Managing the Madness of Multiple Management Consoles with SonicWall TZ Firewall and X-Series Switches

With fast-emerging technologies, the challenges of network design in distributed retail store locations are becoming significant. As retail store and distributed enterprise environments evolve, the underlying network infrastructure must evolve with the transformational changes to embrace new technologies such as mobile and digital media, which aim to improve the customer experience. Embracing new technological changes in a retail network needs to be carefully thought through by asking the following questions:

  1. Is the network infrastructure scalable?
  2. With the increased scale, is the network still secure?
  3. Are the operating costs increasing with the network expansion?
  4. Above all, is there still sanity prevailing in the management of such an evolved network?

The ultimate goal of a network design for any distributed retail location is to create a smart, flexible and easy-to-manage platform that can scale to the specific needs of each site, while helping the organization reduce costs and risks. The typical approach to any network design expansion is to throw more capacity at the problem. As support for new technologies and devices arises, this leads to overinvestment and added complexity. A new paradigm is necessary: one that provides a converged infrastructure, simple and easy-to-use management and lower operating costs, and that can scale to a retail store site’s specific business need.

Let us start by understanding a typical retail store network. A retail store has many components: Point of Sale (POS) devices that require network access to process orders, multiple PoE-powered devices such as IP cameras, network devices such as storage servers and printers, multiple internal backend networks that employees need access to and, above all, a guest WiFi requirement that retail customers can benefit from. Taking these attributes into account, a typical retail store design gets broken up into:

  • Multiple internal networks for employee access (for example Sales, Engineering, Finance)
  • Point-of-Sale (POS) network
  • Network devices: PoE cameras, PoE/PoE+ driven access points, storage servers & printers
  • Wireless networks: corporate internal wireless, guest wireless

The retail network design needs to be secure, fault tolerant and interconnected. Security is typically offered by next-generation firewalls, switches provide the interconnectivity and wireless is offered through multiple access points depending on the store location size. With a scattered management design, an IT administrator is faced with the challenge of managing the network through multiple management consoles. There is the added operating cost of licensing for the various management consoles. A certain madness starts to prevail with such varied management solutions when we consider troubleshooting issues in such a network.

With the newly launched SonicOS 6.2.5, SonicWall Security launched a special feature, X-Series integration, that allows for simplified management of a secure converged infrastructure across a distributed retail network by integrating SonicWall X-Series switches into a single consolidated management view that already controls SonicWall firewalls, SonicWall SonicPoints (wireless access points), and SonicWall WAN acceleration devices. Using SonicWall Global Management System (GMS), SonicWall now offers a compelling single-vendor, consolidated secure management solution for distributed retail networks. If you are an existing customer or partner looking for the latest release notes, they are posted here: https://support.software.dell.com/sonicwall-tz-series/release-notes-guides

To learn more about the design of a scalable secure retail network, download our Tech brief: Scalable, consolidated security for retail networks.

SonicWall Next-Gen Firewall Consistently Ranks as Recommended Year After Year

The hacking economy continues to thrive. As you can see from the timeline chart below, we have seen data breach headlines in every industry vertical regardless of organization size. Cyber-criminals made the most of their opportunities last year, and rest assured it’s unlikely to be any different for years to come.

Timeline of high profile breaches in 2015

If the fear of a network breach keeps you up at night wondering if you’ve done a thorough job measuring the effectiveness of your cyber-defense system, then you’re in good company. Even a slight doubt about your firewall’s capability forces you to worry regularly about whether you are as successful as you can be in thwarting preventable attacks on your networks. Burdened with the possibility of having to deal with security incidents, you may ask if there is a reliable way to lessen this anxiety. The good news is that the answer is yes!

Once a year, leading next-generation firewall (NGFW) vendors gear up to participate in the industry’s rigorous security and performance tests, conducted by NSS Labs, a trusted authority in independent product testing. NSS designs various permutations of real-world test conditions and parameters specifically to address the challenges security professionals face when measuring and determining if their firewall is truly performing as their vendor has promised. Upon completion of these tests, NSS publishes a comprehensive results-based report on all participating vendors. Each vendor’s product is ranked either “Recommended,” “Neutral” or “Caution” based on its weighted score across key evaluation criteria including security effectiveness, resistance to evasion, performance, and stability and reliability.

Definition:

  1. A “Recommended” rating from NSS indicates that a product has performed well and deserves strong consideration. Only the top technical products earn this rating from NSS, regardless of market share, company size, or brand recognition.
  2. A “Neutral” rating from NSS indicates that a product has performed reasonably well and should continue to be used if it is the incumbent within an organization.
  3. A “Caution” rating from NSS indicates that a product has performed poorly. Organizations using one of these products should review their security posture and other threat mitigation factors, including possible alternative configurations and replacement. Products that earn a Caution rating from NSS should not be short-listed or renewed.

NSS started this vendor group test four years ago, so it has a significant amount of knowledge and experience in security product testing. Over this period, I have observed many vendors that have moved in and out of the NSS Labs “Recommended” quadrant as NSS’s test methodologies have evolved. This should give you total clarity and confidence toward those vendors with products that have repeatedly and consistently performed well year over year, while providing specific guidance on how to proceed with products that performed poorly or inconsistently. You can find out how your current firewall vendor performed in the latest 2016 Next Generation Firewall Comparative Report: Security Value Map™ (SVM). The SVM gives you a complete scorecard and ranking for each product tested. I urge you to read the entire set of NSS Labs NGFW reports, including the SVM, Comparative Analysis Report (CAR) and product Test Report (TR), to help you evaluate your current security posture and take immediate action where necessary.

For four years running, SonicWall has prevailed in the NSS Labs vendor group test. The SonicWall SuperMassive™ E10800 is one of only three vendor products to have earned the coveted “Recommended” rating in the NSS Labs Next-Generation Firewall Security Value Map for four consecutive years. This year, the SuperMassive E10800 once again demonstrated one of the highest security effectiveness ratings in the industry, blocking 98.83 percent of exploits during continuous live testing. The device also consistently scored 100 percent effective against all tested evasion techniques and passed all manageability, stability and reliability tests. These are highly credible and verifiable proof points that SonicWall next-generation firewalls deliver on our product promise, and they empower you to achieve breakthrough performance at unprecedented levels of protection. The same technology is used in SonicWall SuperMassive, NSA and TZ firewalls, so they are also highly secure.

Figure of NSS Labs 2016 Security Value Map (SVM) for Next Generation Firewall (NGFW)

Learn more. Read the 2016 NSS Labs Next-Generation Firewall Security Value Map SVM Report.

SonicWall Security – Helping CSOs Turn No into Yes

A chief security officer’s (CSO) life is not easy. Typically, requests of them sound like this: “Please deploy more, do it faster, more efficiently, with less money, more securely, and – oh, by the way, be compliant and pass the audit.”

Often, what’s not considered in these requests is the risk a new application, device or cloud-based tool may bring with it. This leads to the CSO and their team being viewed as the Department of No.

A CSO is often forced to push back or shut down requests because they must constantly balance network and data vulnerability against deployment of new apps and new equipment. And with the rise of mobility, remote access and cloud-based resources, they’ve got their hands full securing everything and everyone who’s connected from inside and outside their corporate environment.

As illustrated in a recent SonicWall Security case study, something as simple as a police body camera can bring with it potentially life-threatening results if that device compromises security. While the consequences of most breaches and vulnerabilities are not this dire, they can bring an organization to a standstill and impact the flow of revenue.

In this brief video, I discuss how SonicWall (@SonicWall) solutions, such as SonicWall One Identity and SonicWall next-generation firewalls, can help transform a CSO’s life and turn his team into the Department of Yes.

I’ll highlight ways to govern every identity and inspect every packet; how to eliminate siloed infrastructure; show that when IAM and network security solutions communicate, they reinforce each other; and how you can enjoy simplified compliance reporting and easily pass audits.

Securing a Scalable Network

Note: This is a guest blog by Ken Fletcher, CEO of Quarterhorse Technology Inc., a SonicWall Premier Partner based in New York. http://www.iqti.com/

Security is a major concern for small and large companies. When small companies hear the term enterprise-level security, the first thing that comes to mind is how much it would cost upfront and long term. Support is not just a dollar amount, it involves extensive management by trusted professionals.

As companies begin to outsource more of their IT needs to hosted applications and outside firms, internal staff are shifting their attention to network-centric issues. IT security has expanded from a firewall deployed at the perimeter and anti-virus installed on workstations to include mobile device security and user education. Network security has evolved to encompass securing non-company assets such as cell phones, tablets, and personal laptops that are utilized by end users to access company resources. Additionally, companies have started to invest in educating users on the multitude of ways a criminal can attempt to obtain sensitive information. This can include malware/ransomware and social engineering tactics.

The evolution of the next-generation firewalls

Firewall manufacturers are beginning to shift their focus from basic packet inspection to more intuitive and adaptive methods of traffic inspection. Security threats are constantly evolving and, as a result, firewall manufacturers have introduced next-generation firewalls (NGFW). An NGFW not only protects a network, but also its users. These firewalls go beyond packet inspection, and have the ability to scan for viruses at the gateway. They also include additional services such as content filtering (CFS) and intrusion prevention and detection (IPS/IDS). CFS can minimize the risk of employees visiting websites that contain malicious content, and increase productivity by eliminating access to non-work related websites. CFS can also be used as a liability protector by eliminating the risk of employees visiting controversial websites and subsequent lawsuits that could be filed against the company. If implemented correctly, these services can reduce the time and cost of management.


BYOD for the Real World

While some organizations are adopting a Bring Your Own Device (BYOD) model for their staff, these organizations are typically large, with significant support staff dedicated to managing the inherent issues that come with BYOD. Some organizations limit users’ remote access to company-provided devices, allowing the company more control over security. Despite this, providing company-issued devices can be expensive to deploy and support. For example, companies have been inclined to provide a firewall for their employees’ home network in order to secure a device, such as a PC, that is being used for business purposes. This adds to the complexity of both setting up and supporting these devices for their employees. As a result, this methodology can limit the number of personnel the company will allow to remotely access their network. Additionally, this method does not scale in an event such as Superstorm Sandy or the recent NYC blizzard to support the majority of employees that would be unable to commute to the office for work. As a solution to the drawbacks of both BYOD and company-issued devices, many organizations have adopted a hybrid approach to secure BYOD devices. To accomplish this hybrid approach, companies are utilizing SSL VPN technology. This approach is less expensive, provides a high level of security and can scale quickly.

Today’s SSL VPN appliances can provide access to network assets while performing a security checklist before allowing a connection, through the use of endpoint control (EPC). EPC can determine a variety of properties about the device, including its OS version, patch level, antivirus, domain membership and equipment ID. EPC then compares the device’s properties against the predetermined requirements, and if the specified criteria are not met, access can be reduced or denied. While a technology with these advanced feature sets may sound expensive, SonicWall makes an SMA Virtual Appliance with virtual SSL VPN that includes EPC for under $500. On top of these features, it also includes the ability to generate one-time passwords, which adds a second layer of authentication and protects against compromised credentials. SonicWall’s SSL VPN also contains a bookmark feature that can provide user-friendly access to an employee’s office PC, similar to remote control software such as LogMeIn or GoToMyPC. This feature does not require an installation of software on the office PC or a monthly subscription cost.
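The EPC check described above, as an added example that is not SonicWall's or the SMA appliance's code: a device reports its properties, a policy decides between full access, reduced access (the office-PC bookmark only) and denial. The property names, thresholds, tier names and the resource-per-tier mapping are assumptions chosen for illustration.

```python
"""Endpoint-control (EPC) posture evaluation before an SSL VPN connection is admitted.

Added example, not vendor code.  Hard failures (unknown equipment ID, no antivirus,
OS too old) deny the connection; softer ones (stale patches, not domain joined)
reduce it to the remote-desktop bookmark only.  All thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class DeviceProfile:
    """Properties an EPC agent reports for the connecting device (names assumed)."""
    os_version: tuple        # e.g. (10, 0) for Windows 10
    patch_level: date        # date of the most recent installed update
    antivirus_running: bool
    domain_joined: bool
    equipment_id: str        # hardware identifier reported by the device

@dataclass(frozen=True)
class EpcPolicy:
    min_os_version: tuple
    max_patch_age_days: int
    allowed_equipment_ids: frozenset = frozenset()   # empty set: any ID accepted

FULL, REDUCED, DENIED = "full", "reduced", "denied"

# Assumed resources per access tier: full network tunnel vs. bookmark-only access.
TIER_RESOURCES = {
    FULL: ("network-tunnel", "office-pc-bookmark", "file-shares"),
    REDUCED: ("office-pc-bookmark",),
    DENIED: (),
}

def evaluate(device, policy, today):
    """Return (decision, reasons).  Any hard failure denies; soft failures reduce access."""
    hard, soft = [], []
    if policy.allowed_equipment_ids and device.equipment_id not in policy.allowed_equipment_ids:
        hard.append("equipment id not on the allowed list")
    if not device.antivirus_running:
        hard.append("antivirus not running")
    if device.os_version < policy.min_os_version:
        hard.append("os version below minimum")
    patch_age = (today - device.patch_level).days
    if patch_age > policy.max_patch_age_days:
        soft.append(f"patch level is {patch_age} days old")
    if not device.domain_joined:
        soft.append("device is not domain joined")
    if hard:
        return DENIED, hard + soft
    if soft:
        return REDUCED, soft
    return FULL, []

def resources_for(device, policy, today):
    """Resources the session may reach, derived from the posture decision."""
    decision, _ = evaluate(device, policy, today)
    return TIER_RESOURCES[decision]

# Constructed sample policy and devices (not real equipment IDs).
POLICY = EpcPolicy(min_os_version=(10, 0), max_patch_age_days=30,
                   allowed_equipment_ids=frozenset({"LAPTOP-A1", "LAPTOP-B2"}))
TODAY = date(2016, 3, 1)
SAMPLE_DEVICES = {
    "healthy": DeviceProfile((10, 0), date(2016, 2, 20), True, True, "LAPTOP-A1"),
    "stale":   DeviceProfile((10, 0), date(2015, 12, 1), True, False, "LAPTOP-B2"),
    "no_av":   DeviceProfile((10, 0), date(2016, 2, 20), False, True, "LAPTOP-A1"),
    "old_os":  DeviceProfile((6, 1), date(2016, 2, 20), True, True, "LAPTOP-A1"),
    "unknown": DeviceProfile((10, 0), date(2016, 2, 20), True, True, "LAPTOP-Z9"),
}

if __name__ == "__main__":
    for name, dev in SAMPLE_DEVICES.items():
        decision, reasons = evaluate(dev, POLICY, TODAY)
        print(f"{name:8} -> {decision:8} {reasons}")
```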


Considering the human element

Security encompasses more than just hardware and software solutions. It is very common for companies to disregard the human element of security. Spammers are able to replicate emails from major corporations to a point that only a trained eye can tell the difference between a fake and a legitimate email. Not only do these emails appear to come from reputable names, but they can also appear to provide information which the user might be waiting for in a link or an attachment. One example would be purporting to have information about a delivery, such as a FedEx package. When the unsuspecting user clicks on a provided link, there is a chance that it will download malicious software that can encrypt files or applications and can give the attacker access to the company’s network. Companies are becoming aware of the need to adequately educate their employees to recognize these threats so they do not fall victim. While online training may cover a specific point, firms that specialize in awareness education generally offer a more comprehensive approach to training employees to identify these threats. These specialized firms can perform tests by sending spoofed or malicious emails to the trained users to determine if they are able to identify the threats.

As companies evaluate their IT infrastructure, they need to be cognizant of the perimeter, mobile and human elements that affect security. Implementing the correct strategy for each of these components will minimize security risks and reduce cost, while providing great flexibility.

Avoid Making a Costly Network Security Shortlist Decision

Living the life of a chief security officer (CSO), chief information security officer (CISO) or any title with the word “security” in it nowadays is surely a heart-wrenching experience each day. Far too often, yet another data breach in the news reminds you of the obvious notion that it’s not a matter of if but when you’ll be called upon to manage and contain a security incident in your organization. Regardless of its depth and severity, this has to be very disturbing, and there seems to be no end. As a result, you find yourself regularly worrying whether you’ve done a thorough job of vetting your cyber-defense system, and whether it is really doing its job to prevent avoidable attacks on your networks. You understand the stakes. If any part of your security strategy is not functioning at its optimal level, you know your organization is susceptible to countless security risks. The bottom line is you don’t ever want to stand in front of the executives explaining why the company was breached, and dealing with the aftermath of a failure in one or more of your security layers. There is a way, however, to help you avoid such a disaster.

Limited resources and a shortage of security staff can constrain your ability to carry out a rigorous vendor vetting process. The fundamental question then is what alternatives there are to help you efficiently select potential technologies that can put you in a position of strength and success against evolving threats. As a security leader, you’ve been down this road many times. You’re aware that choosing the right technology partner with capable solutions to support your security strategy for the long term is one of the most nerve-wracking but crucial tasks you must undertake. The range of capabilities and factors impacting your choice is overwhelming. You understand very well that making a poor choice could end up costing your organization millions in breach remediation expenses, immeasurable brand damage, loss of public confidence and possibly even your career. To help avoid such a costly decision when shortlisting possible vendors and their solutions for proof of concept (PoC) consideration or making the purchase, there are highly specialized market research companies, well recognized by the security industry for their reputable and impartial validation of network security quality and effectiveness, that you can confidently rely on when making your selections.

The difficulty here is that there are many market research companies available. Most specialize in a variety of technologies including network security. And to make things a little more complicated, each has its own definition, criteria and approach to how vendors are evaluated and graded for their security effectiveness, performance and cost of ownership. The results often vary among them, especially for vendor-sponsored research. Subsidized research and testing are always skewed to make one vendor’s product more favorable than its rival’s. As such, these kinds of reports lack objectivity, are seldom reliable from a technical perspective, and should not be viewed as serious research. So who should I depend on? Who do I need to steer clear of? Should I trust their findings completely? Where do I start? These are some good questions to help set clear direction and decision points. From our point of view, a good place to start is to give greater attention to independent research companies that are self-funded, have zero connection to any one vendor and focus exclusively on cyber-security. More importantly, you would also want the research to be fully verified by extensive public testing using different permutations of actual real-world use cases that best match your unique security environment requirements.

One particular company has differentiated itself in the IT security category over the past few years: NSS Labs. It is now broadly recognized as the world’s trusted authority in providing unbiased, independent security product test reports and security intelligence services. NSS Labs reporting can help you shortlist vendors and their products based on empirical laboratory test results as opposed to fuzzy marketing, product surveys, opinion-based analysis and/or peer-to-peer recommendation. The NSS Labs Test Report is the ultimate validation of network security performance, resiliency and efficacy under various network traffic mixes and loads that mimic real-world use cases. Download a free copy of the NSS Labs Test Report to gain knowledge of key performance indicators essential to the success of your cyber-defense strategy.

Accelerate Application Performance for a Better User Experience

A few years back I was living outside the US with my family and working from my home office, specifically my attic. When you’re a remote or mobile employee your work experience is a little different than when you’re in the main corporate office. To a certain extent the same can be said if you’re located in a branch site away from headquarters. How is it different? For the most part it’s simply how well things work. When you’re remote, everything seems to take longer and be a little more difficult.

Let me give you an example. Have you ever been in a remote office and tried downloading a file from a shared drive on the corporate network? I have and it was a slow process. How about accessing an internal web-based application? Same thing. Anytime data, whether it’s a file or an app, is sent back and forth over the WAN it tends to slow down. Bandwidth issues aside, this repeated transmission gets bogged down when the contents of the entire file are sent between the sites. Using an application results in the same experience – slow, unproductive and ultimately frustrating. While the application itself may not be performing slowly in actuality, the experience of the user in the remote office is that it is, and perception is reality.

What can you do to improve the experience for these employees and speed up the performance of WAN applications and file sharing between sites? The answer is WAN acceleration, also known as WAN optimization. WAN acceleration technology provides organizations with a range of benefits including:

  • Giving users at remote/branch office sites LAN-like application performance
  • Reducing bandwidth consumption
  • Improving browser response times to frequently-visited websites
  • Minimizing latency on the network
  • Optimizing network efficiency

How does it do all this? At a high level, WAN (Wide Area Network) acceleration technology decreases traffic volumes by transmitting only new or changed data across the network after the initial file transfer, instead of resending the entire file. Think of a Microsoft Word or PowerPoint document that’s sent back and forth between users or accessed from a shared drive through Windows File Sharing. The decrease in traffic between sites cuts down on the latency users experience while also consuming less bandwidth. Behind the scenes, WAN acceleration uses several techniques to accomplish this, including byte and file caching, protocol optimization and data compression algorithms. There’s also HTTP web caching for faster access to sites users repeatedly visit.
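The byte-caching idea above, as an added example that is not SonicWall's or the WXA appliance's code: both ends of the link keep a cache keyed by chunk digest, and after the first transfer only chunks the far side has not seen cross the WAN. Content-defined chunking with a rolling hash is used so that an edit in the middle of a document shifts only the boundaries of the chunks around it; the window size, chunk limits and wire format are assumptions.

```python
"""Byte-caching style deduplication of the kind WAN accelerators use (added example).

The sender remembers which chunk digests the peer already holds and sends a
16-byte reference instead of the chunk; the receiver rebuilds the stream from
its cache.  Chunk boundaries are chosen by a rolling hash over a sliding window
so that boundaries depend on content, not on byte offsets.  Parameters assumed.
"""
import hashlib

WINDOW = 16          # rolling-hash window in bytes
MIN_CHUNK = 64       # never cut before this many bytes
MAX_CHUNK = 512      # always cut at this length (bounds resync after a non-matching run)
MASK = 0x3F          # cut when the low 6 bits are zero: ~1 boundary per 64 bytes past MIN_CHUNK
BASE, MOD = 257, 1 << 32
POW = pow(BASE, WINDOW, MOD)   # weight of the byte leaving the window

def chunk_data(data):
    """Content-defined chunking with a polynomial rolling hash."""
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = (h * BASE + b) % MOD
        if i >= WINDOW:                       # drop the byte that slid out of the window
            h = (h - data[i - WINDOW] * POW) % MOD
        length = i - start + 1
        if (length >= MIN_CHUNK and (h & MASK) == 0) or length >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks

def digest(chunk):
    return hashlib.sha256(chunk).digest()[:16]

def encode(data, sent_digests):
    """Sender side: reference chunks the peer already has, send the rest raw."""
    msg = []
    for chunk in chunk_data(data):
        d = digest(chunk)
        if d in sent_digests:
            msg.append(("ref", d))
        else:
            msg.append(("raw", chunk))
            sent_digests.add(d)            # the peer caches it on receipt
    return msg

def wire_size(msg):
    """Bytes on the WAN: one tag byte plus the digest or the raw chunk."""
    return sum(1 + len(payload) for _, payload in msg)

def decode(msg, cache):
    """Receiver side: cache raw chunks, resolve references; KeyError means caches diverged."""
    out = []
    for kind, payload in msg:
        if kind == "raw":
            cache[digest(payload)] = payload
            out.append(payload)
        else:
            out.append(cache[payload])
    return b"".join(out)

def transfer(data, sent_digests, receiver_cache):
    msg = encode(data, sent_digests)
    return decode(msg, receiver_cache), wire_size(msg)

def demo():
    """Constructed 6400-byte 'document', then the same document with a sentence inserted.

    Returns (both transfers rebuilt correctly, bytes sent first time, bytes sent second time).
    """
    original = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(200))
    edited = original[:3000] + b"one sentence inserted in the middle" + original[3000:]
    sent, cache = set(), {}
    first, n1 = transfer(original, sent, cache)
    second, n2 = transfer(edited, sent, cache)
    return first == original and second == edited, n1, n2

if __name__ == "__main__":
    ok, n1, n2 = demo()
    print(f"rebuilt ok: {ok}; first transfer {n1} bytes, edited copy {n2} bytes on the WAN")
```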

For organizations that have multiple sites with employees who share information and access applications remotely, WAN acceleration may be the solution. If you think yours may be one, here are some questions you should ask yourself to get started.

  • Is my organization looking for ways to improve employee productivity?
  • Are my organization’s network bandwidth requirements outpacing our current service plan?
  • Do our remote office employees complain the network is slow and that this impacts access to applications?
  • Are our employees using applications such as Microsoft Windows File Sharing, SharePoint, Office or FTP?
  • Do we want to reduce internet-bound HTTP web traffic?

There are a number of WAN optimization solutions available to distributed organizations with remote and branch offices. One of those is the SonicWall™ WAN Acceleration Appliance (WXA) Series. An add-on product to SonicWall next-generation firewalls, the WXA series reduces application latency and conserves bandwidth, significantly enhancing WAN application performance and improving the end user experience, all at a low total cost of ownership compared to other WAN optimization products. To learn more about the benefits of WAN acceleration and how SonicWall WXA series solutions can help you achieve them, read our eBook titled “10 ways to securely optimize your network.”

WAN Acceleration on the Back Burner? Time to Move It Up

In our last blog we talked about the benefits of adding WAN acceleration to a network to accelerate and improve application performance. What I’ve observed from talking with others in the industry is that most IT administrators understand the benefits of adding WAN acceleration. However, because of deployment costs, ongoing maintenance and/or security concerns around how to deploy WAN acceleration solutions, some IT organizations are simply abandoning those projects or always placing them on the proverbial back burner.

Initial POC or deployment can be a major issue to deal with as IT would need to determine how to physically put the WAN acceleration device in place on the network to ensure it can improve application performance, then determine which traffic type should be routed to it for acceleration, all while not breaking or interrupting business critical applications. I guess one other option could be to put the acceleration device inline and route all network traffic through it, but that would include traffic that cannot be accelerated.

Then there’s the matter of learning the management interface of a new product. It will take time to ensure the IT staff is trained up and understands all the complex configuration options available within the acceleration solution. From there the challenge will be not only dealing with the deployment and management at the headquarters location, but also all the remote offices. For those, someone from the IT group will have to not only do the initial setup, but also provide some level of ongoing management and monitoring. For a small deployment this may not be an issue, but for larger deployments this could become complex. There may be options to provide central management, but that would involve setting up yet another console, which may have its own set of complexities or limitations.

Finally, there’s the security aspect of adding WAN acceleration. If the customer is leveraging VPN within a next-generation firewall (NGFW), where do you put the acceleration device? If you decide to put the device outside the VPN termination point, then no acceleration can happen, because the traffic is encrypted and for all practical purposes cannot be accelerated. The other option is to put the acceleration device behind the NGFW/VPN combination; however, this causes issues because the traffic that is being accelerated will not be able to be scanned for threats by the NGFW. This again becomes another headache for IT administrators to deal with or think about addressing before a WAN acceleration solution can be introduced into a network.

The combined solution of the SonicWall WAN Acceleration (WXA) and SonicWall Next-Generation Firewall can help reduce the complexity of initial deployment, ongoing management and security when introducing WAN acceleration into a network environment. Integrated as part of the SonicOS operating system, WXA management is done through the same web UI, so all of the security, VPN and acceleration features can be controlled from the same management interface. For customers that have multiple offices, consolidated management is possible using the SonicWall Global Management System for environments that have deployed multiple firewalls and WXA appliances.

Network provisioning of the WXA is less complex as one of the firewall interfaces is dedicated specifically for the WXA appliance. Auto-provisioning reduces the complexity of initial deployment and ongoing management of the WXA solution. Traffic controls on the firewall ensure that only traffic that can be accelerated is sent over to the WXA to be accelerated.

Finally, since the WXA is integrated as part of the SonicWall NGFW, traffic that is sent between offices or destined to be cached is scanned by the SonicWall Deep Packet Inspection engine, which includes intrusion prevention and anti-malware detection and prevention, ensuring a higher level of security. Leveraging the SonicWall WXA/NGFW combination can help ensure an easier deployment and lower ongoing maintenance cost without sacrificing security.

To learn more about the benefits of WAN acceleration and how SonicWall WXA series solutions can help you achieve them, read our eBook titled “10 ways to securely optimize your network.”


The Evolution of Defense-in-Depth

This post was written by Dan Cole.

As enterprises continue to shore up their defenses in anticipation of the next breach, it’s understood by many security professionals that it’s not a matter of if it happens, but when. And when it does, the question is how soon they would know, before the attack has completed its cycle.

To offset these upcoming threats, perimeter security experts have been doubling up on their defense solutions, layering security from the very edge of their perimeter (Firewalls, IPS, NGFW) to the deep core and asset point (end point software, application firewalls, etc.) of their IT infrastructure. This was done to not only prevent a breach, but to buy time for organizations to respond to such attacks. As I described in my earlier blog, Defense-in-Depth is very much like a “Castle” approach in building your IT security infrastructure.

But much like the castle illustrated here, building such defense mechanisms inadvertently creates chasms. Translated to the cyber realm, the chasms represent the response time between and during ongoing attacks.

Now, on the flip side of the coin, cyber warfare incorporates both offense and defense strategies. The offense approach is structured and labeled by the military (as most things are) as the kill chain. Simply put, the kill chain from a military model perspective includes the following:

  • Target identification
  • Force dispatch to target
  • Decision and order to attack the target
  • Destruction of the target

By adapting this structured approach, Lockheed Martin coined the term Cyber Kill Chain: a model that, like Defense in Depth, is structured in layers, but takes the opposing approach of attacking an IT infrastructure. The perspective of the hacker, if you will.

These steps include but are not limited to the following:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Actions on Objective

Today, attackers who have successfully penetrated classic Defense in Depth models, have leveraged an adaptation of the Cyber Kill Chain. So what’s the delta? What do IT experts need to incorporate into their defense strategy to help mitigate against such advanced attack approaches?

Defense in Depth with Intelligence

As discussed earlier one of the biggest challenges with the classic defense in depth approach is the inadvertent chasms that are created. These chasms are essentially people, process, and product related.

In larger enterprises there are multiple IT departments, with responsibilities divided according to the assets each manages. Network engineers may not necessarily know or communicate with the security engineers. Although the aspiration is to ensure that the processes followed are global and relevant to all IT infrastructure touch points, in reality they are rarely followed. Lastly, products that are purchased and then deployed into the enterprise are usually incompatible with each other, resulting in differing log languages and management structures.

Although the people and process are valid challenges and problems that will need to be tackled, my responsibility as a product manager of the Network Security Products for SonicWall Security will be to ensure that the chasms of product compatibility with adjacent security technologies are closed. The initiatives launched with our Connected Security vision will help in understanding these challenges better, as we ourselves, being part of the SonicWall technology family, need to bring various disparate technologies together to build a solution that will work not only for our customers but for ourselves (at SonicWall).

One of the most important approaches to minimizing this divide is building a security communication framework in which all of our products speak a common language. With this ability we would be able to make our products, and other devices within our customer’s security infrastructure, respond and alert intelligently, minimizing the intervals between the attack stages of the Kill Chain model.

As we and our customers continue to shore up our security infrastructure for the next generation of cyberattacks, the existing Defense in Depth model will need to be adapted and upgraded with intelligence. With intelligence we will be helping our customers in addressing the chasms within their castle.

Increase Your Network Security and Control Through Segmentation

When you think about locking down a network using a next-generation firewall, in most cases the process immediately goes from the Internet to the local area network (LAN). This may be a good way of thinking if you only have hard-wired desktop clients. However, what if the network includes servers that need inbound access from the Internet, or a wireless network? What steps can you take to protect a network that’s a little more sophisticated?

Let’s look at an example of a small network where the user has a few desktop clients connected to the physical LAN, wireless clients and a storage server. For this specific use case, the network segmentation is set up in the following way: the LAN network has all of the desktop clients, a wireless LAN (WLAN) network serves the wireless clients, and a de-militarized zone (DMZ) is where the storage server is connected.

From the LAN, clients are allowed to get to the Internet, but access to the other network segments is blocked. This includes the default policy to block all incoming access from the WAN or Internet.

Wireless users can get to the Internet but are blocked from accessing any of the other network segments. In order for the wireless users to access other network segments they must authenticate to the firewall. Once authenticated, each wireless user can gain access to the other network segments as needed. This was done to increase security from the WLAN and prevent unauthorized access to the other network segments.

Finally, on the storage server segment, the default policy is to block access to all other network segments. This is done to ensure that if the storage server were compromised through a vulnerability in its software, it would not allow an attacker to gain access, or malware to spread, to other network segments on the LAN or WLAN. For WAN access, all traffic is blocked, although a specific set of ports is allowed so that the software on the storage server can be updated automatically.
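The zone policy described above, written out as an added example so it can be checked flow by flow. This is a minimal hypothetical policy evaluator, not SonicWall firmware or any vendor API; the zone names, rule order and the update ports (80 and 443 are a constructed placeholder) are assumptions.

```python
"""Zone-based segmentation policy for the small LAN / WLAN / DMZ network.

Hypothetical example: a minimal first-match policy evaluator. Zones, rules
and sample flows are constructed for illustration, not taken from a device.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    authenticated: bool = False  # wireless user has logged in to the firewall


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                     # "allow" or "deny"
    ports: frozenset = frozenset()  # empty set means any destination port
    require_auth: bool = False      # only matches authenticated users

    def matches(self, f: Flow) -> bool:
        if (self.src_zone, self.dst_zone) != (f.src_zone, f.dst_zone):
            return False
        if self.ports and f.dst_port not in self.ports:
            return False
        if self.require_auth and not f.authenticated:
            return False
        return True


# Evaluated top-down, first match wins. Every zone pair without an explicit
# allow (LAN->DMZ, DMZ->LAN, all WAN-inbound, ...) falls through to deny,
# which is the "block access to all other network segments" default.
POLICY = [
    Rule("LAN", "WAN", "allow"),
    Rule("WLAN", "WAN", "allow"),
    Rule("WLAN", "LAN", "allow", require_auth=True),
    Rule("WLAN", "DMZ", "allow", require_auth=True),
    # Storage server may only reach its update service on the WAN; the port
    # set is a constructed placeholder for whatever the updater needs.
    Rule("DMZ", "WAN", "allow", ports=frozenset({80, 443})),
]


def evaluate(flow: Flow, policy=POLICY) -> str:
    """Return the action for a flow; unmatched flows are denied by default."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"
```

Running the east-west cases (for example WLAN to LAN before and after authentication, or DMZ to LAN) is the quickest way to confirm that the default-deny actually holds between segments and not just at the WAN edge.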

Now you may look at this and be thinking this is overkill for such a small network. However, being in the security industry for the past 15 years and educating partners and customers on proper network design, I figured it would only benefit my own network security by implementing a security design that limits access between network segments.

While I’m not saying that all networks need to have this level of complexity, it is a good idea to think about network segmentation and not put all connected devices on a single segment just because it’s easy. Network segmentation will help to control traffic not only north and south, but also provide controls for traffic going east and west between network segments.

SonicWall NSA Next-Gen Firewall Series

With SonicWall firewalls it’s possible to create a wide variety of segments using either physical or logical interfaces, or the internal wireless radio if available. Once an interface is defined, you can then apply a zone classification such as LAN, DMZ, WLAN or custom, and from there apply policies to control access between the various segments and limit unauthorized access. For increased security you can apply authentication requirements as well. To learn more about how SonicWall next-generation firewalls can help secure your network, read the “Achieve Deeper Network Security and Control” white paper.

SonicWall Firewall As A Service Offers New GMS Infrastructure

Today, customers are looking for more security and insight into the traffic on their network, without the burden of managing it on their own. Increasingly, managed service providers (MSPs) are being asked to deliver network perimeter protection. Meeting this demand, SonicWall Firewall as a Service (FWaaS) now offers the SonicWall Global Management System (GMS) as a cloud-managed service. Immediately available from SonicWall are three unique options of the Global Management System infrastructure solution: Monitoring; Monitoring and Reporting; and Fully Managed. The undeniable benefit of all of these choices is that each lowers upfront costs through monthly subscription pricing. Customers also gain enterprise-level network security to defend against relentless global threats and malware attacks without having to worry about maintenance or support. These solutions simplify customer management and deployment of SonicWall products. The new offerings will be provided by Solutions Granted Inc. and Western NRG, Inc., our selected infrastructure providers.

SonicWall Security’s Firewall-as-a-Service bundle includes a SonicWall next-generation firewall appliance, Total Secure/Comprehensive Gateway Security Software (CGSS) and SonicWall Global Management System (GMS). What is new is that we are giving you more options on where and how to run SonicWall GMS, allowing you to rapidly deploy and centrally manage SonicWall next-gen firewalls. This highly effective system provides real-time monitoring and alerts, along with comprehensive policy and compliance reporting, in a solution that can easily be deployed as a hosted service.

Option number one provides GMS infrastructure with monitoring. Option number two delivers more comprehensive security with both monitoring and reporting. With these two options the managed service provider (MSP) runs GMS and is responsible for the workload, but uses the SonicWall GMS infrastructure. The value is to eliminate the cost of the GMS infrastructure, paying a monthly price instead of an upfront cost and scaling over time to accommodate growth.

The third and most comprehensive option consists of a fully managed GMS instance and execution of the managed firewall service on behalf of the VAR/MSP. The value of this service is that a VAR can now participate without being an MSP. With this option you sell the service, but the delivery of that service is handled by the new SonicWall GMS managed services offerings. This expands your business as a VAR. These options all complement and extend SonicWall’s security products and services, while optimizing your business security, managing growth and easing the administrative burden.

We invite you to tune in for a live webcast on how the new offerings in the FWaaS partner program will help you increase your sales, on Thursday, Nov. 5, 2015 at 11 a.m. Pacific/2 p.m. Eastern.

Meet us in person next week at the IT Nation 2015 conference, Nov. 11 – 13, 2015 at the Hyatt Regency in Orlando, where SonicWall Security Solutions experts will demonstrate SonicWall Firewall-as-a-Service (FWaaS) and the SonicWall Global Management System.