB
• NGFWs are for larger, more complex IT environments

[Figure. Source: Juniper SRX Datasheet]

[Figure: Gartner Magic Quadrant – April 2015. Quadrants: Challengers, Leaders, Niche Players, Visionaries]

[Figure dated October 7, 2015. Labels: Security, Performance, Total cost of ownership (TCO)]

NEED FOR NGFW

Do we really need a NGFW?
• But “we’ve never had a breach” or “we are not a big target”
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?
• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies
• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some organizations do not activate certain features because they have not found them necessary or because the features do not fit their business model.

For example
• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT’s strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT’s purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources -- people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that, regardless of what vendors call their NGFW products, it is incumbent on buyers to understand the precise features each NGFW product under consideration includes. Let’s look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set
• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of:
  • inline deep packet inspection firewalls
  • IDS/IPS
  • application inspection and control
  • SSL/SSH inspection
  • website filtering and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability
• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions
  2. flexible - possible to exclude features that are not needed in the enterprise environment and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won’t. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

What features are available in the NGFW?
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product’s procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, which offers it with over 600 types, but you might determine that a full-featured DLP solution is still required if the Checkpoint is not sufficient.
• The same would apply to web application firewalls (WAF), such as the Dell Sonicwall, which again is not a full-featured WAF.

What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, the largest application library of any vendor (over 5000), data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs. It is one of the few NGFW vendors that have their own, since most OEM this activity. Fortinet also purports to have an NGFW, FortiGate, that can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry, due to advanced troubleshooting capabilities and smart lifecycle management features built into a large-scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW?
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players;
(2) develop a short list;
(3) perform a proof of concept (POC);
(4) make reference calls;
(5) consider cost;
(6) obtain management buy-in; and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise, all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

NGFW PRIMER

NGFW Primer
NGFWs are integrated network security platforms that consist of:
• in-line deep packet inspection (DPI) firewalls,
• Intrusion Prevention Systems (IPS),
• application inspection and control,
• SSL/SSH inspection,
• website filtering, and
• quality of service (QoS)/bandwidth management.
In October 2014, the presenter of this session interviewed and researched 9 NGFW vendors listed in the 2014 Gartner Magic Quadrant:
• Juniper
• Cisco
• Palo Alto
• Checkpoint
• Fortinet
• McAfee
• Dell Sonicwall
• Barracuda
• HP Tippingpoint

Next Generation Firewall Primer
[Figure: layered view of NGFW capabilities. Source: Juniper SRX – Next Generation Firewall – November 2014]
• Next Generation Firewall: Application Awareness & Control; User-based Controls; Intrusion Prevention
• Unified Threat Management: Anti-virus; Web/Content Filtering; Anti-spam
• Security Intelligence: Command & control; GeoIP; Industry feeds; Custom feeds
• Foundational elements: Stateful Firewall; Management; VPN; NAT; Logging & reporting; Routing; Analytics

Traditional Firewalls
• Unlike NGFWs, traditional packet-filtering firewalls only provide protection at Layer 3 (network) and Layer 4 (transport) of the OSI model.
• They include metrics to allow and deny packets by discriminating the source IP address of incoming packets, destination IP addresses, and the type of Internet protocols the packet may contain, e.g.:
  – normal data carrying IP packets
  – ICMP (Internet Control Message Protocol)
  – ARP (Address Resolution Protocol)
  – RARP (Reverse Address Resolution Protocol)
  – BOOTP (Bootstrap Protocol) and
  – DHCP (Dynamic Host Configuration Protocol)
  and routing features.

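The Layer 3/4 decision described above, as an added example that is not part of the original presentation: a first-match packet filter in Python. The rule set, the addresses (RFC 5737 documentation ranges) and the two sample packets are constructed for illustration; they show that a web request and a non-web protocol sent to the same port get the same verdict, because the filter never reads the payload.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None for protocols without ports (e.g. ICMP)
    payload: bytes         # carried by the packet, never read by the filter


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # protocol name, or "any"
    dport: Optional[int]   # destination port, or None for any port

    def matches(self, pkt: Packet) -> bool:
        # Only header fields take part in the match: Layer 3 addresses,
        # the protocol, and the Layer 4 destination port.
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed rule set for a hypothetical web server at 192.0.2.10.
RULES = [
    Rule("deny", "203.0.113.0/24", "0.0.0.0/0", "any", None),   # blocked range
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),     # HTTP port
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),    # HTTPS port
    Rule("allow", "0.0.0.0/0", "192.0.2.0/24", "icmp", None),   # ICMP to the LAN
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule; deny when none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def decision_inputs(pkt: Packet) -> tuple:
    """The only fields a Layer 3/4 filter bases its verdict on."""
    return (pkt.src, pkt.dst, pkt.proto, pkt.dport)


# Constructed sample packets: same addresses, protocol and port,
# different application protocol inside the payload.
WEB_REQUEST = Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
NON_WEB_ON_PORT_80 = Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                            b"SSH-2.0-ExampleClient\r\n")

if __name__ == "__main__":
    for name, pkt in [("web request", WEB_REQUEST),
                      ("non-web protocol on port 80", NON_WEB_ON_PORT_80)]:
        print(f"{name}: {filter_packet(pkt)} based on {decision_inputs(pkt)}")
```

Telling these two packets apart requires looking at the payload, which is the application inspection and control function the deck attributes to NGFWs.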
NGFW Foundational Elements
NGFWs are integrated network security platforms that consist of:
• Stateful Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
• Routing
• Management
• Logging and Reporting
• Analytics

NGFW Additional Elements
NGFWs are integrated network security platforms that also consist of:
• Application Awareness and Control
• Intrusion Prevention
• User based controls
• Anti-Virus
• Web/Content Filtering
• Anti-Spam
• Two-factor authentication
• Active Directory Integration
• Security Intelligence / Threat Intelligence
• Mobile Device Controls
• Data Loss Prevention

Threat Intelligence
One of the major differentiators that all of these major NGFW companies purport to be working on is threat intelligence that is current, open, continuous, adaptive and automatic.
http://www.zdnet.com/article/new-threat-intelligence-report-skewers-industry-confusion-charlatans

[Figure. Source: Palo Alto]

Types of Attacks
Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.
• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit

Types of Attacks
Other types of attacks:
• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack

UTM vs NGFW
Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate (the same may even happen for NGFWs), but what's certain is that enhancements to multifunctional security solutions, whatever they're called, will continue.
• UTMs are primarily for SMB
• NGFWs are for larger, more complex IT environments

[Figure. Source: Juniper SRX Datasheet]

[Figure: Gartner Magic Quadrant – April 2015. Quadrants: Challengers, Leaders, Niche Players, Visionaries]

[Figure, October 7, 2015. Labels: Security; Performance; Total cost of ownership (TCO)]

NEED FOR NGFW

Do we really need a NGFW?
• But "we've never had a breach" or "we are not a big target"
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?
• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies
• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some do not activate features since they have not found them necessary or because they do not fit their business model.

For example
• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store, whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources: people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that, regardless of what vendors call their NGFW products, it is incumbent on buyers to understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set
• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of:
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability
• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support, with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor, so this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper’s Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest IPS block rate among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs; it is one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW’s simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.
• McAfee NGFW provides “intelligence aware” security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large-scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA’s PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

NGFW Primer

NGFWs are integrated network security platforms that consist of:
• in-line deep packet inspection (DPI) firewalls
• Intrusion Prevention Systems (IPS)
• application inspection and control
• SSL/SSH inspection
• website filtering, and
• quality of service (QoS)/bandwidth management

The presenter of this session has interviewed and researched NGFWs for 9 NGFW vendors in October 2014 listed in the 2014 Gartner Magic Quadrant:
• Juniper
• Cisco
• Palo Alto
• Checkpoint
• Fortinet
• McAfee
• Dell Sonicwall
• Barracuda
• HP Tippingpoint

Next Generation Firewall Primer

• Next Generation firewall: Application Awareness & Control; User-based Controls; Intrusion Prevention
• Unified Threat Management: Anti-virus; Web/Content Filtering; Anti-spam
• Security Intelligence: Command & control; GeoIP; Industry feeds; Custom feeds
• Foundational elements: Stateful Firewall; Management; VPN; NAT; Logging & reporting; Routing; Analytics
Source: Juniper SRX – Next Generation Firewall – November 2014

Traditional Firewalls

• Unlike NGFWs, traditional packet-filtering firewalls only provide protection at Layer 3 (network) and Layer 4 (transport) of the OSI model.
• They include metrics to allow and deny packets by discriminating the source IP address of incoming packets, destination IP addresses, the type of Internet protocols the packet may contain, e.g.
  – normal data carrying IP packets
  – ICMP (Internet Control Message Protocol)
  – ARP (Address Resolution Protocol)
  – RARP (Reverse Address Resolution Protocol)
  – BOOTP (Bootstrap Protocol) and
  – DHCP (Dynamic Host Configuration Protocol)
  -- and routing features.
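
To make the Layer 3/4 limitation concrete, here is an added example (not part of the original slides) of a first-match packet filter that decides only on source address, destination address, protocol and destination port. The rule set, addresses and payloads are constructed sample data.

```python
# Added illustration: a first-match Layer 3/4 packet filter.
# All addresses, rules and payloads below are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int]       # None for ICMP, which has no ports
    payload: bytes = b""       # application data; never read by the filter


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str                   # source network in CIDR form
    dst: str                   # destination network in CIDR form
    proto: str = "any"         # protocol name, or "any"
    dport: Optional[int] = None    # None matches every port

    def matches(self, pkt: Packet) -> bool:
        """Compare header fields only: addresses, protocol, port."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Return the action of the first matching rule (first match wins)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def headers(pkt: Packet):
    """The only fields a Layer 3/4 filter can see."""
    return (pkt.src, pkt.dst, pkt.proto, pkt.dport)


ANY = "0.0.0.0/0"
RULES = [
    Rule("deny", "203.0.113.0/24", ANY),                        # blocked source range
    Rule("allow", ANY, "192.0.2.10/32", "tcp", 80),             # HTTP to the web server
    Rule("allow", "198.51.100.0/24", "192.0.2.0/24", "icmp"),   # monitoring pings
]

# Two packets with identical headers but different application protocols.
WEB_REQUEST = Packet("198.51.100.20", "192.0.2.10", "tcp", 80, b"GET / HTTP/1.1\r\n")
OTHER_APP_ON_80 = Packet("198.51.100.20", "192.0.2.10", "tcp", 80, b"SSH-2.0-client\r\n")
BLOCKED_SOURCE = Packet("203.0.113.7", "192.0.2.10", "tcp", 80)
MONITOR_PING = Packet("198.51.100.5", "192.0.2.10", "icmp", None)
DNS_TO_WEB = Packet("198.51.100.20", "192.0.2.10", "udp", 53)

if __name__ == "__main__":
    samples = [
        ("web request", WEB_REQUEST),
        ("other application on port 80", OTHER_APP_ON_80),
        ("blocked source", BLOCKED_SOURCE),
        ("monitoring ping", MONITOR_PING),
        ("DNS to web server", DNS_TO_WEB),
    ]
    for name, pkt in samples:
        print(f"{name:30s} {headers(pkt)} -> {evaluate(RULES, pkt)}")
```

Both port-80 packets are allowed because the filter never reads the payload; telling them apart is the application awareness that the NGFW slides describe.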

NGFW Foundational Elements

NGFWs are integrated network security platforms that consist of:
• Stateful Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
• Routing
• Management
• Logging and Reporting
• Analytics

NGFW Additional Elements

NGFWs are integrated network security platforms that also consist of:
• Application Awareness and Control
• Intrusion Prevention
• User based controls
• Anti-Virus
• Web/Content Filtering
• Anti-Spam
• Two-factor authentication
• Active Directory Integration
• Security Intelligence / Threat Intelligence
• Mobile Device Controls
• Data Loss Prevention

Threat Intelligence

One of the major differentiators that all of these major NGFW companies purport to be working on is threat intelligence that is current, open, continuous, adaptive and automatic.
http://www.zdnet.com/article/new-threat-intelligence-report-skewers-industry-confusion-charlatans

[Figure. Source: Palo Alto]

Types of Attacks

Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.
• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit

Other types of attacks:
• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack

UTM vs. NGFW

Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what’s certain is that enhancements to multifunctional security solutions, whatever they’re called, will continue.
• UTMs are primarily for SMB
• NGFWs are for larger, more complex IT environments

[Figure. Source: Juniper SRX Datasheet]

[Figure: Gartner Magic Quadrant – April 2015. Quadrants: Challengers, Leaders, Niche Players, Visionaries]

October 7, 2015
• Security
• Performance
• Total cost of ownership (TCO)

NEED FOR NGFW

Do we really need a NGFW?

• But “we’ve never had a breach” or “we are not a big target”
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW
  – Is the investment justifiable
  – Alignment with existing IT strategies
  – Total Cost of Ownership (TCO)

Is the investment justifiable?

• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need
  – IPS/IDS
  – Firewall (deep packet inspection)
  – Anti-virus/Malware protection
  – Application controls
  – VPN
  – Session encryption (TLS 1.2)
  – Wireless security
  – Mobile security

Alignment with existing IT strategies

• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some do not activate features since they have not found them necessary or because they do not fit their business model.

For example

• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust and therefore increasingly integrated network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies

• Whatever course is taken, information security decisions need to be integrated with IT’s strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT’s purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)

TCO establishes the right complement of resources -- people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW

It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let’s look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type

• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set

• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of
  – inline deep packet inspection firewalls
  – IDS/IPS
  – application inspection and control
  – SSL/SSH inspection
  – website filtering, and
  – QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability

• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price

• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness, ranked by type of service request; quality and accuracy of the service response; currency of product updates; and customer education and awareness of current events.

NGFW VENDORS

NGFW Players

The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors but these are the top 9.

Questions to consider

Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?

Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won’t. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13

How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5,000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration (agent-based or agentless).
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs -- as one of the few NGFW vendors that have their own, since most OEM this activity. Fortinet also purports to have an NGFW, FortiGate, that can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large-scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:

(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical

Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

Next Generation Firewall Primer

Next Generation firewall
• Application Awareness & Control
• User-based Controls
• Intrusion Prevention

Unified Threat Management
• Anti-virus
• Web/Content Filtering
• Anti-spam

Security Intelligence
• Command & control
• GeoIP
• Industry feeds
• Custom feeds

Foundational elements
• Stateful Firewall
• Management
• VPN
• NAT
• Logging & reporting
• Routing
• Analytics

Source: Juniper SRX – Next Generation Firewall – November 2014

Traditional Firewalls

• Unlike NGFWs, traditional packet-filtering firewalls only provide protection at Layer 3 (network) and Layer 4 (transport) of the OSI model.
• They include metrics to allow and deny packets by discriminating the source IP address of incoming packets, destination IP addresses, the type of Internet protocols the packet may contain, e.g.
  – normal data carrying IP packets
  – ICMP (Internet Control Message Protocol)
  – ARP (Address Resolution Protocol)
  – RARP (Reverse Address Resolution Protocol)
  – BOOTP (Bootstrap Protocol) and
  – DHCP (Dynamic Host Configuration Protocol)
  -- and routing features.
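
The Layer 3/4 filtering described above, as an added example that is not part of the original slides: a first-match packet filter in Python, followed by a second stage standing in for NGFW application control. The rules, addresses, packets and the `app` label are constructed for illustration; a real NGFW derives the application from deep packet inspection rather than from a field on the packet.

```python
"""Added example: Layer 3/4 packet filter vs. an application-aware stage.

All rules, addresses and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP address
    dst: str                 # destination IP address
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # None for protocols without ports (ICMP)
    app: str                 # Layer 7 label (assumed); the L3/4 filter never reads it


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    proto: str               # protocol name, or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """Match only on header fields available at Layers 3 and 4."""
        return (
            ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def l34_verdict(rules: Iterable[Rule], pkt: Packet) -> str:
    """Traditional packet filter: first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def app_aware_verdict(rules: Iterable[Rule], blocked_apps: Set[str], pkt: Packet) -> str:
    """NGFW-style decision: the L3/4 policy first, then application control."""
    if l34_verdict(rules, pkt) == "deny":
        return "deny"
    return "deny" if pkt.app in blocked_apps else "allow"


# Constructed policy: block one external range, let the internal network
# reach anything over tcp/443 and ICMP, deny everything else.
RULES = [
    Rule("deny", "203.0.113.0/24", "0.0.0.0/0", "any"),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "icmp"),
]
BLOCKED_APPS = {"file-sharing"}  # constructed application-control policy

# Constructed packets. WEB and TUNNEL have identical L3/4 headers.
WEB = Packet("10.1.2.3", "198.51.100.10", "tcp", 443, "web-browsing")
TUNNEL = Packet("10.1.2.3", "198.51.100.10", "tcp", 443, "file-sharing")
TELNET = Packet("10.1.2.3", "198.51.100.10", "tcp", 23, "telnet")
EXTERNAL = Packet("203.0.113.7", "10.1.2.3", "tcp", 443, "web-browsing")
PING = Packet("10.1.2.3", "198.51.100.10", "icmp", None, "ping")


def compare(packets: Iterable[Packet]):
    """Return (app, L3/4 verdict, app-aware verdict) for each packet."""
    return [
        (p.app, l34_verdict(RULES, p), app_aware_verdict(RULES, BLOCKED_APPS, p))
        for p in packets
    ]


if __name__ == "__main__":
    for app, l34, ngfw in compare([WEB, TUNNEL, TELNET, EXTERNAL, PING]):
        print(f"{app:<14} L3/4={l34:<6} app-aware={ngfw}")
```

The two tcp/443 flows are indistinguishable to the Layer 3/4 filter, so only the application-aware stage can treat them differently.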

NGFW Foundational Elements

NGFWs are integrated network security platforms that consist of:

• Stateful Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
• Routing
• Management
• Logging and Reporting
• Analytics

NGFW Additional Elements

NGFWs are integrated network security platforms that also consist of:

• Application Awareness and Control
• Intrusion Prevention
• User based controls
• Anti-Virus
• Web/Content Filtering
• Anti-Spam
• Two-factor authentication
• Active Directory Integration
• Security Intelligence / Threat Intelligence
• Mobile Device Controls
• Data Loss Prevention

Threat Intelligence

One of the major differentiators that all of these major NGFW companies purport to be working on is threat intelligence that is current, open, continuous, adaptive and automatic.

http://www.zdnet.com/article/new-threat-intelligence-report-skewers-industry-confusion-charlatans

[Figure. Source: Palo Alto]

Types of Attacks

Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.

• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit

Other types of attacks:

• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack

UTM vs NGFW

Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what's certain is that enhancements to multifunctional security solutions, whatever they're called, will continue.

• UTMs are primarily for SMBs
• NGFWs are for larger, more complex IT environments

[Figure. Source: Juniper SRX Datasheet]

[Figure: Gartner Magic Quadrant – April 2015, with quadrants Challengers, Leaders, Niche Players and Visionaries]

[Figure dated October 7, 2015, with labels Security, Performance and Total cost of ownership (TCO)]

NEED FOR NGFW

Do we really need a NGFW?

• But "we've never had a breach" or "we are not a big target"
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?

• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies

• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some do not activate features since they have not found them necessary or because they do not fit their business model.

For example

• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies

• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)

TCO establishes the right complement of resources -- people and technology.

• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people, skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW

It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:

• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type

• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS).
• Hardware-based NGFWs appeal best to large and midsize enterprises.
• Software-based NGFWs appeal to small companies with simple network infrastructures.
• Cloud-based NGFWs appeal to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated.

Feature Set

• Not all NGFW features are similarly available by vendor.
• NGFW features typically consist of:
  • inline deep packet inspection firewalls
  • IDS/IPS
  • application inspection and control
  • SSL/SSH inspection
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions.

Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability

• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions
  2. flexible - possible to exclude features that are not needed in the enterprise environment, and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive

Price

• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.

NGFW VENDORS

NGFW Players

The top nine NGFW vendors are:

• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda

There are other NGFW vendors, but these are the top 9.

Questions to consider

Questions to consider when comparing these and other NGFW products include:

• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?

Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:

• Dell SonicWall provides security services, such as gateway anti-malware, content filtering, and client antivirus and antispyware, that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with the McAfee Next Generation Firewall license.
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What features are available in the NGFW?

• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.
How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.
Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.
Key differentiators between NGFW products

• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs -- as it is one of the few NGFW vendors that have their own, since most OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.
Key differentiators between NGFW products

• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention, and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry, due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.
How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.
NGFW AUDIT
Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart
BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.
Traditional Firewalls

• Unlike NGFWs, traditional packet-filtering firewalls only provide protection at Layer 3 (network) and Layer 4 (transport) of the OSI model.
• They include metrics to allow and deny packets by discriminating the source IP address of incoming packets, destination IP addresses, the type of Internet protocols the packet may contain, and routing features. Protocol types include, e.g.:
  – normal data carrying IP packets
  – ICMP (Internet Control Message Protocol)
  – ARP (Address Resolution Protocol)
  – RARP (Reverse Address Resolution Protocol)
  – BOOTP (Bootstrap Protocol) and
  – DHCP (Dynamic Host Configuration Protocol)
NGFW Foundational Elements

NGFWs are integrated network security platforms that consist of:
• Stateful Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
• Routing
• Management
• Logging and Reporting
• Analytics
NGFW Additional Elements

NGFWs are integrated network security platforms that also consist of:
• Application Awareness and Control
• Intrusion Prevention
• User based controls
• Anti-Virus
• Web/Content Filtering
• Anti-Spam
• Two-factor authentication
• Active Directory Integration
• Security Intelligence / Threat Intelligence
• Mobile Device Controls
• Data Loss Prevention
Threat Intelligence

One of the major differentiators that all of these major NGFW companies purport to be working on is threat intelligence that is current, open, continuous, adaptive and automatic.

http://www.zdnet.com/article/new-threat-intelligence-report-skewers-industry-confusion-charlatans
Source: Palo Alto
Types of Attacks

Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.
• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit
Types of Attacks

Other types of attacks:
• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack
UTM vs NGFW

Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what's certain is that enhancements to multifunctional security solutions, whatever they're called, will continue.
• UTMs are primarily for SMB
• NGFWs are for larger, more complex IT environments
Source: Juniper SRX Datasheet
[Figure: Gartner Magic Quadrant – April 2015. Quadrants: Challengers, Leaders, Niche Players, Visionaries]
October 7, 2015
• Security
• Performance
• Total cost of ownership (TCO)
NEED FOR NGFW
Do we really need a NGFW?

• But "we've never had a breach" or "we are not a big target"
• Today, there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)
Is the investment justifiable?

• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security
Alignment with existing IT strategies

• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some do not activate features since they have not found them necessary or because they do not fit their business model.
For example

• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.
Alignment with existing IT strategies

• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.
Total Cost of Ownership (TCO)

TCO establishes the right complement of resources -- people and technology:
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people, skills, flexibility, scalability and comprehensiveness of the systems deployed.
CASE FOR A NGFW
Six Criteria for buying a NGFW

It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support
Platform Type

• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated
Feature Set

• Not all NGFW features are similarly available by vendor
• To protect networks against the latest in sophisticated network attacks and intrusion, NGFW features typically consist of:
  • inline deep packet inspection firewalls
  • IDS/IPS
  • application inspection and control
  • SSL/SSH inspection
  • website filtering and
  • QoS/bandwidth management
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions
Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.
Manageability

• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.
Price

• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1100 for 1-99 users to $100,000 for 5000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage
Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address: responsiveness, ranked by type of service request; quality and accuracy of the service response; currency of product updates; and customer education and awareness of current events.
NGFW VENDORS
NGFW Players

The top nine NGFW vendors are:
• Checkpoint
• Dell SonicWall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.
Questions to consider

Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?
What features are available in the NGFW?

Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.

Key differentiators between NGFW products
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs. It is one of the few NGFW vendors that have their own, since most OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW’s simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

Key differentiators between NGFW products
• McAfee NGFW provides “intelligence aware” security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in, and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA’s PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

NGFW Foundational Elements
NGFWs are integrated network security platforms that consist of:
• Stateful Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
• Routing
• Management
• Logging and Reporting
• Analytics

NGFW Additional Elements
NGFWs are integrated network security platforms that also consist of:
• Application Awareness and Control
• Intrusion Prevention
• User based controls
• Anti-Virus
• Web/Content Filtering
• Anti-Spam
• Two-factor authentication
• Active Directory Integration
• Security Intelligence / Threat Intelligence
• Mobile Device Controls
• Data Loss Prevention

Threat Intelligence
One of the major differentiators that all of these major NGFW companies purport to be working on is threat intelligence that is current, open, continuous, adaptive and automatic.
http://www.zdnet.com/article/new-threat-intelligence-report-skewers-industry-confusion-charlatans

Source: Palo Alto

Types of Attacks
Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.
• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit

Other types of attacks:
• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack

UTM vs NGFW
Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what’s certain is that enhancements to multifunctional security solutions, whatever they’re called, will continue.
• UTMs are primarily for SMB
• NGFWs are for larger, more complex IT environments

Source: Juniper SRX Datasheet

[Figure: Gartner Magic Quadrant – April 2015; quadrants: Challengers, Leaders, Niche Players, Visionaries]

[Figure dated October 7, 2015; labels: Security, Performance, Total cost of ownership (TCO)]

NEED FOR NGFW

Do we really need a NGFW?
• But “we’ve never had a breach” or “we are not a big target”
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?
• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies
• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some do not activate features since they have not found them necessary or because they do not fit their business model.

For example
• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT’s strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT’s purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources -- people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let’s look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set
• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of:
  • inline deep packet inspection firewalls
  • IDS/IPS
  • application inspection and control
  • SSL/SSH inspection
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability
• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won’t. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest IPS block rate among its competitors; the largest application library (over 5,000) of any; data loss prevention (DLP) with over 600 file types; change management (i.e., configuration and rule changes) that no one else has; and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.

• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection, and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team (FortiGuard Labs); it is one of the few NGFW vendors that have their own, since most OEM this activity. Fortinet also purports to have an NGFW, FortiGate, that can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:

(1) identify the players
(2) develop a short list
(3) perform a proof of concept (POC)
(4) make reference calls
(5) consider cost
(6) obtain management buy-in, and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical

Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise: all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

NGFW Additional Elements

NGFWs are integrated network security platforms that also consist of:

• Application Awareness and Control
• Intrusion Prevention
• User based controls
• Anti-Virus
• Web/Content Filtering
• Anti-Spam
• Two-factor authentication
• Active Directory Integration
• Security Intelligence / Threat Intelligence
• Mobile Device Controls
• Data Loss Prevention

Threat Intelligence

One of the major differentiators that all of these major NGFW companies purport to be working on is threat intelligence that is current, open, continuous, adaptive and automatic.

http://www.zdnet.com/article/new-threat-intelligence-report-skewers-industry-confusion-charlatans

[Figure omitted. Source: Palo Alto]

Types of Attacks

Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.

• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit

Other types of attacks:

• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack

UTM vs. NGFW

Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate (the same may even happen for NGFWs), but what's certain is that enhancements to multifunctional security solutions, whatever they're called, will continue.

• UTMs are primarily for SMB
• NGFWs are for larger, more complex IT environments

[Figure omitted. Source: Juniper SRX Datasheet]

[Figure omitted: Gartner Magic Quadrant – April 2015 (quadrants: Challengers, Leaders, Niche Players, Visionaries)]

[Figure omitted, dated October 7, 2015. Labels: Security, Performance, Total cost of ownership (TCO)]

NEED FOR NGFW

Do we really need a NGFW?

• But "we've never had a breach" or "we are not a big target"
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?

• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies

• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some do not activate features, since they have not found them necessary or because they do not fit their business model.

For example:

• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store, whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies

• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)

TCO establishes the right complement of resources: people and technology.

• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people, skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW

It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:

• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type

• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set

• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of:
  • inline deep packet inspection firewalls
  • IDS/IPS
  • application inspection and control
  • SSL/SSH inspection
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability

• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price

• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000+ users).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Salespeople have goals that can be leveraged for pricing to your advantage.

Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support, with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address: responsiveness, ranked by type of service request; quality and accuracy of the service response; currency of product updates; and customer education and awareness of current events.

NGFW VENDORS

NGFW Players

The top nine NGFW vendors are:

• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda

There are other NGFW vendors, but these are the top 9.

Questions to consider

Questions to consider when comparing these and other NGFW products include:

• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?

Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:

• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and Multi-Link as standard features with the McAfee Next Generation Firewall license.

• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.

• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, which offers over 600 file types; you might still determine that a full-featured DLP solution is required if the Checkpoint is not sufficient.
• The same would apply to web application firewalls (WAF): some NGFWs, such as the Dell Sonicwall, provide one, but again it is not a full-featured WAF.

• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).

5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Threat Intelligence
One of the major differentiators that all of these major NGFW companies purport to be working on is threat intelligence that is current, open, continuous, adaptive and automatic.
http://www.zdnet.com/article/new-threat-intelligence-report-skewers-industry-confusion-charlatans

Source: Palo Alto

Types of Attacks
Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.
• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit

Types of Attacks
Other types of attacks:
• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack

UTM vs NGFW
Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what's certain is that enhancements to multifunctional security solutions, whatever they're called, will continue.
• UTMs are primarily for SMBs
• NGFWs are for larger, more complex IT environments

Source: Juniper SRX Datasheet

Gartner Magic Quadrant – April 2015 (figure; quadrant labels: Challengers, Leaders, Niche Players, Visionaries)

October 7, 2015
• Security
• Performance
• Total cost of ownership (TCO)

NEED FOR NGFW

Do we really need a NGFW?
• But "we've never had a breach" or "we are not a big target"
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, these appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  - Is the investment justifiable?
  - Alignment with existing IT strategies
  - Total Cost of Ownership (TCO)

Is the investment justifiable?
• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  - IPS/IDS
  - Firewall (deep packet inspection)
  - Anti-virus/Malware protection
  - Application controls
  - VPN
  - Session encryption (TLS 1.2)
  - Wireless security
  - Mobile security

Alignment with existing IT strategies
• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable
• Some NGFWs have security features built into the appliance at no additional cost
• Some do not activate features since they have not found them necessary or because they do not fit their business model

For example
• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals
• IT, in turn, exists to support the business. IT does not drive the business
• The business drives the business
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources -- people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set
• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of:
  - inline deep packet inspection firewalls,
  - IDS/IPS,
  - application inspection and control,
  - SSL/SSH inspection,
  - website filtering, and
  - QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations
• However, enabling all available features at once could result in serious performance degradation
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose

Manageability
• This criterion involves system configuration requirements and usability of the management console
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present
• Support criteria for NGFWs should address responsiveness, ranked by type of service request; quality and accuracy of the service response; currency of product updates; and customer education and awareness of current events

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence and for advanced client Network Access Control (NAC) VPN/SSL VPN features
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways, that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off
• Checkpoint provides a full NGFW solution package, with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product

What features are available in the NGFW?
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, even with NGFWs that provide it, such as Checkpoint (offered with over 600 types), you might determine that a full-featured DLP solution is still required if the Checkpoint is not sufficient
• The same would apply to web application firewall (WAF) features, such as that of the Dell Sonicwall, which again is not a full-featured WAF

What features are available in the NGFW?
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira)
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing)
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5,000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single-pane of glass

Key differentiators between NGFW products
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors
• Fortinet lauds its 11-year old in-house dedicated security research team -- FortiGuard Labs -- one of the few NGFW vendors that have its own, since most OEM this activity. Fortinet also purports to have NGFW FortiGate that can deliver five times better performance of comparatively priced competitor products
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone

Key differentiators between NGFW products
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players;
(2) develop a short list;
(3) perform a proof of concept – POC;
(4) make reference calls;
(5) consider cost;
(6) obtain management buy-in; and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

[Figure. Source: Palo Alto]

Types of Attacks

Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.

• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit

Other types of attacks:

• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack

UTM vs. NGFW

Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what's certain is that enhancements to multifunctional security solutions, whatever they're called, will continue.

❖ UTMs are primarily for SMB
❖ NGFWs are for larger, more complex IT environments

[Figure. Source: Juniper SRX Datasheet]

[Figure: Gartner Magic Quadrant – April 2015. Quadrants: Challengers, Leaders, Niche Players, Visionaries]

[Figure, October 7, 2015. Labels: Security; Performance; Total cost of ownership (TCO)]

NEED FOR NGFW

Do we really need a NGFW?

• But "we've never had a breach" or "we are not a big target"
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
    • Is the investment justifiable?
    • Alignment with existing IT strategies
    • Total Cost of Ownership (TCO)

Is the investment justifiable?

• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
    • IPS/IDS
    • Firewall (deep packet inspection)
    • Anti-virus/Malware protection
    • Application controls
    • VPN
    • Session encryption (TLS 1.2)
    • Wireless security
    • Mobile security

Alignment with existing IT strategies

• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable
• Some NGFWs have security features built into the appliance at no additional cost
• Some do not activate features since they have not found them necessary or because they do not fit their business model

For example

• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP

Alignment with existing IT strategies

• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals
• IT, in turn, exists to support the business. IT does not drive the business
• The business drives the business
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals

Total Cost of Ownership (TCO)

TCO establishes the right complement of resources -- people and technology.

• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed

CASE FOR A NGFW

Six Criteria for buying a NGFW

It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:

• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type

• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set

• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of:
    • inline deep packet inspection firewalls
    • IDS/IPS
    • application inspection and control
    • SSL/SSH inspection
    • website filtering, and
    • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations
• However, enabling all available features at once could result in serious performance degradation
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose

Manageability

• This criterion involves system configuration requirements and usability of the management console
• It considers how the NGFW manages complex environments with many firewalls and users and very narrow firewall change windows
• System configuration changes and the user interface of the management console should be:
    1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions
    2. flexible - possible to exclude features that are not needed in the enterprise environment, and
    3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive

Price

• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events

NGFW VENDORS

NGFW Players

The top nine NGFW vendors are:

• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda

There are other NGFW vendors but these are the top 9.

Questions to consider

Questions to consider when comparing these and other NGFW products include:

• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?

Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:

• Dell SonicWall provides security services such as gateway anti-malware, content filtering and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license

What features are available in the NGFW?

• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product

What features are available in the NGFW?

The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.

• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint (offered with over 600 types), but you might determine that a full-featured DLP solution is still required if the Checkpoint is not sufficient
• The same would apply to web application firewalls (WAF), such as the one in the Dell Sonicwall, which again is not a full-featured WAF

What features are available in the NGFW?

• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira)
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license

How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing)
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer

Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5,000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass

Key differentiators between NGFW products

• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs -- one of the few NGFW vendors that have its own, since most OEM this activity. Fortinet also purports to have NGFW FortiGate that can deliver five times better performance of comparatively priced competitor products
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone

Key differentiators between NGFW products

• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network

How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:

(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in, and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical

Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW

❖ Platform Based – appliance/software/SaaS
❖ Feature Set – baseline and add-ons
❖ Performance – NSS Labs results
❖ Manageability – comprehensive/easy to use
❖ Threat Intelligence – currency/accuracy/completeness
❖ TCO – total cost of ownership
❖ Risk – consider the business model and objectives
❖ Price – you get what you pay for
❖ Support – what is support experience
❖ Differentiators – what sets them apart

BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES.

Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

1213
Source13 Palo13 Alto13
1313 13 13 |13 13 13 1111513
Malware13 also13 called13 malicious13 code13 is13 sofware13 designed13 to13 gain13 access13 to13 targeted13 computer13 systems13 steal13 informaon13 or13 disrupt13 computer13 operaons13 13
bull Worm13 bull Spyware13 bull Virus13 bull Adware13 bull Network13 Worm13 bull Ransomware13 bull Trojan13 Horse13 bull Keylogger13 bull Botnets13 bull Rootkit13
Types13 of13 AKacks13
other13 types13 of13 adacks13 13 13 13 13 13
1413 13 13 |13 13 13 1111513
bull Advanced13 persistent13 threats13
bull Social13 engineering13
bull Backdoor13 bull Phishing13 bull Brute13 force13 adack13 bull Spear13 phishing13 bull Buffer13 overflowmdash13 bull Spoofing13 bull Cross-shy‐site13 scripng13 (XSS)13 bull Structure13 Query13
Language13 (SQL)13 injecon13 bull Denial-shy‐of-shy‐service13 (DoS)13 adack13
bull Zero-shy‐day13 exploit13
bull Man-shy‐in-shy‐the-shy‐middle13 adack13
Types13 of13 AKacks13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
UTM13 vs13 NGFW13
1513
Security13 vendors13 ofen13 differ13 in13 their13 definions13 of13 UTM13 and13 NGFWs13 Over13 me13 UTM13 references13 will13 likely13 dissipate13 -shy‐-shy‐13 the13 same13 may13 even13 happen13 for13 NGFWs13 -shy‐-shy‐13 but13 whatrsquos13 certain13 is13 that13 enhancements13 to13 mulfunconal13 security13 soluons13 whatever13 theyrsquore13 called13 will13 connue13
v UTMs13 are13 primarily13 for13 SMB13 v NGFW13 are13 for13 more13 larger13 more13 complex13 IT13 environments13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
1613
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
1713
Source13 Juniper13 SRX13 Datasheet13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
1813
CHALLENGERS13 LEADERS13
NICHE13 PLAYERS13 VISIONARIES13
Gartner Magic Quadrant – April 2015

October 7, 2015
• Security
• Performance
• Total cost of ownership (TCO)

NEED FOR NGFW

Do we really need a NGFW?
• But "we've never had a breach" or "we are not a big target"
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?
• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies
• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable
• Some NGFWs have security features built into the appliance at no additional cost
• Some do not activate features since they have not found them necessary or because they do not fit their business model

For example
• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals
• IT, in turn, exists to support the business. IT does not drive the business
• The business drives the business
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources -- people and technology
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people, skills, flexibility, scalability and comprehensiveness of the systems deployed

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set
• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of
  • inline deep packet inspection firewalls
  • IDS/IPS
  • application inspection and control
  • SSL/SSH inspection
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations
• However, enabling all available features at once could result in serious performance degradation
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose

Manageability
• This criterion involves system configuration requirements and usability of the management console
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present
• Support criteria for NGFWs should address: responsiveness, ranked by type of service request; quality and accuracy of the service response; currency of product updates; and customer education and awareness of current events

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product

What features are available in the NGFW?
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, which offers it with over 600 types, but you might determine that a full-featured DLP solution is still required if the Checkpoint is not sufficient
• The same would apply to web application firewalls (WAF): some NGFWs, such as the Dell Sonicwall, provide one, but again it is not a full-featured WAF

What features are available in the NGFW?
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira)
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license
• All NGFW products are priced by scale based on the type of hardware utilized and service contract
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing)
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass

Key differentiators between NGFW products
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors
• Fortinet lauds its 11-year old in-house dedicated security research team -- FortiGuard Labs -- one of the few NGFW vendors that have its own, since most OEM this activity. Fortinet also purports to have NGFW FortiGate that can deliver five times better performance of comparatively priced competitor products
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone

Key differentiators between NGFW products
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network

How to select the right NGFW?
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in, and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

Types of Attacks
Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal information or disrupt computer operations.
• Worm
• Spyware
• Virus
• Adware
• Network Worm
• Ransomware
• Trojan Horse
• Keylogger
• Botnets
• Rootkit

Types of Attacks
Other types of attacks:
• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack

UTM vs NGFW
Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what's certain is that enhancements to multifunctional security solutions, whatever they're called, will continue.
• UTMs are primarily for SMB
• NGFW are for larger, more complex IT environments

Source: Juniper SRX Datasheet

[Figure: Gartner Magic Quadrant – April 2015 (quadrants: Challengers, Leaders, Niche Players, Visionaries)]

Total13 Cost13 of13 Ownership13 (TCO)13
2913
TCO13 establishes13 the13 right13 complement13 of13 resources13 -shy‐-shy‐13 people13 and13 technology13 bull Total13 cost13 of13 technology13 (TCT)13 The13 cost13 of13 technology13
that13 is13 required13 to13 deploy13 monitor13 and13 report13 on13 the13 state13 of13 informaon13 security13 for13 the13 enterprise13
bull Total13 cost13 of13 risk13 (TCR)13 The13 cost13 to13 esmate13 and13 not13 deploy13 resources13 processes13 or13 technology13 for13 your13 enterprise13 such13 as13 compliance13 risk13 security13 risk13 legal13 risk13 and13 reputaon13 risk13
bull Total13 cost13 of13 maintenance13 (TCM)13 The13 cost13 of13 maintaining13 the13 informaon13 security13 program13 such13 as13 people13 skills13 flexibility13 scalability13 and13 comprehensiveness13 of13 the13 systems13 deployed13
CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized, multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set
• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of:
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations
• However, enabling all available features at once could result in serious performance degradation
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose

Manageability
• This criterion involves system configuration requirements and usability of the management console
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services, such as gateway anti-malware, content filtering, and client antivirus and antispyware, that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product

The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, where it is offered with over 600 types; even so, you might determine that a full-featured DLP solution is still required if the Checkpoint is not sufficient
• The same would apply to web application firewalls (WAF), such as the one in the Dell Sonicwall, which again is not a full-featured WAF
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira)
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing)
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single-pane of glass
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors
• Fortinet lauds its 11-year old in-house dedicated security research team -- FortiGuard Labs -- as one of the few NGFW vendors that have their own, since most OEM this activity. Fortinet also purports to have NGFW FortiGate that can deliver five times better performance than comparatively priced competitor products
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats, and over 383 zero-day filters in 2014 alone
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

other types of attacks

Types of Attacks
• Advanced persistent threats
• Social engineering
• Backdoor
• Phishing
• Brute force attack
• Spear phishing
• Buffer overflow
• Spoofing
• Cross-site scripting (XSS)
• Structured Query Language (SQL) injection
• Denial-of-service (DoS) attack
• Zero-day exploit
• Man-in-the-middle attack

UTM vs NGFW
Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what's certain is that enhancements to multifunctional security solutions, whatever they're called, will continue.
• UTMs are primarily for SMB
• NGFWs are for larger, more complex IT environments

Source: Juniper SRX Datasheet

Gartner Magic Quadrant – April 2015 (quadrant labels: Challengers, Leaders, Niche Players, Visionaries)

October 7, 2015
• Security
• Performance
• Total cost of ownership (TCO)
1111513 2313
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NEED13 FOR13 NGFW13
2313
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Do13 we13 really13 need13 a13 NGFW13
2413
bull But13 ldquowersquove13 never13 had13 a13 breachrdquo13 or13 ldquowe13 are13 not13 a13 big13 targetrdquo13
bull Today13 there13 are13 a13 large13 number13 of13 disparate13 standalone13 products13 and13 services13 forced13 to13 work13 together13
bull Although13 effecve13 appear13 architecturally13 desultory13 reacve13 and13 taccal13 in13 nature13
bull NGFWs13 offer13 a13 good13 compliment13 of13 security13 soluons13 in13 one13 appliance13
bull Not13 all13 NGFWs13 are13 created13 equal13 bull 313 factors13 for13 establishing13 a13 need13 for13 a13 NGFW13
bull Is13 the13 investment13 jusfiable13 bull Alignment13 with13 exisng13 IT13 strategies13 bull Total13 Cost13 of13 Ownership13 (TCO)13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Is13 the13 investment13 jusfiable13
2513
bull Basic13 firewall13 services13 regulate13 network13 connecons13 between13 computer13 systems13 of13 differing13 trust13 levels13
bull Most13 enterprises13 need13 bull IPSIDS13 bull Firewall13 (deep13 packet13 inspecon)13 bull An-shy‐virusMalware13 protecon13 bull Applicaon13 controls13 bull VPN13 bull Session13 encrypon13 (TLS13 12)13 bull Wireless13 security13 bull Mobile13 security13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Alignment13 with13 exisng13 IT13 strategies13
2613
bull Organizaons13 that13 deploy13 NGFWs13 may13 discover13 they13 do13 not13 require13 all13 the13 security13 features13 these13 appliances13 support13
bull Features13 required13 by13 an13 enterprise13 should13 be13 determined13 in13 advance13 as13 this13 will13 influence13 what13 NGFW13 product13 is13 bought13 and13 which13 security13 services13 to13 enable13
bull Some13 NGFWs13 have13 security13 features13 built13 into13 the13 appliance13 at13 no13 addional13 cost13 13
bull Some13 do13 not13 acvate13 feature13 since13 they13 have13 not13 found13 them13 necessary13 or13 because13 they13 do13 not13 fit13 their13 business13 model13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
For13 example13
2713
bull Large13 retail13 companies13 might13 opt13 for13 a13 NGFW13 soluon13 at13 the13 corporate13 headquarters13 but13 go13 with13 point13 soluons13 in13 each13 retail13 store13 -shy‐-shy‐13 whether13 from13 the13 same13 vendor13 or13 not13
bull Online13 retail13 businesses13 that13 do13 not13 have13 brick13 and13 mortar13 locaons13 typically13 require13 robust13 and13 therefore13 increasingly13 integrated13 network13 security13 soluons13 that13 focus13 on13 QoS13 load13 balancing13 IPS13 web13 applicaon13 security13 SSL13 VPN13 and13 strong13 firewalls13 with13 deep13 packet13 inspecon13
bull Enterprises13 that13 are13 heavily13 regulated13 via13 standards13 (eg13 PCI13 HIPAA13 HITECH13 Act13 Sarbanes-shy‐Oxley13 FISMA13 PERC13 etc)13 would13 need13 to13 also13 address13 remote13 access13 controls13 two-shy‐factor13 authencaon13 Acve13 Directory13 integraon13 and13 possibly13 DLP13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Alignment13 with13 exisng13 IT13 strategies13
2813
bull Whatever13 course13 is13 taken13 informaon13 security13 decisions13 need13 to13 integrated13 with13 ITrsquos13 strategic13 goals13 13 13
bull IT13 in13 turn13 exists13 to13 support13 the13 business13 IT13 does13 not13 drive13 the13 business13 13
bull The13 business13 drives13 the13 business13 13 bull ITrsquos13 purpose13 is13 to13 ensure13 the13 IT13 infrastructure13
(perimeter13 and13 core13 deployments)13 exist13 to13 allow13 the13 business13 to13 achieve13 its13 strategic13 goals13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Total13 Cost13 of13 Ownership13 (TCO)13
2913
TCO13 establishes13 the13 right13 complement13 of13 resources13 -shy‐-shy‐13 people13 and13 technology13 bull Total13 cost13 of13 technology13 (TCT)13 The13 cost13 of13 technology13
that13 is13 required13 to13 deploy13 monitor13 and13 report13 on13 the13 state13 of13 informaon13 security13 for13 the13 enterprise13
bull Total13 cost13 of13 risk13 (TCR)13 The13 cost13 to13 esmate13 and13 not13 deploy13 resources13 processes13 or13 technology13 for13 your13 enterprise13 such13 as13 compliance13 risk13 security13 risk13 legal13 risk13 and13 reputaon13 risk13
bull Total13 cost13 of13 maintenance13 (TCM)13 The13 cost13 of13 maintaining13 the13 informaon13 security13 program13 such13 as13 people13 skills13 flexibility13 scalability13 and13 comprehensiveness13 of13 the13 systems13 deployed13
1111513 3013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
CASE13 FOR13 A13 NGFW13
3013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Six13 Criteria13 for13 buying13 a13 NGFW13
3113
It13 is13 clear13 that13 regardless13 of13 what13 vendors13 call13 their13 NGFW13 products13 it13 is13 incumbent13 that13 buyers13 understand13 the13 precise13 features13 each13 NGFW13 product13 under13 consideraon13 includes13 Letrsquos13 look13 at13 six13 criteria13 13
bull Plaborm13 Type13 bull Feature13 Set13 bull Performance13 bull Manageability13 bull Price13 bull Support13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Platform Type

• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS).
• Hardware-based NGFWs appeal best to large and midsize enterprises.
• Software-based NGFWs to small companies with simple network infrastructures.
• Cloud-based NGFWs to highly decentralized multi-location sites, or enterprises where the required skill set to manage them is wanting or reallocated.

Feature Set

• Not all NGFW features are similarly available by vendor.
• NGFW features typically consist of:
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion.
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions.

Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability

• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price

• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address: responsiveness ranked by type of service request; quality and accuracy of the service response; currency of product updates; and customer education and awareness of current events.

NGFW VENDORS

NGFW Players

The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider

Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?

Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.

What features are available in the NGFW?

• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

What features are available in the NGFW?

The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint with over 600 types, but you might determine that a full-featured DLP solution is still required if the Checkpoint feature is not sufficient.
• The same would apply to web application firewalls (WAF), such as the one in the Dell Sonicwall, which again is not a full-featured WAF.

What features are available in the NGFW?

• Another example would be Cisco: malware protection is available with their network anti-virus/malware solution, but additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5,000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.

Key differentiators between NGFW products

• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs -- one of the few NGFW vendors that have its own, since most OEM this activity. Fortinet also purports to have NGFW FortiGate that can deliver five times better performance of comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats, and over 383 zero-day filters in 2014 alone.

Key differentiators between NGFW products

• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players,
(2) develop a short list,
(3) perform a proof of concept – POC,
(4) make reference calls,
(5) consider cost,
(6) obtain management buy-in, and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget.

Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES.

Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

UTM vs NGFW

Security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what's certain is that enhancements to multifunctional security solutions, whatever they're called, will continue.
• UTMs are primarily for SMB
• NGFWs are for larger, more complex IT environments

Source: Juniper SRX Datasheet

[Figure: Gartner Magic Quadrant – April 2015; quadrants: Challengers, Leaders, Niche Players, Visionaries]

[Figure dated October 7, 2015; labels: Security, Performance, Total cost of ownership (TCO)]

NEED FOR NGFW

Do we really need a NGFW?

• But "we've never had a breach" or "we are not a big target".
• Today, there are a large number of disparate standalone products and services forced to work together.
• Although effective, they appear architecturally desultory, reactive and tactical in nature.
• NGFWs offer a good complement of security solutions in one appliance.
• Not all NGFWs are created equal.
• 3 factors for establishing a need for a NGFW:
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?

• Basic firewall services regulate network connections between computer systems of differing trust levels.
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies

• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some organizations do not activate features since they have not found them necessary or because they do not fit their business model.

For example

• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies

• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exist to allow the business to achieve its strategic goals.
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Total13 Cost13 of13 Ownership13 (TCO)13
2913
TCO13 establishes13 the13 right13 complement13 of13 resources13 -shy‐-shy‐13 people13 and13 technology13 bull Total13 cost13 of13 technology13 (TCT)13 The13 cost13 of13 technology13
that13 is13 required13 to13 deploy13 monitor13 and13 report13 on13 the13 state13 of13 informaon13 security13 for13 the13 enterprise13
bull Total13 cost13 of13 risk13 (TCR)13 The13 cost13 to13 esmate13 and13 not13 deploy13 resources13 processes13 or13 technology13 for13 your13 enterprise13 such13 as13 compliance13 risk13 security13 risk13 legal13 risk13 and13 reputaon13 risk13
bull Total13 cost13 of13 maintenance13 (TCM)13 The13 cost13 of13 maintaining13 the13 informaon13 security13 program13 such13 as13 people13 skills13 flexibility13 scalability13 and13 comprehensiveness13 of13 the13 systems13 deployed13
1111513 3013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
CASE13 FOR13 A13 NGFW13
3013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Six13 Criteria13 for13 buying13 a13 NGFW13
3113
It13 is13 clear13 that13 regardless13 of13 what13 vendors13 call13 their13 NGFW13 products13 it13 is13 incumbent13 that13 buyers13 understand13 the13 precise13 features13 each13 NGFW13 product13 under13 consideraon13 includes13 Letrsquos13 look13 at13 six13 criteria13 13
bull Plaborm13 Type13 bull Feature13 Set13 bull Performance13 bull Manageability13 bull Price13 bull Support13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Plaborm13 Type13
3213
bull How13 is13 the13 NFGW13 provided13 13 bull Most13 next-shy‐gen13 firewalls13 are13 hardware-shy‐13 (appliance)13
sofware-shy‐13 (downloadable)13 or13 cloud-shy‐based13 (SaaS)13 bull Hardware-shy‐based13 NGFWs13 appeal13 best13 to13 large13 and13
midsize13 enterprises13 bull Sofware-shy‐based13 NGFWs13 to13 small13 companies13 with13 simple13
network13 infrastructures13 bull Cloud-shy‐based13 NGFWs13 to13 highly13 decentralized13 mul-shy‐
locaon13 sites13 or13 enterprises13 where13 the13 required13 skill13 set13 to13 manage13 them13 is13 wanng13 or13 reallocated13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Feature13 Set13
3313
bull Not13 all13 NGFW13 features13 are13 similarly13 available13 by13 vendor13 bull NGFW13 features13 typically13 consist13 of13 13
bull inline13 deep13 packet13 inspecon13 firewalls13 13 bull IDSIPS13 13 bull applicaon13 inspecon13 and13 control13 13 bull SSLSSH13 inspecon13 13 bull website13 filtering13 and13 13 bull QoSbandwidth13 management13 to13 protect13 networks13
against13 the13 latest13 in13 sophiscated13 network13 adacks13 and13 intrusion13 13
bull Addionally13 most13 NGFWs13 offer13 threat13 intelligence13 mobile13 device13 security13 data13 loss13 prevenon13 (DLP)13 Acve13 Directory13 integraon13 and13 an13 open13 architecture13 that13 allows13 clients13 to13 tailor13 applicaon13 control13 and13 even13 some13 firewall13 rule13 definions13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Performance13
3413
bull Because13 NGFWs13 integrate13 many13 features13 into13 a13 single13 appliance13 they13 may13 seem13 adracve13 to13 some13 organizaons13 13
bull However13 enabling13 all13 available13 features13 at13 once13 could13 result13 in13 serious13 performance13 degradaon13 13
bull NGFW13 performance13 metrics13 have13 improved13 over13 the13 years13 but13 the13 buyer13 needs13 to13 seriously13 consider13 performance13 in13 relaonship13 to13 the13 security13 features13 they13 want13 to13 enable13 when13 determining13 the13 vendors13 they13 approach13 and13 the13 model13 of13 NGFW13 they13 choose13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Manageability13
3513
bull This13 criterion13 involves13 system13 configuraon13 requirements13 and13 usability13 of13 the13 management13 console13
bull It13 considers13 how13 the13 NGFW13 manages13 complex13 environments13 with13 many13 firewalls13 and13 users13 and13 very13 narrow13 firewall13 change13 windows13
bull System13 configuraon13 changes13 and13 the13 user13 interface13 of13 the13 management13 console13 should13 be13 1 comprehensive13 -shy‐13 such13 that13 it13 covers13 an13 array13 of13 features13
that13 preclude13 the13 need13 for13 augmentaon13 by13 other13 point13 soluons13 13
2 flexible13 -shy‐13 possible13 to13 exclude13 features13 that13 are13 not13 needed13 in13 the13 enterprise13 environment13 and13 13
3 easy13 to13 use13 -shy‐13 such13 that13 the13 management13 console13 individual13 feature13 dashboards13 and13 reporng13 are13 intuive13 and13 incisive13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Price13
3613
bull NGFW13 appliance13 sofware13 and13 cloud13 service13 pricing13 varies13 considerably13 by13 vendor13 and13 model13
bull Prices13 range13 from13 $59913 to13 $80000+13 per13 device13 bull Some13 are13 even13 priced13 by13 number13 of13 users13 (eg13 $110013
for13 1-shy‐9913 users13 to13 $10000013 for13 500013 users+)13 13 bull All13 meanwhile13 have13 separate13 pricing13 for13 service13
contracts13 bull If13 possible13 do13 not13 pay13 retail13 prices13 13 bull Most13 vendors13 will13 provide13 volume13 discounts13 (the13 more13
users13 supported13 the13 less13 it13 costs13 per13 user13 for13 example)13 or13 discounts13 with13 viable13 prospects13 of13 further13 purchases13
bull Purchase13 at13 month-shy‐end13 and13 quarter-shy‐end13 Sales13 people13 have13 goals13 that13 can13 be13 leveraged13 for13 pricing13 to13 your13 advantage13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513

Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address: responsiveness, ranked by type of service request; quality and accuracy of the service response; currency of product updates; and customer education and awareness of current events.

NGFW VENDORS

NGFW Players

The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider

Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?

Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with the McAfee Next Generation Firewall license.
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint (offered with over 600 types), but you might determine that a full-featured DLP solution is still required if the Checkpoint is not sufficient.
• The same would apply to web application firewalls (WAF): some NGFWs, such as the Dell Sonicwall, provide one, but again it is not a full-featured WAF.
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors; a larger application library (over 5,000) than any other; data loss prevention (DLP) with over 600 file types; change management (i.e., configuration and rule changes) that no one else has; and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs -- as one of the few NGFW vendors that have their own, since most OEM this activity. Fortinet also purports to have an NGFW, FortiGate, that can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large-scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players;
(2) develop a short list;
(3) perform a proof of concept – POC;
(4) make reference calls;
(5) consider cost;
(6) obtain management buy-in; and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

Source: Juniper SRX Datasheet

[Figure: Gartner Magic Quadrant – April 2015; quadrants: Challengers, Leaders, Niche Players, Visionaries]

October 7, 2015
• Security
• Performance
• Total cost of ownership (TCO)

NEED FOR NGFW

Do we really need a NGFW?

• But "we've never had a breach" or "we are not a big target".
• Today there are a large number of disparate standalone products and services forced to work together.
• Although effective, they appear architecturally desultory, reactive and tactical in nature.
• NGFWs offer a good complement of security solutions in one appliance.
• Not all NGFWs are created equal.
• 3 factors for establishing a need for a NGFW:
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?

• Basic firewall services regulate network connections between computer systems of differing trust levels.
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies

• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some do not activate features since they have not found them necessary or because they do not fit their business model.

For example

• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies

• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)

TCO establishes the right complement of resources -- people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW

It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type

• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS).
• Hardware-based NGFWs appeal best to large and midsize enterprises.
• Software-based NGFWs to small companies with simple network infrastructures.
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated.

Feature Set

• Not all NGFW features are similarly available by vendor.
• NGFW features typically consist of:
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion.
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions.

Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability

• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Price13
3613
bull NGFW13 appliance13 sofware13 and13 cloud13 service13 pricing13 varies13 considerably13 by13 vendor13 and13 model13
bull Prices13 range13 from13 $59913 to13 $80000+13 per13 device13 bull Some13 are13 even13 priced13 by13 number13 of13 users13 (eg13 $110013
for13 1-shy‐9913 users13 to13 $10000013 for13 500013 users+)13 13 bull All13 meanwhile13 have13 separate13 pricing13 for13 service13
contracts13 bull If13 possible13 do13 not13 pay13 retail13 prices13 13 bull Most13 vendors13 will13 provide13 volume13 discounts13 (the13 more13
users13 supported13 the13 less13 it13 costs13 per13 user13 for13 example)13 or13 discounts13 with13 viable13 prospects13 of13 further13 purchases13
bull Purchase13 at13 month-shy‐end13 and13 quarter-shy‐end13 Sales13 people13 have13 goals13 that13 can13 be13 leveraged13 for13 pricing13 to13 your13 advantage13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Support13
3713
bull The13 201513 Gartner13 Magic13 Quadrant13 on13 NGFW13 also13 rated13 support13 -shy‐-shy‐13 with13 quality13 breadth13 and13 value13 of13 NGFW13 offerings13 viewed13 from13 the13 vantage13 point13 of13 enterprise13 needs13 13
bull Given13 the13 crical13 nature13 of13 NGFWs13 mely13 and13 accurate13 support13 is13 essenal13 Obtain13 references13 and13 ask13 to13 speak13 with13 vendor13 clients13 without13 the13 vendor13 present13
bull Support13 criteria13 for13 NGFWs13 should13 address13 responsiveness13 ranked13 by13 type13 of13 service13 request13 quality13 and13 accuracy13 of13 the13 service13 response13 currency13 of13 product13 updates13 and13 customer13 educaon13 and13 awareness13 of13 current13 events13
1111513 3813
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 VENDORS13
3813
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
NGFW13 Players13
3913
The13 top13 nine13 NGFW13 vendors13 are13 13 bull Checkpoint13 bull Dell13 Sonicwall13 13 bull Palo13 Alto13 bull Cisco13 bull Fornet13 13 bull HP13 TippingPoint13 13 bull McAfee13 13 bull Barracuda13 13 There13 are13 other13 NGFW13 vendors13 but13 these13 are13 the13 top13 913
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Quesons13 to13 consider13
4013
Quesons13 to13 consider13 when13 comparing13 these13 and13 other13 NGFW13 products13 include13 13
bull What13 is13 their13 product13 line13 13 bull Is13 their13 NGFW13 for13 cloud13 service13 providers13 large13
enterprises13 SMBs13 or13 small13 companies13 13 bull What13 are13 the13 NGFW13 features13 that13 come13 with13 the13
base13 product13 13 bull What13 features13 need13 an13 extra13 license(s)13 13 bull How13 is13 the13 NGFW13 sold13 and13 priced13 13 bull What13 differenates13 their13 NFGW13 from13 other13 vendor13
NGFW13 products13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4113
Non-shy‐common13 NGFW13 features13 vary13 by13 vendor13 So13 this13 is13 where13 organizaons13 can13 start13 to13 differenate13 which13 NGFWs13 will13 work13 for13 them13 and13 which13 wonrsquot13 For13 example13 bull Dell13 SonicWall13 provides13 security13 services13 such13 as13 gateway13
an-shy‐malware13 content13 filtering13 and13 client13 anvirus13 and13 anspyware13 that13 are13 licensed13 on13 an13 annual13 subscripon13 contract13 Dell13 SecureWorks13 premium13 Global13 Threat13 Intelligence13 service13 is13 an13 addional13 subscripon13
bull Cisco13 provides13 Applicaon13 Visibility13 and13 Control13 as13 part13 of13 the13 base13 configuraon13 at13 no13 cost13 but13 separate13 licenses13 are13 required13 for13 Next13 Generaon13 Intrusion13 Prevenon13 Systems13 (NGIPS)13 Advanced13 Malware13 Protecon13 and13 URL13 filtering13
bull McAfee13 provides13 clustering13 and13 mul-shy‐Link13 as13 standard13 features13 with13 McAfee13 Next13 Generaon13 Firewall13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What features are available in the NGFW?

• Another example would be Cisco: malware protection is available with their network anti-virus/malware solution, but additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• Some vendors provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.

Key differentiators between NGFW products

• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs -- as one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

Key differentiators between NGFW products

• McAfee NGFW provides “intelligence aware” security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large-scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical

Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

[Figure. Source: Juniper SRX Datasheet]

[Figure: Gartner Magic Quadrant – April 2015. Quadrants: Challengers, Leaders, Niche Players, Visionaries]

[Figure, October 7 2015. Labels: Security, Performance, Total cost of ownership (TCO)]

NEED FOR NGFW

Do we really need a NGFW?

• But “we've never had a breach” or “we are not a big target”
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?

• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies

• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable
• Some NGFWs have security features built into the appliance at no additional cost
• Some organizations do not activate features, since they have not found them necessary or because they do not fit their business model

For example

• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not
• Online retail businesses that do not have brick and mortar locations typically require robust and therefore increasingly integrated network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP

Alignment with existing IT strategies

• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals
• IT, in turn, exists to support the business. IT does not drive the business
• The business drives the business
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals

Total Cost of Ownership (TCO)

TCO establishes the right complement of resources -- people and technology
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed

CASE FOR A NGFW

Six Criteria for buying a NGFW

It is clear that regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type

• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set

• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of:
  • inline deep packet inspection firewalls
  • IDS/IPS
  • application inspection and control
  • SSL/SSH inspection
  • website filtering and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations
• However, enabling all available features at once could result in serious performance degradation
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose

Manageability

• This criterion involves system configuration requirements and usability of the management console
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions
  2. flexible - possible to exclude features that are not needed in the enterprise environment and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive

Price

• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events

NGFW VENDORS

NGFW Players

The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda

There are other NGFW vendors but these are the top 9

Questions to consider

Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?

Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with the McAfee Next Generation Firewall license.

201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key differentiators between NGFW products
• McAfee NGFW provides “intelligence aware” security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large-scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept (POC)
(4) make reference calls
(5) consider cost
(6) obtain management buy-in, and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise, all-important factors in making your decision.

CRISC CGEIT CISM CISA 2013 Fall Conference – “Sail to Success”

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC, and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

[Figure: Gartner Magic Quadrant – April 2015. Quadrant labels: Challengers, Leaders, Niche Players, Visionaries]

[Figure dated October 7, 2015. Labels: Security, Performance, Total cost of ownership (TCO)]

NEED FOR NGFW

Do we really need a NGFW?
• But “we've never had a breach” or “we are not a big target”
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?
• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies
• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some do not activate features since they have not found them necessary or because they do not fit their business model.

For example
• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store, whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources (people and technology).
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS).
• Hardware-based NGFWs appeal best to large and midsize enterprises.
• Software-based NGFWs appeal best to small companies with simple network infrastructures.
• Cloud-based NGFWs appeal best to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated.

Feature Set
• Not all NGFW features are similarly available by vendor.
• NGFW features typically consist of:
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion.
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions.

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability
• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support, with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with the McAfee Next Generation Firewall license.

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

What features are available in the NGFW?
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, which offers it with over 600 types. You might still determine that a full-featured DLP solution is required if the Checkpoint one is not sufficient.
• The same would apply to web application firewall (WAF) features, such as the one in the Dell Sonicwall, which again is not a full-featured WAF.

What features are available in the NGFW?
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
5013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
EvaluaBon13 and13 Audit13 of13 NGFW13
v Plaborm13 Based13 ndash13 appliancesofwareSaaS13 v Feature13 Set13 ndash13 baseline13 and13 add-shy‐ons13 v Performance13 ndash13 NSS13 Labs13 results13 v Manageability13 ndash13 comprehensiveeasy13 to13 use13 v Threat13 Intelligence13 ndash13 currencyaccuracycompleteness13 v TCO13 ndash13 total13 cost13 of13 ownership13 v Risk13 ndash13 consider13 the13 business13 model13 and13 objecves13 v Price13 ndash13 you13 get13 what13 you13 pay13 for13 v Support13 ndash13 what13 is13 support13 experience13 v Differenators13 ndash13 what13 sets13 them13 apart13 13
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
1913

October 7, 2015
[Figure labels: Security; Performance; Total cost of ownership (TCO)]

NEED FOR NGFW

Do we really need a NGFW?
• But "we've never had a breach" or "we are not a big target"
• Today there are a large number of disparate, standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?
• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies
• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable
• Some NGFWs have security features built into the appliance at no additional cost
• Some do not activate features since they have not found them necessary or because they do not fit their business model

For example
• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals
• IT, in turn, exists to support the business. IT does not drive the business
• The business drives the business
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources -- people and technology
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized, multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set
• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of:
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations
• However, enabling all available features at once could result in serious performance degradation
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose

Manageability
• This criterion involves system configuration requirements and usability of the management console
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license

What features are available in the NGFW? (continued)
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product

What features are available in the NGFW? (continued)
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, consider the NGFWs that provide it, such as Checkpoint: although it is offered with over 600 types, you might determine that a full-featured DLP solution is still required if the Checkpoint is not sufficient
• The same would apply to web application firewalls (WAF), such as the Dell Sonicwall, which again is not a full-featured WAF

What features are available in the NGFW? (continued)
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira)
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing)
• The larger the enterprise and volume purchase potential, the greater the disparity but also the greater the bargaining power on the part of the customer

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5,000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single-pane of glass

Key differentiators between NGFW products (continued)
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors
• Fortinet lauds its 11-year old in-house dedicated security research team -- FortiGuard Labs -- one of the few NGFW vendors that have its own, since most OEM this activity. Fortinet also purports to have NGFW FortiGate that can deliver five times better performance of comparatively priced competitor products
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone

Key differentiators between NGFW products (continued)
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players,
(2) develop a short list,
(3) perform a proof of concept – POC,
(4) make reference calls,
(5) consider cost,
(6) obtain management buy-in, and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
2013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
2113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
2213
1111513 2313
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NEED13 FOR13 NGFW13
2313
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Do13 we13 really13 need13 a13 NGFW13
2413
bull But13 ldquowersquove13 never13 had13 a13 breachrdquo13 or13 ldquowe13 are13 not13 a13 big13 targetrdquo13
bull Today13 there13 are13 a13 large13 number13 of13 disparate13 standalone13 products13 and13 services13 forced13 to13 work13 together13
bull Although13 effecve13 appear13 architecturally13 desultory13 reacve13 and13 taccal13 in13 nature13
bull NGFWs13 offer13 a13 good13 compliment13 of13 security13 soluons13 in13 one13 appliance13
bull Not13 all13 NGFWs13 are13 created13 equal13 bull 313 factors13 for13 establishing13 a13 need13 for13 a13 NGFW13
bull Is13 the13 investment13 jusfiable13 bull Alignment13 with13 exisng13 IT13 strategies13 bull Total13 Cost13 of13 Ownership13 (TCO)13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Is13 the13 investment13 jusfiable13
2513
bull Basic13 firewall13 services13 regulate13 network13 connecons13 between13 computer13 systems13 of13 differing13 trust13 levels13
bull Most13 enterprises13 need13 bull IPSIDS13 bull Firewall13 (deep13 packet13 inspecon)13 bull An-shy‐virusMalware13 protecon13 bull Applicaon13 controls13 bull VPN13 bull Session13 encrypon13 (TLS13 12)13 bull Wireless13 security13 bull Mobile13 security13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Alignment13 with13 exisng13 IT13 strategies13
2613
bull Organizaons13 that13 deploy13 NGFWs13 may13 discover13 they13 do13 not13 require13 all13 the13 security13 features13 these13 appliances13 support13
bull Features13 required13 by13 an13 enterprise13 should13 be13 determined13 in13 advance13 as13 this13 will13 influence13 what13 NGFW13 product13 is13 bought13 and13 which13 security13 services13 to13 enable13
bull Some13 NGFWs13 have13 security13 features13 built13 into13 the13 appliance13 at13 no13 addional13 cost13 13
bull Some13 do13 not13 acvate13 feature13 since13 they13 have13 not13 found13 them13 necessary13 or13 because13 they13 do13 not13 fit13 their13 business13 model13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
For13 example13
2713
bull Large13 retail13 companies13 might13 opt13 for13 a13 NGFW13 soluon13 at13 the13 corporate13 headquarters13 but13 go13 with13 point13 soluons13 in13 each13 retail13 store13 -shy‐-shy‐13 whether13 from13 the13 same13 vendor13 or13 not13
bull Online13 retail13 businesses13 that13 do13 not13 have13 brick13 and13 mortar13 locaons13 typically13 require13 robust13 and13 therefore13 increasingly13 integrated13 network13 security13 soluons13 that13 focus13 on13 QoS13 load13 balancing13 IPS13 web13 applicaon13 security13 SSL13 VPN13 and13 strong13 firewalls13 with13 deep13 packet13 inspecon13
bull Enterprises13 that13 are13 heavily13 regulated13 via13 standards13 (eg13 PCI13 HIPAA13 HITECH13 Act13 Sarbanes-shy‐Oxley13 FISMA13 PERC13 etc)13 would13 need13 to13 also13 address13 remote13 access13 controls13 two-shy‐factor13 authencaon13 Acve13 Directory13 integraon13 and13 possibly13 DLP13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Alignment13 with13 exisng13 IT13 strategies13
2813
bull Whatever13 course13 is13 taken13 informaon13 security13 decisions13 need13 to13 integrated13 with13 ITrsquos13 strategic13 goals13 13 13
bull IT13 in13 turn13 exists13 to13 support13 the13 business13 IT13 does13 not13 drive13 the13 business13 13
bull The13 business13 drives13 the13 business13 13 bull ITrsquos13 purpose13 is13 to13 ensure13 the13 IT13 infrastructure13
(perimeter13 and13 core13 deployments)13 exist13 to13 allow13 the13 business13 to13 achieve13 its13 strategic13 goals13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Total13 Cost13 of13 Ownership13 (TCO)13
2913
TCO13 establishes13 the13 right13 complement13 of13 resources13 -shy‐-shy‐13 people13 and13 technology13 bull Total13 cost13 of13 technology13 (TCT)13 The13 cost13 of13 technology13
that13 is13 required13 to13 deploy13 monitor13 and13 report13 on13 the13 state13 of13 informaon13 security13 for13 the13 enterprise13
bull Total13 cost13 of13 risk13 (TCR)13 The13 cost13 to13 esmate13 and13 not13 deploy13 resources13 processes13 or13 technology13 for13 your13 enterprise13 such13 as13 compliance13 risk13 security13 risk13 legal13 risk13 and13 reputaon13 risk13
bull Total13 cost13 of13 maintenance13 (TCM)13 The13 cost13 of13 maintaining13 the13 informaon13 security13 program13 such13 as13 people13 skills13 flexibility13 scalability13 and13 comprehensiveness13 of13 the13 systems13 deployed13
1111513 3013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
CASE13 FOR13 A13 NGFW13
3013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Six13 Criteria13 for13 buying13 a13 NGFW13
3113
It13 is13 clear13 that13 regardless13 of13 what13 vendors13 call13 their13 NGFW13 products13 it13 is13 incumbent13 that13 buyers13 understand13 the13 precise13 features13 each13 NGFW13 product13 under13 consideraon13 includes13 Letrsquos13 look13 at13 six13 criteria13 13
bull Plaborm13 Type13 bull Feature13 Set13 bull Performance13 bull Manageability13 bull Price13 bull Support13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Plaborm13 Type13
3213
bull How13 is13 the13 NFGW13 provided13 13 bull Most13 next-shy‐gen13 firewalls13 are13 hardware-shy‐13 (appliance)13
sofware-shy‐13 (downloadable)13 or13 cloud-shy‐based13 (SaaS)13 bull Hardware-shy‐based13 NGFWs13 appeal13 best13 to13 large13 and13
midsize13 enterprises13 bull Sofware-shy‐based13 NGFWs13 to13 small13 companies13 with13 simple13
network13 infrastructures13 bull Cloud-shy‐based13 NGFWs13 to13 highly13 decentralized13 mul-shy‐
locaon13 sites13 or13 enterprises13 where13 the13 required13 skill13 set13 to13 manage13 them13 is13 wanng13 or13 reallocated13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Feature Set

• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of:
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations
• However, enabling all available features at once could result in serious performance degradation
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose

Manageability

• This criterion involves system configuration requirements and usability of the management console
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive

Price

• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events

NGFW VENDORS

NGFW Players

The top nine NGFW vendors are:

• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda

There are other NGFW vendors, but these are the top 9.

Questions to consider

Questions to consider when comparing these and other NGFW products include:

• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?

Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:

• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license

What features are available in the NGFW?

• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product

What features are available in the NGFW?

The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.

• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint (offered with over 600 types), but you might determine that a full-featured DLP solution is still required if the Checkpoint one is not sufficient
• The same would apply to web application firewalls (WAF): some NGFWs, such as the Dell Sonicwall, offer one, but again it is not a full-featured WAF

What features are available in the NGFW?

• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira)
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license

How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license
• All NGFW products are priced by scale based on the type of hardware utilized and service contract
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing)
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer

Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5,000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass

Key differentiators between NGFW products

• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors
• Fortinet lauds its 11-year old in-house dedicated security research team -- FortiGuard Labs. It is one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports to have a NGFW, FortiGate, that can deliver five times better performance than comparatively priced competitor products
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone

Key differentiators between NGFW products

• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention, and a unified software core design
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network

How to select the right NGFW?

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:

(1) identify the players,
(2) develop a short list,
(3) perform a proof of concept – POC,
(4) make reference calls,
(5) consider cost,
(6) obtain management buy-in, and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.

Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

NEED FOR NGFW

Do we really need a NGFW?

• But "we've never had a breach" or "we are not a big target"
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW:
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?

• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies

• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable
• Some NGFWs have security features built into the appliance at no additional cost
• Some organizations do not activate features because they have not found them necessary or because they do not fit their business model

For example

• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not
• Online retail businesses that do not have brick and mortar locations typically require robust and therefore increasingly integrated network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP

Alignment with existing IT strategies

• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals
• IT in turn exists to support the business. IT does not drive the business
• The business drives the business
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals

Total Cost of Ownership (TCO)

TCO establishes the right complement of resources -- people and technology

• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed

CASE FOR A NGFW

Six13 Criteria13 for13 buying13 a13 NGFW13
3113
It13 is13 clear13 that13 regardless13 of13 what13 vendors13 call13 their13 NGFW13 products13 it13 is13 incumbent13 that13 buyers13 understand13 the13 precise13 features13 each13 NGFW13 product13 under13 consideraon13 includes13 Letrsquos13 look13 at13 six13 criteria13 13
bull Plaborm13 Type13 bull Feature13 Set13 bull Performance13 bull Manageability13 bull Price13 bull Support13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Plaborm13 Type13
3213
bull How13 is13 the13 NFGW13 provided13 13 bull Most13 next-shy‐gen13 firewalls13 are13 hardware-shy‐13 (appliance)13
sofware-shy‐13 (downloadable)13 or13 cloud-shy‐based13 (SaaS)13 bull Hardware-shy‐based13 NGFWs13 appeal13 best13 to13 large13 and13
midsize13 enterprises13 bull Sofware-shy‐based13 NGFWs13 to13 small13 companies13 with13 simple13
network13 infrastructures13 bull Cloud-shy‐based13 NGFWs13 to13 highly13 decentralized13 mul-shy‐
locaon13 sites13 or13 enterprises13 where13 the13 required13 skill13 set13 to13 manage13 them13 is13 wanng13 or13 reallocated13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Feature13 Set13
3313
bull Not13 all13 NGFW13 features13 are13 similarly13 available13 by13 vendor13 bull NGFW13 features13 typically13 consist13 of13 13
bull inline13 deep13 packet13 inspecon13 firewalls13 13 bull IDSIPS13 13 bull applicaon13 inspecon13 and13 control13 13 bull SSLSSH13 inspecon13 13 bull website13 filtering13 and13 13 bull QoSbandwidth13 management13 to13 protect13 networks13
against13 the13 latest13 in13 sophiscated13 network13 adacks13 and13 intrusion13 13
bull Addionally13 most13 NGFWs13 offer13 threat13 intelligence13 mobile13 device13 security13 data13 loss13 prevenon13 (DLP)13 Acve13 Directory13 integraon13 and13 an13 open13 architecture13 that13 allows13 clients13 to13 tailor13 applicaon13 control13 and13 even13 some13 firewall13 rule13 definions13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Performance13
3413
bull Because13 NGFWs13 integrate13 many13 features13 into13 a13 single13 appliance13 they13 may13 seem13 adracve13 to13 some13 organizaons13 13
bull However13 enabling13 all13 available13 features13 at13 once13 could13 result13 in13 serious13 performance13 degradaon13 13
bull NGFW13 performance13 metrics13 have13 improved13 over13 the13 years13 but13 the13 buyer13 needs13 to13 seriously13 consider13 performance13 in13 relaonship13 to13 the13 security13 features13 they13 want13 to13 enable13 when13 determining13 the13 vendors13 they13 approach13 and13 the13 model13 of13 NGFW13 they13 choose13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Manageability13
3513
bull This13 criterion13 involves13 system13 configuraon13 requirements13 and13 usability13 of13 the13 management13 console13
bull It13 considers13 how13 the13 NGFW13 manages13 complex13 environments13 with13 many13 firewalls13 and13 users13 and13 very13 narrow13 firewall13 change13 windows13
bull System13 configuraon13 changes13 and13 the13 user13 interface13 of13 the13 management13 console13 should13 be13 1 comprehensive13 -shy‐13 such13 that13 it13 covers13 an13 array13 of13 features13
that13 preclude13 the13 need13 for13 augmentaon13 by13 other13 point13 soluons13 13
2 flexible13 -shy‐13 possible13 to13 exclude13 features13 that13 are13 not13 needed13 in13 the13 enterprise13 environment13 and13 13
3 easy13 to13 use13 -shy‐13 such13 that13 the13 management13 console13 individual13 feature13 dashboards13 and13 reporng13 are13 intuive13 and13 incisive13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Price13
3613
bull NGFW13 appliance13 sofware13 and13 cloud13 service13 pricing13 varies13 considerably13 by13 vendor13 and13 model13
bull Prices13 range13 from13 $59913 to13 $80000+13 per13 device13 bull Some13 are13 even13 priced13 by13 number13 of13 users13 (eg13 $110013
for13 1-shy‐9913 users13 to13 $10000013 for13 500013 users+)13 13 bull All13 meanwhile13 have13 separate13 pricing13 for13 service13
contracts13 bull If13 possible13 do13 not13 pay13 retail13 prices13 13 bull Most13 vendors13 will13 provide13 volume13 discounts13 (the13 more13
users13 supported13 the13 less13 it13 costs13 per13 user13 for13 example)13 or13 discounts13 with13 viable13 prospects13 of13 further13 purchases13
bull Purchase13 at13 month-shy‐end13 and13 quarter-shy‐end13 Sales13 people13 have13 goals13 that13 can13 be13 leveraged13 for13 pricing13 to13 your13 advantage13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Support13
3713
bull The13 201513 Gartner13 Magic13 Quadrant13 on13 NGFW13 also13 rated13 support13 -shy‐-shy‐13 with13 quality13 breadth13 and13 value13 of13 NGFW13 offerings13 viewed13 from13 the13 vantage13 point13 of13 enterprise13 needs13 13
bull Given13 the13 crical13 nature13 of13 NGFWs13 mely13 and13 accurate13 support13 is13 essenal13 Obtain13 references13 and13 ask13 to13 speak13 with13 vendor13 clients13 without13 the13 vendor13 present13
bull Support13 criteria13 for13 NGFWs13 should13 address13 responsiveness13 ranked13 by13 type13 of13 service13 request13 quality13 and13 accuracy13 of13 the13 service13 response13 currency13 of13 product13 updates13 and13 customer13 educaon13 and13 awareness13 of13 current13 events13
1111513 3813
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 VENDORS13
3813
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
NGFW13 Players13
3913
The13 top13 nine13 NGFW13 vendors13 are13 13 bull Checkpoint13 bull Dell13 Sonicwall13 13 bull Palo13 Alto13 bull Cisco13 bull Fornet13 13 bull HP13 TippingPoint13 13 bull McAfee13 13 bull Barracuda13 13 There13 are13 other13 NGFW13 vendors13 but13 these13 are13 the13 top13 913
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Quesons13 to13 consider13
4013
Quesons13 to13 consider13 when13 comparing13 these13 and13 other13 NGFW13 products13 include13 13
bull What13 is13 their13 product13 line13 13 bull Is13 their13 NGFW13 for13 cloud13 service13 providers13 large13
enterprises13 SMBs13 or13 small13 companies13 13 bull What13 are13 the13 NGFW13 features13 that13 come13 with13 the13
base13 product13 13 bull What13 features13 need13 an13 extra13 license(s)13 13 bull How13 is13 the13 NGFW13 sold13 and13 priced13 13 bull What13 differenates13 their13 NFGW13 from13 other13 vendor13
NGFW13 products13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4113
Non-shy‐common13 NGFW13 features13 vary13 by13 vendor13 So13 this13 is13 where13 organizaons13 can13 start13 to13 differenate13 which13 NGFWs13 will13 work13 for13 them13 and13 which13 wonrsquot13 For13 example13 bull Dell13 SonicWall13 provides13 security13 services13 such13 as13 gateway13
an-shy‐malware13 content13 filtering13 and13 client13 anvirus13 and13 anspyware13 that13 are13 licensed13 on13 an13 annual13 subscripon13 contract13 Dell13 SecureWorks13 premium13 Global13 Threat13 Intelligence13 service13 is13 an13 addional13 subscripon13
bull Cisco13 provides13 Applicaon13 Visibility13 and13 Control13 as13 part13 of13 the13 base13 configuraon13 at13 no13 cost13 but13 separate13 licenses13 are13 required13 for13 Next13 Generaon13 Intrusion13 Prevenon13 Systems13 (NGIPS)13 Advanced13 Malware13 Protecon13 and13 URL13 filtering13
bull McAfee13 provides13 clustering13 and13 mul-shy‐Link13 as13 standard13 features13 with13 McAfee13 Next13 Generaon13 Firewall13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What features are available in the NGFW?
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.

Key differentiators between NGFW products
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs. It is one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports to have an NGFW, FortiGate, that can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

Key differentiators between NGFW products
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large-scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

NEED FOR NGFW

Do we really need a NGFW?
• But "we've never had a breach" or "we are not a big target"
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW
  • Is the investment justifiable
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?
• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies
• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some do not activate features since they have not found them necessary or because they do not fit their business model.

For example
• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources -- people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set
• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of
  • inline deep packet inspection firewalls
  • IDS/IPS
  • application inspection and control
  • SSL/SSH inspection
  • website filtering and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability
• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions
  2. flexible - possible to exclude features that are not needed in the enterprise environment and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request; quality and accuracy of the service response; currency of product updates; and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services, such as gateway anti-malware, content filtering, and client antivirus and antispyware, that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and Multi-Link as standard features with McAfee Next Generation Firewall license.

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
5013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
EvaluaBon13 and13 Audit13 of13 NGFW13
v Plaborm13 Based13 ndash13 appliancesofwareSaaS13 v Feature13 Set13 ndash13 baseline13 and13 add-shy‐ons13 v Performance13 ndash13 NSS13 Labs13 results13 v Manageability13 ndash13 comprehensiveeasy13 to13 use13 v Threat13 Intelligence13 ndash13 currencyaccuracycompleteness13 v TCO13 ndash13 total13 cost13 of13 ownership13 v Risk13 ndash13 consider13 the13 business13 model13 and13 objecves13 v Price13 ndash13 you13 get13 what13 you13 pay13 for13 v Support13 ndash13 what13 is13 support13 experience13 v Differenators13 ndash13 what13 sets13 them13 apart13 13
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
NEED FOR NGFW

Do we really need a NGFW?

• But "we've never had a breach" or "we are not a big target"
• Today there are a large number of disparate standalone products and services forced to work together
• Although effective, they appear architecturally desultory, reactive and tactical in nature
• NGFWs offer a good complement of security solutions in one appliance
• Not all NGFWs are created equal
• 3 factors for establishing a need for a NGFW
  • Is the investment justifiable?
  • Alignment with existing IT strategies
  • Total Cost of Ownership (TCO)

Is the investment justifiable?

• Basic firewall services regulate network connections between computer systems of differing trust levels
• Most enterprises need
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies

• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable
• Some NGFWs have security features built into the appliance at no additional cost
• Some do not activate features since they have not found them necessary or because they do not fit their business model

For example

• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP

Alignment with existing IT strategies

• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals
• IT, in turn, exists to support the business. IT does not drive the business
• The business drives the business
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals

Total Cost of Ownership (TCO)

TCO establishes the right complement of resources -- people and technology
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed
CASE FOR A NGFW

Six Criteria for buying a NGFW

It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type

• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS)
• Hardware-based NGFWs appeal best to large and midsize enterprises
• Software-based NGFWs to small companies with simple network infrastructures
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated

Feature Set

• Not all NGFW features are similarly available by vendor
• NGFW features typically consist of
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions

Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations
• However, enabling all available features at once could result in serious performance degradation
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose

Manageability

• This criterion involves system configuration requirements and usability of the management console
• It considers how the NGFW manages complex environments with many firewalls and users and very narrow firewall change windows
• System configuration changes and the user interface of the management console should be
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions,
  2. flexible - possible to exclude features that are not needed in the enterprise environment, and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive

Price

• NGFW appliance, software and cloud service pricing varies considerably by vendor and model
• Prices range from $599 to $80,000+ per device
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+)
• All, meanwhile, have separate pricing for service contracts
• If possible, do not pay retail prices
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage

Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events
NGFW VENDORS

NGFW Players

The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider

Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?

Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence and for advanced client Network Access Control (NAC) VPN/SSL VPN features
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product

The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint (offered with over 600 types), but you might determine that a full-featured DLP solution is still required if the Checkpoint feature is not sufficient
• The same would apply to web application firewalls (WAF): some NGFWs, such as the Dell Sonicwall, provide one, but again it is not a full-featured WAF
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira)
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license

How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing)
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer

Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5,000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs -- as one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparatively priced competitor products
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large-scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network

How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players,
(2) develop a short list,
(3) perform a proof of concept – POC,
(4) make reference calls,
(5) consider cost,
(6) obtain management buy-in, and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.
NGFW AUDIT

Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Do13 we13 really13 need13 a13 NGFW13
2413
bull But13 ldquowersquove13 never13 had13 a13 breachrdquo13 or13 ldquowe13 are13 not13 a13 big13 targetrdquo13
bull Today13 there13 are13 a13 large13 number13 of13 disparate13 standalone13 products13 and13 services13 forced13 to13 work13 together13
bull Although13 effecve13 appear13 architecturally13 desultory13 reacve13 and13 taccal13 in13 nature13
bull NGFWs13 offer13 a13 good13 compliment13 of13 security13 soluons13 in13 one13 appliance13
bull Not13 all13 NGFWs13 are13 created13 equal13 bull 313 factors13 for13 establishing13 a13 need13 for13 a13 NGFW13
bull Is13 the13 investment13 jusfiable13 bull Alignment13 with13 exisng13 IT13 strategies13 bull Total13 Cost13 of13 Ownership13 (TCO)13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Is13 the13 investment13 jusfiable13
2513
bull Basic13 firewall13 services13 regulate13 network13 connecons13 between13 computer13 systems13 of13 differing13 trust13 levels13
bull Most13 enterprises13 need13 bull IPSIDS13 bull Firewall13 (deep13 packet13 inspecon)13 bull An-shy‐virusMalware13 protecon13 bull Applicaon13 controls13 bull VPN13 bull Session13 encrypon13 (TLS13 12)13 bull Wireless13 security13 bull Mobile13 security13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Alignment13 with13 exisng13 IT13 strategies13
2613
bull Organizaons13 that13 deploy13 NGFWs13 may13 discover13 they13 do13 not13 require13 all13 the13 security13 features13 these13 appliances13 support13
bull Features13 required13 by13 an13 enterprise13 should13 be13 determined13 in13 advance13 as13 this13 will13 influence13 what13 NGFW13 product13 is13 bought13 and13 which13 security13 services13 to13 enable13
bull Some13 NGFWs13 have13 security13 features13 built13 into13 the13 appliance13 at13 no13 addional13 cost13 13
bull Some13 do13 not13 acvate13 feature13 since13 they13 have13 not13 found13 them13 necessary13 or13 because13 they13 do13 not13 fit13 their13 business13 model13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
For13 example13
2713
bull Large13 retail13 companies13 might13 opt13 for13 a13 NGFW13 soluon13 at13 the13 corporate13 headquarters13 but13 go13 with13 point13 soluons13 in13 each13 retail13 store13 -shy‐-shy‐13 whether13 from13 the13 same13 vendor13 or13 not13
bull Online13 retail13 businesses13 that13 do13 not13 have13 brick13 and13 mortar13 locaons13 typically13 require13 robust13 and13 therefore13 increasingly13 integrated13 network13 security13 soluons13 that13 focus13 on13 QoS13 load13 balancing13 IPS13 web13 applicaon13 security13 SSL13 VPN13 and13 strong13 firewalls13 with13 deep13 packet13 inspecon13
bull Enterprises13 that13 are13 heavily13 regulated13 via13 standards13 (eg13 PCI13 HIPAA13 HITECH13 Act13 Sarbanes-shy‐Oxley13 FISMA13 PERC13 etc)13 would13 need13 to13 also13 address13 remote13 access13 controls13 two-shy‐factor13 authencaon13 Acve13 Directory13 integraon13 and13 possibly13 DLP13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Alignment13 with13 exisng13 IT13 strategies13
2813
bull Whatever13 course13 is13 taken13 informaon13 security13 decisions13 need13 to13 integrated13 with13 ITrsquos13 strategic13 goals13 13 13
bull IT13 in13 turn13 exists13 to13 support13 the13 business13 IT13 does13 not13 drive13 the13 business13 13
bull The13 business13 drives13 the13 business13 13 bull ITrsquos13 purpose13 is13 to13 ensure13 the13 IT13 infrastructure13
(perimeter13 and13 core13 deployments)13 exist13 to13 allow13 the13 business13 to13 achieve13 its13 strategic13 goals13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Total13 Cost13 of13 Ownership13 (TCO)13
2913
TCO13 establishes13 the13 right13 complement13 of13 resources13 -shy‐-shy‐13 people13 and13 technology13 bull Total13 cost13 of13 technology13 (TCT)13 The13 cost13 of13 technology13
that13 is13 required13 to13 deploy13 monitor13 and13 report13 on13 the13 state13 of13 informaon13 security13 for13 the13 enterprise13
bull Total13 cost13 of13 risk13 (TCR)13 The13 cost13 to13 esmate13 and13 not13 deploy13 resources13 processes13 or13 technology13 for13 your13 enterprise13 such13 as13 compliance13 risk13 security13 risk13 legal13 risk13 and13 reputaon13 risk13
bull Total13 cost13 of13 maintenance13 (TCM)13 The13 cost13 of13 maintaining13 the13 informaon13 security13 program13 such13 as13 people13 skills13 flexibility13 scalability13 and13 comprehensiveness13 of13 the13 systems13 deployed13
1111513 3013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
CASE13 FOR13 A13 NGFW13
3013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Six13 Criteria13 for13 buying13 a13 NGFW13
3113
It13 is13 clear13 that13 regardless13 of13 what13 vendors13 call13 their13 NGFW13 products13 it13 is13 incumbent13 that13 buyers13 understand13 the13 precise13 features13 each13 NGFW13 product13 under13 consideraon13 includes13 Letrsquos13 look13 at13 six13 criteria13 13
bull Plaborm13 Type13 bull Feature13 Set13 bull Performance13 bull Manageability13 bull Price13 bull Support13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Plaborm13 Type13
3213
bull How13 is13 the13 NFGW13 provided13 13 bull Most13 next-shy‐gen13 firewalls13 are13 hardware-shy‐13 (appliance)13
sofware-shy‐13 (downloadable)13 or13 cloud-shy‐based13 (SaaS)13 bull Hardware-shy‐based13 NGFWs13 appeal13 best13 to13 large13 and13
midsize13 enterprises13 bull Sofware-shy‐based13 NGFWs13 to13 small13 companies13 with13 simple13
network13 infrastructures13 bull Cloud-shy‐based13 NGFWs13 to13 highly13 decentralized13 mul-shy‐
locaon13 sites13 or13 enterprises13 where13 the13 required13 skill13 set13 to13 manage13 them13 is13 wanng13 or13 reallocated13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Feature13 Set13
3313
bull Not13 all13 NGFW13 features13 are13 similarly13 available13 by13 vendor13 bull NGFW13 features13 typically13 consist13 of13 13
bull inline13 deep13 packet13 inspecon13 firewalls13 13 bull IDSIPS13 13 bull applicaon13 inspecon13 and13 control13 13 bull SSLSSH13 inspecon13 13 bull website13 filtering13 and13 13 bull QoSbandwidth13 management13 to13 protect13 networks13
against13 the13 latest13 in13 sophiscated13 network13 adacks13 and13 intrusion13 13
bull Addionally13 most13 NGFWs13 offer13 threat13 intelligence13 mobile13 device13 security13 data13 loss13 prevenon13 (DLP)13 Acve13 Directory13 integraon13 and13 an13 open13 architecture13 that13 allows13 clients13 to13 tailor13 applicaon13 control13 and13 even13 some13 firewall13 rule13 definions13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Performance13
3413
bull Because13 NGFWs13 integrate13 many13 features13 into13 a13 single13 appliance13 they13 may13 seem13 adracve13 to13 some13 organizaons13 13
bull However13 enabling13 all13 available13 features13 at13 once13 could13 result13 in13 serious13 performance13 degradaon13 13
bull NGFW13 performance13 metrics13 have13 improved13 over13 the13 years13 but13 the13 buyer13 needs13 to13 seriously13 consider13 performance13 in13 relaonship13 to13 the13 security13 features13 they13 want13 to13 enable13 when13 determining13 the13 vendors13 they13 approach13 and13 the13 model13 of13 NGFW13 they13 choose13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Manageability13
3513
bull This13 criterion13 involves13 system13 configuraon13 requirements13 and13 usability13 of13 the13 management13 console13
bull It13 considers13 how13 the13 NGFW13 manages13 complex13 environments13 with13 many13 firewalls13 and13 users13 and13 very13 narrow13 firewall13 change13 windows13
bull System13 configuraon13 changes13 and13 the13 user13 interface13 of13 the13 management13 console13 should13 be13 1 comprehensive13 -shy‐13 such13 that13 it13 covers13 an13 array13 of13 features13
that13 preclude13 the13 need13 for13 augmentaon13 by13 other13 point13 soluons13 13
2 flexible13 -shy‐13 possible13 to13 exclude13 features13 that13 are13 not13 needed13 in13 the13 enterprise13 environment13 and13 13
3 easy13 to13 use13 -shy‐13 such13 that13 the13 management13 console13 individual13 feature13 dashboards13 and13 reporng13 are13 intuive13 and13 incisive13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1100 for 1-99 users to $100,000 for 5000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

What features are available in the NGFW?
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs such as Checkpoint provide it (offered with over 600 types), but you might determine that a full-featured DLP solution is still required if the Checkpoint feature is not sufficient.
• The same would apply to web application firewalls (WAF): one is offered by NGFWs such as the Dell Sonicwall, but again it is not a full-featured WAF.

What features are available in the NGFW?
• Another example would be Cisco: malware protection is available with their network anti-virus/malware solution, but additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.

Key differentiators between NGFW products
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs; it is one of the few NGFW vendors that have their own, since most OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

Key differentiators between NGFW products
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention, and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in, and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

Is the investment justifiable?
• Basic firewall services regulate network connections between computer systems of differing trust levels.
• Most enterprises need:
  • IPS/IDS
  • Firewall (deep packet inspection)
  • Anti-virus/Malware protection
  • Application controls
  • VPN
  • Session encryption (TLS 1.2)
  • Wireless security
  • Mobile security

Alignment with existing IT strategies
• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some organizations do not activate features, since they have not found them necessary or because they do not fit their business model.

For example
• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources -- people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS).
• Hardware-based NGFWs appeal best to large and midsize enterprises.
• Software-based NGFWs to small companies with simple network infrastructures.
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated.

Feature Set
• Not all NGFW features are similarly available by vendor.
• NGFW features typically consist of:
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion.
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions.
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Performance13
3413
bull Because13 NGFWs13 integrate13 many13 features13 into13 a13 single13 appliance13 they13 may13 seem13 adracve13 to13 some13 organizaons13 13
bull However13 enabling13 all13 available13 features13 at13 once13 could13 result13 in13 serious13 performance13 degradaon13 13
bull NGFW13 performance13 metrics13 have13 improved13 over13 the13 years13 but13 the13 buyer13 needs13 to13 seriously13 consider13 performance13 in13 relaonship13 to13 the13 security13 features13 they13 want13 to13 enable13 when13 determining13 the13 vendors13 they13 approach13 and13 the13 model13 of13 NGFW13 they13 choose13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Manageability13
3513
bull This13 criterion13 involves13 system13 configuraon13 requirements13 and13 usability13 of13 the13 management13 console13
bull It13 considers13 how13 the13 NGFW13 manages13 complex13 environments13 with13 many13 firewalls13 and13 users13 and13 very13 narrow13 firewall13 change13 windows13
bull System13 configuraon13 changes13 and13 the13 user13 interface13 of13 the13 management13 console13 should13 be13 1 comprehensive13 -shy‐13 such13 that13 it13 covers13 an13 array13 of13 features13
that13 preclude13 the13 need13 for13 augmentaon13 by13 other13 point13 soluons13 13
2 flexible13 -shy‐13 possible13 to13 exclude13 features13 that13 are13 not13 needed13 in13 the13 enterprise13 environment13 and13 13
3 easy13 to13 use13 -shy‐13 such13 that13 the13 management13 console13 individual13 feature13 dashboards13 and13 reporng13 are13 intuive13 and13 incisive13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Price13
3613
bull NGFW13 appliance13 sofware13 and13 cloud13 service13 pricing13 varies13 considerably13 by13 vendor13 and13 model13
bull Prices13 range13 from13 $59913 to13 $80000+13 per13 device13 bull Some13 are13 even13 priced13 by13 number13 of13 users13 (eg13 $110013
for13 1-shy‐9913 users13 to13 $10000013 for13 500013 users+)13 13 bull All13 meanwhile13 have13 separate13 pricing13 for13 service13
contracts13 bull If13 possible13 do13 not13 pay13 retail13 prices13 13 bull Most13 vendors13 will13 provide13 volume13 discounts13 (the13 more13
users13 supported13 the13 less13 it13 costs13 per13 user13 for13 example)13 or13 discounts13 with13 viable13 prospects13 of13 further13 purchases13
bull Purchase13 at13 month-shy‐end13 and13 quarter-shy‐end13 Sales13 people13 have13 goals13 that13 can13 be13 leveraged13 for13 pricing13 to13 your13 advantage13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Support13
3713
bull The13 201513 Gartner13 Magic13 Quadrant13 on13 NGFW13 also13 rated13 support13 -shy‐-shy‐13 with13 quality13 breadth13 and13 value13 of13 NGFW13 offerings13 viewed13 from13 the13 vantage13 point13 of13 enterprise13 needs13 13
bull Given13 the13 crical13 nature13 of13 NGFWs13 mely13 and13 accurate13 support13 is13 essenal13 Obtain13 references13 and13 ask13 to13 speak13 with13 vendor13 clients13 without13 the13 vendor13 present13
bull Support13 criteria13 for13 NGFWs13 should13 address13 responsiveness13 ranked13 by13 type13 of13 service13 request13 quality13 and13 accuracy13 of13 the13 service13 response13 currency13 of13 product13 updates13 and13 customer13 educaon13 and13 awareness13 of13 current13 events13
1111513 3813
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 VENDORS13
3813
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
NGFW13 Players13
3913
The13 top13 nine13 NGFW13 vendors13 are13 13 bull Checkpoint13 bull Dell13 Sonicwall13 13 bull Palo13 Alto13 bull Cisco13 bull Fornet13 13 bull HP13 TippingPoint13 13 bull McAfee13 13 bull Barracuda13 13 There13 are13 other13 NGFW13 vendors13 but13 these13 are13 the13 top13 913
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Quesons13 to13 consider13
4013
Quesons13 to13 consider13 when13 comparing13 these13 and13 other13 NGFW13 products13 include13 13
bull What13 is13 their13 product13 line13 13 bull Is13 their13 NGFW13 for13 cloud13 service13 providers13 large13
enterprises13 SMBs13 or13 small13 companies13 13 bull What13 are13 the13 NGFW13 features13 that13 come13 with13 the13
base13 product13 13 bull What13 features13 need13 an13 extra13 license(s)13 13 bull How13 is13 the13 NGFW13 sold13 and13 priced13 13 bull What13 differenates13 their13 NFGW13 from13 other13 vendor13
NGFW13 products13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4113
Non-shy‐common13 NGFW13 features13 vary13 by13 vendor13 So13 this13 is13 where13 organizaons13 can13 start13 to13 differenate13 which13 NGFWs13 will13 work13 for13 them13 and13 which13 wonrsquot13 For13 example13 bull Dell13 SonicWall13 provides13 security13 services13 such13 as13 gateway13
an-shy‐malware13 content13 filtering13 and13 client13 anvirus13 and13 anspyware13 that13 are13 licensed13 on13 an13 annual13 subscripon13 contract13 Dell13 SecureWorks13 premium13 Global13 Threat13 Intelligence13 service13 is13 an13 addional13 subscripon13
bull Cisco13 provides13 Applicaon13 Visibility13 and13 Control13 as13 part13 of13 the13 base13 configuraon13 at13 no13 cost13 but13 separate13 licenses13 are13 required13 for13 Next13 Generaon13 Intrusion13 Prevenon13 Systems13 (NGIPS)13 Advanced13 Malware13 Protecon13 and13 URL13 filtering13
bull McAfee13 provides13 clustering13 and13 mul-shy‐Link13 as13 standard13 features13 with13 McAfee13 Next13 Generaon13 Firewall13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key differentiators between NGFW products
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year old in-house dedicated security research team -- FortiGuard Labs -- one of the few NGFW vendors that have its own, since most OEM this activity. Fortinet also purports to have NGFW FortiGate that can deliver five times better performance of comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

Key differentiators between NGFW products
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention, and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in, and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical

Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

Alignment with existing IT strategies
• Organizations that deploy NGFWs may discover they do not require all the security features these appliances support.
• Features required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.
• Some NGFWs have security features built into the appliance at no additional cost.
• Some organizations do not activate features since they have not found them necessary or because they do not fit their business model.

For example
• Large retail companies might opt for a NGFW solution at the corporate headquarters but go with point solutions in each retail store -- whether from the same vendor or not.
• Online retail businesses that do not have brick and mortar locations typically require robust, and therefore increasingly integrated, network security solutions that focus on QoS, load balancing, IPS, web application security, SSL VPN and strong firewalls with deep packet inspection.
• Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would need to also address remote access controls, two-factor authentication, Active Directory integration and possibly DLP.

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources -- people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS).
• Hardware-based NGFWs appeal best to large and midsize enterprises.
• Software-based NGFWs appeal to small companies with simple network infrastructures.
• Cloud-based NGFWs appeal to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated.

Feature Set
• Not all NGFW features are similarly available by vendor.
• NGFW features typically consist of:
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion.
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions.

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability
• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.

What features are available in the NGFW
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

What features are available in the NGFW
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature: although NGFWs that provide it, such as Checkpoint, offer it with over 600 file types, you might determine that a full-featured DLP solution is still required if the Checkpoint is not sufficient.
• The same would apply to web application firewall (WAF) features, such as that of the Dell Sonicwall, which again is not a full-featured WAF.

What features are available in the NGFW
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale based on the type of hardware utilized and service contract.
For13 example13
2713
bull Large13 retail13 companies13 might13 opt13 for13 a13 NGFW13 soluon13 at13 the13 corporate13 headquarters13 but13 go13 with13 point13 soluons13 in13 each13 retail13 store13 -shy‐-shy‐13 whether13 from13 the13 same13 vendor13 or13 not13
bull Online13 retail13 businesses13 that13 do13 not13 have13 brick13 and13 mortar13 locaons13 typically13 require13 robust13 and13 therefore13 increasingly13 integrated13 network13 security13 soluons13 that13 focus13 on13 QoS13 load13 balancing13 IPS13 web13 applicaon13 security13 SSL13 VPN13 and13 strong13 firewalls13 with13 deep13 packet13 inspecon13
bull Enterprises13 that13 are13 heavily13 regulated13 via13 standards13 (eg13 PCI13 HIPAA13 HITECH13 Act13 Sarbanes-shy‐Oxley13 FISMA13 PERC13 etc)13 would13 need13 to13 also13 address13 remote13 access13 controls13 two-shy‐factor13 authencaon13 Acve13 Directory13 integraon13 and13 possibly13 DLP13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Alignment13 with13 exisng13 IT13 strategies13
2813
bull Whatever13 course13 is13 taken13 informaon13 security13 decisions13 need13 to13 integrated13 with13 ITrsquos13 strategic13 goals13 13 13
bull IT13 in13 turn13 exists13 to13 support13 the13 business13 IT13 does13 not13 drive13 the13 business13 13
bull The13 business13 drives13 the13 business13 13 bull ITrsquos13 purpose13 is13 to13 ensure13 the13 IT13 infrastructure13
(perimeter13 and13 core13 deployments)13 exist13 to13 allow13 the13 business13 to13 achieve13 its13 strategic13 goals13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Total13 Cost13 of13 Ownership13 (TCO)13
2913
TCO13 establishes13 the13 right13 complement13 of13 resources13 -shy‐-shy‐13 people13 and13 technology13 bull Total13 cost13 of13 technology13 (TCT)13 The13 cost13 of13 technology13
that13 is13 required13 to13 deploy13 monitor13 and13 report13 on13 the13 state13 of13 informaon13 security13 for13 the13 enterprise13
bull Total13 cost13 of13 risk13 (TCR)13 The13 cost13 to13 esmate13 and13 not13 deploy13 resources13 processes13 or13 technology13 for13 your13 enterprise13 such13 as13 compliance13 risk13 security13 risk13 legal13 risk13 and13 reputaon13 risk13
bull Total13 cost13 of13 maintenance13 (TCM)13 The13 cost13 of13 maintaining13 the13 informaon13 security13 program13 such13 as13 people13 skills13 flexibility13 scalability13 and13 comprehensiveness13 of13 the13 systems13 deployed13
1111513 3013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
CASE13 FOR13 A13 NGFW13
3013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Six13 Criteria13 for13 buying13 a13 NGFW13
3113
It13 is13 clear13 that13 regardless13 of13 what13 vendors13 call13 their13 NGFW13 products13 it13 is13 incumbent13 that13 buyers13 understand13 the13 precise13 features13 each13 NGFW13 product13 under13 consideraon13 includes13 Letrsquos13 look13 at13 six13 criteria13 13
bull Plaborm13 Type13 bull Feature13 Set13 bull Performance13 bull Manageability13 bull Price13 bull Support13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Plaborm13 Type13
3213
bull How13 is13 the13 NFGW13 provided13 13 bull Most13 next-shy‐gen13 firewalls13 are13 hardware-shy‐13 (appliance)13
sofware-shy‐13 (downloadable)13 or13 cloud-shy‐based13 (SaaS)13 bull Hardware-shy‐based13 NGFWs13 appeal13 best13 to13 large13 and13
midsize13 enterprises13 bull Sofware-shy‐based13 NGFWs13 to13 small13 companies13 with13 simple13
network13 infrastructures13 bull Cloud-shy‐based13 NGFWs13 to13 highly13 decentralized13 mul-shy‐
locaon13 sites13 or13 enterprises13 where13 the13 required13 skill13 set13 to13 manage13 them13 is13 wanng13 or13 reallocated13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Feature13 Set13
3313
bull Not13 all13 NGFW13 features13 are13 similarly13 available13 by13 vendor13 bull NGFW13 features13 typically13 consist13 of13 13
bull inline13 deep13 packet13 inspecon13 firewalls13 13 bull IDSIPS13 13 bull applicaon13 inspecon13 and13 control13 13 bull SSLSSH13 inspecon13 13 bull website13 filtering13 and13 13 bull QoSbandwidth13 management13 to13 protect13 networks13
against13 the13 latest13 in13 sophiscated13 network13 adacks13 and13 intrusion13 13
bull Addionally13 most13 NGFWs13 offer13 threat13 intelligence13 mobile13 device13 security13 data13 loss13 prevenon13 (DLP)13 Acve13 Directory13 integraon13 and13 an13 open13 architecture13 that13 allows13 clients13 to13 tailor13 applicaon13 control13 and13 even13 some13 firewall13 rule13 definions13

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability
• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request; quality and accuracy of the service response; currency of product updates; and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

What features are available in the NGFW?
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, which offers it with over 600 types, but you might determine that a full-featured DLP solution is still required if the Checkpoint is not sufficient.
• The same would apply to web application firewalls (WAF): some NGFWs, such as the Dell Sonicwall, provide one, but again it is not a full-featured WAF.

What features are available in the NGFW?
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5,000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.

Key differentiators between NGFW products
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs -- as one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports to have NGFW FortiGate that can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

Key differentiators between NGFW products
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention, and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players,
(2) develop a short list,
(3) perform a proof of concept – POC,
(4) make reference calls,
(5) consider cost,
(6) obtain management buy-in, and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

Alignment with existing IT strategies
• Whatever course is taken, information security decisions need to be integrated with IT's strategic goals.
• IT, in turn, exists to support the business. IT does not drive the business.
• The business drives the business.
• IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals.

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources -- people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people, skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Plaborm13 Type13
3213
bull How13 is13 the13 NFGW13 provided13 13 bull Most13 next-shy‐gen13 firewalls13 are13 hardware-shy‐13 (appliance)13
sofware-shy‐13 (downloadable)13 or13 cloud-shy‐based13 (SaaS)13 bull Hardware-shy‐based13 NGFWs13 appeal13 best13 to13 large13 and13
midsize13 enterprises13 bull Sofware-shy‐based13 NGFWs13 to13 small13 companies13 with13 simple13
network13 infrastructures13 bull Cloud-shy‐based13 NGFWs13 to13 highly13 decentralized13 mul-shy‐
locaon13 sites13 or13 enterprises13 where13 the13 required13 skill13 set13 to13 manage13 them13 is13 wanng13 or13 reallocated13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Feature13 Set13
3313
bull Not13 all13 NGFW13 features13 are13 similarly13 available13 by13 vendor13 bull NGFW13 features13 typically13 consist13 of13 13
bull inline13 deep13 packet13 inspecon13 firewalls13 13 bull IDSIPS13 13 bull applicaon13 inspecon13 and13 control13 13 bull SSLSSH13 inspecon13 13 bull website13 filtering13 and13 13 bull QoSbandwidth13 management13 to13 protect13 networks13
against13 the13 latest13 in13 sophiscated13 network13 adacks13 and13 intrusion13 13
bull Addionally13 most13 NGFWs13 offer13 threat13 intelligence13 mobile13 device13 security13 data13 loss13 prevenon13 (DLP)13 Acve13 Directory13 integraon13 and13 an13 open13 architecture13 that13 allows13 clients13 to13 tailor13 applicaon13 control13 and13 even13 some13 firewall13 rule13 definions13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Performance13
3413
bull Because13 NGFWs13 integrate13 many13 features13 into13 a13 single13 appliance13 they13 may13 seem13 adracve13 to13 some13 organizaons13 13
bull However13 enabling13 all13 available13 features13 at13 once13 could13 result13 in13 serious13 performance13 degradaon13 13
bull NGFW13 performance13 metrics13 have13 improved13 over13 the13 years13 but13 the13 buyer13 needs13 to13 seriously13 consider13 performance13 in13 relaonship13 to13 the13 security13 features13 they13 want13 to13 enable13 when13 determining13 the13 vendors13 they13 approach13 and13 the13 model13 of13 NGFW13 they13 choose13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Manageability13
3513
bull This13 criterion13 involves13 system13 configuraon13 requirements13 and13 usability13 of13 the13 management13 console13
bull It13 considers13 how13 the13 NGFW13 manages13 complex13 environments13 with13 many13 firewalls13 and13 users13 and13 very13 narrow13 firewall13 change13 windows13
bull System13 configuraon13 changes13 and13 the13 user13 interface13 of13 the13 management13 console13 should13 be13 1 comprehensive13 -shy‐13 such13 that13 it13 covers13 an13 array13 of13 features13
that13 preclude13 the13 need13 for13 augmentaon13 by13 other13 point13 soluons13 13
2 flexible13 -shy‐13 possible13 to13 exclude13 features13 that13 are13 not13 needed13 in13 the13 enterprise13 environment13 and13 13
3 easy13 to13 use13 -shy‐13 such13 that13 the13 management13 console13 individual13 feature13 dashboards13 and13 reporng13 are13 intuive13 and13 incisive13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Price13
3613
bull NGFW13 appliance13 sofware13 and13 cloud13 service13 pricing13 varies13 considerably13 by13 vendor13 and13 model13
bull Prices13 range13 from13 $59913 to13 $80000+13 per13 device13 bull Some13 are13 even13 priced13 by13 number13 of13 users13 (eg13 $110013
for13 1-shy‐9913 users13 to13 $10000013 for13 500013 users+)13 13 bull All13 meanwhile13 have13 separate13 pricing13 for13 service13
contracts13 bull If13 possible13 do13 not13 pay13 retail13 prices13 13 bull Most13 vendors13 will13 provide13 volume13 discounts13 (the13 more13
users13 supported13 the13 less13 it13 costs13 per13 user13 for13 example)13 or13 discounts13 with13 viable13 prospects13 of13 further13 purchases13
bull Purchase13 at13 month-shy‐end13 and13 quarter-shy‐end13 Sales13 people13 have13 goals13 that13 can13 be13 leveraged13 for13 pricing13 to13 your13 advantage13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Support13
3713
bull The13 201513 Gartner13 Magic13 Quadrant13 on13 NGFW13 also13 rated13 support13 -shy‐-shy‐13 with13 quality13 breadth13 and13 value13 of13 NGFW13 offerings13 viewed13 from13 the13 vantage13 point13 of13 enterprise13 needs13 13
bull Given13 the13 crical13 nature13 of13 NGFWs13 mely13 and13 accurate13 support13 is13 essenal13 Obtain13 references13 and13 ask13 to13 speak13 with13 vendor13 clients13 without13 the13 vendor13 present13
bull Support13 criteria13 for13 NGFWs13 should13 address13 responsiveness13 ranked13 by13 type13 of13 service13 request13 quality13 and13 accuracy13 of13 the13 service13 response13 currency13 of13 product13 updates13 and13 customer13 educaon13 and13 awareness13 of13 current13 events13
1111513 3813
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 VENDORS13
3813
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
NGFW13 Players13
3913
The13 top13 nine13 NGFW13 vendors13 are13 13 bull Checkpoint13 bull Dell13 Sonicwall13 13 bull Palo13 Alto13 bull Cisco13 bull Fornet13 13 bull HP13 TippingPoint13 13 bull McAfee13 13 bull Barracuda13 13 There13 are13 other13 NGFW13 vendors13 but13 these13 are13 the13 top13 913
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Quesons13 to13 consider13
4013
Quesons13 to13 consider13 when13 comparing13 these13 and13 other13 NGFW13 products13 include13 13
bull What13 is13 their13 product13 line13 13 bull Is13 their13 NGFW13 for13 cloud13 service13 providers13 large13
enterprises13 SMBs13 or13 small13 companies13 13 bull What13 are13 the13 NGFW13 features13 that13 come13 with13 the13
base13 product13 13 bull What13 features13 need13 an13 extra13 license(s)13 13 bull How13 is13 the13 NGFW13 sold13 and13 priced13 13 bull What13 differenates13 their13 NFGW13 from13 other13 vendor13
NGFW13 products13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4113
Non-shy‐common13 NGFW13 features13 vary13 by13 vendor13 So13 this13 is13 where13 organizaons13 can13 start13 to13 differenate13 which13 NGFWs13 will13 work13 for13 them13 and13 which13 wonrsquot13 For13 example13 bull Dell13 SonicWall13 provides13 security13 services13 such13 as13 gateway13
an-shy‐malware13 content13 filtering13 and13 client13 anvirus13 and13 anspyware13 that13 are13 licensed13 on13 an13 annual13 subscripon13 contract13 Dell13 SecureWorks13 premium13 Global13 Threat13 Intelligence13 service13 is13 an13 addional13 subscripon13
bull Cisco13 provides13 Applicaon13 Visibility13 and13 Control13 as13 part13 of13 the13 base13 configuraon13 at13 no13 cost13 but13 separate13 licenses13 are13 required13 for13 Next13 Generaon13 Intrusion13 Prevenon13 Systems13 (NGIPS)13 Advanced13 Malware13 Protecon13 and13 URL13 filtering13
bull McAfee13 provides13 clustering13 and13 mul-shy‐Link13 as13 standard13 features13 with13 McAfee13 Next13 Generaon13 Firewall13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players,
(2) develop a short list,
(3) perform a proof of concept – POC,
(4) make reference calls,
(5) consider cost,
(6) obtain management buy-in, and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

Total Cost of Ownership (TCO)
TCO establishes the right complement of resources -- people and technology.
• Total cost of technology (TCT): The cost of technology that is required to deploy, monitor and report on the state of information security for the enterprise.
• Total cost of risk (TCR): The cost to estimate and not deploy resources, processes or technology for your enterprise, such as compliance risk, security risk, legal risk and reputation risk.
• Total cost of maintenance (TCM): The cost of maintaining the information security program, such as people skills, flexibility, scalability and comprehensiveness of the systems deployed.

CASE FOR A NGFW

Six Criteria for buying a NGFW
It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type
• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS).
• Hardware-based NGFWs appeal best to large and midsize enterprises.
• Software-based NGFWs appeal to small companies with simple network infrastructures.
• Cloud-based NGFWs appeal to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated.

Feature Set
• Not all NGFW features are similarly available by vendor.
• NGFW features typically consist of:
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion.
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions.

Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability
• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell SonicWall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

What features are available in the NGFW?
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs such as Checkpoint provide it (offered with over 600 types), but you might determine that a full-featured DLP solution is still required if the Checkpoint feature is not sufficient.
• The same would apply to web application firewalls (WAF): an NGFW such as the Dell SonicWall offers one, but again it is not a full-featured WAF.

What features are available in the NGFW?
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.
1111513 3013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
CASE13 FOR13 A13 NGFW13
3013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Six13 Criteria13 for13 buying13 a13 NGFW13
3113
It13 is13 clear13 that13 regardless13 of13 what13 vendors13 call13 their13 NGFW13 products13 it13 is13 incumbent13 that13 buyers13 understand13 the13 precise13 features13 each13 NGFW13 product13 under13 consideraon13 includes13 Letrsquos13 look13 at13 six13 criteria13 13
bull Plaborm13 Type13 bull Feature13 Set13 bull Performance13 bull Manageability13 bull Price13 bull Support13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Plaborm13 Type13
3213
bull How13 is13 the13 NFGW13 provided13 13 bull Most13 next-shy‐gen13 firewalls13 are13 hardware-shy‐13 (appliance)13
sofware-shy‐13 (downloadable)13 or13 cloud-shy‐based13 (SaaS)13 bull Hardware-shy‐based13 NGFWs13 appeal13 best13 to13 large13 and13
midsize13 enterprises13 bull Sofware-shy‐based13 NGFWs13 to13 small13 companies13 with13 simple13
network13 infrastructures13 bull Cloud-shy‐based13 NGFWs13 to13 highly13 decentralized13 mul-shy‐
locaon13 sites13 or13 enterprises13 where13 the13 required13 skill13 set13 to13 manage13 them13 is13 wanng13 or13 reallocated13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Feature13 Set13
3313
bull Not13 all13 NGFW13 features13 are13 similarly13 available13 by13 vendor13 bull NGFW13 features13 typically13 consist13 of13 13
bull inline13 deep13 packet13 inspecon13 firewalls13 13 bull IDSIPS13 13 bull applicaon13 inspecon13 and13 control13 13 bull SSLSSH13 inspecon13 13 bull website13 filtering13 and13 13 bull QoSbandwidth13 management13 to13 protect13 networks13
against13 the13 latest13 in13 sophiscated13 network13 adacks13 and13 intrusion13 13
bull Addionally13 most13 NGFWs13 offer13 threat13 intelligence13 mobile13 device13 security13 data13 loss13 prevenon13 (DLP)13 Acve13 Directory13 integraon13 and13 an13 open13 architecture13 that13 allows13 clients13 to13 tailor13 applicaon13 control13 and13 even13 some13 firewall13 rule13 definions13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Performance13
3413
bull Because13 NGFWs13 integrate13 many13 features13 into13 a13 single13 appliance13 they13 may13 seem13 adracve13 to13 some13 organizaons13 13
bull However13 enabling13 all13 available13 features13 at13 once13 could13 result13 in13 serious13 performance13 degradaon13 13
bull NGFW13 performance13 metrics13 have13 improved13 over13 the13 years13 but13 the13 buyer13 needs13 to13 seriously13 consider13 performance13 in13 relaonship13 to13 the13 security13 features13 they13 want13 to13 enable13 when13 determining13 the13 vendors13 they13 approach13 and13 the13 model13 of13 NGFW13 they13 choose13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Manageability13
3513
bull This13 criterion13 involves13 system13 configuraon13 requirements13 and13 usability13 of13 the13 management13 console13
bull It13 considers13 how13 the13 NGFW13 manages13 complex13 environments13 with13 many13 firewalls13 and13 users13 and13 very13 narrow13 firewall13 change13 windows13
bull System13 configuraon13 changes13 and13 the13 user13 interface13 of13 the13 management13 console13 should13 be13 1 comprehensive13 -shy‐13 such13 that13 it13 covers13 an13 array13 of13 features13
that13 preclude13 the13 need13 for13 augmentaon13 by13 other13 point13 soluons13 13
2 flexible13 -shy‐13 possible13 to13 exclude13 features13 that13 are13 not13 needed13 in13 the13 enterprise13 environment13 and13 13
3 easy13 to13 use13 -shy‐13 such13 that13 the13 management13 console13 individual13 feature13 dashboards13 and13 reporng13 are13 intuive13 and13 incisive13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Price13
3613
bull NGFW13 appliance13 sofware13 and13 cloud13 service13 pricing13 varies13 considerably13 by13 vendor13 and13 model13
bull Prices13 range13 from13 $59913 to13 $80000+13 per13 device13 bull Some13 are13 even13 priced13 by13 number13 of13 users13 (eg13 $110013
for13 1-shy‐9913 users13 to13 $10000013 for13 500013 users+)13 13 bull All13 meanwhile13 have13 separate13 pricing13 for13 service13
contracts13 bull If13 possible13 do13 not13 pay13 retail13 prices13 13 bull Most13 vendors13 will13 provide13 volume13 discounts13 (the13 more13
users13 supported13 the13 less13 it13 costs13 per13 user13 for13 example)13 or13 discounts13 with13 viable13 prospects13 of13 further13 purchases13
bull Purchase13 at13 month-shy‐end13 and13 quarter-shy‐end13 Sales13 people13 have13 goals13 that13 can13 be13 leveraged13 for13 pricing13 to13 your13 advantage13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Support13
3713
bull The13 201513 Gartner13 Magic13 Quadrant13 on13 NGFW13 also13 rated13 support13 -shy‐-shy‐13 with13 quality13 breadth13 and13 value13 of13 NGFW13 offerings13 viewed13 from13 the13 vantage13 point13 of13 enterprise13 needs13 13
bull Given13 the13 crical13 nature13 of13 NGFWs13 mely13 and13 accurate13 support13 is13 essenal13 Obtain13 references13 and13 ask13 to13 speak13 with13 vendor13 clients13 without13 the13 vendor13 present13
bull Support13 criteria13 for13 NGFWs13 should13 address13 responsiveness13 ranked13 by13 type13 of13 service13 request13 quality13 and13 accuracy13 of13 the13 service13 response13 currency13 of13 product13 updates13 and13 customer13 educaon13 and13 awareness13 of13 current13 events13
1111513 3813
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 VENDORS13
3813
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
NGFW13 Players13
3913
The13 top13 nine13 NGFW13 vendors13 are13 13 bull Checkpoint13 bull Dell13 Sonicwall13 13 bull Palo13 Alto13 bull Cisco13 bull Fornet13 13 bull HP13 TippingPoint13 13 bull McAfee13 13 bull Barracuda13 13 There13 are13 other13 NGFW13 vendors13 but13 these13 are13 the13 top13 913
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Quesons13 to13 consider13
4013
Quesons13 to13 consider13 when13 comparing13 these13 and13 other13 NGFW13 products13 include13 13
bull What13 is13 their13 product13 line13 13 bull Is13 their13 NGFW13 for13 cloud13 service13 providers13 large13
enterprises13 SMBs13 or13 small13 companies13 13 bull What13 are13 the13 NGFW13 features13 that13 come13 with13 the13
base13 product13 13 bull What13 features13 need13 an13 extra13 license(s)13 13 bull How13 is13 the13 NGFW13 sold13 and13 priced13 13 bull What13 differenates13 their13 NFGW13 from13 other13 vendor13
NGFW13 products13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4113
Non-shy‐common13 NGFW13 features13 vary13 by13 vendor13 So13 this13 is13 where13 organizaons13 can13 start13 to13 differenate13 which13 NGFWs13 will13 work13 for13 them13 and13 which13 wonrsquot13 For13 example13 bull Dell13 SonicWall13 provides13 security13 services13 such13 as13 gateway13
an-shy‐malware13 content13 filtering13 and13 client13 anvirus13 and13 anspyware13 that13 are13 licensed13 on13 an13 annual13 subscripon13 contract13 Dell13 SecureWorks13 premium13 Global13 Threat13 Intelligence13 service13 is13 an13 addional13 subscripon13
bull Cisco13 provides13 Applicaon13 Visibility13 and13 Control13 as13 part13 of13 the13 base13 configuraon13 at13 no13 cost13 but13 separate13 licenses13 are13 required13 for13 Next13 Generaon13 Intrusion13 Prevenon13 Systems13 (NGIPS)13 Advanced13 Malware13 Protecon13 and13 URL13 filtering13
bull McAfee13 provides13 clustering13 and13 mul-shy‐Link13 as13 standard13 features13 with13 McAfee13 Next13 Generaon13 Firewall13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513

What features are available in the NGFW?

• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

What features are available in the NGFW?

The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, which offers it with over 600 types. You might still determine that a full-featured DLP solution is required if the Checkpoint is not sufficient.
• The same would apply to web application firewalls (WAF), such as the one in the Dell SonicWall, which again is not a full-featured WAF.

What features are available in the NGFW?

• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.

Key differentiators between NGFW products

• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs. It is one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

Key differentiators between NGFW products

• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept (POC)
(4) make reference calls
(5) consider cost
(6) obtain management buy-in and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical

Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise, all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW

• Platform Based: appliance/software/SaaS
• Feature Set: baseline and add-ons
• Performance: NSS Labs results
• Manageability: comprehensive/easy to use
• Threat Intelligence: currency/accuracy/completeness
• TCO: total cost of ownership
• Risk: consider the business model and objectives
• Price: you get what you pay for
• Support: what is support experience
• Differentiators: what sets them apart

BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity (TechTarget). Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002-2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

Six Criteria for buying a NGFW

It is clear that, regardless of what vendors call their NGFW products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. Let's look at six criteria:
• Platform Type
• Feature Set
• Performance
• Manageability
• Price
• Support

Platform Type

• How is the NGFW provided?
• Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS).
• Hardware-based NGFWs appeal best to large and midsize enterprises.
• Software-based NGFWs to small companies with simple network infrastructures.
• Cloud-based NGFWs to highly decentralized multi-location sites or enterprises where the required skill set to manage them is wanting or reallocated.

Feature Set

• Not all NGFW features are similarly available by vendor.
• NGFW features typically consist of:
  • inline deep packet inspection firewalls,
  • IDS/IPS,
  • application inspection and control,
  • SSL/SSH inspection,
  • website filtering, and
  • QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion.
• Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions.

Performance

• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

Manageability

• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price

• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support

• The 2015 Gartner Magic Quadrant on NGFW also rated support, with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.

NGFW VENDORS
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
NGFW13 Players13
3913
The13 top13 nine13 NGFW13 vendors13 are13 13 bull Checkpoint13 bull Dell13 Sonicwall13 13 bull Palo13 Alto13 bull Cisco13 bull Fornet13 13 bull HP13 TippingPoint13 13 bull McAfee13 13 bull Barracuda13 13 There13 are13 other13 NGFW13 vendors13 but13 these13 are13 the13 top13 913
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Quesons13 to13 consider13
4013
Quesons13 to13 consider13 when13 comparing13 these13 and13 other13 NGFW13 products13 include13 13
bull What13 is13 their13 product13 line13 13 bull Is13 their13 NGFW13 for13 cloud13 service13 providers13 large13
enterprises13 SMBs13 or13 small13 companies13 13 bull What13 are13 the13 NGFW13 features13 that13 come13 with13 the13
base13 product13 13 bull What13 features13 need13 an13 extra13 license(s)13 13 bull How13 is13 the13 NGFW13 sold13 and13 priced13 13 bull What13 differenates13 their13 NFGW13 from13 other13 vendor13
NGFW13 products13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4113
Non-shy‐common13 NGFW13 features13 vary13 by13 vendor13 So13 this13 is13 where13 organizaons13 can13 start13 to13 differenate13 which13 NGFWs13 will13 work13 for13 them13 and13 which13 wonrsquot13 For13 example13 bull Dell13 SonicWall13 provides13 security13 services13 such13 as13 gateway13
an-shy‐malware13 content13 filtering13 and13 client13 anvirus13 and13 anspyware13 that13 are13 licensed13 on13 an13 annual13 subscripon13 contract13 Dell13 SecureWorks13 premium13 Global13 Threat13 Intelligence13 service13 is13 an13 addional13 subscripon13
bull Cisco13 provides13 Applicaon13 Visibility13 and13 Control13 as13 part13 of13 the13 base13 configuraon13 at13 no13 cost13 but13 separate13 licenses13 are13 required13 for13 Next13 Generaon13 Intrusion13 Prevenon13 Systems13 (NGIPS)13 Advanced13 Malware13 Protecon13 and13 URL13 filtering13
bull McAfee13 provides13 clustering13 and13 mul-shy‐Link13 as13 standard13 features13 with13 McAfee13 Next13 Generaon13 Firewall13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
5013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
EvaluaBon13 and13 Audit13 of13 NGFW13
v Plaborm13 Based13 ndash13 appliancesofwareSaaS13 v Feature13 Set13 ndash13 baseline13 and13 add-shy‐ons13 v Performance13 ndash13 NSS13 Labs13 results13 v Manageability13 ndash13 comprehensiveeasy13 to13 use13 v Threat13 Intelligence13 ndash13 currencyaccuracycompleteness13 v TCO13 ndash13 total13 cost13 of13 ownership13 v Risk13 ndash13 consider13 the13 business13 model13 and13 objecves13 v Price13 ndash13 you13 get13 what13 you13 pay13 for13 v Support13 ndash13 what13 is13 support13 experience13 v Differenators13 ndash13 what13 sets13 them13 apart13 13
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Plaborm13 Type13
3213
bull How13 is13 the13 NFGW13 provided13 13 bull Most13 next-shy‐gen13 firewalls13 are13 hardware-shy‐13 (appliance)13
sofware-shy‐13 (downloadable)13 or13 cloud-shy‐based13 (SaaS)13 bull Hardware-shy‐based13 NGFWs13 appeal13 best13 to13 large13 and13
midsize13 enterprises13 bull Sofware-shy‐based13 NGFWs13 to13 small13 companies13 with13 simple13
network13 infrastructures13 bull Cloud-shy‐based13 NGFWs13 to13 highly13 decentralized13 mul-shy‐
locaon13 sites13 or13 enterprises13 where13 the13 required13 skill13 set13 to13 manage13 them13 is13 wanng13 or13 reallocated13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Feature13 Set13
3313
bull Not13 all13 NGFW13 features13 are13 similarly13 available13 by13 vendor13 bull NGFW13 features13 typically13 consist13 of13 13
bull inline13 deep13 packet13 inspecon13 firewalls13 13 bull IDSIPS13 13 bull applicaon13 inspecon13 and13 control13 13 bull SSLSSH13 inspecon13 13 bull website13 filtering13 and13 13 bull QoSbandwidth13 management13 to13 protect13 networks13
against13 the13 latest13 in13 sophiscated13 network13 adacks13 and13 intrusion13 13
bull Addionally13 most13 NGFWs13 offer13 threat13 intelligence13 mobile13 device13 security13 data13 loss13 prevenon13 (DLP)13 Acve13 Directory13 integraon13 and13 an13 open13 architecture13 that13 allows13 clients13 to13 tailor13 applicaon13 control13 and13 even13 some13 firewall13 rule13 definions13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Performance13
3413
bull Because13 NGFWs13 integrate13 many13 features13 into13 a13 single13 appliance13 they13 may13 seem13 adracve13 to13 some13 organizaons13 13
bull However13 enabling13 all13 available13 features13 at13 once13 could13 result13 in13 serious13 performance13 degradaon13 13
bull NGFW13 performance13 metrics13 have13 improved13 over13 the13 years13 but13 the13 buyer13 needs13 to13 seriously13 consider13 performance13 in13 relaonship13 to13 the13 security13 features13 they13 want13 to13 enable13 when13 determining13 the13 vendors13 they13 approach13 and13 the13 model13 of13 NGFW13 they13 choose13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Manageability
• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards, and reporting are intuitive and incisive.

Price
• NGFW appliance, software, and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support, with quality, breadth, and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs, or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection, and URL filtering.
• McAfee provides clustering and multi-Link as standard features with the McAfee Next Generation Firewall license.

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

What features are available in the NGFW?
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide one, such as Checkpoint, which offers it with over 600 file types. You might still determine that a full-featured DLP solution is required if the Checkpoint feature is not sufficient.
• The same would apply to web application firewall (WAF) features, such as the one in the Dell Sonicwall, which again is not a full-featured WAF.

What features are available in the NGFW?
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS, and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee, and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed, and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5,000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage, and monitor many thousands of firewalls through a single pane of glass.

Key differentiators between NGFW products
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection, and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs. It is one of the few NGFW vendors that have their own, since most OEM this activity. Fortinet also purports to have an NGFW, FortiGate, that can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective, and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

Key differentiators between NGFW products
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention, and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into its large-scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players,
(2) develop a short list,
(3) perform a proof of concept (POC),
(4) make reference calls,
(5) consider cost,
(6) obtain management buy-in, and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise, all important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based: appliance/software/SaaS
• Feature Set: baseline and add-ons
• Performance: NSS Labs results
• Manageability: comprehensive/easy to use
• Threat Intelligence: currency/accuracy/completeness
• TCO: total cost of ownership
• Risk: consider the business model and objectives
• Price: you get what you pay for
• Support: what is support experience
• Differentiators: what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity (TechTarget). Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC, and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002-2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.
13
Performance
• Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations.
• However, enabling all available features at once could result in serious performance degradation.
• NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.
2015 Fall Conference – “CyberSizeIT”, November 9 – 11, 2015

Manageability
• This criterion involves system configuration requirements and usability of the management console.
• It considers how the NGFW manages complex environments with many firewalls and users, and very narrow firewall change windows.
• System configuration changes and the user interface of the management console should be:
  1. comprehensive - such that it covers an array of features that preclude the need for augmentation by other point solutions;
  2. flexible - possible to exclude features that are not needed in the enterprise environment; and
  3. easy to use - such that the management console, individual feature dashboards and reporting are intuitive and incisive.

Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.

Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.

NGFW VENDORS

NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.

Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?

What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won’t. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with McAfee Next Generation Firewall license.

What features are available in the NGFW?
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

What features are available in the NGFW?
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, an NGFW that provides it, such as Checkpoint (offered with over 600 types), may not be sufficient, and you might determine that a full-featured DLP solution is still required.
• The same would apply to web application firewalls (WAF), such as the one in the Dell Sonicwall, which again is not a full-featured WAF.

What features are available in the NGFW?
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper’s Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, the largest application library (over 5,000), data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.

Key differentiators between NGFW products
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs; it is one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW’s simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

Key differentiators between NGFW products
• McAfee NGFW provides “intelligence aware” security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large-scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players,
(2) develop a short list,
(3) perform a proof of concept – POC,
(4) make reference calls,
(5) consider cost,
(6) obtain management buy-in, and
(7) work out contract negotiations.
(8) Total cost of ownership (TCO) is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA’s PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget.

Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES.

Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Manageability13
3513
bull This13 criterion13 involves13 system13 configuraon13 requirements13 and13 usability13 of13 the13 management13 console13
bull It13 considers13 how13 the13 NGFW13 manages13 complex13 environments13 with13 many13 firewalls13 and13 users13 and13 very13 narrow13 firewall13 change13 windows13
bull System13 configuraon13 changes13 and13 the13 user13 interface13 of13 the13 management13 console13 should13 be13 1 comprehensive13 -shy‐13 such13 that13 it13 covers13 an13 array13 of13 features13
that13 preclude13 the13 need13 for13 augmentaon13 by13 other13 point13 soluons13 13
2 flexible13 -shy‐13 possible13 to13 exclude13 features13 that13 are13 not13 needed13 in13 the13 enterprise13 environment13 and13 13
3 easy13 to13 use13 -shy‐13 such13 that13 the13 management13 console13 individual13 feature13 dashboards13 and13 reporng13 are13 intuive13 and13 incisive13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Price13
3613
bull NGFW13 appliance13 sofware13 and13 cloud13 service13 pricing13 varies13 considerably13 by13 vendor13 and13 model13
bull Prices13 range13 from13 $59913 to13 $80000+13 per13 device13 bull Some13 are13 even13 priced13 by13 number13 of13 users13 (eg13 $110013
for13 1-shy‐9913 users13 to13 $10000013 for13 500013 users+)13 13 bull All13 meanwhile13 have13 separate13 pricing13 for13 service13
contracts13 bull If13 possible13 do13 not13 pay13 retail13 prices13 13 bull Most13 vendors13 will13 provide13 volume13 discounts13 (the13 more13
users13 supported13 the13 less13 it13 costs13 per13 user13 for13 example)13 or13 discounts13 with13 viable13 prospects13 of13 further13 purchases13
bull Purchase13 at13 month-shy‐end13 and13 quarter-shy‐end13 Sales13 people13 have13 goals13 that13 can13 be13 leveraged13 for13 pricing13 to13 your13 advantage13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Support13
3713
bull The13 201513 Gartner13 Magic13 Quadrant13 on13 NGFW13 also13 rated13 support13 -shy‐-shy‐13 with13 quality13 breadth13 and13 value13 of13 NGFW13 offerings13 viewed13 from13 the13 vantage13 point13 of13 enterprise13 needs13 13
bull Given13 the13 crical13 nature13 of13 NGFWs13 mely13 and13 accurate13 support13 is13 essenal13 Obtain13 references13 and13 ask13 to13 speak13 with13 vendor13 clients13 without13 the13 vendor13 present13
bull Support13 criteria13 for13 NGFWs13 should13 address13 responsiveness13 ranked13 by13 type13 of13 service13 request13 quality13 and13 accuracy13 of13 the13 service13 response13 currency13 of13 product13 updates13 and13 customer13 educaon13 and13 awareness13 of13 current13 events13
1111513 3813
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 VENDORS13
3813
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
NGFW13 Players13
3913
The13 top13 nine13 NGFW13 vendors13 are13 13 bull Checkpoint13 bull Dell13 Sonicwall13 13 bull Palo13 Alto13 bull Cisco13 bull Fornet13 13 bull HP13 TippingPoint13 13 bull McAfee13 13 bull Barracuda13 13 There13 are13 other13 NGFW13 vendors13 but13 these13 are13 the13 top13 913
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Quesons13 to13 consider13
4013
Quesons13 to13 consider13 when13 comparing13 these13 and13 other13 NGFW13 products13 include13 13
bull What13 is13 their13 product13 line13 13 bull Is13 their13 NGFW13 for13 cloud13 service13 providers13 large13
enterprises13 SMBs13 or13 small13 companies13 13 bull What13 are13 the13 NGFW13 features13 that13 come13 with13 the13
base13 product13 13 bull What13 features13 need13 an13 extra13 license(s)13 13 bull How13 is13 the13 NGFW13 sold13 and13 priced13 13 bull What13 differenates13 their13 NFGW13 from13 other13 vendor13
NGFW13 products13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4113
Non-shy‐common13 NGFW13 features13 vary13 by13 vendor13 So13 this13 is13 where13 organizaons13 can13 start13 to13 differenate13 which13 NGFWs13 will13 work13 for13 them13 and13 which13 wonrsquot13 For13 example13 bull Dell13 SonicWall13 provides13 security13 services13 such13 as13 gateway13
an-shy‐malware13 content13 filtering13 and13 client13 anvirus13 and13 anspyware13 that13 are13 licensed13 on13 an13 annual13 subscripon13 contract13 Dell13 SecureWorks13 premium13 Global13 Threat13 Intelligence13 service13 is13 an13 addional13 subscripon13
bull Cisco13 provides13 Applicaon13 Visibility13 and13 Control13 as13 part13 of13 the13 base13 configuraon13 at13 no13 cost13 but13 separate13 licenses13 are13 required13 for13 Next13 Generaon13 Intrusion13 Prevenon13 Systems13 (NGIPS)13 Advanced13 Malware13 Protecon13 and13 URL13 filtering13
bull McAfee13 provides13 clustering13 and13 mul-shy‐Link13 as13 standard13 features13 with13 McAfee13 Next13 Generaon13 Firewall13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
5013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
EvaluaBon13 and13 Audit13 of13 NGFW13
v Plaborm13 Based13 ndash13 appliancesofwareSaaS13 v Feature13 Set13 ndash13 baseline13 and13 add-shy‐ons13 v Performance13 ndash13 NSS13 Labs13 results13 v Manageability13 ndash13 comprehensiveeasy13 to13 use13 v Threat13 Intelligence13 ndash13 currencyaccuracycompleteness13 v TCO13 ndash13 total13 cost13 of13 ownership13 v Risk13 ndash13 consider13 the13 business13 model13 and13 objecves13 v Price13 ndash13 you13 get13 what13 you13 pay13 for13 v Support13 ndash13 what13 is13 support13 experience13 v Differenators13 ndash13 what13 sets13 them13 apart13 13
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.
Price
• NGFW appliance, software and cloud service pricing varies considerably by vendor and model.
• Prices range from $599 to $80,000+ per device.
• Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+).
• All, meanwhile, have separate pricing for service contracts.
• If possible, do not pay retail prices.
• Most vendors will provide volume discounts (the more users supported, the less it costs per user, for example) or discounts with viable prospects of further purchases.
• Purchase at month-end and quarter-end. Sales people have goals that can be leveraged for pricing to your advantage.
Support
• The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs.
• Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.
• Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.
NGFW VENDORS
NGFW Players
The top nine NGFW vendors are:
• Checkpoint
• Dell SonicWall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda
There are other NGFW vendors, but these are the top 9.
Questions to consider
Questions to consider when comparing these and other NGFW products include:
• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?
What features are available in the NGFW?
Non-common NGFW features vary by vendor. So this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and Multi-Link as standard features with the McAfee Next Generation Firewall license.
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.
The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, which offers it with over 600 file types. You might still determine that a full-featured DLP solution is required if the Checkpoint is not sufficient.
• The same would apply to web application firewall (WAF) features, such as the Dell SonicWall's, which again is not a full-featured WAF.
• Another example would be Cisco: malware protection is available with their network anti-virus/malware solution, but additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.
How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.
Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors; the largest application library (over 5,000) of any vendor; data loss prevention (DLP) with over 600 file types; change management (i.e., configuration and rule changes) that no one else has; and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs -- as one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats, and over 383 zero-day filters in 2014 alone.
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.
How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.
NGFW AUDIT
Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Support13
3713
bull The13 201513 Gartner13 Magic13 Quadrant13 on13 NGFW13 also13 rated13 support13 -shy‐-shy‐13 with13 quality13 breadth13 and13 value13 of13 NGFW13 offerings13 viewed13 from13 the13 vantage13 point13 of13 enterprise13 needs13 13
bull Given13 the13 crical13 nature13 of13 NGFWs13 mely13 and13 accurate13 support13 is13 essenal13 Obtain13 references13 and13 ask13 to13 speak13 with13 vendor13 clients13 without13 the13 vendor13 present13
bull Support13 criteria13 for13 NGFWs13 should13 address13 responsiveness13 ranked13 by13 type13 of13 service13 request13 quality13 and13 accuracy13 of13 the13 service13 response13 currency13 of13 product13 updates13 and13 customer13 educaon13 and13 awareness13 of13 current13 events13
1111513 3813
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 VENDORS13
3813
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
NGFW13 Players13
3913
The13 top13 nine13 NGFW13 vendors13 are13 13 bull Checkpoint13 bull Dell13 Sonicwall13 13 bull Palo13 Alto13 bull Cisco13 bull Fornet13 13 bull HP13 TippingPoint13 13 bull McAfee13 13 bull Barracuda13 13 There13 are13 other13 NGFW13 vendors13 but13 these13 are13 the13 top13 913
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Quesons13 to13 consider13
4013
Quesons13 to13 consider13 when13 comparing13 these13 and13 other13 NGFW13 products13 include13 13
bull What13 is13 their13 product13 line13 13 bull Is13 their13 NGFW13 for13 cloud13 service13 providers13 large13
enterprises13 SMBs13 or13 small13 companies13 13 bull What13 are13 the13 NGFW13 features13 that13 come13 with13 the13
base13 product13 13 bull What13 features13 need13 an13 extra13 license(s)13 13 bull How13 is13 the13 NGFW13 sold13 and13 priced13 13 bull What13 differenates13 their13 NFGW13 from13 other13 vendor13
NGFW13 products13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4113
Non-shy‐common13 NGFW13 features13 vary13 by13 vendor13 So13 this13 is13 where13 organizaons13 can13 start13 to13 differenate13 which13 NGFWs13 will13 work13 for13 them13 and13 which13 wonrsquot13 For13 example13 bull Dell13 SonicWall13 provides13 security13 services13 such13 as13 gateway13
an-shy‐malware13 content13 filtering13 and13 client13 anvirus13 and13 anspyware13 that13 are13 licensed13 on13 an13 annual13 subscripon13 contract13 Dell13 SecureWorks13 premium13 Global13 Threat13 Intelligence13 service13 is13 an13 addional13 subscripon13
bull Cisco13 provides13 Applicaon13 Visibility13 and13 Control13 as13 part13 of13 the13 base13 configuraon13 at13 no13 cost13 but13 separate13 licenses13 are13 required13 for13 Next13 Generaon13 Intrusion13 Prevenon13 Systems13 (NGIPS)13 Advanced13 Malware13 Protecon13 and13 URL13 filtering13
bull McAfee13 provides13 clustering13 and13 mul-shy‐Link13 as13 standard13 features13 with13 McAfee13 Next13 Generaon13 Firewall13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
5013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
EvaluaBon13 and13 Audit13 of13 NGFW13
v Plaborm13 Based13 ndash13 appliancesofwareSaaS13 v Feature13 Set13 ndash13 baseline13 and13 add-shy‐ons13 v Performance13 ndash13 NSS13 Labs13 results13 v Manageability13 ndash13 comprehensiveeasy13 to13 use13 v Threat13 Intelligence13 ndash13 currencyaccuracycompleteness13 v TCO13 ndash13 total13 cost13 of13 ownership13 v Risk13 ndash13 consider13 the13 business13 model13 and13 objecves13 v Price13 ndash13 you13 get13 what13 you13 pay13 for13 v Support13 ndash13 what13 is13 support13 experience13 v Differenators13 ndash13 what13 sets13 them13 apart13 13
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
1111513 3813
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 VENDORS13
3813
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
NGFW13 Players13
3913
The13 top13 nine13 NGFW13 vendors13 are13 13 bull Checkpoint13 bull Dell13 Sonicwall13 13 bull Palo13 Alto13 bull Cisco13 bull Fornet13 13 bull HP13 TippingPoint13 13 bull McAfee13 13 bull Barracuda13 13 There13 are13 other13 NGFW13 vendors13 but13 these13 are13 the13 top13 913
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Quesons13 to13 consider13
4013
Quesons13 to13 consider13 when13 comparing13 these13 and13 other13 NGFW13 products13 include13 13
bull What13 is13 their13 product13 line13 13 bull Is13 their13 NGFW13 for13 cloud13 service13 providers13 large13
enterprises13 SMBs13 or13 small13 companies13 13 bull What13 are13 the13 NGFW13 features13 that13 come13 with13 the13
base13 product13 13 bull What13 features13 need13 an13 extra13 license(s)13 13 bull How13 is13 the13 NGFW13 sold13 and13 priced13 13 bull What13 differenates13 their13 NFGW13 from13 other13 vendor13
NGFW13 products13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4113
Non-common NGFW features vary by vendor, so this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:

• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and multi-Link as standard features with the McAfee Next Generation Firewall license.
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.

• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, which offers it with over 600 types, but you might determine that a full-featured DLP solution is still required if the Checkpoint feature is not sufficient.
• The same would apply to web application firewall (WAF) features, such as the one in the Dell SonicWall, which again is not a full-featured WAF.
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and the service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products

• Checkpoint is the inventor of stateful firewalls. It has the highest IPS block rate among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs; it is one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.
• McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
• Barracuda purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into a large-scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
• Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability of the SRX 5000 line. The SRX Series are also the first NGFW to deliver automation of firewall functions via JunoScript and an open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.

How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:

(1) identify the players
(2) develop a short list
(3) perform a proof of concept (POC)
(4) make reference calls
(5) consider cost
(6) obtain management buy-in, and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical

Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise; these are all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

NGFW Players

The top nine NGFW vendors are:

• Checkpoint
• Dell Sonicwall
• Palo Alto
• Cisco
• Fortinet
• HP TippingPoint
• McAfee
• Barracuda

There are other NGFW vendors, but these are the top 9.

Questions to consider

Questions to consider when comparing these and other NGFW products include:

• What is their product line?
• Is their NGFW for cloud service providers, large enterprises, SMBs or small companies?
• What are the NGFW features that come with the base product?
• What features need an extra license(s)?
• How is the NGFW sold and priced?
• What differentiates their NGFW from other vendor NGFW products?
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Quesons13 to13 consider13
4013
Quesons13 to13 consider13 when13 comparing13 these13 and13 other13 NGFW13 products13 include13 13
bull What13 is13 their13 product13 line13 13 bull Is13 their13 NGFW13 for13 cloud13 service13 providers13 large13
enterprises13 SMBs13 or13 small13 companies13 13 bull What13 are13 the13 NGFW13 features13 that13 come13 with13 the13
base13 product13 13 bull What13 features13 need13 an13 extra13 license(s)13 13 bull How13 is13 the13 NGFW13 sold13 and13 priced13 13 bull What13 differenates13 their13 NFGW13 from13 other13 vendor13
NGFW13 products13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4113
Non-shy‐common13 NGFW13 features13 vary13 by13 vendor13 So13 this13 is13 where13 organizaons13 can13 start13 to13 differenate13 which13 NGFWs13 will13 work13 for13 them13 and13 which13 wonrsquot13 For13 example13 bull Dell13 SonicWall13 provides13 security13 services13 such13 as13 gateway13
an-shy‐malware13 content13 filtering13 and13 client13 anvirus13 and13 anspyware13 that13 are13 licensed13 on13 an13 annual13 subscripon13 contract13 Dell13 SecureWorks13 premium13 Global13 Threat13 Intelligence13 service13 is13 an13 addional13 subscripon13
bull Cisco13 provides13 Applicaon13 Visibility13 and13 Control13 as13 part13 of13 the13 base13 configuraon13 at13 no13 cost13 but13 separate13 licenses13 are13 required13 for13 Next13 Generaon13 Intrusion13 Prevenon13 Systems13 (NGIPS)13 Advanced13 Malware13 Protecon13 and13 URL13 filtering13
bull McAfee13 provides13 clustering13 and13 mul-shy‐Link13 as13 standard13 features13 with13 McAfee13 Next13 Generaon13 Firewall13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
How to select the right NGFW
Consider the following criteria in selecting the NGFW vendor and model for your enterprise:
(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in, and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.

NGFW AUDIT

Evaluation and Audit of NGFW
• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart

BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.

What features are available in the NGFW?
Non-common NGFW features vary by vendor, so this is where organizations can start to differentiate which NGFWs will work for them and which won't. For example:
• Dell SonicWall provides security services such as gateway anti-malware, content filtering, and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
• Cisco provides Application Visibility and Control as part of the base configuration at no cost, but separate licenses are required for Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection and URL filtering.
• McAfee provides clustering and Multi-Link as standard features with the McAfee Next Generation Firewall license.
• Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence, and for advanced client Network Access Control (NAC) VPN/SSL VPN features.
• Juniper offers advanced software security services (NGFW/UTM/IPS/Threat Intelligence Service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
• Checkpoint provides a full NGFW solution package with all of its software blades included under one license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Checkpoint product.

The key message in this comparison is that, in addition to the common features, one needs to carefully review those features that require additional licenses and whether they are significant enough to decide on a specific product's procurement.
• For example, if you need a DLP feature, some NGFWs provide it, such as Checkpoint, which offers it with over 600 types; even so, you might determine that a full-featured DLP solution is still required if the Checkpoint is not sufficient.
• The same would apply to web application firewalls (WAF), such as the one in the Dell Sonicwall, which again is not a full-featured WAF.
• Another example would be Cisco: although malware protection is available with their network anti-virus/malware solution, additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?
• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Key differentiators between NGFW products
• Checkpoint is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, largest application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single-pane of glass.
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year old in-house dedicated security research team -- FortiGuard Labs -- one of the few NGFW vendors that have its own since most OEM this activity. Fortinet also purports to have NGFW FortiGate that can deliver five times better performance of comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high with over 8200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.

201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
5013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
EvaluaBon13 and13 Audit13 of13 NGFW13
v Plaborm13 Based13 ndash13 appliancesofwareSaaS13 v Feature13 Set13 ndash13 baseline13 and13 add-shy‐ons13 v Performance13 ndash13 NSS13 Labs13 results13 v Manageability13 ndash13 comprehensiveeasy13 to13 use13 v Threat13 Intelligence13 ndash13 currencyaccuracycompleteness13 v TCO13 ndash13 total13 cost13 of13 ownership13 v Risk13 ndash13 consider13 the13 business13 model13 and13 objecves13 v Price13 ndash13 you13 get13 what13 you13 pay13 for13 v Support13 ndash13 what13 is13 support13 experience13 v Differenators13 ndash13 what13 sets13 them13 apart13 13
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4213
bull Barracuda13 requires13 an13 oponal13 subscripon13 for13 malware13 protecon13 (AV13 engine13 by13 Avira)13 threat13 intelligence13 and13 for13 advanced13 client13 Network13 Access13 Control13 (NAC)13 VPNSSL13 VPN13 features13
bull Juniper13 offers13 advanced13 sofware13 security13 services13 (NGFWUTMIPSThreat13 Intelligence13 Service)13 shipped13 with13 its13 SRX13 Series13 Services13 Gateways13 13 that13 can13 be13 turned13 on13 with13 the13 purchase13 of13 an13 addional13 license13 which13 can13 be13 subscripon-shy‐based13 or13 perpetual13 No13 addional13 components13 are13 required13 to13 turn13 services13 onoff13
bull Checkpoint13 provides13 a13 full13 NGFW13 soluon13 package13 13 with13 all13 of13 its13 sofware13 blades13 included13 under13 one13 license13 However13 it13 does13 not13 provide13 mobile13 device13 controls13 or13 Wi-shy‐Fi13 network13 control13 without13 purchasing13 a13 different13 Checkpoint13 product13
13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
5013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
EvaluaBon13 and13 Audit13 of13 NGFW13
v Plaborm13 Based13 ndash13 appliancesofwareSaaS13 v Feature13 Set13 ndash13 baseline13 and13 add-shy‐ons13 v Performance13 ndash13 NSS13 Labs13 results13 v Manageability13 ndash13 comprehensiveeasy13 to13 use13 v Threat13 Intelligence13 ndash13 currencyaccuracycompleteness13 v TCO13 ndash13 total13 cost13 of13 ownership13 v Risk13 ndash13 consider13 the13 business13 model13 and13 objecves13 v Price13 ndash13 you13 get13 what13 you13 pay13 for13 v Support13 ndash13 what13 is13 support13 experience13 v Differenators13 ndash13 what13 sets13 them13 apart13 13
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4313
The13 key13 message13 in13 this13 comparison13 is13 that13 in13 addion13 to13 the13 common13 features13 one13 needs13 to13 carefully13 review13 those13 features13 that13 require13 addional13 licenses13 and13 whether13 they13 are13 significant13 enough13 to13 decide13 on13 a13 specific13 products13 procurement13 13 13 bull For13 example13 if13 you13 need13 a13 DLP13 feature13 those13 NGFWs13
that13 provide13 it13 such13 as13 Checkpoint13 although13 offered13 with13 over13 60013 types13 you13 might13 determine13 that13 a13 full-shy‐featured13 DLP13 soluon13 might13 sll13 be13 required13 if13 the13 Checkpoint13 is13 not13 sufficient13 13
bull The13 same13 would13 apply13 to13 web13 applicaon13 firewalls13 (WAF)13 such13 as13 the13 Dell13 Sonicwall13 but13 again13 is13 not13 a13 full-shy‐featured13 WAF13 13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
What13 features13 are13 available13 in13 the13 NGFW13
4413
bull Another13 example13 would13 be13 Cisco13 although13 malware13 protecon13 is13 available13 with13 their13 network13 an-shy‐virusmalware13 soluon13 but13 an13 addional13 licenses13 would13 be13 required13 for13 their13 Advanced13 Malware13 Protecon13 NGIPS13 and13 URL13 filtering13 13
bull Barracuda13 NG13 Firewall13 also13 requires13 an13 addional13 license13 for13 Malware13 Protecon13 (An-shy‐Virus13 engine13 by13 Avira)13
bull There13 are13 some13 vendors13 that13 provide13 threat13 intelligence13 services13 as13 part13 of13 the13 NGFW13 offering13 such13 as13 Fornet13 McAfee13 and13 HP13 TippingPoint13 13
bull Juniperrsquos13 Threat13 Intelligence13 Service13 is13 shipped13 with13 the13 SRX13 but13 needs13 to13 be13 acvated13 with13 the13 purchase13 of13 an13 addional13 license13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart
BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a contributing writer for SearchSecurity – TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA and PA-QSA as VP for K3DES.

Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.
What features are available in the NGFW?

• Another example would be Cisco: malware protection is available with their network anti-virus/malware solution, but additional licenses would be required for their Advanced Malware Protection, NGIPS and URL filtering.
• Barracuda NG Firewall also requires an additional license for Malware Protection (Anti-Virus engine by Avira).
• There are some vendors that provide threat intelligence services as part of the NGFW offering, such as Fortinet, McAfee and HP TippingPoint.
• Juniper's Threat Intelligence Service is shipped with the SRX but needs to be activated with the purchase of an additional license.
How is the NGFW sold, licensed and priced?

• All NGFW products are licensed per physical device. Additional licenses are required for the non-common features stated above.
• Read the T&Cs to determine what services are available in the base NGFW product and what services require an additional license.
• All NGFW products are priced by scale, based on the type of hardware utilized and service contract.
• While pricing structure appears disparate, similarities do exist in the lower-end product lines (in other words, the smaller the NGFW need, the simpler the pricing).
• The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.
Key differentiators between NGFW products

• Check Point is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, a larger application library (over 5000) than any other, data loss prevention (DLP) with over 600 file types, change management (i.e., configuration and rule changes) that no one else has, and Active Directory integration, agent-based or agentless.
• Dell SonicWall has patented Reassembly-Free Deep Inspection (RFDPI), which allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.
• Cisco ASA with FirePower Services provides an integrated defense solution with greater firewall features, detection and protection threat services than other vendors.
• Fortinet lauds its 11-year-old in-house dedicated security research team -- FortiGuard Labs -- as one of the few NGFW vendors that has its own, since most OEM this activity. Fortinet also purports to have an NGFW, FortiGate, that can deliver five times better performance than comparatively priced competitor products.
• HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high, with over 8200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
5013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
EvaluaBon13 and13 Audit13 of13 NGFW13
v Plaborm13 Based13 ndash13 appliancesofwareSaaS13 v Feature13 Set13 ndash13 baseline13 and13 add-shy‐ons13 v Performance13 ndash13 NSS13 Labs13 results13 v Manageability13 ndash13 comprehensiveeasy13 to13 use13 v Threat13 Intelligence13 ndash13 currencyaccuracycompleteness13 v TCO13 ndash13 total13 cost13 of13 ownership13 v Risk13 ndash13 consider13 the13 business13 model13 and13 objecves13 v Price13 ndash13 you13 get13 what13 you13 pay13 for13 v Support13 ndash13 what13 is13 support13 experience13 v Differenators13 ndash13 what13 sets13 them13 apart13 13
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 is13 the13 NGFW13 sold13 licensed13 and13 priced13
4513
bull All13 NGFW13 products13 are13 licensed13 per13 physical13 device13 Addional13 licenses13 are13 required13 for13 the13 non-shy‐common13 features13 stated13 above13 13 13 13
bull Read13 the13 TampCs13 to13 determine13 what13 services13 are13 available13 in13 the13 base13 NGFW13 produce13 and13 what13 services13 require13 an13 addional13 license13
bull All13 NGFW13 products13 are13 priced13 by13 scale13 based13 on13 the13 type13 of13 hardware13 ulized13 and13 service13 contract13
bull While13 pricing13 structure13 appears13 disparate13 similaries13 do13 exist13 in13 the13 lower-shy‐end13 product13 lines13 (in13 other13 words13 the13 smaller13 the13 NGFW13 need13 the13 simpler13 the13 pricing)13 13 13
bull The13 larger13 the13 enterprise13 and13 volume13 purchase13 potenal13 the13 greater13 the13 disparity13 but13 also13 the13 greater13 the13 bargaining13 power13 on13 the13 part13 of13 the13 customer13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
5013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
EvaluaBon13 and13 Audit13 of13 NGFW13
v Plaborm13 Based13 ndash13 appliancesofwareSaaS13 v Feature13 Set13 ndash13 baseline13 and13 add-shy‐ons13 v Performance13 ndash13 NSS13 Labs13 results13 v Manageability13 ndash13 comprehensiveeasy13 to13 use13 v Threat13 Intelligence13 ndash13 currencyaccuracycompleteness13 v TCO13 ndash13 total13 cost13 of13 ownership13 v Risk13 ndash13 consider13 the13 business13 model13 and13 objecves13 v Price13 ndash13 you13 get13 what13 you13 pay13 for13 v Support13 ndash13 what13 is13 support13 experience13 v Differenators13 ndash13 what13 sets13 them13 apart13 13
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4613
bull Checkpoint13 is13 the13 inventor13 of13 stateful13 firewalls13 It13 has13 the13 highest13 block13 rate13 of13 IPS13 among13 its13 competors13 largest13 applicaon13 library13 (over13 5000)13 than13 any13 other13 data13 loss13 prevenon13 (DLP)13 with13 over13 60013 file13 types13 change13 management13 13 (ie13 configuraon13 and13 rule13 changes)13 that13 no13 one13 else13 has13 and13 Acve13 Directory13 integraon13 agent-shy‐based13 or13 agentless13
bull Dell13 SonicWall13 has13 patented13 Reassembly-shy‐Free13 Deep13 Inspecon13 (RFDPI)13 13 which13 allows13 for13 centralized13 management13 for13 users13 to13 deploy13 manage13 and13 monitor13 many13 thousands13 of13 firewalls13 through13 a13 single-shy‐pane13 of13 glass13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
5013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
EvaluaBon13 and13 Audit13 of13 NGFW13
v Plaborm13 Based13 ndash13 appliancesofwareSaaS13 v Feature13 Set13 ndash13 baseline13 and13 add-shy‐ons13 v Performance13 ndash13 NSS13 Labs13 results13 v Manageability13 ndash13 comprehensiveeasy13 to13 use13 v Threat13 Intelligence13 ndash13 currencyaccuracycompleteness13 v TCO13 ndash13 total13 cost13 of13 ownership13 v Risk13 ndash13 consider13 the13 business13 model13 and13 objecves13 v Price13 ndash13 you13 get13 what13 you13 pay13 for13 v Support13 ndash13 what13 is13 support13 experience13 v Differenators13 ndash13 what13 sets13 them13 apart13 13
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4713
bull Cisco13 ASA13 with13 FirePower13 Services13 provides13 an13 integrated13 defense13 soluon13 with13 greater13 firewall13 features13 detecon13 and13 protecon13 threat13 services13 than13 other13 vendors13
bull Fornet13 lauds13 its13 11-shy‐year13 old13 in-shy‐house13 dedicated13 security13 research13 team13 -shy‐-shy‐13 ForGuard13 Labs13 -shy‐-shy‐13 one13 of13 the13 few13 NGFW13 vendors13 that13 have13 its13 own13 since13 most13 OEM13 this13 acvity13 Fornet13 also13 purports13 to13 have13 NGFW13 ForGate13 that13 can13 deliver13 five13 mes13 beder13 performance13 of13 comparavely13 priced13 competor13 products13
bull HP13 TippingPoint13 is13 known13 for13 its13 NGFWrsquos13 simple13 effecve13 and13 reliable13 implementaon13 The13 security13 effecveness13 coverage13 is13 high13 with13 over13 820013 filters13 that13 block13 known13 and13 unknown13 threats13 and13 over13 38313 zero-shy‐day13 filters13 in13 201413 alone13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How13 to13 select13 the13 right13 NGFW13
4913
Consider13 the13 following13 criteria13 in13 selecng13 the13 NGFW13 vendor13 and13 model13 for13 your13 enterprise13 13
(1) idenfy13 the13 players13 13 (2) develop13 a13 short13 list13 13 (3) perform13 a13 proof13 of13 concept13 ndash13 POC13 13 (4) make13 reference13 calls13 13 (5) consider13 cost13 13 (6) obtain13 management13 buy-shy‐in13 and13 13 (7) work13 out13 contract13 negoaons13 13 (8) Total13 cost13 of13 ownership13 (TCO)13 is13 also13 crical13 13
Lastly13 but13 no13 less13 important13 consider13 the13 skill13 set13 of13 your13 staff13 and13 the13 business13 model13 and13 growth13 expectaon13 for13 your13 enterprise13 -shy‐-shy‐13 all-shy‐important13 factors13 in13 making13 your13 decision13
1111513 5013
CRISC CGEIT CISM CISA 201313 Fall13 Conference13 ndash13 ldquoSail13 to13 Successrdquo13
NGFW13 AUDIT13
5013
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
EvaluaBon13 and13 Audit13 of13 NGFW13
v Plaborm13 Based13 ndash13 appliancesofwareSaaS13 v Feature13 Set13 ndash13 baseline13 and13 add-shy‐ons13 v Performance13 ndash13 NSS13 Labs13 results13 v Manageability13 ndash13 comprehensiveeasy13 to13 use13 v Threat13 Intelligence13 ndash13 currencyaccuracycompleteness13 v TCO13 ndash13 total13 cost13 of13 ownership13 v Risk13 ndash13 consider13 the13 business13 model13 and13 objecves13 v Price13 ndash13 you13 get13 what13 you13 pay13 for13 v Support13 ndash13 what13 is13 support13 experience13 v Differenators13 ndash13 what13 sets13 them13 apart13 13
5113
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Miguel13 (Mike)13 O13 Villegas13 is13 a13 Vice13 President13 for13 K3DES13 LLC13 13 He13 performs13 and13 QArsquos13 PCI-shy‐DSS13 and13 PA-shy‐DSS13 assessments13 for13 K3DES13 clients13 13 He13 also13 manages13 the13 K3DES13 13 ISOIEC13 27001200513 program13 13 Mike13 was13 previously13 Director13 of13 Informaon13 Security13 at13 Newegg13 Inc13 for13 five13 years13 Mike13 is13 currently13 a13 contribung13 writer13 for13 SearchSecurity13 ndash13 TechTarget13 13 Mike13 has13 over13 3013 years13 of13 Informaon13 Systems13 security13 and13 IT13 audit13 experience13 Mike13 was13 previously13 Vice13 President13 amp13 Technology13 Risk13 Manager13 for13 Wells13 Fargo13 Services13 responsible13 for13 IT13 Regulatory13 Compliance13 and13 was13 previously13 a13 partner13 at13 Arthur13 Andersen13 and13 Ernst13 amp13 Young13 for13 their13 informaon13 systems13 security13 and13 IS13 audit13 groups13 over13 a13 span13 of13 nine13 years13 Mike13 is13 a13 CISA13 CISSP13 GSEC13 and13 CEH13 13 He13 is13 also13 a13 QSA13 and13 13 PA-shy‐QSA13 as13 VP13 for13 K3DES13 13 13 Mike13 was13 president13 of13 the13 LA13 ISACA13 Chapter13 during13 2010-shy‐201213 and13 president13 of13 the13 SF13 ISACA13 Chapter13 during13 2005-shy‐200613 He13 was13 the13 SF13 Fall13 Conference13 Co-shy‐Chair13 from13 2002ndash200713 and13 also13 served13 for13 two13 years13 as13 Vice13 President13 on13 the13 Board13 of13 Directors13 for13 ISACA13 Internaonal13 Mike13 has13 taught13 CISA13 review13 courses13 for13 over13 1813 years13 13 13
BIO13
5213
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
Key13 differenators13 between13 NGFW13 products13
4813
bull McAfee13 NGFW13 provides13 ldquointelligence13 awarerdquo13 security13 controls13 advanced13 evasion13 prevenon13 and13 a13 unified13 sofware13 core13 design13
bull Barracuda13 purports13 the13 lowest13 total13 cost13 of13 ownership13 (TCO)13 in13 the13 industry13 due13 to13 advanced13 troubleshoong13 capabilies13 and13 smart13 lifecycle13 management13 features13 built13 into13 large13 scaling13 central13 management13 server13 The13 NGFW13 is13 also13 the13 only13 one13 that13 provides13 NGFW13 applicaon13 control13 and13 user13 identy13 funcons13 for13 SMBs13
bull Juniper13 SRX13 is13 the13 first13 NGFW13 to13 offer13 customers13 validated13 (Telcordia)13 99999913 availability13 of13 the13 SRX13 500013 line13 The13 SRX13 Series13 are13 also13 the13 first13 NGFW13 to13 deliver13 automaon13 of13 firewall13 funcons13 via13 JunoScript13 and13 open13 API13 to13 programming13 tools13 Open13 adack13 signatures13 in13 the13 IPS13 also13 allow13 customers13 to13 add13 or13 customize13 signatures13 tailored13 for13 their13 network13
201513 Fall13 Conference13 ndash13 ldquoCyberSizeITrdquo13 November13 913 ndash13 1113 201513
13
How to select the right NGFW

Consider the following criteria in selecting the NGFW vendor and model for your enterprise:

(1) identify the players
(2) develop a short list
(3) perform a proof of concept – POC
(4) make reference calls
(5) consider cost
(6) obtain management buy-in, and
(7) work out contract negotiations
(8) Total cost of ownership (TCO) is also critical

Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- all-important factors in making your decision.
NGFW AUDIT
Evaluation and Audit of NGFW

• Platform Based – appliance/software/SaaS
• Feature Set – baseline and add-ons
• Performance – NSS Labs results
• Manageability – comprehensive/easy to use
• Threat Intelligence – currency/accuracy/completeness
• TCO – total cost of ownership
• Risk – consider the business model and objectives
• Price – you get what you pay for
• Support – what is support experience
• Differentiators – what sets them apart