Posts

NSv Virtual Firewall: Tested and Certified in AWS Public Cloud

More than 90% of enterprises use the cloud in some way, with 69% of those considered hybrid cloud users (utilizing both private and public clouds). Along with widespread remote work adoption, this shift is driving the need for scaled-out, distributed infrastructure.

Within this new cloud landscape, security has become more complex as the number of perimeters and integrations grow, and cybercriminals increasingly focus on security gaps and vulnerabilities in cloud implementations. It’s often easier for threat actors to exploit these vulnerabilities than it is to breach hardened components of the cloud deployment.

A next-generation firewall deployed in the cloud can protect critical data stored in the cloud. But it’s important to make sure this firewall provides the same level of security and performance as an on-premises firewall.

Recently, Tolly Group used Keysight Technologies’ brand-new native cloud testing solution — CyPerf — to measure the performance of SonicWall NSv 470 virtual firewall in Amazon Web Services (AWS). AWS is the major public cloud vendor, with a projected 49% market share in enterprise cloud adoption for 2022. AWS recommends a shared responsibility model, meaning AWS is responsible for the security of the cloud, and the customer is responsible for security in the cloud.

What is SonicWall NSv virtual firewall?

SonicWall’s NSv Series virtual firewalls provide all the security advantages of a physical firewall, plus all the operational and economic benefits of the cloud — including system scalability and agility, speed of system provisioning, simple management and cost reduction. NSv delivers full-featured security tools including VPN, IPS, application control and URL filtering. These capabilities shield all critical components of the private/public cloud environments from resource misuse attacks, cross-virtual-machine attacks, side-channel attacks, and common network-based exploits and threats.

What is Keysight Technologies CyPerf?

Keysight CyPerf is the industry’s first cloud-native software solution that recreates every aspect of a realistic workload across a variety of physical and cloud environments. CyPerf deployed across a variety of heterogeneous cloud environments realistically models dynamic application traffic, user behavior and threat vectors at scale. It validates hybrid cloud networks, security devices and services for more confident rollouts.

Putting SonicWall NSv to the Test

Keysight Technologies and Tolly Group engineers tested a SonicWall NSv 470 virtual firewall running SonicOSX version 7. The AWS instance for the NSv 470 under test was AWS C5.2xlarge. The engineers deployed CyPerf agents on AWS C5.n2xlarge instances to be certain that the agents would have sufficient resources to stress the firewall under test. Each of two agent instances was provisioned with 8 vCPUs, 21GB memory and 25GbE network interfaces.

Product Image

Test methodology and results

The engineers used three different traffic profiles to collect results — unencrypted HTTP traffic, encrypted (HTTPS/TLS) traffic, and Tolly’s productivity traffic mix, which includes five applications: JIRA, Office 365, Skype, AWS S3 and Salesforce. Engineers used CyPerf application mix tests to create the Tolly productivity mix and generate stateful, simulated application traffic.

The tests were run against three different security profiles:

1) Firewall: Basic firewall functions with no policy set

2) IPS: Firewall with the intrusion prevention system feature enabled

3) Threat Prevention: Firewall with IPS, antivirus, anti-spyware and application control features enabled

The results observed in the AWS public cloud environment are similar to the results observed in virtual environment.

TestUnencrypted HTTP TrafficEncrypted HTTPS/TLS Traffic 
Firewall Throughput7.70 Gbps3.10 Gbps
IPS Throughput7.60 Gbps3.05 Gbps
Threat Prevention7.40 Gbps3.04 Gbps

Table 1: Test measurements for NSv 470 in AWS Cloud

Note: The table above highlights just a few of the test results. For complete results and test parameters, please download the report.

Conclusion

Most enterprises are moving their datacenters away from traditional on-premises deployments and to the cloud. It is imperative that security teams provide the same level of security for cloud server instances as they have been doing for on-premises physical servers. A next-generation firewall with advanced security services like IPS and application control is the first step to securing cloud instances against cyber threats.

In addition to security features, it also important to choose a firewall that provides the right level of performance needed for a given cloud workload. SonicWall NSv series offers a variety of models with performance levels suited to any size of cloud deployment, with all the necessary security features enabled. To learn more about how SonicWall NSv Series excels in AWS environments, click here.

 

What to Look for in a CASB Solution

Virtually every organization across major verticals — K-12 and higher education, financial services, retail and hospitality, and government — is undertaking digital transformation endeavors. And this includes migrating applications and data to the cloud.

When organizations do choose to adopt cloud technologies, software-as-a-service (SaaS) is the most popular choice according to a Gartner forecast for public cloud adoption. This is evident in the number of SaaS applications a typical organization uses. According IDG, 73% of organizations have at least one application in the cloud and another 17% plan to do so in the next 12 months.

2018 Cloud Computing Survey

73% of organizations have at least one application in the cloud and another 17% plan to do so in the next 12 months.
IDG

The adoption of SaaS applications brings about new security challenges for IT teams and increases attack surfaces for cybercriminals. The main use case for SaaS security is data protection. How do you protect your corporate data when you no longer have full control of the infrastructure or lack visibility into who can access that data and from which device/location?

The need to address this challenge created a new market segment in 2011 called Cloud Access Security Brokers (CASBs) or Cloud Security Gateways (CSGs). The CASB market segment is one of the fastest growing in information security with Gartner estimating a growth rate of 46% CAGR from 2017 to 2022.

Today, cloud security is not just about limiting or securing access to cloud applications. Cloud security is a shared responsibility where the organization that consumes cloud services is responsible for protecting sensitive data within their SaaS tenants. In fact, according to Gartner, “Through 2022, at least 95% of cloud security failures will be the customer’s fault.”

What is CASB?

At a high level, CASB solutions typically deliver the following four functionalities:

  1. Visibility. Enable cloud discovery to shed light on cloud application usage and shadow IT activities.
  2. Data security. Secure the corporate data uploaded or hosted in the cloud by enabling data loss prevention (DLP) and monitor user activity.
  3. Threat protection. Identify anomalous user behavior and provide anti-malware and sandboxing capabilities to protect against threats in the cloud.
  4. Compliance. Empower organizations with auditing and reporting tools to demonstrate compliance, especially in regulated industries.

CASB: The evolution of cloud security

The early CASB solutions were geared toward large enterprises that were early adopters of cloud services. These solutions required sophisticated on-premise deployments that proxied all traffic (either forward or reverse proxy) to enforce inline policies for cloud usage.

This proxy-mode CASB approach is sometimes known to introduce latency and/or cause breakage in application functionality, creating a bad user experience. In fact, it’s why Microsoft recommends against using proxy-based solutions when securing Office 365.

The next generation of CASB solutions take advantage of the API-based architecture that SaaS platforms are built on. API-mode CASB is the only way to provide complete visibility into SaaS environments.

API-based CASBs are easy to deploy and provide the most coverage for SaaS security use cases across sanctioned IT, shadow IT, managed devices and unmanaged devices (BYOD).

On-Demand Webinar with Guest Michael Osterman

Need more security and control for your cloud applications? View this joint on-demand webinar, “Securing Your SaaS Landscape,” with Osterman Research principal analyst Michael Osterman, to explore the major concerns and issues organizations have with SaaS adoption, what to look for in a CASB solution and an overview of SonicWall Cloud App Security.

CASB protects Office 365 deployments

According to the Cybersecurity Insiders 2018 Cloud Security Report, the most popular SaaS app used by organizations of all sizes is Microsoft Office 365.

Many associate Office 365 to email because it’s the most used app within the Office 365 suite. So, when CISOs and IT directors begin migrating on-premise mailboxes to Exchange Online, the default response is to extend the incumbent Secure Email Gateway (SEG) or Mail Transfer Agent (MTA). This approach to secure cloud email creates two significant blind spots:

  1. Causing security gaps. Does not protect other apps within Office 365, so it becomes a point solution that is focused on securing only email.
  2. Missing internal threats. Does not scan internal Office 365 emails, which is becoming increasingly relevant in the current threat landscape with credential compromises and account takeovers.

To address these blind spots, you need to buy an add-on service (to scan internal email) from your email security provider (if they offer one) and deploy a CASB to protect the data residing in OneDrive and SharePoint Online. That’s one more point solution that IT directors need to add to their budget, and IT administrators need to deploy, get trained and manage.

Full-featured CASB solution: SonicWall Cloud App Security

When you view cloud email as a SaaS app, it makes sense that a CASB solution should protect data and provide visibility even if that data is in the form of email messages.

That’s why SonicWall Cloud App Security leverages APIs to directly integrate to SaaS platforms and combine both data security and email security to provide complete protection for SaaS in a single solution. The CASB solution can be implemented in minutes without the need for any on-premise appliances or software installations.