advertisement

A NEW SET OF NETWORK SECURITY CHALLENGES

50 %
50 %
advertisement
Information about A NEW SET OF NETWORK SECURITY CHALLENGES
Business & Mgmt

Published on February 17, 2014

Author: IcommTechnologies

Source: slideshare.net

Description

A new IDG survey reveals optimism about the ability of next-generation firewalls to help IT balance productivity and security
advertisement

TECH DOSSIER | NEXT GENERATION FIREWALLS A NEW SET OF NETWORK SECURITY CHALLENGES A new IDG survey reveals optimism about the ability of nextgeneration firewalls to help IT balance productivity and security ALSO INSIDE +WHY PROTECTION & PERFORMANCE MATTER + >

> A NEW SET OF NETWORK SECURITY CHALLENGES 2 With two issues becoming increasingly crucial, IT faces conflicting mandates from EMPLOYEES AT WORK, AND PLAY the business. On one hand, employees demand access from devices beyond the > IT is stuck in an untenable position between the firewall—smartphones, tablets, home PCs and laptops. On the other hand, risk man- company and its employees. Companies love to have employees stretch their hours by signing into corporate agement dictates corporate data must remain protected. The overarching challenge: systems from home; employees are used to the idea of balance productivity and security. time-shifting. The survey results show the upshot. Within that mandate, however, lie several other challenges, according to a new survey conducted by IDG Research Services on behalf of Dell. The survey was conducted in October of 2012 and reflects the insight of more than 250 IT professionals at companies with more than 500 employees. It reveals the depth with which network administrators must juggle these competing factors. The issues facing IT go beyond security to encompass network bandwidth as well. For instance, 52 percent of IT professionals report that employees tend to “frequently” or “very frequently” perform tasks unrelated to their work on the Internet or in other applications. Almost 40 percent report that the creation and management of customized access or use policies is difficult, and one-third believe that users working on personal devices are exposed to increased security threats. The latter problem stems from the frequent inability of IT to monitor what happens on a Just as technology has caused these problems, technology may also be the solution. user’s home device. A new generation of firewall technology, designed with current security and network- In many cases, IT can install an agent on specific home ing issues in mind, promises to give IT a way to solve its multisided puzzle. machines to ensure adequate security software is

A NEW SET OF NETWORK SECURITY CHALLENGES installed, as well as VPN software that allows users they visiting LinkedIn to catch up on old friends, or to mitted securely but still be malware. > tional videos that relate to improving their skills? Are through a VPN doesn’t mean it’s safe. It can be trans- 3 YouTube to watch cat videos, or to download educa- to connect securely. But just because traffic comes > identify the next crucial addition to their team? Are they visiting Facebook to play games or to discover what’s Survey respondents aren’t antediluvian about how they being said on social media about the company’s prod- allow users to access corporate data. More than half of ucts? As a result, many respondents report they are not those who indicate the amount of work employees do on regulating the use of Web sites that may or may not be personally owned devices is on the rise also believe this work-related and focusing their resources elsewhere. is a positive trend. The company benefits from 24-hour Given that most firewalls only offer a binary on/off employee access to email, but there still must be some method of allowing Web site access, this seems logical. security policies in place—such as the ability to erase corporate data from a personal device if it’s lost or stolen. 4000% data growth at the edge? Learn how SonicWALL saved U.S. Cellular operational costs while expanding services. There may, of course, be unseen security implications. Many Facebook users have been exposed to malware; these same security issues, 30 percent deemed them Security of personal devices is not the only issue. Given it’s not that Facebook itself is to blame, but its adver- “somewhat” or “extremely” ineffective. For instance, that employees frequently must log on from remote tising may have been compromised. In the light of IT’s even if an enterprise deployed Gigabit Ethernet, earlier locations, two-thirds of IT professionals view as “highly inability to control access, and occasional orders to favor generation firewalls could only deal with much slower important” their ability to provide adequate bandwidth productivity over security, IT may feel it has no choice. speeds—perhaps as low as 50 megabits per second. to ensure employees stay productive, no matter where This slows down all the traffic on the network. they are. Respondents also tend to view their organizaSimilarly, a traditional firewall doesn’t have the ability and as enabling—rather than stifling—for productivity. A NEW TOOL IN THE ARSENAL: NEXT-GENERATION FIREWALLS More often than not, respondents tend to believe their The fact is, though, that IT does have a choice. Firewall application from accessing the firewall, but the appli- organization’s security technologies and policies are technology has advanced sufficiently that the issues cation developers could just as easily route it to port a tactical necessity or a strategic enabler. More than IT faces can now be addressed by next-generation 80, which handles basic Web traffic, or port 84, which 80 percent think such policies positively contribute to firewalls (NGFs). These devices are designed to filter handles Web browsing. NGFs allow IT to filter not just by productivity. And it’s not just employees getting more network and Internet traffic based upon the applications IP address, or by port or protocol, but also by looking at work done—it’s also their ability to avoid system down- or traffic types using specific ports. They help IT detect layer 7 data—actual application information. time after they unintentionally access malware, whether application-specific attacks, giving network and security on an unauthorized Web site or through email. administrators the potential to catch more malicious Consider this analogy to explain the difference between activity than traditional firewalls. traditional and next-generation firewalls. A traditional tion’s security technologies and policies as necessary The question of what constitutes an “unauthorized” to filter specific parts of applications. IT could block an firewall is like an airport baggage handler, who makes Web site adds to IT’s conundrum regarding security, IT understands the limitations of traditional firewalls. sure that a piece of luggage (representing data) gets on bandwidth and productivity. Are employees accessing When asked about their effectiveness in addressing the correct plane to the correct destination. A next-

> A NEW SET OF NETWORK SECURITY CHALLENGES 4 > concentrators no longer require a VPN agent on a client research firm Gartner confirms this: it estimates that device, but can instead accommodate VPN through less than 5 percent of Internet connections are secured a browser. This allows for broader support of mobile by NGFs, but by 2014, the rate will jump to 40 percent. clients that use browsers, whether on smartphones, tablets or laptops, from any manufacturer. Even though survey respondents associate certain challenges with the deployment of next-generation firewalls—specifically cost, increased complexity and INCREASED AWARENESS, INCREASED DEPLOYMENT lack of staff resources—issues that face any new Based on the survey results, IT administrators are because they incorporate features—such as VPN and increasingly aware of next-generation firewalls; only 25 intrusion protection—currently handled by multiple percent of respondents were unaware of their capa- devices or not at all. They also feature more robust bilities. When discussing the technology’s features, reporting capabilities than traditional firewalls. It’s easy generation firewall is like the airport security agent who respondents cite NGFs’ most important capabilities for administrators to see which users are accessing opens the luggage, inspects its contents and makes a as intrusion prevention, antimalware/URL filtering and which applications, rather than sifting through logs. decision about whether it allows the contents to travel. basic firewall features. More than half of respondents The decision is even more granular, based on the ability indicate their organizations have either deployed, or The majority of those familiar with next-generation of NGFs to filter content within Web sites and between plan to deploy an NGF in the next few years. Data from firewall capabilities consider the technology effective Learn how the industry leader in sales and lease-ownership market leveraged Dell SonicWALL to assure secure growth. technology. In fact, NGFs reduce cost and complexity destinations; it may allow HR employees and managers addressing a variety of security issues. Faced with to visit LinkedIn, marketing to visit Facebook and techni- multiple security scenarios, a majority of respondents cians to visit YouTube, but not everyone. cited NGFs as more effective than traditional firewall technology. Given respondents also believe remote work By instituting highly granular rules for applications, IT now has the ability to either prioritize or throttle traffic based on business need. It can also allow some functions within applications but not others; for instance, allowing an IM application like Yahoo Messenger, but not allowing attachments to messages. The result: employees that need certain applications still have access to them, but others are not unnecessarily degrading bandwidth and putting data at risk. NGFs also address the BYOD issue, through a capability known as SSL VPN concentrators. Simply put, these A NEXT-GENERATION FIREWALL IS LIKE THE AIRPORT SECURITY AGENT WHO OPENS THE LUGGAGE, INSPECTS ITS CONTENTS AND MAKES A DECISION ABOUT WHETHER IT ALLOWS THE CONTENTS TO TRAVEL. arrangements will only increase in the future, the importance of having the capabilities of NGFs only increases. The key to the value of NGFs is that they have the ability to increase productivity all around. It’s not just the productivity of employees using mobile devices. It’s also the ability of the network to handle more mission-critical activities without bandwidth constraint. And finally, NGFs aid the productivity of IT administrators, who can take advantage of an integrated device that outperforms traditional firewalls in mitigating risks associated with trends on the upswing. n

> A NEW SET OF NETWORK SECURITY CHALLENGES ADDITIONAL READING: WHY 5 > PROTECTION & PERFORMANCE MATTER By Daniel Ayoub, CISSP, CISA Next-Generation Firewalls combine multi-core architecture with real-time Deep Packet Inspection to fulfill the protection and performance demands of today’s enterprise network Abstract Protection and performance go hand-in-hand for NextGeneration Firewalls (NGFWs). Organizations should not have to sacrifice throughput and productivity for security. Outdated firewalls pose a serious security risk to organizations since they fail to inspect data payload of network packets. Many vendors tout Stateful Packet Inspection (SPI) speeds only, but the real measure of security and performance is deep packet inspection throughput and effectiveness. To address this deficiency, many firewall vendors adopted the malware inspection approach used by traditional desktop anti-virus: buffer downloaded files, then inspect for malware. This method not only introduces significant latency and but also poses significant security risks since temporary memory storage can limit the maximum file size. Independent NSS Lab tests demonstrate that the Dell™ SonicWALL™ SuperMassive™ E10800 NextGeneration Firewall incorporating multi-core architecture and Reassembly-Free Deep Packet Inspection® (RFDPI) overcome these limitations to provide enterprises with both extremely high-levels of protection and performance that they require. Defining Next-Generation Firewall In basic terms, a Next-Generation Firewall (NGFW) leverages deep packet inspection (DPI) firewall technology by integrating intrusion prevention systems (IPS), and application intelligence and control. Industry definitions Gartner defines an NGFW as “a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks.”1 At minimum, Gartner states that an NGFW should provide: • Non-disruptive in-line bump-in-the-wire configuration • Standard first-generation firewall capabilities, e.g., network- address translation (NAT), stateful protocol inspection (SPI), virtual private networking (VPN), etc. • Integrated signature based IPS engine • Application awareness, full stack visibility and granular control • Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc. • Upgrade path to include future information feeds and security threats • SSL decryption to enable identifying undesirable encrypted applications The evolution of Next-Generation Firewalls Earlier-generation firewalls First generation firewalls of the 1980s provided packet filtering based upon criteria such as port, protocol and MAC/IP address, and operated at layer 2 and 3 of the OSI model. Second generation firewalls of the 1990s incorporated stateful packet inspection (SPI), which verified that the state of inbound and outbound traffic based upon state tables, and operated at layers 2, 3 and 4 of the OSI model. Third-generation firewalls of the past decade have more processing power and broader capabilities, including deep packet inspection (DPI) of the entire packet payload, intrusion prevention, malware detection, gateway anti-virus, traffic analytics, application control, IPSec and SSL VPN. Unified Threat Management (UTM) represented the next trend in the evolution of the traditional firewall into a product that not only guards against intrusion, but also performs content filtering, data leakage protection, intrusion detection and anti-malware duties typically handled by multiple systems. Next-Generation Firewalls Web 2.0 applications (e.g., Salesforce.com, SharePoint, and Farmville) now run all over TCP port 80 as well as encrypted SSL (TCP port 443). Today’s NGFWs inspect the payload of packets and match signatures for nefarious activities such as known vulnerabilities, exploit attacks, viruses and malware all on the fly. DPI also means that administrators can create very granular permit and deny rules for controlling specific applica- tions and web sites (example: Yahoo instant messenger-chat is allowed but not file transfers). Since the contents of packets are inspected, exporting all sorts of statistical information is also possible, meaning administrators can now easily mine the traffic analytics to perform capacity planning, troubleshoot problems or monitor what individual employees are doing throughout the day. Today’s firewalls operate at layers, 2, 3, 4, 5, 6 and 7 of the OSI model. NGFW feature requirements The following are feature requirements for Next-Generation Firewalls: Legacy features An NGFW includes all standard capabilities found in a firstgeneration firewall; i.e., packet filtering, stateful packet inspection (SPI), network address translation (NAT), and high availability (HA). Integrated IPS Effective intrusion prevention systems require advanced capabilities to combat evasion techniques and enable scanning and inspection of inbound and outbound communications to identify malicious or suspicious communications and protocols. For effective threat protection as well as intrusion prevention, organizations need best-in-class firewall and intrusion prevention, without the complexity of managing separate appliances, GUI’s, and deployments. NGFWs with IPS capabilities deliver enterprise class resistance to evasion, powerful context and content protection capabilities as well as comprehensive threat protection and application control in a single integrated device. Application intelligence and control Application awareness and control includes protocollevel enforcement, full-stack visibility with granular application control, and the ability to identify applications regardless of port, or protocol being utilized. 1 “Defining the Next-Generation Firewall,” Gartner RAS Core Research Note G00171540, John Pescatore, Greg Young, 12 October 2009, R3210 04102010

> A NEW SET OF NETWORK SECURITY CHALLENGES ADDITIONAL READING: WHY 6 PROTECTION & PERFORMANCE MATTER continued Extra-firewall input User-ID awareness enables administrators to enforce application policies based on AD user/group (without having to trace IP address to user ID), adding insight into usage and traffic. wall vendors incorporated traditional malware protection and methods that were used on file servers and PCs. The technique was a band-aid fix to add malware protection on an SPI firewall, as it had two significant flaws: latency and complexity. Adaptability Another important capability of NGFWs is the dynamic adaptation to changing threats. Dell SonicWALL constantly updates their devices with new signatures to stop threats and stay on top of the evolving malware landscape. The first flaw was the introduction of latency while the file is buffered with file size limitations. Firewall vendors have worked around this issue by sending keep-alive packets to prevent this, yet the overall effect is the introduction of latency. The use of memory to buffer files for inspection causes not only additional latency but also a space issue which is addressed by limiting the overall file size to a preset amount (generally 100MB). The use of the Internet is growing and sharing of larger files is increasing; hybrid SPI/malware detection technology does not scale. Payload scanning and performance All of the above requirements demand full payload scanning at optimal throughput rates in order to avoid having to sacrifice security for performance. Performance In order to achieve the highest return on investment (ROI) for bandwidth services and optimize an organization’s productivity level, while still ensuring maximum security, IT needs to make sure that traffic is thoroughly scanned with minimal latency for optimal throughput. To meet these requirements, multigigabit throughput rates have become standard for NGFWs. Dell SonicWALL NGFW solutions can improve performance significantly by applying patented Dell SonicWALL RFDPI2 technology to enable DPI without buffering and packet reassembly. From a hardware perspective, Dell SonicWALL NGFWs can also maximize throughput by incorporating parallel processing over advanced multi-core architecture. Why you need a Next-Generation Firewall The SPI generation of firewalls addressed security in a world where malware was not a major issue and web pages were just documents to be read. Ports, IP addresses, and protocols were the key factors to be managed. But as the Internet evolved, the ability to deliver dynamic content from the server and client browsers introduced a wealth of applications we now call Web 2.0. SPI does not inspect the data portion of the packet and hackers effectively exploit this fact. To address the new threats, SPI fire- The second flaw was that traditional point solutions were difficult to deploy, manage and update, increasing operating complexity and overhead costs. Sophisticated malicious attacks penetrate traditional stateful packet inspection products. These solutions simply do not provide sufficient, timely and unified protection against increasingly complex threats. To overcome these flaws, Dell SonicWALL offers the most effective, highest-performance NGFW solutions available today. Recently, NSS Labs conducted independent testing of the Dell SonicWALL’s Next-Generation Firewall at their labs facility in Austin, Texas. Dell SonicWALL’s SuperMassive E10800 running SonicOS 6.0 is the highest overall protection Next-Generation Firewall to earn the NSS Labs “Recommend” rating. This proven SonicOS architecture is at the core of every Dell SonicWALL firewall. The results of those tests are explored further at the end of this paper. What the enterprise requires Organizations are suffering from application chaos. Network communications no longer rely simply on store-and-forward applications like email, but have expanded to include real-time collaboration tools, Web 2.0 applications, instant messenger (IM) and peer-topeer applications, Voice over IP (VoIP), streaming media and teleconferencing, each presenting conduits for potential attack. Many organizations cannot differentiate applications in use on their networks or legitimate business purposes from those that are potentially wasteful or dangerous. Today, organizations need to deliver critical business solutions, while also contending with employee use of wasteful and often dangerous web-based applications. Critical applications need bandwidth prioritization while social media and gaming applications need to be throttled or completely blocked. Moreover, organizations can face fines, penalties and loss of business if they are in noncompliance with security mandates and regulations. Protection and performance In today’s enterprise organizations, protection and performance go hand-in-hand. Organizations can no longer tolerate the reduced security provided by legacy SPI firewalls, nor can they tolerate the network bottlenecks associated with the some NGFWs. Any delays in firewall or network performance can degrade quality in latency-sensitive and collaborative applications, which in turn can negatively affect service levels and productivity. To make matters worse, some IT organizations even disable functionality in their network security solutions to avoid slowdowns in network performance. Scanning and controlling all content Organizations large and small, in both the public and private sector, face new threats from vulnerabilities in commonly-used applications. Malware lurks in social networks. Meanwhile, workers use business and home office computers for online blogging, socializing, messaging, videos, music, games, shopping and email. Application intelligence and control Applications such as streaming video, peer-to-peer (P2P), and hosted or cloud-based applications expose organizations to potential infiltration, data leakage and downtime. In addition to introducing security threats, these applications drain bandwidth and productivity, and compete with mission-critical applications for precious bandwidth. Importantly, enterprises need tools to guarantee bandwidth for critical business relevant applications and need application intelligence and control to protect both inbound and outbound flows of traffic, while ensuring the velocity and security to provide a productive work environment. Read the full article

Add a comment

Related presentations

Canvas Prints at Affordable Prices make you smile.Visit http://www.shopcanvasprint...

30 Días en Bici en Gijón organiza un recorrido por los comercios históricos de la ...

Con el fin de conocer mejor el rol que juega internet en el proceso de compra en E...

With three established projects across the country and seven more in the pipeline,...

Retailing is not a rocket science, neither it's walk-in-the-park. In this presenta...

What is research??

What is research??

April 2, 2014

Explanatory definitions of research in depth...

Related pages

New Set of Network Security Challenges - BrightTALK

With two issues becoming increasingly crucial, IT faces conflicting mandates from the business. On one hand, employees demand access from devices beyond ...
Read more

A New Set of Network Security Challenges

Download In this eBook, IDG discusses a new set of network security challenges as companies try to balance productivity and security. Download your copy today.
Read more

A new set of network security challenges (Dell) - Spiceworks

Discover how next-generation firewalls help IT address security and networking challenges without sacrificing productivity.
Read more

A New Set Of Network Security Challenges: Networkworld ...

A New Set Of Network Security Challenges. Discover how next-generation firewalls help IT address security and networking challenges without sacrificing ...
Read more

Counter a new set of network security challenges with Dell ...

Enable your workforce to connect from anywhere and support BYOD initiatives, while ensuring the highest levels of protection and performance with SonicWALL ...
Read more

A new set of network security challenges. - TechRepublic

Discover how next-generation firewalls help IT address security and networking challenges without sacrificing productivity.
Read more

Counter a new set of network security challenges with Dell ...

Counter a new set of network security challenges with Dell SonicWALL ... Network security threats explained: ... Try something new! Loading...
Read more

Counter a new set of network security challenges with Dell ...

Want to watch this again later? Sign in to add this video to a playlist. T: 01482 210999 E: info@genesisIT.co.uk W: www.genesisIT.co.uk Genesis ...
Read more

5 Key Computer Network Security Challenges For 2013

Guest post written by Tom Cross Tom Cross is director of security research ... the security threats facing computer networks have become more ...
Read more

A new set of network security challenges | Dell Italia

eBook, Security, Identify ... With two issues becoming increasingly crucial, IT faces conflicting mandates from the business.
Read more