Hardening the Education IT Environment with NGFW Narongveth Yutithammanurak Business Development Manager 23 Feb 2012

Technology Trends

• Security
• Performance
• Bandwidth
• Efficiency
• Manageability

What are Students and Staff doing?

• Web surfing
• Twitter, Facebook
• Downloading files
• Instant messaging
• Streaming video
• Streaming audio
• Playing games online
• Personal email

These things we know?

User | Port | Protocol | Application

• Port 80 is much more than Web browsing
  – 203.12.145.34 | 80 | HTTP | Web Browsing?
  – Anna Stand | 80 | IM | Yahoo-IM
• Port 443 is an encrypted mystery
  – 124.50.13.45 | 443 | HTTPS | Secure banking?
  – Paul Donson | 443 | Email | Google Gmail
• Other ports are being exploited
  – 224.100.30.6 | 5060 | SIP | VoIP?
  – John Buly | 20129 | P2P | Orbit downloader

Beyond Threats

• Most traffic is not threat-based but is application and data
• Applications can be good, bad or in-between
  – Good: salesforce.com
  – Bad: badworm.exe
  – In-between: P2P, streaming video & audio

Common Questions… to Admin

• Where is this TRAFFIC coming from?
• What APPLICATIONS are really on the network?
• Where is ALL my BANDWIDTH going?
• What are the THREATS?

Device Expectation

• Application awareness and visibility
• Integrated full IPS without compromising performance
• Intelligence to identify users
• Standard firewall capabilities
• Multiple deployment options

Next Generation Firewall

NGFW Definition

• Stateful Inspection
• Intrusion Prevention
• Application Control
• SSL Decryption/Inspection

“By year-end 2014 [Next-Generation Firewall] will rise to 35% of the installed base, with 60% of new purchases being NGFWs.”

Source: Gartner NGFW Research note

What NGFW should do…

• Identify application/users regardless
  – Ports ≠ Applications
  – IP Addresses ≠ Users
  – Packets ≠ Content
• Protect in real-time against threats
• Granular visibility and policy control
  – Application access / Functionality
• Multi-gigabit with no performance degradation

Control Network, Users & Traffic

• Bandwidth Manage OR Block
• By User or Group with Exception
• By Schedule
• By App (Category, App, Function)

Architecture and Engine

Architecture makes a difference

NGFW Technology

Next Generation Requirements

• Consolidated & Integrated Security Technology
• Application Visibility - Inspection of Real-time & Latency Sensitive Applications/Traffic
• Scalable & High Performing Enough to Protect Against Perimeter and Internal Network Challenges

Solution Features

• Multi-Tiered Protection Technology
• Patented Re-Assembly Free DPI (RFDPI)
• Multi-Core High Perf. Architecture

RFDPI Engine

Dynamic Security Architecture

Procedures

1. DPI protects against network risks
2. Multi-core scanning in real time
3. Dynamic network protections

NGFW Features

• Application intelligent control
• Gateway Security
  – Intrusion Protection Service (IPS)
  – Anti-Virus and Anti-Spyware
• URL Filtering Service
• Bandwidth Management (QoS)
• User Authentication

Application intelligent control

Application Visibility

[Figure labels: Unimportant Apps / Important Apps]

Powerful Application Policy Creation

• “Allow IM, but block File Transfer”
• “Allow Facebook, but block Farmville”
• “Allow Facebook, but block all Facebook applications”

Application Use Enforcement

• Policy: all staff need to use IE 9.0
• Mission: Ensure all PCs are using IE 9.0
• Solution:
  – Create a policy that looks for User Agent = MSIE 9.0 in HTTP
  – Allow IE 9.0 traffic and block other browsers

Deny FTP Upload

• Need to make sure authorized staff can upload files and no one else can upload
• Create a policy to allow FTP PUT for only certain people

Block Forbidden Files and Notify

• An EXE file
  – from being downloaded
  – as an email attachment
  – from being transferred via FTP
• Create a policy to block forbidden file extensions
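
A sketch of how the three policies above (IE 9.0 enforcement, FTP PUT limited to authorized staff, forbidden .exe files) can be decided from payload content rather than from the port number. This is an added example, not code from the presentation or from any firewall product; the user names, the uploader group and the sample flows are constructed.

```python
import re

# Constructed policy data (assumptions, not from the slides).
FTP_UPLOADERS = {"anna"}        # hypothetical staff allowed to FTP PUT
FORBIDDEN_EXT = (".exe",)       # forbidden file extensions
REQUIRED_UA = "MSIE 9.0"        # User-Agent token the slide's policy looks for

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]\r\n")
FTP_CMD = re.compile(rb"^(STOR|APPE|RETR) (.+?)\r\n", re.I)

def header(payload, name):
    """Return one HTTP header value from the raw request, or '' if absent."""
    m = re.search(rb"\r\n" + name.encode() + rb":[ \t]*([^\r\n]*)", payload, re.I)
    return m.group(1).decode("latin-1") if m else ""

def decide(user, payload):
    """Decide from payload content only; the destination port is never consulted."""
    m = HTTP_REQ.match(payload)
    if m:
        path = m.group(2).decode("latin-1").split("?", 1)[0].lower()
        if path.endswith(FORBIDDEN_EXT):
            return "block", "forbidden file extension over HTTP"
        # User-Agent is client-supplied: this enforces browser compliance,
        # it does not authenticate the client software.
        if REQUIRED_UA not in header(payload, "User-Agent"):
            return "block", "browser is not IE 9.0"
        return "allow", "HTTP from IE 9.0"
    m = FTP_CMD.match(payload)
    if m:
        verb, name = m.group(1).upper(), m.group(2).decode("latin-1").lower()
        if name.endswith(FORBIDDEN_EXT):
            return "block", "forbidden file extension over FTP"
        if verb in (b"STOR", b"APPE") and user not in FTP_UPLOADERS:
            return "block", "FTP upload by unauthorized user"
        return "allow", "FTP transfer permitted"
    return "continue", "no application policy matched"

IE9 = b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n\r\n"
FLOWS = [  # constructed samples: (user, destination port, first client payload)
    ("paul", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n" + IE9),
    ("paul", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\nUser-Agent: Firefox/10.0\r\n\r\n"),
    ("paul", 80, b"GET /tools/setup.EXE?v=2 HTTP/1.1\r\nHost: intranet\r\n" + IE9),
    ("anna", 2121, b"STOR report.pdf\r\n"),
    ("john", 21, b"STOR report.pdf\r\n"),
    ("anna", 21, b"RETR setup.exe\r\n"),
]

if __name__ == "__main__":
    for user, port, payload in FLOWS:
        print(user, port, *decide(user, payload))
```

The HTTP request on port 8080 and the FTP upload on port 2121 receive the same decisions they would on ports 80 and 21, because only the payload is inspected.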

Keep P2P Under Control

• P2P applications steal bandwidth and bring malicious files with them
• P2P applications simply change a version number
• Create a policy to detect P2P applications

Application Flows

Application Flows (Table View)

User Flows

Gateway Security

Intrusion Protection Service (IPS)

• Application vulnerabilities, buffer overflows
• Scanning (worms, Trojans, software vulnerabilities, backdoor exploits, and other types of malicious attacks)
• Utilizing a comprehensive signature database
• Focusing on
  – known malicious traffic
  – decreasing false positives
  – increasing network reliability and performance

Gateway Anti-Virus and Anti-Spyware

• High-performance engine scans
  – viruses, spyware, worms, Trojans and application exploits
• Continually updated database of threat signatures
• Inter-zone scanning also delivers protection between internal network zones

Content Filtering Service

• Granular content filtering
• Dynamically updated rating architecture
• Application traffic analytics
• Easy-to-use web-based management
• High-performance web caching and rating architecture
• IP-based HTTPS content filtering
• Scalable, cost-effective solution

Bandwidth Management

Managing Streaming Video

• For a site such as “YouTube”
  – blocking the site might work, but the best answer could be to limit the bandwidth
• Create a policy to limit streaming video

Control Bandwidth

User Authentication

Directory Integration

• Users no longer defined solely by IP address
• Manage and enforce policy based on user and/or AD group
• Understand user application and threat behavior based on AD, LDAP

Internal DB/Single Sign-on Users

Protection Visions

Topology#1: Many-to-One Datacenter

• Protect servers from outside
• IPS feature performed
• Focusing on known malicious traffic

Topology#2: Many-to-Many External

• Protect users surfing the internet
• Outbound protection
• Control application usage
• Shape user bandwidth

Topology#3: Many-to-Many Internal LAN

• Concept for internal protection
• Users to Datacenter / Server Farms
• Protect servers from malware infection
• Restrict user access

Solutions

Best Practices

• First, identify and block all “bad” applications
• Second, safely enable all “good” applications
• Solid research and support – fast deployment of new protections
• Sustained high performance firewall + IPS platform

Buyer Models

Customer Premise Equipment (CPE)

As-a-Service

Providers

System Integrator

MSSP

Difference

System Integrator

• Hardware Ownership
  – CPE
• One-Time Implement
• MA provided
• Admin Maintenance

MSSP

• Low cost of Ownership
  – As-a-Service
• One-Time Implement
• Device Management
• Security Monitoring
• Security Analyst
• Proactive Maintenance
• Align with SLA

Summary Benefits of NGFW

• All-in-one functionality
• Greater visibility and control
• Simplified management
• Better security
• Lower total cost of ownership

Questions

www.i-secure.co.th
