Combat Cyber Espionage with New SonicWall TZ Wireless Firewalls

How many times have you heard the phrase, “Your data is your most valuable possession?” Pretty often I bet. And it’s true. The information your organization keeps is extremely important not only to you, but to your customers as well.

I was thinking about this the other day while watching a scene from the movie “The Incredibles” where the superhero mom tells her daughter, “Your identity is your most valuable possession. Protect it.” That’s good advice, whether it’s data, records or even the identity of your employees or your customers. Protecting the things that are valuable to your organization from the seemingly relentless onslaught of theft is critical in today’s world.

Every day we are all potential victims of cyber-espionage. It doesn’t matter what size your organization is. Sure, the bigger the victim the larger the headline. To safeguard our customers against attack, today SonicWall has announced the new SonicWall TZ Wireless firewall series which combines enterprise-grade security, deep packet inspection of SSL-encrypted traffic and integrated high-speed 802.11ac wireless for small and medium-sized businesses and distributed enterprises.

Back in April we announced our new lineup of secure, high-performance SonicWall TZ series firewalls that help both small and medium-sized businesses (SMBs) and large distributed enterprises protect their most valuable assets. The TZ series allows SonicWall to offer market-leading security solutions to its customers at a price that fits under even the tightest budgets. With these new firewalls, small organizations can afford the same security effectiveness as large enterprises.

One of our premier partners, Western NRG, has already experienced the incredible benefits of the new TZ wireless firewalls.

“Since I upgraded my remote office from a TZ 105 Wireless to the new TZ500 Wireless I have noticed a substantial increase in my Internet speeds! I am truly taking advantage of the 100Mb download offering from my ISP. In addition, I have also added the new SonicPoint ACi to the network. The boys at NRG configured the TZ500 Wireless and the SonicPoint ACi to use the 5GHz radio and a single SSID which allows me to connect anywhere in the multi-story 3400 square foot facility and have seamless wireless access to networking resources now with amazing speeds!” said Tim Martinez, president of Western NRG, Inc.

The TZ Wireless series takes security and performance another giant step forward with built-in secure WiFi connectivity. And not just any WiFi. With these new firewalls, our customers can have the same level of protection and performance on their wireless networks as they do on their wired networks.

If you’re familiar with the benefits of 802.11ac, good for you. If you’re not, there are plenty of articles you can read on the subject. Even better, check out Scott Grebe’s blog titled “Three Reasons to Make the Jump to 802.11ac.” If you don’t have the time, here is the abbreviated version.

  • 802.11ac is really fast. It’s about 3x faster than its predecessor 802.11n. Faster speed means greater employee productivity and a better user experience.
  • 802.11ac enhances the quality of the wireless signal. Ever have a poor WiFi or cellular connection? How did that make you feel?
  • 802.11ac plays well with earlier wireless standards. In other words, it’s backward compatible with WiFi devices that use the 802.11n, b, g or a standards like your mobile phone, tablet and laptop so you can continue to use them to connect to the wireless network if you want.

The integration of high-speed wireless into our TZ series firewalls is good news for SonicWall customers. It enables us to offer them a complete security solution for wired and wireless networks of all sizes. SMBs love the highly integrated nature of the TZ series along with the simplified setup and management. Configuration of the LAN and wireless LAN and accompanying security is all done through the appliance’s GUI. So is the management. Distributed enterprises also enjoy these same benefits, however many take things a step further by adding our award-winning Global Management System (GMS) to enable centralized management and reporting of multiple TZ series firewalls deployed in different locations.

With the introduction of our new TZ Wireless series we have our strongest lineup ever of wired and wireless firewall solutions for SMBs and distributed enterprises. Whether it’s our customers’ data, their records or even their superhero identities, we’re able to protect it like no one else. If you want to learn more about the TZ series including our new wireless models featuring 802.11ac, check out the TZ series page on our website.

Five Essentials for Best of Breed Next Gen Firewalls

Beyond basic network firewall testing scenarios, the specialized firewall testing tools needed to accurately assess next-generation firewall (NGFW) security effectiveness remain out of reach to any but the largest IT department budgets. Therefore, most organizations look to independent hands-on test results from respected research laboratories such as NSS Labs. NSS Labs uses a very specific testing methodology that is run on each of the NGFWs being tested. Their Next-Generation Firewall Product Analysis Report provides detailed information on how a specific firewall scored when tested in these key essential areas:

  • Security Effectiveness
  • Performance
  • Stability and Reliability
  • Management and Configuration
  • Total Cost of Ownership

Security Effectiveness

Security effectiveness verifies that the firewall being tested is capable of enforcing the security policy effectively. Security effectiveness tests include:

Firewall Policy enforcement

Incremental tests that build configuration from simple to complex real world policy consisting of many addresses, policies, applications, inspection engines, protection from DoS attacks, IP spoofing.

Application Control

Firewall is tested to see if it can correctly determine application regardless of ports/protocols used and enforce appropriate application policy granularity.

User/Group ID aware policies

Correctly determine user/group from deep packet inspection and enforce policy with user awareness.

Intrusion Prevention

Correctly block malicious traffic “out of the box” using the default policy (for this test no IPS tuning is allowed).

Evasion

Decode/block basic obfuscated exploits and provide an accurate alert based on the actual attack, not be fooled by the evasion technique itself.

How did SonicWall next-generation firewalls do? Passed all criteria. Noteworthy SonicWall results included a 97.9 percent exploit block rate. No NGFW tested achieved a 100 percent exploit block rate due to the constantly changing NSS Labs test suite. However, over the last three years SonicWall has consistently been rated in the leaders quadrant and has demonstrated a consistently improved block rate year over year.

Performance

Measures how well a given NGFW performs when subjected to various traffic conditions. No two networks will have the exact same characteristics but this test does provide metrics to gauge if a given NGFW is appropriate in a given environment.

Raw Packet Processing Performance (UDP packets of various sizes are tested)

Measures the raw packet processing capability of each of the NGFW’s in-line port pairs; packet forwarding rate is measured for highest performance/lowest latency.

Latency (packet loss/average latency)

Determine the effect the NGFW has on traffic passing through it under various loads. Traffic passes through all port pairs simultaneously.

Maximum Capacity (generates TCP session based connections and HTTP transactions)

Stress the inspection engine with multi-gigabit “real world” traffic generated to determine expected user response times, max connections per second, concurrent open connections, and application transactions per second on a backdrop of a heavily utilized network.

HTTP Capacity – No Transaction Delay (uses HTTP GET request)

How much HTTP traffic can be passed with varying packet sizes and various connections-per-second loads.

Application average response time – HTTP (across all in-line port pairs simultaneously)

Measures average HTTP latency using various packet sizes at 90 percent of max load.

HTTP Capacity with Transaction Delay

Same as above except it introduces a 5 second server response delay, which forces a high number of open connections.

Real World Traffic (generates protocol mix usually seen by industry verticals, i.e. financial, education, data center, mobile carrier, etc.)

Same as previous test, except it adds additional protocols and real content.

Stability and Reliability

These tests measure how well a next-generation firewall passes legitimate traffic while under attack. To pass, the NGFW must be able to block and alert on 100 percent of the attacks previously blocked while remaining operational.

Blocking under Extended Attack

Measures consistency of blocking. Sends continuous policy violations at 100Mbps over 8 hours.

Passing Legitimate Traffic Under Extended Attack

Same as previous test except legitimate traffic is sent in addition. The NGFW must pass all legitimate traffic.

Behavior of State Engine Under Load

Can the NGFW preserve state across a large number of connections over an extended time? It must not exhaust resources allocated to state tables or ‘leak’ connections through after the theoretical max concurrent connection count is reached.

Protocol Fuzzing and Mutation

Sends random, unexpected, or invalid data to the NGFW; verifies the NGFW remains operational and detects/blocks exploits throughout the test.

Power Fail

Power is turned off while passing traffic; the NGFW should fail closed after power is cut.

Persistence of Data

Measures if the NGFW retains policy, configuration, and log data when restored from power failure.

Total Cost of Ownership and Value

Measures overall costs of deployment, maintenance and upkeep over the useful life of the product.

Product Purchase

Cost of acquisition.

Product Maintenance

Fees paid to vendor (hardware maintenance, subscription services, etc.).

Installation

Time required to make the NGFW operational out of the box.

Upkeep

Time required to apply vendor supplied firmware, updates, patches.

How Next Gen Firewalls are Increasing Your Business Profitability

Shrinking or flat IT security budgets and personnel; this is what many organizations of any size are facing daily. However, the security threats and compliance requirements continue to grow and become even more complex.

In response, many companies have implemented single security solutions on a reactive basis. For example, they might have started with a traditional firewall to protect their network, then implemented a web content filtering gateway and then added a dedicated intrusion prevention system (IPS/IDS) solution. Nevertheless, each of these solutions can come at a high cost and requires a single specialist to administer and manage; the overall total cost of ownership (TCO) goes through the roof! And these pain point solutions can leave gaping holes between them, exposing the business to potential security breaches and compliance violations, instead of helping mitigate the risks: this can’t be!

The advent of faster hardware and cores has allowed for the consolidation of once standalone security solutions into a single appliance – Next Generation Firewalls (NGFWs). They provide dramatic improvements in protection versus traditional firewalls, particularly in dealing with today’s more sophisticated and rapidly changing threat landscape. They allow organizations of all sizes to do more with less and therefore save money!

In the UK, BskyB’s mobile Wi-Fi service, The Cloud, needed to upgrade the content filtering it provided, as it was becoming increasingly difficult to scale the service, and the performance was at risk. The Cloud selected SonicWall NGFW (SuperMassive 9000 series) with its content filtering service, which reduced upgrade work by 75 percent and ensured cost-effective WiFi service performance, delivering twice the capability at a quarter of the cost. Going forward, The Cloud can also use the additional NGFW security capabilities at no additional costs, and benefit from a more straightforward CapEx forecasting.

In Spain, Benetton looked to enhance store operation and productivity across the country by gaining better control of network connections between its stores and its head office. Efficiency is at the forefront of the company’s goals to deliver enhanced customer services at a lower cost.

The company chose SonicWall NGFW to connect and protect its stores and achieve its business goals. By replacing a traditional firewall with NGFW technology, Benetton Spain ensures the complete protection of their network, while spending 39 percent less compared to their legacy solution; this is very critical to them, as they are able to fund new IT projects from the savings. Another key benefit of implementing a NGFW is in-store personnel productivity, thanks to the content filtering service and application firewall functionality; now shop assistants can access the Benetton Spain website and other sites that help them deliver a better service to customers. At the same time, users from the marketing department have access to a full range of sites, including social media, which they need for their job, while protecting the network from potential cyber attacks. Also, as a retailer, Benetton Spain has to comply with numerous safeguards like PCI DSS to protect consumer data and credit card details. Because SonicWall NGFW provides IPsec VPN and a gateway AV service, Benetton Spain can tick the PCI DSS compliance box.

As these two particular examples demonstrate, the financial benefits of the NGFW technology are real and very much tangible, from improving employees’ productivity, to better customer service, operational cost savings and allocating budget to other IT projects, and meeting compliance requirements.

The threat landscape is changing rapidly with new types of malware, and cybercriminals have become increasingly sophisticated and coordinated in their attacks. They are out to exploit every vulnerability, and if your organization is not taking advantage of the advanced protection offered by NGFWs, then you are at increased risk of a successful attack. Deploying a NGFW will provide the network protection you need, but will also help you to improve efficiency and save up some money you can re-invest into your business!

The Future Looks Bright for Mobile Worker Productivity

Managing and securing mobile data is about to get a whole lot easier. Mobile platform providers, historically focused on the consumer, are now investing heavily in new OS features that will seamlessly integrate with mobile management and security solutions and allow businesses to more easily enable mobile access to more data and resources without compromising security.

Historically, IT departments protected corporate networks and data by only allowing trusted devices and users to connect to the network. IT could limit the threat of data loss and malware by controlling and managing PC and laptop and software images and configurations. In the new mobile era, IT has limited control or management over devices. Workers are often independently choosing their smart-phones and tablets as well as the apps and services they use to address business and personal needs.

So, with limited mobile device control and management, how can IT keep company data secure while enabling mobile worker productivity?

The leading mobile platform providers recognize the challenge businesses face and are adding new features to make it easier to secure and manage business apps and data on devices, whether corporate or personally owned. And they’re partnering with third party mobile management and security providers to help give IT control to secure and manage the mobile data workflow. Key mobile platform features enabling mobile for business include:

1. Managed separation of business and personal apps and data

Mobile OS’s are architected to allow data to be easily shared by apps. While this ease-of-use and transparent interaction and sharing between apps is beneficial for personal use, it can be problematic for businesses that want to protect data. For example, many social apps mine contact lists from other apps and invite contacts to join their service. With this, confidential customer contact information stored in a business app could unintentionally be “shared” to a personal social app, leaking customer contact information and potentially damaging a business’s reputation or violating regulatory rules. Another risk, if a rogue app is downloaded to a device, mobile malware or vulnerabilities may be present that can steal data or provide an entry point for a cyber-attack.

To address these issues, the new generation of mobile operating systems is adding features that, with third party mobile management tools, will help better secure business apps and data on mobile devices. IT, with mobile user permission, will be able to more easily deploy and manage trusted mobile apps for business and enforce security policy to protect company data, while personal apps and data will be isolated from business apps, preventing data leakage. To meet mobile user demands for personal app and data privacy, IT will be restricted to only manage business apps and data. With these new built-in OS features, today’s proprietary secure containers that isolate and secure business apps and data on mobile devices, will be less necessary, helping to reduce IT cost and complexity.

2. Managed apps

To further support mobile for business, mobile platform providers are making it easier for app developers to build “managed apps”, apps that can be configured and managed by mobile management tools. For these apps, IT will be able to use third party mobile management tools to configure app level policies that affect the actions an app may take. For example, a managed email app implemented with the new mobile management control protocol could be remotely configured to only allow email and attachments to be viewed from the email app, and disallow copy, cut and print functionality to keep business data secure and encrypted within the app and not allow sharing with other apps.

3. App level VPN

Businesses today often deploy VPNs to securely connect mobile and remote workers with company networks and resources, a necessity to encrypt data in-flight and protect from data theft. However, when a device is used for business and personal use, if the VPN is enabled, personal traffic also uses the corporate VPN which can impact network bandwidth and contaminate backend resources. Ideally, to preserve corporate network bandwidth, only business apps and data should use the corporate VPN.

To address this need, mobile OS, security and management technologies are evolving to allow per app VPN capabilities. With per app VPN, security and management technology may be configured with policies to initiate a VPN whenever a business app launches such that business traffic from the mobile device travels through the VPN while personal traffic does not.

So, with these new mobile management and security capabilities, what should businesses do to accelerate mobile adoption and productivity?

Get ready for the next wave of mobile technology. For information on the management and security solutions you need to help enable mobile workers productivity while protecting from threats, read our eBook, Secure Mobile Access.

How to Make Your Network Security Infrastructure Future-Ready

It is clear that today’s businesses require reliable network connectivity, and access to both corporate and Internet resources. Connections to and from business units, external customers and SOHOs are all equally important to ensure continuity. Business runs all day, every day, even in off hours. Most companies run operations around the clock, seven days a week, so it is important to realize that solid business continuity strategy and redundancy technology should be considered and implemented.

To enable business productivity, Internet access must be operating and available all of the time. This is sometimes referred to as five nines (99.999) uptime. Because things break, and unforeseen events do occur, we need to create an architecture that is ‘highly available’ or up as much as possible, with failures foreseen ahead of time, and where the only downtime is for planned maintenance.

Redundancy means different things to different people, but to SonicWall, it means having no single (or in some cases tertiary) point of failure from Layer 2 to Layer 7.

In this exercise at SonicWall World Software User Forum, in Austin, TX, we will dive into the new Firewall Sandwich design that combines the best of breed SonicWall next-gen firewall and SonicWall Networking switch technologies. In this architecture, we will create redundancy in your core/edge network, and review how to properly design and implement this technology in case of a disaster. We will also briefly discuss the failover and failback operation, which may be needed if or when any of the components within our SonicWall solution fail.

We invite you to attend this exclusive SonicWall “How to make your network security infrastructure future-ready” technical training session. Upon completion of this course, you will have in-depth knowledge and a clear understanding of how to implement your future-proofed, network-based scale-out security layer architecture. This is a highly resilient design that offers transparent security services to augment existing security solutions, separate security functions and provides added capacity via N+1 redundancy to solve your most complex and demanding data center requirements. The SonicWall solution delivers the following benefits:

  • Scalability, add more capacity as you go reusing existing equipment
  • Redundancy and resiliency
  • In line upgrade for both firewalls and switches, no need to take a system down for maintenance
  • Single point of management for the Firewall cluster, ability to enforce policies to multiple firewall cluster blades
  • Full security services capability

I look forward to seeing you in Austin for SonicWall World Software User Forum and follow the conversation for updates on Twitter @SonicWall #DWUF and #SonicWallWorld. Register today, and take advantage of the Buy One Get One offer today. If you purchase one pass to the SonicWall World Software User Forum, we will include one additional pass at no extra cost for a colleague.

How Next Gen Firewalls are Keeping Up with Ever Growing Pipes

Scaling security devices is much more difficult than scaling routers or switches. A router acts on the destination IP lookup only, a 32 or 128 bit fixed length value, whereas a switch acts on a 48 bit fixed length MAC address, looking up on the destination MAC and adding the source MAC to a lookup table. Those values are not just fixed length, but they also appear at the same place in a data frame.

Routers and switches therefore embraced silicon very early on. Custom chips were designed that consist of transistors forming logic gates such as NAND or OR gates. Those logic gates are hardwired on a chip. These chips are called Application Specific Integrated Circuits – or ASICs, for short.

The logic in an ASIC used for routers and switches is hardwired, very similar to electronic components on an old TV circuit board. Unlike in an old tube TV, those ASICs process digital data. They can extract IP and MAC addresses extremely fast or perform routing and forwarding table lookups in real time. Real time means that a function always takes the same time to perform, regardless of the load and run time.

There are several drawbacks with ASICs, though: First, ASICs cannot be changed once they leave the foundry. Second, there is a long lead-time to developing an ASIC. ASICs are simulated in software but can only be tested when a real sample exists. Producing samples is very costly, hence a long time is spent on testing an ASIC in software emulation before the first sample is built. This means that the technology used in an ASIC might be two or three years old before an ASIC hits production. And third, the development costs of ASICs are very high, which makes them expensive for low volume production and evolutionary versioning. The same ASIC generation has to be amortized over many years. The span between ASIC generations can therefore be five or more years, specifically for ASICs that are made for only one vendor’s products and see low production counts.

While this works for routing and switching, which has not fundamentally changed in a decade or two (there are still routers and switches in production today that have outlived a decade in service), this approach cannot be utilized for security, where new threats appear by the minute. Threats typically do not obey fixed length requirements, nor are they found at the same place within a data frame. RFC3514 has not been widely adopted by the BlackHat community for some reason.

The solution is to use microprocessors. Microprocessors are completely flexible and can be programmed in an instant to perform various tasks. Early firewalls started on common office technology processors, mostly Intel i386, but also PowerPC. The early firewalls were extensions to routers or switches. Security rules matched on source and destination IP, IP protocol ID, as well as source and destination ports for UDP and TCP protocols, all fixed length values appearing at the same place within a data frame. While those general-purpose processors were programmable, they were not fast, and depending on the underlying operating system, not predictable in terms of timing. This created substantial delays and jitter between packets. Security vendors took a hint from router and switch vendors and created ASICs to perform value extraction, table lookup, and packet switching. During the stateful inspection days, ASIC based systems were very successful.

Stateful packet inspection (SPI) works by tracking TCP connection state between a client and a server socket. A socket is the combination of an IP protocol and a port. The two most common protocols are stateless UDP and stateful TCP. Stateful inspection was controlling access between sockets – that means access between clients and server applications. The problem with stateful packet filters these days is that traffic uses few sockets and that clients need access to many more servers. Other applications such as peer-to-peer (P2P) file sharing can use any socket. For instance, an internal client does almost all connections on HTTP and HTTPS and needs access to the entire Internet. In addition, a malicious attack can come over a legitimate connection, e.g. browsing a reputable news site that has a banner ad with malicious code embedded.

Deep packet inspection (DPI) inspects the actual data stream that flows between a client and a server. DPI can identify the application independent of sockets, and can look within the data stream for malicious code, or categorize applications and content. Whereas DPI was originally an add-on to SPI, these days it has replaced SPI, as SPI is no longer effective in stopping threats or controlling traffic flows. The term Next-Generation Firewall in NGFW implies DPI functionality. This includes common services such as user, application, and content identification, as well as intrusion prevention, gateway antivirus, geo fencing, botnet detection, bandwidth controls, and such. Also today, SSL client decryption is more and more important to be able to look into the payload of the data stream. After the recent website disclosures, we have seen a steady trend of more encryption that according to some predictions might reach two thirds of all sites by the end of next year.
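The difference between the two approaches described above, as an added example that is not part of the original post and is not SonicWall's RFDPI engine: a port-based decision and a payload-based decision are run over the same flows. The port table, signature prefixes, policy and sample flows are all constructed for illustration.

```python
"""Port-based (SPI-style) vs payload-based (DPI-style) application control.

Added illustration; every table and flow below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed port-to-application table: all an SPI-style rule can know.
PORT_APPS = {80: "http", 443: "tls", 22: "ssh"}

# Assumed stream-start signatures per application (simplified).
SIGNATURES = {
    "http": [b"GET ", b"POST ", b"HEAD ", b"PUT "],
    "ssh": [b"SSH-2.0-"],
    "tls": [b"\x16\x03\x01", b"\x16\x03\x03"],
    "bittorrent": [b"\x13BitTorrent protocol"],
}
MAX_SIG = max(len(s) for sigs in SIGNATURES.values() for s in sigs)

# Assumed policy: internal clients may only speak HTTP and TLS outbound.
ALLOWED = {"http", "tls"}


@dataclass
class FlowState:
    """Bounded per-flow state: at most MAX_SIG bytes are ever kept."""
    head: bytes = b""
    app: Optional[str] = None  # None means "not decided yet"


def classify_by_port(dst_port: int) -> str:
    """SPI-style guess: the application is whatever the port implies."""
    return PORT_APPS.get(dst_port, "unknown")


def feed(state: FlowState, segment: bytes) -> Optional[str]:
    """Feed one segment payload; return the app, 'unknown', or None if undecided.

    A signature split across two segments still matches, because the
    first bytes of the stream are carried over in the flow state.
    """
    if state.app is not None:
        return state.app
    state.head = (state.head + segment)[:MAX_SIG]
    still_possible = False
    for app, sigs in SIGNATURES.items():
        for sig in sigs:
            if state.head.startswith(sig):
                state.app = app
                return app
            if sig.startswith(state.head):
                still_possible = True  # need more bytes to decide
    if not still_possible:
        state.app = "unknown"
    return state.app


def evaluate(flow: dict) -> dict:
    """Return both verdicts for one flow so they can be compared."""
    port_app = classify_by_port(flow["dst_port"])
    state = FlowState()
    payload_app = None
    for segment in flow["segments"]:
        payload_app = feed(state, segment)
        if payload_app is not None:
            break
    payload_app = payload_app or "unknown"
    return {
        "name": flow["name"],
        "port_verdict": "allow" if port_app in ALLOWED else "deny",
        "payload_app": payload_app,
        "payload_verdict": "allow" if payload_app in ALLOWED else "deny",
    }


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    {"name": "browser", "dst_port": 80,
     "segments": [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"]},
    {"name": "p2p-on-80", "dst_port": 80,
     "segments": [b"\x13BitTor", b"rent protocol" + b"\x00" * 8]},
    {"name": "ssh-on-443", "dst_port": 443,
     "segments": [b"SSH-2.0-ExampleClient\r\n"]},
    {"name": "http-on-8080", "dst_port": 8080,
     "segments": [b"POST /api HTTP/1.1\r\n"]},
]


def run_samples() -> list:
    return [evaluate(flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for row in run_samples():
        print(f"{row['name']:<13} port={row['port_verdict']:<5} "
              f"payload={row['payload_app']:<10} -> {row['payload_verdict']}")
```

The two verdicts disagree on three of the four flows: the port rule admits the P2P and SSH flows because they use ports 80 and 443, and blocks ordinary HTTP on port 8080.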

DPI inspection cannot easily be done in silicon; in other words, only a few sub-functions can be done in hardware. DPI systems often apply hardware coprocessors that do cryptography, pattern matches, table look-ups, and framing. Vendor specific custom ASICs are less common today due to the cost of development. Sometimes Field Programmable Gate Arrays (FPGAs) are utilized instead since their development cycle is short, but performance is significantly lower than that of an ASIC system, and there is little benefit to modern multicore processors. Another strategy by vendors that are locked into ASICs is adding a microprocessor core to their legacy silicon. Performance of those afterthoughts is poor.

To summarize: Stateful inspection is no longer effective in protecting a network. DPI benefits from ASICs only for some repetitive sub-functions, and custom ASIC development is expensive with multi-year amortization cycles. On the other hand, office computer and server processors are too slow for scaling DPI beyond a few Gbps. They are also expensive and consume a lot of power, which means they cannot be packaged very densely, limiting the maximum throughput of the system.

SonicWall solved this problem by creating a security platform that is free from legacy. It is not based on custom ASICs but uses high volume ASIC functions, and it does not use power hungry and expensive microprocessors but large clusters of processors more commonly found in low power applications such as smart phones. This permits a high packaging density of massive parallel processing, both in general microprocessors as well as ASIC coprocessors, utilized for signature match, table lookup, cryptography, framing, hashing, and switching.

SonicWall utilizes Cavium’s Octeon systems-on-a-chip (SoC) with up to 32 individual MIPS64 cores. Multiple SoC systems can be combined. Systems can have up to eight processing blades with one Octeon processor each within the same small two or three RU hardware enclosure. Enclosures can be deployed individually, as A/P HA pairs, or clustered up in a security fabric with a combined 2048 cores and DPI throughput of over 300 Gbps.

A single pass security engine, Reassembly Free Deep Packet Inspection (RFDPI), for which SonicWall was awarded a patent, brings this streamlined hardware with massive processing ability to life. RFDPI processes from SonicWalls around the world share intelligence with each other, over 2,000,000 devices today, enabled by the SonicWall GRID cloud. The GRID also offers cloud services such as sandboxing and access to a signature base of over 21,000,000 signatures, and growing: 40,000 new malware samples are analyzed every day.

The philosophy behind SonicWall is to offer price effective massive parallel processing power that is highly scalable, and enable it with sophisticated on-board software that is connected via the cloud.

Mobile Security Checklist to Minimize Risk

The number of mobile devices in the workplace is exploding and with this, a new frontier for cyber-attack is emerging that poses a significant risk to business. As the great philosopher and strategist Sun Tzu wrote, “Know your enemy and know yourself and you can fight a hundred battles without disaster.”

Threat analysts are finding that malware isn’t just a problem for laptops any more. For example, reports indicate that the CloudAtlas campaign, a sophisticated advanced persistent threat that initially targeted Windows machines, has made its way to mobile platforms including Android, Apple iOS and BlackBerry systems. Our own SonicWall Security Threat Research Center uncovered the Android counterpart of the CloudAtlas campaign. This malware masquerades as an update for the popular messenger app WhatsApp, and in turn, spies on a victim’s device to obtain sensitive data, such as texts, contacts and calendar information, and passes it back to the attacker, creating a huge business risk.

Could you, or one of your employees unknowingly have a mobile device infected with malware harvesting your confidential business data?

Fundamentally, there are two key business risks that you need to protect against as workers go mobile. The first is theft or loss of mobile data. The second is mobile devices becoming conduits for malware attacks that affect corporate systems and data. So what are the mobile threats you need to be aware of to protect your business?

Here’s a checklist of threats you need to be prepared to tackle in the mobile worker era:

  1. Lost and stolen devices: No surprise here. If a device is lost or stolen, and corporate data was stored on the device, there’s a risk of confidential data loss. An even bigger risk is a lost or stolen device being used to gain access to corporate data and apps on the back end. Significantly more data could be impacted if an unauthorized user with a lost or stolen mobile device gains access to the data center. This is particularly problematic for businesses subject to regulatory compliance.
  2. Mobile malware and vulnerabilities: Another concern is rogue apps downloaded to devices containing information-stealing malware, such as the CloudAtlas threat discussed above, or vulnerabilities in devices, OS design and third-party apps. These threats provide an entry point for attacks and can lead to data theft and downtime. Again, this is a risk for data on the device, but potentially an even bigger risk if the device becomes a conduit for malware to infect back-end data systems and cause data loss or downtime.
  3. Data leakage through third-party apps: Corporate data and apps co-mingling with personal data and apps on devices can also create risk and lead to corporate data leaking, either intentionally or unintentionally. For example, many social apps mine contact lists from other apps and invite contacts to join their service. With this, confidential customer contact information stored in a business app could unintentionally be “shared” to a personal social app, leaking customer contact information and potentially damaging a business’s reputation or violating regulatory rules.
  4. Insecure Wi-Fi: Lastly, the risk of man-in-the-middle attacks. Attackers can snoop data if traffic is sent over unencrypted networks such as public Wi-Fi. Data in-flight is likely the pulse of the business. It likely contains fresh, sensitive data, and may even contain data subject to legal or regulatory requirements for confidentiality. If that data is intercepted, it could be damaging to the business. Although the relative quantity of data lost or stolen in case of in-flight traffic interception is likely small, the potential for damage is still there. So, to protect in-flight data from interception, data should be encrypted.

Mobile Security Solution

So, now that we’ve reviewed the top threats, how can you prepare to win the mobile security battle to come? To protect against these threats, the best defense is a good offense.

Secure container and encryption technologies such as Enterprise Mobility Management (EMM) can help isolate and secure business apps and data on mobile devices. This is a great start, but company data and networks are still at risk if only on-device data protection is addressed. Security is an end-to-end mobile workflow challenge.

For comprehensive mobile security, in addition to EMM, deploy security and access control technologies in your IT infrastructure that authenticate users, interrogate devices, OSes and mobile apps, and validate their integrity. Only grant VPN access to trusted users, devices and business apps to help protect against rogue access and malware attacks. Also deploy next-gen firewalls to scan mobile traffic entering your network and block malware before it infects corporate systems and data. Next-gen firewalls can also block access to and from disreputable web applications and sites, adding another layer of protection.

For more information on the security and access solutions you need to enable mobile worker productivity while protecting from threats, read our eBook: SonicWall Secure Mobile Access.

How We Built a Self Healing Double Ring Helix with SonicWall Next Gen Firewalls

In this guest post, our customers Kelley Parkes, Director of Technical Operations (on the right), and Dave Rupert, Systems Engineer (on the left), at First Source describe how their company built a site-to-site VPN with SonicWall NSAs and TZs to enable secure collaboration and failover protection to sites spread across the country.

When your company grows by acquisition, the way ours does, your IT group has to run fast and hard just to keep up with more users, more sites, more remote connections and a secure perimeter that keeps expanding.

We’ve recently switched from keeping-up mode to being ahead of the curve thanks to a combination of our own internal expertise, SonicWall next-generation firewalls and implementation help from Cerdant. I figured a lot of the people following Tech Center are in the same boat, so I asked SonicWall to let me share what we’re doing.

An expanding security perimeter

Our company is a nationwide distributor of specialty foods and confections from manufacturers like Godiva, Ghirardelli and Lindt. When you buy candy at Walmart, Cracker Barrel and Bed Bath & Beyond, chances are it comes from First Source.

We started out with sites in Virginia and Tennessee. We merged with a company in Buffalo, New York, and then we acquired a California location. Now we cover the entire country with around 500 employees in four main warehouses, two remote warehouses, one retail store and our data center. That means that our security perimeter covers eight locations from one coast to the other.

We had been using the ZyXEL 35, which has a very simple firewall application. However, when we looked at the roadmap of functions we wanted to offer the business, we knew the ZyXEL wouldn’t handle enough of them:

  • Remote computing: We had no secure VPN for remote users. We used simple port forwarding over the ZyXEL firewall to give users remote desktop access. That offered some security, but nothing near the encryption level we wanted from a secure VPN.
  • Protection beyond the perimeter: There was no mobile security for users connecting on BYO devices outside of our perimeter.
  • Quality of service for VoIP: We plan a move to voice over IP soon, so besides network security we needed the ability to carve out QoS for that.
  • Content filtering: We wanted the ability to block access to sites that waste time and devour bandwidth. Even more important for PCI compliance, we needed to be able to check any personally identifiable information or outgoing data that looks like a credit card number or a Social Security number.

And then strategically, we wanted everybody to be able to collaborate across the same network. For all of these reasons, we decided to build out a site-to-site VPN.

How to build a resilient, site-to-site VPN

We knew we were going to upgrade from the ZyXEL, so we looked at products from vendors like Cisco and Barracuda. We ended up selecting SonicWall NSA and TZ Series next-gen firewalls, mostly because of their secure VPN, which would make it easier for all of us to log in remotely anytime from anywhere and access in-house files, applications and printers. The support team at SonicWall pointed me to Cerdant and we chose them as our implementation partner.

Cerdant is dedicated to SonicWall operation and applications, and they’ve given us good ideas based on our needs. The hardware inventory for our site-to-site VPN goes like this:

  • NSA 4500 in Virginia
  • NSA 3500 in Tennessee
  • NSA 3600s in California and New York
  • TZ 205s in each of the remote warehouse locations, at our retail store and at the data center

All of our SonicWall firewalls are connected by MPLS and business-class high-speed internet circuits. We’ve used them to create a primary, internal, closed-loop network over dedicated, fiber-optic MPLS lines (10 Mbps), which cost about $1,500 per month per site on average. We lease a secondary loop over standard ISP circuits (100 Mbps down, 20 Mbps up) for about $350 a month. (The retail store connects through its local cable provider for about $75 a month.) The secondary is a fallback loop in case the MPLS connection drops for a few minutes or a few hours.

The best part is that the SonicWall firewalls can use a probe to detect when the primary connection goes down and can automatically fail over to the secondary loop. In fact, I can think of three or four times in the last year that the MPLS loop has dropped for anywhere from ten to 40 minutes and we’ve flipped over to that secondary network of internet connections.

Cerdant has been a great partner for us. They’ve automated the SonicWall firewalls to fail over from the primary to the secondary loop, and then back to the primary after our carrier has restored the MPLS connection.

As I mentioned, we went with SonicWall firewalls mostly because of the secure VPN. I’m very glad we’ve also gotten a self-healing, double-loop network in the bargain.

Saved about $20,000 on hardware alone

We’ve seen other big advantages to deploying SonicWall throughout the company: operational, IT and financial advantages.

On the operations side, it’s been much easier to support our service level agreement, which is our commitment to users that we’ll keep our systems up and running. With the double-loop network, we don’t lose connectivity between locations, so we have full business continuity in the event our network fails.

From an IT perspective, we’ve gotten so much more than just firewall hardware. We reap the benefits of SonicWall features like deep packet inspection, gateway antivirus, anti-spyware, bandwidth management, content filtering and secure VPN, as well as SonicWall’s continuous threat research.

Financially, we’ve saved $5,000 to $6,000 per location on load balancing equipment. Our self-healing, double-loop network configuration required load and link balancers, and we get those functions from the SonicWall firewalls, in addition to all of the firewall security features they offer. That has saved us at least $20,000 in building out our network.

Your turn

When I first started this project, I researched several forums and saw other sys admins and IT managers trying to figure out how to connect multiple sites and asking questions about failover protection and the best type of connectivity. I could see that many of my counterparts aren’t happy with what they have in place. We’re very pleased with what we’ve implemented with SonicWall and Cerdant, and I wanted to describe it as a viable option for configuring a resilient network.

How do you connect your remote locations? What site-to-site VPN configuration works for you? Let me know in the comments below.

Deep Dive Into SonicWall Security at the SonicWall World 2015 Software User Forum

During my 14 years with SonicWall Security (formerly SonicWall), I’ve never seen a greater need for powerful network security, and the SonicWall World Software User Forum provides a great opportunity for you to mingle with some of the most powerful minds in security today.

We’re excited to finally be able to host a dedicated security customer forum at this event. We’ve had a fantastic year and we can’t wait to show you our new lineup of SonicWall TZ Series firewalls, new SonicWall Secure Mobile Access (SMA) appliances and a few yet-to-be-released products. Some of the break-out sessions that I’m especially looking forward to are Strategic Direction & Vision, SonicWall Next-Generation Firewall Technology overview, and How to make your network security future ready, and, of course, the top secret band that will be performing.

Register for the SonicWall Security Track at the SonicWall World Software User Forum 2015 and learn how to address these security challenges head-on with direct access to engineers and experts for the security products you depend on every day. Some of the highlights include:

  • Learn practical methods for getting the most out of your SonicWall device
  • Get a sneak peek at the newest tech
  • Participate in hands-on tech labs

Experience the visionary keynotes from our leaders and industry experts in the SonicWall World 2015 general sessions. Explore the SonicWall World Solution Showcase with partner and product demos highlighting the innovation and cutting-edge technology in mobility, cloud, big data, networking and more. Plus, enjoy the music of our secret special band at the Opening Night concert.

Take advantage of the Buy One Get One offer today. If you purchase one pass to the SonicWall World Software User Forum, we will include one additional pass at no extra cost for a colleague.

And here are more good reasons not to miss out on SonicWall’s annual conference:

  • Attend 13 in-depth, security-specific sessions including:
    • Technology and roadmap deep dive for SonicWall next-gen firewalls
    • Advanced SonicOS management best practices
    • Advanced SuperMassive deployment best practices
    • Global Management System (GMS) as an enterprise firewall management console
    • Creating an enterprise “Clean VPN” solution using SonicWall products

There will be interactive discussions and access for you to speak to SonicWall product engineers, experts and executives. They will shed light on product direction and roadmaps for SonicWall products.

During my tenure, I’ve met many of you in-person, and I look forward to seeing you again. For those of you I haven’t met, I hope you will register for the event and join me for a handful of truly informational days at the Software User Forum.

It’s all yours from Oct. 20 through Oct. 22
at the Hilton Hotel in Austin, Texas.
Come help us paint the town blue!
(SonicWall blue, please)

5 Key Performance Indicators to measure

The SonicWall Security Threat Research team sifts through hundreds of thousands of unique malware samples daily. In their latest threat report, they’ve documented that businesses continue to be under attack in ways that are increasingly difficult to defend against. We often see threat actors using combinations of evasion techniques and modifying their attack vectors to circumvent firewalls and intrusion detection systems. The multitude of published security breaches proves that many existing network security controls are not working effectively against today’s modern threats. For companies that have been fortunate thus far, it’s time to face some tough questions about your security risks.

  • Are the company’s network security controls doing an effective job?
  • Are we testing and measuring their effectiveness thoroughly? What are the key quantifiable performance metrics?
  • Where do we need to improve to gain a better security posture?

Understandably, there are many other important risk-related inquiries concerning different security controls that also require our attention. However, we’ll narrow the focus of this discussion primarily to next-generation firewalls (NGFWs), given their principal role in facilitating secure business communications and data exchanges over the Internet. Thus, the stability, reliability and, most importantly, security effectiveness of the NGFW device are imperative when it comes to protecting the confidentiality, integrity, and availability of an information system and its information.

Picture of SonicWall's SuperMassive E10000 Series model

The concept of a “security effectiveness” score is generally recognized today as a decisive network security metric used by IT organizations across all industries. The computed rating helps decision makers establish a reference level in assessing the quality and efficacy of an NGFW based upon “5 performance indicators” identified by NSS Labs, a well-trusted independent information security research firm that supports its product analysis through exhaustive laboratory testing. NGFW devices are tested and rated for their effectiveness, performance, manageability and cost of ownership to provide answers to tough questions faced by IT professionals when selecting and implementing security products. So when NSS documents these scores and makes its recommendations in its published reports, they are based solely upon empirical test data. Testing starts with a baseline configuration and moves to more complex, real-world configurations that simulate varying use cases. The firewall ranking is heavily weighted on 5 key performance indicators that determine the effectiveness score, verifying that the firewall is capable of the following:

  1. Intrusion Prevention – correctly blocking malicious traffic based on a comparison of packet/session contents against signatures/filters/protocol decoders without false positives.
  2. Evasion – accurately detecting and blocking known exploits when subjected to varying evasion techniques.
  3. Application Control – accurately executing outbound and inbound policies consisting of many rules, objects, and applications and identifying the correct application, and taking the appropriate control action.
  4. Firewall Policy Enforcement – correctly enforcing firewall rules that permit or deny access from one network resource to another based on identifying criteria such as source, destination, and service.
  5. Stability and Reliability – maintaining security effectiveness while passing malicious traffic under normal or heavy conditions.

The NSS security effectiveness report is the ultimate validation of NGFW quality and performance. The report contains a full range of test results that have direct relevance to the evaluation and selection of a capable NGFW to protect and secure your organization. Some of the interesting findings include exploit block rate; coverage by attack vector, impact type and popular applications; and resistance to various combinations of advanced evasive attacks. If you are an IT security leader responsible for information and network security in your organization, I’d like to share with you a copy of the NSS Labs report that is packed with important information to serve as a guide when measuring the security effectiveness of your current firewall.